Introduction to Cyber Psych Podcast
00:00:21
Speaker
Hello and welcome to Cyber Psych, a Netography podcast where we talk with industry professionals about the human side of technology, how it relates to security, and how it impacts the overall business. I'm your host, Dr. Stacey Thayer, and I'm a cyber psychologist and senior manager of research and engagement at Netography. And I'm really excited to be here today with our special guest, Dr. Max Kilger, who's professor of practice at University of Texas in San Antonio.
00:00:46
Speaker
He has numerous publications on the areas that influence decision making, the interaction of people with technology, the motivations of malicious online actors, and understanding the changing social structure in the computer hacking community, as well as the nature of the emerging cyber threats and cyber terrorism. He's also a founding and board member of the HoneyNet Project. So Max, thank you so much for being here today.
00:01:13
Speaker
Thank you for inviting me, Stacey. Nice to see you again. Nice to see you. So can you just tell us a little bit about your background? I was so excited to talk to you because you're also one of these people who's really at the intersection of psychology and security. And I've read some of your publications and your work and followed your work for a while. And I'd love to hear how you got into it. And you're starting because you went to school for psychology originally, right? Yeah, that's right.
00:01:43
Speaker
I've been using computers for over 50 years. So I'm a computer nerd, computer geek. And eventually I ended up at Stanford. And I'm a Stanford trained social psychologist. And I happened to get there right at the start of the personal computer revolution.
00:02:05
Speaker
And it was, it was amazing. It was a priceless educational experience being there in Silicon Valley and going, you know, going to Xerox PARC and meeting Wozniak and going to SIGGRAPH meetings and just a truly amazing time to see how digital technology was evolving and how it was changing.
00:02:29
Speaker
not only the way that people interact with computers and machines, but also how those interactions changed how we interacted with each other. So it was pretty fabulous. Wow. That's an amazing time to be in that area.
Shift to Cyber Threats
00:02:49
Speaker
So then what brought you into
00:02:52
Speaker
security. I mean, there's a lot of areas of technology. What about security and malicious actors and the hacking community? I know you know a lot about the history of the hacking community. And what appealed to you about that? Sure. So originally, my, my great plan when I was in graduate school was basically to, oh, look how it's changing society and how we live and how we work all this digital technology and
00:03:17
Speaker
The plan was I ought to become a professor and do the rubber chicken circuit and talk to corporations and conferences and stuff and make money as a public speaker about all the interesting and good things that were happening. And it turned out that there was an event shortly after I graduated
00:03:43
Speaker
that sort of turned me from this to basically the dark side. And so I eventually said, oh, I don't want to talk about all the good stuff. What's really interesting is all the malicious things, all the not so fabulous things that are happening with digital technology.
00:04:03
Speaker
Now, it turns out a person, I know a colleague, Julie Albright, she went the route I went. She said, oh, I'm going to talk to corporations and talk about how it's changing our lives and things like that. Really fabulous and happy for her. I'm just so grateful that I took this left turn and got into the security field. Wow, nice.
Honey Net Project & Cyber Threat Tools
00:04:29
Speaker
And so when you were one of the founding members of the Honey Net Project, can you talk a little bit about the Honey Net Project and what you were doing there? Because I remember it's around the time when, well, our paths first crossed. And I remember reading your chapter on it, it was fascinating, the social dynamics and psychology of it all. That's a pretty, yeah, that's basically kind of how it changed my life. And actually, it goes way back to about 2001.
00:04:55
Speaker
as when one day I was reading something and I found a blog by this fellow named Lance Spitzner and he was talking about the psychology of hackers and I read it and I said, yeah, okay, but you know, I have some ideas as well. And so I wrote back to him and made some suggestions and we had some chats back and forth and he said, hey, you know, we were starting this sort of this organization, the Honey Net Project, it's like seven guys in the basement.
00:05:25
Speaker
You kind of sound like you know what you're doing. Do you want to join? I said, yeah, sure. And so that's kind of how it happened for the first few years meeting in Lance's basement in his house in Illinois. But Lance was pretty interesting. We started developing all sorts of honeypot projects and software and analytical tools and things like that.
