Hi, folks. This is the Cyberways podcast, and we

translate our academic knowledge about information security into stuff that you

can use as a security professional. We think it's a unique mission. We think you'll

like it. I'm Tom Stafford. Craig Van Slyke. Tom and I are your hosts on

your journey to knowledge. CyberWays is brought to you by the Louisiana Tech

College of Business' Center For Information Assurance. The center offers

undergraduate and graduate certificate programs in cybersecurity and

sponsors academic research focused on behavioral aspects of cybersecurity

security and information privacy. Hello, everybody, and welcome back to

Cyberway. It's a production of the Louisiana Tech University Center For Information

Assurance supported by a Just Business grant from college of business

Dean Chris Martin. Today we have with us Karen Renaud

and Mark Dupuy. They are doing some fascinating

research on cybersecurity insights taken from world

religions. Recent article appeared in Computers and Security. Doctor

Renault is a Scottish computer scientist at University of Strathclyde in

Glasgow, works in all manner of human centered security and

privacy. Doctor Dupuis is an associate professor with the Computing

and Software Systems Division, University of Washington, Bothell, where he also serves

as the graduate program coordinator. He has his PhD information

science from the University of Washington with an emphasis in cybersecurity.

Welcome, Karen and Mark. Thank you so much. Thank

you. Let's start with the big question that I

think is gonna underlie a lot of what we talk about today.

What's wrong with the way we currently practice cybersecurity? Rita,

Janet, I'm not It's not working because there's no

the number of attacks are not abating at all. So

when when you keep doing the same thing and it's still not working, you have

to think about, well, what do we what could we do differently in order to

have more success? So at at a meta level, seems like

we're not very successful. And I think in an organizational

setting, I think one of the things that's not working is it's often kind of

a us versus them. And if you think about it in an organizational

setting, why are we doing that? It should be us,

the employees, and the leadership against them, the

people that are trying to cause harm to us as opposed to,

the infighting that often takes place. It's it's counterproductive. And

as Karen said, we're not we're not getting anywhere. We're not we're not,

making improvements, and that's the problem. The other thing is that we have

this paradigm in organizational cybersecurity, which is

formulate the policy, disseminate the policy, and

enforce the policy. And then when things go wrong, we just go

back to disseminate again, and then we enforce again.

And so it's almost as if it's it's like a vaccination. And if you just

make the vaccination take, everything's gonna be fine. But

this is we've been doing this for over 2 decades, and it's not very

successful. So we have to start asking ourselves, what could

we do differently? So one of the things that I was looking at

y'all's body of research. One of the the things that struck

me was that we seem to

focus way too much on, negative emotions.

You think that's one of the problems? Well, so Mark and I met at

Hicks some the very first time. And I said to him,

Mark, I want to do some research into the use of fear in cyber. And

Mark was on board. That was the first paper we did.

And we felt that a lot of the dissemination that is done in

cybersecurity is a hook into people's minds was

if you don't do this stuff, things are gonna be really bad. You're gonna get

punished, and the hackers are gonna get in and so on. And so fear is

being weaponized. And what Mark and I discovered was

that this is a very damaging thing to do to people because fear is

is an emotion that actually hurts you, and it lasts for much longer

than we realize. But, Mark, maybe you could tell them about the password

one that well, maybe I should we shouldn't go into that kind of depth

now. Sorry. Well yeah. You know, I I think I'll just just briefly I

think the thing I'll say is with with fear and other

negative emotions, when when people get scared, they don't make

the best decisions, but yet we're trying to use these negative emotions like fear to

try and get them to do what we want them to do. So it's it

seems kinda silly in in many respects that we're trying to get them to

be compliant with these policies by scaring them

when all of a sudden, and from a cognitive standpoint, they're gonna be less adept

at doing what we want them to do. So I I you know, it's just

it's very, counterproductive in many respects. And

as, you know, some of our research has shown too that not only are we

eliciting fear, but we're also increasing other negative emotions and

decreasing positive emotions. So what are the other implications for this?

