Re-thinking The Human Factor with Bruce Hallas

EPISODE 08 SUMMARY - BEN AFIA ———————————————— On this episode of Re-thinking the Human Factor, Ben Afia joins Bruce Hallas in a discussion around “Tone of voice”. Tone of voice deals with the brand and personality of an organization coming through in language, in words, and this personality stems from values, both personal as well as those of a broader organizational culture. Ben is a consultant, writer and speaker on brand strategy, language and change.   “We’re talking about how we influence behaviour, especially within organizations with people who can choose to be influenced or not…I don’t think you actually need to be that heavy-handed to achieve the right outcome of protecting an organization.”   Join Ben Afia and Bruce Hallas as they discuss: The importance of getting the tone of voice right in relation to the creation and implementation of effective policies within an organization How tone of voice can bring to life an organization’s brand (or hurt their brand) Paradoxically, though tone of voice is largely about one’s brand and organizational personality, it’s also important to understand one’s audience when building and applying tone-of-voice guidelines, because it’s also about them, and it’s about understanding what your audience will be able to actually hear Heavy-handed vs. lighter, more engaging, more human communication methods The importance of having a well-defined brand and well-defined values when coming up with tone-of-voice guidelines The need to get broad stakeholder engagement, not from the very top of the organization, but also all the way down if the goal is organization-wide change   “I think that your tone of voice and your values then have to flex depending on the local circumstance.”   QUESTIONS FOR FURTHER STUDY AND RESEARCH What is your tone of voice? Does it really reflect your brand? How well do people engage with that? Do your communications have any element of tone of voice or are you just getting your team to write without any direction regarding how you want to appear, to be perceived by your audience when they receive your message?   MORE ABOUT BEN AFIA: Website   Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.   Thanks for listening and sharing.   Bruce & The Re-thinking the Human Factor Podcast Team

EPISODE 07 SUMMARY - GEORDIE STEWART ———————————————— We’re taking a different approach to our chat in Episode 07 of the Re-thinking the Human Factor podcast. For this episode, we asked one of our listeners to come on the show and share with us the key lessons they’ve learned from the first three episodes of our show:   Episode 01 - An Interview with Gregory Michaelidis, former Head Speech Writer for the Secretary of Homeland Security Episode 02 - An Interview with Heather Dahl and Chase Cunningham Episode 03 - A conversation With John Pollack, former Speechwriter to President Bill Clinton   Geordie Stewart joins Bruce Hallas in a discussion we hope will help you synthesize the vast amount of information covered in those episodes. Geordie is a CISO who has worked at organisations like of John Lewis, TUI UK & Europe and has most recently taken up residence at the UK’s largest Building Society, the Nationwide. As well as his day job he is an international speaker and keen innovator in the area of technology risk communication. His award winning masters thesis at the Royal Holloway Information Security Group examined information security awareness from a fresh perspective as a marketing and communications challenge. [1]   “And in a busy environment with lots of competing messages…, the challenge is, how do we make sure messages of value land in a way that somebody can use and benefit from?…because we are competing with HR, finance, and these other sources of information and guidance within companies.”   Join Geordie and Bruce as they give you the hash on: The necessity of understanding your audience and empathizing with them if you hope to effectively raise awareness, influence behaviour, and foster a culture amongst that audience How a lack of feedback loops and accurate metrics has effected the speed at which the security industry has evolved in their communication and training strategies The concept of the captive audience, and how having an audience built into the organizations that security professionals serve has stifled motivation to innovate and improve upon security awareness, behaviour, and culture communication and training The role that brand plays in terms of how it influences the level of engagement you’ll get from people and whether or not people will comply with organizational policies and procedures   RESOURCES AND TOPICS FOR FURTHER STUDY The Analogies Project Predictably Irrational by Dan Ariely ISC2 MORE ABOUT GEORDIE STEWART: Website [1]   Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.   Thanks for listening and sharing.   Bruce & The Re-thinking the Human Factor Podcast Team