00:05:55
Speaker
Lance said, we have the world's worst business model. We invent really cool and interesting stuff and we give it away for free. Maybe not even the smartest move, but a number of early people that were associated with the Honeynet Project later went on to start their own companies and
00:06:20
Speaker
a lot of money and were very successful. So basically it's grown over the years. It started in the US and then it spread internationally. And we kept creating tools and doing analyses and doing workshops and conferences. It was a pretty amazing time, I have to say. Yeah. When I was at Black Hat a few weeks ago, we were talking about how
00:06:50
Speaker
much of the industry has evolved since 2001, even 2008, 2009, that it was really even before there was much of an industry back when it was DEFCON, just a couple hundred people getting together and hanging out. And now it's this industry piece that's just evolved almost unrecognizable from what it was back then.
00:07:16
Speaker
Absolutely. Back then it was kind of like, Oh, look, this is kind of cool. See what I can do. It's like, Oh, look, we can kind of figure out what the bad guys are doing. Oh, and it was just sort of like, it was fun and it was kind of a hobby and we would create tools and do analyses and give them out for free. And slowly we sort of evolved with the industry and it was an amazing early experience that changed my life forever.
00:07:49
Speaker
So one of the things that I noticed is, so back then, and there's a lot of profiling of hackers and some of their motivators and all incredibly important things.
00:08:03
Speaker
Lately, as the industry has grown, it's almost been now kind of a boomerang shift where we're also looking at the defenders, right?
Psychology in Cybersecurity
00:08:11
Speaker
So, okay, we've got the psychology of the attackers, but what's the psychology of the defenders as there's been an increase in burnout and stress and really trying to understand how to recruit people. I mean, the role of psychology in the industry itself. And so I would love to get your thoughts about that. So like, you know, for one, just
00:08:33
Speaker
how have you seen the role of psychology play into this industry? There's always psychology of all different industries, whether it's academia or whatever, but the security industry I think is unique. So I'd love to get your thoughts and how your background has helped you understand some of the dynamics of the security industry. Oh yeah, that's actually a pretty fabulous question. Back in the old days, back in 2000-ish, the profiles and the
00:09:02
Speaker
understanding of the hacking community and the people in it from a psychological or social psych perspective was horrifyingly bad. It was just horrible. There wasn't any theory and people just sort of said what their pet ideas were and it was just terrible. And so that's one of the reasons why I got interested in it.
00:09:27
Speaker
And I think that having the technical background and also the social psych training and research background really blended stuff together. But in the early days, it wasn't very well received.
00:09:48
Speaker
Back in that the combining psychology and social psychology and cybersecurity. I remember the first few years in the honey net project doing what we called the spooka Palooza tour, which is we hit, you know, a bunch of the agencies. And I've learned very quickly in the first couple of talks that software engineers and computer scientists and, and
00:10:17
Speaker
coders and things, they just didn't get it. It's just like, you know, who's this psychology guy? And after a couple of sort of, you know, bombing like a comedian in a comedy club a couple of times going, oh, this material is not working, I'd invent a story.
00:10:38
Speaker
that I would tell in the first couple of minutes that would basically engage those people. And they would think about it and go, oh, maybe this psychology guy has got something. Maybe I'll listen to him. And from then on, of course, life was a lot better. And over the years, more and more people have gotten interested in it. I remember years ago, the government calling me up one day and saying, hey, you know, we'd like
00:11:08
Speaker
you to list off everybody you know who is a social scientist interested in digital technology and the people and the relationships and also has a technical background. I said, well, you know, sadly, I think I can count them on two hands, but here they are.
00:11:29
Speaker
But now, today, things have really evolved and there are a lot more social scientists that are interested in it. And you're right, we're not only studying the threat actors, we're also studying the defenders. And that's a really pretty positive thing. I'm really happy and excited to see that. That's been one of my missions for the last
00:11:50
Speaker
two decades, basically trying to convince people that the human element of information security is a critically important element and that it's not just, you know, hardware and code. Yeah.
