Explore how Nadine Michaelides, a security and crime psychologist, redefines the role of employees in cybersecurity by focusing on intrinsic motivation and human risk management. Joined by hosts Julie Haney and Sean Martin, this episode delves into creating a culture where the human element strengthens, rather than weakens, digital defenses.
Guests:
Nadine Michaelides, CEO / VD, Anima People
On LinkedIn | https://www.linkedin.com/in/nadinemichaelides/
Julie Haney, Computer scientist and Human-Centered Cybersecurity Program Lead, National Institute of Standards and Technology [@NISTcyber]
On LinkedIn | https://www.linkedin.com/in/julie-haney-037449119/
____________________________
Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/sean-martin
___________________________
Episode Notes
Imagine a world where employees aren't just potential risks, but the vanguard of cyber defense. A world where the human element, long considered the weakest link in security, becomes the cornerstone of an impenetrable digital fortress.
The latest episode of the Human Centered sub-series on the Redefining CyberSecurity podcast features a compelling discussion with Nadine Michaelides, a security and crime psychologist, researcher at University College London, speaker, and entrepreneur. Julie Haney co-hosts the episode with Sean Martin, discussing the critical role employees play in strengthening cybersecurity defenses.
Nadine Michaelides shares her insights on the shift from viewing employees as potential risks to recognizing them as essential components of a robust cybersecurity strategy. This approach emphasizes the importance of understanding the human element in security and integrating psychological principles to improve employee engagement and motivation. Unlike purely technical measures, human-centered cybersecurity focuses on fostering intrinsic motivation and creating a culture where security is an integral part of daily operations.
The conversation highlights the importance of moving beyond mere awareness campaigns. According to Michaelides, simply making employees aware of security risks is insufficient. Organizations must focus on creating intrinsic motivation, ensuring that employees understand and internalize the significance of their actions. This can be achieved through effective training, clear communication, and involving employees in security initiatives.
Michaelides also introduces the concept of human risk management, which involves assessing and addressing the psychological and behavioral factors that influence cybersecurity. She stresses the need for a multidisciplinary approach, incorporating insights from psychology, sociology, and organizational behavior to create comprehensive security strategies. This holistic approach helps organizations identify and mitigate risks more effectively, as it considers the diverse motivations and behaviors of employees.
Sean Martin raises an interesting point about how personal risk assessments can parallel organizational security measures. He suggests that just as individuals assess the risks associated with their actions and make informed decisions, organizations should empower employees to understand and manage their own cybersecurity risks. This empowerment can lead to more proactive and responsible security behaviors.
The discussion also touches on the significance of cultural factors in cybersecurity. Michaelides explains that security initiatives must resonate with the cultural values and norms of the workforce to be truly effective. This involves creating tailored security content that reflects the diverse backgrounds and experiences of employees, making it relevant and engaging for everyone.
Julie Haney underscores the potential of employee feedback loops in enhancing security measures. She suggests that organizations should actively seek input from employees to identify pain points and areas for improvement in their security practices. By involving employees in the development and refinement of security protocols, organizations can create a more supportive and effective security culture.
In conclusion, the episode presents a forward-thinking perspective on cybersecurity, advocating for a shift from traditional, top-down approaches to more inclusive and employee-centered strategies. By recognizing and leveraging the human element, organizations can transform their employees from potential vulnerabilities into key defenders of digital assets.
When Risk Management and Information Security Resonate with Hearts and Minds | A Conversation with Nadine Michaelides and Julie Haney | Redefining CyberSecurity with Sean Martin
Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.
_________________________________________
Julie Haney: [00:00:00] Okay.
Sean Martin: And hello, everybody. You're very welcome to a new Redefining CyberSecurity Podcast here on ITSPmagazine. This is Sean Martin, your host, where if you listen to the show, you know, I get to talk to loads of cool people about cool things, ultimately helping businesses and their teams, uh, bring security into the fold in a way that enables business and drives value for customers, not just reduce risk, but hopefully generate revenue and protect it in the process. And I'm thrilled to have Julie Haney on, who joins me as a co-host for the sub-series, and I'm thrilled, thrilled to see you again, Julie. It's been a few weeks. Good, good to have you.
Julie Haney: Yeah, it's been, it's been a few months. Uh, we've both been pretty busy and traveling.
