Redefining CyberSecurity

Decoding Human-Centered Cybersecurity with Security Attitudes | A Conversation with Julie Haney and Dr. Cori Faklaris | Redefining CyberSecurity with Sean Martin

Episode Summary

Dive into this episode of the Redefining CyberSecurity Podcast where Dr. Cori Faklaris of UNC Charlotte reveals groundbreaking insights into the human factors shaping cybersecurity practices, from innovative tools for measuring security attitudes to combating smishing attacks. Explore how her team’s collaborative initiatives are empowering local communities and transforming academic research into practical solutions.

Episode Notes

Guests: 

Julie Haney, Computer scientist and Human-Centered Cybersecurity Program Lead, National Institute of Standards and Technology [@NISTcyber]

On LinkedIn | https://www.linkedin.com/in/julie-haney-037449119/

On Twitter | https://x.com/jmhaney8?s=21&t=f6qJjVoRYdIJhkm3pOngHQ

Dr. Cori Faklaris, Assistant Professor, University of North Carolina at Charlotte [@unccharlotte], Director, Security and Privacy Experiences (SPEX) research group [@SPEX_lab]

On LinkedIn | https://www.linkedin.com/in/corifaklaris/

On Twitter | https://twitter.com/heycori

On Mastodon | https://hci.social/@Heycori

On Facebook | https://www.facebook.com/heycori

____________________________

Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/sean-martin

___________________________

In this new episode of the Redefining CyberSecurity Podcast, host Sean Martin and co-host Julie Haney welcomed Dr. Cori Faklaris, an assistant professor at the University of North Carolina, Charlotte, to discuss the intricate relationship between human-centered research and cybersecurity. Dr. Faklaris, who leads the Security and Privacy Experiences (SPEX) research group at the university, shared valuable insights on the intersection of human behavior and security practices.

The episode delved into Dr. Faklaris' extensive research on security attitudes and behaviors. She introduced the Security Attitudes (SA) scales, particularly the SA-6 and SA-13, which are tools designed to measure people's security attitudes. These scales provide a reliable and valid means to gauge individuals' perspectives on cybersecurity, which can be critical for organizations looking to enhance their security training programs. By regularly measuring security attitudes before and after training, organizations can assess the effectiveness of their initiatives and identify areas for improvement. Dr. Faklaris emphasized the importance of considering not just attitudes but also social norms and perceived behavioral control when examining security behaviors.

A significant portion of the discussion centered around the challenges posed by smishing—phishing attacks conducted via SMS. Dr. Faklaris highlighted that younger people and college students are particularly vulnerable to such attacks. Her research indicates that demographic factors can influence susceptibility to smishing, underscoring the need for targeted awareness campaigns and tailored security measures.

The episode also touched on the broader implications of trust and usability in communication systems, with Dr. Faklaris stressing the importance of clear and trustworthy communication channels to prevent user fatigue and mistrust.

In addition to her academic endeavors, Dr. Faklaris is spearheading a new cybersecurity clinic at UNC Charlotte. This initiative aims to support local organizations, particularly small businesses and non-profits, by providing them with valuable cybersecurity guidance and services free of charge. The clinic, which will involve student teams working on real-world problems, seeks to bridge the gap between academic research and practical application while fostering community engagement and providing hands-on experience to students.

The episode serves as a treasure trove of insights for security leaders and practitioners, offering practical advice on enhancing security training and awareness programs. By leveraging research-backed methods and fostering community partnerships, organizations can better navigate the complex human factors that influence cybersecurity practices. Dr. Faklaris' work serves as a powerful reminder of the critical role human-centered approaches play in building robust and effective security frameworks.

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Sean Martin: [00:00:00] And hello, everybody. You're very welcome to a new episode of Redefining CyberSecurity Podcast. I am your host, one of two for this special edition of the show, where Julie Haney joins me as co-host. And I feel like I just want to hand the reins over to Julie. She brings some of the cool guests over and really drives some great conversations.
 

Julie is great. Great to have you on again where we get to talk about the human-centered research and cybersecurity and, and, uh, how do we, how do we recognize that the human is at the center of all this, we build the stuff, we protect the stuff, we use the stuff, we break the stuff, we are the stuff. So, it's, uh, always fun.
 

So Julie, I'm gonna, Julie, I'm gonna let you do the honors of introducing our esteemed guest today.
 

Julie Haney: Great, thanks Sean. So today, um, we're excited to have Dr. Cori Faklaris on. She [00:01:00] is a researcher, obviously, in this area of usable human-centered security and privacy. She's an assistant professor at the University of North Carolina, Charlotte, where she leads the security and privacy experience research group. Um, and I met Cori probably a few years ago at a conference. We've had a few great conversations and I have found her to be super smart and enthusiastic and positive. And she's done some really cool research, which she's going to talk about today.
 

Um, so we're very excited to have her on. So Cori, welcome to the podcast.
 

Dr. Cori Faklaris: Thank you so much. I'm a, I'm an enthusiastic podcast listener, not just of, of this and this topic, but all sorts of podcasts. So I'm so excited to help contribute to the genre.
 