00:12:09
Speaker
Do you think that the way that we study attackers and profile attackers from the attacker side, do they look, I know they look at certainly the technology and where are the gaps in different technologies and different ways that they can access data or whatever their attack is going to be, but do you think they think about
00:12:32
Speaker
the psychology of a company or what they're going through, or, oh, this company has had a lot of layoffs, or this company just hired a new CSO. Therefore, they might not quite have everything altogether. There may be gaps. So not just the technical vulnerabilities, but the human vulnerabilities as well when they're making an attack.
Human Vulnerabilities in Cyber Strategies
00:12:54
Speaker
Oh, yeah. No, I think that's definitely the case.
00:12:58
Speaker
And so, for example, I sit on a board of a recently emerging out of stealth company called Picnic. And those guys are really interesting. They basically, I've sort of been consulting with them. They sort of crawl the web and pick up information about all of the company's employees.
00:13:25
Speaker
and their vendors and basically are able to sort of put it in some algorithms that we've worked on and basically produce sort of a threat score for every employee.
00:13:38
Speaker
And then it says, hey, look, you're looking pretty bad over here in this area. We suggest you do blah, blah, blah, blah. And so that's actually been kind of interesting and exciting. And also the malicious actors. So you've seen a lot of social engineering happening. And we're from some malicious actors. And that's pretty interesting.
00:14:06
Speaker
A lot of it for many years has been kind of mechanical social engineering. It's like, oh, here's a book and here's some techniques to use to basically social engineer somebody. It's sort of like you get a cookbook and you read the ingredients, you stick them together and hopefully you come out with a cake.
00:14:26
Speaker
And so to a great extent, basically that's what's been powering some of the psychology side of the threat actors in terms of the ones who are using it. The thing that I sort of get concerned about is that eventually some of these threat actors may begin to start applying theory from psychology and social psychology to leverage what they're doing
00:14:55
Speaker
And that, of course, is concerning. Yeah. And when I'm walking through the trade shows or talking to people, there's these amazing, amazing technologies out there. And I think one of the things that is so important, of course, is the user's ability to use said software and to work together as a team and to not silo in organizations.
00:15:23
Speaker
There's a lot of things that Netography does looking at that, but making sure there's open lines of communication. And Reno is looking at the psychology of things, how much, and there's so much breakdown even within an organization and communication a lot of times that I imagine it would be just tremendously easy to work that to an attacker's advantage. That's definitely really true. And that's how some malicious actors are now approaching it, basically.
00:15:53
Speaker
compiling their reverse threat hunting. They're basically looking for vulnerable individuals and then producing dossiers or profiles of them and then using psychological theory to figure out how to manipulate them to basically exploit them. Yeah. Yeah. They're evolving. They're evolving. They're evolving.
00:16:19
Speaker
So, and you've also written several papers on the psychology of cyber terrorism and human behavior. Could you speak a little bit about that a little bit here, kind of some of your findings and how from kind of a macro and micro level, does your theories on cyber terrorism then apply, but also within an organization, are there parallels, big picture, little picture?
Cyber Terrorism Paradigms
00:16:41
Speaker
Okay, that's a good question. So I've been working in the area of cyber terrorism for some time.
00:16:47
Speaker
I, until the pandemic hit every once or twice a year, I would fly to NATO's Center of Excellence for Counterterrorism and join its multinational team and teach the counterterrorism courses in the cyber domain.
00:17:08
Speaker
two critical dichotomies that the dichotomy really have to think about when you first start thinking about cyber terrorism is basically there are two paradigms. There's one where traditional terrorists basically use digital technology for command and control, for fundraising, for recruiting, for these usual kinds of things. And then, so that's like terrorist use of cyberspace.
