Hi, folks. This is the Cyberways podcast, and we

translate our academic knowledge about information security into stuff that you

can use as a security professional. We think it's a unique mission. We think you'll

like it. I'm Tom Stafford. Craig Van Slyke. Tom and I are your hosts on

your journey to knowledge. Cyberways is brought to you by the Louisiana

Tech College of Business's Center For Information Assurance. The center offers

undergraduate and graduate certificate programs in cybersecurity and

sponsors academic research focused on behavioral aspects of

cybersecurity and information privacy. Hello,

everybody, and welcome back in to cyber ways. This is a

production of the Louisiana Tech Center For Information Assurance in the College of

Business. It's a DHS NSA certified center of academic excellence in

cybersecurity, and we consider one of our jobs is to connect

you with the people that know what's happening in security research so you can

take advantage of the very best findings in the most timely manner.

Our our special guest today is doctor Mikko Sipinan. He is professor of

business, cyber security, and management at the University of Alabama's

Culverhouse College of Business. He holds advanced degrees,

several advanced degrees, in software engineering, information

systems, and my favorite of his group of degrees, philosophy.

He's a leading scholar in information systems, one of the thought leaders in our

behavioral information assurance workshop group. He

ranks amongst the top 30 worldwide for publication,

taking 2. He ranks among the top 40

worldwide based on his publications in premier journals.

Professor Siponen is the only Finnish IS professor who's been invited to join the

Finnish Academy of Science in Letters, and his expertise spans

cybersecurity management, IS development, and philosophical aspects of

information systems. He has extensive experience as a visiting professor, a

consultant, and a research leader internationally with his particular

focus on cybersecurity management. Mikko, welcome to our podcast.

Thank you. It's great to be here, and nice to discuss about sanctions and

how they work, and what kind of things you should avoid

if you are planning to use sanctions in your firm. So

what has had my attention for a number of years in the, the workshop group

that we all attend is, the role of sanctions and how they have

an effect on better cyber security. And, so

I I guess the question at the top of this, do sanctions work? How do

they work? Sanctions can work,

but if you don't use them carefully, they can also be worse than useless.

So that's why you have to be very careful when you're

using sanctions. And today, I will discuss

what we know and, you know, what kind of things you should avoid and so

on. So you you need to make sure that you understand what makes

sanctions effective and what to avoid. And,

luckily, many of of these questions about the effectiveness

of sanctions have already been answered in the in the scientific literature.

Actually, in cybersecurity management, sanctions have been studied over 30

years, especially in information systems, IS side of

cybersecurity security literature. Talk to us about the factors that

determine whether sanctions are effective or not. Yeah. There are

quite many. The most studied aspects are

what people call certainty of sanctions and the severity of

sanctions. So let's start with these 2 first. So the

certainty of sanctions means, basically, likelihood of getting

caught. So it means the likelihood that active

your activities will be detected and identified for the purpose of

sanction. And I will keep very soon, I will give you examples. Okay. The

other well known well studied aspect of sanction

is is the severity of punishment. It basically means

that if you get caught or somebody get caught, you

know, how harsh or big is the

penalty. And in the literature, these are

often presented in a way that the higher is the certainty

and severity, the less risky cyber

cybersecurity behavior will follow. And, of course,

on these two dimensions, there are few many which

I'll, explain later. People are talking about likelihood

of getting caught and and the severity of punishment. These

are refers to people or, in this case, users'

perception. For example, they they perception of

the likelihood of detection and and severity of punishment. So let's

illustrate this this with a very simple example first,

which is familiar to everybody, namely driving over the speed limit.

What the certainty of detection means, it means that

if you believe that there is a police radar, you know, when you drive,

on a highway, you are more likely to drive within the speed limit.

So more radar, more the more likelihood you believe there's a police radar,

the less you are likely you are driving over the speed limit. That's the

likelihood of getting caught, also known as certainty of

detection. The other thing is severity of the punishment.

