Episodes

  • Are cybersecurity sanctions effective? A conversation with Dr. Mikko Siponen
    2024/09/26

    Most organizations use sanctions as a way of enforcing cybersecurity policies and encouraging sound security behaviors. But few organizations ever test whether these sanctions are effective. Often they aren't; in fact, when used improperly sanctions can backfire. In this episode of Cyber Ways, Tom and Craig talk about sanctions and their effectiveness with Dr. Mikko Siponen of the University of Alabama's Culverhouse College of Business. Dr. Siponen is among the world's leading scholars when it comes to understanding the effects of sanctions on cybersecurity behaviors. Listen and learn how your organization can use sanctions more effectively.

    Guest bio:

    Dr. Mikko Siponen is Professor of Business Cybersecurity and Management at the University of Alabama's Culverhouse College of Business. He holds advanced degrees in Software Engineering, Information Systems, and Philosophy. A leading scholar in Information Systems, he ranks among the top 30 worldwide based on publications in premier journals. Professor Siponen is the only Finnish IS professor invited to join The Finnish Academy of Science and Letters. His expertise spans cybersecurity management, IS development, and philosophical aspects of IS. He has extensive experience as a visiting professor, consultant, and research leader internationally, with a particular focus on cybersecurity management.

    Key Topics Discussed:

    Sanctions and Cybersecurity Policies:

    • Effectiveness of Sanctions:
        • Sanctions can work even without prior direct experience.
        • Firsthand sanction experiences may enhance effectiveness.
        • Can backfire if perceived as unjust, leading to resentment.
    • Employees' Awareness and Knowledge:
        • Typically lack detailed knowledge of cybersecurity policies.
        • Inadequate training contributes to confusion and non-compliance.
        • Policies often conflict with practical organizational needs (e.g., link clicking).

    Training and Effectiveness:

    • Deficiencies in Training:
        • Often generic and check-the-box in nature, hence ineffective.
        • Rarely measured for effectiveness by providers.
    • Recommendations for Improvement:
        • Demand effectiveness metrics from training providers.
        • Training should reduce cybersecurity risks significantly.

    Practical Implications and Recommendations:

    • Sanctions as a Deterrent:
        • Active Sanctions:
            • Monitored closely but can backfire if perceived as unjust.
        • Passive Sanctions:
            • Applied only when necessary, safer from backlash.
    • Communication and Awareness:
        • Clear, effective communication of cybersecurity policies and sanctions is crucial.
        • Must bridge the gap between policy and practical enforcement.
    • Balancing Fairness and Consistency:
        • Consistency across departments is vital to ensure fairness.
        • Fair sanctions are essential to prevent demotivation and resentment.
    • Sanction Implementation Tips:
        • Consider firm culture and employee perspectives.
        • Pilot test sanctions; gather employee feedback.
        • Obtain management support and recognize the impact of unions.

    Understanding Employee Behavior:

    • Psychological Impact:
        • Sanctions can have long-term negative effects on employee perception.
        • Need for research on the psychological impact, especially for rule-breakers.

    Current Research:

    • Dr. Mikko Siponen is working on:
        • Understanding and prevention of cybercrime through offender-victim communication.

    Industry Trends:

    • Increasing sophistication of threat actors, potentially enhanced by AI.

    Takeaways for...

    34 min
  • Religion and security with Karen Renaud and Marc Dupuis
    2024/05/28

    In this thought-provoking episode of Cyber Ways, Tom and Craig discuss the intriguing topic of cybersecurity and religion with guests Dr. Karen Renaud and Dr. Marc Dupuis. Karen and Marc share insights from their research exploring the intersection of cybersecurity and world religions, offering a fresh perspective on enhancing cybersecurity practices.

    Key Points Covered:

    - The innovative research by Karen and Marc on leveraging positive values from world religions to influence cybersecurity behavior.

    - The discussion on the drawbacks of fear-based cybersecurity practices and the importance of fostering a positive culture within organizations.

    - Insights into the role of community, belonging, and sacred values in both religious communities and cybersecurity environments.

    - The parallels drawn between religious principles and cybersecurity practices, emphasizing adaptability, forgiveness, and the sense of belonging.

    - The significance of incorporating nonnegotiable values and building a culture that supports cybersecurity from top to bottom within organizations.

    As Karen and Marc shed light on the impact of incorporating religious values into cybersecurity, they advocate for a different perspective on how a sense of community, forgiveness, and grace can transform cybersecurity practices. Join Tom, Craig, Karen, and Marc as they explore the potential for positive change in cybersecurity culture by drawing upon timeless principles from world religions.

