Human-Centered Security

by Voice+Code

Cybersecurity is complex. Its user experience doesn’t have to be. Heidi Trost interviews information security experts about how we can make it easier for people—and their organizations—to stay secure.

Copyright: 2020 Voice+Code

Episodes

IoT Devices: Establishing Trust through Transparency with Matt Wyckhouse

44m · Published 24 Aug 21:17

In this episode we talk about:

  • The security risks associated with IoT devices.
  • Why IoT devices can be less secure than, for example, a mobile device.
  • Supply chain security.
  • How UX designers can more effectively communicate risk to their users.


Prior to founding Finite State, Matt spent 15 years leading the research and development of advanced solutions to some of the hardest problems in cyber security, with experience across the spectrum of offensive and defensive cyber operations. Notably, he was the technical founder and CTO of Battelle's Cyber Innovations business unit. Throughout his career, Matt has spearheaded complex national security programs ranging from detection of malicious integrated circuits in the supply chain to next generation intrusion detection systems for low-power embedded systems. Matt directed numerous intelligence programs related to the security of embedded and IoT devices and has been a speaker on the subject at events around the world.

You can follow Finite State on Twitter and LinkedIn.

How an Anthropologist Approaches a Security Breach with Patricia Ensworth

40m · Published 11 Aug 11:24

In this episode, we talk about:

  • How anthropology can help security teams uncover the “why” behind security breaches.
  • Why it’s important for designers to familiarize themselves with information security risk management. 
  • What designers should know about quality assurance applied to security.
  • How to fight for the time needed to build security into products.


Patricia Ensworth is a business anthropologist whose work focuses on the human factors affecting the development and maintenance of innovative products, services, and systems. As a technology project manager at leading global financial services firms (Merrill Lynch, Moody’s, UBS, Citigroup, Morgan Stanley) she came to specialize in risk analysis and quality assurance, in recent years often in relation to cybersecurity vulnerabilities. Her consulting firm Harborlight Management Services LLC provides organizational research and management training to clients in a broad range of industries, as well as government agencies and non-profits. She is the author of The Accidental Project Manager: Surviving the Transition from Techie to Manager (Wiley 2001) and numerous technical articles about multicultural teamwork in software engineering. She is also an Adjunct Assistant Professor teaching in a graduate business degree program at New York University.

Where do "people" fit in with process and technology? with Dr. Nikki Robinson

29m · Published 14 Jul 11:51

In this episode, we talk about:

  • Why human factors is important when it comes to cybersecurity and why it’s still a relatively unexplored topic.
  • The importance of communication and empathy in cybersecurity.
  • Dr. Robinson’s research around low- and medium-severity vulnerabilities, and how their potential use in combination warrants additional attention.
  • Dr. Robinson’s most recent research around “vulnerability chaining blindness” and why the words we use and a shared understanding are crucial for making progress in cybersecurity.

Dr. Nikki Robinson is a Security Architect and holds a Doctorate of Science in Cybersecurity, as well as several industry certifications (CISSP, CEH, MCITP, etc.). She is currently working on a PhD in Human Factors and researching how psychology and cybersecurity can be blended. With a background in IT Operations and Engineering, she moved into security several years ago.


  • Connect with Dr. Nikki Robinson on LinkedIn
  • Listen to Dr. Nikki Robinson’s podcast: The Resilient Cyber Podcast

Adapting the Human Factors Analysis and Classification System to Cybersecurity with Robin Bylenga

34m · Published 30 Jun 12:16

During this episode, we talk about:

  • How an insider threat at her own company led Robin into cybersecurity.
  • Why looking at the human side of errors and using a framework like HFACS can help identify the root cause of the problem.
  • How Robin’s research challenges the idea that “humans are the weakest link.”
  • How HFACS can be applied to cybersecurity’s existing frameworks.


Robin Bylenga is a seasoned client-facing expert, having drawn her initial skills early in her career as a flight attendant. Prior to entering cybersecurity, she was the CEO and Founder of Pedal Chic, the first women-specific bike shop in North America. She built the brand, won national awards, and designed a full line of bicycles for a niche market. Then her company suffered an insider threat attack. That experience changed the course of her life and brought her to a new career and the opportunity to adapt the Human Factors Analysis and Classification System (HFACS) framework to cyber.

Learn more about Robin's research at https://hfacs-cyber.com/

Avoid the Temptation to Start Cybersecurity Conversations with “You’re Doing It Wrong” with Ryan Cloutier

39m · Published 16 Jun 11:45

In this episode, we talk about:

  • How security experts can more effectively communicate with end users.
  • The issue of delayed consequences in the digital realm and how that impacts how people behave.
  • The role accountability plays in improving information security.


Ryan Cloutier is the principal security consultant for SecurityStudio. He is an experienced IT/cybersecurity professional with over 15 years’ experience developing cybersecurity programs for Fortune 500 organizations. Ryan is a virtual Chief Information Security Officer for K12 districts across the country, is a Certified Information Systems Security Professional (CISSP), and is proficient in cloud security, DevOps and SecOps methodologies, security policy, process, audit, compliance, network security, and application security architecture. Ryan also co-hosts a weekly security podcast and has been named among the top 100 most influential people in cybersecurity.


You can also find Ryan:

  • On Twitter @cloutiersec
  • On The Security Shitshow
  • During the episode, Ryan mentions S2me (by SecurityStudio), a free security risk assessment resource

Cybersecurity Risk Management for UX Practitioners with Natalie Hill

37m · Published 19 May 11:48

In this episode we talk about:

  • Thinking about cybersecurity risk from a UX practitioner’s perspective.
  • Balancing ease of use while not introducing unnecessary risk.
  • Building personas and scenarios for bad actors so you can make conscious decisions about how controls might be circumvented.
  • The importance of content strategy and collaborating with UX writers.
  • Tips for conducting user research when it’s difficult to get access to end users.