Mhmm. Your concern is But we have this extensive criminal

justice lens through which we view cybersecurity, and those of

us who go to the to all the rude meetings see it all the time.

All the leading authors started with a perspective of

enforcement as as Karen so aptly put it. You know, promulgate

the policy, enforce the policy, punish the people that don't adhere to it.

It just doesn't feel like good organizational

behavior, from a managerial perspective to be trying to get

people to do the proper thing with

negative reinforcement as opposed to building a positive

culture, which which I I'm hoping is where we're we're headed at some point, but

we don't see much research on it, do we? No. And I

understand the fear. Right? Because I speak to CSOs a

lot, and they're worried. They're they're the ones whose head is

on the on the plateau when things go wrong. They're the ones who who have

to answer the stories for the board, you know, why did we get hacked?

So that fear is then being transmitted, and that's why they get

all heavy with the normal average person in the organization.

So the whole thing about the blaming and the fear culture is really

unhelpful across the board. So I would agree with you, Tom.

So your paper is about a religious view on

cyber security, and I see that as eminently positive. You know, religion is

a positive force in our life. It it speaks

to doing good and and being good, and I'm very interested in

how you bridge to that particular lens

as a way of considering cybersecurity behavior in a new perspective.

So I spent some time in Germany a few years ago, and I

picked up 2 books before I left to read while I was there. The one

was by Scott Atren, which is called talking to the enemy, and

the other one was, Jonathan Haight, The Righteous Minds.

Nothing to do with cyber. But both of these books really struck me

in terms of trying to understand why people do what they

do, and both of them spoke about our values.

And then I started wondering what were the values that we were

trying to get people to adopt in cybersecurity.

And then I picked up a book by Alain de Beauforton, which is called religion

for atheists. And then I realized, well, hang on. Why don't

we learn from the people who do espouse values? Because religions

all have values that their adherence espouse. So

what what could we take? And but Du Boisoten says, don't

throw the baby out with the bathwater. Let's look at religion and take the

good parts and learn from it because they're very successful,

and and and then don't take the stuff that's not so great. And so that's

kind of where this idea came from. And I I zoomed Mark

from, from Germany, and he said, yeah. I'm in.

So that's that's where the ideas came from. So what did you

hope to find in, in applying this new focus on on cybersecurity?

Well, I think a lot of it is, you know, like Karen said is, you

know, religions have those that have stood the test of time have stood the test

of time for for a reason. And and some of them have,

you know, a lot of them have stood the test of time, have adapted, evolved,

and changed, as times have changed, as our society has

changed. And, by doing that, they have,

met the needs of of the people they're serving, of of their believers.

And, and there's something that could be learned from that. And we

think about some of these religions have been around for 1000

of years And, you know, in cybersecurity, you

know, being around for, you know, 20, 30 years at the

most, really. And so what can we do as

such a new discipline? What can we take from religion

and and try and learn from it? Because, you know, as we said earlier, we're

not we're not successful. We're not we're not very successful in what we're doing, and

the problems are only getting worse. So let's let's be humble

enough. Right? Let's let's show some humility and let's try and learn from

these other areas like religion and and see what we

can take. And instead of just this compliance and and this

punishment of people that are trying just

to do their day to day jobs, most of them are not in there to

do cybersecurity. They're being tasked with it

in often an unfair way when they're there to

do pretty much anything but cybersecurity. But what what can we take

from other places, other, you know, other disciplines like religion

and and learn from it to help us to help us be more successful.

And, you know, as Karen said, you know, there there's there's a lot to be

learned from. So let's learn a little bit from religion.

I wanna dig into just what religion is. So it's one of those things where

we all know what it is, but we don't really know kind of what it's

made up of. Can you talk to us a little bit about what actually

religion does or what its components are? When I I started

writing this paper, I thought, well, the first thing to do is define. Right? Whenever

you have a new concept in a paper, you have to define it. And it

turned out that people are struggle to define religion.