The relationship between culture and security is an important one and one that is discussed a lot. Unfortunately, many people miss the point somewhat when exploring culture and security. The obvious place to start is the security culture within an organisation, but let’s not dismiss organisational culture too quickly. Better still, let’s also take a look at industry culture and national culture. So you see, when we start looking at culture and security, there’s more to it than we might initially assume. So we thought this would make an excellent podcast episode. Today, Bruce is joined by Gert Jan Hofstede. Gert Jan is a population biologist and social scientist hailing from the Netherlands whose research and publications have provided many with deeper understanding in the areas of cultural evolution, societal change, cultural stability, and how those forces interact with and have influence upon one another. He is also known for his work in social simulation as well as for a number of books he has co-written with his father, Geert Hofstede. In this episode, Bruce and Gert Jan discuss a wide variety of organization and culture-related topics that have important implications for the Cyber Security industry. “It is as if you were a fish and they asked you to describe the air… If you’ve always lived in one place in the world, then it’s very hard for you to see that behaviors from another place that seem strange, illegal, ridiculous… that those behaviors can make sense, but within a larger [cultural] system.” Join Bruce and Gert Jan in this episode of Re-thinking the Human Factor as they explore: How awareness of cultural differences (or lack thereof) can be an opportunity for greater collaboration between groups, or greater friction, and how this awareness contributes to one’s ability to understand and effectively communicate cross-culturally The need for organizations to achieve a sense of mutual cultural understanding as the starting place for implementing organizational change rather than striving to achieve cultural homogenization as the means for implementing that change Different perceptions of what cultural differences mean to an organization (barrier to progress, a catalyst for a breakthrough, etc.), and the importance of realizing that these differences do exist so that one can begin to try and understand them as a means of navigating the challenges and growth potential afforded by these differences The importance that “cultural ambassadors” within an organization be, first and foremost, acceptable to the cultural audience whom they seek to address 4 helpful cultural metaphors to help with navigating cross-cultural organizational communication: The Family (Asia and Africa) The Machine (Germanic/Northern Italy type of region) The Market (Anglo-Saxon, the UK and North America) The Pyramid (the Mediterranean and Slavic countries) MORE ABOUT GERT JAN HOFSTEDE, HIS BOOKS, AND HIS RESEARCH: Associate Professor at the Information Technology Group at Wageningen University & Research // Population biologist and social scientist in information management and social simulation // Interested in the interplay of the contrasting forces of cultural evolution, societal change and cultural stability. Gertjanhofstede.com   Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.   Thanks for listening and sharing.   Bruce & The Re-thinking the Human Factor Podcast Team

Understanding the impact of technology on behaviour is one of the biggest questions we must ask ourselves today. Technology is advancing so quickly and we are seeing human behaviour adapt very rapidly. A glance on a train platform during peak hour will hint at people's obsession with their smartphone. Or, just watch a two-year-old use an iPad with ease if you have any doubts. So it seems right to explore this in more detail as cybersecurity professionals need to get their heads around the effect of technology on behaviour and what that means in terms of developing sound and effective information security strategies. A conversation with Ciaran McMahon, Director at Institute of Cyber Security In this episode, Bruce explores this with Ciaran McMahaon, Director at the Institute of Cyber Security and they discuss how advances in technology have impacted people's behaviour. Award-winning academic psychologist Ciaran McMahon joins Bruce Hallas in episode 5 of Re-thinking the Human Factor. Hailing from the Republic of Ireland, Ciaran comes from a psychology background and has extensively studied how advancements in technology, throughout human history to the present day, have affected societal behaviours. He shares our belief that understanding the human side of things is necessary to effectively influence information security behaviours within an organisation, and he is eager to bring his psychological insights to the problems we face in cybersecurity awareness, behaviour, and culture. “It’s unlikely that we can use all of this technology and not be changed in some way…” The effect of technology on behaviour Join Bruce and Ciaran in this episode as they explore: The impact on people’s behaviour of changes in technology and what that means for designing security environments and choices in cyber security awareness and policy implementation How people justify their behaviour and choices not to comply with security best practise including deterrence, punishment vs reward, neutralization, the defence of necessity, and others. People’s innate understanding of right and wrong and the issue of justice and fairness in relation to security behaviours. SUBJECTS AND RESOURCES MENTIONED: ISC2 The Information Security Forum Infosec Europe Behavioural Economics Choice architecture FOR FURTHER RESEARCH: Choice Architecture Defence of Necessity MORE ABOUT CIARAN: Website       Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.   Thanks for listening and sharing.   Bruce & The Re-thinking the Human Factor Podcast Team  

