Re-thinking The Human Factor with Bruce Hallas

In this episode we re-visit an earlier theme explored in this series. The theme of mesurement and metrics. The question of how to measure awareness, behaviour or culture is something we consistently come across here at Re-thinking the Human Factor when exploring opportunities to work with clients. There's an palpable feeling, across industry chatter, that there's a real lack of maturity when it comes to how we demonstrate the effectiveness of our effrots to influence employee awareness, behaviour and culture. However, there is hope. In this episode I talk with Bernie Smith. Bernie has a focus on KPI's, not just your standard range but also he brings ideas about how you might create new metrics as well. We discuss his view on the development of metrics and how metrics can help not just measure performance but ultimately influence behaviour and shape culture.

In this episode we take a peek at the role of the security teams' own culture and its impact on the broader organisational culture. This, is an important perspective, because whilst many commentators focus on influencing organisational culture they haven't considered the role that the value and behaviours of the security team has in influencing positive security outcomes across the business. To help us explore this perspective, on cultural forces at play, we have a guest who knows a thing or two about how cultures are formed and influenced. Lianne Potter studied in social anthropology, then geeked out on technology before combining the two to shape an industry career which has achieved numerous accolades for her thought leadership in not just the human factor but also information security generally. Lianne, for me, illustrates a small, but growing force within the industry that recognises that the human factor needs to be repositioned not as an after thought once all the work of designing security controls has been done, but as a critical and key part of the process of understanding and managing information security risk. ©Copyright Marmalade Box Limited The content of this podcast is the property of Marmalade Box Limited. Any use of the content of the podcast, either in full or partially, will be considered an infringement of Marmalade Box Limited rights as sole owners of this content. Any enquiries about the use of this content should be directed to Marmalade Box Limited. Contact information can be found at www.marmaladebox.com .

If you're a regular listener then you will have already met today's guest Dr. Char Sample. Char is a force at work deep within the information security community. Char is a rarity, combining a deep knowledge of both the technical and human aspects of the challenges security professionals face when managing cyber security risks. Char and I go back a long way, to a horrible conference lunch in London, where her riveting conversation meant I didn't have to eat what was on the plate in front of me. I have been forever grateful. That riveting conversation was all about our shared understanding of how culture influences everyone's day to day behaviours and how everyday behaviours make up culture. That shared interest has led to many conversations and shared ideas about how the information security industry could step up a level by seeing the potential for improving how we assess and manage human factor risks. In this episode we capture one of those conversations. We talk about heuristics and biases, what they are and what role they might have in artificial intelligence. Why what makes us human often makes us behave in seemingly irrational ways even when presented with all the data we need  and assumptions we frequently make when developing and designing systems and processes and how this is undermining the management of business risks. Be warned, there's a lot of laughter in this episode.

In this episode we are joined by a guest who has committed their career to the world of advertising agency work. Influencing target audiences awareness of products and stacking the odds in their clients favour, that the target audience will choose their product over their competitors. The challanges our guest has faced, over the years, are in many ways similar to those that education and awareness managers, for information security and data protection, now face.

The role of the human resources function, in the the overall process of employee awareness, behavioru and culture can't be under stated. In the early days of my research, at Re-thinking the Human Factor, it was very apparent that HR was a major stakeholder. From what I like to call KPI's clash, where stakeholders KPI's sometimes clash against each other, through to employee performance and development, and from HR processes such as starters, movers and leavers, through to organisational change. The HR department can add a lot of value to the process of delivering change in employee security awareness, behaviour and culture if you work on fostering a beneficial releationship.  With that in mind I wanted to invite a guest who excels in the area of organisational development, epople management and HR. Our guest, Anne Benedict, stepped right up and agreed to share some insights into the challange of employee awareness and education, from a HR perspective.

When I first got involved in “information security” 20+ years ago, I found myself almost entirely surrounded by industry peers whose training and experience was in technology or technology disciplines. My training in law, marketing and finance, and my experience in business development, marketing, recruitment and even a stint in purchasing and supplies all seemed out of line with the world of IT security as it was called back then. As I came to understand, during my own research in human behaviour and culture, my lack of an education in technology meant I was culturally and even physically wired differently. This meant I looked at things through a different set of lenses. The result, was an approach that we would now call governance, risk and compliance. However, it was these very human disciplines, which led me to fundamentally think differently when it came to kicking off the Re-thinking the Human Factor research programme. Our guest Lana McGill, to me, enshrines the change in direction of an increasing number of forward thinking security professionals looking for a more mature approach to employee awareness, behaviour and culture. Lana believes that by diversifying their search for skills and experience, outside of the traditional industry expectations, you can bring new insights and energy to the challenge of influencing  employee behaviour and culture. Her role as a senior information security leader, in the finance sector, and her willingness to embrace other skills and experiences in the search for more effective interventions, gives hope that the industry inertia, when it comes to the human factor, may finally be shifting.   ©Copyright Marmalade Box Limited The content of this podcast is the property of Marmalade Box Limited. Any use of the content of the podcast, either in full or partially, will be considered an infringement of Marmalade Box Limited rights as sole owners of this content. Any enquiries about the use of this content should be directed to Marmalade Box Limited. Contact information can be found at www.marmaladebox.com .

Finding relevent metrics, for security awareness, behaviour and culture has been a long standing  challenge which the information security industry has struggled hard to address. Now, when I reflect on how I personally tackled metrics, around the human factor, before I kicked off my research programme here at Re-thinking the Human Factor, I recognise I had an in-mature approach. That approach focused on what data I knew I could get rather than what was useful. Some industry folks called this "vanity metrics." That's all changed now, and that change started off, with getting back to basics by looking at what the science of measurement had to say. In this episode our guest and I talk about the sceince of measurement, how it is has evolved to enable human kind to progress at every stage of human evolution and how this knowledge might shine a light on the challenge of finding effective metrics when it comes to employee awareness, behaviour and culture. If you want to know more about how we have used this and other insights into metrics to support information security professionals measure the effectiveness of their programmes to influence security awareness, behaviour and culture then visit www.re-thinkingthehumanfactor.com and register for the monthly webinar.   

Educating employees on their roles and responsilities when it comes to information security and data protection, is common sense, and, even if you don't think that's the case, it is, without a doubt, a regulatory obligation for many. So, what is "education" and what is going on in the world of learning and development which might help us to re-think the human factor? In this episode our guest, Teisa Marshik, a respected educational psychologist and passionate educator, shares how her's and her colleagues approach to educating learners is changing. We cover everything from how the effectiveness and success of education is measured, through to how advances in our understanding of human behaviour and culture, mean we now recognise that students are consuming and responding to education content based on their own life experiences and situations and what this means for traditional best practices in L&D.  

Our guest, is Dr. Ben Evans. Ben is an aeronautical engineer, and he's applying his understanding of the forces at play, to the seemingly insurmountable challenge of conquering the breaking a world record at the Bloodhound Land Speed Project. Ben talks about the laws of science and engineering which help him to find the marginal opportunities for improvement which are helping the team towards breaking the world record. But, in this interview, it's also clear to me, that success is a matter of teamwork often with colleagues with different and sometimes conflicting priorities. Understanding the forces at play includes understanding science and nature, even when it comes to human awareness, behaviour and culture, but it's also about understanding the forces at play across stakeholders, where often conflicting priorities and interests can arise. Getting the “Team” aspect right, you could argue is as important as the science which drives decision its self.

In this episode we look through the eyes and experiences of an education and awareness manager from Brazil. We explore the consistent challenges, no matter where you are or what your culture is, when it comes to employee awareness, behaviour and culture.

In this episode we delve into the world of branding with the out standing Geraldine Michel and explore possibilities for security professionals responsible for the human factor. We draw on lessons from the world of fashion, by skirting through branding and how Brand Directors and Managers utilise this mammoth of the modern day commercial world to shape and influence behaviour and culture. 

Internal communications is a major stakeholder in employee awareness, behaviour and culture. We often defer to their skills and experience as the specialists in communication strategy for reaching out to internal staff. However, there's something a foot in the industry. Traditional ideas of what makes "good internal communications" are being challenged and our good friend "behavioural science" has been a great influence on the thought leaders in the field of communications. In this episode  I talk with one such thought leader.

In previous episodes of the podcast we have explored why human judgement and decision making, which drives our behaviour, is heavily influenced by the environment within which we make our decisions. In this episode we take this one step further and ask how employee awareness, behaviour and culture pans out, after all of the theorising and planning, when the tranquil environment of corporate learning is replaced by the rawness of a major security crisis.

In this episode I am joined by my co-authors, Adrian, Ciaran and Jess, of the CyberSecurity ABC's book for a long overdue catch up. We hadn't been able to spend anytime chatting for a while and so it was fabulous to get us all together again to enjoy having a talk about security awareness, behaviour and culture. We touch on not just the challenge of employee awareness, behaviour and culture but also about industry stakeholder's roles in recognising the long overdue need for change. We explore the role of the environment in people's decision making through the way Covid 19 has shaped not just the world but highlighted the need for continually re-assessing employee education and awareness. We tread the well-trodden path and saying that education and awareness doesn't always deliver changes in behaviour and culture, and we ponder whether there needs to be a change in the language that industry uses to really break through the glass ceiling that's been imposed on everyone responsible for employee education and awareness. It's a great episode, touching on so much, with some laughter rolled in and a dodgy rendition of the Thompson Twin's Doctor, Doctor track as well.

Episode Outline: We love a different angle here at Re-thinking the human factor and we think this interview is a great new angle with which to tickle your re-thinkology senses. Pay attention closely and it's littered with insights which can make a difference to your efforts. In this episode I have the privilege to chat with the ex Information Commissioner to the United Kingdom, Richard Thomas. Richard was appointed by Her Majesty the Queen to spearhead the data protection office in its delivery of embedding privacy cultural values into day to day life in the United Kingdom. Richard explains the challenges that he and his team faced around awareness, behaviour and culture and also his thoughts around what good awareness, behaviour and culture might look like from a  regulators perspective when assessing an organisation who has been reported to the regulator for a breach in security around personal data.

The vast majority of cyber attacks target people, not technology. That's why an approach to cybersecurity that centres around people can be a game changer. Research shows that ensuring employees know what to do when faced with a real threat can reduce successful phishing attacks and malware infections by up to 90%. But how do you go about it? Do you just go for it? In this episode, we'll dive deeper into what it means to have a people-centric approach to cybersecurity, and how putting the human at the heart of your strategy can be a change gamer.

In this episode we talk with a guest who is on the front line when it comes to employee education and awareness. We talk about video content, tailoring your content to your audience and what it takes to succeed when it comes to creating videos for education and awareness purposes. We will also explore why we should not neglect, or make assumptions about, the cyber security teams brand and how our customers perceive us. And, if we get this right, how it contributes to our roles as influencers of employee awareness, behaviour and culture.