It basically mean in the in the driving over the speed limit

example, that the higher is the the ticket fine, the less likely

you are you are expected drive within the speed limit. And now, I

mean, in that kind of cases, applying

sanction is quite easy and straightforward. But if

you apply these elements to

cybersecurity cases, it's a little bit

challenging. So let's take a phishing as an example. And let's illustrate

one idea only. The third time you have detect detection,

also known as the likelihood of getting caught. So if you're

a cybersecurity manager and, you know, you apply this principle,

You should ensure that the employees believe that if they click a phishing link or

share their password, the company will monitor such in

incidents and impose sanctions on them. So what is the problem

here? Well, the situation in in cybersecurity

and, of course, this depends case by case, but in the phishing

example, it's actually very different from the speeding example. Because in

the speeding example, people usually have

they know their car speed. Right? The only

contribution might be what is the actual speed limit on the road,

and then do their navigators often provide that information.

But if you think about the phishing victimization case, none of

this is true. Employees often lack the necessary

knowledge to separate phishing message from real one. And, you

know, if you impose sanctions in that case, the sanctions may backfire because

employees really believe how I should, you know, know these things.

That's why applying sanctions in cybersecurity cases is tricky.

And there are many other concerns. One is sanctions

experience. If you believe the original theory

developed in seventies by guy named Gibbs so he was

basically saying that you can use sanctions. The

sanctions require sanctions experience.

And there are 2 kind of sanction experience if you follow

the original idea. There are general and there are specific.

The specific means that employees have received

sanctions themselves. So they have own experience

of receiving sanctions. That's called specific experience.

The other experience is general experience. General

experience means that you have not received sanctions

yourself, but you have seen other received received sanctions. For example, you

may have never received a ticket for driving over the speed limit, but you

know it's actually happening. People are getting caught and people get

ticket. Okay. So so all of these conditions, if

you can think about the driving over the speed limit example, I

easily met. Be because people have either seen

that, you know, this actually happened. You know? People are driving over the speed limit.

They get caught, and they get a ticket, or they have their own

experience of that. Or, well, in many cases, both. But in

cybersecurity cases, that may not be the case.

For example, think about password reuse,

meaning you are using the same password in different accounts. Have anybody

ever received sanctions for password reuse when hardly anyone has

personal experience of receiving sanctions in, you know, many

cases like my example of password reuse,

then there's no really interference experience.

If we read the theory and we believe the theory, sanctions

would not work in that kind of cases. Because without this

this experience that you have own experience of receiving sanctions,

or you have seen that other people receive sanctions, the

sanctions should not work if we believe the theory.

There's a difference between sanctions, which somebody else is

imposing on you, and risk. So,

like, I I I've never heard of anybody being, you know, receiving a sanction

for reusing the password, but I've heard of people that got

hacked from reusing a password. So that that's a very different

thing. Right? Yeah. It's a different thing. And and and well, if

okay. If you believe the theory, here it means that

that you need to have sanction experience. Sanction experience does not mean that

somebody hacked, but somebody hacked and then

because of the hacking, the firm punished somebody.

Of course, the sanctions might be formal or might be informal. Informal

means that, you know, you get the warning or something. So that

basically the sanctions experience means. Okay? And if

you believe the theory, it means that you have seen that

employees in the firm has received sanctions

by the firm by not following cybersecurity

policies, or they have own experience, or they have seen that, you know, somebody

else actually received sanctions. And, again, the

theory is saying, if that not the case, sanctions should not work.

Now I'm saying, the theory is actually wrong

here. Because if if you look the evidence, as I

said, we have been studying sanctions 30 years.

And if you look to scientific evidence, it points out that

sanctions do have some effect in cybersecurity

cases, even there would be no sanction experience.

So my conclusion here is that sanctions could be more

effective if you have a sanction experience,

meaning you have received sanctions or you have seen people have received

sanctions by the firm for violating cybersecurity policies.

But if if firms are actually giving sanctions,

that's tricky as you know, when you

impose sanctions, you actually start to punish people or give warnings, the

sanctions may backfire. People don't like sanctions and so

on, and they may turn against you.

That's an interesting stream in the literature that I've noticed. The the articles you and

your your coauthors have been writing is the the possibility

resentment arising from the organization enforcing its

security mandate. I want to go back to the, the

the driving too fast in traffic example, because I'm going to be traveling up through

your part of the woods in a couple of weeks. Straight past Tuscaloosa, I

generally travel about 10 miles over the speed limit with a radar detector.