Sean Martin: Can you, can you say that with attitude?  
 

Dr. Cori Faklaris: I'm so excited to be here. 
 

I love this podcast. [00:02:00]  
 

Julie Haney: Can he quote you on that? Um, yeah, so, so Cori, I, I know that I and a lot of other people are always really fascinated to hear about people's career journey and I've got to say you have one of the more interesting career journeys among the researchers that I've met in this field. So, uh, why don't you tell us all about how did you find your way into doing research and being an assistant professor?
 

Dr. Cori Faklaris: Yeah, thanks for asking me. I do, I do love to talk about this because when I started feeling my way through this, I didn't have models. And so I just like to say straight off, like, if you're considering a career change or you're not sure where to go, I feel you. I was there and you can find the help and you're always welcome to reach out to me for, for assistance. Um, so, so where I started with this, I started in journalism. So when I was much younger and thinking about where I [00:03:00] wanted to be and what I wanted to do, I wanted to do things that engaged my intellectual curiosity, but also where I could be really useful to the world and to the people I cared about.
 

Now this could just as easily explain cybersecurity as a, as a job path. But at that time, when I was a teenager, especially, um, my role models weren't that computer science or technology were the places to do that. Now, that was an incorrect assumption, mental model and assumption on my part. But my assumption was, well, if I went into that, I'd be just sitting in a basement somewhere, you know, with Cheetos all over my face and my shirt and typing away at the glow of a green screen in my face.
 

And, you know, if you love it and that's your life, more power to you. For me, I wanted to have a job where I could engage with people and tackle some of the important human problems of the world. So journalism at that point seemed like a great path for me. And I went to the University of Illinois at Urbana-[00:04:00]Champaign, but you know, importantly, too, when I was a kid, and then going on to college, even, I was always surrounded by people who were in computer science and technology, and, and I really caught a bug of, like, loving technology and being very enthusiastic about the future and the technological horizon. So it wasn't that I didn't love computers back then, but just it didn't, didn't seem like there was a place for me there. Um, uh, but I did find a sense of belonging in journalism at that point. Um, I would sometimes sneak over to the computer science building for some of their lectures.
 

But I got to interview Marc Andreessen way back then as a venture capitalist now. But back then he was at the National Center for Supercomputing Applications, Urbana-Champaign in Illinois. Um, and, uh, so I, I knew that was back when the internet was the, the cool new thing and the amazing technology disruptor that it did turn out to be.
 

Um, I still went into journalism, [00:05:00] even though I could see right away, like, oh, this is going to change everything, and probably not for the better where, uh, journalism is concerned. Um, but, but it was, it was still a great career. I, I wore a lot of different hats in my career as a journalist. Um, so I think I had a different job title or different job responsibilities every year.
 

I started out as a reporter. I covered crime in courts. Again, in cybersecurity and IT, that was a good foundation for that. Um, because there is so much cybercrime that happens. But I quickly, I quickly moved into editing because I figured out that behind the scenes, especially in newspapers, that's where, that's where it's at. 
 

If you want to make a difference and really shape things. I became a news designer, so I helped develop the look of newspapers as well as to some degree of our web report, but, um, I really got my hands dirty. I got into the guts of the computer system, and that's where I really found IT [00:06:00] and UX design. Uh, so, so I learned on my own. 
 

Uh, and and learning from materials on the Internet. Like, how do you how do you design things that people really want to use, but that also are providing for really productive use of the systems and respecting in journalism, the specific cyber security and privacy concerns that we had. Um, and so, so I always describe myself, my real title of being a doer of things no one wants to do. 
 

But I was really lucky that it, it also scratched that itch that I had for information technology and for computer science. Um, and I realized I was really good at working with computers and then finally decided that I wanted a degree in that. So, so that happened, you know, at that point, the internet had caught up with the business model for newspapers, uh, and so I thought, yeah, this is a great moment to start taking classes again and start thinking about what's the next chapter for me. 
 

Um, and [00:07:00] so, so that led me to IU Indianapolis because that campus was right down the street from where I was, I was living in, um, in Indianapolis, Indiana. I worked at the Indianapolis Star. Uh, and so, so I could just go on my lunch breaks, walk over to go to class. Uh, and then later on I decided, um, I was also making a good living.
 

So I was able to save a lot of money and decided at some point, I can quit my job. I can take that leap and just become like a freelancer and a consultant and go to school full time. And so I got my master's of science degree there in human computer interaction. Um, I think that was in, I ended up getting it, I think in 2017. 
 

Um, but, but while I was doing that there, I think that's really when I got turned on to human-centered computing, and that's when it really hit me. I could have always been in this field and talking to humans, making a difference for humans that I care [00:08:00] about while also working on technology. And so so that suddenly I realized I have a set.
 

I had that sense of belonging in computer science and that, that really got fostered at Indiana University. And they encouraged me to go, oh, go, go shoot for the moon. Try to get a degree at one of the top schools. And so I was really fortunate to get accepted for a doctoral program at Carnegie Mellon University, which I consider to be the best school out there for cybersecurity education.
 

Um, and, uh, and there, there we are, then I was just off and running.  
 

