Cyber Insiders: Debi Ashenden – Patching with People Not Technology
In this episode we talk to Debi Ashenden, who is a Professor of Cybersecurity at the University of Adelaide about the social and human behavioural aspects of cybersecurity. Debi shares her perspective on the need to find ways to “patch with people” rather than with technology alone and discusses the impact of organisational psychology on cybersecurity.
From “social loafing” to the “free rider” and “sucker effect”, Debi delves into the various psychological factors that influence poor decision making around cybersecurity and explores the changing role of the CISO in driving user awareness and reducing human vulnerability.
Consultant, author and lecturer, Debi has over two decades of experience in the field of cybersecurity and holds the DST Group University of Adelaide Joint Chair in Cybersecurity. She is also a visiting professor at Royal Holloway, University of London, and has worked with big names such as Barclaycard, Reuters and the MoD.
Although she originally started out her academic career as an English literature major, Debi ended up doing a masters conversion degree into computer science and eventually joined DERA (The Defence Evaluation and Research Agency), which was then part of the MoD and is now Dstl (Defence Science and Technology Laboratory), to do her computer science masters project.
It was while researching risk management that the human aspect of cybersecurity became a focal point for her, an area into which there had been little research at the time. “We’ve got all these tools for risk management, but people will always do bad things at the end of the day and that’s when I started thinking we need to know more about why people do what they do.”
At that time, that psychological aspect was very much the missing part of cybersecurity research, she explains. If you’re using the term “human vulnerabilities,” she continues, it means you must also accept that cybersecurity is more than just the system. It stretches from the behaviour of the end user right the way through the system to the people at the other end who are trying to attack it. You must understand the cognitive process at both ends of that spectrum to truly understand security.
When it comes to cybersecurity decisions, such as whether to comply or not, we like to believe people are very rational, she says, but in a real-world context there’s a whole host of heuristics and biases that come into play. That’s what we quite often fail to consider when thinking about cybersecurity solutions, she adds. Another issue, which can greatly impact those decisions, is the language used when communicating about cybersecurity to the end user.
Rather than take a dictatorial approach, Debi advocates that we instead seek to move towards a point of concordance through open and honest communication. Rather than require people to simply comply, we should be negotiating with them to find a solution that works for them and works well for security, she explains.
“I think CISOs today would certainly agree that they tend to think that people want to do the right thing. It’s just a question of finding out how to enable them to do the right thing with minimum friction to their day-to-day working practices.”
“I think if we put as much effort into open and honest dialogue with our end users, and we accept that end users are not one homogenous group, but are made up of lots of different tribes, then we can really start to see the benefits of patching with people. We patch with technology automatically but patching with people is about how you communicate with them, how you bring them on board, how you involve them in the security process and co-create solutions with them.”
Similarly, Debi also highlights a strong need for more open and transparent dialogue between software developers and cybersecurity practitioners, and a diversity of opinion within the industry, which she believes will yield greater innovation and stronger problem solving.
To learn more about the link between organisational psychology and cybersecurity adoption and the changing role of the CISO, listen to the full episode.