So, having read a number of people who said, you know, nobody can

agree on it, So, okay, let's go and look at it from a different way.

And I found somebody called Durkheim, who's a very well known German academic,

who said that religion has 3 dimensions. It's

believing, belonging, and doing. And

then when I found some other papers that also tried to say, these are

the characteristics of religions, I found that they also fell into those three

dimensions. And that made it a lot easier to an to kind of

start interpreting how what we are doing and what

religions do. Can you tell us a little bit about the problem? Part is that,

you know, if you go to somebody who's an adherent of a particular religion, they

can tell you what they believe in. And they also

know what kinds of things they should do. So they may believe in in

if it's a Christian, they would believe that they have to be kind to other

people and forgive people when things people do bad things to them and that sort

of thing. So the believing and the doing is easy to understand. But the

belonging was the one that was really came across strongly in all the

the religious related literature because people get a

sense of belonging to their community. They meet weekly with their

community a lot of the time. And that sense that I am a

Christian or I am a Muslim or whatever, that was part of became

part of their identity. And so those three things were the

aspects of religion that people seem to, you know,

cohere to. There's also the nature of, I think,

the belonging aspect of of of your model to

me speaks to what I've always considered to be the important part

of cybersecurity, which is belonging to the team that secures

the company. Mhmm. And I I see that as a a very useful

metaphor taking religious perspective. Yeah. I I I

think, you know, the the belonging part

is in many respects, the one big area where we're

lacking maybe more than the others. Because I mean, we we all can believe,

oh, you need to do this. You need to be aware of this. You need

to watch out for that. Make sure you do this and and so on. But

building that sense of community that, hey, we're all in this together,

that, we know mistakes are gonna happen, that we we realize

this is tough to do, that we're not all, at at the

same level of understanding these different threats and so on. That,

I I I believe, is really where we're lacking and we're not doing a good

job of. And I think you look at successful religions, you look

at people that, want to go to church, and it's not always just

to sit there and and listen

to a sermon for an hour, but it's oftentimes those other

activities. It's gathering for to share a meal together. It's it's

it's just being with one another. It's it's that sense of belonging,

that community that you have that we just don't

see in in cybersecurity. It's

it's it's this very this top down approach. It's this punishment approach.

And, you know, I I think as we think about the

success of religions and and a sense of belonging, we

just we are so lacking with respect to that sense of belonging in

cybersecurity. Can I take a tangent here? As you were

were all talking about this, I was trying to

translate in my mind the idea of

belonging to something like a church or a religion

versus a sense of belonging at work. And so my

church and my religion, for a lot of people that are

religious, it's very intertwined with their personal lives.

So it is part of their life. I grew up in the Baptist

church, and it was you know, it could be 3 nights a

week going and doing something all day on Sunday.

So that was intimate part of who you were. And

I don't know if we get there with work. I know work is part of

our identity, but I I wonder if it's a problem of

intensity or the extent to which it's intertwined

in our real lives. You know, we tend to separate

work and personal lives, but religion is part of

the personal life. That's a really interesting point because it

is work and I guess we have our work tribe and we have our home

tribes. But I did another piece of research which is under

review right now with some other people in Germany. We asked

people, if they ever discussed cybersecurity with other

people, and they all said no. And then we asked them whether they

would like to discuss cyber with other people, and most of them said yes.

So it's the kind of thing that people don't talk to each other about at

all, where people in the same religion would talk about their religion. So

it's almost as though people don't feel that that's something they can do.

Whereas a if there's 2 Christians, 2 Muslims, any Buddhists,

they would talk about this religion of theirs. Right? So it's almost like it's a

solo sport right now instead of a team sport at work. That's

an apt point. I I've always felt that

many organizations were groups of people each traveling their

own way and the challenge of the manager is always to harness their activities

in concert with each other. When it comes to something so mission critical,

it's protecting the company's assets from external access.

