Episode 23

Published on: 28th May 2024

Religion and security with Karen Renaud and Marc Dupuis

In this thought-provoking episode of Cyber Ways, Tom and Craig discuss the intriguing topic of cybersecurity and religion with guests Dr. Karen Renaud and Dr. Marc Dupuis. Karen and Marc share insights from their research exploring the intersection of cybersecurity and world religions, offering a fresh perspective on enhancing cybersecurity practices.

Key Points Covered:

- The innovative research by Karen and Marc on leveraging positive values from world religions to influence cybersecurity behavior.

- The discussion on the drawbacks of fear-based cybersecurity practices and the importance of fostering a positive culture within organizations.

- Insights into the role of community, belonging, and sacred values in both religious communities and cybersecurity environments.

- The parallels drawn between religious principles and cybersecurity practices, emphasizing adaptability, forgiveness, and the sense of belonging.

- The significance of incorporating nonnegotiable values and building a culture that supports cybersecurity from top to bottom within organizations.

As Karen and Marc shed light on the impact of incorporating religious values into cybersecurity, they advocate for a different perspective on how a sense of community, forgiveness, and grace can transform cybersecurity practices. Join Tom, Craig, Karen, and Marc as they explore the potential for positive change in cybersecurity culture by drawing upon timeless principles from world religions.

Don't miss out on this enlightening episode of Cyber Ways and discover the transformative power of integrating religious values into cybersecurity practices. Tune in to gain a new perspective on building trust, community, and resilience in the ever-evolving landscape of cybersecurity.

Subscribe now to Cyber Ways for more insightful discussions on innovative approaches to information security and stay ahead in the realm of cybersecurity. Go to https://cyber-ways-podcast.captivate.fm to subscribe.

Guest bios

Karen Renaud is a Scottish computing scientist at the University of Strathclyde in Glasgow, working on all aspects of Human-Centered Security and Privacy. She is particularly interested in deploying behavioural science techniques to improve security behaviours, and in encouraging end-user privacy-preserving behaviours. She collaborates with academics in 5 continents and incorporates findings and techniques from multiple disciplines in her research.

Marc J. Dupuis, Ph.D., is an Associate Professor within the Computing and Software Systems Division at the University of Washington Bothell where he also serves as the Graduate Program Coordinator. Dr. Dupuis earned a Ph.D. in Information Science at the University of Washington with an emphasis on cybersecurity. His research focuses on human factors related to cybersecurity, especially how psychological traits affect cybersecurity behaviors.

Transcript
Hi, folks. This is the Cyber Ways podcast, and we translate our academic knowledge about information security into stuff that you can use as a security professional. We think it's a unique mission. We think you'll like it. I'm Tom Stafford. Craig Van Slyke. Tom and I are your hosts on your journey to knowledge. Cyber Ways is brought to you by the Louisiana Tech College of Business' Center For Information Assurance. The center offers undergraduate and graduate certificate programs in cybersecurity and sponsors academic research focused on behavioral aspects of cybersecurity security and information privacy.

Hello, everybody, and welcome back to Cyber Ways. It's a production of the Louisiana Tech University Center For Information Assurance supported by a Just Business grant from College of Business Dean Chris Martin. Today we have with us Karen Renaud and Marc Dupuis. They are doing some fascinating research on cybersecurity insights taken from world religions. Recent article appeared in Computers and Security. Doctor Renaud is a Scottish computer scientist at University of Strathclyde in Glasgow, works in all manner of human centered security and privacy. Doctor Dupuis is an associate professor with the Computing and Software Systems Division, University of Washington, Bothell, where he also serves as the graduate program coordinator. He has his PhD information science from the University of Washington with an emphasis in cybersecurity.

Welcome, Karen and Marc.

Thank you so much.

Thank you.

Let's start with the big question that I think is gonna underlie a lot of what we talk about today. What's wrong with the way we currently practice cybersecurity?

Rita, Janet, I'm not It's not working because there's no the number of attacks are not abating at all. So when when you keep doing the same thing and it's still not working, you have to think about, well, what do we what could we do differently in order to have more success? So at at a meta level, seems like we're not very successful.