Sean Martin: Busy summer, busy summer, doing good stuff, hopefully on both sides. And, uh, this is all rooted in the research of, obviously, as the, as it says in the, uh, the title, [00:01:00] human-centered cybersecurity. So not just the tech, but how do we, how do we understand who we are as, as humans and, uh, what that means using tech and what that means protecting ourselves with technology.
And, and it's not magic, right? This is research driven by people understanding how people work. And, uh, I'm going to leave it to you, Julie, to kind of introduce our guest today.
Julie Haney: Thanks, Sean. Um, so I am excited that today we have as our guest Nadine Michaelides. Um, Nadine is a security and a crime psychologist. She's a researcher at University College London. She's a speaker and an entrepreneur. Um, so she has tons of free time, no doubt, um, and I met Nadine maybe about a year ago, give or take, and we had a great discussion about the work that she's doing, um, which is absolutely fascinating.
It's rooted in psychology. Um, it's evidence based and has [00:02:00] real practical applicability, um, to, uh, organizations today. So welcome, Nadine. Glad to have you on the podcast.
Nadine Michaelides: Thank you. It's great to be here.
Julie Haney: So one of the things that I find, um, absolutely fascinating is that I've been meeting more and more people who are working in cybersecurity, but they started off in a completely different discipline, um, but now they're, they're in the field and they're bringing these great people skills that they learned in these other disciplines.
And you are one of those people, Nadine, where you didn't start off in cybersecurity. Um, so can you tell us a little bit about your professional journey? How did you get to where you are now?
Nadine Michaelides: Yes, of course. So I started out, um, as an undergrad in psychology and, um, and then essentially went into stakeholder engagement and communications around big digital transformations, big [00:03:00] projects. So national healthcare projects in the UK, we have the National Health Service, which is a public sector healthcare organization.
And so myself, um, as a consultant was responsible for the people aspect of the project, which can make or break them. We're talking about multi-billion-pound projects, uh, mergers, acquisitions, consolidation of services, digital, a lot of digital transformation. And without the people, those projects would collapse.
So the methodologies that I would use were very much, um, employee focused. So we would use psychological methodologies. Um, also looking at sort of employee feedback was, it was a major thing that we rolled out across England. Um, so that we could really gauge, um, the level of, um, the experience that, um, patients and employees were having and what impact that had on these projects.
So, yeah, so I started very much out in, um, a different world, not a cybersecurity world, more [00:04:00] around healthcare, but with very similar problems. How do we engage people? How do we motivate them for change when it feels uncomfortable? Um, there was a lot of redundancies and changes of ways of working that people were not necessarily embracing and open to.
So it becomes a way of how can we influence without it being a top-down approach, but more of a kind of bottom-up, um, on a level playing field approach. So I ended up, um, actually in, in cybersecurity, um, only about five years ago. And it was when I decided I was going to, um, go back to education and do three master's degrees actually.
And, um, the first one was investigative journalism, just because it was, uh, beginning of COVID times, I was feeling, pretty, uh, like I wanted to do something a little bit different. And I ended up in this journalism project, um, with, uh, Uppdrag granskning, which is kind of [00:05:00] a, uh, Panorama, the UK would call it Panorama, but a secret investigative project.
And the focus was on, sort of, surveillance, drug cartels and cybersecurity. So I was working with these cybersecurity agencies and I realized that actually that the problems that they were facing, um, in being able to secure these organizations from harm was very much related to human factors and this people aspect that I've been dealing with for very many years.
And, um, I really felt that, um, organizational psychology, or otherwise known as business psychology or occupational psychology, could offer a lot of value in helping to, um, engage, motivate, and understand the people factor, um, and therefore, um, protect those organizations from harm. So, um, so I then went on to, to do another master's degree in organizational psychology and, and engage University College London as part of a [00:06:00] PhD doctorate and continue that education while still simultaneously, um, working with security professionals to understand what the issues were and, and what kind of methodologies were around in research that could help mitigate some of that risk from a human factors perspective.
Sean Martin: Fascinating, uh, for sure. I'm excited to dig into it. Um, I know Julie's probably going to take us here, uh, kind of deeper into some of that research, but I want to ask this question about the work that you've done over the last few years, when we, when we talk cybersecurity, we, we tend to have conversations that everything's constantly changing, the threat actors are changing, their, their objectives are changing, the tech is changing.
The tech stack is changing, business capabilities are changing, a lot of change here.
