1 00:00:05,359 --> 00:00:09,040 Hi, folks. This is the Cyberways podcast, and we 2 00:00:09,040 --> 00:00:12,799 translate our academic knowledge about information security into stuff that you 3 00:00:12,799 --> 00:00:16,465 can use as a security professional. We think it's a unique mission. We think you'll 4 00:00:16,465 --> 00:00:20,145 like it. I'm Tom Stafford. Craig Van Slyke. Tom and I are your hosts on 5 00:00:20,145 --> 00:00:23,685 your journey to knowledge. Cyberways is brought to you by the Louisiana 6 00:00:23,825 --> 00:00:27,345 Tech College of Business's Center For Information Assurance. The center offers 7 00:00:27,345 --> 00:00:30,910 undergraduate and graduate certificate programs in cybersecurity and 8 00:00:30,910 --> 00:00:34,350 sponsors academic research focused on behavioral aspects of 9 00:00:34,350 --> 00:00:37,950 cybersecurity and information privacy. Hello, 10 00:00:37,950 --> 00:00:41,475 everybody, and welcome back in to Cyberways. This is a 11 00:00:41,475 --> 00:00:45,074 production of the Louisiana Tech Center For Information Assurance in the College of 12 00:00:45,074 --> 00:00:48,914 Business. It's a DHS NSA certified center of academic excellence in 13 00:00:48,914 --> 00:00:52,355 cybersecurity, and we consider one of our jobs is to connect 14 00:00:52,355 --> 00:00:56,114 you with the people that know what's happening in security research so you can 15 00:00:56,114 --> 00:00:59,870 take advantage of the very best findings in the most timely manner. 16 00:01:00,010 --> 00:01:03,770 Our our special guest today is Dr. Mikko Siponen. He is professor of 17 00:01:03,770 --> 00:01:07,310 business, cyber security, and management at the University of Alabama's 18 00:01:07,370 --> 00:01:11,105 Culverhouse College of Business. 
He holds advanced degrees, 19 00:01:11,105 --> 00:01:14,625 several advanced degrees, in software engineering, information 20 00:01:14,625 --> 00:01:17,845 systems, and my favorite of his group of degrees, philosophy. 21 00:01:18,305 --> 00:01:21,905 He's a leading scholar in information systems, one of the thought leaders in our 22 00:01:21,905 --> 00:01:25,750 behavioral information assurance workshop group. He 23 00:01:25,750 --> 00:01:29,130 ranks amongst the top 30 worldwide for publication, 24 00:01:30,790 --> 00:01:34,150 taking 2. He ranks among the top 40 25 00:01:34,150 --> 00:01:36,810 worldwide based on his publications in premier journals. 26 00:01:37,705 --> 00:01:41,384 Professor Siponen is the only Finnish IS professor who's been invited to join the 27 00:01:41,384 --> 00:01:44,685 Finnish Academy of Science and Letters, and his expertise spans 28 00:01:44,985 --> 00:01:48,505 cybersecurity management, IS development, and philosophical aspects of 29 00:01:48,505 --> 00:01:52,265 information systems. He has extensive experience as a visiting professor, a 30 00:01:52,265 --> 00:01:55,979 consultant, and a research leader internationally with his particular 31 00:01:55,979 --> 00:01:59,200 focus on cybersecurity management. Mikko, welcome to our podcast. 32 00:02:00,060 --> 00:02:03,900 Thank you. It's great to be here, and nice to discuss about sanctions and 33 00:02:03,900 --> 00:02:07,454 how they work, and what kind of things you should avoid 34 00:02:07,515 --> 00:02:11,355 if you are planning to use sanctions in your firm. So 35 00:02:11,355 --> 00:02:15,194 what has had my attention for a number of years in the, the workshop group 36 00:02:15,194 --> 00:02:18,955 that we all attend is, the role of sanctions and how they have 37 00:02:18,955 --> 00:02:22,620 an effect on better cyber security. And, so 38 00:02:22,620 --> 00:02:26,220 I I guess the question at the top of this, do sanctions work? How do 39 00:02:26,220 --> 00:02:30,000 they work? 
Sanctions can work, 40 00:02:30,459 --> 00:02:34,239 but if you don't use them carefully, they can also be worse than useless. 41 00:02:35,099 --> 00:02:38,944 So that's why you have to be very careful when you're 42 00:02:38,944 --> 00:02:42,004 using sanctions. And today, I will discuss 43 00:02:42,944 --> 00:02:45,905 what we know and, you know, what kind of things you should avoid and so 44 00:02:45,905 --> 00:02:49,665 on. So you you need to make sure that you understand what makes 45 00:02:49,665 --> 00:02:52,990 sanctions effective and what to avoid. And, 46 00:02:53,930 --> 00:02:57,630 luckily, many of of these questions about the effectiveness 47 00:02:57,850 --> 00:03:01,150 of sanctions have already been answered in the in the scientific literature. 48 00:03:02,170 --> 00:03:05,814 Actually, in cybersecurity management, sanctions have been studied over 30 49 00:03:05,814 --> 00:03:09,575 years, especially in information systems, IS side of 50 00:03:09,575 --> 00:03:13,254 cybersecurity security literature. Talk to us about the factors that 51 00:03:13,254 --> 00:03:16,875 determine whether sanctions are effective or not. Yeah. There are 52 00:03:17,670 --> 00:03:21,129 quite many. The most studied aspects are 53 00:03:21,510 --> 00:03:25,030 what people call certainty of sanctions and the severity of 54 00:03:25,030 --> 00:03:28,709 sanctions. So let's start with these 2 first. So the 55 00:03:28,709 --> 00:03:32,310 certainty of sanctions means, basically, likelihood of getting 56 00:03:32,310 --> 00:03:35,844 caught. So it means the likelihood that active 57 00:03:36,084 --> 00:03:39,605 your activities will be detected and identified for the purpose of 58 00:03:39,605 --> 00:03:43,444 sanction. And I will keep very soon, I will give you examples. Okay. The 59 00:03:43,444 --> 00:03:47,290 other well known well studied aspect of sanction 60 00:03:47,290 --> 00:03:50,890 is is the severity of punishment. 