Knowing when to deliver the right education, to the right people, at the right time is critical in building security aware teams that succeed. However, when failing to maintain users engaged the organisation's exposure to threats might be an even bigger challenge to solve. In this episode, we'll diver deeper into how ‘limited attention' can result into a security awareness-poor organisation and explore the different ways in which people learn, the importance of ‘Learning Science Principles' in maximising the learning curve.

Cybersecurity awareness can be one of the most challenging items in any CISO, IT/Security team's agenda as building a program that effectively drives awareness and cultural change can be daunting. After all what makes us human, makes us a risk! So, what does it take to win when it comes to driving user behaviour? In this episode, we'll look at where do you start with a company-wide training program that aims to change behaviour and impact organisational culture. What barriers might you come across to get buy-in and how to overcome them.

Culture is an intrinsic part of what makes us human – it encompasses the social behaviour and norms found in human societies and their individuals. And, in a ‘always on' digital society, that can only mean one thing – We Click! We click to open potentially malicious emails, infected files. We click to share information and then we click to share a bit more – all in a simple click of a button. In this episode, we explore how cultures are formed and influenced by digital, social media, and we touch on the role of technology in allowing organisations to drive security awareness and cultural change in today's ‘NEW HQ'.

Humans have achieved great things, from survival through to prosperity, and all because of how our brains have evolved. However, our physical and cognitive evolution lags behind Moores law and our brains just cannot cope with the amounts of information and huge number of decisions we need to make both consciously and unconsciously every day How do our brains cope and why does this coping mechanism make us vulnerable and keep CISO's awake at night? In this episode Bruce and ProofPoint's in resident CISO Andrew Rose tackle this thorny question amongst a range of other interesting points

A conversation with award-winning CISO, Andrew Rose   ANDREW ROSE joins us for Series 3, Episode 12 of the Re-Thinking the Human Factor Podcast. Join us for this straight forward discussion with an award winning CISO who transformed security management for three major organisations.   With his extensive background, Andrew is a strong relationship manager who is able to develop and lead teams, driving initiatives forward with a style that is facilitative, tenacious and positive. Able to communicate, co-ordinate and influence effectively at all levels and respond to challenges with dedication, enthusiasm and pragmatism.    Andrew Rose is strongly focussed on sensible, cost effective security solutions being used to enable a business to innovate and develop.     AS YOU LISTEN TO THE EPISODE, IF YOU FIND YOURSELF WANTING TO IMPLEMENT SOME OF THE INSIGHTS YOU’RE GAINING BUT YOU FEEL YOU NEED A LITTLE HELP, PLEASE DO GET IN TOUCH WITH ME AT:     bruce.hallas@re-thinkingthehumanfactor.com     JOIN ANDREW ROSE AND BRUCE HALLAS AS THEY DISCUSS: The early days of cyber security and how people almost gave up on the human factor. How the idea of applying the knowledge of human awareness came into play. Challenges today’s cyber security managers face. How can you be safe if you are not secure? The key indicators to a healthy security culture. The influences that help to drive our decision-making and behaviour. Designing cyber security awareness and training with the human in mind. How to win over people to try something new. How hackers think.     RESOURCES AND TOPICS FOR FURTHER STUDY B.J. Fogg and his new book, "Tiny Habits" The Analogies Project   MORE ABOUT ANDREW ROSE: LinkedIn Twitter     Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.   Thanks for listening and sharing.   Bruce & The Re-thinking the Human Factor Podcast Team

Know your cyber security risks with Prudence Smith   PRUDENCE SMITH joins us for Series 3, Episode 11 of the Re-Thinking the Human Factor Podcast. Join us as we discuss risk assessment within a changing cyber landscape. We know our listeners are going to glean a great deal from this discussion this week and enjoy the fruits of Prudence’s years of experience.   PRUDENCE SMITH is a trusted cyber and security risk professional who has been working in security, technology and compliance in a career spanning over 20 years, working in large multinational financial institutions, senior management, client and government liaison, high-risk targets, intelligence and SMB infrastructures.   So put the kettle on, sit back and enjoy this riveting discussion as Prudence explains the importance of understanding the ever changing landscape of cyber security risk.     AS YOU LISTEN TO THE EPISODE, IF YOU FIND YOURSELF WANTING TO IMPLEMENT SOME OF THE INSIGHTS YOU’RE GAINING BUT YOU FEEL YOU NEED A LITTLE HELP, PLEASE DO GET IN TOUCH WITH ME AT:   iwanttoknowmore@re-thinkingthehumanfactor.com     TOPICS DISCUSSED: When/why human behaviour become a focus in the cyber security industry. How an audit lead to the investigation into the human factor. Cyber security awareness. Risk-based profiling.   Cyber Security Education, Awareness and Culture. What impact events such as the Coronavirus have on culture and awareness.     RESOURCES AND TOPICS FOR FURTHER STUDY RSA Conference The Analogies Project Consumer Data Research Report   MORE ABOUT TERRY O’REILLY: LinkedIn  Twitter         Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.   Thanks for listening and sharing.   Bruce & The Re-thinking the Human Factor Podcast Team

Marketing Strategy Applied To Cyber Security with TERRY O’REILLY   TERRY O’REILLY joins us for Series 3, Episode 10 of the Re-Thinking the Human Factor Podcast. Join us as we delve into the brilliant marketing mind of our guest so we can apply this understanding to our industry of cyber security and awareness.   Terry O’Reilly is the host of CBC Radio's Under the Influence. Co-Founder of The Apostrophe Podcast Company. He is also an engaging speaker and author to boot, with over 35 years of experience as an adman. He discusses the bigger issues of marketing and how it affects the public.   But most of all, Terry connects the dots when it comes to pop culture, human nature and the numerous gales and undertows that effect communication. Sprinkled, of course, with the humour required to deal with it all.    AS YOU LISTEN TO THE EPISODE, IF YOU FIND YOURSELF WANTING TO IMPLEMENT SOME OF THE INSIGHTS YOU’RE GAINING BUT YOU FEEL YOU NEED A LITTLE HELP, PLEASE DO GET IN TOUCH WITH ME AT: iwanttoknowmore@re-thinkingthehumanfactor.com     JOIN TERRY O’REILLY AND BRUCE HALLAS AS THEY DISCUSS: Marketing, and its application to cyber security and awareness. Shish Kebab Theory. The long game of cyber security awareness and training. Strategies for effectively marketing cyber security campaigns. How to gain an understanding of your target audience. Are people gathering data frequently enough? Understanding and aligning your company’s values with your cyber security goals        RESOURCES AND TOPICS FOR FURTHER STUDY This I Know - By Terry O'Reilly The Analogies Project   MORE ABOUT TERRY O’REILLY: LinkedIn Company LinkedIn Page Under The Influence Podcast     Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.   Thanks for listening and sharing.   Bruce & The Re-thinking the Human Factor Podcast Team

Why we need to re-think the human factor in security, with Bruce Hallas   Bruce Hallas sits in the hot seat for a change as Alexia of Marmalade Box grills him, for this: Series 3, Episode 4 of the Re-Thinking the Human Factor Podcast. Having received a lot of emails asking us for more information about Bruce Hallas, the host of this podcast, Alexia agreed to put Bruce through some viewer lead questioning in the hopes of delving deeper into his background and expertise.   Having trained in accounting and law, Bruce started his work life in business development, outside the realms of tech, and found himself passionate about security awareness and human behaviour. Via a series of questioning, 7 years ago Bruce was lead to his groundbreaking research that lead to his book ‘Rethinking The Human Factor’. Apart from his work as a researcher and author, he also runs Marmalade Box, a company dedicated to helping organisations cultivate and design a positive security awareness by raising awareness and influencing behaviours.   Bruce is an expert in reducing risk and helping companies design security processes that reduce the guesswork from the human factor. We know you will enjoy listening to how and why Bruce is so passionate about his chosen occupation and how you can benefit from his vast understanding.   AS YOU LISTEN TO THE EPISODE, IF YOU FIND YOURSELF WANTING TO IMPLEMENT SOME OF THE INSIGHTS YOU’RE GAINING BUT YOU FEEL YOU NEED A LITTLE HELP, PLEASE DO GET IN TOUCH WITH ME AT: iwanttoknowmore@re-thinkingthehumanfactor.com   JOIN BRUCE HALLAS AND ALEXIA AS THEY DISCUSS: The questions Bruce asked himself when he started his research journey. How understanding the human factor allows for better engagement.  Breaking down the entire system within information security to better the process.   The Analogies Project and how analogies help in shaping culture and behaviour. Who benefits the most from the Rethinking The Human Factor research? Designing with the human in mind. Does evidence point to the validity of the frame work created from the research done in Rethinking The Human Factor? The importance of establishing a cohesive vision as an anchor. How personal values influence culture. What can my organisation do to benefit from this?   RESOURCES AND TOPICS FOR FURTHER STUDY Rethinking The Human Factor by Bruce Hallas Nudge by Richard H. Thaler The Power Of Analogy by Dieter Wanner   MORE ABOUT BRUCE HALLAS: LinkedIn Marmalade Box The Analogies Project   Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.   Thanks for listening and sharing.   Bruce & The Re-thinking the Human Factor Podcast Team

Taking risks to reduce risk, with Eric Ravello   If criminals are doing research into human behaviour then they are designing phishing attacks with the human in mind. As attackers change their attacks, so must cyber security providers change their methods of dealing with them.   Eric Ravello joins us for Episode 33 of the Re-Thinking the Human Factor Podcast. We are holding strong to our promise to bring you top notch guests this week, we cannot wait to delve into this podcast topic. Eric has more than 15 years of experience within cybersecurity, acquired with multiple programs in international environments. Eric loves to inspire confidence and create cooperation for people in long term strategy. He believes we can achieve a better environment by designing and managing positive security culture programs that respect all individuals.  To transform his environment, he delivers attractive and engaging campaigns for all or tailored to specific business functions. He is not afraid to go against the grain and take risks.   AS YOU LISTEN TO THE EPISODE, IF YOU FIND YOURSELF WANTING TO IMPLEMENT SOME OF THE INSIGHTS YOU’RE GAINING BUT YOU FEEL YOU NEED A LITTLE HELP, PLEASE DO GET IN TOUCH WITH ME AT: iwanttoknowmore@re-thinkingthehumanfactor.com   RESOURCES AND TOPICS FOR FURTHER STUDY Re-Thinking The Human Factor E-Book The Analogies Project   MORE ABOUT ERIC RAVELLO: LinkedIn   Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review. Thanks for listening and sharing. Bruce & The Re-thinking the Human Factor Podcast Team

