EP 89: How to Really Make Sure that Cybersecurity is Everyone’s Job (Part 2)


About this episode

September 28, 2021
What if you could intentionally build a cybersecurity subculture inside your organization? You can! Learn how to pull the right levers with your hosts Kip Boyle, vCISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.

Episode Transcript

Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help you thrive as a cyber risk manager. On today's episode, your virtual chief information security officer is Kip Boyle, and your virtual cyber security counsel is Jake Bernstein. Visit them at cyberriskopportunities.com and focallaw.com.

Jake: So Kip, what are we going to talk about today?

Kip: I think, Jake, it's good to be back here with you recording another podcast episode. But today is part two of our discussion about cyber security culture, which we're trying to ground in behavioral science, right? Because we have this fantastic lead on this topic from the most recent edition of the Verizon Data Breach Investigations Report. And so last episode, we started digging into it, and now what we want to do is look at examples and case studies. So yeah, this is the episode that, last time we talked, I just really couldn't wait to actually get to. So we've got a Liberty Mutual case study.

And that was embedded in the original paper that we looked at last time, right? Huang and Pearlson. And so last time we dug into the first part of that paper; we were looking at the concepts and stuff. But now we're going to look at how those concepts were applied in a real situation. And then we're going to segue, we're going to look at another one as well, another case study too. But let's take them in turns. Now, the Liberty Mutual one.

This one came from six months of structured interviews. So that's how they drew out the information that they published. And they interviewed key leaders and stakeholders. That included the [inaudible] and people all the way down to the service desk level. So it was a very, very good study. And what we want to do is look at the context of the situation, and then we want to look at the external influences, because that was part of the model. We want to look at the decisions that managers made as far as the organizational mechanisms that they put into place and used in order to shift their culture. And we're also going to take a look at beliefs and values and attitudes. All of this is very important. And how did those get modified or created in the Liberty Mutual environment? And then we'll round it up with a discussion of the actual behaviors and what happened. So, okay. Jake, let's [crosstalk].

Jake: All right. So, first the context. So Liberty Mutual Holding Group, well known for its LiMu series of advertisements, which are often hilarious, is the parent of Liberty Mutual Insurance Group, which is a diversified global insurer. At the time of the case study, it was the fourth largest property and casualty insurer in the United States. It employed more than 50,000 people in over 800 offices around the world. And it knew that managing cyber security risk was critical to its success.

Kip: What a great laboratory for this.

Jake: Absolutely. And so, they are considered a financial services firm; insurance is a regulated industry. So one of the first pieces of context was the external rules and regulations. So they knew they had to comply with certain regulations. Also part of their context was peer influence. So, peer organizations spent considerably on tech to improve their security. Back in 2017 when this study was conducted, you had your firewalls, your intrusion and anomaly detection, password controls, network kill switches; these were all common solutions, right?

Kip: Yeah.

Jake: But at the same time, threat actors were continuously moving forward, advancing their own TTPs, Techniques, Tactics and Processes, in new and more complex ways to breach defenses. And what people found, of course, and this is obvious in retrospect, is that the most advanced technological solutions could be rendered powerless by one click of a successful phishing campaign. So, ultimately Liberty Mutual understood that its reputation was absolutely critical, right? People don't buy insurance from a company they can't trust.

Kip: Yeah. If you think about what insurance companies sell, it's one of the most high-value intangible items that you can get. It's really nothing more than a promise. And you can wrap it up in fancy paper and put it in boxes and things like that, put it in a nice-looking folder. But at the end of the day, it's just a promise that when something awful happens, that company is going to be there to help you get back on your feet. And I worked in an insurance company for seven years.

Jake: That's right. You did.

Kip: So, I mean, and Liberty Mutual was a competitor of ours, right? So when I read this paper I absolutely was engaged in this because I could easily imagine what this environment was like and I could easily compare it to what I had to do in the insurance company.

Jake: I'm not sure you really had to imagine it, you lived it.

Kip: Yeah, I really did live it. And so, and it's funny too. 2017, I mean, that's what? Four years ago. But that's forever.

Jake: It feels like forever.