It basically means 61 00:03:50,890 --> 00:03:54,730 that if you get caught or somebody get caught, you 62 00:03:54,730 --> 00:03:58,250 know, how harsh or big is the 63 00:03:58,250 --> 00:04:02,075 penalty. And in the literature, these are 64 00:04:02,075 --> 00:04:05,855 often presented in a way that the higher is the certainty 65 00:04:05,915 --> 00:04:09,515 and severity, the less risky cyber 66 00:04:09,995 --> 00:04:13,400 cybersecurity behavior will follow. And, of course, 67 00:04:14,260 --> 00:04:17,700 on these two dimensions, there are few many which 68 00:04:17,700 --> 00:04:21,399 I'll, explain later. People are talking about likelihood 69 00:04:21,459 --> 00:04:25,265 of getting caught and and the severity of punishment. These 70 00:04:25,265 --> 00:04:28,565 are refers to people or, in this case, users' 71 00:04:28,625 --> 00:04:32,245 perception. For example, they they perception of 72 00:04:32,785 --> 00:04:36,625 the likelihood of detection and and severity of punishment. So let's 73 00:04:36,625 --> 00:04:40,405 illustrate this this with a very simple example first, 74 00:04:40,710 --> 00:04:44,170 which is familiar to everybody, namely driving over the speed limit. 75 00:04:44,470 --> 00:04:47,850 What the certainty of detection means, it means that 76 00:04:48,390 --> 00:04:51,690 if you believe that there is a police radar, you know, when you drive, 77 00:04:52,150 --> 00:04:55,450 on a highway, you are more likely to drive within the speed limit. 78 00:04:56,075 --> 00:04:59,915 So more radar, more the more likelihood you believe there's a police radar, 79 00:04:59,915 --> 00:05:03,275 the less you are likely you are driving over the speed limit. That's the 80 00:05:03,275 --> 00:05:06,715 likelihood of getting caught, also known as certainty of 81 00:05:06,715 --> 00:05:09,855 detection. The other thing is severity of the punishment. 
82 00:05:10,620 --> 00:05:13,680 It basically mean in the in the driving over the speed limit 83 00:05:14,140 --> 00:05:17,980 example, that the higher is the the ticket fine, the less likely 84 00:05:17,980 --> 00:05:21,660 you are you are expected drive within the speed limit. And now, I 85 00:05:21,660 --> 00:05:25,325 mean, in that kind of cases, applying 86 00:05:25,325 --> 00:05:29,165 sanction is quite easy and straightforward. But if 87 00:05:29,165 --> 00:05:32,605 you apply these elements to 88 00:05:32,605 --> 00:05:36,445 cybersecurity cases, it's a little bit 89 00:05:36,445 --> 00:05:39,750 challenging. So let's take a phishing as an example. And let's illustrate 90 00:05:39,890 --> 00:05:43,510 one idea only. The third time you have detect detection, 91 00:05:44,770 --> 00:05:48,530 also known as the likelihood of getting caught. So if you're 92 00:05:48,530 --> 00:05:52,230 a cybersecurity manager and, you know, you apply this principle, 93 00:05:53,314 --> 00:05:56,754 You should ensure that the employees believe that if they click a phishing link or 94 00:05:56,754 --> 00:05:59,955 share their password, the company will monitor such in 95 00:06:00,115 --> 00:06:03,555 incidents and impose sanctions on them. So what is the problem 96 00:06:03,555 --> 00:06:06,534 here? Well, the situation in in cybersecurity 97 00:06:06,914 --> 00:06:10,460 and, of course, this depends case by case, but in the phishing 98 00:06:10,460 --> 00:06:14,220 example, it's actually very different from the speeding example. Because in 99 00:06:14,220 --> 00:06:17,920 the speeding example, people usually have 100 00:06:18,300 --> 00:06:22,055 they know their car speed. Right? The only 101 00:06:22,055 --> 00:06:25,815 contribution might be what is the actual speed limit on the road, 102 00:06:25,815 --> 00:06:28,795 and then do their navigators often provide that information. 
103 00:06:29,495 --> 00:06:33,120 But if you think about the phishing victimization case, none of 104 00:06:33,120 --> 00:06:36,580 this is true. Employees often lack the necessary 105 00:06:36,640 --> 00:06:40,400 knowledge to separate phishing message from real one. And, you 106 00:06:40,400 --> 00:06:44,000 know, if you impose sanctions in that case, the sanctions may backfire because 107 00:06:44,000 --> 00:06:47,300 employees really believe how I should, you know, know these things. 108 00:06:47,805 --> 00:06:51,585 That's why applying sanctions in cybersecurity cases is tricky. 109 00:06:52,445 --> 00:06:56,225 And there are many other concerns. One is sanctions 110 00:06:56,285 --> 00:06:58,945 experience. If you believe the original theory 111 00:07:00,060 --> 00:07:03,500 developed in seventies by guy named Gibbs so he was 112 00:07:03,500 --> 00:07:06,860 basically saying that you can use sanctions. The 113 00:07:06,860 --> 00:07:09,840 sanctions require sanctions experience. 114 00:07:10,620 --> 00:07:14,395 And there are 2 kind of sanction experience if you follow 115 00:07:14,395 --> 00:07:17,775 the original idea. There are general and there are specific. 116 00:07:19,595 --> 00:07:23,035 The specific means that employees have received 117 00:07:23,035 --> 00:07:26,630 sanctions themselves. So they have own experience 118 00:07:26,690 --> 00:07:30,230 of receiving sanctions. That's called specific experience. 119 00:07:31,010 --> 00:07:34,450 The other experience is general experience. General 120 00:07:34,450 --> 00:07:38,230 experience means that you have not received sanctions 121 00:07:39,275 --> 00:07:43,115 yourself, but you have seen other received received sanctions. For example, you 122 00:07:43,115 --> 00:07:46,875 may have never received a ticket for driving over the speed limit, but you 123 00:07:46,875 --> 00:07:50,395 know it's actually happening. People are getting caught and people get 124 00:07:50,395 --> 00:07:54,090 ticket. Okay. 
So so all of these conditions, if 125 00:07:54,090 --> 00:07:57,930 you can think about the driving over the speed limit example, I 126 00:07:57,930 --> 00:08:01,470 easily met. Be because people have either seen 127 00:08:02,010 --> 00:08:05,785 that, you know, this actually happened. You know? People are driving over the speed limit. 128 00:08:05,785 --> 00:08:09,225 They get caught, and they get a ticket, or they have their own 129 00:08:09,225 --> 00:08:12,665 experience of that. Or, well, in many cases, both. But in 130 00:08:12,665 --> 00:08:16,345 cybersecurity cases, that may not be the case. 131 00:08:16,345 --> 00:08:19,330 For example, think about password reuse, 132 00:08:20,190 --> 00:08:23,870 meaning you are using the same password in different accounts. Have anybody 133 00:08:23,870 --> 00:08:27,470 ever received sanctions for password reuse when hardly anyone has 134 00:08:27,470 --> 00:08:31,225 personal experience of receiving sanctions in, you know, many 135 00:08:31,225 --> 00:08:33,804 cases like my example of password reuse, 136 00:08:34,985 --> 00:08:37,245 then there's no really interference experience. 137 00:08:38,825 --> 00:08:42,585 If we read the theory and we believe the theory, sanctions 138 00:08:42,585 --> 00:08:46,330 would not work in that kind of cases. Because without this 139 00:08:46,330 --> 00:08:49,470 this experience that you have own experience of receiving sanctions, 140 00:08:50,010 --> 00:08:53,370 or you have seen that other people receive sanctions, the 141 00:08:53,370 --> 00:08:56,565 sanctions should not work if we believe the theory. 142 00:08:56,965 --> 00:09:00,325 There's a difference between sanctions, which somebody else is 143 00:09:00,325 --> 00:09:04,165 imposing on you, and risk. 
