1 00:00:05,359 --> 00:00:09,095 Hi, folks. This is the Cyberways podcast, and we 2 00:00:09,095 --> 00:00:12,855 translate our academic knowledge about information security into stuff that you 3 00:00:12,855 --> 00:00:16,535 can use as a security professional. We think it's a unique mission. We think you'll 4 00:00:16,535 --> 00:00:20,150 like it. I'm Tom Stafford. Craig Van Slyke. Tom and I are your hosts on 5 00:00:20,150 --> 00:00:23,990 your journey to knowledge. CyberWays is brought to you by the Louisiana Tech 6 00:00:23,990 --> 00:00:27,404 College of Business' Center For Information Assurance. The center offers 7 00:00:27,404 --> 00:00:30,925 undergraduate and graduate certificate programs in cybersecurity and 8 00:00:30,925 --> 00:00:34,704 sponsors academic research focused on behavioral aspects of cybersecurity 9 00:00:34,910 --> 00:00:38,590 security and information privacy. Hello, everybody, and welcome back to 10 00:00:38,590 --> 00:00:42,270 Cyberways. It's a production of the Louisiana Tech University Center For Information 11 00:00:42,270 --> 00:00:46,065 Assurance supported by a Just Business grant from College of Business 12 00:00:46,065 --> 00:00:49,765 Dean Chris Martin. Today we have with us Karen Renaud 13 00:00:49,825 --> 00:00:53,390 and Mark Dupuis. They are doing some fascinating 14 00:00:53,530 --> 00:00:56,970 research on cybersecurity insights taken from world 15 00:00:56,970 --> 00:01:00,445 religions. Recent article appeared in Computers and Security. Doctor 16 00:01:00,445 --> 00:01:04,045 Renaud is a Scottish computer scientist at University of Strathclyde in 17 00:01:04,045 --> 00:01:07,645 Glasgow, works in all manner of human centered security and 18 00:01:07,645 --> 00:01:11,409 privacy. 
Doctor Dupuis is an associate professor with the Computing 19 00:01:11,409 --> 00:01:15,250 and Software Systems Division, University of Washington, Bothell, where he also serves 20 00:01:15,250 --> 00:01:18,994 as the graduate program coordinator. He has his PhD information 21 00:01:18,994 --> 00:01:22,454 science from the University of Washington with an emphasis in cybersecurity. 22 00:01:23,075 --> 00:01:26,515 Welcome, Karen and Mark. Thank you so much. Thank 23 00:01:26,515 --> 00:01:30,360 you. Let's start with the big question that I 24 00:01:30,360 --> 00:01:33,260 think is gonna underlie a lot of what we talk about today. 25 00:01:34,040 --> 00:01:37,865 What's wrong with the way we currently practice cybersecurity? Rita, 26 00:01:37,865 --> 00:01:41,545 Janet, I'm not It's not working because there's no 27 00:01:41,865 --> 00:01:45,370 the number of attacks are not abating at all. So 28 00:01:45,510 --> 00:01:49,030 when when you keep doing the same thing and it's still not working, you have 29 00:01:49,030 --> 00:01:52,870 to think about, well, what do we what could we do differently in order to 30 00:01:52,870 --> 00:01:56,545 have more success? So at at a meta level, seems like 31 00:01:56,545 --> 00:02:00,005 we're not very successful. And I think in an organizational 32 00:02:00,225 --> 00:02:03,860 setting, I think one of the things that's not working is it's often kind of 33 00:02:03,860 --> 00:02:07,640 a us versus them. And if you think about it in an organizational 34 00:02:07,700 --> 00:02:11,445 setting, why are we doing that? It should be us, 35 00:02:11,445 --> 00:02:15,125 the employees, and the leadership against them, the 36 00:02:15,125 --> 00:02:18,505 people that are trying to cause harm to us as opposed to, 37 00:02:19,060 --> 00:02:22,580 the infighting that often takes place. It's it's counterproductive. And 38 00:02:22,580 --> 00:02:25,860 as Karen said, we're not we're not getting anywhere. 
We're not we're not, 39 00:02:26,100 --> 00:02:29,834 making improvements, and that's the problem. The other thing is that we have 40 00:02:29,834 --> 00:02:33,355 this paradigm in organizational cybersecurity, which is 41 00:02:33,355 --> 00:02:37,090 formulate the policy, disseminate the policy, and 42 00:02:37,090 --> 00:02:40,930 enforce the policy. And then when things go wrong, we just go 43 00:02:40,930 --> 00:02:44,605 back to disseminate again, and then we enforce again. 44 00:02:44,765 --> 00:02:48,045 And so it's almost as if it's it's like a vaccination. And if you just 45 00:02:48,045 --> 00:02:51,805 make the vaccination take, everything's gonna be fine. But 46 00:02:51,805 --> 00:02:55,340 this is we've been doing this for over 2 decades, and it's not very 47 00:02:55,340 --> 00:02:59,180 successful. So we have to start asking ourselves, what could 48 00:02:59,180 --> 00:03:02,965 we do differently? So one of the things that I was looking at 49 00:03:02,965 --> 00:03:06,485 y'all's body of research. One of the the things that struck 50 00:03:06,485 --> 00:03:10,110 me was that we seem to 51 00:03:10,110 --> 00:03:13,570 focus way too much on, negative emotions. 52 00:03:14,270 --> 00:03:17,950 You think that's one of the problems? Well, so Mark and I met at 53 00:03:17,950 --> 00:03:21,665 HICSS some the very first time. And I said to him, 54 00:03:21,665 --> 00:03:25,265 Mark, I want to do some research into the use of fear in cyber. And 55 00:03:25,265 --> 00:03:27,844 Mark was on board. That was the first paper we did. 56 00:03:29,099 --> 00:03:32,860 And we felt that a lot of the dissemination that is done in 57 00:03:32,860 --> 00:03:36,614 cybersecurity is a hook into people's minds was 58 00:03:36,834 --> 00:03:39,715 if you don't do this stuff, things are gonna be really bad. You're gonna get 59 00:03:39,715 --> 00:03:42,995 punished, and the hackers are gonna get in and so on. And so fear is 60 00:03:42,995 --> 00:03:46,620 being weaponized. 
And what Mark and I discovered was 61 00:03:46,620 --> 00:03:50,380 that this is a very damaging thing to do to people because fear is 62 00:03:50,380 --> 00:03:54,015 is an emotion that actually hurts you, and it lasts for much longer 63 00:03:54,015 --> 00:03:57,394 than we realize. But, Mark, maybe you could tell them about the password 64 00:03:57,694 --> 00:04:01,535 one that well, maybe I should we shouldn't go into that kind of depth 65 00:04:01,535 --> 00:04:05,000 now. Sorry. Well yeah. You know, I I think I'll just just briefly I 66 00:04:05,000 --> 00:04:08,599 think the thing I'll say is with with fear and other 67 00:04:08,599 --> 00:04:12,444 negative emotions, when when people get scared, they don't make 68 00:04:12,444 --> 00:04:16,285 the best decisions, but yet we're trying to use these negative emotions like fear to 69 00:04:16,285 --> 00:04:19,005 try and get them to do what we want them to do. So it's it 70 00:04:19,005 --> 00:04:22,720 seems kinda silly in in many respects that we're trying to get them to 71 00:04:22,720 --> 00:04:26,500 be compliant with these policies by scaring them 72 00:04:27,115 --> 00:04:30,875 when all of a sudden, and from a cognitive standpoint, they're gonna be less adept 73 00:04:30,875 --> 00:04:33,595 at doing what we want them to do. So I I you know, it's just 74 00:04:33,675 --> 00:04:37,470 it's very, counterproductive in many respects. And 75 00:04:37,470 --> 00:04:40,990 as, you know, some of our research has shown too that not only are we 76 00:04:40,990 --> 00:04:44,655 eliciting fear, but we're also increasing other negative emotions and 77 00:04:44,655 --> 00:04:47,955 decreasing positive emotions. So what are the other implications for this? 78 00:04:48,175 --> 00:04:51,570 Mhmm. 
