Re-thinking The Human Factor with Bruce Hallas

On Episode 6 of series 2 of the Re-Thinking the Human Factor podcast, we are joined by Dr Char Sample to dive into the topic of culture and the role it plays when it comes to cybersecurity. But this podcast chat is not what you will expect to hear when it comes to culture; we're going to explore how your cultural values can be used against you in cybersecurity attack.  Some of the topics we're going to dive into during this podcast episode include Cultural Dimensions, Geography of Thought, and Values as a Vector for Attack. Culture and cybersecurity Dr Sample is a researcher-fellow employed for ICF at the US Army Research Laboratory in Adelphi, Maryland and has over 20 years experience in the information security industry. Dr Sample’s area of research examines the role of national culture in cybersecurity behaviours. At the moment, Dr Sample is continuing research on modelling cyber behaviours by culture. Other areas of research are information weaponisation, data fidelity and fake news. Dr Sample is a frequent collaborator with the University of Warwick, in the UK which is where she completed her fellowship. “It’s an old Russian proverb: ‘TRUST, BUT VERIFY.’ We put all of our eggs in trust and we left verify exposed.” JOIN CHAR SAMPLE AND BRUCE HALLAS AS THEY DISCUSS THE FOLLOWING: The meshing of two schools of cultural thought to create a more complete cultural model from which to approach awareness, behaviour, culture, and even defence campaigns: Hofstede’s Cultural Dimensions Theory Nisbett’s work: “Geography of Thought: How Asians and Westerners Think Differently…and Why” Design for success - Whether you’re designing a phishing campaign, an education awareness campaign, how you’re going to manage incidents, whatever it is, it’s about understanding that all of this is being done with people in mind, either as the victims, the perpetrators, or the middle people. You can’t shape culture in the short-term, which causes a clash between organisational culture and security culture. Organisational cultures often look for success metrics every quarter, but culture takes much longer to change. We all have cultural lenses, and those cultural lenses help us (or don’t help us) with the definition of what it is that we see. The Cultural Dimensions Theory is old enough that we now have tons of data to analyse around the 6 dimensions. Cultural values are very enduring because those values are reinforced all throughout society. So, you’ve got this lifelong influence on culture / shaping of culture, and you’re trying to set up a security culture within your organization — Which one is going to win? Insights around culture and how that relates to victims. How important is the role of values in decision-making? Also, Char shows an example of how to map behaviour to Hofstede’s Cultural Dimensions to give a possible answer to the question. Culture as a vector for attack. “We have a tendency to want to throw technology at the problem. But of you don’t take the cultural values of the person who’s sitting at the end of the computer there, and who’s going to be the recipient of this data, if you don’t take that into account, you can at best have a partial success.” Further study and research Hofstede’s Cultural Dimensions Theory Nisbett’s “The Geography of Thought: How Asians and Westerners Think Differently…and Why” About Dr Char Sample LinkedIn Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review. Thanks for listening and sharing. Bruce & The Re-thinking the Human Factor Podcast Team

Observations and Take-Aways: Episodes Review with Craig Thomson, Security & Awareness Manager   On this episode of the Re-Thinking the Human Factor Bruce Hallas is joined by Craig Thomson, the Security Education & Awareness Manager at Nationwide Building Society. He is an experienced Education specialist with a demonstrated history of delivering impactful results in the Defence, Air & Space and Information Security arenas. He is skilled in the management of Training Programme and solution design using SAT and ADDIE methodologies to deliver engaging and meaningful training and communications that create measurable behavioural change. Craig values using effective emotional intelligence skills to develop teams and solutions in support of achieving business strategy goals.   “Awareness is a two-way street… Awareness is just as much about actually being aware ourselves of who our target audience is…”   JOIN CRAIG THOMSON AND BRUCE HALLAS AS THEY DISCUSS:   Their shared connection around the armed forces and applicable observations they’ve made about L&D and recruitment for the Armed Forces The importance of people having vested interest in policy creation The problem of cognitive dissonance within company culture (i.e. ‘This is what the policy says, but what push comes to shove, here’s what we actually do’) What motivates people to take part or give their time to engagement with awareness initiatives Awareness is a two-way street Lessons learned around conducting surveys as a means of gathering information about one’s target audience, and other means of garnering useful information and feedback from those people The difference environment makes in training, accurate observation, and behaviour change Sharing ideas across a network of security professionals The concept of “Awareness” as communications that give people a sense of understanding and control over upcoming change in their work environment, which helps them not feel as stressed about the change, which then helps to overcome their innate desire to avoid or not comply with the desired change in behaviour If / how metrics can be used to enhance Awareness strategy and creation   MORE ABOUT CRAIG THOMSON: LinkedIn   Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.   Thanks for listening and sharing.   Bruce & The Re-thinking the Human Factor Podcast Team

What makes our brains tick, and why does that matter for change managers and organizational heads?   The Human Brain vs. Awareness, Behaviour, and Culture   Hilary Scarlett is an international speaker, consultant and author on change management and neuroscience at Scarlett & Grey. Hilary’s work has spanned Europe, the US and Asia and concentrates on the development of people-focused change management programmes, coaching and employee engagement. Her specialities include: change management employee communication employee engagement leadership coaching (Inst of Leadership & Management accredited)   “A need for control, a need to be able to predict what’s coming up is really important to the brain.”   JOIN HILARY SCARLETT AND BRUCE HALLAS AS THEY DISCUSS: The necessity of understanding how our brains work The human brain’s distaste for change A brief rundown on what the brain actually is, i.e. what it does, how it’s made, the structure of it How understanding what our brains do and how they work can guide efforts towards creating proper learning environments and organizational cultures where people can more easily learn and thrive Why our brains are often lazy by default Growth mindset within an organizational culture The importance of prioritizing tasks by order of importance because the brain’s energy / ability to process information critically will become increasingly depleted as the day goes on Tools for getting the brain back on track and restoring some of its energy during the day Understanding how brains process change and what it means for Change Managers The power of storytelling in communications, understanding, and memory   “Change is extremely difficult for us if we feel it’s unpredictable and uncontrollable… People further down the hierarchy who feel they don’t have that same sight at what’s coming up and don’t have that same control or influence, their brains are in a much more stressed place than [the boss].”   FURTHER STUDY AND RESEARCH Neuroscience for Organizational Change by Hilary Scarlett Edgar Schein Neuroplasticity The Endowment Effect Mindset by Carol Dweck   MORE ABOUT HILARY SCARLETT: LinkedIn   Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.   Thanks for listening and sharing.   Bruce & The Re-thinking the Human Factor Podcast Team

Did you know up to 80% of information is forgotten within 24 hours? Admittedly, this is not an encouraging statistic for those of us seeking to raise awareness, change behaviour, and foster an appropriate organizational culture. For this reason, we at the Re-Thinking the Human Factor Podcast are looking for answers from outside the security industry from people who can provide an evidence-based path forward which can help us to improve learning and development. We’re happy to share some fresh insights with you on the topic of improving the training experience, likelihood of learning, and stickiness of memory after the training is completed. Evidence-Based Methodology to Improve Learning and Development Stella Collins joins Bruce in Series 2 / Episode 3 of the Re-Thinking The Human Factor podcast to have a deeper look into how we can improve learning and development using evidence base methodology. She is a learning specialist, an expert in Brain Friendly learning, author of Neuroscience for Learning and Development, and the Creative Director of Stellar Learning, a business whose goal is to transform training, learning and communication - particularly when it's tough, technical or tortuous. They support and train their clients to build excellent relationships and make critical messages stick.  