Creating effective education and awareness programs is a fundamental aspect of an effective security strategy. In this episode, we talk about the importance of integrating behavioural economics and psychology into the creation of effective education and awareness programs, and the strategy behind them. A conversation with Robert Madelin, former Director General of Health and Consumer Policy at the European Commission Robert Madelin brings a distinguished career and experience to the conversation in Episode 4 of Re-Thinking the Human Factor. Robert has been focused throughout his career on policy generation, awareness and education, and as part of that, designing policy so the odds are stacked in favour of those who comply with that policy.  Why behavioural economics and psychology is relevant to education and awareness programs Join Bruce and Robert in this episode as they each draw from a well of extensive experience to converse around: Fast and slow thinking and how each influences how we behave in society The importance of integrating behavioural economics and psychology and choice-architecture when it comes to the design of EFFECTIVE education and awareness strategies and programs The “uncomfortable truth” that people do not respond rationally when given data and how recognizing that truth is key to guiding policy creation and choice architecture efforts How cultural differences in the cybersecurity space have more to do with digital literacy, age, principles and values rather than one’s passport, or “passport culture”, as Robert refers to it The role of culture or the context within people live their lives, and how that may have an effect upon: the policy itself how you raise awareness within institutions or even nation-states, as in Robert’s experience The importance of international cooperation in efforts to raise awareness and influence behaviour "It's the human factor that makes us vulnerable." RESOURCES AND SUBJECTS MENTIONED: World Economic Forum: GLOBAL RISKS REPORT DG CONNECT (Communication Networks, Content, and Technology) EU Health and Food Safety (SANCO) FOR FURTHER RESEARCH: Daniel Kahneman Thinking, Fast and Slow (by Daniel Kahneman) Behavioural Economics and Psychology Choice Architecture ABOUT ROBERT MADELIN Chairman, Fipra International // Director General for Communications Networks, Content and Technology (CONNECT) // Director-General for Health and Consumer Policy (SANCO) // A negotiator in international trade and investment, first for the UK, and then for the EU // Served in the Cabinet of European Commission Vice-President Leon Brittan. CONNECT WITH ROBERT: LinkedIn    Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.   Thanks for listening.   Bruce & The Re-thinking the Human Factor Podcast Team

EPISODE 03 SUMMARY - JOHN POLLACK Author // Consultant // Speechwriter // Journalist // Reporter ———————————————— What is needed within cyber security industry communications to generate the kind of awareness and training materials that enable governments, businesses, and the general public to protect themselves against cyber security threats? We want people to hear our message and act in accordance with responsible security behaviours, but what changes do we as an industry need to make in order to accomplish this goal? Join Bruce and John as they converse around these questions and unpack topics such as: John was a strolling violinist at a restaurant where the head chef taught him that people eat twice, once with their eyes and once with their stomach, and that good communication relies on a combination of a sensory stimuli. Building a relationship with an audience, fostering trust, requires communicators to listen as much, if not more, than communicate. Communication needs to come from a place of empathy and this is often missing. The importance of authenticity and credibility in developing and delivering effective communication that supports change in behaviour. "Washington is where good words go to die" comment illustrating the impact of internal corporate communication guidelines on the effectiveness of communications designed to raise awareness and influence behaviour.   “…We ought keep our eye out for ways to capture people’s attention because capturing people’s attention, and holding it, is the essence of communication…”   PROJECTS AND RESOURCES MENTIONED: The Analogies Project Shortcut (by John Pollack)   CONNECT WITH JOHN: Website   Thank you for listening! Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.   Thanks for listening.   Bruce & The Re-thinking the Human Factor Podcast Team