Kip: It's forever ago. I mean, in terms of the pace of innovation, in terms of what the cyber attackers are doing. And of course, with the pandemic and everything weirding everything out, I mean, 2017 was like, "Oh my God." But because we're talking about people, right? We're just talking about people here, and that doesn't change, right? So this is totally valid. If you're listening to this, you're like, "2017, oh my God, that's ancient." Oh, okay. In tech terms, it is. But in people terms, nope. Nope, it's totally relevant. So, all right. So that's the external context, all right. So now let's think about the organizational mechanisms, let's explore those. So, the first thing that happened was the CSO and his team drove activities that were designed to establish and reinforce the desired values, attitudes and beliefs among this workforce.

This is 50,000 people, right? 50,000 people is the target audience here. And what they are trying to do is, they're trying to shift people's values, attitudes, and beliefs about the importance of data security. Now, I'll bet it was very uneven when they started. I'll bet some people were just paragons of virtue when it came to these values, attitudes and beliefs. But I'm sure that they didn't have across the board a really level set. So, they spent resources to develop what they called, it was a persona, the responsible defender, right? So this was a persona, I think it was even an icon, right? It wasn't like a stylized of it.

Jake: Who knows? Now you are confusing our case studies. The night was from Verizon. But the [crosstalk]. Yeah, the second one. But the Liberty Mutual one, it was branded; the paper didn't discuss exactly what it looked like.

Kip: Okay.

Jake: There was a little trademark there next to things so.

Kip: Well, they probably had an icon or they probably had a logo, or maybe even like a little character, right? A little stylized character. But in any event, they spent resources. And what this really was, in other terms, was a marketing campaign. I mean, that's what this really is. I mean, I've been studying marketing, Jake, for like the last two years, I've been immersing myself in marketing. I'm a small business owner and I've got to figure out how to market, that we can help people, and do that in a way they can understand. Well, this is really not that different, right? You are trying to get people to take up this idea of being a responsible defender. And so, they spent money, they built a global platform for messaging. They had communications plans. They figured out how to provide rewards to incentivize the right behavior and to reinforce the right behavior.

They had activities and processes all around cyber security and again, creating these values, attitudes and beliefs, right? Now, this is a challenge for most CSOs, I think because most CSOs are really coming from a very technological systems background. And I can tell you, I never learned about any of this stuff in school and my performance evaluations before I became a CSO had nothing to do with any of this, right? So this is breakthrough stuff. Now the CSO also created a specific leadership role that was to be focused on cybersecurity culture, and it was called Product Owner Cyber Security Awareness, right.

Jake: That's huge.

Kip: Yeah, that's the actual job title. I mean, if you think about it, right? That was probably fully loaded, $200,000 to $300,000 of annual spend just on that person, right? So you've got cost of direct salary, compensation, overhead, you load it all up and that's a substantial commitment to this, right? So you cannot accuse them of underfunding this, at least as far as we've gotten so far. And the role was, "Hey, you need to create and manage a culture of data protection." And notice they said a culture of data protection, not a culture of cyber security. Words matter, words absolutely matter when you're trying to shift people's perceptions and behavior, right?

Jake: They really do. And the fact that Liberty Mutual settled on data protection was really interesting to me because if you go across the Atlantic and into Europe, you'll notice that you don't really see the phrase... You don't really see the phrases or the words, privacy and cyber security. What you find is data protection. And it starts with the GDPR, that is the General Data Protection Regulation. And there's some questions about, maybe it's just a translation thing, right? You're trying to create a title that can be translated to all these different languages and maybe that's part of it. But I will tell you that there is a significance. Data protection as a phrase really encompasses both privacy and cyber security. That's where you see it used. And I'm starting to use that more often. And even my own practice group, I was really tempted at the start to try to convince the powers to rebrand in cyber security, but the actual name is data protection, privacy and security.

And that really just, I think to me, like cyber security feels like it's important. We like it, we know what it means, right? But if you're like, "Everyone has to be involved in cyber security, that might be difficult for a lot of people to feel like they can really add much to it and we'll talk about that." But data protection, well, all we want is to protect the data that we work with. So I think it was a really smart move.

Kip: I think so too. And boy, you just opened up something that I think we should unpack some other time around privacy, because there's a whole dimension to privacy that we really... I don't think we've talked very much about which is being smart about the data you choose to collect.