00:17:38
Speaker
I don't really call that cyber terrorism. On the other hand, there are individuals, malicious individuals who are using digital technology as the weapon. And so those I classify as true cyber terrorists. And it's sort of interesting to sort of think about the definition of terrorism. There are over 100 definitions of terrorism. So, you know,
00:18:05
Speaker
pick your flavor, not generally very helpful, right? But the one that I use that I developed is basically looking at, so the generating fear and anxiety in a specific population
00:18:32
Speaker
And so basically using digital technology. So for example, the example I like to use is basically imagine you've seen a lot of these ransomware attacks on hospitals and things like that, right?
00:18:49
Speaker
And basically, there are six motivations, money, ego, entertainment, cause, entrance to social group, and status. And basically, when you think of a ransomware attack on a hospital, you think the motivation is basically money. It's basically what they're after. However, if you look at it from the victim's perspective, say,
00:19:12
Speaker
either a patient in the hospital or family or friend of a patient in the hospital, if you take that definition of terrorism and apply it to the situation of the ransomware in the hospital, where basically critical services get cut off, that's basic terrorism using cyber. And so the definitions of cyber terrorism are beginning to evolve and
00:19:40
Speaker
For a number of years, people have said, cyber terrorism. Ah, hooey. There's nothing like that. You're being over, you're frightening people, et cetera, et cetera. But in fact, that's not really the case. It's really sort of emerging.
Future of Cyber Terrorism
00:19:59
Speaker
And I've sort of looked at specific epochs in the,
00:20:07
Speaker
timeline of people in digital technology. So basically the first epoch was the hacking community or the hacker movement. And so, you know, a number of years ago that rose and rose and rose and rose and it sort of plateaued and now it's kind of on the way down. That epoch is on the way down.
00:20:33
Speaker
And what happened is if you look at some of the social scientists, social movement theory, so there's this woman, Nancy Whittier, a pretty fabulous smart woman, who talks about spinning social movements off. And so off the hacking community movement or epoch spun the cybercrime epoch, right?
00:20:59
Speaker
We're actually in that epoch now. And of course, it's still gaining ground and will be in ground for some time. And in theory, at some point, it's going to plateau and then do the same behavior that the hacking community one did. And so I sat down and I said, well, hmm, what's next? Epoch one, epoch two. Well, what's epoch three? And so looking at various social movement theorists like Heron Huang,
00:21:29
Speaker
and some of the classic folks decided that Epoch 3 is probably the emergence of a cyber terror movement in community. I think that
00:21:42
Speaker
probably has a non-trivial probability of happening. And so I sort of say, well, you know, Epoch 1 has sort of matured. Epoch 2 is basically still growing. And Epoch 3, the cyber terror epoch, is basically gestating. Hasn't shown up yet, but it's coming. OK. And so if you are at an organization, say you're
00:22:11
Speaker
you're a CISO, you're a security leader, or even just a security professional. What do you do with that information, I guess? You can look at it and say, okay, here's my network defense check here, and your technical checklist. When faced with some of the social or psychological challenges in the security industry,
00:22:36
Speaker
First off, what do you think are the biggest challenges for a business or if you are a CISO, so let's say, okay, now, boom, you're a CISO, you're a security leader. What do you think about? What keeps you up? And then what are their challenges and what do they do with that information? Because I think sometimes they can be trained in the technical side of things, but training people on humans, human training is a whole other
00:22:59
Speaker
All other ball of wax, you're absolutely right. You're actually a faculty, a set of faculty members here and I are proposing to put together a set of sort of mini credentials and mini courses for our cybersecurity people, as well as the humanities or social sciences people and mix them together to try and produce a synergy. So we'll see if NEH goes for that.