The thing in my mind is I always slow down if everybody else slows down,

and I always slow down if I see blue lights flashing, meaning somebody's been caught

in a speed trap. That leads me to ask the employees knowing

about, the punishable acts, knowing about what might get sanctioned,

that's an aspect of this too, isn't it? Their awareness of a of a security

protocol that might be applied against them? Yeah. So the

employees' knowledge should have a big role here, and especially if

you read the theory. So the original theory assumes that that

that users know already what is illegal

or, in in our case, cybersecurity policies and what

is allowed and not allowed by the cybersecurity policies. But

often the users may not know the policies. We have

run number of studies on on these things, and, you know, most

employees do not remember the details in cybersecurity policies. So

that's, of course, challenge. And there's also another issue, other

another knowledge issue related to how to do the right thing in

terms of cybersecurity because cybersecurity

policies may instruct let's take a pass password example

again. Okay? Cybersecurity policies may say, hey. Use

long random unique password for each account. But

then, you know, policy does not actually tell you how to do it, how how

you manage this, you know, how you remap accountless long unique passwords. And

they may not be training on this. Of course, this

issue is not specific to use of sanctions, but that kind of challenge is

there is in terms of employees' knowledge that they don't know the cybersecurity

policies. And even they know, they don't necessarily

know how to do the right thing because the company doesn't give them enough

information. Training is not adequate and so on. Of course, as I mentioned, this

issue is not specific to, return steering. Maybe we can explore that a

little bit more. As you were talking about that, I

started thinking about if if you're driving along the highway and you don't notice

that the speed limit changes, you don't necessarily

react to seeing that officer on the side of the road because you think you're

going the speed limit. Well, then if you get a ticket

and it turns out the speed limit sign was behind the branch of a

tree, you're gonna experience a lot of resentment. And

I think maybe or let me ask, do you think that the same sort of

thing is in play with cybersecurity? So we've got these

policies, either we haven't received training on them or the

policies are really complicated. We violate the policies,

get caught, get punished. It seems like that would lead to

resentment, wouldn't it? Yeah. I mean, big

thing here is that a very different thing if you don't

know the the rules. And and as I mentioned,

for many firms, you just give the policies. There's some generic

training. It means that people may not really

understand, you know, why they have to follow these policies. And sometimes the policies are

not actually good ones. You know? They are. There might be conflict between what the

cybersecurity policies are saying and what the firms want you to

do. For common example is that security guys are saying don't

click any, links. And then, you know, administration is

actually saying, just do this training and click a link. So, you know, that's a

con Look at this document to see what I'm writing you about. They do that

all the time where we were. Yeah. So there's basic con conflict that, you

know, cybersecurity policy is in the conflict, but you should do in the

work. And that's actually past cybersecurity management, not about the the

return as theory as such. Whether using sanctions or not,

it's important that the policies make sense, employees understand the

cybersecurity policies. And they also know how to cope, as

I mentioned. You know? If you start to say, hey. For every account,

you have 30 account. Every account use unique long

password, but you don't tell how to actually manage this, then, you know, you are

not really helping employees. And then don't and then don't use a password manager because

that that's, risks. I know yeah. Well, and I

I don't know about where you are, but we have annual training.

Yeah. And it's, what, Tom, 4 hours, 5

hours of just all kinds of training. It's a chunk of time. Yeah.

And the security training is buried in the middle of that,

and you're kind of tuned out. You know, all you wanna do is get through

the training. That's why I wonder if that's a reason that people

react poorly when they are sanctioned because they feel like

the training isn't very effective. It goes back to your awareness.

So what what about, can I can I can I quickly comment that? Sure.

Sure. So this is a almost like universal

problem. So not specific to, sanctions, of

course. It also have implications for sanctions because if you don't know the policies, you

don't know how to how how to react. But often, you know

and and the people who are listening to this, if if they are cybersecurity managers,

you know, or you are responsible for the cybersecurity, you should ask,

have you ever asked from the provider who is actually giving you the

training how effective the training is? Mhmm. So for example, if you take a vaccine,

you, you know, you ask, like, how effective? Is is this giving me 80% of

protection or 70% of protection and so on? You know, if you have a

cybersecurity training, you should ask the provider, give me

test results. How effective the training is?