So so do you think part of the problem is the negativity

around cybersecurity? So we don't talk about doing cybersecurity

well. It's when there's an incident, when something bad happens. And

who wants to talk about that? I wonder if it's all wrapped up in the

fear of the virus. And 3 people fall for a fish, but 3

1,000 didn't, who are we talking about? We're talking about those 3.

And and so, yes, it it's it's a kind of an a mindset that

we felt when we were looking at religion really ought to change

and this mutually supporting thing. Because when I've studied events

where there have been cyber, breaches, the first thing that happens is the

person who's responsible, who may be clicked on the fish or something, they're

immediately ostracized. They're immediately pushed into the corner and

how dare you do this and how could you have been so stupid. That's that's

not what a church would do. They would try to help the person do better.

Or not the church, but I mean people in the same religion. Or

or burn you at the stake. 1 or 2. Never. Not

anymore. Not anymore. Sorry. That was a long time ago. Karen makes a point though.

Craig and I both come from the Baptist heritage and then and the Baptist

creed of faith is everybody's going to hell unless they do their best to be

a good person. No. That's that's putting it too strongly. Everybody's inherently

a sinner and seeking forgiveness and doing good

works is the avenue away from, the outcome.

And I I see the parallel with what you what you just put voice to

your current. I think too is it's it's

almost difficult to wrap our mind around how would we do this with cybersecurity.

But, difficult but not impossible. Right? Because I I

think about places I worked previously where, you know, maybe

a smaller office environment where maybe there's 50

to 75 people working there where, you know, we would

have potlucks and and different things. We would have, decorate

our office for Halloween and these other activities and have fun things and and

build that sense of community. Well, you know, like like Karen said, you know, you

know, what if there is a a fishing simulation exercise and,

yeah, 3 people fall for it, but everyone else does it? Well, what if we

have a a pizza party or something, right, some kind of celebration,

for all those that didn't fall for? We don't even mention the fact that

there's a few that didn't. And and we just, you know, again, build that

sense of community. And we we talk about, how successful

we were, or or celebrate these things and and come

together. And and I think because it sounds so foreign, it seems

silly to think about that. But and that may not be the exact approach,

but I don't think it's impossible to think about how we can build this

sense of belonging in cybersecurity because the fact of the matter

is is this isn't a solo sport. We're not in this

individually. We're in this together, but we do act like and

it's treated like we're in this individually. At the end of

the day, you know, the organization will be impacted. We're

all impacted directly and indirectly at at some point in

time. So we need to kind of start getting creative with how

we're gonna create the sense of belonging and community

within organizations.

That that fits with what Karen said about mindset. That's one of

the things I'm hearing here is we need to really have a shift in mindset.

To to get at this, you interviewed a number of religious leaders

from a variety of different religious traditions.

So what did you find? When we analyzed, we didn't specifically ask him about belonging,

believing, and doing. We just asked him in a bunch of questions, which I think

we've included in the paper. And what happened when we

analyzed it was, well, unsurprisingly, belonging, believing, and doing

kind of filtered up, and we could group them into those 3 stupid

themes. And what came across with with the

one the final question was, you know, how could cybersecurity learn? And they all

said, oh, you know, you need not to be so harsh on people when they

make mistakes. Cyber is hard. And we saw a sense of forgiveness coming

across, a sense of grace for the imperfect

human. And that we kind of had expected that, but it was really

gratifying when we heard it from them.

But the interesting part was they said the one guy said,

well, you know, when did he did cybersecurity training when he was a

student at university? It it was just like a checkbox thing. He did

it online. He finished it. He answered the questions, and he was done for the

next year. But he said at his church, when they get

together, they talk about concepts. They talk about the difficulties they're having

when they have their community get together. So he said, why don't we do that?

That was exactly what I was hoping if somebody was going to tell me.

You know, he was he made he made that contrast for me.