So, 144 00:09:04,165 --> 00:09:08,005 like, I I I've never heard of anybody being, you know, receiving a sanction 145 00:09:08,005 --> 00:09:11,840 for reusing the password, but I've heard of people that got 146 00:09:11,840 --> 00:09:15,520 hacked from reusing a password. So that that's a very different 147 00:09:15,520 --> 00:09:19,280 thing. Right? Yeah. It's a different thing. And and and well, if 148 00:09:19,440 --> 00:09:23,280 okay. If you believe the theory, here it means that 149 00:09:23,280 --> 00:09:26,915 that you need to have sanction experience. Sanction experience does not mean that 150 00:09:27,134 --> 00:09:30,894 somebody hacked, but somebody hacked and then 151 00:09:30,894 --> 00:09:34,514 because of the hacking, the firm punished somebody. 152 00:09:35,535 --> 00:09:39,370 Of course, the sanctions might be formal or might be informal. Informal 153 00:09:39,370 --> 00:09:43,130 means that, you know, you get the warning or something. So that 154 00:09:43,130 --> 00:09:46,890 basically the sanctions experience means. Okay? And if 155 00:09:46,890 --> 00:09:50,670 you believe the theory, it means that you have seen that 156 00:09:51,050 --> 00:09:54,805 employees in the firm has received sanctions 157 00:09:55,425 --> 00:09:58,805 by the firm by not following cybersecurity 158 00:09:58,945 --> 00:10:02,465 policies, or they have own experience, or they have seen that, you know, somebody 159 00:10:02,465 --> 00:10:06,100 else actually received sanctions. And, again, the 160 00:10:06,100 --> 00:10:09,639 theory is saying, if that not the case, sanctions should not work. 161 00:10:09,939 --> 00:10:13,540 Now I'm saying, the theory is actually wrong 162 00:10:13,540 --> 00:10:16,980 here. Because if if you look the evidence, as I 163 00:10:16,980 --> 00:10:20,625 said, we have been studying sanctions 30 years. 
164 00:10:20,705 --> 00:10:24,305 And if you look to scientific evidence, it points out that 165 00:10:24,305 --> 00:10:27,685 sanctions do have some effect in cybersecurity 166 00:10:27,825 --> 00:10:30,805 cases, even there would be no sanction experience. 167 00:10:31,745 --> 00:10:35,110 So my conclusion here is that sanctions could be more 168 00:10:35,110 --> 00:10:37,930 effective if you have a sanction experience, 169 00:10:38,550 --> 00:10:42,310 meaning you have received sanctions or you have seen people have received 170 00:10:42,310 --> 00:10:45,770 sanctions by the firm for violating cybersecurity policies. 171 00:10:46,390 --> 00:10:49,565 But if if firms are actually giving sanctions, 172 00:10:50,105 --> 00:10:53,705 that's tricky as you know, when you 173 00:10:53,705 --> 00:10:57,385 impose sanctions, you actually start to punish people or give warnings, the 174 00:10:57,385 --> 00:11:01,225 sanctions may backfire. People don't like sanctions and so 175 00:11:01,225 --> 00:11:04,390 on, and they may turn against you. 176 00:11:04,930 --> 00:11:08,610 That's an interesting stream in the literature that I've noticed. The the articles you and 177 00:11:08,610 --> 00:11:11,830 your your coauthors have been writing is the the possibility 178 00:11:11,970 --> 00:11:15,570 resentment arising from the organization enforcing its 179 00:11:15,570 --> 00:11:18,795 security mandate. I want to go back to the, the 180 00:11:19,654 --> 00:11:23,015 the driving too fast in traffic example, because I'm going to be traveling up through 181 00:11:23,015 --> 00:11:26,615 your part of the woods in a couple of weeks. Straight past Tuscaloosa, I 182 00:11:26,615 --> 00:11:30,315 generally travel about 10 miles over the speed limit with a radar detector. 
183 00:11:30,920 --> 00:11:34,600 The thing in my mind is I always slow down if everybody else slows down, 184 00:11:34,600 --> 00:11:38,120 and I always slow down if I see blue lights flashing, meaning somebody's been caught 185 00:11:38,120 --> 00:11:41,720 in a speed trap. That leads me to ask the employees knowing 186 00:11:41,720 --> 00:11:45,339 about, the punishable acts, knowing about what might get sanctioned, 187 00:11:45,635 --> 00:11:48,755 that's an aspect of this too, isn't it? Their awareness of a of a security 188 00:11:48,755 --> 00:11:52,355 protocol that might be applied against them? Yeah. So the 189 00:11:52,355 --> 00:11:56,195 employees' knowledge should have a big role here, and especially if 190 00:11:56,195 --> 00:11:59,735 you read the theory. So the original theory assumes that that 191 00:12:00,035 --> 00:12:03,570 that users know already what is illegal 192 00:12:03,630 --> 00:12:07,390 or, in in our case, cybersecurity policies and what 193 00:12:07,390 --> 00:12:11,070 is allowed and not allowed by the cybersecurity policies. But 194 00:12:11,070 --> 00:12:14,910 often the users may not know the policies. We have 195 00:12:14,910 --> 00:12:18,635 run number of studies on on these things, and, you know, most 196 00:12:18,635 --> 00:12:22,315 employees do not remember the details in cybersecurity policies. So 197 00:12:22,315 --> 00:12:26,155 that's, of course, challenge. And there's also another issue, other 198 00:12:26,235 --> 00:12:29,835 another knowledge issue related to how to do the right thing in 199 00:12:29,835 --> 00:12:33,060 terms of cybersecurity because cybersecurity 200 00:12:33,200 --> 00:12:37,040 policies may instruct let's take a pass password example 201 00:12:37,040 --> 00:12:40,720 again. Okay? Cybersecurity policies may say, hey. Use 202 00:12:40,720 --> 00:12:44,535 long random unique password for each account. 
But 203 00:12:44,535 --> 00:12:47,654 then, you know, policy does not actually tell you how to do it, how how 204 00:12:47,654 --> 00:12:51,415 you manage this, you know, how you remember countless long unique passwords. And 205 00:12:51,415 --> 00:12:55,015 there may not be training on this. Of course, this 206 00:12:55,015 --> 00:12:58,850 issue is not specific to use of sanctions, but that kind of challenge is 207 00:12:58,850 --> 00:13:02,470 there is in terms of employees' knowledge that they don't know the cybersecurity 208 00:13:02,610 --> 00:13:06,370 policies. And even they know, they don't necessarily 209 00:13:06,370 --> 00:13:10,065 know how to do the right thing because the company doesn't give them enough 210 00:13:10,385 --> 00:13:14,225 information. Training is not adequate and so on. Of course, as I mentioned, this 211 00:13:14,225 --> 00:13:17,905 issue is not specific to deterrence theory. Maybe we can explore that a 212 00:13:17,905 --> 00:13:21,425 little bit more. As you were talking about that, I 213 00:13:21,425 --> 00:13:25,185 started thinking about if if you're driving along the highway and you don't notice 214 00:13:25,185 --> 00:13:28,699 that the speed limit changes, you don't necessarily 215 00:13:29,079 --> 00:13:32,839 react to seeing that officer on the side of the road because you think you're 216 00:13:32,839 --> 00:13:36,300 going the speed limit. Well, then if you get a ticket 217 00:13:37,079 --> 00:13:40,839 and it turns out the speed limit sign was behind the branch of a 218 00:13:40,839 --> 00:13:44,545 tree, you're gonna experience a lot of resentment. And 219 00:13:44,545 --> 00:13:48,225 I think maybe or let me ask, do you think that the same sort of 220 00:13:48,225 --> 00:13:51,825 thing is in play with cybersecurity? So we've got these 221 00:13:51,825 --> 00:13:55,345 policies, either we haven't received training on them or the 222 00:13:55,345 --> 00:13:59,150 policies are really complicated. 
We violate the policies, 223 00:13:59,150 --> 00:14:02,990 get caught, get punished. It seems like that would lead to 224 00:14:02,990 --> 00:14:06,430 resentment, wouldn't it? Yeah. I mean, big 225 00:14:06,430 --> 00:14:10,110 thing here is that a very different thing if you don't 226 00:14:10,110 --> 00:14:13,575 know the the rules. And and as I mentioned, 227 00:14:13,955 --> 00:14:17,395 for many firms, you just give the policies. There's some generic 228 00:14:17,395 --> 00:14:20,995 training. It means that people may not really 229 00:14:20,995 --> 00:14:24,515 understand, you know, why they have to follow these policies. And sometimes the policies are 230 00:14:24,515 --> 00:14:28,170 not actually good ones. You know? They are. There might be conflict between what the 231 00:14:28,390 --> 00:14:32,070 cybersecurity policies are saying and what the firms want you to 232 00:14:32,070 --> 00:14:35,590 do. For common example is that security guys are saying don't 233 00:14:35,590 --> 00:14:39,270 click any, links. And then, you know, administration is 234 00:14:39,270 --> 00:14:42,145 actually saying, just do this training and click a link. So, you know, that's a 235 00:14:42,145 --> 00:14:45,265 con Look at this document to see what I'm writing you about. They do that 236 00:14:45,265 --> 00:14:48,945 all the time where we were. Yeah. So there's basic con conflict that, you 237 00:14:48,945 --> 00:14:52,705 know, cybersecurity policy is in the conflict, but you should do in the 238 00:14:52,705 --> 00:14:56,490 work. And that's actually past cybersecurity management, not about the the 239 00:14:56,490 --> 00:15:00,190 deterrence theory as such. Whether using sanctions or not, 240 00:15:00,570 --> 00:15:04,010 it's important that the policies make sense, employees understand the 241 00:15:04,010 --> 00:15:07,770 cybersecurity policies. And they also know how to cope, as 242 00:15:07,770 --> 00:15:11,445 I mentioned. You know? If you start to say, hey. 
For every account, 243 00:15:11,904 --> 00:15:15,345 you have 30 account. Every account use unique long 244 00:15:15,345 --> 00:15:18,625 password, but you don't tell how to actually manage this, then, you know, you are 245 00:15:18,625 --> 00:15:22,385 not really helping employees. And then don't and then don't use a password manager because 246 00:15:22,385 --> 00:15:26,220 that that's, risks. I know yeah. Well, and I 247 00:15:26,220 --> 00:15:29,760 I don't know about where you are, but we have annual training. 248 00:15:30,620 --> 00:15:34,060 Yeah. And it's, what, Tom, 4 hours, 5 249 00:15:34,060 --> 00:15:37,580 hours of just all kinds of training. It's a chunk of time. Yeah. 250 00:15:37,580 --> 00:15:40,605 And the security training is buried in the middle of that, 251 00:15:41,404 --> 00:15:44,764 and you're kind of tuned out. You know, all you wanna do is get through 252 00:15:44,764 --> 00:15:48,524 the training. That's why I wonder if that's a reason that people 253 00:15:48,524 --> 00:15:51,665 react poorly when they are sanctioned because they feel like 254 00:15:52,445 --> 00:15:55,345 the training isn't very effective. It goes back to your awareness. 255 00:15:55,850 --> 00:15:59,690 So what what about, can I can I can I quickly comment that? Sure. 256 00:15:59,690 --> 00:16:02,830 Sure. So this is a almost like universal 257 00:16:03,370 --> 00:16:07,130 problem. So not specific to, sanctions, of 258 00:16:07,130 --> 00:16:10,935 course. It also have implications for sanctions because if you don't know the policies, you 259 00:16:10,935 --> 00:16:14,555 don't know how to how how to react. 