NEIL FROST joins us for Series 3, Episode 7 of the Re-Thinking the Human Factor Podcast. Join us for this straight forward discussion on how to cultivate easy to digest security campaigns that have the lasting effect of benefiting culture. Neil Frost was part of the team responsible for Security Awareness and Culture at the HMRC (the UK Tax Office). Before that he worked at the UK Police Force on Training and Awareness.    AS YOU LISTEN TO THE EPISODE, IF YOU FIND YOURSELF WANTING TO IMPLEMENT SOME OF THE INSIGHTS YOU’RE GAINING BUT YOU FEEL YOU NEED A LITTLE HELP, PLEASE DO GET IN TOUCH WITH ME AT:   iwanttoknowmore@re-thinkingthehumanfactor.com   JOIN NEIL FROST AND BRUCE HALLAS AS THEY DISCUSS: Defense against cyber attacks. Tips to make your cyber security training efforts more effective. How budgeting effects training outcomes. How perceptions can block the flow of information. Using data to create security training around the needs of your organization rather than throwing something against the wall and hoping it sticks. How to get the real data rather then answers given "just to please". Implementing lasting behavioural change through messaging and stories. Story telling as a means of communication is hard wired into human behaviour. Finding the right tools such as software platforms and technology to create your solutions.   RESOURCES AND TOPICS FOR FURTHER STUDY Wired For Story The Analogies Project   MORE ABOUT NEIL FROST: LinkedIn Bobs Business Bobs Business (Twitter)     Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.   Thanks for listening and sharing.   Bruce & The Re-thinking the Human Factor Podcast Team

The Accidental Security Specialist, with David Shipley.   Living up to our promise to bring you fantastic guests, David Shipley joins us for Series 3, Episode 6 of the Re-Thinking the Human Factor Podcast. Time to go phishing so grab your rod. David is a self professed accidental cyber security professional, but has spent time as a soldier, newspaper reporter and marketer. After a cyber hack within his company occurred, David grew increasingly interested in cyber security and was asked to take on this role within his company. Currently based in Canada, David is an award-winning entrepreneur and head of Beauceron Security. Beauceron's holistic approach to measuring and reducing cyber risk brings together threat intelligence, user education and awareness, simulated attacks and real incident data into an easy-to-use and deploy cloud platform that transforms cybersecurity from an IT-centric issue into a pan-organization management opportunity.        AS YOU LISTEN TO THE EPISODE, IF YOU FIND YOURSELF WANTING TO IMPLEMENT SOME OF THE INSIGHTS YOU’RE GAINING BUT YOU FEEL YOU NEED A LITTLE HELP, PLEASE DO GET IN TOUCH WITH ME AT: iwanttoknowmore@re-thinkingthehumanfactor.com       IN THIS EPISODE, DAVID SHIPLEY AND BRUCE HALLAS DISCUSS: The sheepdog effect. Turning the cyber victims into defenders. Empowering the person. The importance of driving behavioural reinforcement within a culture to keep positive cyber security behaviour thriving. Getting the metrics correct- Repeat clickers and what we can learn. Taking the time to make sure people really retain new cyber security-related information and behaviours. Phishing fallibility: Is someone’s emotional state a factor to be considered? The 8 emotional scale. Fear response, social hi-jacking and engineering. How time affects people’s behaviour during a 24 hour period. The power of keeping calm. Speed can often be your enemy. The Power Model - what it is and how it can be used to boost cyber-security awareness: People, environment, actions and resources. Creating an easy to use protocol to gauge involvement.  Learning from each other. Building a solid support structure. Black box culture - going deeper into more effective cyber security training: Talking about issues without laying blame. The story of the mayor that got phished. Learning from mistakes in proactive ways. Rewarding right behaviour. Scoring people and then helping them improve their performance within the security culture. Compliance: Exceeding compliance via relative, contextual, timely informative videos. Treat your audience like adults.  Using Surveying as a tool to generate better metrics around risk and awareness: The importance of your baseline and the importance of a good survey. How does bias affect survey answers and are there ways around it? Using video responses to surveying to offer training in weak spots and offer guidance and support to colleagues. Start a positive feedback loop. Phishing attacks and data strategy. Data gathering from ‘time to click’ data proves to be very fruitful at limiting risk. Huge amounts of data are available to be mined to design cyber security awareness and education pieces that change behaviour. Having a strategy for data gathering is crucial. Learning when people click leads to a defined process towards a positive security culture.  Cyber Security Marketing. The same tools that marketing applies can be used when trying to form a new culture of awareness within a business. What is a KPI clash? Where is the cyber security industry failing? Not enough focus on the human factor. Not enough funding for training. Real meaningful change comes with data and planning correctly Data driven decision making around security awareness. The need for sharing resources exists to help strengthen the entire security industry.     RESOURCES AND TOPICS FOR FURTHER STUDY More about heuristics The Analogies Project Black Box Thinking   MORE ABOUT DAVID SHIPLEY: LinkedIn Beauceron Security Twitter       Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review. Thanks for listening and sharing. Bruce & The Re-thinking the Human Factor Podcast Team

DESIGNING LEARNING EXPERIENCES THAT STICK, WITH MEGAN SUMERACKI   Megan Sumeracki joins us for Series 3, Episode 5 of the Re-Thinking the Human Factor Podcast.  Megan Sumeracki is an Assistant Professor at Rhode Island College. She co-founded the Learning Scientists in January 2016 with Yana Weinstein. Megan received her Master’s in Experimental Psychology at Washington University in St. Louis and her PhD in Cognitive Psychology from Purdue University. Her area of expertise is in human learning and memory, and applying the science of learning in educational contexts.   WHAT'S THIS EPISODE ABOUT? As cyber security practitioners, we often ask ourselves the question of how we get people to remember to do the things we tell them to do. How do we get them to retain what we teach them in our trainings? Well, you’re in luck. This conversation is full of treasures to do with how our brains work when learning and strategies (based on scientific evidence) that can help you create training situations where the information will be more likely to stick.    Side Note -- We touch a lot on something called Retrieval Practice. Retrieval practice is simply a strategy in which bringing information to mind enhances and boosts learning. It’s about deliberately pulling what we’ve learned back out of our heads to examine it.   Megan addresses empirical questions such as: What retrieval practice formats promote student learning? What retrieval practice activities work well for different types of learners? And, why does retrieval increase learning?   AS YOU LISTEN TO THE EPISODE, IF YOU FIND YOURSELF WANTING TO IMPLEMENT SOME OF THE INSIGHTS YOU’RE GAINING BUT YOU FEEL YOU NEED A LITTLE HELP, PLEASE DO GET IN TOUCH WITH ME AT: shortcuts@re-thinkingthehumanfactor.com       BELOW IS A MORE DETAILED OUTLINE OF WHAT MEGAN AND I DISCUSSED: Understanding how we learn information and how we apply and remember it. The goal of education is to teach students how to learn and retain information so they can use it in the future. The key words: Learn, memory, retain, apply. Even though a student needs to pass exams and get grades, it is more useful to retain information and are able to apply it in the future. Standardised testing could be improved as education needs to create a new behaviour rather then just stored information. Creating tests that mimic the real world can help people retain and then use new information. Data driven approach. Just because we enjoy certain methods of learning does it mean it will help me retain any new information? Challenging the way we learn can push us towards more durable learning processes. Instinct and intuition do not answer the question of education necessarily. Building effective strategies. Why cramming does not relate to long term memory of a topic. Understand what it is that helps people learn and retain information over a longer period of time. Retrieval practice bringing things to mind, spacing practice, spreading learning over a period of time. It is difficult to predict an individual way of learning rather then a larger group on average. Confirmation bias can muddy research waters. Expecting to see something can create patterns. Finding ways to remove bias such as breaking a theory down to disprove it. Results free of bias lead to stronger data.  Spacing and retrieval. Spacing and retrieval have been around since the 1800s and used repeatedly. How the true value of all knowledge and understanding is application. The art of communication. Student driven research into learning through accessibility.   What other misunderstandings do people have around learning? Designing with the human in mind. The cognitive process. Getting the information in is only one step, you have to be able to get the  information back out and apply it. Retrieval cues and how they help. The importance of finding ways to bring back to mind recently learned information to help it stick. Bridging the gap from study to new awareness and understanding. Situational awareness building can help develop new behaviours. Encoding information does not necessarily lead to retrieval.  Storytelling as a way to help retrieve new information. Holding interest to hold attention. Does interest really govern retention?  If a person likes engaging they will likely engage more with a topic or action. Attention span can often be affected by external influence like eating breakfast and rest. Bite sized learning spread out over a longer period can aid retention. Sometimes ’seductive details’ can be distracting even if entertaining.     RESOURCES AND TOPICS FOR FURTHER STUDY Understanding How We Learn: A Visual Guide Elizabeth Loftus More on Retrieval Practice   FIND MEGAN SUMERACKI ONLINE: LinkedIn Twitter Learning Scientists Website   Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.  Thanks for listening and sharing. Bruce & The Re-thinking the Human Factor Podcast Team

Storytelling For Better Cybersecurity, with Sarah Moffat Sarah Moffat joins us for Series 3, Episode 4 of the Re-Thinking the Human Factor Podcast. With a vast background in cybersecurity and understanding the human factor, Sarah is currently advising the Federal Government on privacy and security in Washington, D.C.  She is also a leadership and development coach, using her knowledge of psychology to inspire others, tailoring specific training to meet the personal needs of her clients. Can storytelling shape culture within the workspace towards better cybersecurity?  Let’s hear what Sarah has to say on this enlightening topic.   MORE ABOUT SARAH MOFFAT: https://www.linkedin.com/in/sarahcmoffat/ https://www.leadingladies.co/   JOIN SARAH MOFFAT AND BRUCE HALLAS AS THEY DISCUSS: Navigating generational influences upon the way people pick up new technology. How storytelling can help instructional design. Millennials have a very different security culture to baby boomers. Creating a map as a framework to build a program to suit different attitude types. (Because realistically, what can learn from pilots and powerpoint?) How as an industry have we seen cybersecurity education and awareness training? Is it a good idea to have it as a stand alone piece of training? Cyber security needs to become interwoven at every level of life, especially at work. Security as a life skill is needed for this new tech-based environment. How early should we all be learning cybersecurity as a culture nowadays? Cultures are formed through a process of experience, so are we doing a good enough job developing behaviours early enough? The importance of identifying right action, not only as cyber security professionals, but also helping those we lead to understand easily which choices are the “right” ones Personal choice. How to cultivate a healthy reaction. Is once a year training worthwhile in a changing security landscape? The importance of awareness training and inspiring interest throughout the year. Bridging the gap -  Implanting security into the overall culture of the organisation can better protect it. Branding strategy, touch points and brand equity are all important attributes of an effective awareness and behaviour campaign How bridging the gap between the CIO and the rest of an organisation boosts security awareness and engagement. Mistakes that can happen when creating security cultures -  The percentage of people given the responsibility for security awareness within an organisation is really high but it is another hat they wear. Ticking boxes vs. building a new culture. Protecting PII should be about protecting people. Is security awareness a risky business? Personal responsibility plays a large role in adaptation of new behaviour across culture. Investment of time and money and/or the lack thereof, and how it influences change. As security professionals, we must remember that doing the same thing over and over again expecting different results is insanity. Capitalise on what we know drives human behaviour.  Telling stories costs very little, so not much risk involved, and stories have been proven to change behaviours.   DO YOU NEED SOME HELP IMPLEMENTING THE NEW STRATEGIES YOU’RE PICKING UP? SIGN UP FOR ONE OF OUR WORKSHOPS: Re-Thinking the Human Factor – Introductory Workshop Risk Assessment Workshop   Thanks for listening and sharing, Bruce & The Re-thinking the Human Factor Podcast Team

