Redefining CyberSecurity

It's Not a Technology Problem, It's an Organizational Opportunity -- Building a Culture of Cybersecurity | Human-Centered Cybersecurity Series with Co-Host Julie Haney and Guest Dr. Keri Pearlson | Redefining CyberSecurity with Sean Martin

Episode Summary

Organizations continue to invest heavily in cybersecurity technology, yet breaches persist at alarming rates. This conversation explores why building a culture of cybersecurity rooted in values, attitudes, and beliefs may be the missing piece that transforms how organizations approach resilience and protection.

Episode Notes

Show Notes

Most organizations treat cybersecurity as a technology problem. They invest in layers of defense, run phishing tests, and deploy identity and access management tools. Yet headlines about breaches keep coming. Dr. Keri Pearlson, Senior Lecturer and Principal Research Scientist at the MIT Sloan School of Management, argues that the real opportunity lies not in more technology but in changing how people across the organization think about and value cybersecurity.

In this episode of the Human-Centered Cybersecurity Series, co-hosted by Julie Haney, Computer Scientist and Lead of the Human-Centered Cybersecurity Program at the National Institute of Standards and Technology (NIST), Dr. Keri Pearlson introduces her framework for cybersecurity culture built around values, attitudes, and beliefs. Rather than simply training employees on what to do, the focus shifts to shaping why they do it. When people genuinely believe cybersecurity matters, they take action without waiting for mandates or programs to tell them how.

Dr. Pearlson shares vivid examples from her research: a CISO who hired a marketing professional to run the cybersecurity culture program, a CEO who opens every all-hands meeting with a five-minute cybersecurity story, and organizations that use creative rewards like chocolate chip cookies and digital badges to reinforce positive behaviors. She also outlines a five-stage maturity model for cybersecurity culture, from ad hoc efforts all the way to a dynamic culture that self-regulates as new threats like AI-driven vulnerabilities emerge.

The conversation also tackles the relationship between organizational culture and cybersecurity culture, the role of group-level accountability, and why consequences matter just as much as rewards. Dr. Pearlson makes the case that cybersecurity should move from being viewed as an infrastructure play to a strategic advantage, one that can attract customers, reduce costs, and build competitive differentiation.

For any leader looking to move the needle on security culture, this episode offers a research-backed roadmap and practical steps that anyone can take starting tomorrow.

Host

Sean Martin, Co-Founder at ITSPmagazine, Studio C60, and Host of Redefining CyberSecurity Podcast & Music Evolves Podcast | Website: https://www.seanmartin.com/

Guest(s)

Dr. Keri Pearlson, Senior Lecturer and Principal Research Scientist at MIT Sloan School of Management | On LinkedIn: https://www.linkedin.com/in/kpearlson/

Julie Haney (Co-Host), Computer Scientist and Lead, Human-Centered Cybersecurity Program at National Institute of Standards and Technology (NIST) | On LinkedIn: https://www.linkedin.com/in/julie-haney-037449119/

Resources

Learn more about Dr. Keri Pearlson's research: https://mitsloan.mit.edu/faculty/directory/keri-pearlson

Learn more about the NIST Human-Centered Cybersecurity Program: https://csrc.nist.gov/projects/human-centered-cybersecurity

Cybersecurity at MIT Sloan (CAMS): https://cams.mit.edu/

The Future of Cybersecurity Newsletter | https://www.linkedin.com/newsletters/7108625890296614912/

More Redefining CyberSecurity Podcast episodes | https://www.seanmartin.com/redefining-cybersecurity-podcast

Redefining CyberSecurity Podcast on YouTube | https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

Keywords

dr. keri pearlson, julie haney, mit sloan, nist, sean martin, cybersecurity culture, security culture, values attitudes beliefs, cyber resilience, human-centered cybersecurity, security awareness, phishing, cybersecurity maturity model, security behavior, cybersecurity strategy, redefining cybersecurity, cybersecurity podcast, redefining cybersecurity podcast

Episode Transcription

[00:00:36] Sean Martin: And hello everybody. You're very welcome to a new episode of Redefining Cybersecurity here on ITSP Magazine. This is Sean Martin, your host. And this is probably, probably this is one of the, the funnest, times I get to do the show when it's in collaboration with my good friend Julie Haney. And we look at human-centered cybersecurity, the, the humanness of, what we're doing [00:01:00] here. 
 

In, in addition to the tech, and it's always good to see you, Julie. Thanks for, thanks for pulling this one together. 
 

[00:01:05] Julie Haney: Of course. Good to see you too, Sean. 
 

[00:01:08] Sean Martin: And, yeah, as always, I'm excited for, the, the topic and it's rooted in, in good research and good work. And, you're, you've brought, Keri along to, join us for this conversation. 
 

So I'll, I'll give you the honor of, of, uh. Tell us a bit more about the topic and and then we'll pass it over to Keri to, to, have a good chat. 
 

[00:01:32] Julie Haney: Yeah. Yeah. Very, very excited to have, Dr. Keri Pearlson on as our guest today. Keri is a senior lecturer and principal research scientist at the Massachusetts Institute of Technology, MIT Sloan School, and she previously served as the executive director of the Cybersecurity at MIT Sloan research consortium. 
 

so I, I, I think we met [00:02:00] Keri probably over the last year or so. We've had a few, fascinating conversations since then. And what I have found is that Keri has a wealth of knowledge about a very important topic in cybersecurity and that's security culture. so really looking forward to diving more into that today. 
 

so welcome Keri. thanks so much for, for being a guest on the podcast. 
 

[00:02:26] Dr. Keri Pearlson: Thank you Julie, and thank you Sean. I'm delighted to be here. 
 

[00:02:30] Julie Haney: Awesome. so as we, we often start out, kind of the first question, is it just if you could share with everyone, what's your career progression? How did you get into cybersecurity in the first place? 
 

[00:02:44] Dr. Keri Pearlson: Well, you know, it's kind of, uh, by accident actually, I was, working in analytics, doing, analytics leadership programs for a company, in the, in the, a private company. [00:03:00] And I was trying to find a speaker for an upcoming event we had, and I contacted Professor Stuart Madnick at MIT who had been on my thesis committee when I did my doctoral work, and asked him if he was interested in speaking. 
 

And he said, well, no, I can't do that, but I need an executive director for my cybersecurity research group here at MIT. Why don't you come join me and we'll do that? And I was like, oh, well that sounds really fun. It sounds interesting. And this was about 10 years ago. So cyber was. Hot and important, but nothing like it is today. 
 

So at the time I joined to really pull together this, group who was made up of researchers and of, executives in cybersecurity. we were looking at critical infrastructure companies. We were trying to raise all boats in the area of cybersecurity, but as I got into my role as executive director and brought in a lot of my previous research background, I realized that there's some really [00:04:00] interesting questions here that I would like to explore. 
 

So, earlier last year, I migrated out of the executive director role and into a principal research scientist role where I've been able to devote, a hundred percent of my time to looking at things like cyber resilience and cyber culture and board's role in cybersecurity and supply chain, and many of the organizational and leadership issues that keep coming up in cybersecurity. 
 

So that's how I got where I am today. 
 

[00:04:27] Julie Haney: Awesome. I, it, it's, it's funny there's so many people who have gotten to cyber accidentally, because someone pulled, someone pulled them in. so that, that, that's great. And we're very happy to have you in cybersecurity as well. 
 

[00:04:42] Dr. Keri Pearlson: I am happy to be here. 
 

[00:04:44] Julie Haney: So, so to get to get us started, I know you have a very different way of thinking about how organizations should be approaching cybersecurity. can you tell us a little more about that? 
 

[00:04:59] Dr. Keri Pearlson: Sure. [00:05:00] So, a little bit more about my background. I did doctoral work at Harvard Business School back many years ago, in the nineties. In the eighties and at that time I was very interested in the intersection between technology and organizations. And I've always been looking at how technology affects people and the jobs they do and how the jobs they do affect the kind of technology that they use and how both of those interact with business strategy. 
 

So as I got more interested in the cybersecurity issues, I realized that a lot of what we're talking about in cybersecurity just. It's working. I wouldn't say it's not working, but it's just not working well enough. In other words, if everybody's spending all this money on cybersecurity protections and different layers of defense, and we still keep seeing headlines pointing out new cyber breaches and new attack vectors, then what are we gonna do so we can slow that down? 
 

What are we gonna do to stop it? So. I started talking with, some of the [00:06:00] managers that I've, and the leaders that I know in the cyberspace, and we kept saying, well, companies need to be resilient. They need to be resilient. The light bulb went on. We need to be thinking not so much about protection. 
 

Protection's super important, and I'm not saying don't protect yourself, but I think what we really need to do is focus on resilience. And the resilience is. Protection, but it's also about recovery, response and recovery. So if you go back to the NIST model, the the six buckets, we, we see a lot of people focusing on identify, protect, detect, and then they get around to respond and recover. 
 

And they're like, oh, okay, well, we'll do it when we need to. and, and the truth is that we need to, now's the time. We need to be building in the processes that are, allow us to be, to respond and recover, but we also need to build our processes. So that they're resilient so that they can have minimal damage, should there be some sort of cyber incident. 
 

And that means a different mindset. So it's not that we don't wanna invest in putting in identity and access [00:07:00] management and doing pen testing and all those things that we're already doing. I think those are super important, as I've said. But I think we need to also be thinking about mechanisms that allow us to be cyber resilient. 
 

So let me give you a couple examples. one example is, organizations that, build like tabletop exercises. So they bring all their people together that would be, responsible for responding to an incident, and they simulate the incident. They don't just talk about it, they don't just give each other presentations on what they would do. 
 

They actually simulate it. They put themselves in a situation where they say, well, let's suppose that we had a ransomware attack going on right now. What would we do? Who would we call? And they call 'em, and they, they, they try it out so they can flex those muscles before they need those muscles. 
 

And another example of course, is culture. Thinking about how do we get the people in our organization to be more resilient and be thinking about cybersecurity, all the time, but particularly so that as. The [00:08:00] need arises. We have an army of people in our organizations that are there and ready to go and helpful, not just in doing the jobs that they do, but in helping us get back to operational efficiency, if that's what we need to get back to. So I think about it as a resilience. 
 

[00:08:16] Sean Martin: And if I can ask, Keri, the, I often think that yes, it's a, it's a process and a method and you have to practice it, but it just like everything else in, or most everything else in, in cybersecurity and certainly when businesses try to build out their operations, it often boils back down to the technology as well. 
 

And I think when we, when we look at that, you have to have a backup in place, right? For example. So you set up the backup. We may or may not test it, but we don't really think of the full story. What, what's the scenario? And I'm wondering your, your view on that in terms of the culture, really understanding what [00:09:00] does resilience mean instead of do we have a backup and can we recover? 
 

'cause those are two very different things. One is tech driven, one is more of a really around the culture. 
 

[00:09:11] Dr. Keri Pearlson: Yeah, good question, Sean. So let me give you a little bit more about how I think about culture and then I'll, I'll circle back to your technology versus, organization question. So I'm not saying that technology is not important. Don't hear that. And in fact, my background includes technology. I'm an engineer by training. 
 

I'm a math major. I'm a techie girl. In fact, I call myself a, a cyber girl, a techie girl. But I'm really interested in how people in inter interact with organizations and that's. Kind of what I think about when I think about resilience. So when I think about cybersecurity culture, we're talking about the values, attitudes, and beliefs that drive cyber secure behaviors. 
 

That's exactly how I define culture. The values, attitudes, and beliefs that drive cyber secure behaviors. So I can give you lots of examples. We can get into that. But when, when you take that approach, it doesn't mean the [00:10:00] technology is not important. It doesn't really mean anything about the technology. 
 

What it means is we wanna put mechanisms in place. So that our people in our organization have the values, attitudes, and beliefs that motivate them to do the right, or in some cases, to not do the wrong behaviors. In other words, we don't want people clicking on phishing emails. We teach them over and over and over, not to click on phishing emails. 
 

People still click on phishing emails. Why is that? Well, part of it is the phishing emails are getting better and they're harder to figure out, but part of it is they don't really see the value in spending the time thinking about is this a a phishing email or not? They don't really believe that it's important for them to worry about that until that happens, and then it's a little late to worry about it. 
 

So we wanna instill the values, attitudes, and beliefs that are necessary for people to take the actions that we're training them to do. So where does the technology come in? So when we think about resilience. certainly we need backups and certainly we need to, to test our backups and we need all of the technologies in [00:11:00] place to recover from a technological perspective. 
 

But there are things our people can do to, help us be, resil, also be resilient. And those are things like, being, being more aware of. If they do something to tell us, don't click on a phishing email and then go shut your computer and just pretend it didn't happen. You know, which people do. They don't wanna get in trouble. 
 

think about your process and before you access something online, make sure that you, have done whatever you need to do in your mind to make, to, to make sure that it's as clean as possible. Don't click on a link you don't know. If you do something, say something. If a friend needs help, help them talk about cybersecurity. 
 

So there are a lot of things we can do to build those values, attitudes, and beliefs in our organization. So that, uh. The people can be a piece of the solution, not just a cog in the wheel of our organization. And, you know, something that might get in the way of being resilient. Again, happy to give you lots of examples, but that's kind of what I mean, [00:12:00] that, that more than backups, it's, it's the, the people side and the process side that often gets lost. 
 

When we start to talk about backups, we stop to think about our processes going or, or our, our people really being part of that. 
 

[00:12:13] Julie Haney: Hmm. Yeah, I, and I do, I absolutely wanna get into some, some specific examples 'cause I know you have some great stories. but I mean, first I wanna, I wanna ask when building security culture in the organization, who's responsible for that or who, who plays a role in security culture? 
 

[00:12:35] Dr. Keri Pearlson: Yeah, I love that question. so obviously my first answer is everybody plays a role and we'll get to that. When we talk about, you know, a mature culture, for example, or a very effective culture, where I think the, the, the question you're asking Julie is almost like, where do you start? And, I, I've seen organizations where the. 
 

Chief Information Security Officer, the CISO takes responsibility for [00:13:00] the culture, but he or she can't be the one to build the culture. They have, they own everything. Everything stops at their desk. So we need, normally somebody is appointed as. Sort of the culture czar or the evangelist or, uh, in one company it's the, the culture product owner, because everything in their organization is a product. 
 

and so it, somebody is appointed to build a culture. In some organizations, I've seen that be a full-time job. In fact, I've seen it be a full-time job with a team. In some companies, I've seen that be a part-time job until they realize the value of it. I've seen CISOs partner with HR, so that you're somebody who really understands the human resource processes, but the most effective person I've seen be the culture builder, if you will, is a marketing person. 
 

in a, in one company I looked at, they, the CISO hired, a marketing person to, uh. Build, run, build and run the cybersecurity culture. And I thought that was a brilliant move. And why is that? Well, what do [00:14:00] marketing people do? They change hearts and minds. And what do we need to do in a culture? We need to change hearts and minds. 
 

We need people to really see that this is something valuable and worthwhile and believe that it's important. And so this person brought all of her experience in marketing to the problem of building the um. The, the motivation for, in their case, a, a culture of data protection. So a culture where everybody in the organization was protecting the, the data, and that was their culture of cybersecurity. 
 

So who owns it? It's usually whoever owns, the, the cybersecurity. But again, they own everything. And, but who does it usually somebody else who's appointed to put in all the different mechanisms in place. 
 

[00:14:43] Julie Haney: now to the stories, because I, I know you, you have some, you've collected some great ones over the years, and I think storytelling is a. It can be so powerful. So can you share with us, just a couple examples of how organizations went about [00:15:00] trying to build a strong security culture? 
 

[00:15:03] Dr. Keri Pearlson: Yeah, good question. so, I, I've written a lot about what, what I call my security, my. Security culture framework, and it basically says values, attitudes, attitudes and beliefs drive behaviors. But what drives values, attitudes, and beliefs. And, I've, I've listed a number of different mechanisms, managerial levers that managers can use to build. 
 

These values, attitudes, and beliefs. So lemme tell you a few stories. One is, I just did the marketing person who, put all sorts of things together. She did things like, little movie clips that, were a famous movie, that, that popular movies that people would know, but she put people from her company in the movie clips so that it was very personalized. 
 

But the storyline was James Bond or. You know, whatever the, the, the popular thing or mission impossible. I, so that was, that's some one way they were building values, attitudes, [00:16:00] and beliefs. Again, we're thinking values, attitudes, and beliefs. We're not thinking drive the behaviors. We're thinking of changing the, the way people think about it. 
 

Another organization, this one's a bank, the CEO. Not the cyber person, but the CEO starts every all hands meeting with a five minute cybersecurity story. It could be something that he saw in the newspaper or on the on the web. It could be something his golf buddies mentioned to him. It could have been something he experienced. 
 

It could be something the cyber people on his team told him about. But think what happens when the CEO starts his all hands meeting with the cybersecurity story that sends the message to his direct reports. Cyber's important to him, and that becomes important to them and so forth down the line. So every single person listening to this podcast could build cybersecurity culture in their organization or in their family, even by talking about it. 
 

Talk about cybersecurity and make it be something that's just common discussion. And then that drives the. That the value that it's important to you. And if it's [00:17:00] important to you, it's gonna be important to the people around you. And they're gonna be a little bit more aware and a little bit more aware, makes them a little bit more secure. 
 

Another example I have is, you know, punishments and rewards I talk about, I don't talk about 'em as punishments. I talk about 'em as motivations, but rewards and consequences. one organization, they wanted to drive the. cybersecurity belief that reporting things were good. So what did they do? 
 

They offered a cookie, the chocolate chip kind, not the electronic kind. They offered a chocolate chip cookie to anybody who reported a cyber incident or cyber concern in their organization. And the evangelist in that case bought a few dozen cookies and you know, thought he'd have 'em for a while, and it turns out within 10 minutes people have reported, that enough reports that all the cookies were gone. 
 

It was the reward. People just wanted the reward. It's not that they automatically found something that there were so many breaches in 10 minutes, it's that they, there was a reward. [00:18:00] Another organization does, badging if you complete certain requirements, to prove that you're a. A cyber hero, you get a little badge that goes on your email that says, I'm a cyber hero. 
 

You know what? People want those badges. What does it cost to make a badge? I mean, you could use ChatGPT and create a graphic in like five minutes, right? And it could cost zero. and yet it's so motivating to people to have some sort of reward like that and to, to show that they've done something right. 
 

Another organization does exactly that. They create cyber heroes. And they talk about them. They feature them either on their website, not just in October, which is cyber month, but all year long, they feature cyber heroes. And it, it, it changes people's values, attitudes and beliefs. They want to be like these people. 
 

They want to be rewarded and that drives behaviors that you, that we wanna see. So there's a few examples of things I've seen that, organizations have done and I've, I've documented. Probably dozens and dozens of examples, but those three, those few really [00:19:00] strike me because it's just so vivid and it's something anybody can do. 
 

[00:19:04] Sean Martin: great, great examples, and as you're, as you're. Then one thing kept coming to mind, which is it sounds like, and maybe you can correct me if I'm wrong or, or confirm that I'm correct, that it sounds like the, the, the culture of the company already had a, a sense of caring and that these programs kind of naturally fit in to that culture. 
 

And I'm wondering if, if that's the case for these scenarios for others that you've, that you've explored and. How does, how does, how does a good culture help a cyber culture be successful? How does a bad one make it more difficult? Does one have to change the other? I dunno, there's kind of a weird mix that could go on there, right? 
 

[00:19:50] Dr. Keri Pearlson: Yeah. Yeah. You know, that's very insightful, Sean. I mean, really, we, we only have one culture in our organization, so when I talk about a cyber culture, I'm really, I'm, I'm [00:20:00] making a distinction as if there were two cultures and they're not, I mean, organizations have a culture, and they have values, attitudes, and beliefs, so you couldn't have. 
 

A cyber culture with different values, attitudes, and beliefs than the culture has. So it's really just one culture. and what I'm talking about is really driving those values, attitudes, and beliefs so that you, they're in line with the kind of behaviors that we wanna see. So, when you say a, a good culture or bad culture, or, you know, is there one culture that's more supportive of cybersecurity than another? 
 

I would say it's, I wouldn't classify it so much as caring, although it might, you might say that, um. I would classify it more as a kind of environment where, managers understand that people will do what they are motivated to do, what they value to do, what they, what they value. And if, if managers are trying to run their organization in a command and control environment where they tell them what they. 
 

What behaviors to do, and then they expect people to do them. That doesn't work in very many [00:21:00] places. I mean, it does work in the military because the value system is such that you do what your commander tells you to do or your supervisor tells you to do. And a startup, eh, not so much. You know, and a lot of other large companies, you know, maybe you, you listen to your direct supervisor more, they tell you what to do. 
 

You, you do it because you value that the relationship with your supervisor. I would say a culture where there's, the, where you understand what drives the values, attitudes, and beliefs, is, is a culture that would support doing these kinds of things for cybersecurity behaviors. I've seen organizations and, and I've given these examples and obviously talked to this with, with lots of people and I've seen people say to me. 
 

Well, you know, we might be able to get away with rewards, but we couldn't get away with consequences with punishments. One organization I studied was an operational technology company, so, things could blow up if there was a, a malware introduced into their software systems. I mean, they've done all the right things. 
 

They've air gapped. [00:22:00] They, they, you know, they've done everything that they could do physically, but it's, things are still connected. They can get, they can get infected, whether it's, you know, remote maintenance person plugging into something or whatever it might be. So this organization takes a very strong stance that if you click on email, they do phishing tests, you click on a phish, the first time you meet you, you get a little program. 
 

You have to take, you know, the, the, those really annoying five minute, detours from your daily work where you have to sit down and. Take a class. and if you click on a second time, you, your manager gets involved. Your third time HR gets involved. The fourth time, if you're still clicking on phishing tests, you're given a warning. 
 

And if you click on it five times, you're fired. And I've given that example in a lot of the, the programs that I've taught in, a lot of executives I've, I've consulted with. And every now and then someone says, oh, we can't fire someone for clicking on a phishing email. And I say, well, okay, you don't have to be that. 
 

That, extreme. But what do you do if they keep clicking on it? Oh, we do nothing. Well then what do you [00:23:00] expect people to learn from that? You know, they're gonna learn that there really are no consequences to bad behaviors. They're not gonna believe that, that they should do something, that you know, that you tell them to do if they don't want to. 
 

And so that, that sets up an environment where. if there are no consequences to your actions, then people are gonna do what they want regardless. They're not gonna necessarily follow the, the, the me, the, the levers that people push. I'll give you another example. I mean, here at MIT. I joined MIT about 10 years ago, nine years ago actually. 
 

And, when I joined there was a, a orientation class that you had to take and I took it and there was a little cybersecurity component to it. And I was so excited because I was learning not only what, what cyber was about, but how my organization manages this people side of cyber. So I took it. And then I realized that, you know, there are people around here at MIT who've been here 50 years, five zero years. 
 

There are people who've been here more than that. When did [00:24:00] they take the orientation class that taught them about cybersecurity? They probably never had it. And, and, you know, are, are we worried that they might do something that might, they might interject something into the system or inadvertently click on something? 
 

Well, not too worried about MIT because, you know, we've got, protections in place and we've got mechanisms in place and our whole architecture is designed in a way. Everybody's their own little thing, but it could happen. People could introduce something into the system, think about the organization that that doesn't design itself with that in mind with, you know, a thousand flowers blooming kind of environment like we have here at MIT. 
 

You know, if, if, if people, if they don't have, haven't thought through how that process works, then and they aren't, they have people that have never had the training program and they have no consequences. Oh, that's a piece I forgot. Here at MIT a lot of people who've never had the training program have tenure. 
 

They're not going anywhere. If they don't take the training program, they're not gonna get fired. So there's zero consequences if they don't [00:25:00] take the training program in cybersecurity. But as I said, our organization has other mechanisms that, address that. But think about the organization that hasn't thought through it from that perspective, and they, they don't have any consequences. 
 

And they don't, they, they don't motivate people in a way that changes their values, attitudes and beliefs. That's the kind of culture that's gonna have a little trouble building the cybersecurity culture. 
 

[00:25:23] Julie Haney: Yeah, those are fantastic examples again, and I, you know, one of the things that we talk a lot about in, in human-centered cybersecurity, are extrinsic motivation versus intrinsic. And, and you've mentioned a lot of the, kind of the external to extrinsic, like the, the rewards consequences. and I was just wondering your thoughts about. 
 

Kind of the long-term impact of the extrinsic are, are those sustainable over time and, and is it important to move [00:26:00] people into the intrinsic motivations where they are kind of doing cybersecurity and, and, and being cognizant of their behaviors because they have internalized that and feel that it's an important thing to do. 
 

[00:26:13] Dr. Keri Pearlson: Yeah, I, I don't make the distinction the quite the same way you do Julie. I, I, I guess. Thinking about it from that angle, the idea of building values, attitudes, and beliefs is the intrinsic part. You know, what I'm trying to do is change your values, attitudes, and beliefs so that you are motivated to do the right thing. 
 

And that's exactly where the resilience angle comes in too, because I can't train you on every single thing that might happen that I need you to do. So I can't just say it's gonna come from a phish, and make sure that you never click on a phish. That would be really limiting to the organization's ability to be resilient. 
 

What I need is for my people in the organization to not only do what I'm motivating them to do, i.e. not click on a phish, [00:27:00] but be intrinsically motivated to find whatever the other thing might be. So I think both are sustainable: the rewards, the punishment or the consequences, the performance evaluation, having your leaders talk about cybersecurity. 
 

I mean, if everyone in a very, let's say, effective culture stopped talking about cybersecurity today, that culture would be one where people had the intrinsic motivation to keep going, because what we've done is changed their values, attitudes, and beliefs, so that the extrinsic motivators wouldn't be necessary to keep the 
 

values, attitudes, and beliefs, or the culture, going. But I do think that it's difficult to change values, attitudes, and beliefs without the external motivators. And so I do think there needs to be some consistency, particularly over time. And, you know, there's a piece of the human 
 

management side that [00:28:00] we haven't really talked about, which is the people coming into the organization who haven't had the motivators that the other people have had. I mentioned the professor who had tenure who is never gonna take the cybersecurity training program, but the new people who come in aren't gonna have the same experiences. 
 

So if the organization had a cyber breach, everybody's gonna be a little more motivated to kind of make sure it doesn't happen again. You know, if their job stopped or they were out of work for a day, or they got behind on their work, or they felt pain because there was a cyber incident, that's also a good motivator to change their values, attitudes, and beliefs. 
 

But a new person comes in, they didn't have that, they're not gonna have that intrinsic motivation. So I think the mechanisms are important. The levers are important. And as a cyber culture evangelist, I would say that person's job is to keep beating the drum, keep making sure that there are levers out there, but that person themselves can't change everybody's values, attitudes, and beliefs. 
 

It really has to come from lots of other people in the [00:29:00] organization, i.e. direct managers, not just cyber people; leaders; people who are influencers in the organization. We all know those influencers, the people that people listen to because of their stature. They're not necessarily 
 

having formal authority, but they have informal power. Those are the kinds of things: we wanna get the leaders on board, the people that people follow, on board. And that helps also. I don't know if I answered your question, but that's kind of how I see it. 
 

[00:29:30] Sean Martin: And I'm glad you went to the, I'll call it the societal part of it, because a couple of scenarios ran through my mind. So, a tenured person is not gonna get fired if they don't take the test, but they might care if they don't get a bonus, or they might care if they have to share in the increased cost of cyber insurance because so many phishing clicks happen in their training program. 
 

And the insurance company is [00:30:00] not gonna give as good a rate, and somebody has to pay for that. So maybe part of the program is you share in the cost of cyber risk insurance, and your actions have a direct impact on that, or your bonus has a direct impact from the results of your activities. 
 

That was one thing that came to mind. And being in an apartment in New York, where we have a lot of people in the building, we kind of hold each other accountable for cleanliness and safety. For example, somebody puts something out on the street and we get a fine for it. 
 

The building has to pay, right? And again, the community holds each other accountable. So I'm wondering your thoughts on that. We can't be looking at other people's emails; we're using the phishing test as a scenario. But how does an organization leverage each one of us to help the rest of us be successful in [00:31:00] this? 
 

[00:31:00] Dr. Keri Pearlson: Yeah, I love that question, Sean, and you're exactly right. When we think about building values, attitudes, and beliefs, there are three levels actually that I see. One level is the managers, and we talked about that. And by managers, I mean your supervisors, your leaders, and the people who are charged, like HR, with building those kinds of programs. 
 

The other is individuals. You know, individuals are self-motivated. Some know more than others. Some value security or privacy more than others. So they're gonna have different values, attitudes, and beliefs. But the third is the group, the team, and the person building the cybersecurity culture, if you will, or the mechanisms that drive the values, attitudes, and beliefs, would want to be thinking about the group level and how can we leverage the groups. 
 

And the mechanisms I've seen, I have some stories about this. One is, the cyber group in one company actually started [00:32:00] sending out sort of friends, messengers, younger people in the organization, to go to other parts of the organization and help them feel like they knew more about what they were doing. 
 

This was a program. Another company actually did it externally. They were trying to help build cyber secure behaviors external to their company. So they had a program where individuals could sign up and be part of this army that went out and helped nonprofits, for example, be more secure. 
 

So I've seen mechanisms at that level be very effective. Another one: I mean, you don't wanna embarrass a friend who left their laptop open, you know, something exposed. But if your company has built mechanisms so that you can somehow let them know, like put a little sticker, like, you know, your computer was left open. 
 

I'm just reminding you that we don't do that, or we don't wanna do that, around here. Or, you know, you might have inadvertently left trash on the sidewalk that you didn't mean to leave. You know, [00:33:00] you might have inadvertently left your computer open when you didn't mean to. Just letting you know. 
 

We noticed. And sometimes things like that are important. It's the same kind of thing as holding the door open. You know, you said you live in New York City; your doors are probably locked. You don't want somebody holding a door open for somebody they don't know so somebody gets in the building. You have sort of values, attitudes, and beliefs around that. 
 

It's the same kind of thing with cybersecurity. So when we build the mechanisms for values, attitudes, and beliefs, we wanna build in ways for those to happen group-wise. Another thing I've seen organizations do is reward or have consequences at the group level. You mentioned if somebody left trash on the sidewalk, the whole building would have to pay the fine. 
 

That same kind of thing translates into some exercises for companies. One company I've worked with wanted everybody to use a password protector, you know, like LastPass or 1Password or something like that. And so what they did is they [00:34:00] made 'em available to everybody, and they also made it available for you to use at home. 
 

So you could not only keep your work password safe, but you had a second instance to keep your home password safe, and you can see the message they're sending: we think cyber's so important, we want you to be protected at home, not just in the office. But then what they did is they had a scoreboard by group, so not by individual, but by group. 
 

How many people were using the password protector, the password manager. So the ones at the top were the heroes, but the ones at the bottom were showing that they were, you know, not quite following along. And that motivated the group to wanna help each other, to climb the ladder of being successful. 
 

So groups can help each other and you can put in processes that motivate groups. 
 

[00:34:49] Sean Martin: Yeah, I love that last example. Yeah, 
 

[00:34:51] Julie Haney: Oh yeah, it's funny, I worked in an organization before where when someone left their computer unlocked, someone would jump on and send an email to the entire [00:35:00] organization saying that they were bringing in donuts the next day. So 
 

[00:35:03] Dr. Keri Pearlson: I love that 
 

[00:35:05] Julie Haney: the public shaming. 
 

[00:35:06] Dr. Keri Pearlson: Food is a good motivator. 
 

[00:35:10] Julie Haney: Yeah. So Keri, this has all been fantastic, and I really love to leave the listeners with some kind of practical advice, you know, toward the end of our discussion. And you alluded to kind of different levels of maturity of security culture. And so I'm wondering, 
 

what are those stages of security culture, kind of that spectrum that you've seen, and how can organizations take some practical steps to progress along that spectrum so that they can mature their culture? 
 

[00:35:54] Dr. Keri Pearlson: Yeah, good question. So my current research is looking at two things. One, I'm trying [00:36:00] to articulate a way to measure culture, because if we could measure it, we could make it better. Whether it's maturity or effectiveness or whatever the right word is for a better culture, stronger culture. I'm using the word effective 
 

these days 'cause it just rings a little more actionable for managers. So how do we make our culture more effective? And as part of that, I've articulated five different stages. I don't know if they're the right progression. I do think the first one is accurate, and I do think the last one is accurate, but the ones in between, I'm still working on that. 
 

Every organization has a culture and every organization has a cybersecurity culture, whether they've designed one or not. And so I call that ad hoc. You have something; what does it look like? Well, usually, most organizations today are watching for phishing emails and they're probably training their people. 
 

They're doing phishing tests. I'm yet to actually find an organization not doing any phishing tests. But [00:37:00] that wasn't the case even as recently as two or three years ago. Today, pretty much everybody is aware of phishing, and they're tested on it if you're in an organization. 
 

And so, ad hoc, you probably see some mechanisms in place to try to get their hands around being more secure. And Sean, you even brought up insurance. You know, maybe your insurance company. That's a really big resource for a lot of small and medium enterprises. 
 

Insurance companies don't wanna have to pay you for a breach. They don't want you to have the cost of a breach if your business is shut down. They don't want you to have it. So they have resources to help organizations think about things like how can we be more secure. So you might have an advisor, and it's just kind of haphazard what you do to try to build cybersecurity beliefs. And at the other end of the spectrum, well, let's just call it stage four. 
 

I have five stages. So stage four is where everybody in the organization's involved. It's sort of what we were just talking about, Sean. You know, people step [00:38:00] up because it's the right thing to do. They may not know exactly what you want them to do, but they understand that this is an environment where it's important to be cyber secure, or to protect our data, or to watch our processes, and so they do what they have to do, or what we've trained them to do, or they have the values, attitudes, and beliefs to take action. 
 

I think there's a fifth one, which I'm calling dynamic. I don't exactly know what it looks like, per se, in all the details, 'cause I don't know that I've seen it yet. But the next level, after everybody is on board and everybody's doing what they need to do, is a culture that just shifts dynamically, automatically, as the threats change. 
 

So today we see a lot of AI-induced potential vulnerabilities. And actually, my other research project right now, I wanna understand AI security and how that is different, or if it's different, from other kinds of cybersecurity vulnerabilities in the organization. And so, [00:39:00] I think that introduces new kinds of vulnerabilities that maybe weren't the ones we were driving for in our 
 

previous cybersecurity culture. And so the most effective culture automatically changes: people in the organization say, oh, well, you know, AI's here and it might introduce some new vulnerabilities. Let me make myself educated so I know what to look for. Or, you know, let me take the lead. I'm not waiting for my managers to put a program in place, or a reward system in place, or, you know, some sort of punitive damages or consequences in place. 
 

I'm just gonna go learn it myself, because it's dynamic and I know that this is something I need to do. So this most effective culture is one that kind of self-regulates, or self-manages, self-governs. The fourth one is where everybody feels it's their responsibility. Okay. So, but what is something that managers can do? 
 

What can you do? What are three things? I'm gonna give you three things people can do tomorrow if they want, to try to move the needle, whether they're in an ad hoc culture or, you know, [00:40:00] everybody's thinking about things. So first of all, I think it's really important to shine light on cybersecurity. 
 

It's not a dirty word. It's not something we keep in the closet. We should talk about it, and we should talk about it maybe with our friends as well as our colleagues. It shouldn't be something we take a class on once a year or once a quarter. It should be something that just comes up and, you know, we share ideas or we share 
 

headlines that we saw, and we talk about it. I think in most organizations it's not the case. I think people wait till their cybersecurity month or, you know, the cyber evangelist puts out a new video, and then all of a sudden they're talking about it. But it should be part of our everyday occurrence, just like water spilled on the floor. 
 

Somebody cleans it up. Cybersecurity, something's going on. We talk about it. We fix it, we make it something that we understand. So number one is talk about it. And I give the example, I'm the only cyber girl in my social circle. My friends are professionals. They're doctors and lawyers and real estate agents and hairdressers and, 
 

you know, [00:41:00] teachers. But I talk about what I do on my job every now and then. It's not like I'm always talking; I'm not boring, I'm not talking about it all the time. I'm not, you know, making sure that they're cyber experts. But every now and then I see a headline, I share it with my friends, and that makes everybody a little bit more aware just because there's something around, and that makes them have the value that they should be aware, and that makes them a little bit more 
 

likely to notice something in their world, makes them a little more secure. So talk about it. The second thing is reward people who do the stuff you wanna see. You know, if somebody's doing something good, even in your family or in your work environment, even if you're not their supervisor, just say something nice about it. 
 

Wow, that's awesome. Glad you did that. You really helped us around here. I wouldn't even have thought to do that. I'm gonna do that. I'm gonna do what you did. You know, the more we reward people, even with words. Words are really powerful. And the third thing, kind of along the lines with that, is if you're a manager, make heroes. 
 

You know, find examples, make heroes out of the people who are doing the [00:42:00] right thing. The more you make heroes, the more other people wanna be heroes, and the more likely you are to change their values, attitudes, and beliefs. But we think about it as values, attitudes, and beliefs. It drives a whole lot of activity other than training programs. 
 

It's really not about what's the next training program or what's the next awareness campaign. It's really about how do we change the way people value something and how do we change the way they believe in it, and that will drive the behaviors that we wanna see. 
 

[00:42:29] Sean Martin: So, so good. And so many thoughts in my head, 'cause it's important to have a structure. You're describing and articulating your view of this extremely well, such that I can take it in and hear it for my own views. I have my own view of what a program looks like as well, and I think some of the things I heard I'll translate into my own words as being purposeful and meaningful in our thoughts and how we approach this. 
 

Being open and [00:43:00] honest in our communications with ourselves and with our team, and ultimately being active with what we want to achieve and actually having a results-driven outcome. And I'm gonna challenge you with maybe a sixth maturity level, because it's something I ask on my show generally all the time, which is: we have all this knowledge in cybersecurity and we tend to use it for shoring up weaknesses and battling attacks and recovering from successful incidents. And I think there's knowledge there that we can actually use to make the business better, more efficient, more effective, to do better things for each other and for the customers and for society at large. 
 

And I think this is a perfect place for that, a sixth level of maturity where that can actually happen, where the cybersecurity culture, as part of the bigger culture, can actually make the business better, not just safer. So [00:44:00] I'll challenge you with that. Yeah. 
 

[00:44:02] Dr. Keri Pearlson: Love that. I know we're almost out of time, but a big goal of mine is to change the discussion of cybersecurity from an infrastructure play to a strategic play. So that's pretty much saying just what you were saying, Sean. You know, if we could make cyber a competitive advantage, if we could make it a strategic advantage for our companies 
 

rather than just an infrastructure play, everybody would get on board: if you got more customers because you were more secure, if you got lower costs because you were more secure, if you were able to attract employees because you were, you know, more secure, as a euphemism for all of these things we're talking about. 
 

Then I think we'd see cybersecurity incidents going down and we'd see resilient companies popping up everywhere. But we aren't quite there yet. I think people still think it's a technical problem. So back to your very original question: it's not a technology problem, it's an organizational opportunity. 
 

[00:44:59] Sean Martin: Yeah. And all [00:45:00] the way back to your beginning of this conversation around resilience, I think we go back there as well. Well, this is fantastic. Dr. Pearlson, it's fantastic having you on the show and hearing your insights and hearing the stories you've collected over the years. And Julie, always great to see and hear you and to co-host this Human-Centered Cybersecurity Series with you on Redefining Cybersecurity. 
 

So final word from you, Julie. And then we'll say thanks to everybody listening and watching. 
 

[00:45:31] Julie Haney: Thanks again, Sean. Keri, this has been fantastic. Some great words of wisdom, some fantastic takeaways, and practical advice for organizations. So hopefully we have a lot of people going back to their organizations and, at least, doing what they can do to change the security culture. 
 

So thanks so much again, Keri, for being on today. 
 

[00:45:57] Dr. Keri Pearlson: Thank you for having me. 
 

[00:45:58] Sean Martin: And thanks, everybody, for [00:46:00] listening and watching. Do stay tuned for more Redefining Cybersecurity in the Human-Centered Cybersecurity Series with Julie Haney and me, and thanks for subscribing and sharing with your friends and enemies. And stay tuned for more.