Sean Martin: Love that journey. Obviously, I'm, I'm a partial to journalism. So I started engineering and moved into journalism. And, um, the reason I did that as I couldn't, I could see where the human interaction was, but I couldn't always have a conversation with a human to understand what they're thinking, why they're [00:09:00] thinking something a certain way, why I know we're going to talk about this, why they would think something a certain way and do something different, right?
 

Even, even though you think you've made it obvious in the user interface, or you think you have the culture that supports whatever they're, you're trying to establish as, as the right way to do something. Um, so you kind of, you're applying what you've learned in journalism and in your other studies to do this research now.
 

So how, how does the human element kind of stay woven through there? What were we able to take from your past experiences to really do the work you're doing now?  
 

Dr. Cori Faklaris: I think that's a great question. Yeah, I think, um, one thing is kind of a mindset. And I know the engineering mindset for when I was younger. I think that's that actually was a difficulty for me going into journalism, because I also [00:10:00] had to learn the human part. 
 

And I am good at that. Um, decomposing processes and looking at where to optimize the processes. But humans aren't that that easy. Yeah, uh, and and you have to, uh, you have to engineer things in a slightly different way and use different methods. And but it's also a whole mindset. So, so one thing is I approach things with trying to find ways to build empathy for the humans who were involved with the technologies. So sometimes those are the end users. So for instance, I've done a couple of different studies of account sharing. This is something that probably no system is really built for, right? We usually build a system. So it's one user has one account and that's the assumption.
 

And that's sort of the terms of service too, for, for using that service and for, um, it's built into the, to the guidelines. But most people probably have a spouse or a friend or work colleague and they need to share that [00:11:00] resource or they might have other motivations. For instance, if you're in a relationship up until maybe a year ago, a common rite of passage in the U.S. was to share your Netflix account with whoever you're in a relationship with. And so, for instance, I was roommates with a woman and she was still on her ex-fiancé's Netflix account. And it was interesting. That was like the last vestige of the relationship. And they still, they still cared and appreciated about each other.
 

So that was a way of maintaining that relationship at a distance, even though they weren't really in each other's lives anymore. But of course, Netflix for them, this was kind of a business disaster. So it turned out because it, uh, but also for, uh, but at least they had built a system where it was really easy to share accounts and do it securely and somewhat privately. Other systems, such as if, if I was using my Google Photos account up until maybe three or four years ago, I might have had to actually share my individual [00:12:00] password and username to share my photos, but, but now Google Photos also, you know, that's an account where you can easily share with friends and family and sharing photos is a very natural human thing to do that, that we've all done since the introduction of photography.
 

So, so it's, it's wonderful to see Google and others support, support these kinds of things to get around so that people don't have to work around the system. We can actually build in secure private solutions that also account for, for what people actually need in their lives. So, so that's one, that's one facet of this. 
 

So you, you want to have empathy, but then also as a journalist, you have, um, methods to find out about people's lives and to build rapport. So, so interviews just like this, for instance, where, uh, but also different types of interviews, but you can, you can talk to them on the computer, you can do phone interviews. 
 

A lot of times you might want to actually go to where somebody is at. You want to go to their [00:13:00] context, whether it's their workplace or their home, and just sit and observe what they're doing and ask them questions. And that gets at that issue that you brought up of sometimes people aren't very reflective. 
 

They do things, but they don't really think about why they do them or they think they're doing one thing, but they're actually doing another thing. So as a journalist, your use, you develop lots of ways to assess this out and to think and reflect critically on where is there a gap between what somebody is telling me and what some fair, you know, more observational data, maybe there's something in financial records or in system logs.
 

It's like, well, you told me you're doing this, but the system log actually tells me you're doing something else. Um, and maybe they didn't even. 
 

Julie Haney: Yeah. So speaking of gaps, um, or maybe possible disconnects, I wanted to get into, um, some of the research you did when you were at CMU over the course of [00:14:00] several years. Um, and you were looking at people's security attitudes and specifically how do you measure those security attitudes? So, so Sean alluded to before that sometimes, you know, people's attitudes or what they say doesn't always match up to their behaviors.
 

So why is it important for us to, to study those security attitudes and what's that relationship between attitudes and behavior?
 

Dr. Cori Faklaris: That is a really fascinating mechanism. Like if you look at humans as maybe the most complex system that we'll ever deal with, you know, as somebody said to me once, there are two hard problems in computer science.
 

The hardest problem being people. People are the hardest problem in computer science. And then the second problem being convincing people that people are the hardest problem in computer science, of course. So, so attitudes really affect [00:15:00] our behaviors and then our intention to behave in a certain way. So, so, objectively speaking, you know, you could stand back and say, well, this is the correct course of action, or this is the appropriate way to prioritize resources, but actually, you know, we usually don't look at things like that.
 

We have attitudes are an important predecessor that affect our intentions to do something or what we actually do. Um, and there's actually a theory about this in psychology. It's called the reasoned action paradigm. So when people engage in actions that they have to reason through and usually cybersecurity and privacy and at all levels is about this attitudes are a key sort of antecedent. 
 