00:23:26
Speaker
But also when you look at the environment, one of the things that I see that's encouraging are things that are emerging like threat hunting, right? Traditionally, cyber has always been sort of like defensive, hide in the corner, build a fence, make sure nobody gets through, et cetera. But now people are becoming more proactive and they're threat hunting and they're going out to try and say,
00:23:54
Speaker
Well, what are the threats out there and what are the characteristics of those threats and how do we figure out how to identify them and how do we figure out how to protect from them and things like that? I think that's an incredible improvement over the old days. And I think we're going to see a lot more of that coming in the future. And so, you know, I would encourage you to see those, especially from, you know, large organizations that can afford to do it to, you know,
00:24:23
Speaker
in large things like threat hunting and branch out and begin to think about what future emerging threats might happen. That's actually one of my favorite things to do. I did some stuff for NATO Allied Transformation Command on the future battlefield. But basically, if you can anticipate future emerging threats and produce scenarios, whether it's cyber terrorism or just traditional, you know, malicious online actors,
00:24:53
Speaker
Then basically you can, if you're in the government, you can convince policymakers to say, hey, look, here are the threats we think are on the horizon. Here there are sort of probabilities we think that they might emerge. And then the policymakers can put resources and effort into those areas, those scenarios to sort of like buying insurance.
00:25:18
Speaker
Basically, if that scenario comes up, you're already ahead of the game. You understand what's happening, you understand the consequences, you understand some of the ways that you can attenuate or perhaps eliminate the threat. And so, you know, that sort of strategy can also be transferred to large organizations and CISOs.
Mental Health in Cybersecurity
00:25:39
Speaker
So then when I think about the different layers of psychology, so there's profiling, and then there's
00:25:48
Speaker
your own mental health too. And it seems like the security industry more and more has been going through somewhat of a mental health crisis. Well, the whole world could be really, but what I kind of look at, I go, okay, what are the challenges unique? You know, why is there such turnover? Why is burnout such a hot topic? What's happening and what are unique about these individuals? In your opinion, what do you think is unique about the security industry? So one,
00:26:18
Speaker
some of the challenges that they face? Like, why do you think burnout is such a huge issue? Do you think we could do a better job at taking care of our mental health? And like I said, I could go off into the whole world, you know, talking about different areas about this, but to keep it to the security industry, I'd love to get your, your input on how we take care of ourselves and each other in the industry.
00:26:39
Speaker
Well, that's a really fabulous question. And you're right. I mean, it's a pretty stressful occupation. And there are a number of different factors that contribute to that. The first, of course, is basically the gap between the number of information security professionals that are out there and the number of positions or jobs that are open. You're basically getting overworked. There are hundreds of thousands of open cybersecurity positions that they can't seem to fill.
00:27:09
Speaker
And so basically you have to do two people's jobs or two and a half people's jobs or things like that. So that adds to the sort of psychological
00:27:18
Speaker
damage that happens to information professionals, information security professionals. That's one thing. The second thing, of course, is the consequences of a breach or an attack. And it's not like, oh, we lost $1,000. It's like, oh, we lost $20 million worth of IP and things like that. So there's that pressure of the consequences that are so serious.
00:27:49
Speaker
There's also the dimension of basically the changing threat environment. It's always changing. It's not like, oh, well, okay, we learned our stuff. We just do these things. We're okay. It's constantly changing, which means you're always constantly on guard and suspicious and looking to see what's happening next and unsure of like, is this a threat? Is this not a threat? And so that generates a lot of stress in information security professionals.
00:28:19
Speaker
And it's really pretty tough. And also you have to sort of keep up with the latest technologies. You can't just sort of float and say, okay, I got my certs, I'm okay. And so there's, then also you're often isolated to some extent. You don't get to talk, there are lots of silos. You don't get to talk to infosec people in other companies because no one wants to talk about the dirty laundry.
00:28:48
Speaker
or what's happening, right? And so there are these incredible psychological pressures on information security professionals, which really sort of causes them to kind of burn out pretty early. And that's true in industry and also true in government and in the intelligence community. Yeah, it is a really good point, the isolation of it. I mean, one by nature, one of the things I say is that most
00:29:19
Speaker
Most people that go into any technology, not just security, but whether they're coding, developers, whatever, they're usually not doing it because talking to people is their favorite thing to do. Usually it's a good computer to human relationship there. And so sometimes that, right, you can't necessarily talk with your peers about, well, this is what I do with that kind of transparency and that connection that most of us do need at some point.