So one, like a layman myself, one might think, well, the human is kind of static. Our makeup is our makeup. [00:07:00]
Then you mentioned during COVID times, you changed, you wanted to change the, things up a little bit and look at different things, which leads me to think, well, maybe we're, we're always changing as well. So I don't know your thoughts on that in terms of how that fits into society and how that might affect how we approach some of the stuff from a cybersecurity perspective.
Nadine Michaelides: Yeah, that's, that's a very interesting question that I've never been asked before, actually, but it's, it's spot on. It's, so, change management and methodologies around change management are very much appropriate for this as well. And so managing the people aspect of change, because people respond to change in very different ways.
Some people are very reluctant or resistant, and some people embrace it and are torchbearers of change and create change and love change. So understanding those, so, different characteristics of human beings can help you understand how people will relate to that change. Um, because essentially cybersecurity behaviors, [00:08:00] uh, which is what we want all employees to do, rely on employees changing in some ways.
So it's not just about changing whether they change their passwords, it's changing their mindset towards security and cybersecurity. So we need them to have this mindset that they, they care about their organization's wellbeing, their own wellbeing, their team's wellbeing. And part of that is about, of that organization and adopting certain behaviors. So change is extremely relevant. Um, and it's something that's been studied, um, for many, many years in psychology and a big part of my research. Um, but actually a layer below that, which is even more critical than the change, which is essentially a, still a surface-level phenomenon, is, is motivation. Um, so motivation is the, the core aspect of, of my particular research in this area and also the psychometrics [00:09:00] that, that I've developed at University College London and as part of the work that I do from a practitioner point of view in my, in my company.
So essentially it's, uh, change is important. How we respond to change is very important. How other people respond to change and understanding how whole teams respond. So there's something called the, um, psychological contract. And, um, and that is a psychological, um, phenomenon, which has been tested since the 1990s.
And that is, um, I won't go too much into the psychology of it, because not everyone is a psychologist and wants to know the detail, but essentially it's, it's those sorts of extra factors. So rather than what's in black and white on a work contract, it's those sorts of other expectations that we have around our employees.
So it could be that, um, we expect that if we work really hard and excel in what we're doing, that we may get promoted or that we may get a salary [00:10:00] rise of some sort, or it could be that you expect to be treated as a, as a valuable human being, an employee, as part of your career, and your manager should be respectful of you.
So these are expectations that we have. And, uh, and when that, when that's very positive, when that relationship with your employer and your, the organization is very positive, it promotes these positive attitudes and positive behaviors. Um, when it becomes negative, when that, uh, psychological contract breach occurs, and we have a breakdown in expectations between the employer and the employee, it creates disgruntlement, it creates maliciousness, this sort of not necessarily intentional harm against the organization, but, um, layers below that, which is not dissimilar from the, the change methodologies and our approach to change in the sense of the way we may be reluctant or resistant to adopting [00:11:00] security behaviors or change. Um, so it's not necessarily malicious. So essentially what I do is I, I, as part of my research, um, and also what I do in my daily work is I move away from this
Julie Haney: Okay.
Nadine Michaelides: good and bad apples and more into really understanding the employee, the individual employee, and how do they relate to the rest of their teams and their organization through employee feedback loops, um, through psychometrics, um, through understanding, um, organizational factors that may exist within the organization that may predetermine behavior.
Um, so it can be basic things like [00:12:00] encryption tools are, um, not enabling employees to fulfill the needs of their jobs, particularly if they're, for example, thinking back to one of the big projects I worked for, the UK bank, if they are high net worth individuals, that their clients are high net worth individuals, and they're VIP account managers and their responsibilities are to provide an exemplary service.
And yet there are all these barriers in place. Um, so they become, um, barriers to them being able to fulfill the needs of their job and fulfill the needs of their clients. So things that are these organizational factors, well, which are really important. So yes, that's a long answer to your short question, but change is a fundamental part, and how we respond to change is incredibly important when we look at the human-centered security aspect.
Julie Haney: Yeah, that, that's fantastic. And I, and I know our initial discussion about the psychological contact, uh, contract really, I mean, that really drew me in [00:13:00] because it makes sense that when people are kind of disgruntled with their employer, they're not going to necessarily go above and beyond to take these extra security measures, actions, that is really, you know, not necessarily part of their primary job. Um, so, you know, they, they don't have that incentive to, to do that. Um, so I mean, that was a fantastic overview of, you know, some of the factors that are influencing employee engagement. So how, how are organizations doing with that?