So you have beliefs about something that's going to give rise to attitudes. And that's, that's like how you feel about it, you know, or what's your disposition towards it. So usually I'd say. Most of us are not going to have a wholly positive attitude towards cybersecurity in various forms, [00:16:00] because it's usually pretty burdensome. 
 

It's a preventive behavior. That's probably not our priority in a situation. For instance, it's, it's usually not my intention to share accounts securely if I'm watching Netflix. My intention is probably to be entertained, to catch up on the latest in pop culture, and maybe to solidify my relationship with my significant other by cuddling up on the couch in, in, in front of a good movie.
 

Um, so, so being, being secure is not really a key part of those, those series of goals. But, um, but we want people to be secure and we want to help them protect their, their privacy. Uh, and so, so knowing their attitudes can help us think about like their mental models, but also, um, you know, are they likely to on their own form an intention to engage in, in a behavior, say like sharing an account securely, because it, it likely involves more steps than just sharing an account by [00:17:00] like writing down your password on a piece of paper and passing it to somebody, which is really not what you should do. You shouldn't do it that way. You should use a password manager. Maybe you share accounts through a password manager, or maybe you use a system like Netflix has where it's easy to add another user to the account.
 

Um, and, uh, and so some of those things involve much more steps. And so people have to be able to reason through that and they, they're not going to do any of that if they don't have at least somewhat of a positive attitude towards it. It doesn't have to be a completely positive attitude, but maybe there's an, there's a mix of attitudes similar to what we have with exercise, where you're not really looking forward to, or positive about the idea of getting up at 5 a.m. to take a run.
 

But what you are really positive about and, and really engaged with and attentive to is, you know, your health, your physical health, um, your mental well-being, your appearance. And so those are the things, those attitudes will drive [00:18:00] you to form an intention to get up at 5 a.m. And then to actually run when you get up.
 

Sean Martin: So how, how do these, I guess, are just our daily living set these attitudes? As you're talking about some of this, I, the word bias keeps coming into mind. I'm biased to certain things. Um, I mean, using your workout example, I, I wouldn't wake up at five to go to a gym, but to wake up at five to go on a 30 mile bike ride, I would, I would enjoy that.
 

Dr. Cori Faklaris: That's right. Yeah. It's, it's actually a little different than an attitude. It's a preference.  
 

Sean Martin: Right.  
 

Dr. Cori Faklaris: Yeah. So there's, there's more to it actually than attitudes, but  
 

Sean Martin: so this is good then. So tell me what the definition of attitude is and where, where that kind of fits into the bigger picture of who we are as humans. 
 

Well, I'm, I'm, I'm a [00:19:00] horse today, but who we are as people in general.  
 

Dr. Cori Faklaris: Yeah, I'd say, I'd say a nice thing when you think about these like theories or frameworks of why people do the things they do is to make it as simple as possible. And so, so I, there's actually classically, there's actually three things that precede an intention and action. 
 

One is attitudes. And that's kind of a catch-all for these, these more fine-grained concepts such as like what you actually prefer to do or what you have experience in doing. So, um, so that might feed into your attitude about something. Um, the second bucket of things though is social norms. And so another strand of my research is looking at how social influences, um, uh, you know, the attitudes and social influences can combine and be very powerful per se.
 

Same way. I don't really want to go on a run because it's solitary. Um, but I still have a positive attitude about exercise. I might actually decide to go to a Zumba [00:20:00] class. I can't imagine they'd be held at five a.m., but let's say they are because my other friends are going to be there. And so combined with my overall positive attitude towards exercise my engagement with, with the ideas of exercise and my attentiveness to health recommendations around exercise, then my friends are going to be there too.
 

Oh, that's, that's like a snap, a snap decision. Like, of course I'm getting out of bed. Um, and I'm, I'm going to put on my, my prettiest, uh, dresses, exercise outfit and go join my friends because that'll be very powerful. And then the third, the third bucket is your, what's called perceived behavioral control.
 

So in a way, you know, you can have positive attitudes. You could even have great social influences, but you have to sort of perceive in your mind that you can actually do that thing. So, so say like, uh, I thought, oh, that'd be really 30 mile hike up the mountain, but maybe my perception is, it's probably accurate that [00:21:00] I'm going to collapse if I just get up one day at 5 a.m. and do that without any training or preparation. And it won't matter how many of my friends are going on the hike. Well, maybe, maybe I would try to go on the hike, but, uh, but in fact, I bet I would feel like I don't want to be embarrassed in front of my friends by going on there. Plus I would probably have like a very mixed attitude, probably pretty negative.
 

And some of that actually is because I don't perceive that, that I, I have that kind of control over my behavior where I can simply go on a hike. So, so there are other things other than attitudes that fall into that, but I think too, attitudes is in this formulation a pretty big bucket. And so we can, we can talk, and this is one thing I'd like to do in future research to tease out some of these other things such as your preferences, um, or your beliefs, um, that might feed into that. 
 