Applying Marginal Gains One Small Step At A Time, with Chris Fleming. Chris Fleming steps in to join us for Series 3, Episode 3 of the Re-Thinking the Human Factor Podcast.  If you have been with us here for sometime you will know we strive to bring you the highest caliber guests for your listening delight.  After hearing Chris do an incredible presentation at the SANS conference on marginal gains (you all know how much we here at the podcast love those marginal gains) we knew he would be the perfect guest to bring on the show. Chris studied accounting and finance, but made a career change and is currently acting as Senior Manager of Global Security Culture & Awareness at an international insurance company. His approach to internal security is firmly rooted in understanding human behaviour to bolster security from within with both compassion and empathy.  To put it in Chris’s own words he is: ‘responsible for strengthening the human firewall...one nudge at a time.’    “Big gains can become apparent when small, incremental improvements are made across the board. In today’s interview we’ll be discussing how the various parts of the whole can be upgraded one small step at a time.”   JOIN CHRIS FLEMING AND BRUCE HALLAS AS THEY DISCUSS: Factoring human behaviour in to security procedure can allow a more empathetic reaction to security issues. Malicious insider risk, the human angle. Is a thief always just a bad egg?  Human behaviour can be affected by changes in external influences. Understanding these can create a better security culture. Creating a stronger network within internal security via education and the building of awareness, can open up the possibility of preventing internal risk. Internal support systems can be set up to help employees deal with difficulties. Small changes in the way issues are dealt with can have a huge impact. The importance of being well read to expand your knowledge.  How the aggregation of marginal gains can help you achieve your larger goal - When the British Cycling Team hired Dave Brailsford as its new performance director he changed tiny details within the teams cycling regime to change performance. Marginal gains is the concept of breaking down every single part of a whole to work on improving them individually, by as little as 1%. How simply changing a pillow had a knock on affect. The main hurdles we face when trying to apply change across a large company - When you as a team are tasked to change the security culture across an organisation it is a huge job and usually comes with little budget. A lack of manpower can be overcome by using the concept of aggregated marginal gains. Takeru Kobayashi, a professional speed eater, made incremental changes to improve his performance, breaking world records against all odds. Finding opportunities to apply material gains within security and awareness. Communications need little manpower or budget to be tackled. Simply changing the way an email is sent can reap measurable gains. Choosing your words wisely, language impacts response. Randomised controlled trials, otherwise known as AB testing, and how these help you fine tune your process.   Low risk and low investment — maximum rewards. A great compliment to larger initiatives.   RESOURCES AND TOPICS FOR FURTHER STUDY Dave Brailsford  Atomic Habits by James Clear The Kaizen Method   MORE ABOUT CHRIS FLEMING: Chris Fleming   Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.   Thanks for listening and sharing.   Bruce & The Re-thinking the Human Factor Podcast Team

What Security Awareness Professionals Can Learn From Marketers and Understanding the Customer Journey, with Kenda MacDonald.   Kenda MacDonald joins us in the hot seat for Series 3, Episode 2 of the Re-Thinking the Human Factor Podcast. We are absolutely thrilled to have Kenda MacDonald on the show today. As I’m sure you’ll agree, she has the knack for pulling things together in a way that is easy for you, the listener, to understand and digest. We could have talked all day but we managed to stop ourselves….. just.   Formerly a forensic psychology major, Kenda MacDonald is now an award winning business owner, and the award winning author of ‘Hack The Buyer Brain’. Kenda is the founder and CEO of Automation Ninjas, and she sees her mission as helping forward thinking businesses get better quality leads that convert better, for happier customers that come back and spend more. The key to this is combining buyer psychology and marketing automation.   In our show today, we're going to dive into what we in the security awareness profession can glean from insights provided by marketers such as Kenda and their understanding of human behaviour and decision-making.   "It is incredibly important to know your target market and make sure they keep on coming back for more, and with so much data available to businesses these days, there really has never been a better time to do so."   JOIN KENDA MACDONALD AND BRUCE HALLAS AS THEY DISCUSS: The importance of making the time to tailor your customer journeys via understanding why and how your customers stay the long haul with you as a business provider — whilst remaining ethically tethered.  And how this can be applied to marketing and implementing your security awareness. How does knowing human behaviour and conscious consumerism aid your business? Prevent choice paralysis. Being able to cater directly to an individual and know whether to offer them ‘A’ or ‘B’ saves time and money for both you and your users. How giving people conscious choices they will want to make, for the benefit of all, can help get things done. A happy, fulfilled customer is bringing you, the service provider, customer lifetime value via loyalty and advocacy. Building your ambassador network by learning from how it is done in marketing loyalty schemes. Customer Lifetime Value: The benefits of a lifetime customer versus a one off purchaser, and what we can learn from this. Time viewed as a lifetime value. Gaining value via full attention and usage of apps.  It’s far more cost effective to spend time getting to truly know your audience, rather then thrashing about in the dark. Give people a positive experience with little friction and they will help to generate corporation and seed new awareness within the culture around them. The importance of data gathering when trying to shape human behaviour. Humans have developed to be social animals. They have group identities and labels whether they like to admit it or not. Like attracts like and stereotypes do exist. The Customer’s Journey can be applied when implementing security awareness-  The customer’s journey is everything a consumer has to do along a path to buy and utilise a product. Avoid making the mistake of forgetting about the fact that purchasing something is only one part of a long journey as a consumer. By utilising customers’ ‘moments of truth’ you gain more lifetime value from them.  Understanding mental biases -  The brain creates a great deal of rule sets to help it make sense of the reality around it.   A cognitive bias is a systematic error in thinking that affects the decisions and judgments that people make. Some of these biases are related to memory. The individual can develop a bias towards a product or service due to recent repetition of exposure to it. The brain likes availability and ease of use. Marketing security more effectively and driving behaviour using the Heroes Journey -  Craft content to make your user feel like a hero in their own story,  Validate with data to see if your users are looking for the content you are providing. How gathering data helps you understand the wants and desires of your customers to aid you in bringing them their happily ever after.   RESOURCES AND TOPICS FOR FURTHER STUDY Hack The Buyer Brain A Prescription For Cutting Costs The Availability Bias The Sunk Cost Fallacy   MORE ABOUT KENDA MACDONALD: LinkedIn https://www.automationninjas.com/   Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.   Thanks for listening and sharing.   Bruce & The Re-thinking the Human Factor Podcast Team

Reducing Cyber Risk By Reducing Friction, with Jason Hoenich Jason Hoenich joins us as we return for Series 3, Episode 1 of the Re-Thinking the Human Factor Podcast. We are glad to be back after our hiatus having made a few changes to the podcast that we hope will add value and increase our reach so we can continue making security and behaviour awareness an engaging topic for all. Both a security vendor and a sponsor of this podcast, Jason is a leader in the security awareness arena and a well-known speaker and blogger on the subject of awareness. He is the creator of the popular Hashtag Awareness video series and he brings over a decade of experience developing world-class awareness programs for companies including The Walt Disney Company, Activision Blizzard, and Sony Pictures Entertainment. Currently the President of Habitu8.   ‘We live in the age of ‘Peak TV’ — people expect and demand high quality, binge-worthy content. If your training can grab their attention in the first 10 seconds and keep them engaged, that’s your chance to influence them and make them actually want to learn.’ - Jason Hoenich.   JOIN JASON HOENICH AND BRUCE HALLAS AS THEY DISCUSS: What challenges does one come across when applying security awareness across a behemoth such as Disney? The importance of flexibility when addressing different types of professionals coming from different mind sets. Left brain versus right brain professionals need different methods of communication. How flexibility enabled a safe space to explore new ideas and growth within user engagement. The challenges of influencing behaviour within specific environments.  Looking for friction within different departments and accepting the reality that one cap does not fit all. Understanding each department within an environment personally by spending time to observe the way they prefer communications to be presented. The issue of time when taking a more nuanced approach to security across departments: Dealing with company preconceptions about how security and behaviour awareness looks. There is a need to market security correctly to get people to change their behaviour. Making decisions easy for user engagement.  Setting expectations that are realistic is vital to the success of the mission to update security protocols across a company.  Identifying stake holders and how it aids success: The foundational action is to engage key stake holders early on for optimum results.  Corporate communications need to be brought into alignment quickly and painlessly. Selling the broader strategy and strengthening the internal ambassador network. The importance of change and how to tackle bias. Looking for ways to make communications more engaging. Crafting media to suit the audience and appeal to their attention span. How does staying fresh and relevant effect engagement?  The famous ‘jam experiment’ and what can be gleaned from it. Choice architecture and applying it to security and human behaviour. A small amount of high quality choice equals a greater reaction. Understanding whether or not the process makes sense to the users to remove any friction. Role of regulators -  Just because the law says it must be done, does this mean it gets done?  Are regulations aiding the job of security awareness and education managers and is there any room for creativity? We cannot treat humans the same way we treat computers and the digital realm. Human behaviour needs to be accounted for. Reducing the risk of noncompliance via applied understanding of human behaviour.   RESOURCES AND TOPICS FOR FURTHER STUDY https://scottfenstermaker.com/too-much-choice-the-jam-experiment/ bruce.hallas@marmaladebox.com https://www.marmaladebox.com/training/   MORE ABOUT JASON HOENICH LinkedIn https://www.habitu8.io/   Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.   Thanks for listening and sharing.   Bruce & The Re-thinking the Human Factor Podcast Team

