Podd: Re-thinking The Human Factor with Bruce Hallas

Lessons from the world of coffee!

30 augusti 2024 | 78 min

Key performance metrics

30 augusti 2024 | 71 min

The security function's culture.

21 april 2024 | 46 min

An appointment with the Doctor to discuss culture, behaviour and decision making.

17 mars 2024 | 45 min

Insights from advertising for security awareness professionals.

22 januari 2024 | 57 min

A Human Resource view on Information Security Awareness and Education

4 december 2023 | 47 min

Embracing Diverse Skills When Building an Effective Education and Awareness Team.

20 november 2023 | 52 min

When I first got involved in “information security” 20+ years ago, I found myself almost entirely surrounded by industry peers whose training and experience was in technology or technology disciplines. My training in law, marketing and finance, and my experience in business development, marketing, recruitment and even a stint in purchasing and supplies all seemed out of line with the world of IT security as it was called back then.

As I came to understand, during my own research in human behaviour and culture, my lack of an education in technology meant I was culturally and even physically wired differently. This meant I looked at things through a different set of lenses. The result, was an approach that we would now call governance, risk and compliance. However, it was these very human disciplines, which led me to fundamentally think differently when it came to kicking off the Re-thinking the Human Factor research programme.

Our guest Lana McGill, to me, enshrines the change in direction of an increasing number of forward thinking security professionals looking for a more mature approach to employee awareness, behaviour and culture. Lana believes that by diversifying their search for skills and experience, outside of the traditional industry expectations, you can bring new insights and energy to the challenge of influencing employee behaviour and culture. Her role as a senior information security leader, in the finance sector, and her willingness to embrace other skills and experiences in the search for more effective interventions, gives hope that the industry inertia, when it comes to the human factor, may finally be shifting.

©Copyright Marmalade Box Limited

The content of this podcast is the property of Marmalade Box Limited. Any use of the content of the podcast, either in full or partially, will be considered an infringement of Marmalade Box Limited rights as sole owners of this content. Any enquiries about the use of this content should be directed to Marmalade Box Limited. Contact information can be found at www.marmaladebox.com .

The Science Behind Metrics

6 november 2023 | 50 min

Insights from Educational Psychology for Information Security Professionals

23 oktober 2023 | 79 min

Understand the forces at play.

29 november 2021 | 54 min

The human factor. A view from Brazil.

3 november 2021 | 49 min

Versace, Burberry and Lacoste. Thoughts from branding.

18 oktober 2021 | 48 min

An internal communications perspective.

5 oktober 2021 | 65 min

The human factor in the middle of a major security breach.

6 september 2021 | 51 min

CyberSecurity ABC's

9 augusti 2021 | 61 min

An ex-regulators view on awareness, behaviour and culture.

19 juli 2021 | 63 min

What does it mean to have a people-centric approach to cybersecurity? And, why you should have one?)

5 juli 2021 | 51 min

Content is king or so they say! Discover some caveats around the saying as we explore the role of a security influencer.

27 juni 2021 | 65 min

What role training materials must play in building security aware-rich organisations?

21 juni 2021 | 53 min

What does it take for security teams to win in the cybersecurity fight?

14 juni 2021 | 56 min

How technology can be a CISO's best friend in changing behaviour.

7 juni 2021 | 49 min

Re-thinking the Human Factor: Cyber Security Mini Series

31 maj 2021 | 40 min

A conversation with award-winning CISO, Andrew Rose

28 april 2020 | 63 min

Know your cyber security risks, with Prudence Smith

21 april 2020 | 47 min

Marketing Strategy Applied To Cyber Security with TERRY O’REILLY.

14 april 2020 | 62 min

Why we need to re-think the human factor in security, with Bruce Hallas

7 april 2020 | 70 min

Why we need to re-think the human factor in security, with Bruce Hallas

Bruce Hallas sits in the hot seat for a change as Alexia of Marmalade Box grills him, for this: Series 3, Episode 4 of the Re-Thinking the Human Factor Podcast. Having received a lot of emails asking us for more information about Bruce Hallas, the host of this podcast, Alexia agreed to put Bruce through some viewer lead questioning in the hopes of delving deeper into his background and expertise.

Having trained in accounting and law, Bruce started his work life in business development, outside the realms of tech, and found himself passionate about security awareness and human behaviour. Via a series of questioning, 7 years ago Bruce was lead to his groundbreaking research that lead to his book ‘Rethinking The Human Factor’. Apart from his work as a researcher and author, he also runs Marmalade Box, a company dedicated to helping organisations cultivate and design a positive security awareness by raising awareness and influencing behaviours.

Bruce is an expert in reducing risk and helping companies design security processes that reduce the guesswork from the human factor. We know you will enjoy listening to how and why Bruce is so passionate about his chosen occupation and how you can benefit from his vast understanding.

AS YOU LISTEN TO THE EPISODE, IF YOU FIND YOURSELF WANTING TO IMPLEMENT SOME OF THE INSIGHTS YOU’RE GAINING BUT YOU FEEL YOU NEED A LITTLE HELP, PLEASE DO GET IN TOUCH WITH ME AT:

[email protected]

JOIN BRUCE HALLAS AND ALEXIA AS THEY DISCUSS:

The questions Bruce asked himself when he started his research journey.
How understanding the human factor allows for better engagement.

Breaking down the entire system within information security to better the process.

The Analogies Project and how analogies help in shaping culture and behaviour.
Who benefits the most from the Rethinking The Human Factor research?
Designing with the human in mind.
Does evidence point to the validity of the frame work created from the research done in Rethinking The Human Factor?
The importance of establishing a cohesive vision as an anchor.
How personal values influence culture.
What can my organisation do to benefit from this?

RESOURCES AND TOPICS FOR FURTHER STUDY

Rethinking The Human Factor by Bruce Hallas
Nudge by Richard H. Thaler
The Power Of Analogy by Dieter Wanner

MORE ABOUT BRUCE HALLAS:

Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.

Thanks for listening and sharing.

Bruce & The Re-thinking the Human Factor Podcast Team

Taking risks to reduce risk, with Eric Ravello

31 mars 2020 | 65 min

Simplifying Cyber Security, with Neil Frost

24 mars 2020 | 53 min

The Accidental Security Specialist, with David Shipley

17 mars 2020 | 55 min

The Accidental Security Specialist, with David Shipley.

Living up to our promise to bring you fantastic guests, David Shipley joins us for Series 3, Episode 6 of the Re-Thinking the Human Factor Podcast. Time to go phishing so grab your rod.

David is a self professed accidental cyber security professional, but has spent time as a soldier, newspaper reporter and marketer. After a cyber hack within his company occurred, David grew increasingly interested in cyber security and was asked to take on this role within his company.

Currently based in Canada, David is an award-winning entrepreneur and head of Beauceron Security. Beauceron's holistic approach to measuring and reducing cyber risk brings together threat intelligence, user education and awareness, simulated attacks and real incident data into an easy-to-use and deploy cloud platform that transforms cybersecurity from an IT-centric issue into a pan-organization management opportunity.

AS YOU LISTEN TO THE EPISODE, IF YOU FIND YOURSELF WANTING TO IMPLEMENT SOME OF THE INSIGHTS YOU’RE GAINING BUT YOU FEEL YOU NEED A LITTLE HELP, PLEASE DO GET IN TOUCH WITH ME AT:

[email protected]

IN THIS EPISODE, DAVID SHIPLEY AND BRUCE HALLAS DISCUSS:

The sheepdog effect.
- Turning the cyber victims into defenders.
- Empowering the person.
The importance of driving behavioural reinforcement within a culture to keep positive cyber security behaviour thriving.
Getting the metrics correct- Repeat clickers and what we can learn.
Taking the time to make sure people really retain new cyber security-related information and behaviours.
Phishing fallibility:
- Is someone’s emotional state a factor to be considered?
- The 8 emotional scale.
- Fear response, social hi-jacking and engineering.
- How time affects people’s behaviour during a 24 hour period.
- The power of keeping calm. Speed can often be your enemy.
The Power Model - what it is and how it can be used to boost cyber-security awareness:
- People, environment, actions and resources.
- Creating an easy to use protocol to gauge involvement.
- Learning from each other. Building a solid support structure.
Black box culture - going deeper into more effective cyber security training:
- Talking about issues without laying blame.
- The story of the mayor that got phished.
- Learning from mistakes in proactive ways. Rewarding right behaviour.
- Scoring people and then helping them improve their performance within the security culture.
Compliance:
- Exceeding compliance via relative, contextual, timely informative videos.
- Treat your audience like adults.
Using Surveying as a tool to generate better metrics around risk and awareness:
- The importance of your baseline and the importance of a good survey.
- How does bias affect survey answers and are there ways around it?
- Using video responses to surveying to offer training in weak spots and offer guidance and support to colleagues.
- Start a positive feedback loop.
Phishing attacks and data strategy.
- Data gathering from ‘time to click’ data proves to be very fruitful at limiting risk.
- Huge amounts of data are available to be mined to design cyber security awareness and education pieces that change behaviour.
- Having a strategy for data gathering is crucial. Learning when people click leads to a defined process towards a positive security culture.
Cyber Security Marketing.
- The same tools that marketing applies can be used when trying to form a new culture of awareness within a business.
What is a KPI clash?
Where is the cyber security industry failing?
- Not enough focus on the human factor.
- Not enough funding for training.
- Real meaningful change comes with data and planning correctly
- Data driven decision making around security awareness.
- The need for sharing resources exists to help strengthen the entire security industry.

RESOURCES AND TOPICS FOR FURTHER STUDY

MORE ABOUT DAVID SHIPLEY:

Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.

Thanks for listening and sharing.

Bruce & The Re-thinking the Human Factor Podcast Team

Designing Learning Experiences That Stick, with Megan Sumeracki

10 mars 2020 | 65 min

DESIGNING LEARNING EXPERIENCES THAT STICK, WITH MEGAN SUMERACKI

Megan Sumeracki joins us for Series 3, Episode 5 of the Re-Thinking the Human Factor Podcast.

Megan Sumeracki is an Assistant Professor at Rhode Island College. She co-founded the Learning Scientists in January 2016 with Yana Weinstein. Megan received her Master’s in Experimental Psychology at Washington University in St. Louis and her PhD in Cognitive Psychology from Purdue University. Her area of expertise is in human learning and memory, and applying the science of learning in educational contexts.

WHAT'S THIS EPISODE ABOUT?

As cyber security practitioners, we often ask ourselves the question of how we get people to remember to do the things we tell them to do. How do we get them to retain what we teach them in our trainings?

Well, you’re in luck. This conversation is full of treasures to do with how our brains work when learning and strategies (based on scientific evidence) that can help you create training situations where the information will be more likely to stick.

Side Note -- We touch a lot on something called Retrieval Practice. Retrieval practice is simply a strategy in which bringing information to mind enhances and boosts learning. It’s about deliberately pulling what we’ve learned back out of our heads to examine it.

Megan addresses empirical questions such as: What retrieval practice formats promote student learning? What retrieval practice activities work well for different types of learners? And, why does retrieval increase learning?