How Heather and Chase are eliciting positive behaviour change in kids and their parents by engaging with them creatively and emotionally EPISODE 02 SUMMARY - HEATHER DAHL AND CHASE CUNNINGHAM ———————————————— We talk with Heather Dahl and Chase Cunningham, co-founders of The Cynja, a comic series created with the aim of “[engaging] children… To teach them how to make smart choices [when they encounter the internet], practice online security, and enable privacy protection as they practice cyber security in their digital lives.” Heather and Chase bring a variety of work experience to the area of cyber security awareness and education and seek to bring a fresh, entertaining perspective to an otherwise drab communications M.O.  “…Sometimes in our families, it’s our kids that are educating the adults on the world that’s out there, and we can’t underestimate the role of comics in this sense for kids in educating all of those that are around them that may not be as digitally savvy as they are.” In this episode, Bruce, Heather, and Chase discuss how creativity, emotion, and excitement are necessary ingredients in cyber security awareness/education materials, especially if the aim of those materials is to elicit engagement and behaviour change from an audience. In the same vein, they also discuss the power that lies within communication efforts that take into consideration the way a certain group of people speaks and engages with their world.  “And if you look to the world of marketing for example and how organizations market their products and services, and what’s the brand, there IS some of that excitement…If you want to sell a product, you connect with people on an emotional level.”   PROJECTS AND RESOURCES MENTIONED: The Cynja - https://www.cynja.com/  The Analogies Project - https://theanalogiesproject.org/   CONNECT WITH Heather and Chase: Twitter - https://twitter.com/TheCynja  Facebook -https://www.facebook.com/thecynja  Pinterest - https://www.pinterest.com/thecynja/    Thank you for listening! Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review. Thanks for listening. Bruce & The Re-thinking the Human Factor Podcast Team

How we can improve policy messaging and implementation EPISODE 01 SUMMARY - GREGORY MICHAELIDIS ———————————————— Gregory (Greg) Michaelidis spent 7 years working for the Obama Administration within the Department of Homeland Security, first as the Head Speech Writer for the Secretary of Homeland Security, and then in the Homeland Security directorate that handles cyber security and infrastructure protection. His experience ranges from defining and creating policy to establishing buy-in for policy through good messaging, and he’s bringing that experience into the arena of cyber security awareness. During his tenure in the Obama Administration, Greg noticed a frustrating pattern in government policy making — “Much of the energy in security policy would go into policy formulation and interagency tussle over who would implement the policy, but once that was all figured out, the policy given less attention, especially in regards to the manner in which messaging around a certain policy was delivered to people who would ideally hear it and get on board.” In this episode, Bruce and Greg discuss issues around cyber security awareness, how to improve messaging around issues of cyber security, and perhaps even more importantly, what needs to be done to ensure that awareness is turning into positive security behaviors. “So when we have more of those people who aren’t from the traditional computer science or engineering backgrounds who are contributing to the conversation, I think it will be a sign of health, that we are getting beyond what is now…a heavily industry or fee-for-service/fee-for-product driven model that is in need of a real shake-up.”   PROJECTS, POLICIES, AND RESOURCES MENTIONED: The Analogies Project https://theanalogiesproject.org/ - The Ready Campaign https://www.ready.gov/ - preparedness for natural disasters If You See Something, Say Something (still in effect) https://www.dhs.gov/see-something-say-something - situational awareness to teach people to report to law enforcement when they see something that seems amiss or out of place (still in effect) Stop.Think.Connect https://www.stopthinkconnect.org/ - cyber security awareness program (still in effect) UK “Prevent” Programs https://www.gov.uk/government/publications/2010-to-2015-government-policy