    Don't miss out on this enlightening episode of Cyber Ways and discover the transformative power of integrating religious values into cybersecurity practices. Tune in to gain a new perspective on building trust, community, and resilience in the ever-evolving landscape of cybersecurity.

    Subscribe now to Cyber Ways for more insightful discussions on innovative approaches to information security and stay ahead in the realm of cybersecurity. Go to https://cyber-ways-podcast.captivate.fm to subscribe.

    Guest bios

    Karen Renaud is a Scottish computing scientist at the University of Strathclyde in Glasgow, working on all aspects of Human-Centered Security and Privacy. She is particularly interested in deploying behavioural science techniques to improve security behaviours, and in encouraging end-user privacy-preserving behaviours. She collaborates with academics on 5 continents and incorporates findings and techniques from multiple disciplines in her research.

    Marc J. Dupuis, Ph.D., is an Associate Professor within the Computing and Software Systems Division at the University of Washington Bothell where he also serves as the Graduate Program Coordinator. Dr. Dupuis earned a Ph.D. in Information Science at the University of Washington with an emphasis on cybersecurity. His research focuses on human factors related to cybersecurity, especially how psychological traits affect cybersecurity behaviors.

    37 min
  • Fortifying Financial Data: Decoding Cybersecurity With Jake Lee
    2024/01/28

    Discover the forces shaping your financial data's safety as we sit down with the eminent Jake Lee Jaeung, the Clifford Ray King Endowed Professor of Information Systems. In a landscape where cybercriminals lurk at every digital corner, we dissect how a blend of routine activity theory and practical cybersecurity can alter the terrain to our advantage. Together, we plunge into Jake's rigorous study with 461 financial institution employees and unravel the factors that skew risk perception and the likelihood of data breaches.

    With Jake's expertise, we peel back the layers of data security, challenging the conventional wisdom that greater transparency equals higher risk. This episode illuminates how the value of information, the effectiveness of guardians, and the strategic reduction of data availability can form a robust shield against unauthorized access. We also navigate the nuanced chess game of social engineering defenses, providing valuable insights and tangible actions that can be applied across industries to shield your organization's most precious assets from the prying eyes of the digital underworld.

    Intro audio for the Cyber Ways Podcast

    Outro audio for Cyber Ways Podcast

    Cyber Ways is brought to you by the Center for Information Assurance, which is housed in the College of Business at Louisiana Tech University. The podcast is made possible through a "Just Business Grant," which is funded by the University's generous donors.

    https://business.latech.edu/cyberways/

    35 min
  • Dewald Roode Workshop with Dr. Karen Renaud
    2023/09/19

    Are you ready to shift your perspective on cybersecurity? We've got Dr. Karen Renaud, the general chair of Dewald Roode Workshop (DRW) this year and a renowned figure in information security research, to guide us on this fascinating journey. We'll be dissecting the paradigm-shifting presentations, lively debates and thought-provoking discussions from the workshop, with a special focus on Basie von Solms' revolutionary thoughts on the future of cybersecurity.

    Looking to understand why people often disregard security procedures? Or how personality traits can impact the security decisions we make? Our discussion reveals that cautiousness, morality, and self-consciousness can positively affect security decisions, but increasing security knowledge doesn't always correlate with safer decisions. As we navigate through the papers, we'll also investigate how AI-enhanced security systems could alleviate user stress and transform the way we approach security training.

    We also tackle an under-discussed issue in the cybersecurity sphere: the misuse of system access and the potential for computer abuse by managers. With their unique position of trust and autonomy, could managers be the new insider threat to watch out for? We'll also delve into the role of habits in cyber hygiene, the promises and perils of AI in the field, and how these insights can be applied in the workplace. Join us for this enlightening discussion -- it's an episode you won't want to miss!


    DRW Website: https://drw2023.github.io/
    (All papers and the Key Note slides are available on the website.)

