Episode 24

Published on: 26th Sep 2024

Are cybersecurity sanctions effective? A conversation with Dr. Mikko Siponen

Most organizations use sanctions as a way of enforcing cybersecurity policies and encouraging sound security behaviors. But few organizations ever test whether these sanctions are effective. Often they aren't; in fact, when used improperly sanctions can backfire. In this episode of Cyber Ways, Tom and Craig talk about sanctions and their effectiveness with Dr. Mikko Siponen of the University of Alabama's Culverhouse College of Business. Dr. Siponen is among the world's leading scholars when it comes to understanding the effects of sanctions on cybersecurity behaviors. Listen and learn how your organization can use sanctions more effectively.

Guest bio:

Dr. Mikko Siponen is Professor of Business Cybersecurity and Management at the University of Alabama's Culverhouse College of Business. He holds advanced degrees in Software Engineering, Information Systems, and Philosophy. A leading scholar in Information Systems, he ranks among the top 30 worldwide based on publications in premier journals. Professor Siponen is the only Finnish IS professor invited to join The Finnish Academy of Science and Letters. His expertise spans cybersecurity management, IS development, and philosophical aspects of IS. He has extensive experience as a visiting professor, consultant, and research leader internationally, with a particular focus on cybersecurity management.

Key Topics Discussed:

Sanctions and Cybersecurity Policies:

  • Effectiveness of Sanctions:
      • Sanctions can work even without prior direct experience.
      • Firsthand sanction experiences may enhance effectiveness.
      • Can backfire if perceived as unjust, leading to resentment.
  • Employees' Awareness and Knowledge:
      • Typically lack detailed knowledge of cybersecurity policies.
      • Inadequate training contributes to confusion and non-compliance.
      • Policies often conflict with practical organizational needs (e.g., link clicking).

Training and Effectiveness:

  • Deficiencies in Training:
      • Often generic and check-the-box in nature, hence ineffective.
      • Rarely measured for effectiveness by providers.
  • Recommendations for Improvement:
      • Demand effectiveness metrics from training providers.
      • Training should reduce cybersecurity risks significantly.

Practical Implications and Recommendations:

  • Sanctions as a Deterrent:
      • Active Sanctions:
          • Monitored closely but can backfire if perceived as unjust.
      • Passive Sanctions:
          • Applied only when necessary, safer from backlash.
  • Communication and Awareness:
      • Clear, effective communication of cybersecurity policies and sanctions is crucial.
      • Must bridge the gap between policy and practical enforcement.
  • Balancing Fairness and Consistency:
      • Consistency across departments is vital to ensure fairness.
      • Fair sanctions are essential to prevent demotivation and resentment.
  • Sanction Implementation Tips:
      • Consider firm culture and employee perspectives.
      • Pilot test sanctions; gather employee feedback.
      • Obtain management support and recognize the impact of unions.

Understanding Employee Behavior:

  • Psychological Impact:
      • Sanctions can have long-term negative effects on employee perception.
      • Need for research on the psychological impact, especially for rule-breakers.

Current Research:

  • Dr. Mikko Siponen is working on:
      • Understanding and prevention of cybercrime through offender-victim communication.

Industry Trends:

  • Increasing sophistication of threat actors, potentially enhanced by AI.

Takeaways for Security Managers:

  • Sanctions need careful, context-sensitive application.
  • Ensure policies are known, understood, and perceived as fair and justified.
  • Training must be specific, engaging, and measured for effectiveness.

Cyber Ways is brought to you by the Center for Information Assurance, which is housed in the College of Business at Louisiana Tech University. The podcast is made possible through a "Just Business Grant," which is funded by the University's generous donors.

https://business.latech.edu/cyberways/


Transcript
Speaker:

Hi, folks. This is the Cyberways podcast, and we translate our academic knowledge about information security into stuff that you can use as a security professional. We think it's a unique mission. We think you'll like it. I'm Tom Stafford.

Speaker:

Craig Van Slyke. Tom and I are your hosts on your journey to knowledge. Cyberways is brought to you by the Louisiana Tech College of Business's Center For Information Assurance. The center offers undergraduate and graduate certificate programs in cybersecurity and sponsors academic research focused on behavioral aspects of cybersecurity and information privacy.

Speaker:

Hello, everybody, and welcome back in to Cyber Ways. This is a production of the Louisiana Tech Center For Information Assurance in the College of Business. It's a DHS NSA certified center of academic excellence in cybersecurity, and we consider one of our jobs is to connect you with the people that know what's happening in security research so you can take advantage of the very best findings in the most timely manner. Our special guest today is doctor Mikko Siponen. He is professor of business, cyber security, and management at the University of Alabama's Culverhouse College of Business. He holds advanced degrees, several advanced degrees, in software engineering, information systems, and my favorite of his group of degrees, philosophy. He's a leading scholar in information systems, one of the thought leaders in our behavioral information assurance workshop group. He ranks amongst the top 30 worldwide for publication. Take 2. He ranks among the top 40 worldwide based on his publications in premier journals. Professor Siponen is the only Finnish IS professor who's been invited to join the Finnish Academy of Science and Letters, and his expertise spans cybersecurity management, IS development, and philosophical aspects of information systems. He has extensive experience as a visiting professor, a consultant, and a research leader internationally with his particular focus on cybersecurity management. Mikko, welcome to our podcast.

Speaker:

Thank you. It's great to be here, and nice to discuss about sanctions and how they work, and what kind of things you should avoid if you are planning to use sanctions in your firm.

Speaker:

So what has had my attention for a number of years in the workshop group that we all attend is the role of sanctions and how they have an effect on better cyber security. And so I guess the question at the top of this, do sanctions work? How do they work?

Speaker:

Sanctions can work, but if you don't use them carefully, they can also be worse than useless. So that's why you have to be very careful when you're using sanctions. And today, I will discuss what we know and, you know, what kind of things you should avoid and so on. So you need to make sure that you understand what makes sanctions effective and what to avoid. And, luckily, many of these questions about the effectiveness of sanctions have already been answered in the scientific literature. Actually, in cybersecurity management, sanctions have been studied over 30 years, especially in information systems, the IS side of cybersecurity literature.

Speaker:

Talk to us about the factors that determine whether sanctions are effective or not.

Speaker:

Yeah. There are quite many. The most studied aspects are what people call certainty of sanctions and the severity of sanctions. So let's start with these 2 first. So the certainty of sanctions means, basically, likelihood of getting caught. So it means the likelihood that your activities will be detected and identified for the purpose of sanction. And very soon, I will give you examples. Okay. The other well known, well studied aspect of sanction is the severity of punishment. It basically means that if you get caught or somebody gets caught, you know, how harsh or big is the penalty. And in the literature, these are often presented in a way that the higher is the certainty and severity, the less risky cybersecurity behavior will follow. And, of course, on these two dimensions, there are few many which I'll explain later. People are talking about likelihood of getting caught and the severity of punishment. These refer to people or, in this case, users' perception. For example, their perception of the likelihood of detection and severity of punishment. So let's illustrate this with a very simple example first, which is familiar to everybody, namely driving over the speed limit. What the certainty of detection means, it means that if you believe that there is a police radar, you know, when you drive on a highway, you are more likely to drive within the speed limit. So the more likelihood you believe there's a police radar, the less likely you are driving over the speed limit. That's the likelihood of getting caught, also known as certainty of detection. The other thing is severity of the punishment. It basically means, in the driving over the speed limit example, that the higher is the ticket fine, the less likely you are, you are expected to drive within the speed limit. And now, I mean, in that kind of cases, applying sanction is quite easy and straightforward. But if you apply these elements to cybersecurity cases, it's a little bit challenging. So let's take phishing as an example. And let's illustrate one idea only. The certainty of detection, also known as the likelihood of getting caught. So if you're a cybersecurity manager and, you know, you apply this principle, you should ensure that the employees believe that if they click a phishing link or share their password, the company will monitor such incidents and impose sanctions on them. So what is the problem here? Well, the situation in cybersecurity, and, of course, this depends case by case, but in the phishing example, it's actually very different from the speeding example. Because in the speeding example, people usually know their car speed. Right? The only contribution might be what is the actual speed limit on the road, and then their navigators often provide that information. But if you think about the phishing victimization case, none of this is true. Employees often lack the necessary knowledge to separate a phishing message from a real one. And, you know, if you impose sanctions in that case, the sanctions may backfire because employees really believe, how should I, you know, know these things. That's why applying sanctions in cybersecurity cases is tricky.

And there are many other concerns. One is sanctions experience. If you believe the original theory developed in the seventies by a guy named Gibbs, so he was basically saying that you can use sanctions. The sanctions require sanctions experience. And there are 2 kinds of sanction experience if you follow the original idea. There are general and there are specific. The specific means that employees have received sanctions themselves. So they have own experience of receiving sanctions. That's called specific experience. The other experience is general experience. General experience means that you have not received sanctions yourself, but you have seen others received sanctions. For example, you may have never received a ticket for driving over the speed limit, but you know it's actually happening. People are getting caught and people get a ticket. Okay. So all of these conditions, if you think about the driving over the speed limit example, are easily met. Because people have either seen that, you know, this actually happened. You know? People are driving over the speed limit. They get caught, and they get a ticket, or they have their own experience of that. Or, well, in many cases, both. But in cybersecurity cases, that may not be the case. For example, think about password reuse, meaning you are using the same password in different accounts. Has anybody ever received sanctions for password reuse? When hardly anyone has personal experience of receiving sanctions in, you know, many cases like my example of password reuse, then there's no really interference experience. If we read the theory and we believe the theory, sanctions would not work in that kind of cases. Because without this experience that you have own experience of receiving sanctions, or you have seen that other people receive sanctions, the sanctions should not work if we believe the theory.

Speaker:

There's a difference between sanctions, which somebody else is imposing on you, and risk. So, like, I've never heard of anybody receiving a sanction for reusing the password, but I've heard of people that got hacked from reusing a password. So that's a very different thing. Right?

Speaker:

Yeah. It's a different thing. And, well, okay. If you believe the theory, here it means that you need to have sanction experience. Sanction experience does not mean that somebody hacked, but somebody hacked and then because of the hacking, the firm punished somebody. Of course, the sanctions might be formal or might be informal. Informal means that, you know, you get the warning or something. So that's basically what the sanctions experience means. Okay? And if you believe the theory, it means that you have seen that employees in the firm have received sanctions by the firm for not following cybersecurity policies, or they have own experience, or they have seen that, you know, somebody else actually received sanctions. And, again, the theory is saying, if that's not the case, sanctions should not work. Now I'm saying, the theory is actually wrong here. Because if you look at the evidence, as I said, we have been studying sanctions 30 years. And if you look at the scientific evidence, it points out that sanctions do have some effect in cybersecurity cases, even if there would be no sanction experience. So my conclusion here is that sanctions could be more effective if you have a sanction experience, meaning you have received sanctions or you have seen people have received sanctions by the firm for violating cybersecurity policies. But if firms are actually giving sanctions, that's tricky, as you know, when you impose sanctions, you actually start to punish people or give warnings, the sanctions may backfire. People don't like sanctions and so on, and they may turn against you.

Speaker:

That's an interesting stream in the literature that I've noticed. The articles you and your coauthors have been writing is the possibility of resentment arising from the organization enforcing its security mandate. I want to go back to the driving too fast in traffic example, because I'm going to be traveling up through your part of the woods in a couple of weeks. Straight past Tuscaloosa, I generally travel about 10 miles over the speed limit with a radar detector. The thing in my mind is I always slow down if everybody else slows down, and I always slow down if I see blue lights flashing, meaning somebody's been caught in a speed trap. That leads me to ask, the employees knowing about the punishable acts, knowing about what might get sanctioned, that's an aspect of this too, isn't it? Their awareness of a security protocol that might be applied against them?

Speaker:

Yeah. So the employees' knowledge should have a big role here, and especially if you read the theory. So the original theory assumes that users know already what is illegal or, in our case, cybersecurity policies and what is allowed and not allowed by the cybersecurity policies. But often the users may not know the policies. We have run a number of studies on these things, and, you know, most employees do not remember the details in cybersecurity policies. So that's, of course, a challenge. And there's also another knowledge issue related to how to do the right thing in terms of cybersecurity because cybersecurity policies may instruct, let's take a password example again. Okay? Cybersecurity policies may say, hey. Use long random unique password for each account. But then, you know, policy does not actually tell you how to do it, how you manage this, you know, how you remember countless long unique passwords. And there may not be training on this. Of course, this issue is not specific to use of sanctions, but that kind of challenge is there in terms of employees' knowledge that they don't know the cybersecurity policies. And even if they know, they don't necessarily know how to do the right thing because the company doesn't give them enough information. Training is not adequate and so on. Of course, as I mentioned, this issue is not specific to deterrence theory.

Speaker:

Maybe we can explore that a little bit more. As you were talking about that, I started thinking about if you're driving along the highway and you don't notice that the speed limit changes, you don't necessarily react to seeing that officer on the side of the road because you think you're going the speed limit. Well, then if you get a ticket and it turns out the speed limit sign was behind the branch of a tree, you're gonna experience a lot of resentment. And I think maybe, or let me ask, do you think that the same sort of thing is in play with cybersecurity? So we've got these policies, either we haven't received training on them or the policies are really complicated. We violate the policies, get caught, get punished. It seems like that would lead to resentment, wouldn't it?

Speaker:

Yeah. I mean, the big thing here is that it's a very different thing if you don't know the rules. And as I mentioned, for many firms, you just give the policies. There's some generic training. It means that people may not really understand, you know, why they have to follow these policies. And sometimes the policies are not actually good ones. You know? There might be conflict between what the cybersecurity policies are saying and what the firms want you to do. A common example is that security guys are saying don't click any links. And then, you know, administration is actually saying, just do this training and click a link. So, you know, that's a conflict.

Speaker:

Look at this document to see what I'm writing you about. They do that all the time where we were.

Speaker:

Yeah. So there's basic conflict that, you know, cybersecurity policy is in the conflict with what you should do in the work. And that's actually past cybersecurity management, not about the deterrence theory as such. Whether using sanctions or not, it's important that the policies make sense, employees understand the cybersecurity policies. And they also know how to cope, as I mentioned. You know? If you start to say, hey. For every account, you have 30 accounts. Every account use unique long password, but you don't tell how to actually manage this, then, you know, you are not really helping employees.

Speaker:

And then don't use a password manager because that's risks. I know, yeah. Well, and I don't know about where you are, but we have annual training. Yeah. And it's, what, Tom, 4 hours, 5 hours of just all kinds of training.

Speaker:

It's a chunk of time. Yeah.

Speaker:

And the security training is buried in the middle of that, and you're kind of tuned out. You know, all you wanna do is get through the training. That's why I wonder if that's a reason that people react poorly when they are sanctioned because they feel like the training isn't very effective. It goes back to your awareness. So what about,

Speaker:

Can I quickly comment on that?

Speaker:

Sure. Sure.

Speaker:

So this is almost like a universal problem. So not specific to sanctions, of course. It also has implications for sanctions because if you don't know the policies, you don't know how to react. But often, you know, and the people who are listening to this, if they are cybersecurity managers, you know, or you are responsible for the cybersecurity, you should ask, have you ever asked from the provider who is actually giving you the training how effective the training is? Mhmm. So for example, if you take a vaccine, you, you know, you ask, like, how effective? Is this giving me 80% of protection or 70% of protection and so on? You know, if you have a cybersecurity training, you should ask the provider, give me test results. How effective the training is? Right. So, you know, is it actually, if I have, let's say, anti phishing training, how effective this training is against the, you know, how much lower is the rate of victimization? And most providers, they have never even tested. You know, while you're selling or buying products which you don't know how effective they are. And if they aren't effective, are you actually wasting employees' time?

Speaker:

Do you think that's just checking a box?

Speaker:

Yeah. You know? That's a lot of, because lot of cybersecurity management, that's a really different topic. Lot of cybersecurity management is people call it best practice, but it basically does that, you know, tick box compliance that you can say to auditors that, hey. We have covered this. Right. You don't really care or you don't know how to, you know, what is actually quality here. You just say, hey, we did this. Next item, we did this.

Speaker:

Right. Right. Well, you said something earlier that I wanted to come back and revisit, which is that employees typically don't know the full totality of the information security policy of the organization, and that implies that the information security officers need to be able to communicate not only the restrictions and the prohibitions, but also the sanctions associated with violating them in an effective and reasonable way. How can the security managers get that word out in a way that will be effective with the other employees?

Speaker:

In communicating sanctions, there are a couple of things. First, you need to understand the firm culture and the nature of the firm business. So if sanctions are not self evident, and depending on the firm culture and existing cybersecurity education efforts, you must explain why the sanctions are necessary if you want to use them effectively. Also, you should think about putting yourself in employee shoes. You know, say, hey. How about these sanctions? Would you accept these sanctions if you would be the employee? If you want to introduce sanctions, you should pilot test ideas with your people. Discuss the concept and get feedback on how they think about this. And, of course, you need management support. And in any reason, and this is really depending on the country or state or even, you know, what kind of firm. Is it public firm or is it, like, private firm? But, you know, some cases, some countries, some states, there might be a strong work union. And if there's a strong work union, they may actually challenge you unless you are well prepared. A lot of cases in my consulting work where, you know, lot of things we introduce and then the work union came and, you know, are you actually, you know, what you are doing for our creative employees. You have to know your firm culture well, what kind of culture it is, put you in employees' shoes, pilot test ideas, get management support, and so on.

Speaker:

So for our listeners who are generally managers responsible for determining how to manage security violations, how do they determine the right level of sanction? In our protection motivation work that we're all familiar with tends to suggest that if you have too heavy a hammer, people are gonna shy away out of perceptual screening, essentially. The old fear appeals argument, don't scare them too much. How does the CISO determine the right level of sanctions so they're maximally effective?

Speaker:

First, I think you should understand, as I mentioned, you should understand the firm's culture, and that's very different. And here, actually, I think many scientists make a mistake. You know? Let's assume you have a very liberal university and philosophy department. That's an extreme example. Most employees think that sanctions would be absurd unless you really explain them carefully, and perhaps you are never able to do that. In contrast, if you go to military organizations, almost everybody knows, hey. There will be sanctions. You know? It's a normal thing. In Northern Europe or France, employees expect more autonomy, so sanctions must be justified more than other countries. In turn, if you go, like, US in the Middle East, sanctions are more commonly used. So, you know, you need to know your firm culture. In cultures where sanctions are not, in firms' culture where sanctions are not commonly used, then you really need to justify the sanctions and especially if there are harder sanctions. But as I mentioned, this really depends on the firm's culture, so it's a very firm specific issue. But you can also compare the cybersecurity sanctions with other sanctions. What kind of sanctions is the firm giving for other types of violations? And, again, same comments apply. Put yourself into employee shoes. Pilot testing the ideas with few people. And, of course, you need to get management support, as I mentioned, also.

Speaker:

Sounds like sanctions could backfire if they're not engineered properly. How could a manager avoid sanctioning in a way that would have an unintended effect?

Speaker:

Backfire basically means that you increase sanctions for improving cybersecurity behavior. Perhaps cybersecurity behavior increases, but then you have negative effects, kind of side effects. People don't like sanctions, as a result of which their work motivation may decrease. They may start to hate cybersecurity, or they may start to hate IT or even leave the firm. In case of cybersecurity, one concern is also privacy. It can depend on the culture and even people, what they think about privacy. For some people, privacy is very important. For some people, it's not. The privacy is important in cybersecurity cases because often when you actively use sanctions, you have to monitor. Right? And that may involve violating employees' privacy. And because of privacy concerns, people may start to hate cybersecurity, hate IT because they think that they are one and the same thing and so on. And we have studied that. We have one study where, that was field experiments in Europe. So short term, the cybersecurity behavior increased. Longer term, the sanctions were not effective in cybersecurity behavior, but there was backfire effect that people didn't trust the company and lot of negative views regarding the company and so on. So in order to avoid the backfire effect, you must understand that the employees get the importance of cybersecurity policies and the reasons behind regulating some actions by sanctions. This is depending on the firm's nature. If you are a military organization, this is easy. If you are in a university, very hard, depending on the firm culture. But the idea is that if you use sanctions actively, you need to justify them if they are not already self evident for employees. And in many organizations, they are not self evident for employees. And, you know, they need to understand why the activities sanctioned by sanctions are important to cover and so on. If they don't understand that, if they're not accurate, that they think that it's, you know, you are just violating their privacy or you are just making their work harder, then you most likely will get the backfire effect.

Speaker:

I'm hearing a pretty consistent subtext of fairness. So a lot of the things that you're mentioning that can cause the sanctions to backfire would be when the employees don't feel like it's fair. Yeah. You know, you're violating my privacy. You know, I didn't understand. You didn't communicate. They're too harsh. But I wonder if unevenness in sanctions is a problem. I know at universities and a lot of other organizations, different departments or different functional areas have different subcultures. And so if you're talking to somebody in another department, then, you know, they get to leave early on Fridays, and, you know, nobody cares when you come in. And your boss says, you better be at your desk at 8, and you better not be out that door before 5. That seems like it could cause a lot of problems. Is that an issue with the security sanctions as well?