One one of the issues that I see from an organizational theory perspective

is the notion of agency. The organization

is formed as an informal and sometimes

actually formalized contract between the people who own the company, the

principals, and the people they hire to do the work for them, the agents, and

the agents are economically rational. They will they

will do things they shouldn't do if they feel like they can get away with

it and and it's to their benefit. Mhmm. The distinction in the religious

view is the principal agent component is not

there. There's no economic rationality. There's there's no

if you think about it, no pragmatic payoff for being good other than being good

for goodness' sake, which is

faith, which I find very I find that to be a very compelling aspect of

this religious view that you take of cybersecurity. People doing

good security for its own sake, rather than because it's

their job or because the boss will sanction them. But also maybe

learning to do what's right for the community. Right?

Rather than just doing what's what I'm scared not to do.

I've long felt that the, the criminal justice perspective on

cybersecurity, had issues

because it it treats people as problems when in fact your

solution is isn't it? Yes. So that

that leads into something that I thought was perhaps the

most interesting part of the paper, and that's the idea

of sacred values. Tom, you were kind of alluding to that.

You know, be good for goodness sake. It's because that's what you do

regardless of everything else. If it costs you money, if it costs

you your position, costs you your material wealth,

you still do we we talk about doing doing what's right

because it's right. That's a sacred value.

So what are sacred values and how do they

apply in this context? Mark.

This this is not a quiz, so Well, I mean, well, what

row. I was gonna real quickly, maybe touch

on the prior question if that's okay. And I

I think it's just some interesting insight from the

religious leaders with kind of that sense of

belonging where, you know, they they touched on

how we are all different, and we have a lot of differences

between us, but how we should focus also on what's common

between us. And it's kind of that sense of belonging, you know, bringing us together

as a community and how we are there to help each other,

help us as as people. And by doing that, we can

create that sense of trust, between us. You know? And I see

that not really being done very well in organizations. It's it's often like,

oh, this person doesn't know what they're doing, but they're gonna click on that phishing

email. They're gonna hurt us as an organization and and so

on. And so, you know, that was some interesting insight with respect to

belonging. And then you look at believing, an interesting comment

from one of the religious leaders was, you know, go where the people are rather

than just expecting the people to come. And, you know, again, I

I thought it was just some very interesting insight

of, you know, hey. You know, reach out. Don't just

wait for something bad to happen, but be proactive. You know, be

available to the to these people that, again, are not there

to do cybersecurity but are being tasked with it in an often and

unfair manner, but be available to them.

So, you know, that it's just some other things that I wanted to to

share. One of the things that somebody said was be humble.

The people who are asking other folks to do cybersecurity actions

should be humble and not act like they know everything. And that that

was interesting as well. I'm intrigued by the notion of

morality. I always have been. And morality is

deeply seated in the concept of religion. I I wonder if maybe

it it it transfers over to your research perspective

because my sense of organizations is companies

have no religion. They are the inherently amoral

entities. They do what is legal. And sometimes as I tell

my students, amorality is doing what is not

prescribed by law or what you think you might not be caught at.

And you know it's not right, but you don't think you're gonna get caught. Organizations

are not moral, centers,

if you will. And then that I think that has to change

because cybersecurity requires everybody caring for the good of the all as

opposed to everybody looking out for themselves. Don't you think? Yes. Can I just

get back to the sacred values that, Craig asked about? When

I when I read Scott Atron's book, he said that,

people, you know, you could challenge other values they

had. But when you went near their sacred values, they it was not

negotiable. Right? And so what I kept thinking was we

don't even try to incalculate the values into people in

cyber. We give them a list of do's and don'ts. We don't actually

try to make that part of them that becomes nonnegotiable.

And and you were talking about integrity. I've done a study into whistleblowers,

and they also said, we saw this and we had to

speak because it was our integrity that was a

question. So for them, that integrity was their kind of

sacred value. But we that it seems to be a completely alien

concept in cyber at the moment that we we try to find

the values that people should endorse and

embrace. Let me see if I can tie this back to what what

Tom was talking about. So morality

isn't a static, universal thing. I mean, we have

some things that we view as largely universal, but

you brought up a really important point in your paper that ties into all of

this. So the idea is if we can get

employees to tie into the security sacred values,

then they'll do anything to avoid violating those values.