Jake: Yes. That's a different episode Kip. That's a different episode.

Kip: It is, but it's a really important part of privacy that almost has zero to do with cybersecurity. Like we can protect it once you collect it, but please don't collect it if you don't need it. Because that's just extra burden. Okay. Well, anyway, we can unpack that later.

Jake: This concludes the interruption about privacy.

Kip: Right. Okay. Let's return to the point here. The point is that there were organizational mechanisms that Liberty Mutual put into place. I talked about a couple of them already, so let's keep going; there was more. So there were rewards and punishments, right? There were carrots and sticks. And it started with simple phishing exercises, and a punishment or a stick was if you failed, if you clicked on the link and you shouldn't have, well then, you would get into a training class right away. That would try to correct you on the spot and try to teach you what the right thing to do was. And a lot of people do that, but it didn't stop there. Well, this is the part that I love, is that individual performance evaluations included cyber security behaviors. And that could be positive or negative, right? So they got the supervisors involved, and human resources.

Jake: And that's really important. And particularly it's important that it was both. And I said, could be. Really, it was both positive and negative. They would call out if you did, if you were particularly good at reporting phishing emails, that went into your evaluation, right? You got credit for doing that.

Kip: You should. And you should get credit, right? That's really effective. For anybody who's listening to us right now, if you're a parent, if you've ever parented, right? I mean, you are in the business of regulating behavior of your children, right?

Jake: Yes, you are.

Kip: Setting boundaries and, when those boundaries are violated, enforcing those boundaries and encouraging your kids to stay within those boundaries. Now, I'm not saying that this is about parenting, I'm saying this is about human behavior. And humans are humans. So, you want to absolutely praise people for the stuff they do that you want. And that's just so important. That is so important. There's a whole positive psychology dimension to this that we could open up, but just take my word for it, this is really important. Other organizational mechanisms included cyber security training, and they did that all the time. And they made it engaging, they made it light and frequent and brief, with cultural references, right? So in other words, tying it back to the customers of Liberty Mutual, making it contextual for them, right?

Not some weird kind of thing that doesn't seem to fit in anywhere, right? So it was made relevant. And then multiple communications channels. I'll never forget going to the marketing department at the insurance company where I worked at and saying to them, "Would you please help me because I am just dying here. I'm just not able to get my message out." Well they said, "Well, what are you doing?" And I go, "I'm sending these carefully worded emails." And they're like, "Well, what else are you doing?" And I go, "That's it." And they're like, "Poor child, come to us. We will help you."

Jake: It is true.

Kip: And they shared with me all the tools that they used for doing marketing campaigns out to the public, right? In order to make people aware that our company existed and to tell them what we could do and to encourage them to call us so they could talk to us. Well, they gave me all their tools and explained to me how it all worked. And, oh my gosh, it was amazing. Multiple communications channels. Yes, it's the same message, sent multiple ways, shared multiple ways. And it's wonderful. So they did that, right? And so, we're talking about videos and digital displays and blogs, alerts and emails and postcards and events and even live training. These are all necessary, especially when you have a workforce of 50,000 people, right? You've just got to do it this way.

And then lastly, when there were major news stories about cyber security, Liberty Mutual leaders used them to raise awareness, right? So when the Equifax Data Breach happened, they put that in the spotlight and they said, "Let's pay attention to this, let's see what we can learn from it. Let's try not to end up in this situation." We're talking here about organizational learning, how can an entire organization look at an example and then actually change the way they do things in order to not end up like them. So, anyway, so that's a tour of the organizational mechanisms, some specifics, which if you've listened to the last episode, right now we're starting to put some substance onto those concepts.

Jake: Exactly. That's exactly right. And we're using the terms directly from the previous episode out of the cybersecurity culture model. That's really important. So, along those lines, next up is how they used the culture of data protection to create and maintain specific cyber security values, attitudes and beliefs. And if you recall, these can be split into three groups, right? You've got the leadership, you've got groups and then you've got individuals. So I'm going to run through this pretty quickly. First, Liberty Mutual demonstrated that cyber security was a top management priority by supporting cyber security initiatives and allocating resources to tools and activities. Clearly we've been talking about that. Leadership then further reinforced the importance through top management participation in those activities. In fact, the CSO was literally the face of the campaign. High-level management continuously worked on their own cybersecurity knowledge to ensure that they understood what cyber criminals were looking for in victim organizations, very important.