The Road to Effective Leadership and Successful Organizational Change, with John P. Kotter   John P. Kotter joins us on the show for episode 25 of the Re-Thinking the Human Factor Podcast.   We know that while some of our listeners will see his name and ask themselves, “Who?”,  those who are familiar with John P. Kotter’s work will be asking, “How?”. As in, ‘How did they get him on the podcast?’. Wherever you find yourself on the spectrum, we are very excited to bring you this interview with someone whom we consider to be a living legend.   John P. Kotter is regarded by many as the authority on leadership and change. He is a New York Times best-selling author, award winning business and management thought leader, business entrepreneur, inspirational speaker and Harvard Professor. Kotter’s ideas, books, speeches, and company, Kotter International, have helped mobilise people around the world to better lead organisations, and their own lives, in an era of increasingly rapid change.   Change management is an area in cyber security that requires consistent learning, creativity, re-tooling, and re-thinking. We know that. So we are excited to share this pertinent interview with you today. JOIN JOHN KOTTER AND BRUCE HALLAS AS THEY DISCUSS: The importance of having time for reflection in order to bring about clarity of thought. Clarity is the door to creativity, curiosity, innovation, and ultimately, change. We have two systems operating at a subconscious level - Survival Mode, a system developed over time to help us identify and respond to threats quickly in order to to ensure survival. Thrive mode, which is the brain’s system for recognising opportunity and is most likely responsible for our species emerging from the Savannah and from caves. Understanding these two modes is important. An organisation whose leaders and workers operating most often in Survival Mode will have a far more difficult time accessing the clarity and creativity that Thrive Mode affords us. This ultimately means that change and innovation will be more difficult to accomplish in those organisations. What factors are present in organisations that have successfully implemented organisational changes vs. those that fail to meet their objectives. Understanding various barriers to change, such as - How our dominant survival trait when married with desire for consistent output creates an environment where change is difficult Complacency, a huge barrier to change False urgency, which is driven by the Survival system The power of a Guiding Coalition to help achieve organisational change and the difference between that style of leadership vs. traditional management styles Best practice around communication - Emotional communication is more sticky than dry, non-emotional messaging. Interestingly enough, a person with buy-in for an idea is more likely to naturally convey emotion when speaking about the idea than the one who is going along because he/she has to do so. Frequency is also key to making messages stick Communicating ideas in various ways helps ensure the message is picked up by lots of different people Enabling situations where quick wins are possible for an organisation is a necessary practice for a few reasons - Establishing credibility for a change initiative is a huge issue at the beginning of the change process, and quick wins establish the necessary trust in an idea so that buy-in is possible. Quick wins then enact the Thrive System in the brain when the brain receives feedback that progress is being made. A series of wins keeps the Thrive System running and helps people to hang in for the long haul of proposed change.   RESOURCES AND TOPICS FOR FURTHER STUDY Guiding Coalitions The availability heuristic bias Survival Mode vs. Thrive Mode   MORE ABOUT JOHN P. KOTTER: LinkedIn   Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.   Thanks for listening and sharing.   Bruce & The Re-thinking the Human Factor Podcast Team

What children's books can teach us about changing behaviour, with Todd Courtney   Welcome to episode 24 of the Re-Thinking the Human Factor Podcast. Joining us on the show today is Todd Courtney, an author who has created a series of children’s books in partnership with his wife that are scientifically based and geared towards instilling children with healthy mindsets and positive behavioural circuitry. The catch is that behavioural patterns are almost completely solidified in the brain by the age of 7. Todd and his wife have created several children’s books with the goal of helping create balance in the minds of children. The aim is create balance between the messaging their young readers receive from their environment and personal relationships, with an inner neural network and idea landscape composed of positive affirmations and behaviours.   JOIN TODD COURTNEY AND BRUCE HALLAS AS THEY DISCUSS THE FOLLOWING: How the Max Rhymes books help instill positive behavioural patterns in young children. Cultural differences in how one’s “truth” is understood and how that truth effects behaviour. The influence of one’s close circle of friends or family on one’s truth, and how that might relate to groups in a work environment. Studies around behavioural influence initiatives and their effectiveness necessitate long-sightedness and patience to achieve accurate metrics and positive results. Only 1 / 10 adults ever change their behavioural patterns. Change must come from within, and change imposed from without will be met with resistance. How governments and other stakeholders in the industry are trying to educate children about internet usage safety and other topics around educating children.   RESOURCES MENTIONED How to be Idle by Tom Hodgkinson Culture and Security with Gert Jan Hofstede (Re-Thinking the Human Factor, Episode 6) Heather, Chase, and the Cynja Comic Series (Re-Thinking the Human Factor, Episode 2)   MORE ABOUT TODD COURTNEY: Max Rhymes Website LinkedIn   Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.   Thanks for listening and sharing.   Bruce & The Re-thinking the Human Factor Podcast Team

How to develop a security culture, interview with Gert Jan Hofstede Understanding the role of culture is crucial if we want to develop a security culture. Especially if we want to have a realistic chance of influencing behaviour, which is probably why we're wanting to develop a security culture in the first place. This is because culture is like a body of water. If you come at the water from high above at too high a velocity with a massive, weighty body of change, the body of water will act like a slab of concrete.  You'll get a very different response, however, if you approach the water from a closer range, at a slower speed and with something more streamlined. You’ll glide through to the underside of the water and be able to explore the intricate inner-workings of the ecosystem contained within. It’s that understanding which will guide your cyber security awareness, behaviour, and culture initiatives towards a greater chance of success.     Gert Jan Hofstede joins us for a second time on the show for Episode 23 of the Re-Thinking the Human Factor Podcast. Gert Jan is a population biologist and social scientist hailing from the Netherlands. His research and publications have provided many with deeper understanding in the areas of cultural evolution, societal change, cultural stability, and how those forces interact with and have influence upon one another. Gert Jan is also known for his work in social simulation as well as for a number of books he has co-written with his father, Geert Hofstede.     “This is where culture is really at its most useful. To know that similar social results… to take a group where it should go, have to be reached by different ways by different routes in different cultures.”     JOIN GERT JAN HOFSTEDE AND BRUCE HALLAS AS THEY DISCUSS: Brexit, and drawing a comparison between the importance of understanding the cultural dimensions at play in Britain, and likewise, the cultural forces at play in one’s organisation.   The importance of recognising and acknowledging that we don’t even recognise our own cultural biases and the errors that lack of understanding of ourselves can cause.   Increased usage of the word 'culture', especially in job titles, as companies strive to develop a security culture.   How the meaning of the word 'culture' can easily differ from organisation to organisation depending on the broader cultural context of the society in which the organisation is situated. This is because the social and technical systems of an organisation are dovetailed in everyday behavioural dynamics   Along with being cognisant of cultural differences, we also needs to learn how to properly interpret those differences. We have to remember that our brains naturally make quick decisions about people and groups, who’s in and who’s out.   Has culture evolved to help us address our deep seated anxiety about the unknown?   The status quo bias - that people stay rooted in doing what they normally do until it gets to the point where it’s a disaster.   You can’t change the culture of a society, but you can change the culture of an organisation, but it’s very hard and takes time.   Influencing an existing culture vs. creating a new security culture, and whether or not one can or should develop a security culture that's separate.   Values dimensions and using a whistleblower. This is an example of how values can influence societal responses to these kinds of people in differing ways depending on the values of the culture within which the whistleblower is situated.   Using a cultural framework to look at incidence reporting in which people report on themselves for their mistakes.   A helpful tip for those working in multicultural environments for working through the behavioural differences they experience.     “I think there’s nothing better than international experience with reflection.”     RESOURCES AND LINKS FOR FURTHER RESEARCH: Gert Jan Hofstede’s first appearance on the Re-Thinking the Human Factor Podcast   MORE ABOUT GERT JAN HOFSTEDE: LinkedIn Website   Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.   Thanks for listening and sharing.   Bruce & The Re-thinking the Human Factor Podcast Team

Eliciting Intrinsic Motivation and Reframing Problems, with Rachel Lawes   Rachel Lawes joins us for Episode 22 of the Re-Thinking the Human Factor Podcast. Rachel gave a fantastic interview back in Series one of the podcast, and if you haven’t had a chance to listen yet, please check it out here when you’re able. We’ve received feedback from a few people recently about how they were really blown away by what Rachel had to say about semiotics as well as how she spoke more broadly about branding, behaviour, and the role of semiotics in behaviour and culture.    Rachel is the author of some of the earliest published papers in semiotics and she’s proud to have been involved at a time when it was first emerging in the UK. She uses it, and her academic background in social science, to rejuvenate brands, innovate products and services and steer comms. She conducts research projects using semiotics, ethnography and discourse analysis. She delivers training for client side and agency users, and she supplies consultancy to ad agencies and large branding agencies. She also works with universities because she loves to teach.   “People are shocked at what they fall for when they think they’re actually defending themselves…”   JOIN RACHEL LAWES AND BRUCE HALLAS AS THEY DISCUSS: Some clever and engaging videos created by airlines as well as one created by Burger King that featured Snoop Dog, the difference between having an engaging comms piece vs. one that actually elicits behavioural change, and budget issues many cyber security awareness professionals are up against when it comes to the creation of engaging awareness materials. Thinking of Security as a product, almost from a branding or marketing sense. The fact that humans get used to information they see over and over, so it is important to consistently apply innovation to crafting awareness and training materials. Film, audio, visual approach to creating awareness and training campaigns and whether or not there’s a better way to accomplish the same goal. The use of incentives within awareness and training campaigns - do they work? If not, what’s a better way to elicit engagement and behaviour change from campaigns? Extrinsic vs. intrinsic motivation, and which is more effective in catalyzing behaviour change. How science has shown that intrinsic motivation is more long-lasting than extrinsic motivation, but for many organizations, a good portion of their awareness budget is spent on incentives, which are extrinsic in nature. With budgets being an issue, would it not be better to spend the money on something that would have an intrinsically motivating effect? It’s possible that incentives have their place to accomplish short-term, tactical awareness measures. However, heads of organizations must be communicated with regarding the short-term nature of the incentives program for which they they are approving money, and they also need to know to be prepared for the need for longer-term, intrinsic measures to be funded. The fact that some operate on the model that use of fear, uncertainty, and doubt as scare tactics are going to get people’s attention (a practice based on a study of Maslow’s “Hierarchy of Needs” concept). Rachel has a different take on this, though, and health campaigns geared towards getting folks to stop smoking stand as a shining example of what she has to say. Bruce also posits that instead of fear, cyber security professionals should create policies that are easier to accomplish than those that were enacted previously. Alleviating friction, alleviating the heaviness (fear / uncertainty) of a policy actually increases the likeliness of compliance. The environment in which people are making decisions about whether or not to comply with a policy will have triggers. Those triggers, when they are triggered, are going to increase the likelihood that people aren’t going to choose to comply.  So, understanding the environment first, and understanding that we make choices in that environment, are core parts of what cyber security professionals must do. The difference between telling people what they need to do vs. telling people what they need to do and explaining why. That awareness and training managers should use the word “DON’T” as little as possible when explaining policies and procedures, while a more successful approach will be to  explain what people should “DO”.     RESOURCES AND LINKS FOR FURTHER RESEARCH: Semiotics ISC2 Maslow’s hierarchy of needs pyramid Allen Carr Re-Thinking the Human Factor episode with Dan Ariely in which ‘choice architecture’ is discussed David Halpern - Inside the Nudge unit MORE ABOUT RACHEL LAWES: LinkedIn   Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.   Thanks for listening and sharing.   Bruce & The Re-thinking the Human Factor Podcast Team

