ITSPmagazine Podcasts

Outside the Ivory Tower: Connecting Practice and Science — Why Human-Centered Cybersecurity Needs Both | OWASP AppSec Global 2025 Pre-Event Keynote Conversation with Kate Labunets | On Location Coverage with Sean Martin and Marco Ciappelli

Episode Summary

In this On Location episode, Kate Labunets explores how bridging the gap between cybersecurity research and real-world practice can lead to more effective, human-centered security solutions. In this conversation, she shares how understanding employee behavior—like shadow IT use—can inform better policies, communication, and collaboration between academia and industry.

Episode Notes

During the upcoming OWASP Global AppSec EU in Barcelona, Kate Labunets, a cybersecurity researcher focused on human factors and usable security, takes the stage to confront a disconnect that too often holds the industry back: the gap between academic research and real-world cybersecurity practice.

In her keynote, “Outside the Ivory Tower: Connecting Practice and Science,” Kate invites practitioners to reconsider their relationship with academic research—not as something removed from their daily reality, but as a vital tool that can lead to better decisions, more targeted security programs, and improved organizational resilience.

Drawing from her current research, Kate shares how interviews and surveys with employees reveal the hidden motivations behind the use of shadow IT—tools and technologies adopted without formal approval. These aren’t simply acts of rebellion or ignorance. They reflect misalignments between human behavior, workplace needs, and policy communication. By understanding these mindsets, organizations can move beyond one-size-fits-all training and begin designing interventions grounded in evidence.

This is where science meets practice. Kate’s work isn’t about generating abstract theories. It’s about applying research methods—like anonymous interviews and behavior-focused surveys—to surface insights that security leaders can act on. But for this to happen, researchers need access, and that depends on building trust with practitioners.

The keynote also raises a critical point about time. In industries like medicine, the gap between a published discovery and its application in the real world can be 15 years. Kate argues that cybersecurity faces a similar delay, citing the example of multi-factor authentication: patented in 1998, but still not universally adopted today. Her goal is to accelerate this timeline by helping practitioners see themselves as contributors to science—not just consumers of its outcomes.

By inviting companies to participate in research and engage with universities, Kate’s message is clear: collaboration benefits everyone. The path to smarter, more human-aligned cybersecurity isn’t gated behind academic walls. It’s open to any team curious enough to ask better questions—and brave enough to challenge assumptions.

GUEST: Kate Labunets | Assistant Professor (UD1) in Cyber Security at Utrecht University | https://www.linkedin.com/in/klabunets/

HOSTS:
Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber] | On ITSPmagazine:  https://www.itspmagazine.com/sean-martin

Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast & Audio Signals Podcast | On ITSPmagazine: https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli

SPONSORS

Manicode Security: https://itspm.ag/manicode-security-7q8i

RESOURCES

Kate's Session: https://owasp2025globalappseceu.sched.com/event/1v86U/keynote-outside-the-ivory-tower-connecting-practice-and-science

Learn more and catch more stories from OWASP AppSec Global 2025 Barcelona coverage: https://www.itspmagazine.com/owasp-global-appsec-barcelona-2025-application-security-event-coverage-in-catalunya-spain

Catch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverage


Episode Transcription


[00:00:00] Sean Martin: Marco, 
 

[00:00:02] Marco Ciappelli: Sean. 
 

[00:00:03] Sean Martin: I'm, I'm confused. 
 

[00:00:05] Marco Ciappelli: Yeah, 
 

[00:00:05] Sean Martin: You. You did har... You did. I know. I'm always confused. You did hardly. Hardly any conversations at RSA Conference in San Francisco, yet your voice is gone. I know 
 

[00:00:15] Marco Ciappelli: I, well, you know, hardly that's, that's, uh, I didn't do as much as you did for 
 

[00:00:20] Sean Martin: You didn't, you did quite a few actually. 
 

[00:00:21] Marco Ciappelli: I did a few. Um, but, uh, 
 

[00:00:24] Sean Martin: on the road again. 
 

[00:00:25] Marco Ciappelli: we, we are, uh, well, you 
 

[00:00:27] Sean Martin: left. 
 

[00:00:29] Marco Ciappelli: I follow a little later. 
 

[00:00:30] Sean Martin: dropped me off in LA somewhere, LA ish, uh, driving back from San Francisco and I'm making my way to Barcelona 
 

[00:00:37] Marco Ciappelli: Yep. 
 

[00:00:37] Sean Martin: for one of, uh. I have to say, no offense to the RSA crew, but, uh, OWASP puts on some of the best for me, some of the best conferences. 
 