AS YOU LISTEN TO THE EPISODE, IF YOU FIND YOURSELF WANTING TO IMPLEMENT SOME OF THE INSIGHTS YOU’RE GAINING BUT YOU FEEL YOU NEED A LITTLE HELP, PLEASE DO GET IN TOUCH WITH ME AT: [email protected]

BELOW IS A MORE DETAILED OUTLINE OF WHAT MEGAN AND I DISCUSSED:

Understanding how we learn information and how we apply and remember it.
The goal of education is to teach students how to learn and retain information so they can use it in the future.
- The key words: Learn, memory, retain, apply.
- Even though a student needs to pass exams and get grades, it is more useful to retain information and are able to apply it in the future.
- Standardised testing could be improved as education needs to create a new behaviour rather then just stored information.
- Creating tests that mimic the real world can help people retain and then use new information.

Data driven approach.
- Just because we enjoy certain methods of learning does it mean it will help me retain any new information?
- Challenging the way we learn can push us towards more durable learning processes.
- Instinct and intuition do not answer the question of education necessarily.
- Building effective strategies.

Why cramming does not relate to long term memory of a topic.
Understand what it is that helps people learn and retain information over a longer period of time.
Retrieval practice bringing things to mind, spacing practice, spreading learning over a period of time.
It is difficult to predict an individual way of learning rather then a larger group on average.

Confirmation bias can muddy research waters.
- Expecting to see something can create patterns.
- Finding ways to remove bias such as breaking a theory down to disprove it.
- Results free of bias lead to stronger data.

Spacing and retrieval.
- Spacing and retrieval have been around since the 1800s and used repeatedly.
- How the true value of all knowledge and understanding is application.
- The art of communication.
- Student driven research into learning through accessibility.

What other misunderstandings do people have around learning?
- Designing with the human in mind.
- The cognitive process.
- Getting the information in is only one step, you have to be able to get the information back out and apply it.
- Retrieval cues and how they help.

The importance of finding ways to bring back to mind recently learned information to help it stick.

Bridging the gap from study to new awareness and understanding.
Situational awareness building can help develop new behaviours.
Encoding information does not necessarily lead to retrieval.
Storytelling as a way to help retrieve new information. Holding interest to hold attention.

Does interest really govern retention?
- If a person likes engaging they will likely engage more with a topic or action.
- Attention span can often be affected by external influence like eating breakfast and rest.
- Bite sized learning spread out over a longer period can aid retention.
- Sometimes ’seductive details’ can be distracting even if entertaining.

RESOURCES AND TOPICS FOR FURTHER STUDY

FIND MEGAN SUMERACKI ONLINE:

Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.

Thanks for listening and sharing.

Bruce & The Re-thinking the Human Factor Podcast Team

Storytelling For Better Cybersecurity, with Sarah Moffat

3 mars 2020 | 56 min

Storytelling For Better Cybersecurity, with Sarah Moffat

Sarah Moffat joins us for Series 3, Episode 4 of the Re-Thinking the Human Factor Podcast.

With a vast background in cybersecurity and understanding the human factor, Sarah is currently advising the Federal Government on privacy and security in Washington, D.C. She is also a leadership and development coach, using her knowledge of psychology to inspire others, tailoring specific training to meet the personal needs of her clients.

Can storytelling shape culture within the workspace towards better cybersecurity? Let’s hear what Sarah has to say on this enlightening topic.

MORE ABOUT SARAH MOFFAT:

JOIN SARAH MOFFAT AND BRUCE HALLAS AS THEY DISCUSS:

Navigating generational influences upon the way people pick up new technology.
- How storytelling can help instructional design.

Millennials have a very different security culture to baby boomers.

Creating a map as a framework to build a program to suit different attitude types. (Because realistically, what can learn from pilots and powerpoint?)

How as an industry have we seen cybersecurity education and awareness training?
- Is it a good idea to have it as a stand alone piece of training?

Cyber security needs to become interwoven at every level of life, especially at work.

Security as a life skill is needed for this new tech-based environment.

How early should we all be learning cybersecurity as a culture nowadays?

Cultures are formed through a process of experience, so are we doing a good enough job developing behaviours early enough?

The importance of identifying right action, not only as cyber security professionals, but also helping those we lead to understand easily which choices are the “right” ones
- Personal choice. How to cultivate a healthy reaction.

Is once a year training worthwhile in a changing security landscape?

The importance of awareness training and inspiring interest throughout the year.

Bridging the gap -
- Implanting security into the overall culture of the organisation can better protect it.
- Branding strategy, touch points and brand equity are all important attributes of an effective awareness and behaviour campaign

How bridging the gap between the CIO and the rest of an organisation boosts security awareness and engagement.

Mistakes that can happen when creating security cultures -
- The percentage of people given the responsibility for security awareness within an organisation is really high but it is another hat they wear.

Ticking boxes vs. building a new culture.

Protecting PII should be about protecting people.

Is security awareness a risky business?

Personal responsibility plays a large role in adaptation of new behaviour across culture.

Investment of time and money and/or the lack thereof, and how it influences change.

As security professionals, we must remember that doing the same thing over and over again expecting different results is insanity.

Capitalise on what we know drives human behaviour.

Telling stories costs very little, so not much risk involved, and stories have been proven to change behaviours.

DO YOU NEED SOME HELP IMPLEMENTING THE NEW STRATEGIES YOU’RE PICKING UP? SIGN UP FOR ONE OF OUR WORKSHOPS:

Thanks for listening and sharing,

Bruce & The Re-thinking the Human Factor Podcast Team

Applying Marginal Gains One Small Step At A Time, with Chris Fleming

25 februari 2020 | 66 min

Applying Marginal Gains One Small Step At A Time, with Chris Fleming.

Chris Fleming steps in to join us for Series 3, Episode 3 of the Re-Thinking the Human Factor Podcast.

If you have been with us here for sometime you will know we strive to bring you the highest caliber guests for your listening delight. After hearing Chris do an incredible presentation at the SANS conference on marginal gains (you all know how much we here at the podcast love those marginal gains) we knew he would be the perfect guest to bring on the show.

Chris studied accounting and finance, but made a career change and is currently acting as Senior Manager of Global Security Culture & Awareness at an international insurance company. His approach to internal security is firmly rooted in understanding human behaviour to bolster security from within with both compassion and empathy. To put it in Chris’s own words he is: ‘responsible for strengthening the human firewall...one nudge at a time.’

“Big gains can become apparent when small, incremental improvements are made across the board.

In today’s interview we’ll be discussing how the various parts of the whole can be upgraded one small step at a time.”

JOIN CHRIS FLEMING AND BRUCE HALLAS AS THEY DISCUSS:

Factoring human behaviour in to security procedure can allow a more empathetic reaction to security issues.
Malicious insider risk, the human angle. Is a thief always just a bad egg?
- Human behaviour can be affected by changes in external influences. Understanding these can create a better security culture.
- Creating a stronger network within internal security via education and the building of awareness, can open up the possibility of preventing internal risk.
- Internal support systems can be set up to help employees deal with difficulties. Small changes in the way issues are dealt with can have a huge impact.
The importance of being well read to expand your knowledge.
How the aggregation of marginal gains can help you achieve your larger goal -
- When the British Cycling Team hired Dave Brailsford as its new performance director he changed tiny details within the teams cycling regime to change performance.
- Marginal gains is the concept of breaking down every single part of a whole to work on improving them individually, by as little as 1%.
- How simply changing a pillow had a knock on affect.
The main hurdles we face when trying to apply change across a large company -
- When you as a team are tasked to change the security culture across an organisation it is a huge job and usually comes with little budget.
- A lack of manpower can be overcome by using the concept of aggregated marginal gains.
- Takeru Kobayashi, a professional speed eater, made incremental changes to improve his performance, breaking world records against all odds.
Finding opportunities to apply material gains within security and awareness.
- Communications need little manpower or budget to be tackled. Simply changing the way an email is sent can reap measurable gains.
- Choosing your words wisely, language impacts response.
- Randomised controlled trials, otherwise known as AB testing, and how these help you fine tune your process.
- Low risk and low investment — maximum rewards. A great compliment to larger initiatives.

RESOURCES AND TOPICS FOR FURTHER STUDY

MORE ABOUT CHRIS FLEMING:

Chris Fleming

Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.

Thanks for listening and sharing.

Bruce & The Re-thinking the Human Factor Podcast Team

What Security Awareness Professionals Can Learn From Marketers and Understanding the Customer Journey, with Kenda MacDonald

18 februari 2020 | 71 min

What Security Awareness Professionals Can Learn From Marketers and Understanding the Customer Journey, with Kenda MacDonald.

Kenda MacDonald joins us in the hot seat for Series 3, Episode 2 of the Re-Thinking the Human Factor Podcast. We are absolutely thrilled to have Kenda MacDonald on the show today. As I’m sure you’ll agree, she has the knack for pulling things together in a way that is easy for you, the listener, to understand and digest. We could have talked all day but we managed to stop ourselves….. just.

Formerly a forensic psychology major, Kenda MacDonald is now an award winning business owner, and the award winning author of ‘Hack The Buyer Brain’. Kenda is the founder and CEO of Automation Ninjas, and she sees her mission as helping forward thinking businesses get better quality leads that convert better, for happier customers that come back and spend more. The key to this is combining buyer psychology and marketing automation.

In our show today, we're going to dive into what we in the security awareness profession can glean from insights provided by marketers such as Kenda and their understanding of human behaviour and decision-making.

"It is incredibly important to know your target market and make sure they keep on coming back for more, and with so much data available to businesses these days, there really has never been a better time to do so."

JOIN KENDA MACDONALD AND BRUCE HALLAS AS THEY DISCUSS:

The importance of making the time to tailor your customer journeys via understanding why and how your customers stay the long haul with you as a business provider — whilst remaining ethically tethered. And how this can be applied to marketing and implementing your security awareness.
How does knowing human behaviour and conscious consumerism aid your business?
- Prevent choice paralysis. Being able to cater directly to an individual and know whether to offer them ‘A’ or ‘B’ saves time and money for both you and your users.
- How giving people conscious choices they will want to make, for the benefit of all, can help get things done.

A happy, fulfilled customer is bringing you, the service provider, customer lifetime value via loyalty and advocacy. Building your ambassador network by learning from how it is done in marketing loyalty schemes.

Customer Lifetime Value: The benefits of a lifetime customer versus a one off purchaser, and what we can learn from this.

Time viewed as a lifetime value. Gaining value via full attention and usage of apps.
It’s far more cost effective to spend time getting to truly know your audience, rather then thrashing about in the dark.
Give people a positive experience with little friction and they will help to generate corporation and seed new awareness within the culture around them.
The importance of data gathering when trying to shape human behaviour.