While Nathan Mielke was teaching a cyber security lesson in homeroom at the Hartford Union High School in Wisconsin, the school experienced a distributed denial-of-service (DDoS) attack that took them down for about a class period. While the identity of the attacker was never discovered, Nathan is fairly certain the attacks were coming from a student’s phone, or as it goes in classic American Horror films, the call was coming from inside the house…   Episodes Review with Nathan Mielke, Director of Information Technology & Cyber Security Manager   Nathan Mielke joins us for this episode of the Re-Thinking the Human Factor Podcast. Nathan is from Milwaukee, Wisconsin, and he’s a Director of Information Technology & Cyber Security Manager combining high-level security and systems domain administration experience with a background in leading infrastructure development, data solutions, and information risk programs. His job is to manage training, data intelligence, risk, cyber defence, and investigation activities to safeguard users, secure assets, and ensure high-level security and systems domain administration. He and his team stay updated on the latest trends in security equipment/technology to not only keep the organisation safe but also on the cutting edge.   Interestingly, Nathan began his career as a Librarian, took a turn into the IT realm, and through a series of DDos attacks and other events has brought him to where he is now.   In this episode, Nathan Mielke joins Bruce Hallas to discuss insights they’ve both picked up while listening to the previous 3 episodes of the Re-Thinking the Human Factor Podcast: Char Sample Jonathan Armstrong Bennett Arron   “But ultimately, when something goes wrong, you will be judged on the thinking process that you had behind the choice that you made…”   SOME OF THE TOPICS NATHAN AND BRUCE DISCUSS IN THIS EPISODE ARE: What is it that drew Nathan to the Human Factor, the people piece? Bennett Arron’s routine involving asking if any people in the crowd had been arrested and the lesson of timing and easing one’s audience into heavier, more difficult topics. Char Sample, culture as a vector for attack, and how Nathan incorporates that insight into his goals for increasing security awareness for the educators he works with. As was pointed out in Jonathan Armstrong’s episode, people must rehearse for what happens in the case of a security breach, and each of the involved organisational teams (i.e. Cyber, Lawyer, PR, etc) need to know how to work together in those situations to solve issues quickly and effectively. Regarding the human factor piece, do we think of awareness as being internal-facing only, or should we be considering that awareness is also about external stakeholders that may have an interest in what we’re doing? How medium to small size businesses are the ones often flying by the seat of their pants when it comes to security awareness, behaviour, and culture. The probability that people who work in a positive cultural environment are more likely not only to retain training, but also to stop, think, ask questions, and behave in a safer more thoughtful manner than those who work in negative, stressful cultural environments. Stress those who are CISOs or Security Managers experience based on tight budgets and expectations born from the false belief many organisational leaders hold that if IT and security managers are doing their jobs, nothing bad is going to happen, ever; and how that stress effects the performance of those in charge of security awareness, behaviour, and culture for an organisation. How security and awareness managers and leaders need to be sure to build and maintain trust and a positive relationship with others in their organisations in order to bolster security efforts organisation-wide.     “Your data breach is coming. Are you prepared for it?”     MORE ABOUT NATHAN MIELKE: LinkedIn   Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.   Thanks for listening and sharing.   Bruce & The Re-thinking the Human Factor Podcast Team

How a Victim of Identity Theft Uses Humour to Generate Cyber Awareness, with Bennett Arron   Welcome to Episode 20 of the Re-Thinking the Human Factor Podcast. Joining us on the show today is Bennett Arron, Bennett was one of the first major victims of Identity Theft in the UK. According to the Police and credit reference agencies, he owed thousands of pounds to phone companies, banks and department stores. The only thing was, it wasn’t him. This theft resulted in Bennett becoming penniless and homeless.   A comedy about identity theft Years later, Bennett wrote a comedy show about his experience. The show was critically acclaimed at the Edinburgh Festival and led to Bennett being asked to direct and present the documentary 'How To Steal An Identity' for Channel 4. How to steal an identity In the documentary, Bennett proved, through a series of stunts, how easy the crime of ID theft is to carry out by first stealing the identities of the general public and then, rather foolishly, stealing the identity of the Home Secretary. The documentary was 'Pick of The Week' in The Guardian and The Telegraph and was called ‘Fascinating and Disturbing’ by the TV Times. Bennett was shortlisted for a BAFTA. As a result of Bennett’s programme, the UK Driving Licence Application Form had to be changed… The programme can be viewed below (and you don’t even have to put in your bank details to watch!). https://www.youtube.com/watch?v=-URDjwb0fS4   Bennett now tours the world, telling his disturbingly true yet funny account of what it’s like to have your identity stolen and revealing the devastating consequences of making a documentary ‘in the public interest’. He was the Guest Speaker at the International Fraud Convention in Italy, the International Congress on Anti-Fraud and Anti-Corruption in Poland (twice), the Security Forum in South Africa and the opening keynote speaker at AUScert, Brisbane in front of 2000 delegates. In addition to this, Bennett also speaks to Management and Customer Service Staff on the subject of Data Protection and GDPR showing how the repercussions from clerical, computerised or face-to-face errors can be devastating. “People are shocked at what they fall for when they think they’re actually defending themselves…” JOIN BENNETT ARRON AND BRUCE HALLAS AS THEY DISCUSS THE FOLLOWING: Trying to stir emotion in an audience is one thing, but being emotional yourself helps that. However you’re going to communicate to your audience, it’s going to be much more powerful if the person creating the content has emotional investment in the topic. Whether or not humour is as powerful an ingredient in effective communications as it is thought to be. The importance of having good timing when using humour in communications. Are there underlying processes one can learn to become funny or get better at being funny? Finding your voice. Knowing the right time for the right voice. The importance of tone of voice as well as tone of subject matter in effective communication. Humour as a softer means of communicating awareness initiatives or policy so that people’s responses and engagement with the information is more open. How laughter effects humans physiological and psychologically. That humour works across cultures as long as references are dropped that would be culturally irrelevant to the audience at hand.   MORE ABOUT BENNETT ARRON: Shopping Centre Scam Website LinkedIn   Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review. Thanks for listening and sharing Bruce & The Re-thinking the Human Factor Podcast Team

Awareness, Behaviour, Legal and Regulatory Requirements, with Jonathan Armstrong Welcome to Series 2, Episode 7 of the Re-Thinking the Human Factor Podcast. Joining us on the show today is Jonathan Armstrong, a lawyer who helps multinational clients with risk and compliance across Europe. Recent projects include lots on data breach, GDPR & data transfer, UK Bribery Act 2010, internal investigations, ethics & compliance code implementation, emerging technology, and corporate governance & online reputation. He has also written articles on technology and compliance related topics. He is a Fellow of The Chartered Institute of Marketing (FCIM) and Vice-Chair of the New York State Bar Association International Section. Jonathan has also spoken at conferences in the US, China, Brazil, Canada, Vietnam, Singapore, Dubai & across Europe. In addition, he’s been involved in the development of a number of technology applications going back to the 1990s and was twice a Regional Finalist in the UK Government dti/ISI Awards for Innovation in e-commerce.   JOIN JONATHAN ARMSTRONG AND BRUCE HALLAS AS THEY DISCUSS THE FOLLOWING: Training / Practice for helping to not only reduce the likelihood of cyber attacks, but also how to address a problem when something goes wrong (which it inevitably will at some point) The law is increasingly saying that companies must implement some form of education and awareness training, and when a breach does happen, companies must have their arguments ready pre-breach so they can respond effectively to a breach and be able to defend their efforts to stave off the attack Those who have managed breaches most effectively are those who have run simulations and had a plan in place Stakeholder management The role Education and Awareness plays in terms of how a regulator might look at a breach How to spot training programs that will pass regulations vs those that won’t The disparity between the cost of high-quality training vs the cost of handling a breach or facing fines for non-compliance   MORE ABOUT JONATHAN ARMSTRONG: LinkedIn   Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.   Thanks for listening and sharing.   Bruce & The Re-thinking the Human Factor Podcast Team

On Episode 6 of series 2 of the Re-Thinking the Human Factor podcast, we are joined by Dr Char Sample to dive into the topic of culture and the role it plays when it comes to cybersecurity. But this podcast chat is not what you will expect to hear when it comes to culture; we're going to explore how your cultural values can be used against you in cybersecurity attack.  Some of the topics we're going to dive into during this podcast episode include Cultural Dimensions, Geography of Thought, and Values as a Vector for Attack. Culture and cybersecurity Dr Sample is a researcher-fellow employed for ICF at the US Army Research Laboratory in Adelphi, Maryland and has over 20 years experience in the information security industry. Dr Sample’s area of research examines the role of national culture in cybersecurity behaviours. At the moment, Dr Sample is continuing research on modelling cyber behaviours by culture. Other areas of research are information weaponisation, data fidelity and fake news. Dr Sample is a frequent collaborator with the University of Warwick, in the UK which is where she completed her fellowship. “It’s an old Russian proverb: ‘TRUST, BUT VERIFY.’ We put all of our eggs in trust and we left verify exposed.” JOIN CHAR SAMPLE AND BRUCE HALLAS AS THEY DISCUSS THE FOLLOWING: The meshing of two schools of cultural thought to create a more complete cultural model from which to approach awareness, behaviour, culture, and even defence campaigns: Hofstede’s Cultural Dimensions Theory Nisbett’s work: “Geography of Thought: How Asians and Westerners Think Differently…and Why” Design for success - Whether you’re designing a phishing campaign, an education awareness campaign, how you’re going to manage incidents, whatever it is, it’s about understanding that all of this is being done with people in mind, either as the victims, the perpetrators, or the middle people. You can’t shape culture in the short-term, which causes a clash between organisational culture and security culture. Organisational cultures often look for success metrics every quarter, but culture takes much longer to change. We all have cultural lenses, and those cultural lenses help us (or don’t help us) with the definition of what it is that we see. The Cultural Dimensions Theory is old enough that we now have tons of data to analyse around the 6 dimensions. Cultural values are very enduring because those values are reinforced all throughout society. So, you’ve got this lifelong influence on culture / shaping of culture, and you’re trying to set up a security culture within your organization — Which one is going to win? Insights around culture and how that relates to victims. How important is the role of values in decision-making? Also, Char shows an example of how to map behaviour to Hofstede’s Cultural Dimensions to give a possible answer to the question. Culture as a vector for attack. “We have a tendency to want to throw technology at the problem. But of you don’t take the cultural values of the person who’s sitting at the end of the computer there, and who’s going to be the recipient of this data, if you don’t take that into account, you can at best have a partial success.” Further study and research Hofstede’s Cultural Dimensions Theory Nisbett’s “The Geography of Thought: How Asians and Westerners Think Differently…and Why” About Dr Char Sample LinkedIn Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review. Thanks for listening and sharing. Bruce & The Re-thinking the Human Factor Podcast Team

