Blind spots and biases: Experts get real at IMPACT 2024 USA

Even seasoned practitioners mess up sometimes. We all do.

And when we do, we make our own lives harder, sure. 

But who else is affected? The people we’re supposed to be helping.

It’s not your fault. Security advice is hard to get right. There’s so much to consider, like:

• • How do I get across the important stuff without bombarding people?
  • How do I know if anyone’s actually learning anything from my training programme?
  • How do I know if any of this is making a difference to people’s security behaviors?

And perhaps hardest of all:

How do we (security professionals) navigate our own biases and assumptions … when we’re not even aware of them?

So, for IMPACT 2024 USA, we rounded up a panel of stellar human risk management experts to get their teeth into this tough topic.

Wait, what’s IMPACT?

It’s an annual event for the human risk management community, hosted by CybSafe and supported by some of the biggest players in the industry.

It’s where you can get the juiciest insight from recent research on human risk management.

And get this: IMPACT 2024 was double the fun and (you guessed it) double the impact. Because not only did the event return to the UK for a triumphant fourth year, it soared across the Atlantic for a groundbreaking inaugural event in the US of A.

So regardless of whether you say courgette or zucchini, IMPACT is a rid-i-culously valuable opportunity for anyone thinking about human risk.

Make sure this was the last IMPACT you missed: Join our mailing list.

Let’s meet the panel…

• • Juhi Ramireddi, Engineering Manager in Product Security for Peloton Interactive. Juhi oversees the product security element at fitness giant Peloton. She manages a team of application and device security engineers, working closely with product engineers.
  • Josh Gordon, Manager overseeing Security Services at Steward Health Care. Steward is a privately owned operator of hospitals across the US. One of the teams he leads is the Security and Awareness Training team.
  • Lisa Plaggemier, Executive Director at the National Cyber Security Alliance (NCA). Lisa’s a prominent security influencer, known for her stellar record of engaging and empowering businesses and their employees to protect themselves and their data.
  • And Oz Alashe, CybSafe’s CEO and founder, moderated the session.

This panel really knows its stuff. This lot is uber-accomplished, with a wealth of experience across different areas of human risk management. 

And, as we’ll see, there’s a lot they want you to know. So let’s delve into the heart of the debate.

1. Putting the story in security: More marketers, please!

Some of the security comms out there would make a grown marketer weep, according to the panel.

The problem? Cybersecurity is suffering from a lack of marketing and comms expertise.

“I’m super biased because I’m a former CMO,” says Lisa. “We need more marketers and more advertising people.” Lisa wants security practitioners to understand and make use of the huge value in using marketing insight to engaging, digestible, actionable security awareness campaigns. 

Burying people under a laundry list of dos and don’ts isn’t helping people to make more secure choices, Lisa continues. “I still see company newsletter articles that are using size ten font, have no images on them, and the articles are hundreds and hundreds and hundreds of words long. Nobody’s going to read that … No marketer would ever say you should tell people to do two hundred different things … That’s just second nature—you know that nobody’s going to do any of them.”

“I still see company newsletter articles that are using size ten font, have no images on them, and the articles are hundreds and hundreds and hundreds of words long. Nobody’s going to read that.” – Lisa Plaggemier, National Cyber Security Alliance

As anyone with an email inbox knows, marketing is ever more personalized to individuals. Cybersecurity messaging needs to be the same, adds Juhi: “Data gathering is key, so we can understand knowledge gaps and target them. As well as preferred learning styles and preferred ways of taking in information.” Lisa is in agreement, saying: “We need more customized, personalized messaging and training … Everybody in the marketing space is personalizing everything as much as they possibly can.”

Josh is putting this into action, with a communications professional on his team: “She’s taking our forty-five-minute training and breaking it up into four ten-minute quarterly sessions.” And one of the best things about this team member? “She’s not a cybersecurity person,” Josh adds. 

In other words, a team member with a lack of cyber expertise is a secret weapon, able to filter out techie jargon and instead help craft messaging that lands with non-experts.

A team member with a lack of cyber expertise is a secret weapon.

Marketing magic is, in part, about the power of storytelling, and Lisa wants cybersecurity practitioners to leverage this power in security awareness. There are a lot of compelling narratives that can grab people’s attention and build engagement. And you can easily get metrics like open rates, and time spent on content can be used to measure the success of storytelling approaches.

Meanwhile, Juhi has the utmost respect for how marketers make the most of data: 

“These folks are skilled at understanding how to get specific types of information to a specific audience,” she says. “I think the thing that comes before even getting the information to them is the data-gathering part … There are dedicated comms folks in organizations that are really great at this.”

Lisa’s on the same page here, agreeing that marketers are dab hands with data: “What do you think Google does with all that data they collect from us? They sell it to marketers, who then turn around and put personalized messaging and advertising in front of us.”