Right. So, you know, is it actually no. If if I have an let's say,

anti phishing training, how effective this training

is against the you know, how how much is lower the

rate of victimization? And most providers, they have never

even tested. You know, while you're selling or buying

products with you don't know how effective they are. And if they aren't effect effective

are you actually wasting employees' time? Do you think that's just checking a

box? Yeah. You know? That that's a lot of because lot of cybersecurity

management, that's that's a really different topic. Lot of cybersecurity management

is people call it best practice, but it basically does that, you know, tick

box compliance that you can say to auditors that, hey. We have we have been

to you know, we have covered this. Right. You don't really you don't really care

or you don't know how to, you know, what is actually quality here. You just

say, hey, we did this. Next item, we did this. Right.

Right. Well, you said something earlier that I wanted to come back

and revisit, which is that employees typically don't know the full

totality of the information security policy of the organization, and

that implies that the, the information security officers need to be able to

communicate not only the restrictions and the prohibitions,

but also the sanctions associated with violating them in a more

in an effective and reasonable way. How can the security managers

get that word out in a way that will take that will be effective with

the other employees? In communicating sanctions, there are

a couple of things. First, you need to understand the firm culture

and the nature of the firm business. So if sanctions are not

self evident and depending on the firm culture and

existing cybersecurity education efforts, you

must explain why the sanctions are necessary if you want to use them

effectively. Also, you should think about putting

yourself in employee shoes. You know, say, hey. How about these sanctions?

Would you accept these sanctions if you would be the employee?

If you want to introduce sanctions, you should pilot test ideas with

you people. Discuss the concept and get feedback on

how they think about this. And, of course, you need management support.

And in any reason and this is really depending on

the country or state or even, you know, the the what kind of,

firm. Is it public firm or is it, like, private firm? But, you know, some

cases, some countries, some states, there might be strong work

union. And if there's a work strong union, they may actually challenge you

unless you are well prepared. A lot of cases in my, consulting

work where, you know, lot of things we introduce and then the work union came

and, you know, are you actually you know, what you are doing for our creative

employees. You have to know your firm culture well, what kind

of culture it is, put you on employees' shoes, pilot test

ideas, get management support, and so

on. So for our listeners who are generally managers responsible

for determining how to, manage security violations, how do

they determine the right level of sanction? In our protection motivation work that we're

all familiar with tends to suggest that if you have too heavy a

hammer, people are gonna shy away out of, perceptual screening,

essentially. The old fear appeals argument, don't scare them too much. How does the

CISA determine the right level of sanctions so they're,

maximally effective? 1st, I think you should under as I mentioned,

you should understand the firm's culture, and that's very

different. And here, actually, I think many

many scientists make a mistake. You know? If you if you let let's assume you

you have very liberal university and philosophy department. That's an extreme example.

Most employees think that sanctions would be absurd unless you you really explain

them carefully, and perhaps you are never able to do that. In contrast, if you

go to military organizations, almost everybody almost know,

hey. There will be sanctions. You know? It's it's a normal thing. In Northern

Europe or France, employees expect more autonomy, so sanctions must be

justified more than other countries. In turn, if you go,

like, US in the Middle East, sanctions are more commonly used. So, you know, you

need to know your firm culture. In cultures where

sanctions are not in firms culture with sanctions are not commonly used, then you really

need to justify the sanctions and especially if there are harder sanctions.

But as I mentioned, this is really depends on the firm's culture, so it's

it's very firm specific issue. But you can also compare the

cybersecurity sanctions with other sanctions. What kind of sanctions

the firm is giving other type of violations?

And, again, same commerce apply. Put yourself into employee shoes.

Pilot testing to idea ideas with few people. And, of course, you need to get

management support, as I mentioned, also.

Sounds like sanctions could backfire if they're not engineered

properly. How how could a a a manager avoid

sanctioning in a way that would have the an unintended effect?

Backfire basically means that you increase sanctions for

improving cybersecurity behavior. Perhaps cybersecurity behavior increases,

but then you have negative effects, kind of side

effects. People don't like sanctions as a result of which

they work work motivation may decrease. They may

start to hate cybersecurity, or they may start to hate

IT or even leave the firm. In in in case of

cybersecurity, one concern is also privacy.