Observations and Take-Aways: Episodes Review with Craig Thomson, Security & Awareness Manager   On this episode of the Re-Thinking the Human Factor Bruce Hallas is joined by Craig Thomson, the Security Education & Awareness Manager at Nationwide Building Society. He is an experienced Education specialist with a demonstrated history of delivering impactful results in the Defence, Air & Space and Information Security arenas. He is skilled in the management of Training Programme and solution design using SAT and ADDIE methodologies to deliver engaging and meaningful training and communications that create measurable behavioural change. Craig values using effective emotional intelligence skills to develop teams and solutions in support of achieving business strategy goals.   “Awareness is a two-way street… Awareness is just as much about actually being aware ourselves of who our target audience is…”   JOIN CRAIG THOMSON AND BRUCE HALLAS AS THEY DISCUSS:   Their shared connection around the armed forces and applicable observations they’ve made about L&D and recruitment for the Armed Forces The importance of people having vested interest in policy creation The problem of cognitive dissonance within company culture (i.e. ‘This is what the policy says, but what push comes to shove, here’s what we actually do’) What motivates people to take part or give their time to engagement with awareness initiatives Awareness is a two-way street Lessons learned around conducting surveys as a means of gathering information about one’s target audience, and other means of garnering useful information and feedback from those people The difference environment makes in training, accurate observation, and behaviour change Sharing ideas across a network of security professionals The concept of “Awareness” as communications that give people a sense of understanding and control over upcoming change in their work environment, which helps them not feel as stressed about the change, which then helps to overcome their innate desire to avoid or not comply with the desired change in behaviour If / how metrics can be used to enhance Awareness strategy and creation   MORE ABOUT CRAIG THOMSON: LinkedIn   Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.   Thanks for listening and sharing.   Bruce & The Re-thinking the Human Factor Podcast Team

What makes our brains tick, and why does that matter for change managers and organizational heads?   The Human Brain vs. Awareness, Behaviour, and Culture   Hilary Scarlett is an international speaker, consultant and author on change management and neuroscience at Scarlett & Grey. Hilary’s work has spanned Europe, the US and Asia and concentrates on the development of people-focused change management programmes, coaching and employee engagement. Her specialities include: change management employee communication employee engagement leadership coaching (Inst of Leadership & Management accredited)   “A need for control, a need to be able to predict what’s coming up is really important to the brain.”   JOIN HILARY SCARLETT AND BRUCE HALLAS AS THEY DISCUSS: The necessity of understanding how our brains work The human brain’s distaste for change A brief rundown on what the brain actually is, i.e. what it does, how it’s made, the structure of it How understanding what our brains do and how they work can guide efforts towards creating proper learning environments and organizational cultures where people can more easily learn and thrive Why our brains are often lazy by default Growth mindset within an organizational culture The importance of prioritizing tasks by order of importance because the brain’s energy / ability to process information critically will become increasingly depleted as the day goes on Tools for getting the brain back on track and restoring some of its energy during the day Understanding how brains process change and what it means for Change Managers The power of storytelling in communications, understanding, and memory   “Change is extremely difficult for us if we feel it’s unpredictable and uncontrollable… People further down the hierarchy who feel they don’t have that same sight at what’s coming up and don’t have that same control or influence, their brains are in a much more stressed place than [the boss].”   FURTHER STUDY AND RESEARCH Neuroscience for Organizational Change by Hilary Scarlett Edgar Schein Neuroplasticity The Endowment Effect Mindset by Carol Dweck   MORE ABOUT HILARY SCARLETT: LinkedIn   Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.   Thanks for listening and sharing.   Bruce & The Re-thinking the Human Factor Podcast Team

Did you know up to 80% of information is forgotten within 24 hours? Admittedly, this is not an encouraging statistic for those of us seeking to raise awareness, change behaviour, and foster an appropriate organizational culture. For this reason, we at the Re-Thinking the Human Factor Podcast are looking for answers from outside the security industry from people who can provide an evidence-based path forward which can help us to improve learning and development. We’re happy to share some fresh insights with you on the topic of improving the training experience, likelihood of learning, and stickiness of memory after the training is completed. Evidence-Based Methodology to Improve Learning and Development Stella Collins joins Bruce in Series 2 / Episode 3 of the Re-Thinking The Human Factor podcast to have a deeper look into how we can improve learning and development using evidence base methodology. She is a learning specialist, an expert in Brain Friendly learning, author of Neuroscience for Learning and Development, and the Creative Director of Stellar Learning, a business whose goal is to transform training, learning and communication - particularly when it's tough, technical or tortuous. They support and train their clients to build excellent relationships and make critical messages stick.  With a BSc in Psychology, an MSc in Human Communication, a coaching diploma, 15 years in the IT industry, and more than 15 years in L&D, she injects a theoretical knowledge of learning and communication with creative and practical ideas and hands-on experience. Stella says “there’s no such thing as a boring topic – just boring training.” JOIN STELLA COLLINS AND BRUCE HALLAS AS THEY DISCUSS: The importance of knowing the background behind a neuroscientific finding, i.e., who’s done the research, what was on their agenda when they did it, and whether the proper research methodology and statistical analysis was used to arrive at the conclusion on which your team is now basing its L&D and policy changes The empowering nature of evidence-based ideas Effective planning for L&D training, including making people excited about going through the training, and making the most of the time you have with people rather than wasting time and money on a captive audience that will forget most of what they learned within 24 hours (see our opening statement above) The importance of what happens after L&D training, like inter-staff communication and ensuring that the work environment is conducive to easy adoption of new skills and policies What is training, actually? Likewise, what is learning? Neuroplasticity, or the fact that our brains are flexible and able to create new pathways for learning throughout life Ways to maximizing the potential for learning when engaging in training efforts When it comes to learning and memory, humans are not sponges as the metaphor suggests The future of L&D and self-directed learning “An experience, as opposed to fact…When we have an experience, we remember that sensory information… Emotion is massively sticky. Emotions and senses are hugely important.” FURTHER STUDY AND RESEARCH Neuroscienece for Learning and Development by Stella Collins Stellar Learning (Make Your Message Sticky) Choice Architecture Neuroplasticity   MORE ABOUT STELLA COLLINS: LinkedIn   Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.   Thanks for listening and sharing.   Bruce & The Re-thinking the Human Factor Podcast Team

Understanding decision making in the workplace is almost like the holy grail. What we want is for our colleagues to make better decisions, but for this to happen we need to take a few steps back. Decision making in the workplace takes place in the context of the organisational culture. Often when we talk to people about organisational culture, they see culture as something so big that it becomes too overwhelming to think about. Instead, they prefer to take the path of least resistance, focusing on awareness and driving behaviour. However, behavioural science keeps pointing to the fact that individuals need to feel involved in policy creation if buy-in and actual behavioural change is to occur. But, won’t this take too much time? How can an organisation possibly gain buy-in from all their employees? Interestingly, the amount of interaction that people need in order to feel that they are involved is probably a lot less than you think… Individuals, Groups, Decision-Making, And Self-Regulation Susan Weinschenk joins Bruce in Series 2 / Episode 2 of the Re-Thinking The Human Factor podcast to have a deeper look into this topic. Susan has a Ph.D. in Psychology. She applies research in brain science and psychology to predict, understand, and explain what motivates people and how they behave. Her consulting includes applying behavior science to the design of websites, software, medical devices, tv ads, physical devices, presentations, experiences, and physical spaces. She is an author, teacher, mentor, and consultant to Fortune 1000 clients, government, non-profit, and start-ups. Her books include: How To Get People To Do Stuff, 100 Things Every Designer Needs to Know About People, 100 Things Every Presenter Needs to Know About People, and Neuro Web Design: What makes them click?  Susan’s specialties include Behavioural Science, Brain Science, Psychology, and User Experience.   JOIN SUSAN WEINSCHENK AND BRUCE HALLAS AS THEY DISCUSS: The influence of individual self-stories on a person’s behaviour Brain function and value-based, goal-directed decision-making vs. habit-based decision-making The importance of similarity in environments between the one in which a person is trained vs. the space where that person will encounter actual on-the-job issues, and how different environments can hamper training and habit-based decision-making What choice architecture is and how it relates to how you build an actual environment to bring around the behavioural outcomes you’re looking for Whether any gains around behaviour can be made without taking into consideration the broader cultural context The power of social norms and groups to regulate behaviour The necessity of involving at least some members of strong-tie teams/communities in development of policies in order to increase buy-in and ensure wider-spread behavioural change The importance of looking at Cyber Security as if it were a product, understanding that having repeat customers of the product is the end goal Drivers of motivation behind people’s engagement with awareness campaigns, and what kind of behavioural change can be expected through gamification and rewards-style motivation   “The amount of interaction that people need in order to feel that they were involved is probably a lot less than you think…”   FURTHER STUDY AND RESEARCH Re-thinking the Human Factor Ep 05 with Ciaran McMahon Choice Architecture Robin Dunbar (Dunbar’s Number) The IKEA Effect   MORE ABOUT SUSAN WEINSCHENK: LinkedIn   Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.   Thanks for listening and sharing. Bruce & The Re-thinking the Human Factor Podcast Team

Welcome to Series 2, Episode 1 of the Re-Thinking the Human Factor Podcast. It's fantastic to be back after a 3-month break!  As we like to do every so often, Episode 1 of Series 2 begins with a conversation with Louise Cockburn, a listener to our show whom we invited to come on and share insights she's picked up from previous episodes of the podcast, as well as her own experiences and thoughts on the challenge of security awareness, behaviour and culture. Louise is the information security awareness and culture manager at Quilter (prev. Old Mutual Wealth), and she had much to say about the need for creativity in communications, the power children hold in shaping behaviour and culture, personnel buy-in, and more, but the overarching theme of the conversation centered around one thing - behaviour. Tune in to hear all about it. Further Resources Re-thinking the Human Factor Book Our new book, Re-Thinking the Human Factor, which is available on Amazon In the nine chapters of the book, we challenge some of the assumptions that many people make when designing education and awareness programs to raise awareness, influence behaviour and foster an appropriate organizational culture. Also, we bring in a load of insights, some of which have come from the research that Bruce and his team has done over the last seven years, whilst some stem directly from the interviews that we've done in Series one of the podcast. Also, it's a short read. LinkedIn Group We have recently launched the Re-Thinking the Human Factor LinkedIn Group, where we want to enable you to continue the discussion around the human factor in information security. We hope that by having a space to hold these discussions that we can all better understand the role that awareness, behaviour, and culture can have on our information security objectives.  Thanks for tuning in!  