But beyond delivering digestible, relevant information, the most successful brands build a relationship with their audience, and HRM needs to do the same. What’s the answer? We need to go beyond simply providing information. How? 

Through storytelling, says Lisa: “You really have to look at the consumer world to understand a little bit more about how people consume content,” she says. The words of a VP of marketing that she met many years ago stuck with her: “Don’t feed them lunch, make them hungry.”

“There are some fascinating human interest stories in the world of cyber,” she continues, “and we water it all down to ‘don’t click on stuff’ instead of drawing people in with better use of storytelling.” 

“There are some fascinating human interest stories in the world of cyber, and we water it all down to ‘don’t click on stuff’ instead of drawing people in with better use of storytelling.”

It comes down to this: Marketing principles and practices can have a big impact within HRM. They can play a big role in creating compelling and impactful interventions that resonate with your people. Marketing strategies such as storytelling can build trust and encourage ongoing engagement with cybersecurity.

2. Early starts and engineering: Training needs an almighty overhaul

When it came to training, the panel didn’t hold back. They called for a fundamental shift in how we approach security awareness training. And it starts with the kids.

Because Josh can barely believe that we’re not more widely instilling security awareness from a young age. “Why are we educating people at this point in their careers? Shouldn’t it have started a lot earlier? My daughter’s eight years old and she’s had a computer at school since six. I think if you ingrain it at a young age we’d all definitely have a much easier time.”

“Why are we educating people at this point in their careers? Shouldn’t it have started a lot earlier?” – Josh Gordon, Steward Health Care

Juhi’s all for starting earlier too: “I actually drove a program back in Singapore at my alma mater, where we looked at: Instead of security engineering being a separate module, how can we incorporate some of that in existing engineering content?” 

Juhi thinks the training status quo is letting down engineers and technical experts: “A lot of the time, security engineering training is things that you can get off of the internet,” she points out. In response, Juhi and her focus on “processes like vulnerability management, where we use tools and assessments and penetration testing to find vulnerabilities in the products that we build. Then we use that as a feedback loop to see patterns in the kinds of vulnerabilities that are coming out of engineering, and use that as a pipeline into training.”

As we touched on when talking about marketing, personalization and microlearning are badly needed. Both Josh and Juhi highlighted the limitations of lengthy, one-size-fits-all training programs.

This is where we need to leverage automation, Josh says. “When you have a 50,000-people organization you can’t just go out and find out how each person [digests information]. … This is an example of where I’d love to see the academics collaborate more with the vendors.”

(This is precisely why CybSafe has a team of behavioral scientists, as well as world-class developers … and of course those marvelous marketing pros too.)

It’s abundantly clear to our powerhouse panel: Training needs to start early, get personal, chop up the chunks. Ultimately, it needs to be unashamedly and relentlessly holistic. If it isn’t, we’re failing people who need knowledge and skills to stay safe.

3. Flying high: Awareness (definitely) isn’t enough

If you’re here, reading this, you’ll know that security awareness training isn’t enough on its own. 

Or, let’s put that another way. Behavior change is unlikely the direct outcome of training. Knowledge is. And knowledge is, largely, a means to an end.

Yet many practitioners make the assumption that getting training = behavior change. 

Our panel wants everyone to critically examine this belief. And they want everyone to add other factors alongside training, or altering training.

Many practitioners make the assumption that getting training = behavior change.

So first, how can we make training better? Lisa had an example that she was keen to share.

“I’ve never had a year where I didn’t do one humorous campaign, just to get people’s attention,” Lisa says. “I actually had somebody contact me once after they reported an incident and tell me that it was because of the humorous campaign. Attribution doesn’t get any clearer than that.” Straight-up knowledge delivery isn’t appealing or engaging, yet with a dash of humor it can be far more palatable. This isn’t to say that humor leads to heaps of behavior change on its own, but it can be an effective ingredient.

And second, what else can we throw in the mix, alongside training?

“One of the things we’ve actually started to think about,” Josh says, “is who actually really needs to receive external emails? If they don’t need to receive them, they don’t. If they need one or two separate email domains to come in then we allow it, but other than that we just block all external email.” (Cue members of the audience clamoring to have external emails blocked.)

“Who really needs to receive external emails?” – Josh Gordon, Steward Health Care

Juhi broadens the scope of the discussion by bringing engineering into the mix. She is always keen to consider “how we can shift engineering behavior in a preemptive way so that we develop products that are ‘less hackable’.” Or, in other words, products that are secure by design.

In fact, secure by design was a key topic of IMPACT this year, and this panel discussion was no exception. “We’re kind of banging our heads against the wall until the tech sector gets serious about secure by design,” Lisa says. “We have to assume people make mistakes.” Lisa was keen to stress the importance of building in security features from a product’s inception, as this will reduce human error.