And I think in an organizational setting, I think one of the things that's not working is it's often kind of a us versus them. And if you think about it in an organizational setting, why are we doing that? It should be us, the employees, and the leadership against them, the people that are trying to cause harm to us as opposed to, the infighting that often takes place. It's it's counterproductive. And as Karen said, we're not we're not getting anywhere. We're not we're not, making improvements, and that's the problem.

The other thing is that we have this paradigm in organizational cybersecurity, which is formulate the policy, disseminate the policy, and enforce the policy. And then when things go wrong, we just go back to disseminate again, and then we enforce again. And so it's almost as if it's it's like a vaccination. And if you just make the vaccination take, everything's gonna be fine. But this is we've been doing this for over 2 decades, and it's not very successful. So we have to start asking ourselves, what could we do differently?

So one of the things that I was looking at y'all's body of research. One of the the things that struck me was that we seem to focus way too much on, negative emotions.

You think that's one of the problems?

Well, so Marc and I met at Hicks some the very first time. And I said to him, Marc, I want to do some research into the use of fear in cyber. And Marc was on board. That was the first paper we did. And we felt that a lot of the dissemination that is done in cybersecurity is a hook into people's minds was if you don't do this stuff, things are gonna be really bad. You're gonna get punished, and the hackers are gonna get in and so on. And so fear is being weaponized. And what Marc and I discovered was that this is a very damaging thing to do to people because fear is is an emotion that actually hurts you, and it lasts for much longer than we realize. But, Marc, maybe you could tell them about the password one that well, maybe I should we shouldn't go into that kind of depth now. Sorry.

Well yeah. You know, I I think I'll just just briefly I think the thing I'll say is with with fear and other negative emotions, when when people get scared, they don't make the best decisions, but yet we're trying to use these negative emotions like fear to try and get them to do what we want them to do. So it's it seems kinda silly in in many respects that we're trying to get them to be compliant with these policies by scaring them when all of a sudden, and from a cognitive standpoint, they're gonna be less adept at doing what we want them to do. So I I you know, it's just it's very, counterproductive in many respects. And as, you know, some of our research has shown too that not only are we eliciting fear, but we're also increasing other negative emotions and decreasing positive emotions. So what are the other implications for this?

Mhmm. Your concern is But we have this extensive criminal justice lens through which we view cybersecurity, and those of us who go to the to all the rude meetings see it all the time. All the leading authors started with a perspective of enforcement as as Karen so aptly put it. You know, promulgate the policy, enforce the policy, punish the people that don't adhere to it. It just doesn't feel like good organizational behavior, from a managerial perspective to be trying to get people to do the proper thing with negative reinforcement as opposed to building a positive culture, which which I I'm hoping is where we're we're headed at some point, but we don't see much research on it, do we?

No. And I understand the fear. Right? Because I speak to CSOs a lot, and they're worried. They're they're the ones whose head is on the on the plateau when things go wrong. They're the ones who who have to answer the stories for the board, you know, why did we get hacked? So that fear is then being transmitted, and that's why they get all heavy with the normal average person in the organization. So the whole thing about the blaming and the fear culture is really unhelpful across the board. So I would agree with you, Tom.

So your paper is about a religious view on cyber security, and I see that as eminently positive. You know, religion is a positive force in our life. It it speaks to doing good and and being good, and I'm very interested in how you bridge to that particular lens as a way of considering cybersecurity behavior in a new perspective.

So I spent some time in Germany a few years ago, and I picked up 2 books before I left to read while I was there. The one was by Scott Atran, which is called Talking to the Enemy, and the other one was, Jonathan Haidt, The Righteous Mind. Nothing to do with cyber. But both of these books really struck me in terms of trying to understand why people do what they do, and both of them spoke about our values. And then I started wondering what were the values that we were trying to get people to adopt in cybersecurity. And then I picked up a book by Alain de Botton, which is called Religion for Atheists. And then I realized, well, hang on. Why don't we learn from the people who do espouse values? Because religions all have values that their adherents espouse. So what what could we take? And but de Botton says, don't throw the baby out with the bathwater. Let's look at religion and take the good parts and learn from it because they're very successful, and and and then don't take the stuff that's not so great. And so that's kind of where this idea came from. And I I zoomed Marc from, from Germany, and he said, yeah. I'm in. So that's that's where the ideas came from.