With a BSc in Psychology, an MSc in Human Communication, a coaching diploma, 15 years in the IT industry, and more than 15 years in L&D, she injects a theoretical knowledge of learning and communication with creative and practical ideas and hands-on experience. Stella says “there’s no such thing as a boring topic – just boring training.” JOIN STELLA COLLINS AND BRUCE HALLAS AS THEY DISCUSS: The importance of knowing the background behind a neuroscientific finding, i.e., who’s done the research, what was on their agenda when they did it, and whether the proper research methodology and statistical analysis was used to arrive at the conclusion on which your team is now basing its L&D and policy changes The empowering nature of evidence-based ideas Effective planning for L&D training, including making people excited about going through the training, and making the most of the time you have with people rather than wasting time and money on a captive audience that will forget most of what they learned within 24 hours (see our opening statement above) The importance of what happens after L&D training, like inter-staff communication and ensuring that the work environment is conducive to easy adoption of new skills and policies What is training, actually? Likewise, what is learning? Neuroplasticity, or the fact that our brains are flexible and able to create new pathways for learning throughout life Ways to maximizing the potential for learning when engaging in training efforts When it comes to learning and memory, humans are not sponges as the metaphor suggests The future of L&D and self-directed learning “An experience, as opposed to fact…When we have an experience, we remember that sensory information… Emotion is massively sticky. Emotions and senses are hugely important.” FURTHER STUDY AND RESEARCH Neuroscienece for Learning and Development by Stella Collins Stellar Learning (Make Your Message Sticky) Choice Architecture Neuroplasticity   MORE ABOUT STELLA COLLINS: LinkedIn   Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.   Thanks for listening and sharing.   Bruce & The Re-thinking the Human Factor Podcast Team

Understanding decision making in the workplace is almost like the holy grail. What we want is for our colleagues to make better decisions, but for this to happen we need to take a few steps back. Decision making in the workplace takes place in the context of the organisational culture. Often when we talk to people about organisational culture, they see culture as something so big that it becomes too overwhelming to think about. Instead, they prefer to take the path of least resistance, focusing on awareness and driving behaviour. However, behavioural science keeps pointing to the fact that individuals need to feel involved in policy creation if buy-in and actual behavioural change is to occur. But, won’t this take too much time? How can an organisation possibly gain buy-in from all their employees? Interestingly, the amount of interaction that people need in order to feel that they are involved is probably a lot less than you think… Individuals, Groups, Decision-Making, And Self-Regulation Susan Weinschenk joins Bruce in Series 2 / Episode 2 of the Re-Thinking The Human Factor podcast to have a deeper look into this topic. Susan has a Ph.D. in Psychology. She applies research in brain science and psychology to predict, understand, and explain what motivates people and how they behave. Her consulting includes applying behavior science to the design of websites, software, medical devices, tv ads, physical devices, presentations, experiences, and physical spaces. She is an author, teacher, mentor, and consultant to Fortune 1000 clients, government, non-profit, and start-ups. Her books include: How To Get People To Do Stuff, 100 Things Every Designer Needs to Know About People, 100 Things Every Presenter Needs to Know About People, and Neuro Web Design: What makes them click?  Susan’s specialties include Behavioural Science, Brain Science, Psychology, and User Experience.   JOIN SUSAN WEINSCHENK AND BRUCE HALLAS AS THEY DISCUSS: The influence of individual self-stories on a person’s behaviour Brain function and value-based, goal-directed decision-making vs. habit-based decision-making The importance of similarity in environments between the one in which a person is trained vs. the space where that person will encounter actual on-the-job issues, and how different environments can hamper training and habit-based decision-making What choice architecture is and how it relates to how you build an actual environment to bring around the behavioural outcomes you’re looking for Whether any gains around behaviour can be made without taking into consideration the broader cultural context The power of social norms and groups to regulate behaviour The necessity of involving at least some members of strong-tie teams/communities in development of policies in order to increase buy-in and ensure wider-spread behavioural change The importance of looking at Cyber Security as if it were a product, understanding that having repeat customers of the product is the end goal Drivers of motivation behind people’s engagement with awareness campaigns, and what kind of behavioural change can be expected through gamification and rewards-style motivation   “The amount of interaction that people need in order to feel that they were involved is probably a lot less than you think…”   FURTHER STUDY AND RESEARCH Re-thinking the Human Factor Ep 05 with Ciaran McMahon Choice Architecture Robin Dunbar (Dunbar’s Number) The IKEA Effect   MORE ABOUT SUSAN WEINSCHENK: LinkedIn   Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.   Thanks for listening and sharing. Bruce & The Re-thinking the Human Factor Podcast Team