Are they recognizing these, you know, what are, what are they doing well, or what can they improve on when it comes to kind of their attitudes and their approaches about that human element of cybersecurity?
Nadine Michaelides: So I like that. Um, so I think the, what's done, what's been done really well over the last two years is this drive for awareness. [00:14:00] Whilst I don't particularly enjoy the term awareness because for me, that's a very small nugget of the whole behavior change piece.
Um, it's the, probably the least important one, to be honest. Um, it's, it's a move away from technical security and into understanding the human factor. So, um, the, the other good news is, um, whilst it takes some time to evolve, particularly when we have mainly technical people that are facilitating human-centered security, um, we're also moving slightly, from my explanation and my discussions with practitioners.
My feeling is we're moving away from awareness and more into human risk management. Now, I know there's a lot of grumpiness, um, and a lot of discourse around, should it be called human risks because employees shouldn't be put in negative light and, and, and all that sort of thing. But there's a very good reason for that.
And that is because we can, we can measure risk. Um, [00:15:00] it's, it's hard to measure awareness and not in a way that matters because awareness itself. Um, I'm aware, I would say I'm aware that I shouldn't eat chocolate. After this podcast, I'm probably going to go and buy some chocolate. You know, it doesn't actually have that much influence on my behavior.
Um, and it's, it's, it's one metric, one superficial metric of compliance rate, or did I do the quiz questions correctly? It doesn't really necessarily mean that I'm going to, um, absorb that knowledge in a long term memory, repeat those behaviors. Um, completely irrelevant of my environment and what I feel about my organization and my employee, employer.
So, um, so yeah, so absolutely, so aspects like motivation, as I already mentioned, Sean mentioned change, but, but also beyond that, we need to be thinking about, you know, what do people think about security, uh, commitment, loyalty, trust? What do they think about their organizations? And these are all very [00:16:00] important factors.
So, so that's kind of this appreciation of human-centered security and human factors is a wonderful development. I think the problem with this sort of approach right now is we still have technical people defining the scope for human factors or socio-technical security. And, and what's happening, what's booming in, in, in industry right now is you've got awareness solutions.
So essentially content providers, people creating content, whether it's Hollywood, Hollywood movies, or, um, whether it's simply posters, you've got content providers managing human risk and creating human risk platforms, and, uh, you know, it doesn't take a lot of logic to understand that obviously human risk is something that's extremely serious, that requires a multidisciplinary approach, that requires psychologists, sociologists, a variety of different people to understand.
It's a holistic approach to human risk that we need. [00:17:00] Otherwise it becomes very dangerous. And when you have content creators, um, with some CISOs creating understanding, um, or creating human risk models, if you like, and defining scoring for individuals. That's, that's kind of a dangerous way to go really.
So there's becoming an increasing need for understanding employees and their motivations and their perspectives. And we need a multidisciplinary approach for that, which includes psychologists essentially. So yeah, so lots of great stuff happening, but we really need to bring the right people in the room to create the right solutions.
Sean Martin: Can I, can I ask you this Nadine, because you talk about going to get chocolate, uh, chocolate wouldn't be my favorite thing. I love chocolate. It wouldn't be the thing I go out, I'd leave the house to go get. Ice cream would be a different story. A nice gelato I'd love. And so there's risk health [00:18:00] wise to that, right?
Cholesterol and putting on weight. So for me, I can make that risk assessment. I love that we're talking about risk here, by the way. Um, whether, whether we call it human risk or whatever, but I can make that assessment of I'm going to eat that ice cream, three scoops instead of two, because I feel like it today.
I want to treat myself. Um, I will mitigate some of that risk by walking 15 miles today instead of 10 or hike two days this weekend instead of just one. I can personally do some risk mitigation myself, and in the business, they, they can put some mitigating, let's say controls or other, other factors in to help mitigate the risk that the employee brings, but is there an opportunity to help the employee understand the risk?
Nadine Michaelides: um, so I think I caught most of that. So essentially, um, I mean there are always mitigating factors and approaches that you can take. Uh, when looking at human risk, um, or any other [00:19:00] psychological factor or human centered factor around security. But, um, essentially what we're trying to do is resonate with hearts and minds.
And it's the difference between intrinsic and extrinsic motivation. So, which is another part of my research. So, um, when you're dealing with extrinsic motivation, which is the majority of initiatives that security teams have, you know, security champion, uh, initiatives or reward systems or awards. These are all extrinsic.