Your concern is But we have this extensive criminal 79 00:04:51,570 --> 00:04:55,410 justice lens through which we view cybersecurity, and those of 80 00:04:55,410 --> 00:04:58,850 us who go to the to all the rude meetings see it all the time. 81 00:04:58,850 --> 00:05:01,675 All the leading authors started with a perspective of 82 00:05:02,615 --> 00:05:06,315 enforcement as as Karen so aptly put it. You know, promulgate 83 00:05:06,375 --> 00:05:09,980 the policy, enforce the policy, punish the people that don't adhere to it. 84 00:05:10,280 --> 00:05:12,220 It just doesn't feel like good organizational 85 00:05:13,800 --> 00:05:17,475 behavior, from a managerial perspective to be trying to get 86 00:05:17,475 --> 00:05:20,855 people to do the proper thing with 87 00:05:20,915 --> 00:05:24,650 negative reinforcement as opposed to building a positive 88 00:05:24,650 --> 00:05:28,090 culture, which which I I'm hoping is where we're we're headed at some point, but 89 00:05:28,090 --> 00:05:31,875 we don't see much research on it, do we? No. And I 90 00:05:31,875 --> 00:05:35,315 understand the fear. Right? Because I speak to CSOs a 91 00:05:35,315 --> 00:05:39,155 lot, and they're worried. They're they're the ones whose head is 92 00:05:39,155 --> 00:05:42,560 on the on the plateau when things go wrong. They're the ones who who have 93 00:05:42,560 --> 00:05:46,100 to answer the stories for the board, you know, why did we get hacked? 94 00:05:46,400 --> 00:05:50,065 So that fear is then being transmitted, and that's why they get 95 00:05:50,065 --> 00:05:53,605 all heavy with the normal average person in the organization. 96 00:05:55,185 --> 00:05:58,700 So the whole thing about the blaming and the fear culture is really 97 00:05:58,700 --> 00:06:01,760 unhelpful across the board. So I would agree with you, Tom. 
98 00:06:02,220 --> 00:06:06,060 So your paper is about a religious view on 99 00:06:06,060 --> 00:06:09,865 cyber security, and I see that as eminently positive. You know, religion is 100 00:06:09,865 --> 00:06:13,305 a positive force in our life. It it speaks 101 00:06:13,305 --> 00:06:16,870 to doing good and and being good, and I'm very interested in 102 00:06:16,870 --> 00:06:20,629 how you bridge to that particular lens 103 00:06:20,629 --> 00:06:24,250 as a way of considering cybersecurity behavior in a new perspective. 104 00:06:25,030 --> 00:06:28,695 So I spent some time in Germany a few years ago, and I 105 00:06:28,695 --> 00:06:31,895 picked up 2 books before I left to read while I was there. The one 106 00:06:31,895 --> 00:06:35,720 was by Scott Atran, which is called Talking to the Enemy, and 107 00:06:35,720 --> 00:06:39,180 the other one was, Jonathan Haidt, The Righteous Mind. 108 00:06:39,400 --> 00:06:43,160 Nothing to do with cyber. But both of these books really struck me 109 00:06:43,160 --> 00:06:46,825 in terms of trying to understand why people do what they 110 00:06:46,825 --> 00:06:49,805 do, and both of them spoke about our values. 111 00:06:50,745 --> 00:06:54,185 And then I started wondering what were the values that we were 112 00:06:54,185 --> 00:06:56,610 trying to get people to adopt in cybersecurity. 113 00:06:57,870 --> 00:07:01,230 And then I picked up a book by Alain de Botton, which is called Religion 114 00:07:01,230 --> 00:07:05,035 for Atheists. And then I realized, well, hang on. Why don't 115 00:07:05,035 --> 00:07:08,795 we learn from the people who do espouse values? Because religions 116 00:07:08,795 --> 00:07:12,470 all have values that their adherents espouse. So 117 00:07:12,470 --> 00:07:16,229 what what could we take? And but de Botton says, don't 118 00:07:16,229 --> 00:07:19,990 throw the baby out with the bathwater. 
Let's look at religion and take the 119 00:07:19,990 --> 00:07:22,405 good parts and learn from it because they're very successful, 120 00:07:23,665 --> 00:07:27,425 and and and then don't take the stuff that's not so great. And so that's 121 00:07:27,425 --> 00:07:31,090 kind of where this idea came from. And I I zoomed Mark 122 00:07:31,090 --> 00:07:34,710 from, from Germany, and he said, yeah. I'm in. 123 00:07:34,930 --> 00:07:38,475 So that's that's where the ideas came from. So what did you 124 00:07:38,775 --> 00:07:42,395 hope to find in, in applying this new focus on on cybersecurity? 125 00:07:43,095 --> 00:07:46,920 Well, I think a lot of it is, you know, like Karen said is, you 126 00:07:47,000 --> 00:07:50,520 know, religions have those that have stood the test of time have stood the test 127 00:07:50,520 --> 00:07:53,935 of time for for a reason. And and some of them have, 128 00:07:54,335 --> 00:07:57,294 you know, a lot of them have stood the test of time, have adapted, evolved, 129 00:07:57,294 --> 00:08:00,735 and changed, as times have changed, as our society has 130 00:08:00,735 --> 00:08:04,510 changed. And, by doing that, they have, 131 00:08:04,830 --> 00:08:08,370 met the needs of of the people they're serving, of of their believers. 132 00:08:09,545 --> 00:08:13,385 And, and there's something that could be learned from that. And we 133 00:08:13,385 --> 00:08:17,065 think about some of these religions have been around for thousands 134 00:08:17,065 --> 00:08:20,680 of years. And, you know, in cybersecurity, you 135 00:08:20,680 --> 00:08:24,520 know, being around for, you know, 20, 30 years at the 136 00:08:24,520 --> 00:08:28,155 most, really. And so what can we do as 137 00:08:28,155 --> 00:08:31,535 such a new discipline? What can we take from religion 138 00:08:31,835 --> 00:08:35,339 and and try and learn from it? Because, you know, as we said earlier, we're 139 00:08:35,339 --> 00:08:38,860 not we're not successful. 