Julie Haney: Yeah, that, that explanation is really, is really helpful. [00:22:00] So as you said, attitudes is kind of like one of the bigger buckets there. So you did some specific research on how do you measure people's security attitudes? So, and you develop some tools to, to kind of assess or evaluate people's attitudes. So tell us about, about those tools. 
 

Dr. Cori Faklaris: Yeah, this is this is pretty hard as it turns out. It's the kind of thing that I think in retrospect only a PhD student would try to do because you don't know enough to know how much work it's actually going to be, but also you have time and resources when you are a PhD student. If anybody, by the way, is thinking about a doctoral program and you're the kind of person like me who loves to geek out on stuff. 
 

It's a great way to do that, because you'll have five or six years. Somebody might have a grant that's paying your whole way, including your tuition and fees, which is also something I didn't realize until I started looking into [00:23:00] graduate programs. Then you can just sit there for eight hours a day like I did and say, how am I going to measure attitude? 
 

So the first thing I did is I looked up what do they do in psychology? And so, so they've got some some methods for, for mapping. What people might have like statements that you can collect through interview data, and you can figure out ways, you know, you could turn that into a questionnaire where you can, you can map it to some sort of number. 
 

So you have like a close, what they call closed ended survey question where it might be like one through five. One being like strongly disagree with the statement to five being strongly agree with the statement. We've all taken surveys like that. And, and that's the whole process there is that they get you to mark, to put yourself into one of those categories. 
 

And so then they can map you into a number, uh, that corresponds to that category. And so then once we have those numbers, we can use math [00:24:00] to calculate like what, what, uh, what answers are very strongly related to each other. And so they kind of cluster together and we can average them together or do some sort of other, um, some other math operation that makes it into one number.
 

And that's, that's how you come up with a rating of people's attitudes. And so, so what I did, um, is I collected a whole lot of data, a whole lot of survey answers where I just ask people a whole bunch of different questions or statements, ask them to rate those statements. Uh, these are drawn from interviews and from other people's research, uh, about like where people made statements about their attitudes about security practices.
 

Uh, and so we, once we did a whole bunch of, uh, rounds of data collection and data analysis, we, we identified there were these six statements that, that hung together very nicely [00:25:00] mathematically. And so we can say they're also not too similar to, because that's another thing. Um, so what we're doing is we're taking a lot of different measurements of the attitude and then we're averaging it together. 
 

And that gives you a much more certain measurement than if you just have one statement that you have people rate. So that's, that's the very geeky explanation of what we did for that. That's how you, you turn a very nebulous concept such as attitudes into a number that I can use in equations and whatnot.
 

Um,  
 

Sean Martin: Well, then what, what, what's the outcome? The outcome. How do you then use that data to change something or realize this is how it is. We can't change it, whatever.
 

Dr. Cori Faklaris: Well, there's a couple ways you can use this kind of a measurement. Um, and so for one thing, now that we've done all these tests and we've been able to say it's pretty reliable. 
 

Um, and so we were pretty [00:26:00] convinced, you know, if you measure at one point in time versus another point in time. It's, it's very reliable. It's measuring at the same rate and that's also seems pretty valid. So we matched, um, we matched how people did on, on our new measurement, the SA-6 security attitude scale against other psychological measurements of, that are related to cybersecurity attitudes.
 

And we found that they're pretty closely correlated. Um, and so, so that gives us a lot of confidence that it's actually measuring security attitudes. It's not measuring anything else. So now that we have that confidence that it's reliable and valid, um, the first thing we can do with it is, is just help draw a picture of somebody. 
 

Like who they are, what's in their head. Uh, and so rather than come up with our own questions or even have to go through interviews with somebody, which I love doing, but it's very time con uh, consuming and it can be very costly simply to find people and to schedule the time with them and to compensate them [00:27:00] fairly for their interview. 
 

So if you can just give them the survey, it's, it's much more cost effective and you can have a number. Uh, and then also that number you can compare against our database, uh, or other published works and say, well, this is very, this person's attitudes are very average because I'm comparing it to these other published benchmarks for this data. 
 

And so this is right in line with this other average that's been published, or I might say, well, it's higher or it's lower. So that, that also can tell you something, I think, if you want to, um, create an experiment. Maybe you, you want to, going back to my account sharing example, maybe you want to get rid of passwords. 
 

That's a big goal for all of us in human centered security because passwords are kind of terrible. Uh, so maybe you want to replace them with an alternative such as passkeys, or also maybe you want to do something that's a little less cryptographically intensive, such as simply creating a magic [00:28:00] link. 
 

The Slack messaging platform uses magic links. So you can measure people's security attitudes before you do the intervention. Um, and then you can have them work with it for a while, and then you can measure them afterward. And, and that could be one way to find out, um, are you getting something of a return on your, uh, on your efforts to create something new. 
 

So, so maybe, um, you might not see any, any more, any fewer cyber attacks because that's very difficult to tie to, um, sometimes to the preventive measures that we take. But what you could say is like, well, people had better attitude. Um, we have, you know, we can measure things like user satisfaction. And then along with that, maybe their attitude towards cybersecurity actually improved because now we're making it seem a lot less burdensome for them to do this. 
 