So what did you hope to find in, in applying this new focus on on cybersecurity?

Well, I think a lot of it is, you know, like Karen said is, you know, religions have those that have stood the test of time have stood the test of time for for a reason. And and some of them have, you know, a lot of them have stood the test of time, have adapted, evolved, and changed, as times have changed, as our society has changed. And, by doing that, they have, met the needs of of the people they're serving, of of their believers. And, and there's something that could be learned from that. And we think about some of these religions have been around for 1000s of years. And, you know, in cybersecurity, you know, being around for, you know, 20, 30 years at the most, really. And so what can we do as such a new discipline? What can we take from religion and and try and learn from it? Because, you know, as we said earlier, we're not we're not successful. We're not we're not very successful in what we're doing, and the problems are only getting worse. So let's let's be humble enough. Right? Let's let's show some humility and let's try and learn from these other areas like religion and and see what we can take. And instead of just this compliance and and this punishment of people that are trying just to do their day to day jobs, most of them are not in there to do cybersecurity. They're being tasked with it in often an unfair way when they're there to do pretty much anything but cybersecurity. But what what can we take from other places, other, you know, other disciplines like religion and and learn from it to help us to help us be more successful. And, you know, as Karen said, you know, there there's there's a lot to be learned from. So let's learn a little bit from religion.

I wanna dig into just what religion is. So it's one of those things where we all know what it is, but we don't really know kind of what it's made up of. Can you talk to us a little bit about what actually religion does or what its components are?

When I I started writing this paper, I thought, well, the first thing to do is define. Right? Whenever you have a new concept in a paper, you have to define it. And it turned out that people struggle to define religion. So, having read a number of people who said, you know, nobody can agree on it, So, okay, let's go and look at it from a different way. And I found somebody called Durkheim, who's a very well known German academic, who said that religion has 3 dimensions. It's believing, belonging, and doing. And then when I found some other papers that also tried to say, these are the characteristics of religions, I found that they also fell into those three dimensions. And that made it a lot easier to an to kind of start interpreting how what we are doing and what religions do. Can you tell us a little bit about the problem? Part is that, you know, if you go to somebody who's an adherent of a particular religion, they can tell you what they believe in. And they also know what kinds of things they should do. So they may believe in in if it's a Christian, they would believe that they have to be kind to other people and forgive people when things people do bad things to them and that sort of thing. So the believing and the doing is easy to understand. But the belonging was the one that was really came across strongly in all the the religious related literature because people get a sense of belonging to their community. They meet weekly with their community a lot of the time. And that sense that I am a Christian or I am a Muslim or whatever, that was part of became part of their identity. And so those three things were the aspects of religion that people seem to, you know, cohere to.

There's also the nature of, I think, the belonging aspect of of of your model to me speaks to what I've always considered to be the important part of cybersecurity, which is belonging to the team that secures the company. Mhmm. And I I see that as a a very useful metaphor taking religious perspective.

Yeah. I I I think, you know, the the belonging part is in many respects, the one big area where we're lacking maybe more than the others. Because I mean, we we all can believe, oh, you need to do this. You need to be aware of this. You need to watch out for that. Make sure you do this and and so on. But building that sense of community that, hey, we're all in this together, that, we know mistakes are gonna happen, that we we realize this is tough to do, that we're not all, at at the same level of understanding these different threats and so on. That, I I I believe, is really where we're lacking and we're not doing a good job of. And I think you look at successful religions, you look at people that, want to go to church, and it's not always just to sit there and and listen to a sermon for an hour, but it's oftentimes those other activities. It's gathering for to share a meal together. It's it's it's just being with one another. It's it's that sense of belonging, that community that you have that we just don't see in in cybersecurity. It's it's it's this very this top down approach. It's this punishment approach.

And, you know, I I think as we think about the success of religions and and a sense of belonging, we just we are so lacking with respect to that sense of belonging in cybersecurity.