Speaker:

Well, that's an excellent question. I don't think that anybody knows the answer to that.

Speaker:

Alright. Future research.

Speaker:

Yeah.

Speaker:

Okay. So I think what I'm taking from this is if the security provisions they're required to follow aren't common sense, if they don't already know it, it needs to be carefully explained in an explicit manner by the manager,

Speaker:

Absolutely.

Speaker:

in order to justify its application. So it's almost as though explaining the security policy achieves a lot of what has to happen. It's that 1%, those with a certain sense of psychopathy who are gonna break the rules anyway, that need to understand they're gonna get punished if they don't comply.

Speaker:

You know, if you think about the employees' compliance with cybersecurity policies, lot of cases where almost every organization should do better, and that's not necessarily sanctions. Specific issue is that, you know, you should make effort that the employees understand the policies and

Speaker:

why, you know, the policies are like they are. I don't know

Speaker:

that there's research into this in in the context of cybersecurity,

Speaker:

but I think there's there are some psychologists that

Speaker:

would say that the sanctions actually might

Speaker:

have a an increasing effect on violations

Speaker:

by those who are suffer from psychopathy, because that's

Speaker:

part of the thrill. You know, if you don't get caught, there's not

Speaker:

a chance of getting caught, then you don't get that thrill out of it. And

Speaker:

so I I just wonder, that might be an interesting avenue of

Speaker:

research as well. But I don't think I've read anything in

Speaker:

cybersecurity that's talked about that. No. I don't my

Speaker:

understanding is that nobody has studied this in in the cybersecurity context.

Speaker:

So I have I cannot really I

Speaker:

think the closest we get to that are the the very interesting findings in in

Speaker:

in Mikko's prior work, particularly about people wanting to

Speaker:

I don't wanna say get even with the boss for the boss being stringent, but

Speaker:

the the the whole ledger keeping, scale

Speaker:

balancing part of, deciding to act out just because you think

Speaker:

they're being too stringent. Yeah. That

Speaker:

might be. But What do you have coming in the

Speaker:

pipeline? What new ideas will are you working on to get into the literature

Speaker:

on on how to manage cybersecurity?

Speaker:

You mean sanctions or cybersecurity in general?

Speaker:

Just interested in what you're working on and how our listeners might be keeping their eye out for it if they're interested.

Speaker:

Nowadays, I'm also doing a lot of work on cybercrime, actually. So I do understand cybercrime, especially how cybercrime happens and how we can use communication between the offender and victim to actually understand and prevent cybercrime. So that's one thing I'm doing. It's not really on cybersecurity management; of course, it has implications for cybersecurity management.

Speaker:

What parallels do you see between that work and what you've done around the sanctions within an organization? Are you seeing any commonalities across those two, or too early to tell?

Speaker:

The cybercrime cases that we are actually looking at, these are cases where people, in very careful and clever ways, victimized people. And, you know, now sanctions. Well, if you don't understand that you are being victimized, how could the sanctions really apply effectively? So in that kind of case, I don't think the sanctions help here. It's more about, again, you know, we need tools for ordinary people and employees to actually understand more cybercrimes and, you know, what kind of, how people may try to use you in order to get your money or some information from the firm.

Speaker:

So it's more about the risks and how to protect yourself?

Speaker:

Yeah.

Speaker:

I think we're also seeing the threat actors becoming vastly more sophisticated than they used to be. That may be an AI thing. I don't know. The people I talk to over here where we are, because we have a classified workspace over by the air force base, they're of the opinion that the national actors that are trying to breach their network are using AI to do it, and only AI can counter that. A lot of the phishing attempts I'm seeing lately are vastly better than they used to be. So it's a risky environment, increasingly so, I think.

Speaker:

You can use generic phishing where, you know, you've sent the same message to, you know, a million people and hope some of these will be your victims, and then you might have more specific or targeted attacks where you actually find a lot of information on the target, and then you make your attack. And, you know, of course, these targeted cases are much more successful in phishing or other types of social engineering.