So, you know, we might see value in them because there's some sort of monetary value perhaps, or, you know, just a pat on the back. Um, but they tend to be quite short term and, and quite vulnerable to change. So, um, you know, you might win an award one day, but the next day, if you have a breakdown in, in communication with your manager, um, then, you know, you may be [00:20:00] tempted still to do some harm against the organization in some way, whereas if you're intrinsically motivated towards security, you're much less likely to, uh, do harm against that organization, even with a number of scenarios. So with intrinsic, um, motivation, we are resonating with hearts and minds in a way that feels like it belongs, part of us. So that's where we are able to understand how our own personal individual human risk relates to the organization, the team and the organizational wider risk.
And it becomes, they become interconnected. So you, you as an individual, as an employee, um, don't just see yourself as a temporary contractor that's, that's in it for transactional reasons for a definitive period of time. But you're actually in it because you, you see this [00:21:00] organization as being a value to you, that you see this as a career.
You see this as more of a long-term thing that you want to internalize. And, and that's when through content, through initiatives, through how employees are treated, we can create this intrinsic motivation towards their security, but their wider organization. So it becomes less about trying to get people to do specific tasks and more about trying to bring them on the journey so they understand why security is important, not just to the organizations, um, you know, so that they don't lose billions of dollars.
But actually to themselves as individuals and securing their jobs and being part of their, um, their career in the long term. And also what they, the security aspects that they may bring home with them. They bring a laptop home with them, um, or anything else. So, [00:22:00] so making security relevant to that individual in a way that matters to them is really, really important. So one of the things I did when I was working with, um, as the subject matter expert with the European Union, um, Agency for Cybersecurity, ENISA, was look at cultural factors, um, because, you know, if you're creating content, for example, whether it's a, a Hollywood movie, um, content or whether it's something a lot more simple, you have to make sure that it resonates with the, the cultural aspects of those individuals.
So if it's a foreign language or it feels too American and they're from Africa, you know, you're going to, there's, there's a barrier there to, um, really appreciating and feeling inspired and involved with the content that's being, being shared with them. So it needs to be that kind of interactive two-way appreciation for security that can be internalized.
Um, and in [00:23:00] that way, individuals then I think would have more, um, appreciation for that individual human risk, as well as how that relates to the wider organizational security posture.
Julie Haney: Yeah, I love that. It's, it's all about, um, making people feel like they're active and involved partners in security. Whereas I think, um, many in the cybersecurity community tend to view, um, the users as, you know, the weakest link or the enemy, or, you know, it's kind of an us versus them, um, type of situation instead of, um, saying, you know, we're, we're all partners in this. We all have to do our part. We all, um, have some responsibility in this. So I, I completely agree. That's, that's where we want to ideally be. Um, so you mentioned, you started to mention something about, you know, kind of taking in the kind of cultural [00:24:00] factors, um, in mind when you were trying to get employees engaged. What are some other ways that you would recommend that organizations try to engage their employees more in cybersecurity?
Nadine Michaelides: So when I was in a stakeholder engagement and communications, I always used to use: inform, involve, and inspire. It's going back a few years ago now, and it's not something I use now particularly on a daily basis, but what we do as content creators is we inform people and we assume that they will be, uh, they will understand that material, that it will resonate, that they will remember it, and they will utilize it in a positive way at some point later down the line.
The next layer above that is to involve them. So that's how we, we, that's how we get this more interactive discussion. They are involved in the journey. It's not just top down. We're actually in some way, whether it's through discussion, whether it's through the using [00:25:00] VR instead of using videos, we in some way find a way to involve, and then we have the best way of doing things, which is to inspire.
And that comes down to this intrinsic motivation. We want to inspire individuals to care about security, and they have to understand why it's important and how, what impact counterproductive behavior, which is very much a psychological term that we can measure and has been studied for many years, how counterproductive behavior can have an impact on the security posture.
And also themselves as individuals within that, that macrocosm, that, that organization. So, so stakeholder engagement is in, it's very, very important, but I mean, we're talking a lot about research. Um, you know, there's a lot of research and academia and science and psychology, which is incredibly important before, you know, rolling anything out, um, when it comes to security, but some of this is extremely logical.
It's very logical. I mean, we, it's employee [00:26:00] feedback. You know, if you want to understand what, where the problems are within an organization and why people are disengaged, why they're not doing the, um, the security training videos or why they're not changing their passwords, you just need to ask them. You know, it's, it's quite simple, really.