But often, you know 260 00:16:14,775 --> 00:16:18,235 and and the people who are listening to this, if if they are cybersecurity managers, 261 00:16:18,775 --> 00:16:21,995 you know, or you are responsible for the cybersecurity, you should ask, 262 00:16:22,615 --> 00:16:26,310 have you ever asked from the provider who is actually giving you the 263 00:16:26,310 --> 00:16:30,090 training how effective the training is? Mhmm. So for example, if you take a vaccine, 264 00:16:30,630 --> 00:16:34,070 you, you know, you ask, like, how effective? Is is this giving me 80% of 265 00:16:34,070 --> 00:16:37,910 protection or 70% of protection and so on? You know, if you have a 266 00:16:37,910 --> 00:16:41,535 cybersecurity training, you should ask the provider, give me 267 00:16:41,535 --> 00:16:44,435 test results. How effective the training is? 268 00:16:45,055 --> 00:16:48,175 Right. So, you know, is it actually no. If if I have an let's say, 269 00:16:48,335 --> 00:16:51,855 anti phishing training, how effective this training 270 00:16:51,855 --> 00:16:55,589 is against the you know, how how much is lower the 271 00:16:55,589 --> 00:16:59,269 rate of victimization? And most providers, they have never 272 00:16:59,269 --> 00:17:03,110 even tested. You know, while you're selling or buying 273 00:17:03,110 --> 00:17:06,630 products with you don't know how effective they are. And if they aren't effect effective 274 00:17:06,630 --> 00:17:10,390 are you actually wasting employees' time? Do you think that's just checking a 275 00:17:10,390 --> 00:17:13,875 box? Yeah. You know? That that's a lot of because lot of cybersecurity 276 00:17:13,875 --> 00:17:17,714 management, that's that's a really different topic. Lot of cybersecurity management 277 00:17:17,714 --> 00:17:21,474 is people call it best practice, but it basically does that, you know, tick 278 00:17:21,474 --> 00:17:24,755 box compliance that you can say to auditors that, hey. 
We have we have been 279 00:17:24,755 --> 00:17:28,580 to you know, we have covered this. Right. You don't really you don't really care 280 00:17:28,880 --> 00:17:32,000 or you don't know how to, you know, what is actually quality here. You just 281 00:17:32,000 --> 00:17:35,220 say, hey, we did this. Next item, we did this. Right. 282 00:17:35,440 --> 00:17:39,280 Right. Well, you said something earlier that I wanted to come back 283 00:17:39,280 --> 00:17:42,995 and revisit, which is that employees typically don't know the full 284 00:17:42,995 --> 00:17:46,835 totality of the information security policy of the organization, and 285 00:17:46,835 --> 00:17:50,195 that implies that the, the information security officers need to be able to 286 00:17:50,195 --> 00:17:53,975 communicate not only the restrictions and the prohibitions, 287 00:17:54,115 --> 00:17:57,779 but also the sanctions associated with violating them in a more 288 00:17:57,860 --> 00:18:01,620 in an effective and reasonable way. How can the security managers 289 00:18:01,620 --> 00:18:04,899 get that word out in a way that will take that will be effective with 290 00:18:04,899 --> 00:18:08,740 the other employees? In communicating sanctions, there are 291 00:18:08,740 --> 00:18:11,960 a couple of things. First, you need to understand the firm culture 292 00:18:12,555 --> 00:18:16,395 and the nature of the firm business. So if sanctions are not 293 00:18:16,395 --> 00:18:19,915 self evident and depending on the firm culture and 294 00:18:19,915 --> 00:18:23,675 existing cybersecurity education efforts, you 295 00:18:23,675 --> 00:18:27,509 must explain why the sanctions are necessary if you want to use them 296 00:18:27,509 --> 00:18:31,350 effectively. Also, you should think about putting 297 00:18:31,350 --> 00:18:34,889 yourself in employee shoes. You know, say, hey. How about these sanctions? 298 00:18:35,110 --> 00:18:38,409 Would you accept these sanctions if you would be the employee? 
299 00:18:39,005 --> 00:18:42,845 If you want to introduce sanctions, you should pilot test ideas with 300 00:18:42,845 --> 00:18:46,625 you people. Discuss the concept and get feedback on 301 00:18:46,925 --> 00:18:50,145 how they think about this. And, of course, you need management support. 302 00:18:51,130 --> 00:18:54,809 And in any reason and this is really depending on 303 00:18:54,809 --> 00:18:58,409 the country or state or even, you know, the the what kind of, 304 00:18:58,730 --> 00:19:02,570 firm. Is it public firm or is it, like, private firm? But, you know, some 305 00:19:02,570 --> 00:19:05,929 cases, some countries, some states, there might be strong work 306 00:19:05,929 --> 00:19:09,575 union. And if there's a work strong union, they may actually challenge you 307 00:19:09,575 --> 00:19:13,035 unless you are well prepared. A lot of cases in my, consulting 308 00:19:13,495 --> 00:19:17,335 work where, you know, lot of things we introduce and then the work union came 309 00:19:17,335 --> 00:19:20,960 and, you know, are you actually you know, what you are doing for our creative 310 00:19:20,960 --> 00:19:24,720 employees. You have to know your firm culture well, what kind 311 00:19:24,720 --> 00:19:28,160 of culture it is, put you on employees' shoes, pilot test 312 00:19:28,160 --> 00:19:31,520 ideas, get management support, and so 313 00:19:31,520 --> 00:19:35,235 on. So for our listeners who are generally managers responsible 314 00:19:35,295 --> 00:19:39,055 for determining how to, manage security violations, how do 315 00:19:39,055 --> 00:19:42,815 they determine the right level of sanction? In our protection motivation work that we're 316 00:19:42,815 --> 00:19:46,620 all familiar with tends to suggest that if you have too heavy a 317 00:19:46,620 --> 00:19:50,300 hammer, people are gonna shy away out of, perceptual screening, 318 00:19:50,300 --> 00:19:53,900 essentially. The old fear appeals argument, don't scare them too much. 
How does the 319 00:19:53,900 --> 00:19:57,180 CISA determine the right level of sanctions so they're, 320 00:19:57,420 --> 00:20:01,175 maximally effective? 1st, I think you should under as I mentioned, 321 00:20:01,175 --> 00:20:05,015 you should understand the firm's culture, and that's very 322 00:20:05,015 --> 00:20:07,755 different. And here, actually, I think many 323 00:20:08,775 --> 00:20:12,540 many scientists make a mistake. You know? If you if you let let's assume you 324 00:20:12,620 --> 00:20:16,400 you have very liberal university and philosophy department. That's an extreme example. 325 00:20:17,100 --> 00:20:20,780 Most employees think that sanctions would be absurd unless you you really explain 326 00:20:20,780 --> 00:20:24,540 them carefully, and perhaps you are never able to do that. In contrast, if you 327 00:20:24,540 --> 00:20:28,315 go to military organizations, almost everybody almost know, 328 00:20:28,315 --> 00:20:32,075 hey. There will be sanctions. You know? It's it's a normal thing. In Northern 329 00:20:32,075 --> 00:20:35,835 Europe or France, employees expect more autonomy, so sanctions must be 330 00:20:35,835 --> 00:20:39,435 justified more than other countries. In turn, if you go, 331 00:20:39,435 --> 00:20:43,110 like, US in the Middle East, sanctions are more commonly used. So, you know, you 332 00:20:43,110 --> 00:20:46,490 need to know your firm culture. In cultures where 333 00:20:46,790 --> 00:20:50,390 sanctions are not in firms culture with sanctions are not commonly used, then you really 334 00:20:50,390 --> 00:20:54,170 need to justify the sanctions and especially if there are harder sanctions. 335 00:20:55,325 --> 00:20:59,085 But as I mentioned, this is really depends on the firm's culture, so it's 336 00:20:59,085 --> 00:21:02,925 it's very firm specific issue. But you can also compare the 337 00:21:02,925 --> 00:21:06,705 cybersecurity sanctions with other sanctions. 
What kind of sanctions 338 00:21:07,005 --> 00:21:09,745 the firm is giving other type of violations? 339 00:21:10,610 --> 00:21:14,230 And, again, same comments apply. Put yourself into employee shoes. 340 00:21:14,450 --> 00:21:17,810 Pilot test ideas with a few people. And, of course, you need to get 341 00:21:17,810 --> 00:21:21,590 management support, as I mentioned, also. 342 00:21:22,050 --> 00:21:25,350 Sounds like sanctions could backfire if they're not engineered 343 00:21:25,410 --> 00:21:28,765 properly. How how could a a a manager avoid 344 00:21:29,465 --> 00:21:32,605 sanctioning in a way that would have an unintended effect? 345 00:21:33,065 --> 00:21:36,765 Backfire basically means that you increase sanctions for 346 00:21:37,065 --> 00:21:40,525 improving cybersecurity behavior. Perhaps cybersecurity behavior increases, 347 00:21:41,305 --> 00:21:44,880 but then you have negative effects, kind of side 348 00:21:44,880 --> 00:21:48,580 effects. People don't like sanctions as a result of which 349 00:21:48,880 --> 00:21:52,480 their work motivation may decrease. They may 350 00:21:52,480 --> 00:21:56,184 start to hate cybersecurity, or they may start to hate 351 00:21:56,184 --> 00:21:59,865 IT or even leave the firm. In in in case of 352 00:21:59,865 --> 00:22:03,325 cybersecurity, one concern is also privacy. 353 00:22:03,945 --> 00:22:07,784 It depends on the culture and even people, what they think about privacy. Some 354 00:22:07,865 --> 00:22:11,710 for some people, privacy is very important. For some people, it's not. 355 00:22:11,930 --> 00:22:15,230 The privacy is important in cybersecurity cases because often 356 00:22:16,170 --> 00:22:19,710 when you actively use sanctions, you have to monitor. 357 00:22:20,250 --> 00:22:23,930 Right? And that may involve violating employees' 358 00:22:23,930 --> 00:22:27,565 privacy.
And because of privacy concerns, people may start to 359 00:22:27,565 --> 00:22:31,325 hate cybersecurity, hate IT because they think that they 360 00:22:31,325 --> 00:22:34,685 are the one and the same thing and so on. And we have studied that. 361 00:22:34,685 --> 00:22:38,525 We have one study where short term, that was field 362 00:22:38,525 --> 00:22:42,040 experiments in Europe. So short term, the cybersecurity behavior 363 00:22:42,040 --> 00:22:45,560 increased. Longer term, the sanctions were not 364 00:22:45,560 --> 00:22:49,340 effective in cybersecurity behavior, but there was backfire effect 365 00:22:49,400 --> 00:22:53,020 that people didn't trust the company and lot of negative 366 00:22:54,725 --> 00:22:58,345 views regarding the company and so on. So in order to 367 00:22:58,485 --> 00:23:01,924 avoid the backfire effect, you must 368 00:23:01,924 --> 00:23:05,365 understand that the employees get the 369 00:23:05,365 --> 00:23:08,424 importance of cybersecurity policies and the reasons behind 370 00:23:09,130 --> 00:23:12,970 regulating some actions by sanctions. This is depending on 371 00:23:12,970 --> 00:23:16,650 the firm's nature. If you are military organization, this is easy. If you are in 372 00:23:16,650 --> 00:23:20,169 a university, very hard, depending on the firm 373 00:23:20,169 --> 00:23:23,805 culture. But the idea is that you if you use sanctions actively, 374 00:23:24,585 --> 00:23:28,265 you need to justify them if they are not already self evident for employees. And 375 00:23:28,265 --> 00:23:31,945 many organizations, they are not self evident for employees. And, you know, they 376 00:23:31,945 --> 00:23:35,669 need to understand why the activities sanctioned 377 00:23:35,669 --> 00:23:39,350 by sanctions are important to to cover and and so on.
If they don't 378 00:23:39,350 --> 00:23:42,950 understand that, if they're not accurate that they think that it's a you know, you 379 00:23:42,950 --> 00:23:46,730 are just violating their privacy or you are just, making their work 380 00:23:47,445 --> 00:23:50,965 more harder, then you most likely will get get the 381 00:23:50,965 --> 00:23:54,265 backfire effect. I'm hearing a pretty 382 00:23:54,404 --> 00:23:58,245 consistent subtext of fairness. So a lot of the things 383 00:23:58,245 --> 00:24:02,030 that you're mentioning that can cause the sanctions to backfire would 384 00:24:02,030 --> 00:24:05,710 be when the employees don't feel like it's fair. Yeah. You know, you're 385 00:24:05,710 --> 00:24:09,550 violating my privacy. You know, 386 00:24:09,550 --> 00:24:13,170 I didn't understand. You didn't communicate. They're too harsh. 387 00:24:14,145 --> 00:24:17,665 But but I wonder if unevenness and 388 00:24:17,665 --> 00:24:21,505 sanctions is a problem. I know at universities and and a 389 00:24:21,505 --> 00:24:25,285 lot of other organizations, different departments or different functional 390 00:24:25,345 --> 00:24:28,325 areas have different subcultures. 391 00:24:29,480 --> 00:24:32,860 And so if you're talking to somebody in another department, 392 00:24:33,560 --> 00:24:37,160 then, you know, I they get to leave early on Fridays, and, you know, nobody 393 00:24:37,160 --> 00:24:40,840 cares when you come in. And your boss says, you better be in at 394 00:24:40,840 --> 00:24:44,625 your desk at 8, and you better not be out that door before 5. 395 00:24:45,965 --> 00:24:49,165 That seems like it could cause a lot of problems. Is that an issue with 396 00:24:49,165 --> 00:24:52,925 the security sanctions as well? Well, that's an excellent question. I I 397 00:24:52,925 --> 00:24:56,730 don't think that nobody knows the answer to that. Alright. Future 398 00:24:56,730 --> 00:25:00,570 research. Yeah. Okay. 