Julie Haney: So, Cori, it sounds like something this, this could be something that could be used by organizations, maybe to kind of just kind of doing a [00:29:00] pulse on their workforce once in a while, right? Yeah. Like you said, like, to kind of just find out, like, what, like, what are the general attitudes now among our employees? 
 

And then maybe implement some kind of new training program or changing the way that they do things and then periodically checking in. Um, can organizations use this scale? And if you want to talk about what's the scale called, and yes. Yes,  
 

Dr. Cori Faklaris: so the s the scale I called it S as in Sam, A as in Apple, hyphen six, just cause it seemed very descriptive. 
 

It's the six item security attitude scale. This is the one that was published in 2019 at the Symposium on Usable Privacy and Security. You can go to my website, CoriFaklaris.org. Um, maybe it's dot. I think it's dot com. I'm corifaklaris dot com. Uh, even though I'm no longer a business, but, uh, but I have it actually on my home page. 
 

I have [00:30:00] directions to find the scale and to use the scale. Yeah. And also unlike other psychometric scales, I offer it free of charge. The only, the only condition is that you cite me and my co authors, uh, where you use it, and I would also think it'd be nice courtesy if you can tell us that you were using it and, and how it worked out for you, because we're always interested, uh, in what we can do to improve things and how things are going. 
 

And along with this, we created two other, uh, interesting scales that you can use with SA-6 or alone. And so we call that SA-13. And so that's just because we added seven more items to the original six. I have that published on a site called arXiv. It's a little funky. It's A R capital X I V, the chi being the X symbol in Greek. 
 

But at arXiv.org, a lot of academics such as myself will publish papers there. The caution is they have not gone through peer review. We put them up there when, [00:31:00] we, uh, we want to get things out and we don't want to go through the whole peer review process yet, so you can go there. That is also linked on my website at CoriFaklaris.com. 
 

And again, that's, that's free of charge. You can use those just with the caveat, please cite us. And then also, we'd love it if you could tell us where you used it and what happened. Now, the additional items, those are two scales to measure, I think also really important concepts. The first one being, um, uh, are you in the middle of changing your mind about cybersecurity? 
 

So, so maybe, uh, your decision is in flux. And so I think I call that concernedness. So how concerned are you to change what you're doing with cyber security? And then the third scale, I think is also very important, uh, is about obstacles. So how resistant are you to using cyber security? I've talked a lot, actually, Right. 
 

I can hear myself talking, you know, a lot of our attitudes [00:32:00] actually are very negative about cybersecurity and privacy. Even if we're experts, a lot of times we don't do what we advise people to do because we're actually very resistant to. Uh, and so, so those items, there's four items there that can measure resistance. 
 

And in conjunction with the others, the resistance measurement also might be really interesting way to take a pulse on people. You know, maybe their attitudes don't shift a whole lot, but if, if the resistance drops, that's a huge win. That's a huge win.  
 

Sean Martin: Now, is this, can this be used for employees? Business partners, perhaps, but also I'm thinking like banks or financial institution or healthcare or whomever, where they're interacting with the company and they're sharing, I mean, we see some of this stuff, don't, don't put personal information in the form or we'll never ask you for whatever this kind of stuff to help guide. 
 

Um, so how, [00:33:00] how can, well, first off, does it, can it be applied to all those users? And, uh, if so, how would an organization go about implementing the scale in?  
 

Dr. Cori Faklaris: Those are great questions. So when I developed the scale, I deliberately developed it with a general audience in mind. So when I tested it against a general pool of survey takers, they weren't in a particular group. 
 

Enterprise or a particular sector. So, so in theory, you could use it in any situation. Um, having said that, I think sometimes, and for certain situations, you might want something that's a little more tailored to that particular situation. Uh, I would have no problem with somebody rewording the item slightly if they wanted to, and you know, say like, uh, instead of referring to general security recommendations, they say like, recommendations about keeping my banking information safe, say. 
 

I think that's, that's not too far from how it was originally [00:34:00] developed. So I think you'd still be on pretty good ground in doing that. I'd still would like to know about it because maybe we can help you figure out, did you actually produce a reliable and valid measurement? Um, and, and then also there are other scales out there. 
 

So I love, I think SA-6 and SA-13 are great partly because they're very short and they're very easy to compute and they are very flexible, but there are other scales out there in the literature that measure information security attitudes. Um, and some of those also might be more specific to, um, a context in which you want to measure attitudes about regulations that your enterprise might have, or also thinking about, um, some particular context, such as banking. 
 

Uh, those might, those might. And, uh, when somebody looks at it, you know, you can look and read the scale and you would just know if you were an expert, you would say, like, well, that actually fits my context better, um, and you can try that out. [00:35:00]  
 

Julie Haney: Yeah, really, really interesting and, uh, quality research you've done on security attitudes, Cori, but that is not the end of the story. 
 

You're doing some, some new stuff now, right? With your, with your new research group, um, you know, what, what have you all been working on?  
 

Dr. Cori Faklaris: We have been so busy. It's been so fun. Um, first of all, I just love being a professor. Uh, after being in industry, it is a bit of a change to be in academia, but, but the freedom you have to, um, research whatever you want is very invigorating. 
 