Welcome to Series 2, Episode 1 of the Re-Thinking the Human Factor Podcast. It's fantastic to be back after a 3-month break!  As we like to do every so often, Episode 1 of Series 2 begins with a conversation with Louise Cockburn, a listener to our show whom we invited to come on and share insights she's picked up from previous episodes of the podcast, as well as her own experiences and thoughts on the challenge of security awareness, behaviour and culture. Louise is the information security awareness and culture manager at Quilter (prev. Old Mutual Wealth), and she had much to say about the need for creativity in communications, the power children hold in shaping behaviour and culture, personnel buy-in, and more, but the overarching theme of the conversation centered around one thing - behaviour. Tune in to hear all about it. Further Resources Re-thinking the Human Factor Book Our new book, Re-Thinking the Human Factor, which is available on Amazon In the nine chapters of the book, we challenge some of the assumptions that many people make when designing education and awareness programs to raise awareness, influence behaviour and foster an appropriate organizational culture. Also, we bring in a load of insights, some of which have come from the research that Bruce and his team has done over the last seven years, whilst some stem directly from the interviews that we've done in Series one of the podcast. Also, it's a short read. LinkedIn Group We have recently launched the Re-Thinking the Human Factor LinkedIn Group, where we want to enable you to continue the discussion around the human factor in information security. We hope that by having a space to hold these discussions that we can all better understand the role that awareness, behaviour, and culture can have on our information security objectives.  Thanks for tuning in!  

The challenge with creating behavioural change is doing it well enough that people actually change their behaviour consistently. And beyond that, it's about ensuring that other people in the organisation can observe this new behaviour around them so that they come to the realise this is simply "the way we do things around here" in other words, the organisational culture. When we set about creating behavioural change, the ultimate objective is for that change to become embedded in the culture, because that's when we start to see the results we're looking for. Creating Behavioural Change that Becomes Part of Culture In today's podcast episode this is what we're going to be exploring. Bruce is joined on the podcast by Su Ee Wong. Su Ee’s journey towards becoming a safety and health (S&H) professional is an unusual one. She started off in biomedical science and a serendipitous stint in the HR office of an academic institution sparked an interest in workplace safety and health.  The unique blend of her science background, HR experience, and S&H interest got her a Mid-Career Training Sponsorship where she was given the opportunity to train as an S&H professional in a University. As the core businesses of a University are research and teaching, she is able to apply her knowledge in research to better manage the S&H of staff and students.  Her passion is in creating a safe, healthy and happy environment that the community can thrive in. She strongly believes that the activities we engage in should do no harm to our people or to Mother Earth. [1] JOIN SU EE WONG AND BRUCE HALLAS AS THEY DISCUSS: Su Ee’s post that told of an experiment conducted around the public safety problem of how to change the behaviour of jaywalkers who were crossing the street no matter what color the light was. Making policies fun, interesting, and engaging can help catalyze behavioural change. The importance of creating policies that have as little friction as possible to follow. When we want to change behaviour, a lot of us think that should be through punishment,  like handing out fines for doing something. We think if we give them a slap on the wrist, that changes behavior. But it might not be sustainable in the long run. How do we get something more creative that is more positive to change the behaviour and then reinforce it later so that this behavior sticks until it becomes second nature? In organizations, people at different levels will have different cultural norms. Though one might craft the perfect awareness campaign based on research gathered from within the various organizational levels at their local office, those same campaigns might not elicit the response one is anticipating in the overseas office possibly due to a sort of a national culture. The importance or recognizing policy “champions” for their work. How do we incorporate people’s natural biases in how we design awareness campaigns? Creating an environment and culture where people can share their insights and engage with leadership or the local champion, without blame, to create trust between workers and leaders, because that will be one of the best ways to manage problems knowing that leadership can’t be everywhere all at once. What Su Ee Wong did to understand root causes of behaviors in her organization. Awareness is just as much about policy-makers themselves becoming aware as it is about crafting the right kinds of campaigns and procedures.   FURTHER STUDY AND RESEARCH Re-thinking the Human Factor Ep 09 with Dan Ariely Shortcut by John Pollock Choice Architecture Infosec Europe   MORE ABOUT SU EE WONG: LinkedIn [1]   Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.   Thanks for listening and sharing.   Bruce & The Re-thinking the Human Factor Podcast Team

