adarma_logo_twgt-black[11615449]
adarma_logo_twgt-black[11615449]
Assessments
All Cybersecurity Assessments

Improve security maturity and capability while reducing risk
Cyber Maturity Assessment

Define, measure and improve your security posture
SOC Maturity Assessment

Understand and improve the capability and maturity of your SOC
SIEM Assessment

Your roadmap to increase the performance and value of your SIEM
Crisis Simulation Assessment

Stress-test your organisation’s cyber response capability

Latest Insights

Cyber Insiders is a cybersecurity podcast by Adarma.
Podcast
Nov 2

Cyber Insiders Podcast: Liz Banbury on Safeguarding Critical National Infrastructure
Threat Intelligence Exposure Management
Detection & Response
Managed SOC

Delivering today’s capability, while staying adaptable for tomorrow’s threat
Microsoft MDR Solution

Maximise the potential of your Microsoft E5 License
SOC Engineering

We help design, build, and integrate the security operations capability you need
Incident Response

Intelligence-led preparation, practice and real-world cyber incident response
Socket Platform
About Us
We Are Adarma

Your partner for effective cyber threat management
ESG

Protecting the promise of cyber resilience
Partners

Working in partnership to make the world a safer place
Careers

Become a Cyber Defender
Contact Us

Get in touch today
Insights
Cyber Hub
Cyber Insiders
News & Blog
SIEM Transformation
Future-Ready SOC Report
SecOps Excellence
Events
Share:
December 1, 2022

Cyber Insiders: Debi Ashenden – Patching with People Not Technology

In this episode we talk to Debi Ashenden, who is a Professor of Cybersecurity at the University of Adelaide about the social and human behavioural aspects of cybersecurity. Debi shares her perspective on the need to find ways to “patch with people” rather than with technology alone and discusses the impact of organisational psychology on cybersecurity.

From “social loafing” to the “free rider” and “sucker effect”, Debi delves into the various psychological factors that influence poor decision making around cybersecurity and explores the changing role of the CISO in driving user awareness and reducing human vulnerability.

Consultant, author and lecturer, Debi has over two decades of experience in the field of cybersecurity and holds the DST Group University of Adelaide Joint Chair in Cybersecurity. She is also a visiting professor at Royal Holloway at the University of London and has worked big names such as Barclaycard, Reuters and the MoD.   

Although she originally started out her academic career as an English literature major, Debi ended up doing a masters conversion degree into computer science and eventually joined DERA (The Defence Evaluation and Research Agency), which was then part of the MoD and is now Dstl (Defence Science and Technology Laboratory), to do her computer science masters project.  

It was while researching risk management that the human aspect of cybersecurity became a focal point for her, which at the time there had been little research into. “We’ve got all these tools for risk management, but people will always do bad things at the end of the day and that’s when I started thinking we need to know more about why people do what they do.”  

At that time, that psychological aspect was very much the missing part of cybersecurity research, she explains. If you’re using the term “human vulnerabilities,” she continues, it means you must also accept that cybersecurity is more than just the system. It stretches from the behaviour of the end user right the way through the system to the people at the other end who are trying to attack it. You must understand the cognitive process at both ends of that spectrum to truly understand security.  

When it comes to cybersecurity decisions, such as whether to comply or not, we like to believe people are very rational, she says, but in a real-world context there’s a whole host of heuristics and biases that come into play. That’s what we quite often fail to consider when thinking about cybersecurity solutions, she adds. Another issue, which can greatly impact those decisions, is the language used when communicating about cybersecurity to the end user.  

Rather than take a dictatorial approach, Debi advocates that we instead seek to move towards a point of concordance through open and honest communication. Rather than require people to simply comply, we should be negotiating with them to find a solution that works for them and works well for security, she explains.    

“I think CISOs today would certainly agree, that they tend to think that people want to do the right thing. It’s just a question of finding out how to enable them to do the right thing with minimum friction to their day-to-day working practises.” 

“I think if we put as much effort into open and honest dialogue with our end users, and we accept that end users are not one homogenous group, but are made up of lots of different tribes, then we can really start to see the benefits of patching with people. We patch with technology automatically but patching with people is about how you communicate with them, how you bring them on board, how you involve them in the security process and co-create solutions with them.” 

Similarly, Debi also highlights a strong need for more open and transparent dialogue between software developers and cybersecurity practitioners, and a diversity of opinion within the industry, which she believes will yield greater innovation and stronger problem solving.  

To learn more about the link between organisational psychology and cybersecurity adoption and the changing role of the CISO, listen to the full episode.  

Related Posts

Explore all
Podcast
Nov 2024

Cyber Insiders Podcast: Liz Banbury on Safeguarding Critical National Infrastructure

Blog
Oct 2024

An Introduction to the Cybersecurity Landscape for Retailers

Blog
Oct 2024

Adarma’s Commitment to Sustainability: Improved EcoVadis Scores in 2024

Contact Us