00:29:47
Speaker
Yeah, of course. So it's actually true having, you know, studied the hacker community for many, many years that once you get them started, they're actually quite social and they'll chat, they'll talk a lot and things like that. But it's, it's sort of providing the right environment to do that in, uh, in terms of trust and, uh, uh, non-pressure and then disclosure and things like that, where basically those, those things happen. So then, then you can't get them to shut up.
00:30:18
Speaker
I think having just come off of Hacker Summer Camp, all the different events that are there, it's like, yeah, the amount of bonding and communication and we need each other.
Role of Hacker Conventions
00:30:32
Speaker
I think that's one of the things when walking through DefCon and looking at that, it's like, yes, this is where so many people come to find their people. Because also a lot of times in organizations, when I've talked to people,
00:30:44
Speaker
They do feel isolated within the organization, because not many people speak their language, so to speak. They're annoyed by them. Like, what do you mean I have to change my password again? And yeah, I find that that can be isolated until they get together and then can hopefully share and open up. There are more things as well. So when I was in graduate school, one of the things we did, we looked at,
00:31:13
Speaker
verbal and nonverbal communication. And so, especially in the early days, before you had, you know, video conferences and stuff like that, basically the communication was via very limited bandwidth, like a post on a blog site or, you know, Instagram or Twitter or something that has a very sort of narrow bandwidth in terms of human communications.
00:31:42
Speaker
But there are so many things that happen in a face-to-face discussion. Even today with us right here, there are the bandwidth isn't what it should be in terms versus a face-to-face conversation. And there are all sorts of things like looking while speaking, looking while listening, gestures, influences,
00:32:08
Speaker
Oh, just all sorts of stuff that doesn't get communicated. There's a huge bandwidth when you're face to face in terms of communication back and forth. And when you don't have that, that's when conflict often arises and other issues. And so that's a real problem for an information security professional. That's why hacker conventions are so critical
00:32:36
Speaker
to the sort of equilibrium of the hacker community. Basically, you'll see people who basically have flamed each other and hate each other for a year or years, sort of show up at DEF CON at the same bar. And there's a bit of grumbling as something that by the end of day two, they're buying each other's beers because this bandwidth communication, human communication is so much wider and these
00:33:06
Speaker
issues, these human issues, get worked out, whereas when you're doing it through technology, it often isn't the case. I'm trying to, blank on the name of the communication model, but what I remember about it the most, it's something like we only hear, I think I want to say it's seven percent of the words that people actually say, and everything else is nonverbal communication when, you know, it's all body language and tone of voice and
00:33:35
Speaker
when you're communicating online, and I'm sure you're probably seeing those meme parodies of, you know, what if we talk to each other like we talk online, you know, you know, I'm quitting social media off, you know, this new dynamic of communications and the academic community, what I found anyway is that
00:33:53
Speaker
By the time the APA, the American Psychological Association catches up to technology, it takes almost a year or so to get research published, and by then it's outdated. And certainly I run into this with my students when I teach. But yeah, this online communication, I'm obviously, I need it. I'm a big fan. But I remember when I did my research, it was 2002, and I had to find people that spent over six hours online, and it was really hard to do.
00:34:23
Speaker
really hard to do. And now, my minimum was people who spent less than two hours online. I don't think I could find that anymore. But we don't know because we haven't studied, okay, let's take all these communication models for how we communicate in a business world. And what does that look like when we communicate online, that even just the role of the emoji or, you know, tone of voice and, you know, the factor of noise,
00:34:50
Speaker
I can dig out on this forever, clearly, but I love this stuff. And emojis have emerged from the fact that you had that narrow bandwidth. And it's like you wanted to express this particular feeling or emotion. It's like, oh, I don't know how to do. Oh, look, here's a smiley face. Here's a laughing person with stuff like that. And so yeah. And part of it has been that there haven't been very many social scientists that have been really interested in
00:35:18
Speaker
digital communications and how digital technology changes people. Until more recently, there are beginning to be more social scientists and academia that are doing this, but we're a pretty small crowd still.