Can I take a tangent here? As you were were all talking about this, I was trying to translate in my mind the idea of belonging to something like a church or a religion versus a sense of belonging at work. And so my church and my religion, for a lot of people that are religious, it's very intertwined with their personal lives. So it is part of their life. I grew up in the Baptist church, and it was you know, it could be 3 nights a week going and doing something all day on Sunday. So that was intimate part of who you were. And I don't know if we get there with work. I know work is part of our identity, but I I wonder if it's a problem of intensity or the extent to which it's intertwined in our real lives. You know, we tend to separate work and personal lives, but religion is part of the personal life.

That's a really interesting point because it is work and I guess we have our work tribe and we have our home tribes. But I did another piece of research which is under review right now with some other people in Germany. We asked people, if they ever discussed cybersecurity with other people, and they all said no. And then we asked them whether they would like to discuss cyber with other people, and most of them said yes. So it's the kind of thing that people don't talk to each other about at all, where people in the same religion would talk about their religion. So it's almost as though people don't feel that that's something they can do. Whereas a if there's 2 Christians, 2 Muslims, any Buddhists, they would talk about this religion of theirs. Right? So it's almost like it's a solo sport right now instead of a team sport at work.

That's an apt point. I I've always felt that many organizations were groups of people each traveling their own way and the challenge of the manager is always to harness their activities in concert with each other. When it comes to something so mission critical, it's protecting the company's assets from external access.

So so do you think part of the problem is the negativity around cybersecurity? So we don't talk about doing cybersecurity well. It's when there's an incident, when something bad happens. And who wants to talk about that? I wonder if it's all wrapped up in the fear of the virus. And 3 people fall for a phish, but 3,000 didn't, who are we talking about? We're talking about those 3. And and so, yes, it it's it's a kind of an a mindset that we felt when we were looking at religion really ought to change and this mutually supporting thing. Because when I've studied events where there have been cyber, breaches, the first thing that happens is the person who's responsible, who may be clicked on the phish or something, they're immediately ostracized. They're immediately pushed into the corner and how dare you do this and how could you have been so stupid. That's that's not what a church would do. They would try to help the person do better. Or not the church, but I mean people in the same religion.

Or or burn you at the stake. 1 or 2.

Never. Not anymore. Not anymore. Sorry. That was a long time ago.

Karen makes a point though. Craig and I both come from the Baptist heritage and then and the Baptist creed of faith is everybody's going to hell unless they do their best to be a good person. No. That's that's putting it too strongly. Everybody's inherently a sinner and seeking forgiveness and doing good works is the avenue away from, the outcome. And I I see the parallel with what you what you just put voice to your current.

I think too is it's it's almost difficult to wrap our mind around how would we do this with cybersecurity.

But, difficult but not impossible. Right? Because I I think about places I worked previously where, you know, maybe a smaller office environment where maybe there's 50 to 75 people working there where, you know, we would have potlucks and and different things. We would have, decorate our office for Halloween and these other activities and have fun things and and build that sense of community. Well, you know, like like Karen said, you know, you know, what if there is a a phishing simulation exercise and, yeah, 3 people fall for it, but everyone else does it? Well, what if we have a a pizza party or something, right, some kind of celebration, for all those that didn't fall for? We don't even mention the fact that there's a few that didn't. And and we just, you know, again, build that sense of community. And we we talk about, how successful we were, or or celebrate these things and and come together. And and I think because it sounds so foreign, it seems silly to think about that. But and that may not be the exact approach, but I don't think it's impossible to think about how we can build this sense of belonging in cybersecurity because the fact of the matter is is this isn't a solo sport. We're not in this individually. We're in this together, but we do act like and it's treated like we're in this individually. At the end of the day, you know, the organization will be impacted. We're all impacted directly and indirectly at at some point in time. So we need to kind of start getting creative with how we're gonna create the sense of belonging and community within organizations.

That that fits with what Karen said about mindset. That's one of the things I'm hearing here is we need to really have a shift in mindset. To to get at this, you interviewed a number of religious leaders from a variety of different religious traditions. So what did you find?