But then you brought up a really important point and I'm literally gonna read it.

While cybersecurity professionals could easily commit to these values, talking

about the cybersecurity sacred values, we

do not know the extent to which individual employees will be able to commit

to these relatively broad categories and or convert them

into action, nor do we know whether they are effective

candidates to serve as the higher values foundation

grounding our vision. Yeah. I think that's the rub.

That the sacred values for the employees getting some and

Tom, you kind of talked about this idea of alignment in in

management. I think that's gonna be the neat trick, and if we can

figure out how to do that, a lot of other things may fall into place.

So what do you all think about that idea? I think that's a big part

of the challenge is it's creating that culture that is

going to work from, you know, from

the bottom to the top and vice versa. And that's that's

a really big challenge. It goes to these sacred values

that were espoused by the religious leaders, you know, working

together to support others. And it's not easy. Everyone is

there trying to, for the most part, do their job, make make

their money, go home, and and, you know, deal with their lives outside

of work. And when things are complicated

and, you know, you probably see eye rolls and you see other things

I have a couple kids, so I see that plenty. But then, you know, you

you're tasking them with other things that complicate matters. It can be

difficult to get that buy in. But if you

are successful and if you can do that, you can really see

some amazing things happen. And and it is possible. You know, you

see things that have been done. You look

at at Demian and what was done with Toyota in the 19

fifties. This humongous shift. These humongous shifts in

culture can happen, and they do happen, and they are effective.

Why can't this happen with cybersecurity in organizational settings?

It can. You know? We just need to figure it out. And I think this

is a starting place for some discussions of what this might look

like. You know, how this can be effectuated? You know, we still have some

work to do to figure that out and to try it out, but it it

is possible. It is. You're in my wheelhouse now

when you bring up Deming because Deming was issued by all the major

US automakers as being irrelevant. So he went to Toyota

out of desperation to sell his idea, and he he

landed in a culture which espouses

collectivism, which means the good of all as opposed to the good of the one,

whereas the companies who turned him down are strictly into economic

outcomes for the 1, maximized personal outcome, which is really, I think,

the the issue in the a moral approach to business. I I I don't

know. I'm I'm on a soapbox now, so I'll stop. But I I wanted to,

to ask you whether you think that the notion in the title of your

paper, shame, has an irrelevance or if that's just

something that we try to avoid by doing good. And if I

could just interject, that's that's another paper that's in this kind of

overall we need to do security differently theme. And

assuming that Mark and Karen are willing, we're going to have

them back to talk about that paper because it was just too much for one

episode. So I just want wanted to to kind of give the backstory

here. And that's one that we followed the fear one with because it felt as

if people were being shamed when they did make a mistake,

and that was my sense. And then when Mark gathered

all our bunch of data, it actually happened to loads of people where

they where they done something silly, clicked on a message or whatever.

And there was then the organization would people would yell at

them, and they would they would get, you know, ostracized

by their by their because now everyone had to go for the training

again, and everyone couldn't work that day while the folks, IT folks,

had to sort the computers out and everything. And the what the people

went through was awful. You know? And and what we

discovered was, interestingly, there's a difference between shame and guilt.

Guilt says, you did this silly thing. Here's what you can do to

make up for it. Shame says, you are the stupid

person. It's an attack on you as a as a human. So then

what you get is a self defense response. And what we also

discovered is that what you do when you shame people is create an insider

threat. It's very, very counterproductive.

The organization does not end up ahead like maybe they think they're gonna

end up ahead. So it's it's very counterproductive. So

we're we're gonna leave that as foreshadowing for our later

episode. We're starting to run up against our time

limit, so could you

give us kind of the 3 or 4 messages

that you want our practitioner listeners, our

cybersecurity professionals, to take away from what you found in

your work. I'm gonna punt that to Mark. I've I've spoken a

lot. Sorry. One thing I will say, and

maybe this isn't a direct answer to your question, but maybe one thing I'll say

just as a follow-up to the same question is is one thing we sought

out to do here was to learn

from world religions what we could apply to

cybersecurity and make cybersecurity better. One thing that

we did not seek to do was to porch portray

that world religions were without any issues

or faults of their own, that there weren't any problems or challenges. And I mentioned

that because, obviously, plenty of religions

use shame. They use fear. They use other things that we do

not think should be used in cybersecurity. So I did I did want to

mention that that we're trying to say, you know, what does make world religion

successful? How can we take that and apply that to cybersecurity?