They're my people, developers and engineers and, and, uh, AppSec folks. So I'm, I'm super excited to be in Barcelona for, for the end, and I'm even more excited to have Kate on with us, who's, [00:01:00] uh, hosting a keynote, which is, uh. Pretty exciting. We're gonna talk about connecting, uh, connecting the human behavior to the science and to the practitioner and all that good stuff. 
 

And Kate's gonna tell us a bit about that. Before we get to the, the topic, Kate, a few words about what you're up to, your role at the university, the work you're doing there. Anything else you wanna share, your connection to OWASP and how you, how you got the keynote, which is cool. Congratulations by the way. 
 

[00:01:27] Kate Labunets: Thanks. It's also a pleasure to join, uh, you on this podcast and to share my perspective and hopefully to engage more people, uh, joining OWASP and attending my keynote. Well, um, I have pretty, uh, diverse background, so coming from Minsk, Belarus, I studied also in Italy. And in a nature, I'm an empirical scientist and I would like to share my perspective on how to conduct research [00:02:00] with real world, uh, with practitioners. 
 

Right now I'm into human factors in cybersecurity research and usable security. So for me, it's the most interesting to find out how different stakeholders in organizations understand. The same cybersecurity concepts and how the gaps in this understanding cause problems and make companies vulnerable. 
 

So in my keynote, I would like to. Talk about the challenges that we as researchers face when we try to reach out to practitioners, engage them in our studies. Many of you probably received, uh, survey invitations or requests for interviews. But it feels like, is it really science? What can I do with this? 
 

Yeah. Like we [00:03:00] doing interview, we sharing our background, expertise, um, our perspective. And for us as researchers, it's also a valid tool. How to collect data and learn about what's going on right now in industry. What are the current challenges, what are the problems that you're facing, and how different people are solving these problems. 
 

[00:03:21] Marco Ciappelli: All right. Let me, let me ask you a question before Sean goes more. Deeper in the, in the, in the AppSec world. I'm more interested into, of course, what you said, the human aspect, but also the science and, and the relationships. So often we talk about these cybersecurity being an industry that is. Relatively young, and I don't know if sometimes it's an excuse, but it's thrown out there quite a bit and uh, you know, there are a high expectation and challenges and all of that, but I feel like, you know, everybody or everything has been young in a certain point when you begin. 
 

So [00:04:00] feel like. This connection between the science and the empirical world the practitioner, but also the, the industry in general, the, the commercial activity. I, I didn't expect that there was a divide there. So tell me a little bit more about this divide that you feel as a researcher and is the missing connection link with the real world. 
 

[00:04:29] Kate Labunets: Well, maybe it's easier for more senior researchers with well established networks to recruit participants and to, uh, get companies on board with this research. But for the scientists, uh, as young as myself, uh, it's. A real challenge to, uh, get access to practitioners and build this trusted relationship. 
 

And like a good researcher can be like a priest for a company. So we can tell you about your things to remind [00:05:00] about them, but also we can find, uh, together we use some roadmap to redemption of these things. So, and hopefully the result, we will share these findings with the broader community. Obviously, we will anonymize this data. 
 

[00:05:17] Marco Ciappelli: Is it happening already? I mean, is it better now? What? It would compare with, I don't know, five, 10 years ago? 
 

[00:05:26] Kate Labunets: Well, I think with the growth of the. Of the community, it's definitely better because if you get one reject, you can reach out to a dozen more companies and maybe one of them will be more proactive at more enthusiastic about, uh, this problem. But definitely takes a lot of, uh, resources and effort to, uh, to connect with practitioners. 
 

[00:05:54] Sean Martin: All right. Can you share some examples of. What [00:06:00] the, the survey, the inquiries, the queries, whatever, uh, contains so we can kinda get a picture of what you're trying to extract. And then maybe after that we can talk about you analyze that, data to come up with, with some guidance. 
 

[00:06:16] Kate Labunets: Well, it depends on the research problems that we are, uh, aiming to solve. Um, but one of the recent, for example, uh, examples that we, um. Now working on is a shadow IT, uh, attitudes of employees in the companies. And so we started as an interview and survey study within one large company where we tried to figure out as a research team what kind of. 
 

Perception employees and companies have towards using shadow IT. Sometimes they even had a moment of realization that, okay, hmm, that's why this interview is anonymous because I'm not supposed to [00:07:00] use this, uh, piece of software or, uh, cloud service. Uh, um, and then. Based on, uh, the outcome of these interviews. 
 

We designed a survey, tried to prompt employees about the attitudes, so set of shadow IT mindsets, so how different people perceive, uh, the same concepts and what are motivations that they have towards adopting and using the shadow IT in a company, even though there is a. Kind of clear policy about, uh, how to use technologies. 
 

Now we try to, uh, evolve and improve the survey in order to be able to capture and, um, let's say weaponize companies also, uh, with an instrument to learn about the, um, set of [00:08:00] such mindsets among the employees. We hope that it'll help also to adjust the security solutions and, uh, risk communication within company knowing that there is actually a diverse set of reasons for using Shadow IT and maybe lack of guidance for, uh, for these employees about this topic. 
 

[00:08:25] Sean Martin: And can I, can I touch on that communication piece? I know you, 
 

[00:08:28] Kate Labunets: Yep. 
 

[00:08:29] Sean Martin: done a lot of work on in this area as well, what I'm picturing you said weaponize and I, I feel maybe fighting humans with humans or, or language with language or mindset. With mindset instead of just trying to find a, a set of technologies to come in and save the day. Because I, I was thinking primarily to the policy, right? There's a policy in place. We don't think the way the policy's written. We think about how we function as humans and how we're operating in, in our environment at work. And they, there's a [00:09:00] disconnect there. And, and perhaps the communication and the training also doesn't align well with how we think. 
 

Um, it's more coming from the company and the business and the operations perspective, less, less perhaps the human mindset. So any thoughts or comments on that? 
 

[00:09:17] Kate Labunets: Well weaponize, um, here using it in a more positive way to help companies also to realize, uh, this lack of communication or lack of more targeted training. And hopefully by learning about the, uh, now more diverse, uh, types of employees and attitudes towards specific technology and cybersecurity solutions company have. 
 

We actually, so they're not no longer facing this brick wall of not understanding what's going on inside their own ecosystem, but also learning and improving based on this knowledge. So more adopting [00:10:00] evidence-based approach to towards also how to train the employees, how to communicate about risks, but also what sort of technologies are working or not, and how to improve them. 
 

[00:10:14] Marco Ciappelli: So I'm gonna jump in with this 'cause I can see we always talk again about sharing information, threat intelligence, collaborating in the community, keeping a secret, keeping the breach. It's all school. Keeping something private. I mean, I know it's a competitive world, but if we are going to be a little idealistic. We all want to win this battle cyber crime, so I feel. Ideally, you know, the, the, the companies and, and the professionals should welcome the contribution of a party, like a research group, a university to be above the parts most of the time. And, and that's, uh, I'm just wondering [00:11:00] is it a lack of incentive for the company? 
 

Is it trying to protect their secrets? What, what's your feel about this? 
 

[00:11:11] Kate Labunets: Well, I can only speak away because I'm not a company. 
 

[00:11:14] Marco Ciappelli: Right. Yeah. Your percept, your, your perspective. 
 

[00:11:18] Kate Labunets: Um, well, I think it depends on the goals of the company and actually I have good examples of a productive and um, collaboration with people from industry as well. But mostly what kind of unites these people for me, this is a kind of inner curiosity about learning, more about using, um, a new methods or new solutions. 
 

So, um, also kind of inner incentive to share their own knowledge as well, so it's more mutually beneficial process. [00:12:00] What kind of stops other practitioners or management of the companies, maybe the goal and kind of the goal of making more money, attracting customers, uh, increasing their revenues. Who knows? 
 

[00:12:23] Marco Ciappelli: Sean, do you have an answer? 
 

[00:12:24] Sean Martin: I always have the answer. 
 

[00:12:29] Marco Ciappelli: It's 42. 
 

[00:12:29] Sean Martin: want to, um, I think the. things. I wanna have a deeper conversation on this topic with you, so perhaps you'll join us again for, uh, for more discussion. I'm, I'm actually thinking, uh, 'cause I have a human centered, uh, subseries on redefining cybersecurity that I, that I do with Julie Haney. She's all about human centered security practices and I think the three of us have a great conversation so we can explore that. But I wanna specifically get to your. Keynote as part of 
 

[00:12:58] Marco Ciappelli: All right. 
 

[00:12:58] Sean Martin: 2025 Global [00:13:00] AppSec EU in Barcelona. So it's called Outside the Ivory Tower Connecting Practice and Science. It's Friday, May 30th at nine in the morning to kick things off that day. 
 

I think, um, give us an overview of this. Don't give away any secrets, but the overview of the structure, you intend to share with the audience, um, what you hope they'll take away from, from hearing from you, and engaging with you that day. 
 

[00:13:27] Kate Labunets: Well, I can give a little of preview for my talk as well. Um, one interesting fact that I learned when preparing for my keynote is that there is a huge gap actually between, uh, research publications and. Adopting some technology in practice. So this research gap hasn't been explored for computer science or cyber cybersecurity, but for pharmaceutical and [00:14:00] medical research, it consists 15 years now. 
 