And I do really love working with students. It's, it's really just been a joy, um, and, and also to get their ideas because, you know, they often come in and they're brilliant people and I hired them for a reason. So one thing we're doing is actually is very important to the financial industry, and so we're looking into smishing, and so this is phishing when it involves SMS text [00:36:00] messages. 
 

And there's a lot of cute names for variants of phishing, like vishing is when it's voice calls, I suppose you could also say, um, vishing if it's video phishing, um, maybe with deep fakes, we're going to cross that horizon, God knows. But for smishing, this, it actually became a huge problem during the pandemic, and, uh, and so, so we've received some funding, uh, from the Center for Cybersecurity, um, Automation and Analytics, uh, to understand smishing vulnerability a little better. 
 

Uh, so what we found, we did a survey, a national survey of U.S. adult mobile phone users. And in a survey of more than a thousand of those people, we found, we looked at, like, what were the demographics of people, um, who, who responded to a test that we gave them about, like, is this a smish or is this not a smishing message? 
 

We found that younger people and college students were the most vulnerable. And, uh, and [00:37:00] our industry partners that, that kind of jived with where they were at. They're like, yeah, our data anecdotally, we saw. There were a lot of young people and college students, but it's actually important for us to get that kind of data in a much bigger sample to say, like, it's not just randomness. 
 

You know, we've, we can say that in the survey, even though it wasn't a probability sample, but it's a very large sample. And so we can say, like, there is more support here for the idea that across the board, there's something that makes younger people and college students more vulnerable to smishing. Um, and the second thing we found, and this hurts me as a communication person and somebody in journalism, uh, we're finding that people really struggle to correctly identify the legitimate messages. 
 

So, why this really hurts me is our communication systems are not usable. If people can't actually tell what's fake and what's threatening from what's not fake and what's not threatening because people just shut down eventually [00:38:00] and they just identify everything is a fake, you know, and that really, that's really harmful to us as a society and as human beings, we need to have communication systems that we can trust. 
 

We also have to feel like we're good. We're skilled enough to be able to judge whether a message is legitimate or not.  
 

Sean Martin: Yeah, I am. We, we've lost Julie. Hopefully she comes back. .  
 

Julie Haney: I know. I was like, oh, Julie .  
 

Sean Martin: Um, I'm gonna keep going. We have so much here. Um  
 

Julie Haney: mm-Hmm.  
 

Sean Martin: that I, I wanna, wanna keep rolling. Hopefully she'll join us in a moment. 
 

Uh, so the, you have this information and, well, I guess what I'm trying to figure out is you're saying it, it's hard for our communication mechanism and I, I forget what I heard the other night that, that it's probably not news to anybody but. The younger generation have a difficult, more difficult time perhaps [00:39:00] conversing in person, right? 
 

And they, they trust texts more, or more comfortable anyway with, with text. Um, but in that we then lose the human part of it, right? If we're only talking through our phones.  
 

Dr. Cori Faklaris: We, we could. I mean, I, I was just listening to a talk by David Polk last night, who's a journalist and futurist, and he was talking about AI, but he pointed out that, um, every single time we've had a new technology come into our lives, we kind of panic about it and things change how we, how we relate to technology changes, how we relate to each other changes, but it's not Some of that is going to be bad, but also sometimes we might overweight how bad it is. 
 

We miss, we misjudge that maybe because we hear about the bad things. We don't hear about, say, the good things or nobody's studying the good thing. [00:40:00] I do think there's a kernel of I feel like that's where my bias is. Now that I'm getting older, I watch my students, and I watch how they're relating to each other, and I think that's so different from how I grew up. 
 

And, and it does make me worry that, that this texting is, is maybe not the best thing. But honestly, there's a lot of advantages to texting. Uh, first of all, there's much less chance, sometimes there's much less chance that you'll be misunderstood, um, because you can see it, you can see the text. Now, still, you might say things and a lot of context gets lost. 
 

There's a lot more bandwidth on communication face to face. But, um, but I think there are some advantages to texting, and so Just and they're so busy, too. I mean, I think younger people are so much busier than I was at that age. And so texting really fits into that. But of course, you know, I'd say attackers are great psychologists. 
 

You know, I think some of the most successful cyber attacks happen because [00:41:00] somebody's got some great psychological insights into their targets and how their targets behave and how their targets live. So just like I'm observing young people and college students, so are attackers. And they might even be young people and college students. 
 

So who better to understand that kind of population and to figure out like how to disarm them and also how to, you know, hijack, hijack them by creating that sense of urgency, which is what makes phishing so successful in the matter of the medium. Because that's another thing about humans. Um, if they're not reasoning through their actions, you can get them to do anything because they're not thinking about it. 
 

Sean Martin: So, a lot of the folks listening to this show are security leaders and, and some practitioners as well. So they're probably responsible for security awareness training. 
 

They're responsible for looking [00:42:00] for, or working with the fraud team to identify, uh, fraud in their consumer, uh, transactions, uh, how, how can they leverage what you've created with your research to give them better insight into the programs that they're creating?  
 