At the group level, you had, as we just talked about, the traditional marketing techniques. They had slogans like "responsible defender" and "our information, our responsibility." I love these, right? That drove home the idea that cyber security was everyone's responsibility. What this did was create strong community norms and beliefs. That's a component of the model. Employees noticed how this could affect the perception of teamwork. And for example, employees would compare about phishing exercises to see who clicked on what. We call that engagement, right? Yeah, that's huge.

Kip: And you can do it in a way without feeling shame, that's important.

Jake: Exactly. Yep. Inter-department collaboration served to create a sense of group culture. One cyber security leader at Liberty Mutual described how, and this is a quote, "The success of creating a culture of data protection hinged on partnerships built with others across the enterprise. Being able to build alliances is a key to success in my role. And when it's time to get the work done, we have gotten strong support from across the enterprise. Everyone on the core team gets it." So there you go. I think that's a rousing endorsement of the process. On the individual level, employees' self-efficacy is very important. And this came out through the employee interviews. Remember we talked about how, as part of this process, they conducted widespread interviews. But I thought this was pretty clever.

One of the things that Liberty Mutual did was build this little model called, quote, the "pillars of data protection." And it was nothing more than a simple set of guidelines for everyone to follow. But what it did was result in employees with a high degree of cyber security policy awareness; people knew what was going on. And then this, to me, is really, I think, one of the most important takeaways. I know you are kind of... Your light bulb was the use of multiple types of media, right? To spread the message. This for me, and this is a typical lawyer thing, is huge: the decision to write the internal information security policy in an accessible manner and to make liberal use of kind of "what this means to me" boxes and explanations to maximize the personal impact. That is mind-blowingly almost obvious in a sense, but not obvious at the same time.

Kip: You mean, not common.

Jake: Certainly was created, not common at all. It created high cyber threat awareness throughout the organization. And the threat awareness is so crucial. If you think about what we do and what we see on a daily basis in clients, threat awareness is so critical. And I don't mean like in an abstract yeah, "There's threats out there." But this seems like it was designed to get people to understand. And when people understand and have that self-efficacy, it really does, it creates the ability to have the behaviors.

Kip: Well, and it also makes it concrete. Because a lot of cybersecurity and data protection and privacy is very, very abstract and difficult for people to conceptualize. And so anything you can do to make it more concrete is amazing. That's one of the reasons why I show the FBI wanted posters for top sought-after cyber criminals whenever I make a presentation where it's appropriate to show that. Because I want people to know that there are real people behind this cyber crime epidemic pandemic, and they should know what their faces look like because that's what makes it tangible. I want to go back to something that we talked about here that I think a lot of people get confused: as part of building this culture of data protection, they were trying to make it clear that data protection was everyone's responsibility. Okay, that's great. But where other people have tried this, and I think where they've gone wrong, is that you cannot say it's everyone's responsibility and stop there, because then everybody thinks it's everybody else's responsibility.

Jake: Yep.

Kip: So what made this work is not only did they say that it's everyone's responsibility, but they also made that show up in the individual performance evaluation. And that's what grounds it into a person's consciousness that, "I'm part of the everyone, because now this is on my performance value."

Jake: And they equipped the workforce to follow through on this, right? It wasn't just like, "Everyone's responsible."

Kip: Right.

Jake: It was, "And this is how you do it."

Kip: Yes. "Here are the tools, here's how, here's why, here's the concrete threat." And all that, right? They made it real. I mean, this is stunning. This whole paper and the other one we're going to talk about, is a blueprint for how to do this right. And it's wonderful that this exists. And these are academic studies, but they're very practical. There's a lot of practicality here. And I think that's one of the reasons why we wanted to do a second episode on this topic to make sure that people realize, that it's not just concepts and frameworks and models, it's real. And there's two organizations, two big ones that actually did it. Okay. So now, let's talk about behaviors now which is kind of where I was trying to segue to. So, the Liberty Mutual leaders made a very concerted effort to get the right behaviors into people, remember it's behavior modification. Where they would reduce risk and they would increase the security of their data. And an initial goal was to generate awareness of cyber resilience for every employee. Not just IT, mind blowing, what? It's not just a technology problem.