We like to invite listeners to the podcast to come on the show and share insights that they’ve picked up from previous episodes of the podcast.  We also invite them to share their own experiences and thoughts on the challenge of security awareness, behaviour and culture. In this show, Ed Tucker, the 2017 European CISO of the Year joins us to lift the lid on the challenges he sees and the insights he’s picked up. Ed feels there is a common theme between what Robert, Ciaran and Gert discuss and what happens in the reality of the organisation, which highlights the common failings of ineffective security people. The theme he highlights is ignorance. Tune in to hear all about it. About Ed Tucker Ed is the current European Chief Information Security Officer of the Year, UK Security Professional of the Year, and Security Leader of the Year and has been recognised for his massive contribution and sharing of best practice with the wider security world. Ed is the former Head of Cyber Security for the UK Tax Authority HMRC, where he led the Cyber Security and Response Capability for eight years. Ed designed and built the Cyber Security capability for HMRC, developing two intelligence driven Cyber Security Command Centres; the first in-house developed capabilities in UK Government. Ed implemented security controls across all HMRC's email domains and reduced phishing emails purporting to be the UK Tax Authority by 500 million a year 2016 through spearheading the use of DMARC (Domain-based Message Authentication, Reporting and Conformance). Ed also instigated the take down of 14,000 fraudulent websites harvesting data and has had a broad spectrum of responsibilities in his fifteen-year career including Online Fraud, Hacking Analysis & Capability Scoring and Forensic Investigations. A regular speaker at events such as InfoSec Europe, European Information Security Summit, European CISO Conference, InfoCrime Summit, and now eCrime, Ed is a highly regarded industry expert on all aspects of data protection.

EPISODE 10 SUMMARY - RACHEL LAWES ———————————————— Joining Bruce Hallas on Episode 10 of the Re-thinking the Human Factor Podcast is Dr. Rachel Lawes, who comes to the show with a background in the field of semiotics. Don’t worry, if you’re not familiar with the term, you’re probably in good company. However, upon learning more about Rachel and the field of semiotics prior to recording the interview, we knew she had something of interest, substance, and worth to bring to the conversation around Cyber Security Awareness, Behaviour, and Culture.   MORE ABOUT RACHEL If you go to market research conferences, you’ve probably met her already. She’s one of the original founders of British commercial semiotics and she never stops being excited about what it can do. She uses semiotics and related methods, backed up by a comprehensive knowledge of social science, to rejuvenate brands, innovate products and services and steer comms. She delivers research, insights and strategic guidance to brand owners. She delivers training in advanced research methods for both client side and agency side users. She also supplies consultancy services to ad agencies, design agencies and large branding agencies.  From time to time she works with universities because she loves to teach. [1]   JOIN RACHEL LAWES AND BRUCE HALLAS AS THEY DISCUSS: What semiotics is. In reference to a challenge often put our way regarding the applicability of insights from without the security industry — whether the insights gained through semiotics be applied to both sides of the fence, so to speak, both externally AND internally, as in the case of within an organization. One fascinating consequence of digital culture — that written language has taken on a life of its own in a way that really haven’t seen in our life times. It’s no longer really required that you follow the rules you learned in school. What’s more important is getting your message across, which might involve substantial use of abbreviations, emoji’s, etc. People communicate using language and text now more than they have done for a long long time. The work of semiotics is partly about observing what’s going on in a given audience to try to understand what it is they’re giving off, what the signs are you see in the audience which may be a reflection on how they would respond to you presenting something to them. How semiotics can help one engage more effectively and influence changes more effectively. Studying signs and symbols (semiotics) gives one an understanding of what is driving people’s behaviour from a cultural perspective. This is important because, as discussed with Gert Jan Hofstede in Episode 06 of the Re-thinking the Human Factor Podcast, culture forms everybody - there’s no escape from it.   FURTHER STUDY AND RESEARCH Semiotics Tone of Voice Episode 06 - A Chat With Gert Jan Hofstede About Culture and Security. MORE ABOUT RACHEL LAWES: Website [1] Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.   Thanks for listening and sharing.   Bruce & The Re-thinking the Human Factor Podcast Team