Dr. Cori Faklaris: Well, I think those are great questions. 
 

And I know they, people pour a lot of resources into these and they want to see some sort of return on investment or at least some metrics that help give them some information like was this money well spent and did we actually make a difference? So, so I think, uh, SA-6 and SA-13, those types of measurements, I think we have really good measurements, but any other kinds of survey data, too, that you can get, maybe, especially before and after the training. 
 

That's what we do in education. We try to measure like before and after, like, and, and also, uh, make it [00:43:00] short, make it really short because your employees, uh, it's also, it's a huge burden on everybody to have to go through security awareness training and to do more and more on top of their other job stuff. 
 

Um, so that's where SA-6 and SA-13 I think are helpful because they are very, very short. Um, and that can give you a baseline and then also kind of help you see trends over time. And maybe it helps you show, um, some return on investment. Um, and, and secondly, I would say, um, you know, like our smishing research is pretty, it's pretty, um, pretty preliminary. 
 

But, uh, but I've also worked on some frameworks for why people accept security and privacy practices and also how do we reason about the role of social influence. And so, so another thing I would encourage, uh, stakeholders to do, think about how to incorporate some sort of social influence. So opinion leaders [00:44:00] are really critical to carrying out any kind of organizational change and any kind of not just awareness, but having people put things into action, which is what we really, really want. 
 

So sometimes those opinion leaders are not necessarily found by job titles. You know, somebody who's an administrative assistant might be very, very powerful in terms of the social network. Um, and some people, uh, who might be in IT also might have more people skills than other people. 
 

We don't really hire IT and security people for necessarily their, their ability to relate to humans. But some people just have that natural gift. And so maybe they can be ambassadors and, uh, and you know what I, I know some organizations actually have a program called the cyber security buddy. And so they'll actually have like a liaison who can be attached to a unit and that that person can help them troubleshoot things and reason through things and, and, and [00:45:00] actually, um, really briefly, I have a program, 
 

uh, right now, uh, of research, I've just started to use a large language model, um, to power like a, I guess a chat bot or an AI assistant who can act as that cyber security buddy. And so if somebody wants to get in touch with me and see if they want to help test it out, we'd love to do that.  
 

Julie Haney: Yeah, so to, I know we're, we're just about out of time. 
 

So, um, but I know that, um, you've recently started a new initiative at your university that you're very passionate and excited about, um, that involves some partnering with the community, um, of the UNC Charlotte. So, if you want to just quickly tell us a little bit about that.  
 

Dr. Cori Faklaris: Yes, I'm so excited. We've got some energy and interest to start a cyber security clinic here at UNC Charlotte. 
 

So this envisioned clinic, we bring in organizations [00:46:00] in the community who might need some help, maybe, and especially small businesses, small not for profits. They might not have the energy to find those professionals or the budget. So we're really fortunate we have an excellent cyber security program here at the master's and undergraduate level, and all across campus we've got students with transferable skills who might not, like when I was younger, might not realize this could be a great career path for them. 
 

So, so we're starting this as a course, and so then we'll, we're recruiting organizations right now in the Charlotte area. And we'd love people to bring us their issues that they want help with. 
 

And then we'll put together student teams to do this as a capstone or as a course project. And the benefit too is that it would be free of charge. And, and, but the opposite part of that is we're raising money for that. And so we've got some grant proposals out and, but also if you're in the Charlotte area and you're looking for a [00:47:00] place to donate or to get involved too, if you're an industry professional who wants to volunteer to help the clinic. 
 

Um, please get in contact with me or somebody else in the College of Computing and Informatics.  
 

Sean Martin: all about the community.  
 

Dr. Cori Faklaris: Yeah,  
 

Sean Martin: I love it. Well, this is, uh, I'll say without it. This has been great. I love this conversation. I'm serious. Um, I'm always appreciated for, uh, We're the guests that Julie brings to the show. 
 

And this has been amazing. I love it's why we do this. I love the research angle of things. And to me, I have the pleasure sometimes to teach a security analytics course where it's all about taking data. And understanding it and doing something with it, telling a story and creating, driving some action. 
 

And this is exactly that. And, uh, I'm hopeful that people listening can [00:48:00] do some of the things you suggested to, to measure and analyze and see how things are shifting over time. And, and then also get involved, um, participate in some of the community activities you have going.  
 

Dr. Cori Faklaris: Yeah. Thank you so much for this opportunity to share my story and, and hopefully, yeah, give some people ideas and, and also to help spread the word about the great work that I and my colleagues are doing. 
 

Sean Martin: Yeah, I love it.  
 

Julie Haney: Thanks very much.  
 

Dr. Cori Faklaris: Thank you.  
 

Sean Martin: Thanks everybody for listening to this episode. We have many more coming, uh, Julie's been busy identifying some cool folks with cool topics. So we have much more coming your way and please do subscribe and share and connect with Dr. Cori Faklaris and see you in Charlotte, perhaps, who knows? 
 

Julie Haney: That's great.  
 

Sean Martin: All right. Thanks everybody. Thanks, Julie.  
 

Julie Haney: Bye.