We're not we're not very successful in what we're doing, and 140 00:08:38,860 --> 00:08:42,380 the problems are only getting worse. So let's let's be humble 141 00:08:42,380 --> 00:08:46,155 enough. Right? Let's let's show some humility and let's try and learn from 142 00:08:46,155 --> 00:08:49,915 these other areas like religion and and see what we 143 00:08:49,915 --> 00:08:53,450 can take. And instead of just this compliance and and this 144 00:08:53,450 --> 00:08:57,290 punishment of people that are trying just 145 00:08:57,290 --> 00:09:00,250 to do their day to day jobs, most of them are not in there to 146 00:09:00,250 --> 00:09:03,755 do cybersecurity. They're being tasked with it 147 00:09:03,755 --> 00:09:07,375 in often an unfair way when they're there to 148 00:09:08,170 --> 00:09:11,930 do pretty much anything but cybersecurity. But what what can we take 149 00:09:11,930 --> 00:09:15,710 from other places, other, you know, other disciplines like religion 150 00:09:16,145 --> 00:09:19,765 and and learn from it to help us to help us be more successful. 151 00:09:20,465 --> 00:09:23,665 And, you know, as Karen said, you know, there there's there's a lot to be 152 00:09:23,665 --> 00:09:26,880 learned from. So let's learn a little bit from religion. 153 00:09:27,740 --> 00:09:30,940 I wanna dig into just what religion is. So it's one of those things where 154 00:09:30,940 --> 00:09:34,325 we all know what it is, but we don't really know kind of what it's 155 00:09:34,325 --> 00:09:37,385 made up of. Can you talk to us a little bit about what actually 156 00:09:38,165 --> 00:09:41,870 religion does or what its components are? When I I started 157 00:09:41,870 --> 00:09:45,550 writing this paper, I thought, well, the first thing to do is define. Right? Whenever 158 00:09:45,550 --> 00:09:48,270 you have a new concept in a paper, you have to define it. And it 159 00:09:48,270 --> 00:09:51,765 turned out that people are struggle to define religion. 
160 00:09:52,545 --> 00:09:56,385 So, having read a number of people who said, you know, nobody can 161 00:09:56,385 --> 00:09:59,300 agree on it, So, okay, let's go and look at it from a different way. 162 00:09:59,300 --> 00:10:02,920 And I found somebody called Durkheim, who's a very well known German academic, 163 00:10:03,300 --> 00:10:07,095 who said that religion has 3 dimensions. It's 164 00:10:07,095 --> 00:10:10,935 believing, belonging, and doing. And 165 00:10:10,935 --> 00:10:14,630 then when I found some other papers that also tried to say, these are 166 00:10:14,630 --> 00:10:18,310 the characteristics of religions, I found that they also fell into those three 167 00:10:18,310 --> 00:10:21,745 dimensions. And that made it a lot easier to an to kind of 168 00:10:21,985 --> 00:10:25,745 start interpreting how what we are doing and what 169 00:10:25,745 --> 00:10:29,345 religions do. Can you tell us a little bit about the problem? Part is that, 170 00:10:29,345 --> 00:10:32,829 you know, if you go to somebody who's an adherent of a particular religion, they 171 00:10:32,829 --> 00:10:36,589 can tell you what they believe in. And they also 172 00:10:36,589 --> 00:10:40,295 know what kinds of things they should do. So they may believe in in 173 00:10:40,835 --> 00:10:44,035 if it's a Christian, they would believe that they have to be kind to other 174 00:10:44,035 --> 00:10:47,410 people and forgive people when things people do bad things to them and that sort 175 00:10:47,410 --> 00:10:50,930 of thing. So the believing and the doing is easy to understand. But the 176 00:10:50,930 --> 00:10:54,464 belonging was the one that was really came across strongly in all the 177 00:10:54,464 --> 00:10:58,225 the religious related literature because people get a 178 00:10:58,225 --> 00:11:01,824 sense of belonging to their community. They meet weekly with their 179 00:11:01,824 --> 00:11:05,480 community a lot of the time. 
And that sense that I am a 180 00:11:05,480 --> 00:11:09,320 Christian or I am a Muslim or whatever, that was part of became 181 00:11:09,320 --> 00:11:12,865 part of their identity. And so those three things were the 182 00:11:12,865 --> 00:11:16,625 aspects of religion that people seem to, you know, 183 00:11:16,625 --> 00:11:19,670 cohere to. There's also the nature of, I think, 184 00:11:20,230 --> 00:11:23,589 the belonging aspect of of of your model to 185 00:11:23,589 --> 00:11:27,430 me speaks to what I've always considered to be the important part 186 00:11:27,430 --> 00:11:31,115 of cybersecurity, which is belonging to the team that secures 187 00:11:31,175 --> 00:11:34,855 the company. Mhmm. And I I see that as a a very useful 188 00:11:34,855 --> 00:11:38,375 metaphor taking religious perspective. Yeah. I I I 189 00:11:38,375 --> 00:11:41,790 think, you know, the the belonging part 190 00:11:41,790 --> 00:11:45,550 is in many respects, the one big area where we're 191 00:11:45,550 --> 00:11:49,375 lacking maybe more than the others. Because I mean, we we all can believe, 192 00:11:49,375 --> 00:11:52,335 oh, you need to do this. You need to be aware of this. You need 193 00:11:52,335 --> 00:11:56,115 to watch out for that. Make sure you do this and and so on. But 194 00:11:56,760 --> 00:12:00,540 building that sense of community that, hey, we're all in this together, 195 00:12:00,840 --> 00:12:04,375 that, we know mistakes are gonna happen, that we we realize 196 00:12:04,375 --> 00:12:08,055 this is tough to do, that we're not all, at at the 197 00:12:08,055 --> 00:12:11,850 same level of understanding these different threats and so on. That, 198 00:12:11,850 --> 00:12:15,209 I I I believe, is really where we're lacking and we're not doing a good 199 00:12:15,209 --> 00:12:19,050 job of. 
And I think you look at successful religions, you look 200 00:12:19,050 --> 00:12:22,755 at people that, want to go to church, and it's not always just 201 00:12:22,755 --> 00:12:26,515 to sit there and and listen 202 00:12:26,515 --> 00:12:30,279 to a sermon for an hour, but it's oftentimes those other 203 00:12:30,279 --> 00:12:33,899 activities. It's gathering for to share a meal together. It's it's 204 00:12:34,120 --> 00:12:37,820 it's just being with one another. It's it's that sense of belonging, 205 00:12:37,880 --> 00:12:41,305 that community that you have that we just don't 206 00:12:41,305 --> 00:12:45,065 see in in cybersecurity. It's 207 00:12:45,065 --> 00:12:48,889 it's it's this very this top down approach. It's this punishment approach. 208 00:12:48,889 --> 00:12:52,490 And, you know, I I think as we think about the 209 00:12:52,490 --> 00:12:56,065 success of religions and and a sense of belonging, we 210 00:12:56,065 --> 00:12:59,745 just we are so lacking with respect to that sense of belonging in 211 00:12:59,745 --> 00:13:03,470 cybersecurity. Can I take a tangent here? As you were 212 00:13:03,949 --> 00:13:07,709 were all talking about this, I was trying to 213 00:13:07,709 --> 00:13:11,069 translate in my mind the idea of 214 00:13:11,069 --> 00:13:13,455 belonging to something like a church or a religion 215 00:13:14,495 --> 00:13:18,335 versus a sense of belonging at work. And so my 216 00:13:18,335 --> 00:13:22,180 church and my religion, for a lot of people that are 217 00:13:22,180 --> 00:13:24,920 religious, it's very intertwined with their personal lives. 218 00:13:25,780 --> 00:13:29,625 So it is part of their life. I grew up in the Baptist 219 00:13:29,625 --> 00:13:33,144 church, and it was you know, it could be 3 nights a 220 00:13:33,144 --> 00:13:36,285 week going and doing something all day on Sunday. 221 00:13:36,930 --> 00:13:40,770 So that was intimate part of who you were. 