The challenge with creating behavioural change is doing it well enough that people actually change their behaviour consistently. And beyond that, it's about ensuring that other people in the organisation can observe this new behaviour around them so that they come to the realise this is simply "the way we do things around here" in other words, the organisational culture. When we set about creating behavioural change, the ultimate objective is for that change to become embedded in the culture, because that's when we start to see the results we're looking for. Creating Behavioural Change that Becomes Part of Culture In today's podcast episode this is what we're going to be exploring. Bruce is joined on the podcast by Su Ee Wong. Su Ee’s journey towards becoming a safety and health (S&H) professional is an unusual one. She started off in biomedical science and a serendipitous stint in the HR office of an academic institution sparked an interest in workplace safety and health.  The unique blend of her science background, HR experience, and S&H interest got her a Mid-Career Training Sponsorship where she was given the opportunity to train as an S&H professional in a University. As the core businesses of a University are research and teaching, she is able to apply her knowledge in research to better manage the S&H of staff and students.  Her passion is in creating a safe, healthy and happy environment that the community can thrive in. She strongly believes that the activities we engage in should do no harm to our people or to Mother Earth. [1] JOIN SU EE WONG AND BRUCE HALLAS AS THEY DISCUSS: Su Ee’s post that told of an experiment conducted around the public safety problem of how to change the behaviour of jaywalkers who were crossing the street no matter what color the light was. Making policies fun, interesting, and engaging can help catalyze behavioural change. The importance of creating policies that have as little friction as possible to follow. When we want to change behaviour, a lot of us think that should be through punishment,  like handing out fines for doing something. We think if we give them a slap on the wrist, that changes behavior. But it might not be sustainable in the long run. How do we get something more creative that is more positive to change the behaviour and then reinforce it later so that this behavior sticks until it becomes second nature? In organizations, people at different levels will have different cultural norms. Though one might craft the perfect awareness campaign based on research gathered from within the various organizational levels at their local office, those same campaigns might not elicit the response one is anticipating in the overseas office possibly due to a sort of a national culture. The importance or recognizing policy “champions” for their work. How do we incorporate people’s natural biases in how we design awareness campaigns? Creating an environment and culture where people can share their insights and engage with leadership or the local champion, without blame, to create trust between workers and leaders, because that will be one of the best ways to manage problems knowing that leadership can’t be everywhere all at once. What Su Ee Wong did to understand root causes of behaviors in her organization. Awareness is just as much about policy-makers themselves becoming aware as it is about crafting the right kinds of campaigns and procedures.   FURTHER STUDY AND RESEARCH Re-thinking the Human Factor Ep 09 with Dan Ariely Shortcut by John Pollock Choice Architecture Infosec Europe   MORE ABOUT SU EE WONG: LinkedIn [1]   Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.   Thanks for listening and sharing.   Bruce & The Re-thinking the Human Factor Podcast Team

We like to invite listeners to the podcast to come on the show and share insights that they’ve picked up from previous episodes of the podcast.  We also invite them to share their own experiences and thoughts on the challenge of security awareness, behaviour and culture. In this show, Ed Tucker, the 2017 European CISO of the Year joins us to lift the lid on the challenges he sees and the insights he’s picked up. Ed feels there is a common theme between what Robert, Ciaran and Gert discuss and what happens in the reality of the organisation, which highlights the common failings of ineffective security people. The theme he highlights is ignorance. Tune in to hear all about it. About Ed Tucker Ed is the current European Chief Information Security Officer of the Year, UK Security Professional of the Year, and Security Leader of the Year and has been recognised for his massive contribution and sharing of best practice with the wider security world. Ed is the former Head of Cyber Security for the UK Tax Authority HMRC, where he led the Cyber Security and Response Capability for eight years. Ed designed and built the Cyber Security capability for HMRC, developing two intelligence driven Cyber Security Command Centres; the first in-house developed capabilities in UK Government. Ed implemented security controls across all HMRC's email domains and reduced phishing emails purporting to be the UK Tax Authority by 500 million a year 2016 through spearheading the use of DMARC (Domain-based Message Authentication, Reporting and Conformance). Ed also instigated the take down of 14,000 fraudulent websites harvesting data and has had a broad spectrum of responsibilities in his fifteen-year career including Online Fraud, Hacking Analysis & Capability Scoring and Forensic Investigations. A regular speaker at events such as InfoSec Europe, European Information Security Summit, European CISO Conference, InfoCrime Summit, and now eCrime, Ed is a highly regarded industry expert on all aspects of data protection.

EPISODE 10 SUMMARY - RACHEL LAWES ———————————————— Joining Bruce Hallas on Episode 10 of the Re-thinking the Human Factor Podcast is Dr. Rachel Lawes, who comes to the show with a background in the field of semiotics. Don’t worry, if you’re not familiar with the term, you’re probably in good company. However, upon learning more about Rachel and the field of semiotics prior to recording the interview, we knew she had something of interest, substance, and worth to bring to the conversation around Cyber Security Awareness, Behaviour, and Culture.   MORE ABOUT RACHEL If you go to market research conferences, you’ve probably met her already. She’s one of the original founders of British commercial semiotics and she never stops being excited about what it can do. She uses semiotics and related methods, backed up by a comprehensive knowledge of social science, to rejuvenate brands, innovate products and services and steer comms. She delivers research, insights and strategic guidance to brand owners. She delivers training in advanced research methods for both client side and agency side users. She also supplies consultancy services to ad agencies, design agencies and large branding agencies.  From time to time she works with universities because she loves to teach. [1]   JOIN RACHEL LAWES AND BRUCE HALLAS AS THEY DISCUSS: What semiotics is. In reference to a challenge often put our way regarding the applicability of insights from without the security industry — whether the insights gained through semiotics be applied to both sides of the fence, so to speak, both externally AND internally, as in the case of within an organization. One fascinating consequence of digital culture — that written language has taken on a life of its own in a way that really haven’t seen in our life times. It’s no longer really required that you follow the rules you learned in school. What’s more important is getting your message across, which might involve substantial use of abbreviations, emoji’s, etc. People communicate using language and text now more than they have done for a long long time. The work of semiotics is partly about observing what’s going on in a given audience to try to understand what it is they’re giving off, what the signs are you see in the audience which may be a reflection on how they would respond to you presenting something to them. How semiotics can help one engage more effectively and influence changes more effectively. Studying signs and symbols (semiotics) gives one an understanding of what is driving people’s behaviour from a cultural perspective. This is important because, as discussed with Gert Jan Hofstede in Episode 06 of the Re-thinking the Human Factor Podcast, culture forms everybody - there’s no escape from it.   FURTHER STUDY AND RESEARCH Semiotics Tone of Voice Episode 06 - A Chat With Gert Jan Hofstede About Culture and Security. MORE ABOUT RACHEL LAWES: Website [1] Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.   Thanks for listening and sharing.   Bruce & The Re-thinking the Human Factor Podcast Team

Understanding behavioural change is a crucial aspect of better understanding the human factor. If we hope to influence behaviour then we need to better understand human behaviours, decision-making and motivations. The leading expert in this today is Dan Ariely and we are thrilled to have him as a guest on the podcast. Behavioural change is a large part of the work we have to do when it comes to improving security outcomes, and the work by leading thinkers such as Dan is really helping to pave the way. Dan Ariely was recently voted as the second most influential psychologist in the world. He is a professor of psychology and behavioural economics at Duke University and a founding member of the Center for Advanced Hindsight. He is the author of the bestsellers Predictably Irrational, The Upside of Irrationality, and The Honest Truth About Dishonesty - as well as the TED Book Payoff: The Hidden Logic that Shapes Our Motivations. Through his research and his (often amusing and unorthodox) experiments, he questions the forces that influence human behavior and the irrational ways in which we often all behave. Behavioural Change in CyberSecurity In this episode, Dan Ariely joins Bruce Hallas to discuss behavioural economics and its role in better organising operating environments and how we can use this in the cybersecurity industry. Dan’s speciality is in the study of behavioural economics with a focus on communicating his findings in a language anyone can understand so this makes him an ideal guest for the podcast. ‘[His] immersive introduction to irrationality took place many years ago while [he] was overcoming injuries sustained in an explosion. The range of treatments in the burn department, and particularly the daily “bath” made [him] face a variety of irrational behaviours that were immensely painful and persistent. Upon leaving the hospital, [he] wanted to understand how to better deliver painful and unavoidable treatments to patients, so [he] began conducting research in this area. [He] became engrossed with the idea that we repeatedly and predictably make the wrong decisions in many aspects of our lives and that research could help change some of these patterns.’ [1] “You have to understand that part of your job as a security expert is not just to create security but to create appreciation. Because if you create security with no appreciation, you’re not going to get people to value it and want to participate in it.” Join Dan Ariely and Bruce Hallas as they discuss: What behavioural economics is (10:50) Preferences, how we form them, and the effect our preferences have on our behaviour. (19:01) Untapped demand, or the idea that there’s a big difference between people’s preferences and what they end up doing, and the fact that those differences have a lot to do with friction (the easiest decision will often be the one that is chosen) (23:04) The role of behavioural economics in better designing the operating environment within which employees are trained and work within in order to maximize the potential for positive cyber security behaviours (24:56) The concept of “endowment”, or the idea that people who have contributed to something feel a greater sense of value about that something as well, and the “Ikea effect”, which simply understood is that labour leads to love (29:39) Value cues, and the need for cybersecurity policy creators to communicate the value of following their policies to their audience (33:59) Another big challenge in the cybersecurity industry - the fact that security failures happen infrequently, and what that teaches people about how they need to behave (41:36) Effective and ineffective methods for motivating positive cyber security behaviours from employees (44:30) The effect of overconfidence in our own knowledge and ability on our behaviours (49:17) “One of the biggest challenges is to get people to admit we are fallible.” Further Reading & Research Small Change | Money Mishaps and How to Avoid Them, by Dan Ariely Predictably Irrational, by Dan Ariely Bruce Hallas’s blog: Behavioural Economics: When irrationality is the remarkably logical decision Here is one of Dan's famous TED talks on decision-making.   About Dan Ariely You can find out more about Dan at his website www.danariely.com or you can follow him on Twitter. Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.   Thanks for listening and sharing.   Bruce & The Re-thinking the Human Factor Podcast Team