It can depends on the culture and even people, what they think about privacy. Some

for some people, private is very important. For some people, it's not.

The privacy is important in cybersecurity cases because often

when you actively use sanctions, you have to monitor.

Right? And that's may involve violating employees'

privacy. And because of privacy concerns, people may start to

hate cybersecurity, hate to IT because they think that they

are the one and the same thing and so on. And we have studied that.

We have one study where short term, that was field field

experiments in Europe. So short term, the cybersecurity behavior

increased. Longer term, the sanctions were not

effective in cybersecurity behavior, but there was backfire effect

that people didn't trust the company and lot of negative

views regarding the company and so on. So in order to

avoid the backfire effect, you must

understand that the employees get the

importance of cyber stick policies and the reasons behind

regulating some actions by sanctions. This is depending on

the firm's nature. If you are military organization, this is easy. If you are in

a university, very hard, depending on the firm

culture. But the idea is that you if you use sanctions actively,

you need to justify them if they are not already self evident for employees. And

many organizations, they are not self evident for employees. And, you know, they

need to understand why the activities sanctioned

by sanctions are important to to cover and and so on. If they don't

understand that, if they're not accurate that they think that it's a you know, you

are just violating their privacy or you are just, making their work

more harder, then you most likely will get get the

backfire effect. I'm hearing a pretty

consistent subtext of fairness. So a lot of the things

that you're mentioning that can cause the sanctions to backfire would

be when the employees don't feel like it's fair. Yeah. You know, you're

violating my privacy. You know,

I didn't understand. You didn't communicate. They're too harsh.

But but I wonder if unevenness and

sanctions is a problem. I know at universities and and a

lot of other organizations, different departments or different functional

areas have different subcultures.

And so if you're talking to somebody in another department,

then, you know, I they get to leave early on Fridays, and, you know, nobody

cares when you come in. And your boss says, you better be in at

your desk at 8, and you better not be out that door before 5.

That seems like it could cause a lot of problems. Is that an issue with

the security sanctions as well? Well, that's an excellent question. I I

don't think that nobody knows the answer to that. Alright. Future

research. Yeah. Okay. So I think what I'm taking

from this is if, if the security

provisions they're required to follow aren't common sense, if they don't already know

it, It needs to be carefully explained in a in an explicit

manner by the manager Absolutely. In order to justify its application. So

it's almost as though explaining the the security policy

achieves a lot of what has to happen. It's that 1%,

those with a certain sense of psychopathy who are gonna break the rules anyway that

need to understand they're gonna get punished if they don't comply. You know,

if you think about the employees' compliance with cybersecurity policies,

lot of cases where almost every organization should do

better, and that's not necessary sanctions. Specific issue is that,

you know, you should make effort that the employees understand the policies and

why, you know, the policies are like they are. I don't know

that there's research into this in in the context of cybersecurity,

but I think there's there are some psychologists that

would say that the sanctions actually might

have a an increasing effect on violations

by those who are suffer from psychopathy, because that's

part of the thrill. You know, if you don't get caught, there's not

a chance of getting caught, then you don't get that thrill out of it. And

so I I just wonder, that might be an interesting avenue of

research as well. But I don't think I've read anything in

cybersecurity that's talked about that. No. I don't my

understanding is that nobody has studied this in in the cybersecurity context.

So I have I cannot really I

think the closest we get to that are the the very interesting findings in in

in Mikko's prior work, particularly about people wanting to

I don't wanna say get even with the boss for the boss being stringent, but

the the the whole ledger keeping, scale

balancing part of, deciding to act out just because you think

they're being too stringent. Yeah. That

might be. But What do you have coming in the

pipeline? What new ideas will are you working on to get into the literature

on on how to manage cybersecurity?

You mean sanctions or cybersecurity in general? Just

interested in what you're working on and how our reader our listeners might be

keeping their eye out for it if they're interested. Nowadays, I'm

also doing a lot of work on cybercrime, actually.