And 222 00:13:40,770 --> 00:13:43,650 I don't know if we get there with work. I know work is part of 223 00:13:43,650 --> 00:13:47,205 our identity, but I I wonder if it's a problem of 224 00:13:47,205 --> 00:13:50,505 intensity or the extent to which it's intertwined 225 00:13:51,525 --> 00:13:54,185 in our real lives. You know, we tend to separate 226 00:13:55,190 --> 00:13:58,950 work and personal lives, but religion is part of 227 00:13:58,950 --> 00:14:02,790 the personal life. That's a really interesting point because it 228 00:14:02,790 --> 00:14:06,335 is work and I guess we have our work tribe and we have our home 229 00:14:06,335 --> 00:14:09,855 tribes. But I did another piece of research which is under 230 00:14:09,855 --> 00:14:13,430 review right now with some other people in Germany. We asked 231 00:14:13,430 --> 00:14:16,790 people, if they ever discussed cybersecurity with other 232 00:14:16,790 --> 00:14:20,550 people, and they all said no. And then we asked them whether they 233 00:14:20,550 --> 00:14:23,975 would like to discuss cyber with other people, and most of them said yes. 234 00:14:24,435 --> 00:14:27,395 So it's the kind of thing that people don't talk to each other about at 235 00:14:27,395 --> 00:14:31,240 all, where people in the same religion would talk about their religion. So 236 00:14:31,240 --> 00:14:35,080 it's almost as though people don't feel that that's something they can do. 237 00:14:35,080 --> 00:14:38,760 Whereas a if there's 2 Christians, 2 Muslims, any Buddhists, 238 00:14:38,760 --> 00:14:42,475 they would talk about this religion of theirs. Right? So it's almost like it's a 239 00:14:42,475 --> 00:14:46,235 solo sport right now instead of a team sport at work. That's 240 00:14:46,235 --> 00:14:49,695 an apt point. 
I I've always felt that 241 00:14:49,900 --> 00:14:53,660 many organizations were groups of people each traveling their 242 00:14:53,660 --> 00:14:57,440 own way and the challenge of the manager is always to harness their activities 243 00:14:57,660 --> 00:15:01,365 in concert with each other. When it comes to something so mission critical, 244 00:15:01,365 --> 00:15:04,585 it's protecting the company's assets from external access. 245 00:15:05,660 --> 00:15:08,800 So so do you think part of the problem is the negativity 246 00:15:09,260 --> 00:15:13,040 around cybersecurity? So we don't talk about doing cybersecurity 247 00:15:13,260 --> 00:15:17,055 well. It's when there's an incident, when something bad happens. And 248 00:15:17,055 --> 00:15:20,815 who wants to talk about that? I wonder if it's all wrapped up in the 249 00:15:20,815 --> 00:15:24,480 fear of the virus. And 3 people fall for a phish, but 250 00:15:24,480 --> 00:15:28,260 3,000 didn't, who are we talking about? We're talking about those 3. 251 00:15:29,040 --> 00:15:32,725 And and so, yes, it it's it's a kind of an a mindset that 252 00:15:32,725 --> 00:15:36,345 we felt when we were looking at religion really ought to change 253 00:15:36,725 --> 00:15:40,360 and this mutually supporting thing. Because when I've studied events 254 00:15:40,360 --> 00:15:44,200 where there have been cyber, breaches, the first thing that happens is the 255 00:15:44,200 --> 00:15:47,880 person who's responsible, who maybe clicked on the phish or something, they're 256 00:15:47,880 --> 00:15:51,625 immediately ostracized. They're immediately pushed into the corner and 257 00:15:51,625 --> 00:15:55,385 how dare you do this and how could you have been so stupid. That's that's 258 00:15:55,385 --> 00:15:58,450 not what a church would do. They would try to help the person do better. 259 00:15:58,530 --> 00:16:02,370 Or not the church, but I mean people in the same religion. 
Or 260 00:16:02,370 --> 00:16:06,210 or burn you at the stake. 1 or 2. Never. Not 261 00:16:06,210 --> 00:16:09,805 anymore. Not anymore. Sorry. That was a long time ago. Karen makes a point though. 262 00:16:09,805 --> 00:16:13,404 Craig and I both come from the Baptist heritage and then and the Baptist 263 00:16:13,404 --> 00:16:17,085 creed of faith is everybody's going to hell unless they do their best to be 264 00:16:17,085 --> 00:16:20,860 a good person. No. That's that's putting it too strongly. Everybody's inherently 265 00:16:20,920 --> 00:16:24,600 a sinner and seeking forgiveness and doing good 266 00:16:24,600 --> 00:16:28,135 works is the avenue away from, the outcome. 267 00:16:28,135 --> 00:16:31,335 And I I see the parallel with what you what you just put voice to 268 00:16:31,335 --> 00:16:35,000 your current. I think too is it's it's 269 00:16:35,000 --> 00:16:38,540 almost difficult to wrap our mind around how would we do this with cybersecurity. 270 00:16:38,840 --> 00:16:42,520 But, difficult but not impossible. Right? Because I I 271 00:16:42,520 --> 00:16:46,345 think about places I worked previously where, you know, maybe 272 00:16:46,345 --> 00:16:49,865 a smaller office environment where maybe there's 50 273 00:16:49,865 --> 00:16:53,530 to 75 people working there where, you know, we would 274 00:16:53,530 --> 00:16:57,370 have potlucks and and different things. We would have, decorate 275 00:16:57,370 --> 00:17:01,085 our office for Halloween and these other activities and have fun things and and 276 00:17:01,245 --> 00:17:04,925 build that sense of community. Well, you know, like like Karen said, you know, you 277 00:17:04,925 --> 00:17:08,464 know, what if there is a a phishing simulation exercise and, 278 00:17:08,720 --> 00:17:12,480 yeah, 3 people fall for it, but everyone else does it? 
Well, what if we 279 00:17:12,480 --> 00:17:15,700 have a a pizza party or something, right, some kind of celebration, 280 00:17:16,695 --> 00:17:20,535 for all those that didn't fall for? We don't even mention the fact that 281 00:17:20,535 --> 00:17:24,349 there's a few that didn't. And and we just, you know, again, build that 282 00:17:24,349 --> 00:17:27,810 sense of community. And we we talk about, how successful 283 00:17:28,109 --> 00:17:31,885 we were, or or celebrate these things and and come 284 00:17:31,885 --> 00:17:35,485 together. And and I think because it sounds so foreign, it seems 285 00:17:35,485 --> 00:17:39,250 silly to think about that. But and that may not be the exact approach, 286 00:17:39,330 --> 00:17:43,090 but I don't think it's impossible to think about how we can build this 287 00:17:43,090 --> 00:17:46,770 sense of belonging in cybersecurity because the fact of the matter 288 00:17:46,770 --> 00:17:50,505 is is this isn't a solo sport. We're not in this 289 00:17:50,565 --> 00:17:54,325 individually. We're in this together, but we do act like and 290 00:17:54,325 --> 00:17:58,140 it's treated like we're in this individually. At the end of 291 00:17:58,140 --> 00:18:01,980 the day, you know, the organization will be impacted. We're 292 00:18:01,980 --> 00:18:05,420 all impacted directly and indirectly at at some point in 293 00:18:05,420 --> 00:18:09,245 time. So we need to kind of start getting creative with how 294 00:18:09,245 --> 00:18:12,684 we're gonna create the sense of belonging and community 295 00:18:12,684 --> 00:18:13,664 within organizations. 296 00:18:18,600 --> 00:18:22,395 That that fits with what Karen said about mindset. That's one of 297 00:18:22,395 --> 00:18:25,615 the things I'm hearing here is we need to really have a shift in mindset. 