Understanding behavioural change is a crucial aspect of better understanding the human factor. If we hope to influence behaviour then we need to better understand human behaviours, decision-making and motivations. The leading expert in this today is Dan Ariely and we are thrilled to have him as a guest on the podcast. Behavioural change is a large part of the work we have to do when it comes to improving security outcomes, and the work by leading thinkers such as Dan is really helping to pave the way. Dan Ariely was recently voted as the second most influential psychologist in the world. He is a professor of psychology and behavioural economics at Duke University and a founding member of the Center for Advanced Hindsight. He is the author of the bestsellers Predictably Irrational, The Upside of Irrationality, and The Honest Truth About Dishonesty - as well as the TED Book Payoff: The Hidden Logic that Shapes Our Motivations. Through his research and his (often amusing and unorthodox) experiments, he questions the forces that influence human behavior and the irrational ways in which we often all behave. Behavioural Change in CyberSecurity In this episode, Dan Ariely joins Bruce Hallas to discuss behavioural economics and its role in better organising operating environments and how we can use this in the cybersecurity industry. Dan’s speciality is in the study of behavioural economics with a focus on communicating his findings in a language anyone can understand so this makes him an ideal guest for the podcast. ‘[His] immersive introduction to irrationality took place many years ago while [he] was overcoming injuries sustained in an explosion. The range of treatments in the burn department, and particularly the daily “bath” made [him] face a variety of irrational behaviours that were immensely painful and persistent. Upon leaving the hospital, [he] wanted to understand how to better deliver painful and unavoidable treatments to patients, so [he] began conducting research in this area. [He] became engrossed with the idea that we repeatedly and predictably make the wrong decisions in many aspects of our lives and that research could help change some of these patterns.’ [1] “You have to understand that part of your job as a security expert is not just to create security but to create appreciation. Because if you create security with no appreciation, you’re not going to get people to value it and want to participate in it.” Join Dan Ariely and Bruce Hallas as they discuss: What behavioural economics is (10:50) Preferences, how we form them, and the effect our preferences have on our behaviour. (19:01) Untapped demand, or the idea that there’s a big difference between people’s preferences and what they end up doing, and the fact that those differences have a lot to do with friction (the easiest decision will often be the one that is chosen) (23:04) The role of behavioural economics in better designing the operating environment within which employees are trained and work within in order to maximize the potential for positive cyber security behaviours (24:56) The concept of “endowment”, or the idea that people who have contributed to something feel a greater sense of value about that something as well, and the “Ikea effect”, which simply understood is that labour leads to love (29:39) Value cues, and the need for cybersecurity policy creators to communicate the value of following their policies to their audience (33:59) Another big challenge in the cybersecurity industry - the fact that security failures happen infrequently, and what that teaches people about how they need to behave (41:36) Effective and ineffective methods for motivating positive cyber security behaviours from employees (44:30) The effect of overconfidence in our own knowledge and ability on our behaviours (49:17) “One of the biggest challenges is to get people to admit we are fallible.” Further Reading & Research Small Change | Money Mishaps and How to Avoid Them, by Dan Ariely Predictably Irrational, by Dan Ariely Bruce Hallas’s blog: Behavioural Economics: When irrationality is the remarkably logical decision Here is one of Dan's famous TED talks on decision-making.   About Dan Ariely You can find out more about Dan at his website www.danariely.com or you can follow him on Twitter. Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.   Thanks for listening and sharing.   Bruce & The Re-thinking the Human Factor Podcast Team