So I do understand cybercrime,

especially to how cybercrime happens and how to

how we can use communication between the offender and victim to actually

understand and prevent and prevent cybercrime. So that's

that's one thing I'm doing. It's not really on cybersecurity

manage management, of course, it has implications for cybersecurity management.

What what parallels do you see between that work

and and what you've done, around the sanctions within an organization?

Are you seeing any any commonalities across those 2 or too

early to tell? The cybercrime cases that we are

actually looking, These are cases where people

very careful and clever ways, victimized,

people and, you know, now sanctions. Well, if you don't

understand that you are being victimized, so how the sanctions could

really apply effectively. So that kind of case is I don't think the sanctions

help here. It's more about again, you know, we

need tools for ordinary people, and

and employees to to understand actually more cyber

crimes and, you know, what kind of how people may try to

use you in order to, get your money or or or some information

from the firm. So it's more about the risks and how to protect yourself?

Yeah. I think we're also seeing the threat actors becoming

vastly more sophisticated than they used to be. That may be that may be an

AI thing. I don't know. The the people I talk to over here where we

are, because we we have a a classified work workspace over by the air force

base, and they're the opinion that the, the national actors that are

trying to breach their network are using AI to do it, and only AI can

counter that. That's a lot of the phishing attempts I'm seeing

lately are vastly better than they used to be. So it's a risky environment

increasingly so, I think. You can use generic phishing

where, you know, you've sent the same message to, you know, million of

people and hope some of these will will be your victims,

and then you might be more specific or targeted

attacks where you actually find a lot of information

on the target, and then you make your attack and, you know, of

of course, these these targeted cases are much more successful in

phishing or other type of social engineering. So

so, Mikko, as we close out, we typically ask what your 4 or 5

practical recommendations would be for the security managers who'll be listening to this.

What are the things they can add to their list of to dos to keep

the company safe as they, practice the craft?

So first, you need to actually decide

how you're using active or passive use of sanctions. And and now I

realized I don't actually what we have discussed is basically

so far, is active use of sanctions. Active use of sanctions means

that, you know, you you monitor cases and you give sanctions to

employees. But there's also also passive use of sanctions.

So passive use of sanctions, some might prefer to these as a

theory of covering your ass by sanctions. So basic idea is that

you introduce sanctions, mainly to protect yourself or the

firm from the plane. With this passive approach of

using sanctions, you actually only use sanctions when

something bad happens. So you introduce sanctions,

but you actually will use them only if something very bad happens.

I call it back you know, passive use of sanctions. So So something pandemic

you can say, hey. We have sanctions in place. Now we can play in this

guy or whatever. Now if you use active use of

sanctions, that means that they require a justification,

and they may backfire. They use justification because you actively monitor

and keep sanctions. And, especially, to hire other sanctions,

the more most carefully they have to be justified. And if

you don't actively use sanctions, they will lose some of their effectiveness as

a preventive tool. You know, same I idea as in the,

climbing over the speed example if, you know, you are

removing all the police radars, people will increase climbing over the

speed limit. And now the use of sanctions,

especially I mean, active use of sanctions. If employees don't find them

justifiable, they tend to backfire, and you should

already think about that kind of scenarios.

And in this case, if your sanctions do not backfire, you don't justify

these, well, sanctions may become worse than

useless because the, because the side effects, such as

employees dislike in cybersecurity are worse than they prevent

the effect. These are the 4, 5 key points.

This has been Cyberways. It's a production of the Louisiana

Tech College of Business Center For Information Assurance, courtesy

of the Just Business grant from Dean Chris Martin.

This podcast is available wherever you consume podcasts,

and we'd be grateful if you tell your friends about it. And if you find

it useful to you, let us know. Let our guests know.

I'm I'm sure doctor Sipponen is available to talk to you if you

need more advice, because as he says, he does a lot of consulting in this

area. We hope you found this to be interesting, and we hope you

find the, the information to be useful in keeping your company more secure.

Until next time. Thank you. Thank you. Appreciate it.

And it is important to say that the Cyberways podcast is funded through the just

business grant program of Louisiana Tech College of

Business, and, we're grateful for that. So join us next time on

the Cyberways podcast, which is available on all major

podcast platforms. We want you to subscribe or follow or

whatever button your favorite podcast app has. Thank you very

much.