Jake: I know, right.

Kip: Fresh air.

Jake: Yes.

Kip: I can breathe fresh air. This is great. And eventually, as I said, they added these security actions into the employee role behaviors, and I have no doubt they were role specific, right? So if I'm a customer service agent, I'm not going to be asked and expected to do the things to protect data that an IT systems administrator is going to be expected to do. I can only do what I can do. And maybe it's something, and we'll actually see it on Verizon. Because I think they did a really wonderful job of exposing the very specific measurements that they did in this area. But anyway, the point is that there were role-specific behaviors that they were looking for. And so for example, people would increase the reporting of suspicious activity, they would click less on phishing emails and they would even secure their own personal devices better, right?

And they saw people doing this, and that's how they knew that the overall approach was working. When it comes to marketing, I went and talked to... this is a little aside here, but I think this is really important. It's very difficult to measure the results of marketing. I went to talk to the chief marketing officer of the insurance company where I worked and I said to him, I go, "Gosh, I love what you're doing. As an employee, I love the messages that are going out into the world. I'm really proud of what we're saying." And then I asked him, I go, "How do you know how much to spend on all this?" And he goes, "Kip." He goes, "This is a truth of marketing I'm about to tell you. 50% of all marketing money is wasted because we've spent it on the wrong stuff." And I was kind of like, "What? You know this already and you keep doing it." And he said, the problem is that we have no idea which 50% is the waste.

Jake: Very, very true.

Kip: Because it's just so hard to measure. But here what we're getting is we're getting measurements actually, because of the approach that's being taken here. And because you've got an audience that you can watch every day, right? Marketing to the consumer population, you can't watch, you can't watch those folks, right? It's very difficult to know if your messages are having the impact, right? Well, with surveillance capitalism we're getting better at that, but the point is that with an internal marketing program, you can actually watch the folks that you're trying to do behavior modification on and you can actually see if it's working, and they could actually see that it was working. So responsible defender as a program not only resulted in this, but it also emphasized something that is talked about in the Huang and Pearlson paper, which is extra-role behaviors, right?

This is when people go above and beyond. I mean, that's kind of the street way of saying it. And I'm going to read you a quote from one of the cybersecurity leaders, quote, "Everyone thinks of themselves as first responders. And they will alert us if they see a suspicious email or other activity, they see it as learning more about what to do or not to do, and they don't feel bad about it. It provides more motivation to get it right in the future." So, wow, they're going the extra mile on data security, and isn't that what we all want?

Jake: It is. And specifically they were doing that cooperative, the helping and the voicing. Those are the two behaviors that get described. And I do want to just mention too that one of the things that they did was they built in security actions to employee in-role behaviors. So that was the other concept out of the model, in-role versus extra-role behaviors. And I think what they saw, to get to your measurement point, was leadership saw increased reports of suspicious activity. Decreased clicks on phishing email. And this blew my mind, even the securing of the employees' personal technologies.

Kip: Mm-hmm (affirmative). [crosstalk].

Jake: Like that's really huge. So look, the Huang and Pearlson paper concludes by explaining how Liberty Mutual's investment in technology and all of these organizational measures really paid off. And to me, it provides research-generated evidence of advice that we often give, right? Which is, technology is important, but it's not enough on its own: people, process, technology.

Kip: Yeah. And management for a cylinder engine.

Jake: Absolutely. No, Kip, time check. I think we push ahead. Let's do the Verizon White Paper.

Kip: Okay. Everybody. So we're at about 30 minutes of content here and that's generally what we shoot for. But Jake's right. There's another paper that's closely related to the Liberty Mutual one. And we just figured let's go ahead and pack it in here because we want you to have all these benefits. So, we're going to go through this expeditiously, but not too fast I hope. But in any event, these papers are freely available. It's not a problem for you to go get them for yourself. We really want you to; we're hoping that by sharing this with you now on the episode that you're actually going to go get these papers and try to figure out, can you do this? What will it take? So, let's talk about this. So there's another white paper that was released by Verizon Media. Now, Verizon Media is different than Verizon Wireless and it's different than Verizon the people who...