Recognition of Cyberpsychology
00:35:35
Speaker
When I talk to people about cyberpsychology, the number one question is like, well, what is cyberpsychology? I haven't heard of it. 2002 was when I had my first publication. I mean, it was in the Journal of Cyberpsychology. I mean, that's 20 years ago, and it's still not an APA chapter division. There's only a handful of programs.
00:35:59
Speaker
So it's one of the reasons why I was so excited to talk to you, because finding somebody who is at that intersection of security and psychology and social sciences, really, what I found, it has a unique perspective to share. Sure, and I share that frustration. People often go, oh, what do you do? And it's like, you know, how do you describe that? So I had to actually, you know, craft a mission statement that basically made them happy, and so I would say basically, well,
00:36:28
Speaker
My mission is to help develop a better, more comprehensive understanding of the relationships between people and digital technology from a national security perspective. And that basically covered it. And then they started to say, oh, okay, I kind of get that. Yeah, it puts it into the translatable terms. And I find people are really open to it and interested because again, it's not something that's covered.
00:36:58
Speaker
very often. There's talks here and there, and certainly we've seen more with, but usually the BSides events and some of the local events. And I know there's one year RSA had a, there's the human connection theme or something along those lines a couple of years ago. So it's
00:37:18
Speaker
on the radar. It might be far off the radar. We're missing it, but I've seen it in recent years at least. Well, like we said, a little bit more in focus than it was maybe 20 years ago or so. I think you have pretty astute observations and it's sort of just emerging in industry. It's still pretty rare. It's still
00:37:44
Speaker
pretty rare in academia as well. The only place I actually sort of see it catching on is in the last few years in the intelligence community. Really?
Psychology in Intelligence Community
00:37:58
Speaker
Yeah. They were kind of ahead of the game, even though you wouldn't think they were, but they were. Interesting. What do you think what appealed to, or why were they drawn to it, or what do you think
00:38:14
Speaker
Well, because I think to some extent, for example, the intelligence community is a lot more open-minded about ideas that maybe are not like, oh, this is a traditional standard idea, sort of more out there, kind of out of the box kinds of theories and ideas. And of course they were getting charged with basically helping defend the country and figuring out why are people doing this? And so actually,
00:38:44
Speaker
They've been at it for a while and getting better all the time. IRPUB recently has been working on a bunch of stuff in the psych and digital threat area. Well, I talked for one last question. I'd love to know what advice or resources, this could be either pearls of wisdom, books, podcasts, anything like that, but for CSO security leaders and security professionals.
00:39:14
Speaker
Wow. That's a hard question to answer succinctly, but I mean, I guess if I had to, you know, give them the elevator pitch, I was waiting to go out of the elevator. You know, basically it's, it's, you can't just depend upon hardware and software and coding.
00:39:37
Speaker
You're really, you know, one of the weakest links in your organization is people and how they get manipulated and understanding the psychology of the threat environment is incredibly important. And so anything that you can do to sort of get out of this defensive, you know, sort of
00:39:59
Speaker
huddle like this and begin to reach out to do more proactive things like threat hunting and communications with other organizations.
00:40:14
Speaker
Those things are really incredibly important. If you want to prepare for the future, you basically have to think about the psychology and social psychology of the relationships between people in digital technology and start incorporating that. And I know that's pretty tough because organizations often skimp on their information security budgets. And when they do buy stuff,
00:40:42
Speaker
They buy racks of hardware and they buy infosec people and things like that. But you really have to invest forward in order to protect yourself. And that's often a tough pitch to make.
00:41:02
Speaker
Because it's sort of like, well, we've spent this much already. But it's like, well, yeah, but it's only a tiny proportion of your total expenses for the organization. It's like, perhaps you should be doubling that and looking into these other areas. Because in the future, it's the organizations that protect themselves and look ahead to future threats the best are the ones that are going to have the best chance of survival.
00:41:34
Speaker
Totally agree. Well, thank you so much for your time and insight. It's been such a pleasure to have you. Great fun, Stacey. All right. Well, to our listeners, thank you so much for tuning in to this episode of Cyber Psych, and we'll see you next time. Have a great one.