When we analyzed, we didn't specifically ask them about belonging, believing, and doing. We just asked them in a bunch of questions, which I think we've included in the paper. And what happened when we analyzed it was, well, unsurprisingly, belonging, believing, and doing kind of filtered up, and we could group them into those 3 stupid themes. And what came across with with the one the final question was, you know, how could cybersecurity learn? And they all said, oh, you know, you need not to be so harsh on people when they make mistakes. Cyber is hard. And we saw a sense of forgiveness coming across, a sense of grace for the imperfect human. And that we kind of had expected that, but it was really gratifying when we heard it from them. But the interesting part was they said the one guy said, well, you know, when did he did cybersecurity training when he was a student at university? It it was just like a checkbox thing. He did it online. He finished it. He answered the questions, and he was done for the next year. But he said at his church, when they get together, they talk about concepts. They talk about the difficulties they're having when they have their community get together. So he said, why don't we do that? That was exactly what I was hoping if somebody was going to tell me. You know, he was he made he made that contrast for me.

One one of the issues that I see from an organizational theory perspective is the notion of agency. The organization is formed as an informal and sometimes actually formalized contract between the people who own the company, the principals, and the people they hire to do the work for them, the agents, and the agents are economically rational. They will they will do things they shouldn't do if they feel like they can get away with it and and it's to their benefit. Mhmm. The distinction in the religious view is the principal agent component is not there. There's no economic rationality. There's there's no if you think about it, no pragmatic payoff for being good other than being good for goodness' sake, which is faith, which I find very I find that to be a very compelling aspect of this religious view that you take of cybersecurity. People doing good security for its own sake, rather than because it's their job or because the boss will sanction them.

But also maybe learning to do what's right for the community. Right? Rather than just doing what's what I'm scared not to do.

I've long felt that the, the criminal justice perspective on cybersecurity, had issues because it it treats people as problems when in fact your solution is isn't it?

Yes. So that that leads into something that I thought was perhaps the most interesting part of the paper, and that's the idea of sacred values. Tom, you were kind of alluding to that. You know, be good for goodness sake. It's because that's what you do regardless of everything else. If it costs you money, if it costs you your position, costs you your material wealth, you still do we we talk about doing doing what's right because it's right. That's a sacred value.

So what are sacred values and how do they apply in this context? Marc.

This this is not a quiz, so Well, I mean, well, what row. I was gonna real quickly, maybe touch on the prior question if that's okay. And I I think it's just some interesting insight from the religious leaders with kind of that sense of belonging where, you know, they they touched on how we are all different, and we have a lot of differences between us, but how we should focus also on what's common between us. And it's kind of that sense of belonging, you know, bringing us together as a community and how we are there to help each other, help us as as people. And by doing that, we can create that sense of trust, between us. You know? And I see that not really being done very well in organizations. It's it's often like, oh, this person doesn't know what they're doing, but they're gonna click on that phishing email. They're gonna hurt us as an organization and and so on. And so, you know, that was some interesting insight with respect to belonging. And then you look at believing, an interesting comment from one of the religious leaders was, you know, go where the people are rather than just expecting the people to come. And, you know, again, I I thought it was just some very interesting insight of, you know, hey. You know, reach out. Don't just wait for something bad to happen, but be proactive. You know, be available to the to these people that, again, are not there to do cybersecurity but are being tasked with it in an often and unfair manner, but be available to them. So, you know, that it's just some other things that I wanted to to share.

One of the things that somebody said was be humble. The people who are asking other folks to do cybersecurity actions should be humble and not act like they know everything. And that that was interesting as well.

I'm intrigued by the notion of morality. I always have been. And morality is deeply seated in the concept of religion. I I wonder if maybe it it it transfers over to your research perspective because my sense of organizations is companies have no religion. They are the inherently amoral entities. They do what is legal. And sometimes as I tell my students, amorality is doing what is not prescribed by law or what you think you might not be caught at.

And you know it's not right, but you don't think you're gonna get caught. Organizations are not moral, centers, if you will. And then that I think that has to change because cybersecurity requires everybody caring for the good of the all as opposed to everybody looking out for themselves. Don't you think?

Yes. Can I just get back to the sacred values that, Craig asked about? When I when I read Scott Atran's book, he said that, people, you know, you could challenge other values they had. But when you went near their sacred values, they it was not negotiable. Right? And so what I kept thinking was we don't even try to inculcate the values into people in cyber. We give them a list of do's and don'ts. We don't actually try to make that part of them that becomes nonnegotiable. And and you were talking about integrity. I've done a study into whistleblowers, and they also said, we saw this and we had to speak because it was our integrity that was a question. So for them, that integrity was their kind of sacred value. But we that it seems to be a completely alien concept in cyber at the moment that we we try to find the values that people should endorse and embrace.