So I think what I'm taking 399 00:25:00,570 --> 00:25:04,110 from this is if, if the security 400 00:25:04,170 --> 00:25:07,930 provisions they're required to follow aren't common sense, if they don't already know 401 00:25:07,930 --> 00:25:11,615 it, It needs to be carefully explained in a in an explicit 402 00:25:11,615 --> 00:25:15,455 manner by the manager Absolutely. In order to justify its application. So 403 00:25:15,455 --> 00:25:18,915 it's almost as though explaining the the security policy 404 00:25:19,215 --> 00:25:22,355 achieves a lot of what has to happen. It's that 1%, 405 00:25:23,410 --> 00:25:26,930 those with a certain sense of psychopathy who are gonna break the rules anyway that 406 00:25:26,930 --> 00:25:30,770 need to understand they're gonna get punished if they don't comply. You know, 407 00:25:30,770 --> 00:25:33,830 if you think about the employees' compliance with cybersecurity policies, 408 00:25:34,690 --> 00:25:38,370 lot of cases where almost every organization should do 409 00:25:38,370 --> 00:25:41,774 better, and that's not necessary sanctions. Specific issue is that, 410 00:25:42,715 --> 00:25:46,235 you know, you should make effort that the employees understand the policies and 411 00:25:46,235 --> 00:25:49,995 why, you know, the policies are like they are. I don't know 412 00:25:49,995 --> 00:25:53,774 that there's research into this in in the context of cybersecurity, 413 00:25:54,154 --> 00:25:57,810 but I think there's there are some psychologists that 414 00:25:57,810 --> 00:26:01,650 would say that the sanctions actually might 415 00:26:01,650 --> 00:26:05,110 have a an increasing effect on violations 416 00:26:05,650 --> 00:26:09,490 by those who are suffer from psychopathy, because that's 417 00:26:09,490 --> 00:26:13,284 part of the thrill. You know, if you don't get caught, there's not 418 00:26:13,284 --> 00:26:16,845 a chance of getting caught, then you don't get that thrill out of it. 
And 419 00:26:16,845 --> 00:26:20,365 so I I just wonder, that might be an interesting avenue of 420 00:26:20,365 --> 00:26:24,125 research as well. But I don't think I've read anything in 421 00:26:24,125 --> 00:26:27,809 cybersecurity that's talked about that. No. I don't my 422 00:26:27,809 --> 00:26:31,110 understanding is that nobody has studied this in in the cybersecurity context. 423 00:26:31,330 --> 00:26:35,090 So I have I cannot really I 424 00:26:35,090 --> 00:26:38,690 think the closest we get to that are the the very interesting findings in in 425 00:26:38,690 --> 00:26:42,434 in Mikko's prior work, particularly about people wanting to 426 00:26:42,595 --> 00:26:46,035 I don't wanna say get even with the boss for the boss being stringent, but 427 00:26:46,035 --> 00:26:49,635 the the the whole ledger keeping, scale 428 00:26:49,635 --> 00:26:53,315 balancing part of, deciding to act out just because you think 429 00:26:53,315 --> 00:26:56,690 they're being too stringent. Yeah. That 430 00:26:56,690 --> 00:27:00,450 might be. But What do you have coming in the 431 00:27:00,450 --> 00:27:04,150 pipeline? What new ideas will are you working on to get into the literature 432 00:27:04,290 --> 00:27:06,070 on on how to manage cybersecurity? 433 00:27:07,905 --> 00:27:11,425 You mean sanctions or cybersecurity in general? Just 434 00:27:11,425 --> 00:27:15,185 interested in what you're working on and how our reader our listeners might be 435 00:27:15,185 --> 00:27:18,945 keeping their eye out for it if they're interested. Nowadays, I'm 436 00:27:18,945 --> 00:27:22,630 also doing a lot of work on cybercrime, actually. 437 00:27:22,850 --> 00:27:25,429 So I do understand cybercrime, 438 00:27:26,850 --> 00:27:30,530 especially to how cybercrime happens and how to 439 00:27:30,929 --> 00:27:34,289 how we can use communication between the offender and victim to actually 440 00:27:34,289 --> 00:27:37,575 understand and prevent and prevent cybercrime. 
So that's 441 00:27:38,035 --> 00:27:41,635 that's one thing I'm doing. It's not really on cybersecurity 442 00:27:41,635 --> 00:27:44,934 manage management, of course, it has implications for cybersecurity management. 443 00:27:45,235 --> 00:27:48,295 What what parallels do you see between that work 444 00:27:49,180 --> 00:27:52,960 and and what you've done, around the sanctions within an organization? 445 00:27:53,420 --> 00:27:57,180 Are you seeing any any commonalities across those 2 or too 446 00:27:57,180 --> 00:28:00,880 early to tell? The cybercrime cases that we are 447 00:28:01,180 --> 00:28:04,785 actually looking, These are cases where people 448 00:28:04,785 --> 00:28:08,165 very careful and clever ways, victimized, 449 00:28:09,345 --> 00:28:12,865 people and, you know, now sanctions. Well, if you don't 450 00:28:12,865 --> 00:28:16,705 understand that you are being victimized, so how the sanctions could 451 00:28:16,705 --> 00:28:20,520 really apply effectively. So that kind of case is I don't think the sanctions 452 00:28:20,520 --> 00:28:24,280 help here. It's more about again, you know, we 453 00:28:24,280 --> 00:28:28,039 need tools for ordinary people, and 454 00:28:28,039 --> 00:28:31,845 and employees to to understand actually more cyber 455 00:28:31,845 --> 00:28:35,304 crimes and, you know, what kind of how people may try to 456 00:28:36,965 --> 00:28:40,745 use you in order to, get your money or or or some information 457 00:28:40,804 --> 00:28:44,345 from the firm. So it's more about the risks and how to protect yourself? 458 00:28:44,804 --> 00:28:48,230 Yeah. I think we're also seeing the threat actors becoming 459 00:28:48,289 --> 00:28:52,049 vastly more sophisticated than they used to be. That may be that may be an 460 00:28:52,049 --> 00:28:55,490 AI thing. I don't know. 