“We’re kind of banging our heads against the wall until the tech sector gets serious about secure by design.” – Lisa Plaggemier, National Cyber Security Alliance

Oz gave an unconventional example of how to effect behavior change with zero training: Studies show, he says, “that if you place a fly in the urinal, people aim better, reducing the amount of waste and mess on the wall by up to eighteen percent.”

This is significant because of all the things that didn’t happen, Oz points out. “Nobody got taught a single thing, nobody was communicated to about doing that, they didn’t have a message sent to them, nobody even reminded them.”

“In our evidence-based community,” he says, “one of the things that I think we should be taking away from all of this is if we come back to what we’re trying to achieve, there are potentially lots of different ways it could be done.”

“Sometimes you might want to be changing or influencing what people know, sometimes it might be wanting to influence what they feel, sometimes it might be wanting to influence how they behave, and sometimes it might be wanting to influence how engaged they are.”

The takeaway? Practitioners need a focus on outcomes, not just knowledge. And for that, we need to all think outside the training box, and drop the assumptions.

4. Metrics, Mustangs, and MFA: Was it worth it?

How might we, as a community, more effectively measure return on investment (ROI)? Josh posed this question, and it was echoed by several audience members too. “Is it zero clicks on a phishing email?” Josh asks. “Is it reducing clicks on live emails? What is the specific measurement and what is the goal, or are you just doing it for a checkbox type of thing?”

“What is the specific measurement and what is the goal, or are you just doing it for a checkbox type of thing?” – Josh Gordon, Steward Health Care

Central to the discussion is using data to optimize training. Juhi called attention to the value of measuring user response and engagement. “We’ve seen previously that security training at a specific volume, and for a specific duration, actually desensitizes specific audiences and specific pockets of the organization. So, at that point, less is more.”

It’s no secret that measuring ROI isn’t simple though. Lisa talked about her experiences of the challenges of attribution. If we’re throwing lots of interventions out there, how do we know which one(s) made the difference behaviorally? It’s often impossible to isolate the impact of a single factor.

Still, anecdotal evidence isn’t to be sniffed at. Plus, you don’t have to try to gather it single-handed. This is why Juhi loves champions: “I think some amount of data-gathering is also not just the metrics but also what we hear when we engage with the folks on the ground, anecdotally,” she reflects.

“I think some amount of data-gathering is also not just the metrics but also what we hear when we engage with the folks on the ground, anecdotally.” – Juhi Ramireddi, Peloton Interactive

Lisa draws on her previous role with Ford to illustrate the power of correlation. “If we won a race we’d sell more Mustangs or Thunderbirds the next day. But trying to get data and trying to figure out what is exactly the one thing that you said or did, the tactic or the messaging that pushes somebody over the edge to actually change behavior … any behavioral scientist will tell you that’s kind of impossible to figure out.”

And maybe that’s okay. Maybe, for many, a glimpse of the bigger picture is a vast improvement. “I think you just have to keep going and look for big-picture trends, changes in people’s attitudes, changes in people’s behavior,” Lisa suggests. Questions about the “nitty gritty,” she points out, are “usually asked by business or security people who are trying to cut budget, trying to say, ‘We don’t need to be doing this stuff because we can’t tell if it’s working.’”

At this point prioritization comes back into the discussion, as Lisa touches on National Cybersecurity Awareness Month’s themes, which over the past few years have held a definite pattern: “Right now we’re [the NCA] sticking as much as we can with those four behaviors that we talked about last October and the October before … and guess what, we’re going to talk about those this October and we’re trying to talk about them all year long.” 

Why? “Until we see significant movement in those four things, we shouldn’t stop. Once the whole world is using MFA, we’ll stop talking about it and we’ll talk about something else instead.”

“You have to just lather, rinse, repeat, constantly,” Lisa adds. “It has to be a constant drum beat in the background.”

“You have to just lather, rinse, repeat, constantly. It has to be a constant drum beat in the background at your organization, that we care about security.” – Lisa Plaggemier, National Cyber Security Alliance

So what’s the bottom line here? “If we’re serious about helping people, we have to be more focused on measuring whether what we’re doing is having the impact that we set out to have,” Oz says. But, as the conversation highlights, that doesn’t mean getting lost in the minutiae of pinning down every single metric, and more about making sure that the needle’s moving in the right direction.

There’s plenty more where that came from

Feeling stuffed? This has been a veritable banquet of food for thought.

And yet … this conversation is only a small part of what made IMPACT 2024 so eye-opening.

Missed out on all the fun? Download all the unmissable insights and headlines in one report: IMPACT: The Findings. 

It’s your cheat sheet to the biggest takeaways in human cyber risk. The latest academic research on the human aspect of cybersecurity. No filler, all hits.

What’s inside:

• • Finding and addressing vulnerabilities in your security strategy,
  • Why we get in our own way when trying to help people act safer,
  • Why cybersecurity is so messy…and why that’s okay!
  • The huge divide in our community, and how we might be able to close it,
  • And so, so much more.

Get your hands on it right now, right here: