Most organizations use sanctions as a way of enforcing cybersecurity policies and encouraging sound security behaviors. But few organizations ever test whether these sanctions are effective. Often they aren't; in fact, when used improperly sanctions can backfire. In this episode of Cyber Ways, Tom and Craig talk about sanctions and their effectiveness with Dr. Mikko Siponen of the University of Alabama's Culverhouse College of Business. Dr. Siponen is among the world's leading scholars when it comes to understanding the effects of sanctions on cybersecurity behaviors. Listen and learn how your organization can use sanctions more effectively.

Dr. Mikko Siponen is Professor of Business Cybersecurity and Management at the University of Alabama's Culverhouse College of Business. He holds advanced degrees in Software Engineering, Information Systems, and Philosophy. A leading scholar in Information Systems, he ranks among the top 30 worldwide based on publications in premier journals. Professor Siponen is the only Finnish IS professor invited to join The Finnish Academy of Science and Letters. His expertise spans cybersecurity management, IS development, and philosophical aspects of IS. He has extensive experience as a visiting professor, consultant, and research leader internationally, with a particular focus on cybersecurity management.

Sanctions and Cybersecurity Policies:

• Effectiveness of Sanctions:
• Sanctions can work even without prior direct experience.
• Firsthand sanction experiences may enhance effectiveness.
• Can backfire if perceived as unjust, leading to resentment.
• Employees' Awareness and Knowledge:
• Typically lack detailed knowledge of cybersecurity policies.
• Inadequate training contributes to confusion and non-compliance.
• Policies often conflict with practical organizational needs (e.g., link clicking).

Training and Effectiveness:

• Deficiencies in Training:
• Often generic and check-the-box nature, hence ineffective.
• Rarely measured for effectiveness by providers.
• Recommendations for Improvement:
• Demand effectiveness metrics from training providers.
• Training should reduce cybersecurity risks significantly.

Practical Implications and Recommendations:

• Sanctions as a Deterrent:
• Active Sanctions:
• Monitored closely but can backfire if perceived as unjust.
• Passive Sanctions:
• Applied only when necessary, safer from backlash.
• Communication and Awareness:
• Clear, effective communication of cybersecurity policies and sanctions is crucial.
• Must bridge the gap between policy and practical enforcement.
• Balancing Fairness and Consistency:
• Consistency across departments is vital to ensure fairness.
• Fair sanctions are essential to prevent demotivation and resentment.
• Sanction Implementation Tips:
• Consider firm culture and employee perspectives.
• Pilot test sanctions; gather employee feedback.
• Obtain management support and recognize the impact of unions.

Understanding Employee Behavior:

• Psychological Impact:
• Sanctions can have long-term negative effects on employee perception.
• Need for research on the psychological impact, especially for rule-breakers.

Current Research:

• Dr. Mikko Siponen working on:
• Understanding and prevention of cybercrime through offender-victim communication.

Industry Trends:

• Increasing sophistication of threat actors, potentially enhanced by AI.

Takeaways for...