Humans have developed to be social animals. They have group identities and labels whether they like to admit it or not. Like attracts like and stereotypes do exist.
The Customer’s Journey can be applied when implementing security awareness-
- The customer’s journey is everything a consumer has to do along a path to buy and utilise a product.
- Avoid making the mistake of forgetting about the fact that purchasing something is only one part of a long journey as a consumer.
- By utilising customers’ ‘moments of truth’ you gain more lifetime value from them.
Understanding mental biases -
- The brain creates a great deal of rule sets to help it make sense of the reality around it.
- A cognitive bias is a systematic error in thinking that affects the decisions and judgments that people make. Some of these biases are related to memory.
- The individual can develop a bias towards a product or service due to recent repetition of exposure to it. The brain likes availability and ease of use.
Marketing security more effectively and driving behaviour using the Heroes Journey -
- Craft content to make your user feel like a hero in their own story,
- Validate with data to see if your users are looking for the content you are providing.
- How gathering data helps you understand the wants and desires of your customers to aid you in bringing them their happily ever after.

RESOURCES AND TOPICS FOR FURTHER STUDY

Hack The Buyer Brain
A Prescription For Cutting Costs
The Availability Bias
The Sunk Cost Fallacy

MORE ABOUT KENDA MACDONALD:

Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.

Thanks for listening and sharing.

Bruce & The Re-thinking the Human Factor Podcast Team

Reducing Cyber Risk By Reducing Friction, with Jason Hoenich

11 februari 2020 | 67 min

Reducing Cyber Risk By Reducing Friction, with Jason Hoenich

Jason Hoenich joins us as we return for Series 3, Episode 1 of the Re-Thinking the Human Factor Podcast. We are glad to be back after our hiatus having made a few changes to the podcast that we hope will add value and increase our reach so we can continue making security and behaviour awareness an engaging topic for all.

Both a security vendor and a sponsor of this podcast, Jason is a leader in the security awareness arena and a well-known speaker and blogger on the subject of awareness. He is the creator of the popular Hashtag Awareness video series and he brings over a decade of experience developing world-class awareness programs for companies including The Walt Disney Company, Activision Blizzard, and Sony Pictures Entertainment. Currently the President of Habitu8.

‘We live in the age of ‘Peak TV’ — people expect and demand high quality, binge-worthy content. If your training can grab their attention in the first 10 seconds and keep them engaged, that’s your chance to influence them and make them actually want to learn.’ - Jason Hoenich.

JOIN JASON HOENICH AND BRUCE HALLAS AS THEY DISCUSS:

What challenges does one come across when applying security awareness across a behemoth such as Disney?
The importance of flexibility when addressing different types of professionals coming from different mind sets.
- Left brain versus right brain professionals need different methods of communication.

- How flexibility enabled a safe space to explore new ideas and growth within user engagement.
The challenges of influencing behaviour within specific environments.
- Looking for friction within different departments and accepting the reality that one cap does not fit all.
- Understanding each department within an environment personally by spending time to observe the way they prefer communications to be presented.
The issue of time when taking a more nuanced approach to security across departments:
- Dealing with company preconceptions about how security and behaviour awareness looks.
- There is a need to market security correctly to get people to change their behaviour. Making decisions easy for user engagement.
- Setting expectations that are realistic is vital to the success of the mission to update security protocols across a company.

Identifying stake holders and how it aids success:
- The foundational action is to engage key stake holders early on for optimum results.
- Corporate communications need to be brought into alignment quickly and painlessly.
- Selling the broader strategy and strengthening the internal ambassador network.

The importance of change and how to tackle bias.
- Looking for ways to make communications more engaging.
- Crafting media to suit the audience and appeal to their attention span.
- How does staying fresh and relevant effect engagement?
The famous ‘jam experiment’ and what can be gleaned from it.
- Choice architecture and applying it to security and human behaviour.
- A small amount of high quality choice equals a greater reaction.
- Understanding whether or not the process makes sense to the users to remove any friction.

Role of regulators -
- Just because the law says it must be done, does this mean it gets done?
- Are regulations aiding the job of security awareness and education managers and is there any room for creativity?
- We cannot treat humans the same way we treat computers and the digital realm. Human behaviour needs to be accounted for.
- Reducing the risk of noncompliance via applied understanding of human behaviour.

RESOURCES AND TOPICS FOR FURTHER STUDY

MORE ABOUT JASON HOENICH

Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.

Thanks for listening and sharing.

Bruce & The Re-thinking the Human Factor Podcast Team

Effective Leadership and Successful Organisational Change, with John P. Kotter

6 juni 2019 | 79 min

The Road to Effective Leadership and Successful Organizational Change, with John P. Kotter

John P. Kotter joins us on the show for episode 25 of the Re-Thinking the Human Factor Podcast.

We know that while some of our listeners will see his name and ask themselves, “Who?”, those who are familiar with John P. Kotter’s work will be asking, “How?”. As in, ‘How did they get him on the podcast?’. Wherever you find yourself on the spectrum, we are very excited to bring you this interview with someone whom we consider to be a living legend.

John P. Kotter is regarded by many as the authority on leadership and change. He is a New York Times best-selling author, award winning business and management thought leader, business entrepreneur, inspirational speaker and Harvard Professor. Kotter’s ideas, books, speeches, and company, Kotter International, have helped mobilise people around the world to better lead organisations, and their own lives, in an era of increasingly rapid change.

Change management is an area in cyber security that requires consistent learning, creativity, re-tooling, and re-thinking. We know that. So we are excited to share this pertinent interview with you today.

JOIN JOHN KOTTER AND BRUCE HALLAS AS THEY DISCUSS:

The importance of having time for reflection in order to bring about clarity of thought. Clarity is the door to creativity, curiosity, innovation, and ultimately, change.
We have two systems operating at a subconscious level -
- Survival Mode, a system developed over time to help us identify and respond to threats quickly in order to to ensure survival.
- Thrive mode, which is the brain’s system for recognising opportunity and is most likely responsible for our species emerging from the Savannah and from caves.
Understanding these two modes is important. An organisation whose leaders and workers operating most often in Survival Mode will have a far more difficult time accessing the clarity and creativity that Thrive Mode affords us. This ultimately means that change and innovation will be more difficult to accomplish in those organisations.
What factors are present in organisations that have successfully implemented organisational changes vs. those that fail to meet their objectives.
Understanding various barriers to change, such as -
- How our dominant survival trait when married with desire for consistent output creates an environment where change is difficult
- Complacency, a huge barrier to change
- False urgency, which is driven by the Survival system
The power of a Guiding Coalition to help achieve organisational change and the difference between that style of leadership vs. traditional management styles
Best practice around communication -
- Emotional communication is more sticky than dry, non-emotional messaging. Interestingly enough, a person with buy-in for an idea is more likely to naturally convey emotion when speaking about the idea than the one who is going along because he/she has to do so.
- Frequency is also key to making messages stick
- Communicating ideas in various ways helps ensure the message is picked up by lots of different people
Enabling situations where quick wins are possible for an organisation is a necessary practice for a few reasons -
- Establishing credibility for a change initiative is a huge issue at the beginning of the change process, and quick wins establish the necessary trust in an idea so that buy-in is possible.
- Quick wins then enact the Thrive System in the brain when the brain receives feedback that progress is being made.
- A series of wins keeps the Thrive System running and helps people to hang in for the long haul of proposed change.

RESOURCES AND TOPICS FOR FURTHER STUDY

Guiding Coalitions
The availability heuristic bias
Survival Mode vs. Thrive Mode

MORE ABOUT JOHN P. KOTTER:

LinkedIn

Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.

Thanks for listening and sharing.

Bruce & The Re-thinking the Human Factor Podcast Team

What children's books can teach us about changing behaviour, with Todd Courtney

23 maj 2019 | 59 min

What children's books can teach us about changing behaviour, with Todd Courtney

Welcome to episode 24 of the Re-Thinking the Human Factor Podcast.

Joining us on the show today is Todd Courtney, an author who has created a series of children’s books in partnership with his wife that are scientifically based and geared towards instilling children with healthy mindsets and positive behavioural circuitry.

The catch is that behavioural patterns are almost completely solidified in the brain by the age of 7. Todd and his wife have created several children’s books with the goal of helping create balance in the minds of children. The aim is create balance between the messaging their young readers receive from their environment and personal relationships, with an inner neural network and idea landscape composed of positive affirmations and behaviours.

JOIN TODD COURTNEY AND BRUCE HALLAS AS THEY DISCUSS THE FOLLOWING:

How the Max Rhymes books help instill positive behavioural patterns in young children.
Cultural differences in how one’s “truth” is understood and how that truth effects behaviour.
The influence of one’s close circle of friends or family on one’s truth, and how that might relate to groups in a work environment.
Studies around behavioural influence initiatives and their effectiveness necessitate long-sightedness and patience to achieve accurate metrics and positive results.
Only 1 / 10 adults ever change their behavioural patterns. Change must come from within, and change imposed from without will be met with resistance.
How governments and other stakeholders in the industry are trying to educate children about internet usage safety and other topics around educating children.

RESOURCES MENTIONED

How to be Idle by Tom Hodgkinson
Culture and Security with Gert Jan Hofstede (Re-Thinking the Human Factor, Episode 6)
Heather, Chase, and the Cynja Comic Series (Re-Thinking the Human Factor, Episode 2)

MORE ABOUT TODD COURTNEY:

Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.

Thanks for listening and sharing.

Bruce & The Re-thinking the Human Factor Podcast Team

How to develop a security culture, interview with Gert Jan Hofstede

9 maj 2019 | 64 min

How to develop a security culture, interview with Gert Jan Hofstede

Understanding the role of culture is crucial if we want to develop a security culture. Especially if we want to have a realistic chance of influencing behaviour, which is probably why we're wanting to develop a security culture in the first place.

This is because culture is like a body of water. If you come at the water from high above at too high a velocity with a massive, weighty body of change, the body of water will act like a slab of concrete.

You'll get a very different response, however, if you approach the water from a closer range, at a slower speed and with something more streamlined. You’ll glide through to the underside of the water and be able to explore the intricate inner-workings of the ecosystem contained within.

It’s that understanding which will guide your cyber security awareness, behaviour, and culture initiatives towards a greater chance of success.

Gert Jan Hofstede joins us for a second time on the show for Episode 23 of the Re-Thinking the Human Factor Podcast.

Gert Jan is a population biologist and social scientist hailing from the Netherlands. His research and publications have provided many with deeper understanding in the areas of cultural evolution, societal change, cultural stability, and how those forces interact with and have influence upon one another.

Gert Jan is also known for his work in social simulation as well as for a number of books he has co-written with his father, Geert Hofstede.

“This is where culture is really at its most useful. To know that similar social results… to take a group where it should go, have to be reached by different ways by different routes in different cultures.”

JOIN GERT JAN HOFSTEDE AND BRUCE HALLAS AS THEY DISCUSS:

Brexit, and drawing a comparison between the importance of understanding the cultural dimensions at play in Britain, and likewise, the cultural forces at play in one’s organisation.

The importance of recognising and acknowledging that we don’t even recognise our own cultural biases and the errors that lack of understanding of ourselves can cause.

Increased usage of the word 'culture', especially in job titles, as companies strive to develop a security culture.

How the meaning of the word 'culture' can easily differ from organisation to organisation depending on the broader cultural context of the society in which the organisation is situated. This is because the social and technical systems of an organisation are dovetailed in everyday behavioural dynamics

Along with being cognisant of cultural differences, we also needs to learn how to properly interpret those differences. We have to remember that our brains naturally make quick decisions about people and groups, who’s in and who’s out.