    Papers discussed:4

    • Personality Facets and Behavior: Security Decisions under Competing Priorities, Sanjay Goel, Jingyi Huang, Alan Dennis, Kevin Williams
    • An Examination of How Security-Related Stress, Burnout, and Accountability Design Features Affect Security Operations Decisions, Mary Grace Kozuch, Adam Hooker, Philip Menard, Tien N Nguyen, Raymond Choo
    • Bosses Behaving Badly: Managers Committing Computer Abuse, Laura Amo
    • Encouraging Peer Reporting of Information Security Wrongdoings: A Normative Ethics Perspective, Reza Mousavi, Adel Yazdanmehr, Jingguo Wang, Fereshteh Ghahramani
    • Impact of Cyber Hygiene Behavior on Target Suitability using Dual Systems Embedded Dual Attitudes Model, Harsh Parekh, Andrew Schwarz
    • The Blend of Human Cognition and AI Automation: What Will ChatGPT Do to the Cybersecurity Landscape?, Hwee-Joo Kam, Chen Zhong, Hong Liu, Allen Johnston



    46 min
  • Voices of Privacy with France Bélanger and Donna Wertalik
    2023/07/31

    Ever thought about the digital footprints you leave while surfing the web? What about those convenient log-ins via multiple accounts - ever wondered about the risks involved? This week, we're thrilled to talk with Professors France Bélanger and Donna Wertalik of Virginia Tech University's Pamplin College of Business to help us unravel these intriguing questions. They're here to discuss their groundbreaking initiative, Voices of Privacy (https://www.voicesofprivacy.com/), aimed at raising awareness about the significance of online privacy and empowering individuals to make informed decisions about their data.

    Navigating the digital world can be a complex affair, with pitfalls and challenges at every turn. In our conversation with Prof. Bélanger and Prof. Wertalik, we dissect the crucial distinction between security and privacy, highlighting the understated importance of data protection. We also touch upon the increasingly blurred lines between convenience and privacy, scrutinizing the risks of logging into websites and apps with multiple accounts. Besides, we evaluate the role of big corporations in safeguarding consumer data and the dire need for raising awareness about this issue.

    As we dig deeper into this compelling conversation, we explore the Voices of Privacy initiative further. We discuss their treasure trove of resources, including engaging webisodes and insightful talks with privacy experts. We also evaluate the upcoming webisodes on children's privacy and privacy during vacation - essential, thought-provoking content that everyone should check out. So, brace yourself for an enlightening exploration of online privacy and how you can better protect your data.

    Voices of Privacy website: https://www.voicesofprivacy.com/

    47 min
  • HackGPT - Generative AI and Security with Dr. Karen Renaud and Dr. Merrill Warkentin
    2023/05/15

    ChatGPT burst into public awareness only a few months ago. ChatGPT and similar generative AI tools are popular and offer great promise, but they also represent significant threats to cybersecurity. In this episode of Cyber Ways, Tom and Craig have a fascinating discussion with Dr. Karen Renaud of the University of Strathclyde and Dr. Merrill Warkentin of Mississippi State University about their recent article in MIT Sloan Management Review, which they co-authored with George Westerman of MIT's Sloan School of Management.

    Drs. Renaud and Warkentin talk about the effects of generative AI on cybersecurity and how these tools represent a threat, but can also be part of the solution. We talk about the importance of going beyond policies and describe new ways of thinking about cybersecurity.

    Renaud, K., Warkentin, M., & Westerman, G. (2023). From ChatGPT to HackGPT: meeting the cybersecurity threat of generative AI. https://pureportal.strath.ac.uk/en/publications/from-chatgpt-to-hackgpt-meeting-the-cybersecurity-threat-of-gener

    33 min
  • Fear and Phishing with Dr. Deanna House
    2023/04/18

    Phishing attempts remain an important attack vector, despite efforts to mitigate their effectiveness. In this episode of Cyber Ways, Tom and Craig talk with Dr. Deanna House of the University of Nebraska - Omaha about her paper that examines the relationship between fear messaging and the success of phishing attempts. Dr. House gives some actionable advice to security professionals who want to help their users avoid falling victim to phishing attempts.

    34 min
  • Humans as the solution to information security with Dr. Karen Renaud
    2023/03/22

    Security professionals often treat users as a major problem with securing information assets. But what if we could view humans as the SOLUTIONS? Users aren't the enemy of security professionals and they shouldn't be treated as such. Our guest, Dr. Karen Renaud of Strathclyde University in Glasgow, Scotland, joins us to talk about the importance of treating users as allies, not the enemy, building a culture of security that focuses on successes, encourages learning, and builds resilience.

    Many of her ideas are captured in her 2019 paper:
    Zimmermann, V., & Renaud, K. (2019). Moving from a ‘human-as-problem’ to a ‘human-as-solution’ cybersecurity mindset. International Journal of Human-Computer Studies, 131, 169-187.

    43 min