Speaker:

So, Mikko, as we close out, we typically ask what your 4 or 5 practical recommendations would be for the security managers who'll be listening to this. What are the things they can add to their list of to-dos to keep the company safe as they practice the craft?

Speaker:

So first, you need to actually decide how you're using sanctions, active or passive use of sanctions. And now I realized that what we have discussed so far is basically active use of sanctions. Active use of sanctions means that, you know, you monitor cases and you give sanctions to employees. But there's also passive use of sanctions. So passive use of sanctions, some might refer to this as a theory of covering your ass by sanctions. So the basic idea is that you introduce sanctions mainly to protect yourself or the firm from the blame. With this passive approach of using sanctions, you actually only use sanctions when something bad happens. So you introduce sanctions, but you actually will use them only if something very bad happens. I call it, you know, passive use of sanctions. So if something bad happens, you can say, hey, we have sanctions in place. Now we can blame this guy or whatever. Now if you use active use of sanctions, that means that they require a justification, and they may backfire. They need justification because you actively monitor and keep sanctions. And especially, the higher the sanctions, the more carefully they have to be justified. And if you don't actively use sanctions, they will lose some of their effectiveness as a preventive tool. You know, same idea as in the climbing over the speed limit example: if, you know, you are removing all the police radars, people will increase climbing over the speed limit. And now the use of sanctions, I mean especially active use of sanctions: if employees don't find them justifiable, they tend to backfire, and you should already think about those kinds of scenarios. And in this case, if your sanctions do not backfire, you don't justify these, well, sanctions may become worse than useless, because the side effects, such as employees disliking cybersecurity, are worse than the effect they prevent. These are the 4, 5 key points.

Speaker:

This has been Cyber Ways. It's a production of the Louisiana Tech College of Business Center for Information Assurance, courtesy of the Just Business grant from Dean Chris Martin. This podcast is available wherever you consume podcasts, and we'd be grateful if you tell your friends about it. And if you find it useful to you, let us know. Let our guests know. I'm sure Dr. Siponen is available to talk to you if you need more advice, because as he says, he does a lot of consulting in this area. We hope you found this to be interesting, and we hope you find the information to be useful in keeping your company more secure. Until next time.

Speaker:

Thank you. Thank you. Appreciate it.

Speaker:

And it is important to say that the Cyber Ways podcast is funded through the Just Business grant program of Louisiana Tech College of Business, and we're grateful for that. So join us next time on the Cyber Ways podcast, which is available on all major podcast platforms. We want you to subscribe or follow or whatever button your favorite podcast app has. Thank you very much.


About the Podcast

Cyber Ways Podcast
The Cyber Ways Podcast brings academic cyber security research into the "real world." We interview top academic researchers to find how their research can be put into practice by cyber security professionals. Our focus is on behavioral aspects of cyber security. Occasionally, we touch on related topics, such as information privacy and surveillance.

Each episode discusses one published, peer-reviewed article to reveal the practical implications of the research. Your hosts, Tom Stafford and Craig Van Slyke, are both widely published information systems academics who keep one foot in the world of practice.

The Cyber Ways Podcast is brought to you by the Center for Information Assurance at the Louisiana Tech University's College of Business. The Cyber Ways podcast is funded through a Just Business grant, made possible through the generosity of donors to the Louisiana Tech University College of Business.

About your host


Craig Van Slyke

Dr. Tom Stafford and Dr. Craig Van Slyke are both widely published information systems academics who keep one foot in the world of practice.

Stafford serves as editor-in-chief of The DATA BASE for Advances in Information Systems, the longest continually published MIS journal, and has previously edited 13 special issues of notable journals including Communications of the ACM, IEEE Transactions, and MIS Quarterly. He co-chaired the 2018 Americas Conference for Information Systems and chaired the 2019 Dewald Roode Workshop on Information Systems Security Research. He has been selected to serve as the chair for the 2025 International Conference for Information Systems, one of the most notable yearly research meetings in the field of business technology.

Van Slyke, former dean of the W.A. Franke College of Business at Northern Arizona University, has published over 40 articles in respected academic journals including Decision Sciences, Communications of the ACM, European Journal of Information Systems, and Journal of the Association for Information Systems. His fourth co-authored textbook, “Information Systems in Business: An Experiential Approach,” is in its fourth edition, and his first trade book, “On Leadership and Life: Essays on Leading and Living Well,” was published in 2017.