Has culture evolved to help us address our deep seated anxiety about the unknown?

The status quo bias - that people stay rooted in doing what they normally do until it gets to the point where it’s a disaster.

You can’t change the culture of a society, but you can change the culture of an organisation, but it’s very hard and takes time.

Influencing an existing culture vs. creating a new security culture, and whether or not one can or should develop a security culture that's separate.

Values dimensions and using a whistleblower. This is an example of how values can influence societal responses to these kinds of people in differing ways depending on the values of the culture within which the whistleblower is situated.

Using a cultural framework to look at incidence reporting in which people report on themselves for their mistakes.

A helpful tip for those working in multicultural environments for working through the behavioural differences they experience.

“I think there’s nothing better than international experience with reflection.”

RESOURCES AND LINKS FOR FURTHER RESEARCH:

Gert Jan Hofstede’s first appearance on the Re-Thinking the Human Factor Podcast

MORE ABOUT GERT JAN HOFSTEDE:

Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.

Thanks for listening and sharing.

Bruce & The Re-thinking the Human Factor Podcast Team

Eliciting Intrinsic Motivation and Reframing Problems, with Rachel Lawes

25 april 2019 | 67 min

Eliciting Intrinsic Motivation and Reframing Problems, with Rachel Lawes

Rachel Lawes joins us for Episode 22 of the Re-Thinking the Human Factor Podcast. Rachel gave a fantastic interview back in Series one of the podcast, and if you haven’t had a chance to listen yet, please check it out here when you’re able. We’ve received feedback from a few people recently about how they were really blown away by what Rachel had to say about semiotics as well as how she spoke more broadly about branding, behaviour, and the role of semiotics in behaviour and culture.

Rachel is the author of some of the earliest published papers in semiotics and she’s proud to have been involved at a time when it was first emerging in the UK. She uses it, and her academic background in social science, to rejuvenate brands, innovate products and services and steer comms. She conducts research projects using semiotics, ethnography and discourse analysis. She delivers training for client side and agency users, and she supplies consultancy to ad agencies and large branding agencies. She also works with universities because she loves to teach.

“People are shocked at what they fall for when they think they’re actually defending themselves…”

JOIN RACHEL LAWES AND BRUCE HALLAS AS THEY DISCUSS:

Some clever and engaging videos created by airlines as well as one created by Burger King that featured Snoop Dog, the difference between having an engaging comms piece vs. one that actually elicits behavioural change, and budget issues many cyber security awareness professionals are up against when it comes to the creation of engaging awareness materials.
Thinking of Security as a product, almost from a branding or marketing sense.
The fact that humans get used to information they see over and over, so it is important to consistently apply innovation to crafting awareness and training materials.
Film, audio, visual approach to creating awareness and training campaigns and whether or not there’s a better way to accomplish the same goal.
The use of incentives within awareness and training campaigns - do they work? If not, what’s a better way to elicit engagement and behaviour change from campaigns?
Extrinsic vs. intrinsic motivation, and which is more effective in catalyzing behaviour change.
How science has shown that intrinsic motivation is more long-lasting than extrinsic motivation, but for many organizations, a good portion of their awareness budget is spent on incentives, which are extrinsic in nature. With budgets being an issue, would it not be better to spend the money on something that would have an intrinsically motivating effect?
It’s possible that incentives have their place to accomplish short-term, tactical awareness measures. However, heads of organizations must be communicated with regarding the short-term nature of the incentives program for which they they are approving money, and they also need to know to be prepared for the need for longer-term, intrinsic measures to be funded.
The fact that some operate on the model that use of fear, uncertainty, and doubt as scare tactics are going to get people’s attention (a practice based on a study of Maslow’s “Hierarchy of Needs” concept). Rachel has a different take on this, though, and health campaigns geared towards getting folks to stop smoking stand as a shining example of what she has to say.
- Bruce also posits that instead of fear, cyber security professionals should create policies that are easier to accomplish than those that were enacted previously. Alleviating friction, alleviating the heaviness (fear / uncertainty) of a policy actually increases the likeliness of compliance.
The environment in which people are making decisions about whether or not to comply with a policy will have triggers. Those triggers, when they are triggered, are going to increase the likelihood that people aren’t going to choose to comply. So, understanding the environment first, and understanding that we make choices in that environment, are core parts of what cyber security professionals must do.
The difference between telling people what they need to do vs. telling people what they need to do and explaining why.
That awareness and training managers should use the word “DON’T” as little as possible when explaining policies and procedures, while a more successful approach will be to explain what people should “DO”.

RESOURCES AND LINKS FOR FURTHER RESEARCH:

MORE ABOUT RACHEL LAWES:

LinkedIn

Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.

Thanks for listening and sharing.

Bruce & The Re-thinking the Human Factor Podcast Team

Episodes Review with Nathan Mielke, Director of Information Technology & Cyber Security Manager

4 april 2019 | 55 min

While Nathan Mielke was teaching a cyber security lesson in homeroom at the Hartford Union High School in Wisconsin, the school experienced a distributed denial-of-service (DDoS) attack that took them down for about a class period. While the identity of the attacker was never discovered, Nathan is fairly certain the attacks were coming from a student’s phone, or as it goes in classic American Horror films, the call was coming from inside the house…

Episodes Review with Nathan Mielke, Director of Information Technology & Cyber Security Manager

Nathan Mielke joins us for this episode of the Re-Thinking the Human Factor Podcast. Nathan is from Milwaukee, Wisconsin, and he’s a Director of Information Technology & Cyber Security Manager combining high-level security and systems domain administration experience with a background in leading infrastructure development, data solutions, and information risk programs. His job is to manage training, data intelligence, risk, cyber defence, and investigation activities to safeguard users, secure assets, and ensure high-level security and systems domain administration. He and his team stay updated on the latest trends in security equipment/technology to not only keep the organisation safe but also on the cutting edge.

Interestingly, Nathan began his career as a Librarian, took a turn into the IT realm, and through a series of DDos attacks and other events has brought him to where he is now.

In this episode, Nathan Mielke joins Bruce Hallas to discuss insights they’ve both picked up while listening to the previous 3 episodes of the Re-Thinking the Human Factor Podcast:

“But ultimately, when something goes wrong, you will be judged on the thinking process that you had behind the choice that you made…”

SOME OF THE TOPICS NATHAN AND BRUCE DISCUSS IN THIS EPISODE ARE:

What is it that drew Nathan to the Human Factor, the people piece?
Bennett Arron’s routine involving asking if any people in the crowd had been arrested and the lesson of timing and easing one’s audience into heavier, more difficult topics.
Char Sample, culture as a vector for attack, and how Nathan incorporates that insight into his goals for increasing security awareness for the educators he works with.
As was pointed out in Jonathan Armstrong’s episode, people must rehearse for what happens in the case of a security breach, and each of the involved organisational teams (i.e. Cyber, Lawyer, PR, etc) need to know how to work together in those situations to solve issues quickly and effectively.
Regarding the human factor piece, do we think of awareness as being internal-facing only, or should we be considering that awareness is also about external stakeholders that may have an interest in what we’re doing?
How medium to small size businesses are the ones often flying by the seat of their pants when it comes to security awareness, behaviour, and culture.
The probability that people who work in a positive cultural environment are more likely not only to retain training, but also to stop, think, ask questions, and behave in a safer more thoughtful manner than those who work in negative, stressful cultural environments.
Stress those who are CISOs or Security Managers experience based on tight budgets and expectations born from the false belief many organisational leaders hold that if IT and security managers are doing their jobs, nothing bad is going to happen, ever; and how that stress effects the performance of those in charge of security awareness, behaviour, and culture for an organisation.
How security and awareness managers and leaders need to be sure to build and maintain trust and a positive relationship with others in their organisations in order to bolster security efforts organisation-wide.

“Your data breach is coming. Are you prepared for it?”

MORE ABOUT NATHAN MIELKE:

LinkedIn

Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.

Thanks for listening and sharing.

Bruce & The Re-thinking the Human Factor Podcast Team

Using Humour to Raise Cyber Awareness, with Bennett Arron

21 mars 2019 | 52 min

How a Victim of Identity Theft Uses Humour to Generate Cyber Awareness, with Bennett Arron

Welcome to Episode 20 of the Re-Thinking the Human Factor Podcast. Joining us on the show today is Bennett Arron, Bennett was one of the first major victims of Identity Theft in the UK.

According to the Police and credit reference agencies, he owed thousands of pounds to phone companies, banks and department stores.

The only thing was, it wasn’t him.

This theft resulted in Bennett becoming penniless and homeless.

A comedy about identity theft

Years later, Bennett wrote a comedy show about his experience. The show was critically acclaimed at the Edinburgh Festival and led to Bennett being asked to direct and present the documentary 'How To Steal An Identity' for Channel 4.

How to steal an identity

In the documentary, Bennett proved, through a series of stunts, how easy the crime of ID theft is to carry out by first stealing the identities of the general public and then, rather foolishly, stealing the identity of the Home Secretary.

The documentary was 'Pick of The Week' in The Guardian and The Telegraph and was called ‘Fascinating and Disturbing’ by the TV Times. Bennett was shortlisted for a BAFTA.

As a result of Bennett’s programme, the UK Driving Licence Application Form had to be changed…

The programme can be viewed below (and you don’t even have to put in your bank details to watch!).

https://www.youtube.com/watch?v=-URDjwb0fS4

Bennett now tours the world, telling his disturbingly true yet funny account of what it’s like to have your identity stolen and revealing the devastating consequences of making a documentary ‘in the public interest’.

He was the Guest Speaker at the International Fraud Convention in Italy, the International Congress on Anti-Fraud and Anti-Corruption in Poland (twice), the Security Forum in South Africa and the opening keynote speaker at AUScert, Brisbane in front of 2000 delegates.

In addition to this, Bennett also speaks to Management and Customer Service Staff on the subject of Data Protection and GDPR showing how the repercussions from clerical, computerised or face-to-face errors can be devastating.

“People are shocked at what they fall for when they think they’re actually defending themselves…”

JOIN BENNETT ARRON AND BRUCE HALLAS AS THEY DISCUSS THE FOLLOWING:

Trying to stir emotion in an audience is one thing, but being emotional yourself helps that. However you’re going to communicate to your audience, it’s going to be much more powerful if the person creating the content has emotional investment in the topic.
Whether or not humour is as powerful an ingredient in effective communications as it is thought to be.
The importance of having good timing when using humour in communications.
Are there underlying processes one can learn to become funny or get better at being funny?
Finding your voice.
Knowing the right time for the right voice.
The importance of tone of voice as well as tone of subject matter in effective communication.
Humour as a softer means of communicating awareness initiatives or policy so that people’s responses and engagement with the information is more open.
How laughter effects humans physiological and psychologically.
That humour works across cultures as long as references are dropped that would be culturally irrelevant to the audience at hand.

MORE ABOUT BENNETT ARRON:

Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.

Thanks for listening and sharing

Bruce & The Re-thinking the Human Factor Podcast Team

Awareness, Behaviour, Legal and Regulatory Requirements, with Jonathan Armstrong

7 mars 2019 | 70 min

Awareness, Behaviour, Legal and Regulatory Requirements, with Jonathan Armstrong

Welcome to Series 2, Episode 7 of the Re-Thinking the Human Factor Podcast. Joining us on the show today is Jonathan Armstrong, a lawyer who helps multinational clients with risk and compliance across Europe. Recent projects include lots on data breach, GDPR & data transfer, UK Bribery Act 2010, internal investigations, ethics & compliance code implementation, emerging technology, and corporate governance & online reputation.

He has also written articles on technology and compliance related topics. He is a Fellow of The Chartered Institute of Marketing (FCIM) and Vice-Chair of the New York State Bar Association International Section.

Jonathan has also spoken at conferences in the US, China, Brazil, Canada, Vietnam, Singapore, Dubai & across Europe. In addition, he’s been involved in the development of a number of technology applications going back to the 1990s and was twice a Regional Finalist in the UK Government dti/ISI Awards for Innovation in e-commerce.

JOIN JONATHAN ARMSTRONG AND BRUCE HALLAS AS THEY DISCUSS THE FOLLOWING:

Training / Practice for helping to not only reduce the likelihood of cyber attacks, but also how to address a problem when something goes wrong (which it inevitably will at some point)
The law is increasingly saying that companies must implement some form of education and awareness training, and when a breach does happen, companies must have their arguments ready pre-breach so they can respond effectively to a breach and be able to defend their efforts to stave off the attack
Those who have managed breaches most effectively are those who have run simulations and had a plan in place
Stakeholder management
The role Education and Awareness plays in terms of how a regulator might look at a breach
How to spot training programs that will pass regulations vs those that won’t
The disparity between the cost of high-quality training vs the cost of handling a breach or facing fines for non-compliance

MORE ABOUT JONATHAN ARMSTRONG:

LinkedIn

Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.

Thanks for listening and sharing.

Bruce & The Re-thinking the Human Factor Podcast Team

How cultural values can be used in cybersecurity attacks, with Dr Char Sample

21 februari 2019 | 67 min

On Episode 6 of series 2 of the Re-Thinking the Human Factor podcast, we are joined by Dr Char Sample to dive into the topic of culture and the role it plays when it comes to cybersecurity. But this podcast chat is not what you will expect to hear when it comes to culture; we're going to explore how your cultural values can be used against you in cybersecurity attack.

Some of the topics we're going to dive into during this podcast episode include Cultural Dimensions, Geography of Thought, and Values as a Vector for Attack.

Culture and cybersecurity

Dr Sample is a researcher-fellow employed for ICF at the US Army Research Laboratory in Adelphi, Maryland and has over 20 years experience in the information security industry. Dr Sample’s area of research examines the role of national culture in cybersecurity behaviours. At the moment, Dr Sample is continuing research on modelling cyber behaviours by culture. Other areas of research are information weaponisation, data fidelity and fake news. Dr Sample is a frequent collaborator with the University of Warwick, in the UK which is where she completed her fellowship.

“It’s an old Russian proverb: ‘TRUST, BUT VERIFY.’ We put all of our eggs in trust and we left verify exposed.”

JOIN CHAR SAMPLE AND BRUCE HALLAS AS THEY DISCUSS THE FOLLOWING:

The meshing of two schools of cultural thought to create a more complete cultural model from which to approach awareness, behaviour, culture, and even defence campaigns:
- Hofstede’s Cultural Dimensions Theory
- Nisbett’s work: “Geography of Thought: How Asians and Westerners Think Differently…and Why”
Design for success - Whether you’re designing a phishing campaign, an education awareness campaign, how you’re going to manage incidents, whatever it is, it’s about understanding that all of this is being done with people in mind, either as the victims, the perpetrators, or the middle people.
You can’t shape culture in the short-term, which causes a clash between organisational culture and security culture. Organisational cultures often look for success metrics every quarter, but culture takes much longer to change.
We all have cultural lenses, and those cultural lenses help us (or don’t help us) with the definition of what it is that we see.
The Cultural Dimensions Theory is old enough that we now have tons of data to analyse around the 6 dimensions.
Cultural values are very enduring because those values are reinforced all throughout society. So, you’ve got this lifelong influence on culture / shaping of culture, and you’re trying to set up a security culture within your organization — Which one is going to win?
Insights around culture and how that relates to victims.
How important is the role of values in decision-making? Also, Char shows an example of how to map behaviour to Hofstede’s Cultural Dimensions to give a possible answer to the question.
Culture as a vector for attack.

“We have a tendency to want to throw technology at the problem. But of you don’t take the cultural values of the person who’s sitting at the end of the computer there, and who’s going to be the recipient of this data, if you don’t take that into account, you can at best have a partial success.”

Further study and research

About Dr Char Sample

LinkedIn

Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.

Thanks for listening and sharing.

Bruce & The Re-thinking the Human Factor Podcast Team

Episodes Review with Craig Thomson, Security Education & Awareness Manager

7 februari 2019 | 75 min

Observations and Take-Aways: Episodes Review with Craig Thomson, Security & Awareness Manager

On this episode of the Re-Thinking the Human Factor Bruce Hallas is joined by Craig Thomson, the Security Education & Awareness Manager at Nationwide Building Society. He is an experienced Education specialist with a demonstrated history of delivering impactful results in the Defence, Air & Space and Information Security arenas. He is skilled in the management of Training Programme and solution design using SAT and ADDIE methodologies to deliver engaging and meaningful training and communications that create measurable behavioural change. Craig values using effective emotional intelligence skills to develop teams and solutions in support of achieving business strategy goals.

“Awareness is a two-way street… Awareness is just as much about actually being aware ourselves of who our target audience is…”

JOIN CRAIG THOMSON AND BRUCE HALLAS AS THEY DISCUSS:

Their shared connection around the armed forces and applicable observations they’ve made about L&D and recruitment for the Armed Forces
The importance of people having vested interest in policy creation
The problem of cognitive dissonance within company culture (i.e. ‘This is what the policy says, but what push comes to shove, here’s what we actually do’)
What motivates people to take part or give their time to engagement with awareness initiatives
Awareness is a two-way street
Lessons learned around conducting surveys as a means of gathering information about one’s target audience, and other means of garnering useful information and feedback from those people
The difference environment makes in training, accurate observation, and behaviour change
Sharing ideas across a network of security professionals
The concept of “Awareness” as communications that give people a sense of understanding and control over upcoming change in their work environment, which helps them not feel as stressed about the change, which then helps to overcome their innate desire to avoid or not comply with the desired change in behaviour
If / how metrics can be used to enhance Awareness strategy and creation

MORE ABOUT CRAIG THOMSON:

LinkedIn

Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.

Thanks for listening and sharing.

Bruce & The Re-thinking the Human Factor Podcast Team

The Human Brain vs. Awareness, Behaviour, and Culture

13 december 2018 | 67 min

What makes our brains tick, and why does that matter for change managers and organizational heads?

The Human Brain vs. Awareness, Behaviour, and Culture

Hilary Scarlett is an international speaker, consultant and author on change management and neuroscience at Scarlett & Grey. Hilary’s work has spanned Europe, the US and Asia and concentrates on the development of people-focused change management programmes, coaching and employee engagement. Her specialities include:

change management
employee communication
employee engagement
leadership coaching (Inst of Leadership & Management accredited)

“A need for control, a need to be able to predict what’s coming up is really important to the brain.”

JOIN HILARY SCARLETT AND BRUCE HALLAS AS THEY DISCUSS:

The necessity of understanding how our brains work
The human brain’s distaste for change
A brief rundown on what the brain actually is, i.e. what it does, how it’s made, the structure of it
How understanding what our brains do and how they work can guide efforts towards creating proper learning environments and organizational cultures where people can more easily learn and thrive
Why our brains are often lazy by default
Growth mindset within an organizational culture
The importance of prioritizing tasks by order of importance because the brain’s energy / ability to process information critically will become increasingly depleted as the day goes on
Tools for getting the brain back on track and restoring some of its energy during the day
Understanding how brains process change and what it means for Change Managers
The power of storytelling in communications, understanding, and memory

“Change is extremely difficult for us if we feel it’s unpredictable and uncontrollable… People further down the hierarchy who feel they don’t have that same sight at what’s coming up and don’t have that same control or influence, their brains are in a much more stressed place than [the boss].”

FURTHER STUDY AND RESEARCH

Neuroscience for Organizational Change by Hilary Scarlett

Edgar Schein

Neuroplasticity

The Endowment Effect

Mindset by Carol Dweck

MORE ABOUT HILARY SCARLETT:

LinkedIn

Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.

Thanks for listening and sharing.

Bruce & The Re-thinking the Human Factor Podcast Team

Evidence-Based Methodology For Improving Learning & Development

29 november 2018 | 66 min

Did you know up to 80% of information is forgotten within 24 hours? Admittedly, this is not an encouraging statistic for those of us seeking to raise awareness, change behaviour, and foster an appropriate organizational culture.

For this reason, we at the Re-Thinking the Human Factor Podcast are looking for answers from outside the security industry from people who can provide an evidence-based path forward which can help us to improve learning and development. We’re happy to share some fresh insights with you on the topic of improving the training experience, likelihood of learning, and stickiness of memory after the training is completed.

Evidence-Based Methodology to Improve Learning and Development

Stella Collins joins Bruce in Series 2 / Episode 3 of the Re-Thinking The Human Factor podcast to have a deeper look into how we can improve learning and development using evidence base methodology.

She is a learning specialist, an expert in Brain Friendly learning, author of Neuroscience for Learning and Development, and the Creative Director of Stellar Learning, a business whose goal is to transform training, learning and communication - particularly when it's tough, technical or tortuous. They support and train their clients to build excellent relationships and make critical messages stick.

With a BSc in Psychology, an MSc in Human Communication, a coaching diploma, 15 years in the IT industry, and more than 15 years in L&D, she injects a theoretical knowledge of learning and communication with creative and practical ideas and hands-on experience. Stella says

“there’s no such thing as a boring topic – just boring training.”

JOIN STELLA COLLINS AND BRUCE HALLAS AS THEY DISCUSS:

The importance of knowing the background behind a neuroscientific finding, i.e., who’s done the research, what was on their agenda when they did it, and whether the proper research methodology and statistical analysis was used to arrive at the conclusion on which your team is now basing its L&D and policy changes
The empowering nature of evidence-based ideas
Effective planning for L&D training, including making people excited about going through the training, and making the most of the time you have with people rather than wasting time and money on a captive audience that will forget most of what they learned within 24 hours (see our opening statement above)
The importance of what happens after L&D training, like inter-staff communication and ensuring that the work environment is conducive to easy adoption of new skills and policies
What is training, actually? Likewise, what is learning?
Neuroplasticity, or the fact that our brains are flexible and able to create new pathways for learning throughout life
Ways to maximizing the potential for learning when engaging in training efforts
When it comes to learning and memory, humans are not sponges as the metaphor suggests
The future of L&D and self-directed learning

“An experience, as opposed to fact…When we have an experience, we remember that sensory information… Emotion is massively sticky. Emotions and senses are hugely important.”

FURTHER STUDY AND RESEARCH

Neuroscienece for Learning and Development by Stella Collins

Stellar Learning (Make Your Message Sticky)

Choice Architecture

Neuroplasticity

MORE ABOUT STELLA COLLINS:

LinkedIn

Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.

Thanks for listening and sharing.

Bruce & The Re-thinking the Human Factor Podcast Team

Decision-making and behavioural change

15 november 2018 | 67 min

Understanding decision making in the workplace is almost like the holy grail. What we want is for our colleagues to make better decisions, but for this to happen we need to take a few steps back. Decision making in the workplace takes place in the context of the organisational culture.

Often when we talk to people about organisational culture, they see culture as something so big that it becomes too overwhelming to think about. Instead, they prefer to take the path of least resistance, focusing on awareness and driving behaviour. However, behavioural science keeps pointing to the fact that individuals need to feel involved in policy creation if buy-in and actual behavioural change is to occur.

But, won’t this take too much time?

How can an organisation possibly gain buy-in from all their employees?

Interestingly, the amount of interaction that people need in order to feel that they are involved is probably a lot less than you think…

Individuals, Groups, Decision-Making, And Self-Regulation

Susan Weinschenk joins Bruce in Series 2 / Episode 2 of the Re-Thinking The Human Factor podcast to have a deeper look into this topic.

Susan has a Ph.D. in Psychology. She applies research in brain science and psychology to predict, understand, and explain what motivates people and how they behave. Her consulting includes applying behavior science to the design of websites, software, medical devices, tv ads, physical devices, presentations, experiences, and physical spaces. She is an author, teacher, mentor, and consultant to Fortune 1000 clients, government, non-profit, and start-ups. Her books include: How To Get People To Do Stuff, 100 Things Every Designer Needs to Know About People, 100 Things Every Presenter Needs to Know About People, and Neuro Web Design: What makes them click?

Susan’s specialties include Behavioural Science, Brain Science, Psychology, and User Experience.

JOIN SUSAN WEINSCHENK AND BRUCE HALLAS AS THEY DISCUSS:

The influence of individual self-stories on a person’s behaviour
Brain function and value-based, goal-directed decision-making vs. habit-based decision-making
The importance of similarity in environments between the one in which a person is trained vs. the space where that person will encounter actual on-the-job issues, and how different environments can hamper training and habit-based decision-making
What choice architecture is and how it relates to how you build an actual environment to bring around the behavioural outcomes you’re looking for
Whether any gains around behaviour can be made without taking into consideration the broader cultural context
The power of social norms and groups to regulate behaviour
The necessity of involving at least some members of strong-tie teams/communities in development of policies in order to increase buy-in and ensure wider-spread behavioural change
The importance of looking at Cyber Security as if it were a product, understanding that having repeat customers of the product is the end goal
Drivers of motivation behind people’s engagement with awareness campaigns, and what kind of behavioural change can be expected through gamification and rewards-style motivation

“The amount of interaction that people need in order to feel that they were involved is probably a lot less than you think…”

FURTHER STUDY AND RESEARCH

Re-thinking the Human Factor Ep 05 with Ciaran McMahon

Choice Architecture

Robin Dunbar (Dunbar’s Number)

The IKEA Effect

MORE ABOUT SUSAN WEINSCHENK:

LinkedIn

Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.

Thanks for listening and sharing.

Bruce & The Re-thinking the Human Factor Podcast Team

Episodes Review with Louise Cockburn, Information Security Awareness and Culture Manager at Quilter

29 oktober 2018 | 67 min

Creating Behavioural Change That Becomes A Part Of The Culture

6 juli 2018 | 77 min

The challenge with creating behavioural change is doing it well enough that people actually change their behaviour consistently. And beyond that, it's about ensuring that other people in the organisation can observe this new behaviour around them so that they come to the realise this is simply "the way we do things around here" in other words, the organisational culture. When we set about creating behavioural change, the ultimate objective is for that change to become embedded in the culture, because that's when we start to see the results we're looking for.

Creating Behavioural Change that Becomes Part of Culture

In today's podcast episode this is what we're going to be exploring. Bruce is joined on the podcast by Su Ee Wong. Su Ee’s journey towards becoming a safety and health (S&H) professional is an unusual one. She started off in biomedical science and a serendipitous stint in the HR office of an academic institution sparked an interest in workplace safety and health.

The unique blend of her science background, HR experience, and S&H interest got her a Mid-Career Training Sponsorship where she was given the opportunity to train as an S&H professional in a University. As the core businesses of a University are research and teaching, she is able to apply her knowledge in research to better manage the S&H of staff and students.

Her passion is in creating a safe, healthy and happy environment that the community can thrive in. She strongly believes that the activities we engage in should do no harm to our people or to Mother Earth. [1]

JOIN SU EE WONG AND BRUCE HALLAS AS THEY DISCUSS:

Su Ee’s post that told of an experiment conducted around the public safety problem of how to change the behaviour of jaywalkers who were crossing the street no matter what color the light was.
Making policies fun, interesting, and engaging can help catalyze behavioural change.
The importance of creating policies that have as little friction as possible to follow.
When we want to change behaviour, a lot of us think that should be through punishment, like handing out fines for doing something. We think if we give them a slap on the wrist, that changes behavior. But it might not be sustainable in the long run. How do we get something more creative that is more positive to change the behaviour and then reinforce it later so that this behavior sticks until it becomes second nature?
In organizations, people at different levels will have different cultural norms. Though one might craft the perfect awareness campaign based on research gathered from within the various organizational levels at their local office, those same campaigns might not elicit the response one is anticipating in the overseas office possibly due to a sort of a national culture.
The importance or recognizing policy “champions” for their work.
How do we incorporate people’s natural biases in how we design awareness campaigns?
Creating an environment and culture where people can share their insights and engage with leadership or the local champion, without blame, to create trust between workers and leaders, because that will be one of the best ways to manage problems knowing that leadership can’t be everywhere all at once.
What Su Ee Wong did to understand root causes of behaviors in her organization.
Awareness is just as much about policy-makers themselves becoming aware as it is about crafting the right kinds of campaigns and procedures.

FURTHER STUDY AND RESEARCH

Re-thinking the Human Factor Ep 09 with Dan Ariely

Shortcut by John Pollock

Choice Architecture

Infosec Europe

MORE ABOUT SU EE WONG:

LinkedIn [1]

Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.

Thanks for listening and sharing.

Bruce & The Re-thinking the Human Factor Podcast Team

Episodes Review with Ed Tucker, European CISO of the Year

6 juni 2018 | 72 min

We like to invite listeners to the podcast to come on the show and share insights that they’ve picked up from previous episodes of the podcast.

We also invite them to share their own experiences and thoughts on the challenge of security awareness, behaviour and culture.

In this show, Ed Tucker, the 2017 European CISO of the Year joins us to lift the lid on the challenges he sees and the insights he’s picked up.

Ed feels there is a common theme between what Robert, Ciaran and Gert discuss and what happens in the reality of the organisation, which highlights the common failings of ineffective security people.

The theme he highlights is ignorance. Tune in to hear all about it.

About Ed Tucker

Ed is the current European Chief Information Security Officer of the Year, UK Security Professional of the Year, and Security Leader of the Year and has been recognised for his massive contribution and sharing of best practice with the wider security world.

Ed is the former Head of Cyber Security for the UK Tax Authority HMRC, where he led the Cyber Security and Response Capability for eight years. Ed designed and built the Cyber Security capability for HMRC, developing two intelligence driven Cyber Security Command Centres; the first in-house developed capabilities in UK Government. Ed implemented security controls across all HMRC's email domains and reduced phishing emails purporting to be the UK Tax Authority by 500 million a year 2016 through spearheading the use of DMARC (Domain-based Message Authentication, Reporting and Conformance).

Ed also instigated the take down of 14,000 fraudulent websites harvesting data and has had a broad spectrum of responsibilities in his fifteen-year career including Online Fraud, Hacking Analysis & Capability Scoring and Forensic Investigations. A regular speaker at events such as InfoSec Europe, European Information Security Summit, European CISO Conference, InfoCrime Summit, and now eCrime, Ed is a highly regarded industry expert on all aspects of data protection.

How semiotics can help us engage more effectively

29 mars 2018 | 54 min

EPISODE 10 SUMMARY - RACHEL LAWES

————————————————

Joining Bruce Hallas on Episode 10 of the Re-thinking the Human Factor Podcast is Dr. Rachel Lawes, who comes to the show with a background in the field of semiotics. Don’t worry, if you’re not familiar with the term, you’re probably in good company.

However, upon learning more about Rachel and the field of semiotics prior to recording the interview, we knew she had something of interest, substance, and worth to bring to the conversation around Cyber Security Awareness, Behaviour, and Culture.

MORE ABOUT RACHEL

If you go to market research conferences, you’ve probably met her already. She’s one of the original founders of British commercial semiotics and she never stops being excited about what it can do. She uses semiotics and related methods, backed up by a comprehensive knowledge of social science, to rejuvenate brands, innovate products and services and steer comms. She delivers research, insights and strategic guidance to brand owners. She delivers training in advanced research methods for both client side and agency side users. She also supplies consultancy services to ad agencies, design agencies and large branding agencies.

From time to time she works with universities because she loves to teach. [1]

JOIN RACHEL LAWES AND BRUCE HALLAS AS THEY DISCUSS:

What semiotics is.
In reference to a challenge often put our way regarding the applicability of insights from without the security industry — whether the insights gained through semiotics be applied to both sides of the fence, so to speak, both externally AND internally, as in the case of within an organization.
One fascinating consequence of digital culture — that written language has taken on a life of its own in a way that really haven’t seen in our life times.
- It’s no longer really required that you follow the rules you learned in school. What’s more important is getting your message across, which might involve substantial use of abbreviations, emoji’s, etc. People communicate using language and text now more than they have done for a long long time.
The work of semiotics is partly about observing what’s going on in a given audience to try to understand what it is they’re giving off, what the signs are you see in the audience which may be a reflection on how they would respond to you presenting something to them.
How semiotics can help one engage more effectively and influence changes more effectively.
Studying signs and symbols (semiotics) gives one an understanding of what is driving people’s behaviour from a cultural perspective. This is important because, as discussed with Gert Jan Hofstede in Episode 06 of the Re-thinking the Human Factor Podcast, culture forms everybody - there’s no escape from it.

FURTHER STUDY AND RESEARCH

MORE ABOUT RACHEL LAWES:

Website [1]

Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.

Thanks for listening and sharing.

Bruce & The Re-thinking the Human Factor Podcast Team

Behavioural Change in Cyber Security, with Dan Ariely

27 februari 2018 | 61 min

Understanding behavioural change is a crucial aspect of better understanding the human factor. If we hope to influence behaviour then we need to better understand human behaviours, decision-making and motivations. The leading expert in this today is Dan Ariely and we are thrilled to have him as a guest on the podcast. Behavioural change is a large part of the work we have to do when it comes to improving security outcomes, and the work by leading thinkers such as Dan is really helping to pave the way.

Dan Ariely was recently voted as the second most influential psychologist in the world. He is a professor of psychology and behavioural economics at Duke University and a founding member of the Center for Advanced Hindsight. He is the author of the bestsellers Predictably Irrational, The Upside of Irrationality, and The Honest Truth About Dishonesty - as well as the TED Book Payoff: The Hidden Logic that Shapes Our Motivations. Through his research and his (often amusing and unorthodox) experiments, he questions the forces that influence human behavior and the irrational ways in which we often all behave.

Behavioural Change in CyberSecurity

In this episode, Dan Ariely joins Bruce Hallas to discuss behavioural economics and its role in better organising operating environments and how we can use this in the cybersecurity industry. Dan’s speciality is in the study of behavioural economics with a focus on communicating his findings in a language anyone can understand so this makes him an ideal guest for the podcast.

‘[His] immersive introduction to irrationality took place many years ago while [he] was overcoming injuries sustained in an explosion. The range of treatments in the burn department, and particularly the daily “bath” made [him] face a variety of irrational behaviours that were immensely painful and persistent. Upon leaving the hospital, [he] wanted to understand how to better deliver painful and unavoidable treatments to patients, so [he] began conducting research in this area.

[He] became engrossed with the idea that we repeatedly and predictably make the wrong decisions in many aspects of our lives and that research could help change some of these patterns.’ [1]

“You have to understand that part of your job as a security expert is not just to create security but to create appreciation. Because if you create security with no appreciation, you’re not going to get people to value it and want to participate in it.”

Join Dan Ariely and Bruce Hallas as they discuss:

What behavioural economics is (10:50)
Preferences, how we form them, and the effect our preferences have on our behaviour. (19:01)
Untapped demand, or the idea that there’s a big difference between people’s preferences and what they end up doing, and the fact that those differences have a lot to do with friction (the easiest decision will often be the one that is chosen) (23:04)
The role of behavioural economics in better designing the operating environment within which employees are trained and work within in order to maximize the potential for positive cyber security behaviours (24:56)
The concept of “endowment”, or the idea that people who have contributed to something feel a greater sense of value about that something as well, and the “Ikea effect”, which simply understood is that labour leads to love (29:39)
Value cues, and the need for cybersecurity policy creators to communicate the value of following their policies to their audience (33:59)
Another big challenge in the cybersecurity industry - the fact that security failures happen infrequently, and what that teaches people about how they need to behave (41:36)
Effective and ineffective methods for motivating positive cyber security behaviours from employees (44:30)
The effect of overconfidence in our own knowledge and ability on our behaviours (49:17)

“One of the biggest challenges is to get people to admit we are fallible.”

How to connect with your audience and improve engagement

15 februari 2018 | 45 min

EPISODE 08 SUMMARY - BEN AFIA

————————————————

On this episode of Re-thinking the Human Factor, Ben Afia joins Bruce Hallas in a discussion around “Tone of voice”. Tone of voice deals with the brand and personality of an organization coming through in language, in words, and this personality stems from values, both personal as well as those of a broader organizational culture. Ben is a consultant, writer and speaker on brand strategy, language and change.

“We’re talking about how we influence behaviour, especially within organizations with people who can choose to be influenced or not…I don’t think you actually need to be that heavy-handed to achieve the right outcome of protecting an organization.”

Join Ben Afia and Bruce Hallas as they discuss:

The importance of getting the tone of voice right in relation to the creation and implementation of effective policies within an organization
How tone of voice can bring to life an organization’s brand (or hurt their brand)
Paradoxically, though tone of voice is largely about one’s brand and organizational personality, it’s also important to understand one’s audience when building and applying tone-of-voice guidelines, because it’s also about them, and it’s about understanding what your audience will be able to actually hear
Heavy-handed vs. lighter, more engaging, more human communication methods
The importance of having a well-defined brand and well-defined values when coming up with tone-of-voice guidelines
The need to get broad stakeholder engagement, not from the very top of the organization, but also all the way down if the goal is organization-wide change

“I think that your tone of voice and your values then have to flex depending on the local circumstance.”

QUESTIONS FOR FURTHER STUDY AND RESEARCH

What is your tone of voice?
Does it really reflect your brand?
How well do people engage with that?
Do your communications have any element of tone of voice or are you just getting your team to write without any direction regarding how you want to appear, to be perceived by your audience when they receive your message?

MORE ABOUT BEN AFIA:

Website

Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.

Thanks for listening and sharing.

Bruce & The Re-thinking the Human Factor Podcast Team

A CISO's Perspective on the Human Factor, with Geordie Stewart

22 december 2017 | 66 min

EPISODE 07 SUMMARY - GEORDIE STEWART

————————————————

We’re taking a different approach to our chat in Episode 07 of the Re-thinking the Human Factor podcast. For this episode, we asked one of our listeners to come on the show and share with us the key lessons they’ve learned from the first three episodes of our show:

Geordie Stewart joins Bruce Hallas in a discussion we hope will help you synthesize the vast amount of information covered in those episodes. Geordie is a CISO who has worked at organisations like of John Lewis, TUI UK & Europe and has most recently taken up residence at the UK’s largest Building Society, the Nationwide. As well as his day job he is an international speaker and keen innovator in the area of technology risk communication. His award winning masters thesis at the Royal Holloway Information Security Group examined information security awareness from a fresh perspective as a marketing and communications challenge. [1]

“And in a busy environment with lots of competing messages…, the challenge is, how do we make sure messages of value land in a way that somebody can use and benefit from?…because we are competing with HR, finance, and these other sources of information and guidance within companies.”

Join Geordie and Bruce as they give you the hash on:

The necessity of understanding your audience and empathizing with them if you hope to effectively raise awareness, influence behaviour, and foster a culture amongst that audience
How a lack of feedback loops and accurate metrics has effected the speed at which the security industry has evolved in their communication and training strategies
The concept of the captive audience, and how having an audience built into the organizations that security professionals serve has stifled motivation to innovate and improve upon security awareness, behaviour, and culture communication and training

The role that brand plays in terms of how it influences the level of engagement you’ll get from people and whether or not people will comply with organizational policies and procedures

RESOURCES AND TOPICS FOR FURTHER STUDY

MORE ABOUT GEORDIE STEWART:

Website [1]

Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.

Thanks for listening and sharing.

Bruce & The Re-thinking the Human Factor Podcast Team

Culture and Security, with Gert Jan Hofstede

29 november 2017 | 76 min

The relationship between culture and security is an important one and one that is discussed a lot. Unfortunately, many people miss the point somewhat when exploring culture and security. The obvious place to start is the security culture within an organisation, but let’s not dismiss organisational culture too quickly. Better still, let’s also take a look at industry culture and national culture. So you see, when we start looking at culture and security, there’s more to it than we might initially assume. So we thought this would make an excellent podcast episode.

Today, Bruce is joined by Gert Jan Hofstede. Gert Jan is a population biologist and social scientist hailing from the Netherlands whose research and publications have provided many with deeper understanding in the areas of cultural evolution, societal change, cultural stability, and how those forces interact with and have influence upon one another. He is also known for his work in social simulation as well as for a number of books he has co-written with his father, Geert Hofstede. In this episode, Bruce and Gert Jan discuss a wide variety of organization and culture-related topics that have important implications for the Cyber Security industry.

“It is as if you were a fish and they asked you to describe the air… If you’ve always lived in one place in the world, then it’s very hard for you to see that behaviors from another place that seem strange, illegal, ridiculous… that those behaviors can make sense, but within a larger [cultural] system.”

Join Bruce and Gert Jan in this episode of Re-thinking the Human Factor as they explore:

How awareness of cultural differences (or lack thereof) can be an opportunity for greater collaboration between groups, or greater friction, and how this awareness contributes to one’s ability to understand and effectively communicate cross-culturally
The need for organizations to achieve a sense of mutual cultural understanding as the starting place for implementing organizational change rather than striving to achieve cultural homogenization as the means for implementing that change
Different perceptions of what cultural differences mean to an organization (barrier to progress, a catalyst for a breakthrough, etc.), and the importance of realizing that these differences do exist so that one can begin to try and understand them as a means of navigating the challenges and growth potential afforded by these differences
The importance that “cultural ambassadors” within an organization be, first and foremost, acceptable to the cultural audience whom they seek to address
4 helpful cultural metaphors to help with navigating cross-cultural organizational communication:
- The Family (Asia and Africa)
- The Machine (Germanic/Northern Italy type of region)
- The Market (Anglo-Saxon, the UK and North America)
- The Pyramid (the Mediterranean and Slavic countries)

MORE ABOUT GERT JAN HOFSTEDE, HIS BOOKS, AND HIS RESEARCH:

Associate Professor at the Information Technology Group at Wageningen University & Research // Population biologist and social scientist in information management and social simulation // Interested in the interplay of the contrasting forces of cultural evolution, societal change and cultural stability.

Gertjanhofstede.com

Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.

Thanks for listening and sharing.

Bruce & The Re-thinking the Human Factor Podcast Team

How advancements in technology have impacted people's behaviour

2 oktober 2017 | 75 min

Understanding the impact of technology on behaviour is one of the biggest questions we must ask ourselves today. Technology is advancing so quickly and we are seeing human behaviour adapt very rapidly. A glance on a train platform during peak hour will hint at people's obsession with their smartphone. Or, just watch a two-year-old use an iPad with ease if you have any doubts.

So it seems right to explore this in more detail as cybersecurity professionals need to get their heads around the effect of technology on behaviour and what that means in terms of developing sound and effective information security strategies.

A conversation with Ciaran McMahon, Director at Institute of Cyber Security

In this episode, Bruce explores this with Ciaran McMahaon, Director at the Institute of Cyber Security and they discuss how advances in technology have impacted people's behaviour.

Award-winning academic psychologist Ciaran McMahon joins Bruce Hallas in episode 5 of Re-thinking the Human Factor. Hailing from the Republic of Ireland, Ciaran comes from a psychology background and has extensively studied how advancements in technology, throughout human history to the present day, have affected societal behaviours. He shares our belief that understanding the human side of things is necessary to effectively influence information security behaviours within an organisation, and he is eager to bring his psychological insights to the problems we face in cybersecurity awareness, behaviour, and culture.

“It’s unlikely that we can use all of this technology and not be changed in some way…”

The effect of technology on behaviour

Join Bruce and Ciaran in this episode as they explore:

The impact on people’s behaviour of changes in technology and what that means for designing security environments and choices in cyber security awareness and policy implementation
How people justify their behaviour and choices not to comply with security best practise including deterrence, punishment vs reward, neutralization, the defence of necessity, and others.
People’s innate understanding of right and wrong and the issue of justice and fairness in relation to security behaviours.

SUBJECTS AND RESOURCES MENTIONED:

FOR FURTHER RESEARCH:

Choice Architecture
Defence of Necessity

MORE ABOUT CIARAN:

Website

Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.

Thanks for listening and sharing.