Let me see if I can tie this back to what what Tom was talking about. So morality isn't a static, universal thing. I mean, we have some things that we view as largely universal, but you brought up a really important point in your paper that ties into all of this. So the idea is if we can get employees to tie into the security sacred values, then they'll do anything to avoid violating those values. But then you brought up a really important point and I'm literally gonna read it. While cybersecurity professionals could easily commit to these values, talking about the cybersecurity sacred values, we do not know the extent to which individual employees will be able to commit to these relatively broad categories and or convert them into action, nor do we know whether they are effective candidates to serve as the higher values foundation grounding our vision. Yeah. I think that's the rub. That the sacred values for the employees getting some and Tom, you kind of talked about this idea of alignment in in management. I think that's gonna be the neat trick, and if we can figure out how to do that, a lot of other things may fall into place. So what do you all think about that idea?

I think that's a big part of the challenge is it's creating that culture that is

Speaker:

going to work from, you know, from

Speaker:

the bottom to the top and vice versa. And that's that's

Speaker:

a really big challenge. It goes to these sacred values

Speaker:

that were espoused by the religious leaders, you know, working

Speaker:

together to support others. And it's not easy. Everyone is

Speaker:

there trying to, for the most part, do their job, make make

Speaker:

their money, go home, and and, you know, deal with their lives outside

Speaker:

of work. And when things are complicated

Speaker:

and, you know, you probably see eye rolls and you see other things

Speaker:

I have a couple kids, so I see that plenty. But then, you know, you

Speaker:

you're tasking them with other things that complicate matters. It can be

Speaker:

difficult to get that buy in. But if you

Speaker:

are successful and if you can do that, you can really see

Speaker:

some amazing things happen. And and it is possible. You know, you

Speaker:

see things that have been done. You look

Speaker:

at at Deming and what was done with Toyota in the 1950s.

Speaker:

This humongous shift. These humongous shifts in

Speaker:

culture can happen, and they do happen, and they are effective.

Speaker:

Why can't this happen with cybersecurity in organizational settings?

Speaker:

It can. You know? We just need to figure it out. And I think this

Speaker:

is a starting place for some discussions of what this might look

Speaker:

like. You know, how this can be effectuated? You know, we still have some

Speaker:

work to do to figure that out and to try it out, but it it

Speaker:

is possible. It is. You're in my wheelhouse now

Speaker:

when you bring up Deming because Deming was issued by all the major

Speaker:

US automakers as being irrelevant. So he went to Toyota

Speaker:

out of desperation to sell his idea, and he he

Speaker:

landed in a culture which espouses

Speaker:

collectivism, which means the good of all as opposed to the good of the one,

Speaker:

whereas the companies who turned him down are strictly into economic

Speaker:

outcomes for the one, maximized personal outcome, which is really, I think,

Speaker:

the the issue in the amoral approach to business. I I I don't

Speaker:

know. I'm I'm on a soapbox now, so I'll stop. But I I wanted to,

Speaker:

to ask you whether you think that the notion in the title of your

Speaker:

paper, shame, has an irrelevance or if that's just

Speaker:

something that we try to avoid by doing good. And if I

Speaker:

could just interject, that's that's another paper that's in this kind of

Speaker:

overall we need to do security differently theme. And

Speaker:

assuming that Marc and Karen are willing, we're going to have

Speaker:

them back to talk about that paper because it was just too much for one

Speaker:

episode. So I just want wanted to to kind of give the backstory

Speaker:

here. And that's one that we followed the fear one with because it felt as

Speaker:

if people were being shamed when they did make a mistake,

Speaker:

and that was my sense. And then when Marc gathered

Speaker:

all our bunch of data, it actually happened to loads of people where

Speaker:

they where they done something silly, clicked on a message or whatever.

Speaker:

And there was then the organization would people would yell at

Speaker:

them, and they would they would get, you know, ostracized

Speaker:

by their by their because now everyone had to go for the training

Speaker:

again, and everyone couldn't work that day while the folks, IT folks,

Speaker:

had to sort the computers out and everything. And the what the people

Speaker:

went through was awful. You know? And and what we

Speaker:

discovered was, interestingly, there's a difference between shame and guilt.

Speaker:

Guilt says, you did this silly thing. Here's what you can do to

Speaker:

make up for it. Shame says, you are the stupid

Speaker:

person. It's an attack on you as a as a human. So then

Speaker:

what you get is a self defense response. And what we also

Speaker:

discovered is that what you do when you shame people is create an insider

Speaker:

threat. It's very, very counterproductive.

Speaker:

The organization does not end up ahead like maybe they think they're gonna

Speaker:

end up ahead. So it's it's very counterproductive. So

Speaker:

we're we're gonna leave that as foreshadowing for our later

Speaker:

episode. We're starting to run up against our time

Speaker:

limit, so could you

Speaker:

give us kind of the 3 or 4 messages

Speaker:

that you want our practitioner listeners, our

Speaker:

cybersecurity professionals, to take away from what you found in

Speaker:

your work. I'm gonna punt that to Marc. I've I've spoken a

Speaker:

lot. Sorry. One thing I will say, and

Speaker:

maybe this isn't a direct answer to your question, but maybe one thing I'll say

Speaker:

just as a follow-up to the same question is is one thing we sought

Speaker:

out to do here was to learn

Speaker:

from world religions what we could apply to

Speaker:

cybersecurity and make cybersecurity better. One thing that

Speaker:

we did not seek to do was to portray

Speaker:

that world religions were without any issues

Speaker:

or faults of their own, that there weren't any problems or challenges. And I mentioned

Speaker:

that because, obviously, plenty of religions

Speaker:

use shame. They use fear. They use other things that we do

Speaker:

not think should be used in cybersecurity. So I did I did want to

Speaker:

mention that that we're trying to say, you know, what does make world religion

Speaker:

successful? How can we take that and apply that to cybersecurity?

Speaker:

And so, you know, with that in mind, I think some of the things

Speaker:

that some of the major takeaways with respect

Speaker:

to these higher values and thinking about, you know, the idea of

Speaker:

for me, one of the big ones is a sense of belonging and

Speaker:

and building that community, caring for others, wanting

Speaker:

others to be successful, to succeed. And

Speaker:

that can only be accomplished if, you know, instead

Speaker:

of just punishing and looking at other people and saying, hey. You did this

Speaker:

wrong. Instead being like, hey. You know,

Speaker:

this this types of things happen. We know it's challenging. Let's figure out

Speaker:

how we can make this make everyone more successful. Let's you know, what

Speaker:

are we doing on our end that, we could do better?

Speaker:

You know? So it's not just the employee, but what is the organizational

Speaker:

what is the organization doing that, is making it more

Speaker:

difficult? You know, what could what can the organization be doing better? And

Speaker:

and, you know, just working together to support others, to share this knowledge,

Speaker:

to care for each other in in a real meaningful way. And so I

Speaker:

I think that that sense of belonging for me is is a really big

Speaker:

one that I think religions,

Speaker:

maybe in an often ideally idealized,

Speaker:

can do very successfully. With cyber, we seem to be stuck in a bit

Speaker:

of a a rut where we this is the way we do cybersecurity,

Speaker:

and things like generational AI has come have

Speaker:

come along, and we have to be able to adapt. But

Speaker:

because of the fear based approach, people are almost frozen in the way they're

Speaker:

doing stuff and that they're too scared to adapt. So it's really

Speaker:

about taking the good parts. I agree with Marc there absolutely.

Speaker:

The the religion does belonging pretty well. Let's try and figure that out.

Speaker:

Also, the the sacred values were the thing we've put in as our

Speaker:

as our this needs to be done because we didn't actually arrive at those.