It might be, um, very simple reasons why they're not. You know, it could be, of course, insider threat or some sort of foreign threat actor espionage. It could be as serious as that, but equally it could be very simple and, and very, very, uh, easy for the security teams to, to change in order to increase behavior in a positive way.
So these, these employee feedback loops are extremely important and, and these days so easy to do with AI and NLP and sentiment analysis, we can get a lot of intelligence and insights, um, before we've even recruited people, right from the recruitment and selection stage. We can, we can get a lot of data and intelligence, which then [00:27:00] defines what the security teams need to do, where the hotspots are in the organization, where they need to tailor and focus their initiatives on. So we need to move away from this one-size-fits-all approach. Everybody needs to do the same three-minute videos, the same questions. Everybody hates them, you know, because ultimately it's not part of their job description.
It's not part of their bonus structures. So why should they take time out of their day to do something that they don't enjoy and feels irrelevant? Um, so we need to move away from that and more to bespoke, tailored solutions which resonate, which, you know, those individuals understand, well, actually, yeah, this makes sense to me.
I've taken, um, perhaps I've done some, some, some assessments and I can see where my lap, my gaps in knowledge are, or potential issues that might happen if I don't do certain training or have certain initiatives to mitigate risk in some way. So, yeah, so it's about this, um, [00:28:00] moving, so bottom-up approach rather than top-down, starting employee-focused solutions are the only way to go to keep that stakeholder and get that employee engagement carrying on.
Sean Martin: I love that the, uh, the, the bespoke, 'cause as, as you were talking, I was thinking engineers look at things differently than somebody in marketing and somebody in, in finance, than sales, right. And you just go down the list and then even just generational. 'Cause you used the word. Well, the objective is to kind of bring folks in, bring the employees in to feel like they're part of the organization.
Um, but some of the, some of the latest generations like transactional type activities, they want to take the Uber. They don't want to own a car or have a driver's license, right? They, they like that transactional type of engagement in many cases. So how do we, I mean, it could be an endless matrix of bespoke content.
How do we get a [00:29:00] handle on what to present to whom and know that it will stick?
Nadine Michaelides: Well, I mean, you can measure it. There are measurements that you can... I mean, you're talking about several different kinds of metrics there. If you're trying to understand whether it's stuck up here, then what you would do depends on whether you're talking about the individual or you're talking about a whole nation.
So with October Cybersecurity Month, when I was working with ENISA, you're talking about 27. How do we know, how do we evidence the fact that all this taxpayers' money that's pumped into radio, TV and various different types of content is actually having a positive impact on citizens around Europe?
And so we were actually able to measure that and, thankfully, it did have a successful impact. So the ROI was effective. So there are definitely ways that you can measure whether your initiatives have had an [00:30:00] impact and stuck. It's just a case of having either the team expertise or the functionality to be able to do that.
And I very strongly advise people to do that. I mean, unfortunately the awareness market has become a bit of a market for lemons, which was a philosopher back some years ago that defined it in that way. And it's become a bit of a tick-box exercise for people without much thought about the why and the impact,
and whether it's had a positive impact or not. So I think if we get back down to that employee-focused security and finding those ways of getting employee feedback, then we have a better chance of preventing this one-size-fits-all approach, which doesn't resonate, doesn't have an impact, doesn't stick, and doesn't create behavioral change.
Julie Haney: Yeah, the employee feedback is [00:31:00] something that I recommend, and it's very interesting because security professionals are kind of caught off guard, like, oh, we never thought about going to the people that are actually having the struggles and talking to them. But I wonder sometimes if employees are hesitant to provide that feedback, especially if it might shed some light on maybe some workarounds that they're doing that they shouldn't be doing, or it kind of admits that they don't know what's going on.
Maybe they didn't pay attention to the training. And so one of the things that I've been thinking about is, in safety we have the safety privilege, right? There's a lot of organizations trying to create a culture of safety and saying, you know, if you come forward and you talk about something, you're not going to get in trouble. And I often [00:32:00] wonder if we should have something like cyber privilege in that respect. I mean, have you, in your experience, seen that employees might be hesitant
to talk about some of the security problems that they're having?
Nadine Michaelides: ... you the answers you want, but invariably will optimize that to suit their own benefits, or perhaps out of fear of upsetting you. There's lots of reasons why it might prevent them from telling the truth. But essentially that's what psychology is here for. They have spent many, many years finding ways of analyzing employee feedback, analyzing textual or numerical values, to get enriched [00:33:00] intelligence from that, which kind of gets away from this self-reported ability to manipulate, be manipulated or manipulate other people.
So one of the ways in which I address that through my research is using situational judgment tests, which have been used by the military in the U.S. and U.K. for many, many years. And that is assessing how people respond to different scenarios. So how are they likely to behave given a certain scenario?
Which, in the military or some sort of security services, is very relevant, because if someone gets shot at the end of the street and the person responsible for resolving that situation runs away in the opposite direction, you kind of need to know that as part of the recruitment process. So this is an example: if you were to ask that individual, what would you do if someone gets shot down the street?
They're going to say, oh, of course I would [00:34:00] go straight to them and go and help, blah, blah, blah. But there are ways in which psychological methodologies and other approaches in science can help really get down to the truth of what people would really do in these different scenarios. And situational judgment tests are a really great way of doing that.
And the other reason why I like them so much is they create profiles that are based on values. So there's no right or wrong. Personality changes from one situation to another situation. So you can do the same personality test at 2 p.m. and it will be very different to what it's like at 5 p.m.
When it's values-based and it's going through different scenarios where you're having to think about how you would respond in these different scenarios, it becomes more stable over a long period of time, and it creates more insights for understanding people rather than calling them [00:35:00] good or bad apples, essentially.
Sean Martin: That's so super cool. I'd love to dig into that. I don't think we have time to do that, but I have one more question. It may be connected, actually. I'll certainly connect it to the last point that was made around measuring success, but there was a term in some of the notes, cyber psychometrics.
I don't... so can you explain what that is? Is it related to what we were just talking about, or what is it and how does it fit in, and what do people need to know?
Nadine Michaelides: Yeah, of course. I mean, people get a little bit scared when you say psychometrics, and there's been, from a marketing perspective, a lot of talk: should it be psychological assessments? Should it be human risk assessment? Should it be psychometric? I mean, essentially, yes, the situational judgment test that I'm talking about was part of a project called Project Athena, which was part of my [00:36:00] doctorate, and is psychometrics, which help to analyze security posture within an organization from an individual, if they should want it, but also wider hotspots within the organization.
So psychometrics doesn't have to be scary at all. It can be very much values-based and it can be very much about, well, how would you respond in these different situations? And actually, when we use the term psychometrics, we're also including aspects like training needs assessments, like cultural factors within organizations.
So security culture, security values, in fact even secure net promoters. So a whole heap of different kinds of metrics, and we're putting them in the psychometrics box, but just to try and bring home how important it is to understand these psychological aspects, or nuanced aspects that may exist in the organization, the socio-temporal side of technical.
And so that's why [00:37:00] we've created... or Angela Sasse, who is my supervisor at UCL, created the term socio-technical security. And I think that's a great way of putting it on a level playing field. You lost me for a minute.
Julie Haney: Yeah, we did. You just mentioned Angela.
Nadine Michaelides: Oh, okay. Right. So I was just saying that she's my supervisor at UCL, and she created the term socio-technical security, which puts the social and the technical on a level playing field, which I think is a healthy way to address security and consider human factors. And human-centered security is another great term, of course.
Julie Haney: Great. Awesome. This has been an amazing conversation, Nadine. Absolutely fascinating. I love understanding more about the psychology behind security and how organizations can better engage [00:38:00] their employees. So we're going to wrap up now. Thank you so much again for being on the podcast.
And, Sean, I'll leave it to you to take it away.
Sean Martin: You always bring amazing topics and guests to have great chats with, Julie. So I'm grateful for that. And, Nadine, it's a pleasure meeting you and having this conversation, making my brain go 100 miles an hour here. Hopefully the audience is picking up on a few things. And of course we'll leave links to your profile so folks can connect with you if they have questions about the research you've done and how it might help them and impact their own programs in the organization.
Julie, it's always a pleasure. Human-centered cybersecurity, an important thing. It's not just about the tech, and I'm honored to host this series alongside you, or, yeah, you host it along with me. [00:39:00] Everyone look up.
Julie Haney: No, it's the opposite. You're definitely the host. Thank you, Sean.
Sean Martin: I want to thank everybody for listening and watching. Be sure to subscribe and share, and stay tuned for more here on Redefining CyberSecurity. Thanks, everybody.
Julie Haney: All right. Thanks.
Nadine Michaelides: Thank you.