Bruce & The Re-thinking the Human Factor Podcast Team

Why behavioural economics is relevant to education and awareness programs, with Robert Madelin

31 augusti 2017 | 54 min

Creating effective education and awareness programs is a fundamental aspect of an effective security strategy. In this episode, we talk about the importance of integrating behavioural economics and psychology into the creation of effective education and awareness programs, and the strategy behind them.

A conversation with Robert Madelin, former Director General of Health and Consumer Policy at the European Commission

Robert Madelin brings a distinguished career and experience to the conversation in Episode 4 of Re-Thinking the Human Factor. Robert has been focused throughout his career on policy generation, awareness and education, and as part of that, designing policy so the odds are stacked in favour of those who comply with that policy.

Why behavioural economics and psychology is relevant to education and awareness programs

Join Bruce and Robert in this episode as they each draw from a well of extensive experience to converse around:

Fast and slow thinking and how each influences how we behave in society
The importance of integrating behavioural economics and psychology and choice-architecture when it comes to the design of EFFECTIVE education and awareness strategies and programs
The “uncomfortable truth” that people do not respond rationally when given data and how recognizing that truth is key to guiding policy creation and choice architecture efforts
How cultural differences in the cybersecurity space have more to do with digital literacy, age, principles and values rather than one’s passport, or “passport culture”, as Robert refers to it
The role of culture or the context within people live their lives, and how that may have an effect upon:
- the policy itself
- how you raise awareness within institutions or even nation-states, as in Robert’s experience

The importance of international cooperation in efforts to raise awareness and influence behaviour

"It's the human factor that makes us vulnerable."

RESOURCES AND SUBJECTS MENTIONED:

FOR FURTHER RESEARCH:

Daniel Kahneman
- Thinking, Fast and Slow (by Daniel Kahneman)
Behavioural Economics and Psychology
Choice Architecture

ABOUT ROBERT MADELIN

Chairman, Fipra International // Director General for Communications Networks, Content and Technology (CONNECT) // Director-General for Health and Consumer Policy (SANCO) // A negotiator in international trade and investment, first for the UK, and then for the EU // Served in the Cabinet of European Commission Vice-President Leon Brittan.

CONNECT WITH ROBERT:

LinkedIn

Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.

Thanks for listening.

Bruce & The Re-thinking the Human Factor Podcast Team

What it takes to craft a message with impact across different cultures, able to effect real behavioural change.

31 juli 2017 | 57 min

EPISODE 03 SUMMARY - JOHN POLLACK

Author // Consultant // Speechwriter // Journalist // Reporter

————————————————

What is needed within cyber security industry communications to generate the kind of awareness and training materials that enable governments, businesses, and the general public to protect themselves against cyber security threats? We want people to hear our message and act in accordance with responsible security behaviours, but what changes do we as an industry need to make in order to accomplish this goal? Join Bruce and John as they converse around these questions and unpack topics such as:

John was a strolling violinist at a restaurant where the head chef taught him that people eat twice, once with their eyes and once with their stomach, and that good communication relies on a combination of a sensory stimuli.
Building a relationship with an audience, fostering trust, requires communicators to listen as much, if not more, than communicate.
Communication needs to come from a place of empathy and this is often missing.

The importance of authenticity and credibility in developing and delivering effective communication that supports change in behaviour.

"Washington is where good words go to die" comment illustrating the impact of internal corporate communication guidelines on the effectiveness of communications designed to raise awareness and influence behaviour.

“…We ought keep our eye out for ways to capture people’s attention because capturing people’s attention, and holding it, is the essence of communication…”

PROJECTS AND RESOURCES MENTIONED:

The Analogies Project
Shortcut (by John Pollack)

CONNECT WITH JOHN:

Website

Thank you for listening! Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.

Thanks for listening.

Bruce & The Re-thinking the Human Factor Podcast Team

How to elicit positive behavioural change by engaging creatively and emotionally

29 juni 2017 | 62 min

How Heather and Chase are eliciting positive behaviour change in kids and their parents by engaging with them creatively and emotionally

EPISODE 02 SUMMARY - HEATHER DAHL AND CHASE CUNNINGHAM

————————————————

We talk with Heather Dahl and Chase Cunningham, co-founders of The Cynja, a comic series created with the aim of “[engaging] children… To teach them how to make smart choices [when they encounter the internet], practice online security, and enable privacy protection as they practice cyber security in their digital lives.” Heather and Chase bring a variety of work experience to the area of cyber security awareness and education and seek to bring a fresh, entertaining perspective to an otherwise drab communications M.O.

“…Sometimes in our families, it’s our kids that are educating the adults on the world that’s out there, and we can’t underestimate the role of comics in this sense for kids in educating all of those that are around them that may not be as digitally savvy as they are.”

In this episode, Bruce, Heather, and Chase discuss how creativity, emotion, and excitement are necessary ingredients in cyber security awareness/education materials, especially if the aim of those materials is to elicit engagement and behaviour change from an audience. In the same vein, they also discuss the power that lies within communication efforts that take into consideration the way a certain group of people speaks and engages with their world.

“And if you look to the world of marketing for example and how organizations market their products and services, and what’s the brand, there IS some of that excitement…If you want to sell a product, you connect with people on an emotional level.”

PROJECTS AND RESOURCES MENTIONED:

The Cynja - https://www.cynja.com/
The Analogies Project - https://theanalogiesproject.org/

CONNECT WITH Heather and Chase:

Twitter - https://twitter.com/TheCynja
Facebook -https://www.facebook.com/thecynja
Pinterest - https://www.pinterest.com/thecynja/

Thank you for listening! Please subscribe to the podcast in iTunes, and if you enjoyed this interview, please share with your friends and colleagues and leave a 5 star rating and review.

Thanks for listening.

Bruce & The Re-thinking the Human Factor Podcast Team

Security Communication Strategy; How to improve policy messaging and implementation

31 maj 2017 | 57 min

How we can improve policy messaging and implementation

EPISODE 01 SUMMARY - GREGORY MICHAELIDIS

————————————————

Gregory (Greg) Michaelidis spent 7 years working for the Obama Administration within the Department of Homeland Security, first as the Head Speech Writer for the Secretary of Homeland Security, and then in the Homeland Security directorate that handles cyber security and infrastructure protection. His experience ranges from defining and creating policy to establishing buy-in for policy through good messaging, and he’s bringing that experience into the arena of cyber security awareness. During his tenure in the Obama Administration, Greg noticed a frustrating pattern in government policy making —

“Much of the energy in security policy would go into policy formulation and interagency tussle over who would implement the policy, but once that was all figured out, the policy given less attention, especially in regards to the manner in which messaging around a certain policy was delivered to people who would ideally hear it and get on board.”

In this episode, Bruce and Greg discuss issues around cyber security awareness, how to improve messaging around issues of cyber security, and perhaps even more importantly, what needs to be done to ensure that awareness is turning into positive security behaviors.

“So when we have more of those people who aren’t from the traditional computer science or engineering backgrounds who are contributing to the conversation, I think it will be a sign of health, that we are getting beyond what is now…a heavily industry or fee-for-service/fee-for-product driven model that is in need of a real shake-up.”

PROJECTS, POLICIES, AND RESOURCES MENTIONED:

The Analogies Project https://theanalogiesproject.org/ -

The Ready Campaign https://www.ready.gov/ - preparedness for natural disasters

If You See Something, Say Something (still in effect) https://www.dhs.gov/see-something-say-something - situational awareness to teach people to report to law enforcement when they see something that seems amiss or out of place (still in effect)

Stop.Think.Connect https://www.stopthinkconnect.org/ - cyber security awareness program (still in effect)

UK “Prevent” Programs https://www.gov.uk/government/publications/2010-to-2015-government-policy

Re-thinking The Human Factor with Bruce Hallas

Welcome to the Re-Thinking the Human Factor podcast.

Om podden

Avsnitt

Lessons from the world of coffee!

Key performance metrics

The security function's culture.

An appointment with the Doctor to discuss culture, behaviour and decision making.

Insights from advertising for security awareness professionals.

A Human Resource view on Information Security Awareness and Education

Embracing Diverse Skills When Building an Effective Education and Awareness Team.

The Science Behind Metrics

Insights from Educational Psychology for Information Security Professionals

Understand the forces at play.

The human factor. A view from Brazil.

Versace, Burberry and Lacoste. Thoughts from branding.

An internal communications perspective.

The human factor in the middle of a major security breach.

CyberSecurity ABC's

An ex-regulators view on awareness, behaviour and culture.

What does it mean to have a people-centric approach to cybersecurity? And, why you should have one?)

Content is king or so they say! Discover some caveats around the saying as we explore the role of a security influencer.

What role training materials must play in building security aware-rich organisations?

What does it take for security teams to win in the cybersecurity fight?

How technology can be a CISO's best friend in changing behaviour.

Re-thinking the Human Factor: Cyber Security Mini Series

A conversation with award-winning CISO, Andrew Rose

Know your cyber security risks, with Prudence Smith

Marketing Strategy Applied To Cyber Security with TERRY O’REILLY.

Why we need to re-think the human factor in security, with Bruce Hallas

Taking risks to reduce risk, with Eric Ravello

Simplifying Cyber Security, with Neil Frost

The Accidental Security Specialist, with David Shipley

Designing Learning Experiences That Stick, with Megan Sumeracki

Storytelling For Better Cybersecurity, with Sarah Moffat

Applying Marginal Gains One Small Step At A Time, with Chris Fleming

What Security Awareness Professionals Can Learn From Marketers and Understanding the Customer Journey, with Kenda MacDonald

Reducing Cyber Risk By Reducing Friction, with Jason Hoenich

Effective Leadership and Successful Organisational Change, with John P. Kotter

What children's books can teach us about changing behaviour, with Todd Courtney

How to develop a security culture, interview with Gert Jan Hofstede

Eliciting Intrinsic Motivation and Reframing Problems, with Rachel Lawes

Episodes Review with Nathan Mielke, Director of Information Technology & Cyber Security Manager

Using Humour to Raise Cyber Awareness, with Bennett Arron

Awareness, Behaviour, Legal and Regulatory Requirements, with Jonathan Armstrong

How cultural values can be used in cybersecurity attacks, with Dr Char Sample

Episodes Review with Craig Thomson, Security Education & Awareness Manager

The Human Brain vs. Awareness, Behaviour, and Culture

Evidence-Based Methodology For Improving Learning & Development

Decision-making and behavioural change

Episodes Review with Louise Cockburn, Information Security Awareness and Culture Manager at Quilter

Creating Behavioural Change That Becomes A Part Of The Culture

Episodes Review with Ed Tucker, European CISO of the Year

How semiotics can help us engage more effectively

Behavioural Change in Cyber Security, with Dan Ariely

How to connect with your audience and improve engagement

A CISO's Perspective on the Human Factor, with Geordie Stewart

Culture and Security, with Gert Jan Hofstede

How advancements in technology have impacted people's behaviour

Why behavioural economics is relevant to education and awareness programs, with Robert Madelin

What it takes to craft a message with impact across different cultures, able to effect real behavioural change.

How to elicit positive behavioural change by engaging creatively and emotionally

Security Communication Strategy; How to improve policy messaging and implementation