Jake: Business. [inaudible].

Kip: Thank you. Verizon Business, who published the DBIR. So this is a different organization, so they studied themselves, but they didn't, because this was kind of a different subsidiary, right? So the Verizon team, Verizon Media team, they reported that cultural mechanisms like choice architecture, communication techniques, incentivization, and training were successful when they tried it, that they were able to build a culture of cybersecurity. They did change values, attitudes and beliefs of employees, and they got really good results. Like the rate of employee credential capture by phishing in simulation was cut in half. So they significantly drove down the rate at which people would fall for that. And the number of accurate phishing reports doubled.

So this is just people going, "Hey, this is a phish, this is a phish." And telling somebody so that they could be blocked, right? Future phishing attacks. And the use of their password manager tripled, right?

Jake: That's huge.

Kip: Yeah. They were actually able to measure this stuff. And there were three specific keys to their success. The way that they did it is a little different than the way Liberty Mutual did it. But first thing they did is they identified a kill chain breaking action. So, if you think about an attack and I don't know if we've talked about kill chain very much, but if you think about an attack, like a phishing attack, well, to send a phish that ultimately arrives in somebody's inbox and tempts them to click on something, there's a whole series of actions that you have to perform. And so the kill chain essentially says study that series of actions. And if you can figure out a weak point and disrupt one of those steps in this chain of actions, then you're going to kill the chain, right? So that's kill chain. And so, that was one thing they did. So they really focused on, for example, phishing. Okay. Now they identified one thing that they could do in order to disrupt a phishing attack. The second thing they did is they measured it and then the third thing they did is they tested mechanisms to improve the results or improve the numbers that they were generating. Okay.

Jake: Yeah.

Kip: So that's one of the things I love about the Verizon report, is that they talk about this very, very procedural approach, and I think people should really pay attention to this.

Jake: Absolutely. And look, there's a lot going on in this 18-page white paper; we really encourage you to read it. Particularly because, like with the DBIR, there's so many wonderful figures and graphics that we just can't accurately describe. And I'm going to start with context again, just to bring it back. And this was not entirely in the paper, but I'm adding it. So as Kip mentioned, this is about Verizon Media, which is the entity formerly known as Oath, which itself is formerly known as companies like AOL and Yahoo. So this is a big organization of search, media and mobile operations. But my favorite part is that the Verizon Media security team had its own name, and they were the Paranoids. Capital P, the Paranoids, capital P. And look, this isn't just a funny name, it actually starts to increase engagement on a cultural level right away, right?

Kip: Oh yeah. I mean, this is fantastic, right? I sometimes refer to myself as a professional paranoid.

Jake: I do as well.

Kip: And so right away when I saw this, I was like, oh, this is fantastic self-referential, self-deprecating humor. This is just fantastic. It tells people immediately like, "Okay, first of all, yes, we know we're paranoid, we're self-aware of that." And then secondly, it tells them, and we don't take ourselves too seriously. It's just wonderful. Makes them so much more approachable.

Jake: It does.

Kip: So yeah. So that was great. Now, as part of the overall goal here to shift culture, the Paranoids created what they called a proactive engagement group. So this was actually part of their security organization. And there were three sub-teams or subgroups in this proactive engagement group. One was the red team, where they were doing simulated attacks, right? The red team. They called themselves offensive engineering. I think that's an unfortunate counterpoint to their approachability. I don't know, this has a weird label, I've never really reconciled myself to that. But what they did, of course, is they evaluated systems and services and processes and people; they were trying to discover systemic weaknesses, right? So that's part of the process that we just talked about a moment ago, that was one team. The second team was security education. And they are going to institutionalize the lessons from the red team.