The the people I talk to over here where we 461 00:28:55,490 --> 00:28:59,250 are, because we we have a a classified work workspace over by the air force 462 00:28:59,250 --> 00:29:02,895 base, and they're the opinion that the, the national actors that are 463 00:29:02,895 --> 00:29:06,095 trying to breach their network are using AI to do it, and only AI can 464 00:29:06,095 --> 00:29:09,935 counter that. That's a lot of the phishing attempts I'm seeing 465 00:29:09,935 --> 00:29:13,475 lately are vastly better than they used to be. So it's a risky environment 466 00:29:13,535 --> 00:29:17,380 increasingly so, I think. You can use generic phishing 467 00:29:17,380 --> 00:29:21,140 where, you know, you've sent the same message to, you know, million of 468 00:29:21,140 --> 00:29:24,900 people and hope some of these will will be your victims, 469 00:29:24,900 --> 00:29:28,680 and then you might be more specific or targeted 470 00:29:28,820 --> 00:29:31,135 attacks where you actually find a lot of information 471 00:29:32,635 --> 00:29:36,394 on the target, and then you make your attack and, you know, of 472 00:29:36,394 --> 00:29:40,235 of course, these these targeted cases are much more successful in 473 00:29:40,235 --> 00:29:43,950 phishing or other type of social engineering. So 474 00:29:43,950 --> 00:29:47,790 so, Mikko, as we close out, we typically ask what your 4 or 5 475 00:29:47,790 --> 00:29:51,630 practical recommendations would be for the security managers who'll be listening to this. 476 00:29:51,630 --> 00:29:54,830 What are the things they can add to their list of to dos to keep 477 00:29:54,830 --> 00:29:57,490 the company safe as they, practice the craft? 478 00:29:59,155 --> 00:30:02,855 So first, you need to actually decide 479 00:30:03,955 --> 00:30:07,635 how you're using active or passive use of sanctions. 
And and now I 480 00:30:07,635 --> 00:30:11,415 realized I don't actually what we have discussed is basically 481 00:30:12,350 --> 00:30:15,790 so far, is active use of sanctions. Active use of sanctions means 482 00:30:15,790 --> 00:30:19,310 that, you know, you you monitor cases and you give sanctions to 483 00:30:19,310 --> 00:30:22,850 employees. But there's also passive use of sanctions. 484 00:30:23,550 --> 00:30:27,345 So passive use of sanctions, some might refer to this as a 485 00:30:27,345 --> 00:30:30,805 theory of covering your ass by sanctions. So basic idea is that 486 00:30:31,265 --> 00:30:34,865 you introduce sanctions, mainly to protect yourself or the 487 00:30:34,865 --> 00:30:38,545 firm from the blame. With this passive approach of 488 00:30:38,545 --> 00:30:42,200 using sanctions, you actually only use sanctions when 489 00:30:42,200 --> 00:30:45,419 something bad happens. So you introduce sanctions, 490 00:30:46,120 --> 00:30:49,580 but you actually will use them only if something very bad happens. 491 00:30:50,600 --> 00:30:54,245 I call it back you know, passive use of sanctions. So something bad happens, 492 00:30:54,305 --> 00:30:57,505 you can say, hey. We have sanctions in place. Now we can blame this 493 00:30:57,505 --> 00:31:01,345 guy or whatever. Now if you use active use of 494 00:31:01,345 --> 00:31:05,125 sanctions, that means that they require a justification, 495 00:31:06,360 --> 00:31:10,200 and they may backfire. They use justification because you actively monitor 496 00:31:10,200 --> 00:31:14,040 and give sanctions. And, especially, the harder the sanctions, 497 00:31:14,040 --> 00:31:17,800 the more carefully they have to be justified. And if 498 00:31:17,800 --> 00:31:21,625 you don't actively use sanctions, they will lose some of their effectiveness as 499 00:31:21,625 --> 00:31:25,145 a preventive tool.
You know, same idea as in the, 500 00:31:26,665 --> 00:31:30,425 climbing over the speed example if, you know, you are 501 00:31:30,425 --> 00:31:34,265 removing all the police radars, people will increase climbing over the 502 00:31:34,265 --> 00:31:37,700 speed limit. And now the use of sanctions, 503 00:31:38,560 --> 00:31:41,920 especially I mean, active use of sanctions. If employees don't find them 504 00:31:41,920 --> 00:31:45,440 justifiable, they tend to backfire, and you should 505 00:31:45,440 --> 00:31:48,645 already think about that kind of scenarios. 506 00:31:49,905 --> 00:31:53,605 And in this case, if your sanctions do not backfire, you don't justify 507 00:31:53,745 --> 00:31:57,345 these, well, sanctions may become worse than 508 00:31:57,345 --> 00:32:00,720 useless because the, because the side effects, such as 509 00:32:00,720 --> 00:32:04,480 employees disliking cybersecurity are worse than the preventive 510 00:32:04,480 --> 00:32:07,620 effect. These are the 4, 5 key points. 511 00:32:08,480 --> 00:32:12,020 This has been Cyberways. It's a production of the Louisiana 512 00:32:12,240 --> 00:32:16,035 Tech College of Business Center For Information Assurance, courtesy 513 00:32:16,035 --> 00:32:18,935 of the Just Business grant from Dean Chris Martin. 514 00:32:19,635 --> 00:32:23,095 This podcast is available wherever you consume podcasts, 515 00:32:23,475 --> 00:32:27,155 and we'd be grateful if you tell your friends about it. And if you find 516 00:32:27,155 --> 00:32:30,779 it useful to you, let us know. Let our guests know. 517 00:32:30,779 --> 00:32:34,539 I'm I'm sure Doctor Siponen is available to talk to you if you 518 00:32:34,539 --> 00:32:37,500 need more advice, because as he says, he does a lot of consulting in this 519 00:32:37,500 --> 00:32:41,260 area. We hope you found this to be interesting, and we hope you 520 00:32:41,260 --> 00:32:44,960 find the, the information to be useful in keeping your company more secure.
521 00:32:45,225 --> 00:32:48,845 Until next time. Thank you. Thank you. Appreciate it. 522 00:32:49,625 --> 00:32:53,385 And it is important to say that the Cyberways podcast is funded through the Just 523 00:32:53,385 --> 00:32:56,745 Business grant program of Louisiana Tech College of 524 00:32:56,745 --> 00:33:00,480 Business, and, we're grateful for that. So join us next time on 525 00:33:00,480 --> 00:33:03,920 the Cyberways podcast, which is available on all major 526 00:33:03,920 --> 00:33:07,600 podcast platforms. We want you to subscribe or follow or 527 00:33:07,600 --> 00:33:11,360 whatever button your favorite podcast app has. Thank you very 528 00:33:11,360 --> 00:33:11,860 much.