298 00:18:26,475 --> 00:18:30,160 To to get at this, you interviewed a number of religious leaders 299 00:18:30,160 --> 00:18:33,140 from a variety of different religious traditions. 300 00:18:34,240 --> 00:18:38,035 So what did you find? When we analyzed, we didn't specifically ask them about belonging, 301 00:18:38,035 --> 00:18:41,795 believing, and doing. We just asked them in a bunch of questions, which I think 302 00:18:41,795 --> 00:18:45,155 we've included in the paper. And what happened when we 303 00:18:45,155 --> 00:18:48,960 analyzed it was, well, unsurprisingly, belonging, believing, and doing 304 00:18:49,260 --> 00:18:53,100 kind of filtered up, and we could group them into those 3 super 305 00:18:53,100 --> 00:18:56,914 themes. And what came across with with the 306 00:18:56,914 --> 00:19:00,514 one the final question was, you know, how could cybersecurity learn? And they all 307 00:19:00,514 --> 00:19:03,315 said, oh, you know, you need not to be so harsh on people when they 308 00:19:03,315 --> 00:19:07,010 make mistakes. Cyber is hard. And we saw a sense of forgiveness coming 309 00:19:07,010 --> 00:19:10,230 across, a sense of grace for the imperfect 310 00:19:10,370 --> 00:19:14,144 human. And that we kind of had expected that, but it was really 311 00:19:14,144 --> 00:19:16,085 gratifying when we heard it from them. 312 00:19:17,904 --> 00:19:21,424 But the interesting part was they said the one guy said, 313 00:19:21,424 --> 00:19:24,970 well, you know, when did he did cybersecurity training when he was a 314 00:19:24,970 --> 00:19:28,730 student at university? It it was just like a checkbox thing. He did 315 00:19:28,730 --> 00:19:31,850 it online. He finished it. He answered the questions, and he was done for the 316 00:19:31,850 --> 00:19:35,514 next year. But he said at his church, when they get 317 00:19:35,514 --> 00:19:39,215 together, they talk about concepts. 
They talk about the difficulties they're having 318 00:19:39,320 --> 00:19:43,100 when they have their community get together. So he said, why don't we do that? 319 00:19:43,480 --> 00:19:46,915 That was exactly what I was hoping if somebody was going to tell me. 320 00:19:47,475 --> 00:19:51,175 You know, he was he made he made that contrast for me. 321 00:19:51,555 --> 00:19:55,235 One one of the issues that I see from an organizational theory perspective 322 00:19:55,235 --> 00:19:58,710 is the notion of agency. The organization 323 00:19:58,929 --> 00:20:02,530 is formed as an informal and sometimes 324 00:20:02,530 --> 00:20:06,125 actually formalized contract between the people who own the company, the 325 00:20:06,125 --> 00:20:09,005 principals, and the people they hire to do the work for them, the agents, and 326 00:20:09,005 --> 00:20:12,684 the agents are economically rational. They will they 327 00:20:12,684 --> 00:20:15,880 will do things they shouldn't do if they feel like they can get away with 328 00:20:15,880 --> 00:20:19,720 it and and it's to their benefit. Mhmm. The distinction in the religious 329 00:20:19,720 --> 00:20:23,335 view is the principal agent component is not 330 00:20:23,335 --> 00:20:26,635 there. There's no economic rationality. There's there's no 331 00:20:27,255 --> 00:20:27,321 if you think about it, no pragmatic payoff for being good other than being good 332 00:20:27,321 --> 00:20:27,995 for goodness' sake, which is 333 00:20:35,240 --> 00:20:38,495 faith, which I find very I find that to be a very compelling aspect of 334 00:20:38,495 --> 00:20:42,035 this religious view that you take of cybersecurity. People doing 335 00:20:42,495 --> 00:20:46,250 good security for its own sake, rather than because it's 336 00:20:46,250 --> 00:20:49,950 their job or because the boss will sanction them. But also maybe 337 00:20:50,010 --> 00:20:53,555 learning to do what's right for the community. Right? 
338 00:20:53,555 --> 00:20:57,015 Rather than just doing what's what I'm scared not to do. 339 00:20:57,475 --> 00:21:00,930 I've long felt that the, the criminal justice perspective on 340 00:21:00,930 --> 00:21:04,390 cybersecurity, had issues 341 00:21:04,450 --> 00:21:08,210 because it it treats people as problems when in fact your 342 00:21:08,210 --> 00:21:11,975 solution is isn't it? Yes. So that 343 00:21:11,975 --> 00:21:15,735 that leads into something that I thought was perhaps the 344 00:21:15,735 --> 00:21:19,560 most interesting part of the paper, and that's the idea 345 00:21:19,700 --> 00:21:23,540 of sacred values. Tom, you were kind of alluding to that. 346 00:21:23,540 --> 00:21:26,680 You know, be good for goodness sake. It's because that's what you do 347 00:21:27,415 --> 00:21:31,175 regardless of everything else. If it costs you money, if it costs 348 00:21:31,175 --> 00:21:34,555 you your position, costs you your material wealth, 349 00:21:35,240 --> 00:21:39,080 you still do we we talk about doing doing what's right 350 00:21:39,080 --> 00:21:41,900 because it's right. That's a sacred value. 351 00:21:42,675 --> 00:21:46,195 So what are sacred values and how do they 352 00:21:46,195 --> 00:21:49,255 apply in this context? Mark. 353 00:21:49,875 --> 00:21:52,910 This this is not a quiz, so Well, I mean, well, what 354 00:21:53,510 --> 00:21:56,950 row. I was gonna real quickly, maybe touch 355 00:21:56,950 --> 00:22:00,585 on the prior question if that's okay. And I 356 00:22:00,585 --> 00:22:04,025 I think it's just some interesting insight from the 357 00:22:04,025 --> 00:22:06,685 religious leaders with kind of that sense of 358 00:22:07,465 --> 00:22:10,690 belonging where, you know, they they touched on 359 00:22:11,390 --> 00:22:15,150 how we are all different, and we have a lot of differences 360 00:22:15,150 --> 00:22:18,755 between us, but how we should focus also on what's common 361 00:22:18,755 --> 00:22:22,515 between us. 
And it's kind of that sense of belonging, you know, bringing us together 362 00:22:22,515 --> 00:22:26,180 as a community and how we are there to help each other, 363 00:22:26,340 --> 00:22:30,020 help us as as people. And by doing that, we can 364 00:22:30,020 --> 00:22:33,700 create that sense of trust, between us. You know? And I see 365 00:22:33,700 --> 00:22:37,485 that not really being done very well in organizations. It's it's often like, 366 00:22:37,485 --> 00:22:40,765 oh, this person doesn't know what they're doing, but they're gonna click on that phishing 367 00:22:40,765 --> 00:22:44,180 email. They're gonna hurt us as an organization and and so 368 00:22:44,180 --> 00:22:47,780 on. And so, you know, that was some interesting insight with respect to 369 00:22:47,780 --> 00:22:51,555 belonging. And then you look at believing, an interesting comment 370 00:22:51,555 --> 00:22:54,515 from one of the religious leaders was, you know, go where the people are rather 371 00:22:54,515 --> 00:22:58,355 than just expecting the people to come. And, you know, again, I 372 00:22:58,355 --> 00:23:01,980 I thought it was just some very interesting insight 373 00:23:02,280 --> 00:23:06,120 of, you know, hey. You know, reach out. Don't just 374 00:23:06,120 --> 00:23:09,565 wait for something bad to happen, but be proactive. You know, be 375 00:23:09,565 --> 00:23:13,405 available to the to these people that, again, are not there 376 00:23:13,405 --> 00:23:16,765 to do cybersecurity but are being tasked with it in an often and 377 00:23:16,765 --> 00:23:20,330 unfair manner, but be available to them. 378 00:23:20,870 --> 00:23:24,230 So, you know, that it's just some other things that I wanted to to 379 00:23:24,230 --> 00:23:27,965 share. One of the things that somebody said was be humble. 
380 00:23:28,424 --> 00:23:32,125 The people who are asking other folks to do cybersecurity actions 381 00:23:32,549 --> 00:23:36,390 should be humble and not act like they know everything. And that that 382 00:23:36,390 --> 00:23:39,990 was interesting as well. I'm intrigued by the notion of 383 00:23:39,990 --> 00:23:43,555 morality. I always have been. And morality is 384 00:23:43,555 --> 00:23:46,995 deeply seated in the concept of religion. I I wonder if maybe 385 00:23:46,995 --> 00:23:50,595 it it it transfers over to your research perspective 386 00:23:50,595 --> 00:23:54,280 because my sense of organizations is companies 387 00:23:54,340 --> 00:23:57,320 have no religion. They are the inherently amoral 388 00:23:58,020 --> 00:24:01,855 entities. They do what is legal. And sometimes as I tell 389 00:24:01,855 --> 00:24:05,075 my students, amorality is doing what is not 390 00:24:05,215 --> 00:24:08,675 prescribed by law or what you think you might not be caught at. 391 00:24:09,370 --> 00:24:12,510 And you know it's not right, but you don't think you're gonna get caught. Organizations 392 00:24:12,890 --> 00:24:16,670 are not moral, centers, 393 00:24:16,810 --> 00:24:20,475 if you will. And then that I think that has to change 394 00:24:20,475 --> 00:24:24,235 because cybersecurity requires everybody caring for the good of the all as 395 00:24:24,235 --> 00:24:28,029 opposed to everybody looking out for themselves. Don't you think? Yes. Can I just 396 00:24:28,029 --> 00:24:31,870 get back to the sacred values that, Craig asked about? When 397 00:24:31,870 --> 00:24:35,044 I when I read Scott Atran's book, he said that, 398 00:24:35,285 --> 00:24:38,725 people, you know, you could challenge other values they 399 00:24:38,725 --> 00:24:42,405 had. But when you went near their sacred values, they it was not 400 00:24:42,405 --> 00:24:46,180 negotiable. Right? 
And so what I kept thinking was we 401 00:24:46,180 --> 00:24:49,700 don't even try to inculcate the values into people in 402 00:24:49,700 --> 00:24:53,325 cyber. We give them a list of do's and don'ts. We don't actually 403 00:24:53,325 --> 00:24:56,545 try to make that part of them that becomes nonnegotiable. 404 00:24:57,565 --> 00:25:00,865 And and you were talking about integrity. I've done a study into whistleblowers, 405 00:25:01,085 --> 00:25:04,820 and they also said, we saw this and we had to 406 00:25:04,820 --> 00:25:08,340 speak because it was our integrity that was a 407 00:25:08,340 --> 00:25:11,995 question. So for them, that integrity was their kind of 408 00:25:11,995 --> 00:25:15,595 sacred value. But we that it seems to be a completely alien 409 00:25:15,595 --> 00:25:19,270 concept in cyber at the moment that we we try to find 410 00:25:19,270 --> 00:25:22,630 the values that people should endorse and 411 00:25:22,630 --> 00:25:26,345 embrace. Let me see if I can tie this back to what what 412 00:25:26,345 --> 00:25:29,885 Tom was talking about. So morality 413 00:25:30,985 --> 00:25:34,680 isn't a static, universal thing. I mean, we have 414 00:25:34,980 --> 00:25:38,740 some things that we view as largely universal, but 415 00:25:38,740 --> 00:25:42,340 you brought up a really important point in your paper that ties into all of 416 00:25:42,340 --> 00:25:45,005 this. So the idea is if we can get 417 00:25:45,865 --> 00:25:49,245 employees to tie into the security sacred values, 418 00:25:50,200 --> 00:25:53,260 then they'll do anything to avoid violating those values. 419 00:25:53,960 --> 00:25:57,740 But then you brought up a really important point and I'm literally gonna read it. 
420 00:25:58,235 --> 00:26:01,995 While cybersecurity professionals could easily commit to these values, talking 421 00:26:01,995 --> 00:26:05,740 about the cybersecurity sacred values, we 422 00:26:05,740 --> 00:26:09,580 do not know the extent to which individual employees will be able to commit 423 00:26:09,580 --> 00:26:13,260 to these relatively broad categories and or convert them 424 00:26:13,260 --> 00:26:17,085 into action, nor do we know whether they are effective 425 00:26:17,145 --> 00:26:20,765 candidates to serve as the higher values foundation 426 00:26:20,904 --> 00:26:24,420 grounding our vision. Yeah. I think that's the rub. 427 00:26:25,120 --> 00:26:28,800 That the sacred values for the employees getting some and 428 00:26:28,800 --> 00:26:32,255 Tom, you kind of talked about this idea of alignment in in 429 00:26:32,255 --> 00:26:36,015 management. I think that's gonna be the neat trick, and if we can 430 00:26:36,015 --> 00:26:39,720 figure out how to do that, a lot of other things may fall into place. 431 00:26:39,720 --> 00:26:43,240 So what do you all think about that idea? I think that's a big part 432 00:26:43,240 --> 00:26:46,934 of the challenge is it's creating that culture that is 433 00:26:46,934 --> 00:26:50,695 going to work from, you know, from 434 00:26:50,695 --> 00:26:54,370 the bottom to the top and vice versa. And that's that's 435 00:26:54,370 --> 00:26:58,070 a really big challenge. It goes to these sacred values 436 00:26:58,130 --> 00:27:01,970 that were espoused by the religious leaders, you know, working 437 00:27:01,970 --> 00:27:05,635 together to support others. And it's not easy. Everyone is 438 00:27:05,635 --> 00:27:09,475 there trying to, for the most part, do their job, make make 439 00:27:09,475 --> 00:27:13,290 their money, go home, and and, you know, deal with their lives outside 440 00:27:13,290 --> 00:27:16,670 of work. 
And when things are complicated 441 00:27:17,290 --> 00:27:20,715 and, you know, you probably see eye rolls and you see other things 442 00:27:21,195 --> 00:27:24,155 I have a couple kids, so I see that plenty. But then, you know, you 443 00:27:24,235 --> 00:27:27,840 you're tasking them with other things that complicate matters. It can be 444 00:27:27,840 --> 00:27:31,059 difficult to get that buy in. But if you 445 00:27:31,519 --> 00:27:35,365 are successful and if you can do that, you can really see 446 00:27:35,365 --> 00:27:39,205 some amazing things happen. And and it is possible. You know, you 447 00:27:39,205 --> 00:27:42,950 see things that have been done. You look 448 00:27:42,950 --> 00:27:46,309 at at Deming and what was done with Toyota in the 19 449 00:27:46,309 --> 00:27:49,830 fifties. This humongous shift. These humongous shifts in 450 00:27:49,830 --> 00:27:53,295 culture can happen, and they do happen, and they are effective. 451 00:27:53,995 --> 00:27:57,775 Why can't this happen with cybersecurity in organizational settings? 452 00:27:58,475 --> 00:28:02,040 It can. You know? We just need to figure it out. And I think this 453 00:28:02,040 --> 00:28:05,880 is a starting place for some discussions of what this might look 454 00:28:05,880 --> 00:28:09,615 like. You know, how this can be effectuated? You know, we still have some 455 00:28:09,615 --> 00:28:13,295 work to do to figure that out and to try it out, but it it 456 00:28:13,295 --> 00:28:17,010 is possible. It is. You're in my wheelhouse now 457 00:28:17,010 --> 00:28:20,610 when you bring up Deming because Deming was issued by all the major 458 00:28:20,610 --> 00:28:23,885 US automakers as being irrelevant. 
So he went to Toyota 459 00:28:24,425 --> 00:28:28,025 out of desperation to sell his idea, and he he 460 00:28:28,025 --> 00:28:30,525 landed in a culture which espouses 461 00:28:31,529 --> 00:28:35,210 collectivism, which means the good of all as opposed to the good of the one, 462 00:28:35,210 --> 00:28:38,830 whereas the companies who turned him down are strictly into economic 463 00:28:39,235 --> 00:28:43,075 outcomes for the 1, maximized personal outcome, which is really, I think, 464 00:28:43,075 --> 00:28:46,909 the the issue in the amoral approach to business. I I I don't 465 00:28:46,909 --> 00:28:50,049 know. I'm I'm on a soapbox now, so I'll stop. But I I wanted to, 466 00:28:50,590 --> 00:28:54,029 to ask you whether you think that the notion in the title of your 467 00:28:54,029 --> 00:28:57,485 paper, shame, has an irrelevance or if that's just 468 00:28:57,485 --> 00:29:01,325 something that we try to avoid by doing good. And if I 469 00:29:01,325 --> 00:29:05,030 could just interject, that's that's another paper that's in this kind of 470 00:29:05,590 --> 00:29:08,730 overall we need to do security differently theme. And 471 00:29:09,510 --> 00:29:13,270 assuming that Mark and Karen are willing, we're going to have 472 00:29:13,270 --> 00:29:16,675 them back to talk about that paper because it was just too much for one 473 00:29:16,675 --> 00:29:20,345 episode. So I just want wanted to to kind of give the backstory 474 00:29:20,345 --> 00:29:24,010 here. And that's one that we followed the fear one with because it felt as 475 00:29:24,010 --> 00:29:26,990 if people were being shamed when they did make a mistake, 476 00:29:27,690 --> 00:29:31,245 and that was my sense. And then when Mark gathered 477 00:29:31,544 --> 00:29:35,385 all our bunch of data, it actually happened to loads of people where 478 00:29:35,385 --> 00:29:38,970 they where they done something silly, clicked on a message or whatever. 
479 00:29:39,510 --> 00:29:43,110 And there was then the organization would people would yell at 480 00:29:43,110 --> 00:29:46,585 them, and they would they would get, you know, ostracized 481 00:29:46,725 --> 00:29:50,485 by their by their because now everyone had to go for the training 482 00:29:50,485 --> 00:29:54,230 again, and everyone couldn't work that day while the folks, IT folks, 483 00:29:54,230 --> 00:29:57,990 had to sort the computers out and everything. And the what the people 484 00:29:57,990 --> 00:30:01,455 went through was awful. You know? And and what we 485 00:30:01,455 --> 00:30:04,914 discovered was, interestingly, there's a difference between shame and guilt. 486 00:30:05,615 --> 00:30:09,455 Guilt says, you did this silly thing. Here's what you can do to 487 00:30:09,455 --> 00:30:12,820 make up for it. Shame says, you are the stupid 488 00:30:12,820 --> 00:30:16,580 person. It's an attack on you as a as a human. So then 489 00:30:16,580 --> 00:30:20,055 what you get is a self defense response. And what we also 490 00:30:20,055 --> 00:30:23,415 discovered is that what you do when you shame people is create an insider 491 00:30:23,415 --> 00:30:26,795 threat. It's very, very counterproductive. 492 00:30:27,175 --> 00:30:30,990 The organization does not end up ahead like maybe they think they're gonna 493 00:30:30,990 --> 00:30:34,830 end up ahead. So it's it's very counterproductive. So 494 00:30:34,830 --> 00:30:38,269 we're we're gonna leave that as foreshadowing for our later 495 00:30:38,269 --> 00:30:41,855 episode. We're starting to run up against our time 496 00:30:41,855 --> 00:30:45,395 limit, so could you 497 00:30:45,535 --> 00:30:49,350 give us kind of the 3 or 4 messages 498 00:30:50,210 --> 00:30:53,730 that you want our practitioner listeners, our 499 00:30:53,730 --> 00:30:57,404 cybersecurity professionals, to take away from what you found in 500 00:30:57,404 --> 00:31:01,085 your work. I'm gonna punt that to Mark. 
I've I've spoken a 501 00:31:01,085 --> 00:31:04,924 lot. Sorry. One thing I will say, and 502 00:31:04,924 --> 00:31:08,330 maybe this isn't a direct answer to your question, but maybe one thing I'll say 503 00:31:08,330 --> 00:31:12,090 just as a follow-up to the same question is is one thing we sought 504 00:31:12,090 --> 00:31:15,445 out to do here was to learn 505 00:31:15,985 --> 00:31:19,585 from world religions what we could apply to 506 00:31:19,585 --> 00:31:23,070 cybersecurity and make cybersecurity better. One thing that 507 00:31:23,070 --> 00:31:26,850 we did not seek to do was to portray 508 00:31:27,630 --> 00:31:31,205 that world religions were without any issues 509 00:31:31,205 --> 00:31:34,885 or faults of their own, that there weren't any problems or challenges. And I mentioned 510 00:31:34,885 --> 00:31:38,670 that because, obviously, plenty of religions 511 00:31:38,730 --> 00:31:42,410 use shame. They use fear. They use other things that we do 512 00:31:42,410 --> 00:31:46,155 not think should be used in cybersecurity. So I did I did want to 513 00:31:46,155 --> 00:31:49,915 mention that that we're trying to say, you know, what does make world religion 514 00:31:49,915 --> 00:31:52,975 successful? How can we take that and apply that to cybersecurity? 515 00:31:54,040 --> 00:31:57,400 And so, you know, with that in mind, I think some of the things 516 00:31:57,400 --> 00:32:01,160 that some of the major takeaways with respect 517 00:32:01,160 --> 00:32:04,795 to these higher values and thinking about, you know, the idea of 518 00:32:04,835 --> 00:32:08,595 for me, one of the big ones is a sense of belonging and 519 00:32:08,595 --> 00:32:12,150 and building that community, caring for others, wanting 520 00:32:12,150 --> 00:32:15,850 others to be successful, to succeed. 
And 521 00:32:16,390 --> 00:32:20,225 that can only be accomplished if, you know, instead 522 00:32:20,225 --> 00:32:23,905 of just punishing and looking at other people and saying, hey. You did this 523 00:32:23,905 --> 00:32:27,670 wrong. Instead being like, hey. You know, 524 00:32:27,670 --> 00:32:31,510 this this types of things happen. We know it's challenging. Let's figure out 525 00:32:31,510 --> 00:32:35,355 how we can make this make everyone more successful. Let's you know, what 526 00:32:35,355 --> 00:32:39,135 are we doing on our end that, we could do better? 527 00:32:39,355 --> 00:32:43,020 You know? So it's not just the employee, but what is the organizational 528 00:32:43,240 --> 00:32:46,840 what is the organization doing that, is making it more 529 00:32:46,840 --> 00:32:50,615 difficult? You know, what could what can the organization be doing better? And 530 00:32:50,615 --> 00:32:54,455 and, you know, just working together to support others, to share this knowledge, 531 00:32:54,455 --> 00:32:58,215 to care for each other in in a real meaningful way. And so I 532 00:32:58,215 --> 00:33:01,880 I think that that sense of belonging for me is is a really big 533 00:33:01,880 --> 00:33:05,420 one that I think religions, 534 00:33:05,640 --> 00:33:08,300 maybe in an often ideally idealized, 535 00:33:09,385 --> 00:33:13,225 can do very successfully. With cyber, we seem to be stuck in a bit 536 00:33:13,225 --> 00:33:16,765 of a a rut where we this is the way we do cybersecurity, 537 00:33:17,225 --> 00:33:21,060 and things like generational AI has come have 538 00:33:21,060 --> 00:33:24,820 come along, and we have to be able to adapt. But 539 00:33:24,820 --> 00:33:28,635 because of the fear based approach, people are almost frozen in the way they're 540 00:33:28,635 --> 00:33:32,475 doing stuff and that they're too scared to adapt. So it's really 541 00:33:32,475 --> 00:33:35,775 about taking the good parts. I agree with Mark there absolutely. 
542 00:33:36,509 --> 00:33:40,210 The the religion does belonging pretty well. Let's try and figure that out. 543 00:33:40,750 --> 00:33:44,350 Also, the the sacred values were the thing we've put in as our 544 00:33:44,350 --> 00:33:48,185 as our this needs to be done because we didn't actually arrive at those. 545 00:33:48,185 --> 00:33:51,625 We didn't have the bandwidth to do that with this study, but that's definitely 546 00:33:51,625 --> 00:33:55,470 something we want to work on next. So when we 547 00:33:55,470 --> 00:33:59,310 were talking about it, shame earlier, Craig mentioned that it seems a 548 00:33:59,310 --> 00:34:03,005 likely topic of your next paper, even though it's it's partially 549 00:34:03,005 --> 00:34:06,045 covered here. Tell us about what the next step is in your research because this 550 00:34:06,045 --> 00:34:09,730 is fascinating. We need an alternative to, pardon the metaphor, the 551 00:34:09,730 --> 00:34:13,109 hellfire and brimstone of a criminal justice perspective in current cybersecurity 552 00:34:13,250 --> 00:34:16,755 practice. So Mark and I are looking at this whole issue of 553 00:34:16,755 --> 00:34:20,434 sacred values with a another friend, at one of the London 554 00:34:20,434 --> 00:34:24,054 universities, and we're really hoping to arrive at a set of values 555 00:34:25,000 --> 00:34:28,600 that we could offer to the cybersecurity community to 556 00:34:28,600 --> 00:34:32,140 say, these are the things that we think that people could possibly 557 00:34:32,360 --> 00:34:36,114 espouse in order to help them. For for secure cyber 558 00:34:36,114 --> 00:34:39,875 security to become something that they don't even question that they just do, and 559 00:34:39,875 --> 00:34:43,530 you wouldn't have to have the compliance stick to beat them with. We 560 00:34:43,530 --> 00:34:47,290 also did a paper on regret, which is can be negative, but 561 00:34:47,290 --> 00:34:49,850 it turned out it can also be a positive thing. 
So if you make a 562 00:34:49,850 --> 00:34:53,585 mistake once, you can learn from it. I want to 563 00:34:53,585 --> 00:34:57,224 be understood. Organizational theory, Leon Festinger. Everybody 564 00:34:57,224 --> 00:35:00,905 knows him for cognitive dissonance, but attribution theory Uh-huh. Was his 565 00:35:00,905 --> 00:35:04,390 big thing, organizationally. And then the notion is 566 00:35:04,390 --> 00:35:08,230 people hate to fail, and they're more motivated by figuring out what 567 00:35:08,230 --> 00:35:11,530 they did wrong and keeping that from happening again than they are 568 00:35:12,015 --> 00:35:15,295 figuring out what went right. Because they expect to do well, but they don't expect 569 00:35:15,295 --> 00:35:18,895 to fail and they wanna avoid failure. But I was actually what 570 00:35:18,895 --> 00:35:22,470 triggered this, Craig, was we managed to put the name of a song in the 571 00:35:22,470 --> 00:35:24,890 title. So the title is 572 00:35:27,110 --> 00:35:30,835 from Edith Piaf. Nice. I've been wanting to 573 00:35:30,835 --> 00:35:34,595 do that for years. So we've we've been talking 574 00:35:34,595 --> 00:35:38,290 with Doctor Karen Renaud and Mark Dupuy, today about their 575 00:35:38,290 --> 00:35:42,050 fascinating perspective on cybersecurity and doing our part to 576 00:35:42,050 --> 00:35:45,755 spread the faith of doing good in the workplace. This 577 00:35:45,755 --> 00:35:49,595 is Cyberways, a production of Louisiana Tech University College 578 00:35:49,595 --> 00:35:53,210 of Business supported by Dean Chris Martin's just business grant. 579 00:35:53,369 --> 00:35:56,570 You can download it wherever podcasts are found, and we dearly love if you tell 580 00:35:56,570 --> 00:35:59,930 your friends about us. See you next time. 
And it is important to say that 581 00:35:59,930 --> 00:36:03,655 the Cyberways podcast is funded through the just business grant program 582 00:36:03,655 --> 00:36:07,494 of Louisiana Tech College of Business, and, we're 583 00:36:07,494 --> 00:36:11,310 grateful for that. So join us next time on the Cyberways podcast, which is 584 00:36:11,310 --> 00:36:15,150 available on all major podcast platforms. We want you to 585 00:36:15,150 --> 00:36:18,535 subscribe or follow or whatever button your favorite 586 00:36:18,535 --> 00:36:21,035 podcast app has. Thank you very much.