So the red team is going to go, "Hey, we found a problem with the way Verizon Media is put together." So security education takes that. And they're like, "Okay, so now we got to figure out how to take what we've learned and roll that out to the population. So we're going to scale learnings and scale it across the entire workforce. And we're going to do that through some required training." That was the second team. The third team was behavioral engineering, and they're looking at all this data and they're trying to figure out, "Okay, how are we going to baseline and then change the behaviors that we wanna see across our workforce?" Okay. So those are three subgroups in this proactive engagement roll-up group. Okay. Now, this can all be understood through the cyber security culture model. And it's a systemic approach to understand how to use these managerial mechanisms from the model, right? The Harang and Pearlson model to encourage the workforce to adopt certain values. So that's kind of how it was organized.

Jake: Yep. And the Paranoids though, they went even farther by doing my favorite thing ever, Kip. And what have I said on this show repeatedly that lawyers love to do? We love to define terms, okay.

Kip: Oh, you've said other things but I'll go with that.

Jake: Yeah. Defining terms. That's one of my favorite things to do. So actions, habits and behaviors. These might sound similar, but they have crucial differences essential to understanding cyber security culture. So an action is something a person does to completion. It's pretty straightforward. A habit is a shortcut made in the human brain for repeatable actions. And I'm going to give an example here. We want people to form a habit to rely on the company password manager to create secure passwords, right? And then finally, behaviors are defined as the combination of both actions and habits within a specific context of a situation, environment or stimulus. And so while the habit might be use a password manager, the desired behavior is when creating or updating accounts generate and store credentials using a password manager.

Kip: Yeah. That's great. And notice that it all goes back to an action, the definition of an action, which is something a person does to completion. Well, there's a whole chain of steps there, right? You've got to create an account, then you have to generate a password. Then you have to store that password and you have to store it in your password manager. A person can go take a wild left turn at any point in that sequence of events. So it's really important that those things get chained together and that ultimately the habit is that you do all those actions to completion. So I love the way it was broken down, put back together again, super, super helpful for this work. Now, the Paranoids knew that when they were trying to attempt to change a behavior, they had to identify a specific context for the desired action.

And they called this creating a behavioral goal. And here's how it works. So, they would ask the question: in which specific context do we want a specific cohort, or a person by role, to do what specific action? Right? So boy, talk about getting really hyper-focused on something, right? And this is great. It is also, like, to an ambitious-thinking person like me, that feels kind of also limiting at the same time. Because it's like, "No, I want everybody to use a password manager everywhere all the time, every time, blah, blah. I want it on their desktops and their mobile device and blah, blah, blah. No, no, no, Kip, calm down." We have to focus on one specific context for one specific group of people and one specific action. "Okay, fine, I give up, I surrender." Another example might be when generating a new single sign-on password, we want all employees to generate and store the password within our corporate-approved password manager. Okay. So not just any password manager, not just the password manager in the Chrome web browser, but the one that we actually approved. Okay. So this is great. And so what they ended up doing is developing a three-part proactive engagement method of define, measure and act. And ladies and gentlemen, if you're not stealing all of this, I wonder what's wrong with you? This is great stuff.

Jake: Yeah. Well, I mean... And look, the reason this went into the 20s, remember this all started because we saw a one-page kind of mention of it in this 2021 DBIR. Yeah, exactly. And they obviously want this information out there and that's great. So look, this proactive engagement method, it's really smart, it systematizes something that would otherwise be abstract enough that I think would be very difficult to understand, right? It's simple. You identify the desired behavior goal. You find an appropriate measure and create a baseline. And then you take actions to affect the measured behavior, adjust them over time, wash, rinse, repeat, right?

Kip: This is science. You must love this, right?

Jake: It is science. And this is where I will fully admit that the script says, do we have enough time to discuss further things? And the answer is not really, but let's just mention some of these things, Kip. I'll take choice architecture. Because this paper...

Kip: We're wrapping it up everybody, we're wrapping it up.

Jake: We are going to wrap it up. And this is not all that's in the Verizon white paper. It's really, really good. They go into excruciating detail, much like the DBIR about some of this stuff. And maybe we'll revisit it, but choice architecture refers to the practice of organizing context to influence individual choice by the use of defaults, framing and other choice options.

Kip: This is a lot of behavior science.

Jake: But this happens all the time. People are always doing this to us. Why not use it as a mechanism to increase corporate security?

Kip: Yeah. Yeah.

Jake: This is really, really smart.