Natalie Hill is a senior product designer with over 20 years of professional experience and a Master of Science in Information Studies. Her niche is enterprise UX. She loves finding elegant solutions to complex design problems and understanding the psychology that drives human behavior. Natalie considers cybersecurity one of the most important things in the world and has spent the last four years designing network, web, and email security solutions.


Natalie is a seasoned guitar player who enjoys playing live with a band in non-pandemic times. She is also on the board of directors of the nonprofit Girls Rock Austin, an organization dedicated to empowering girls, transgender, and non-binary youth through music education, mentorship, and self-care.

Expectation vs. Outcome: Accounting for Human Behavior with Dr. Alexander Stein

35m · Published 05 May 12:05

During this episode, we talk about:

  • Why looking for a silver bullet for cybersecurity is hopeless. Like any human issue, it is multi-dimensional and complex.
  • Expectations versus outcomes: how we must take into account how “things will play out when you involve people.”
  • “Changing how people think and behave is complicated, non-linear, painstaking, and does not conform to your expectations.” Despite this, understanding and accounting for people when it comes to cybersecurity is critically important.
  • What organizations are missing and what organizations are doing well when it comes to accounting for people in cybersecurity.


Alexander Stein, PhD, is an expert in human behavior and decision-making, and founder and managing principal of Dolus Advisors, a psychodynamic management consultancy that advises CEOs, senior management teams, and boards on issues involving leadership, culture, governance, ethics, risk, and other organizational matters with complex psychological underpinnings. Dr. Stein is an internationally regarded authority on human risk and the psychodynamics of fraud and is frequently engaged as a specialist advisor in multi-jurisdictional corruption and executive misconduct matters; he also helps companies mitigate and address human-factor vulnerabilities in cybersecurity. He also consults with companies that develop and deliver technologies that assume decision-making functions in human affairs, to mitigate unintended consequences for people, organizations, and society. Dr. Stein is a widely published and cited writer and thought leader, currently a regular contributor to Forbes on the psychology of leadership and misbehavior in business, and a frequent podcast and webinar guest, on-camera expert commentator, and keynote speaker and panelist.

Find more information on Dr. Stein and Dolus Advisors:

  • Dolus Advisors
  • The Briefing, Dolus Advisors’ periodic digest of thought-leadership and analysis
  • Dr. Stein on LinkedIn
  • Dolus Advisors on LinkedIn
  • Humans and technology: A complicated and fascinating pair, RSA Conference Podcast, Episode 33, March 3, 2020
  • To Phish or Not to Phish? That is the Question, Wizer Training Webinar, January 13, 2021
  • Pitfalls of Outsourcing Self-Awareness to AI, Forbes, January 6, 2019 

How Do You Get People to Care About Cybersecurity? with Laura Nespoli

28m · Published 24 Feb 14:50

Laura Nespoli is founder of Meshin Movement, a brand strategy consultancy. Laura has spent her career serving as a strategic problem-solver and brand storyteller across the sales and marketing spectrum in many facets: from agency to client-side, media to creative, market research to integrated marketing planning. Her professional focus is in helping brands and teams reveal business opportunity and advantage, while her passion is rooted in inspiring ideas that serve the world for the greater good.

During this episode we talk about:

  • Incorporating cybersecurity into the “fabric of your organization’s brand.”
  • How to create meaning and understanding that leads to a new behavior.
  • The Fogg Behavior Model: motivation, ability, and a prompt must converge for a behavior to happen.
  • How to deal with our natural aversion to complexity.
  • How purpose creates a more unified understanding of what everyone is working towards and helps people put more meaning around security-related tasks that may otherwise have been perceived as meaningless.

We All Have Been the “Stupid User” at Some Point with Dr. Margaret Cunningham

34m · Published 10 Feb 12:11

Dr. Margaret Cunningham is an experimental psychologist and the Principal Research Scientist for Human Behavior at Forcepoint’s X-Lab. In this role, she serves as the behavioral science subject matter expert in an interdisciplinary security team driving the development of human-centric security solutions. Previously, she supported the Human Systems Integration branch of the Department of Homeland Security.


In this episode, we talk about:

  • Why saying “people are the weakest link” is not a productive mindset when it comes to cybersecurity.
  • How we can thoughtfully create systems/designs that mitigate the risk of human limitations.
  • The Human Factors Analysis and Classification System (whether you are in UX or cybersecurity, you will likely find this framework interesting).
  • The nuances around errors and rulebreaking and how we can, ideally, learn from our employees’ behavior to make the systems and the organization better.

Using Analogies to Help People Understand Information Security with Brian Murphy

21m · Published 03 Feb 13:17

Brian Murphy, a security specialist at GreyCastle Security, is a technology, information security, and risk management professional. He assists with the development and implementation of cybersecurity solutions for a variety of industries. Brian is knowledgeable about PCI, SOX, and GLBA compliance requirements, as well as ISO and NIST standards and regulations.


On this episode we talk about:

  • How we are constantly doing risk assessments in our everyday life. At least, we should be.
  • How using analogies and stories help people connect with something new, like cybersecurity.
  • Shifting the mindset to ensure the cybersecurity team's goals tie back to the business’ goals.
  • The importance of culture and providing an environment where employees and the cybersecurity team are constantly learning.

Human-Centered Security has 38 episodes in total of non-explicit content. Total playtime is 24:30:24. The language of the podcast is English. This podcast was added on November 23rd, 2022. It might contain more episodes than the ones shown here. It was last updated on May 25th, 2024 at 21:11.