And so, you know, with that in mind, I think some of the things

that some of the major takeaways with respect

to these higher values and thinking about, you know, the idea of

for me, one of the big ones is a sense of belonging and

and building that community, caring for others, wanting

others to be successful, to succeed. And

that can only be accomplished if, you know, instead

of just punishing and looking at other people and saying, hey. You did this

wrong. Instead being like, hey. You know,

this this types of things happen. We know it's challenging. Let's figure out

how we can make this make everyone more successful. Let's you know, what

are we doing on our end that, we could do better?

You know? So it's not just the employee, but what is the organizational

what is the organization doing that, is making it more

difficult? You know, what could what can the organization be doing better? And

and, you know, just working together to support others, to share this knowledge,

to care for each other in in a real meaningful way. And so I

I think that that sense of belonging for me is is a really big

one that I think religions,

maybe in an often ideally idealized,

can do very successfully. With cyber, we seem to be stuck in a bit

of a a rut where we this is the way we do cybersecurity,

and things like generational AI has come have

come along, and we have to be able to adapt. But

because of the fear based approach, people are almost frozen in the way they're

doing stuff and that they're too scared to adapt. So it's really

about taking the good parts. I agree with Mark there absolutely.

The the religion does belonging pretty well. Let's try and figure that out.

Also, the the sacred values were the thing we've put in as our

as our this needs to be done because we didn't actually arrive at those.

We didn't have the bandwidth to do that with this study, but that's definitely

something we want to work on next. So when we

were talking about it, Shane earlier, Craig mentioned that it seems a

likely topic of your next paper, even though it's it's partially

covered here. Tell us about what the next step is in your research because this

is fascinating. We need an alternative to, pardon the metaphor, the

hellfire and brimstone of a criminal justice perspective in current cybersecurity

practice. So Mark and I are looking at this whole issue of

sacred values with a another friend, at one of the London

universities, and we're really hoping to arrive at a set of values

that we could offer to the cybersecurity community to

say, these are the things that we think that people could possibly

espouse in order to help them. For for secure cyber

security to become something that they don't even question that they just do, and

you wouldn't have to have the compliance stick to beat them with. We

also did a paper on regret, which is can be negative, but

it turned out it can also be a positive thing. So if you make a

mistake once, you can learn from it. I want to

be understood. Organizational theory, Leon Festinger. Everybody

knows him for cognitive dissonance, but attribution theory Uh-huh. Was his

big thing, organizationally. And then the notion is

people hate to fail, and they're more motivated by figuring out what

they did wrong and keeping that from happening again than they are

figuring out what went right. Because they expect to do well, but they don't expect

to fail and they wanna avoid failure. But I was actually what

triggered this, Craig, was we managed to put the name of a song in the

title. So the title is

from Edith Piaf. Nice. I've been wanting to

do that for years. So we've we've been talking

with doctor Karen LeNo and Mark Dupuy, today about their

fascinating perspective on cybersecurity and doing our part to

spread the faith of doing good in the workplace. This

is cyber ways, a production of Louisiana Tech University College

of Business supported by Dean Chris Martin's just business grant.

You can download it wherever podcasts are found, and we dearly love if you tell

your friends about us. See you next time. And it is important to say that

the Cyberways podcast is funded through the just business grant program

of Louisiana Tech College of Business, and, we're

grateful for that. So join us next time on the Cyberways podcast, which is

available on all major podcast platforms. We want you to

subscribe or follow or whatever button your favorite

podcast app has. Thank you very much.