Kip: Like choice architecture isn't something that was invented for the purposes of getting people to behave differently with security. No, no, no, no, no. This is a well-established concept in behavior science. We're just bringing it to a place that it hasn't been brought to before. So you may have heard... You may have never heard of choice architecture before, but it's there, it's reliable and so you should use it.

Jake: And a simple example, right? Just to make this less abstract. In 2019 the Paranoids pre-installed their corporate password manager browser extension and desktop application on every single managed device: desktop, laptop, mobile phone. And they simply made it the default choice. Look, there's a reason that back in the day, there was a huge war between Google and Microsoft as to whether Google or Bing would be the default search engine on iPhone and Safari. Like there is a huge, huge benefit to being the default. That's what this is.

Kip: Yeah. And if you can see how successful it's made tech companies, you can imagine that if it's used correctly in this context, it's going to be successful as well. It's going to breed a lot of success. Okay. So choice architecture was something that we wanted to mention. I'll mention two other things real quick and then we'll wrap it up. In terms of communication, [inaudible] decomposed that a little bit too. They talked about things like top-down passive competition. They talked about manager-to-manager peer workshops. They talked about bottom-up nudging, active competition, incentivization. We can't unpack all that stuff in the time that remains in this episode. But again, we just want to reemphasize that there's a lot of really great stuff here. A lot of really well understood behavioral science going on in here.

And what I love about this paper is it takes these strange words, like top-down passive competition, but it makes it real by telling you exactly what they did. And you can read about that in the paper. And incentivization tactics, this is the last thing we want to mention. These are management mechanisms that encourage people to change their attitudes rather than chasing them around with a stick, to actually incentivize people to behave in a different way, in a way that felt good for folks who were trying to get new habits, right? And these are just things like giving people a gift when they report a phish. Give them a gift, it doesn't have to be a big gift, right? It could be a chocolate bar. It could be a badge, it could be a title, right?

Jake: My favorite is the laptop sticker of that knight you described. The little stylized, kind of comic-looking knight. I would totally love one of those laptop stickers. I mean, people love that stuff.

Kip: And if you can only get it by changing your behavior and reporting a phish that you received, well man, stickers don't cost much for folks and they'll do it.

Jake: They don't. I mean, yeah, that really puts it in stark relief. Doesn't it? Is that [inaudible]...

Kip: For a fraction of what you would spend on the next vendor-promised blinky light thing, you could buy a pallet of stickers and get people to completely change the way they work. That sounds like a fantastic value prop.

Jake: Yep. And I do like how they also had this [inaudible] nice list that would go onto dashboards. And again, this paper does talk about a few more things that we don't have time here to discuss. I'll just tell you what they were: create a transparent dashboard, that's like the idea of this naughty-nice list; develop the feedback loop that prioritizes user experience that matters; and then, this is critical, publicize success and iterate on deficiency. This story really illustrates key components of the Harang and Pearlson model. And I think it's just very well done. Again, thank you to Verizon and we look forward to discussing things like this in the future.

Kip: Speaking of that, before we wrap the episode, I normally don't do this but I'm super excited. But we've actually reached out to some of the people who make the DBIR happen. And if we're very fortunate and they agree to do it, we could have some guests coming on in the future to talk about it. So, we're not making any commitments.

Jake: Was that a teaser for future episodes?

Kip: Yeah. Not making any promises here but that's what we're trying to make happen. So you'll find out about it.

Jake: Episode 89, we just decided to add some teaser to our future episodes. There you go.

Kip: I couldn't help it. I'm really excited, I love that report. I've been reading it since they first published it, like going on 15 years or something like that right now. So it's now become an oldie and a goodie. All right. That wraps it up. We're done. And this episode of the Cyber Risk Management Podcast is in the can. Today we completed our two-episode discussion of the cybersecurity culture model. And we looked at two case studies of the model at work and we want you to use it. But for now, we'll see you next time.

Jake: See you next time.

Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. Remember that cyber risk management is a team sport, so include your senior decision makers, legal department, HR, and IT for full effectiveness. So if you wanna manage cyber as the dynamic business risk it has become, we can help. Find out more by visiting us at cyberriskopportunities.com and focallaw.com. Thanks for tuning in. See you next time.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).


Jake Bernstein
K&L Gates LLC

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.