So between researchers finding some cure or drug and actually putting it in market, a lot of time goes. I feel like with the technology it might be quite similar about decade probably. So if we look at MFA, for example, this technology hasn't, has been patented in 1998 in AT&T research labs if I'm correct, but do you remember when we start using it? 
 

[00:14:42] Sean Martin: Yesterday, I think, funny enough, Microsoft just announced they're only gonna use MFA now, right? No more passwords. So basically an MFA driven login. yeah, I mean, I'm sure there are many, well, certainly many apps that don't [00:15:00] enforce the use of MFA or some two, some additional factor. And I'm sure not every organization applies it widely or routinely across everything either still so. 
 

[00:15:11] Kate Labunets: Yeah. So in my keynote I'm going to explore how to reduce this time and how to also make practitioners aware about the ways how they can contribute to science and not being afraid of interviews and survey. So what sort of value they, uh, can contribute to this type of. Research methods, but also what they can learn maybe to seek for a collaboration with a, uh, neighborhood university and start a research project based on what are the current problems they face and seek for this help.[00:16:00]  
 

[00:16:00] Marco Ciappelli: Well, I, I, I feel they do science as well. I mean, I might get a little philosophical on this 'cause. when you work for a company and you're in development and research, you're still doing science, right? You're still innovating, you're still you're still finding solution to a problem. I think, I think that the, the goal, the final goal may be a little bit different, but I don't see it to be impossible to make it converge. 
 

So I, I think what you're doing is, it's extremely important. I think that. Also, there should be a reach from the other side as well. And I'm sure in some cases there is to collaborate with, with research group and university. So, um, I love to to hear the, you know, like you mentioned that little earlier, the success stories as well that are already happening. 
 

There are those that do collaborate, they come out from the. The tower and, and they, and they, and [00:17:00] they, and they do these, and I feel like, I feel like OWASP's the perfect place to do that. So. 
 

[00:17:07] Kate Labunets: Yeah, that's why for me it is also important to reach out and talk to community, um, because, uh. You are our fuel, basically, and source of knowledge for our research, not specifically for mine, but in general for cybersecurity is also an important part of community. 
 

[00:17:27] Marco Ciappelli: Yeah. 
 

[00:17:28] Sean Martin: Absolutely. Especially since these teams are building. Building apps with security built in, hopefully, right? That that'll impact many, many, many, many people. Kate, I'm excited to, uh, to hear your keynote on Friday. Uh. The, the entire conference. There are two days of training, three days of training, 26th through the 28th of May, then the 29th and 30th are the, are the keynotes and sessions and presentations and panels and all that good stuff. I'll be on location, uh, that [00:18:00] week, hoping to catch, you'll catch a selfie with you and maybe a chat there as well. And, uh, with many others we have more, more coming. From, uh, OWASP AppSec Global, we're gonna get an overview from some of the organizers and, and, uh, some chats with some additional folks, uh, who are speaking there as well. Kate, congratulations on, uh, getting this keynote spot, um, and sharing this information and, and getting that call to action out to this very important group uh, I look forward to seeing you there, Marco, anything else? 
 

[00:18:32] Marco Ciappelli: Nope. I, I hope that, uh, with my intention to be much more in Europe next year, it's gonna be a lot easier for me to just jump on a plane for like 45 minutes and, and join the OWASP community, which I am not gonna be a part of that. And it is Sean's passion, 
 

[00:18:50] Sean Martin: It is my 
 

[00:18:51] Marco Ciappelli: but, but I have met so many people in this community and it is a pretty awesome community. 
 

So, 
 

[00:18:58] Sean Martin: community. 
 

[00:18:59] Marco Ciappelli: yeah. 
 

[00:18:59] Sean Martin: Yep. [00:19:00] Well, with that, I will say thank you again, Kate, and, uh, safe journey to Barcelona. everybody for listening and watching. Please do subscribe and share and, uh, stay tuned for more coming from OWASP AppSec Global EU and, uh, more on location with Marco and myself. We're, uh, we're busy over the next few months. 
 

London coming after that, after, uh, 
 

[00:19:24] Marco Ciappelli: And Las Vegas after that. 
 

[00:19:26] Sean Martin: Vegas after that, so stay tuned. again, Kate. 
 

[00:19:30] Kate Labunets: Thank you, Sean. Thank you, Marco, and I'm looking forward to meeting you in Barcelona. 
 

[00:19:36] Marco Ciappelli: Thank 
 

[00:19:36] Kate Labunets: Bye. 
 

[00:19:36] Marco Ciappelli: Kate. Bye.