Speaker:

We didn't have the bandwidth to do that with this study, but that's definitely

Speaker:

something we want to work on next. So when we

Speaker:

were talking about it, shame, earlier, Craig mentioned that it seems a

Speaker:

likely topic of your next paper, even though it's it's partially

Speaker:

covered here. Tell us about what the next step is in your research because this

Speaker:

is fascinating. We need an alternative to, pardon the metaphor, the

Speaker:

hellfire and brimstone of a criminal justice perspective in current cybersecurity

Speaker:

practice. So Marc and I are looking at this whole issue of

Speaker:

sacred values with a another friend, at one of the London

Speaker:

universities, and we're really hoping to arrive at a set of values

Speaker:

that we could offer to the cybersecurity community to

Speaker:

say, these are the things that we think that people could possibly

Speaker:

espouse in order to help them. For for secure cyber

Speaker:

security to become something that they don't even question that they just do, and

Speaker:

you wouldn't have to have the compliance stick to beat them with. We

Speaker:

also did a paper on regret, which is can be negative, but

Speaker:

it turned out it can also be a positive thing. So if you make a

Speaker:

mistake once, you can learn from it. I want to

Speaker:

be understood. Organizational theory, Leon Festinger. Everybody

Speaker:

knows him for cognitive dissonance, but attribution theory Uh-huh. Was his

Speaker:

big thing, organizationally. And then the notion is

Speaker:

people hate to fail, and they're more motivated by figuring out what

Speaker:

they did wrong and keeping that from happening again than they are

Speaker:

figuring out what went right. Because they expect to do well, but they don't expect

Speaker:

to fail and they wanna avoid failure. But I was actually what

Speaker:

triggered this, Craig, was we managed to put the name of a song in the

Speaker:

title. So the title is

Speaker:

from Edith Piaf. Nice. I've been wanting to

Speaker:

do that for years. So we've we've been talking

Speaker:

with Dr. Karen Renaud and Marc Dupuis today about their

Speaker:

fascinating perspective on cybersecurity and doing our part to

Speaker:

spread the faith of doing good in the workplace. This

Speaker:

is Cyber Ways, a production of Louisiana Tech University College

Speaker:

of Business supported by Dean Chris Martin's Just Business grant.

Speaker:

You can download it wherever podcasts are found, and we dearly love if you tell

Speaker:

your friends about us. See you next time. And it is important to say that

Speaker:

the Cyber Ways podcast is funded through the Just Business grant program

Speaker:

of Louisiana Tech College of Business, and, we're

Speaker:

grateful for that. So join us next time on the Cyber Ways podcast, which is

Speaker:

available on all major podcast platforms. We want you to

Speaker:

subscribe or follow or whatever button your favorite

Speaker:

podcast app has. Thank you very much.


About the Podcast

Cyber Ways Podcast
The Cyber Ways Podcast brings academic cyber security research into the "real world." We interview top academic researchers to find how their research can be put into practice by cyber security professionals. Our focus is on behavioral aspects of cyber security. Occasionally, we touch on related topics, such as information privacy and surveillance. Each episode discusses one published, peer-reviewed article to reveal the practical implications of the research. Your hosts, Tom Stafford and Craig Van Slyke, are both widely published information systems academics who keep one foot in the world of practice. The Cyber Ways Podcast is brought to you by the Center for Information Assurance at the Louisiana Tech University's College of Business. The Cyber Ways podcast is funded through a Just Business grant, made possible through the generosity of donors to the Louisiana Tech University College of Business.

About your host

Craig Van Slyke

Dr. Tom Stafford and Dr. Craig Van Slyke are both widely published information systems academics who keep one foot in the world of practice.

Stafford serves as editor-in-chief of The DATA BASE for Advances in Information Systems, the longest continually-published MIS journal, and has previously edited 13 special issues of notable journals including Communications of the ACM, IEEE Transactions, and MIS Quarterly. He co-chaired the 2018 Americas Conference for Information Systems and chaired the 2019 Dewald Roode Workshop on Information Systems Security Research. He has been selected to serve as the chair for the 2025 International Conference for Information Systems, one of the most notable yearly research meetings in the field of business technology.

Van Slyke, former dean of the W.A. Franke College of Business at Northern Arizona University, has published over 40 articles in respected academic journals including Decision Sciences, Communications of the ACM, European Journal of Information Systems, and Journal of the Association for Information Systems. His fourth co-authored textbook, “Information Systems in Business: An Experiential Approach,” is in its fourth edition, and his first trade book, “On Leadership and Life: Essays on Leading and Living Well,” was published in 2017.