Clinical psychologist Beatrice Cadet, Scientist Integrator at Netherland's Organization for Applied Scientific Research (TNO), draws upon multiple concepts such as 'learned helplessness' to explain why people still fall for phishing attacks despite the training. Beatrice emphasizes the need to factor in human behavioral traits and motivational triggers when developing social engineering solutions and training.

Time Stamps

00:49 -- Please share some highlights of your professional journey.

03:51 -- From a psychologist's lens, what do the social engineering trends look like? What can we expect in the future?

08:13 -- You talked about the need for socio-technical solutions to counter social engineering, and there are a lot of solutions out there. What are some of these solutions?

10:17 -- Unfortunately, we are in an environment where we have to be mindful, we have to be careful, and we have to prioritize. Your thoughts?

13:20 -- Do you think we'll ever get to that stage where humans don't have to worry about making mistakes; because we have great technologies that will cover us?

16:48 -- We are naturally not inclined to be proactive. Your thoughts?

18:56 -- You said, "I want to debunk the emotional aspects of social engineering. We need to be more pragmatic about it. We all fall for it at some point. But how to best avoid it and recover." Expand a little bit about the emotional aspects of social engineering.

24:35 -- From a psychologist's standpoint, what are your thoughts on the Zero Trust approach to cybersecurity governance?

27:37 -- It is so important that human psychology is taken into consideration by involving subject matter experts, such as yourself when training programs are developed. Would you like to add to that?

34:41 -- The more I think about it, it makes sense to have a Zero Trust approach. Your thoughts?

37:17 -- I'd like to give you the opportunity to share some final words.

Memorable Beatrice Cadet Quotes/Statements

"I think deep fakes are here to stay. They are likely to be used (by criminals) more and more."

"Social engineering can be approached in two ways -- using psychology, i.e., human manipulation to conduct technical cyber-attacks, and using technologies and technical tricks to manipulate people."

"Social engineering is nothing new, and we're still falling for the same old trick."

"Technology is being increasingly used to manipulate people even more effectively."

"When I think of social solutions, I refer to the awareness that comes with training. "

"With so much social engineering going on, we cannot expect everyone to always be at their best and ready to check everything."

"If you don't have awareness and mindset, you can do every possible training you want, it won't have the desired effect."

"People really need to understand why cybersecurity training is important; if you don't get their buy-in, the training will be ineffective."

"It has been shown in cybersecurity research that the reason why sometimes things don't work, or people still fall for phishing, is because they know that no matter what they do, or they think that no matter what they do, they will get scammed anyway."

"Beyond being well aware of social engineering campaigns and cybercrime in general, it's also very important to be self-aware, and to know your limits, to know that sometimes you might be overstressed and overwhelmed. And you're not going to be able to make the same type of decision as if you're perfectly healthy and mentally well-balanced."

"The only generalization we can make is that there are no generalizations that can be made."

Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

https://us.sagepub.com/en-us/nam/cybersecurity-readiness/book275712

Latest Publication: https://www.imd.org/ibyimd/magazine/preventing-security-breaches-must-start-at-the-top/

Welcome to the Cybersecurity Readiness Podcast

Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of

the book Cybersecurity Readiness: A Holistic and

High-Performance Approach, a SAGE publication. He has been

studying cybersecurity for over a decade, authored and edited

scholarly papers, delivered talks, conducted webinars and

workshops, consulted with companies and served on a

cybersecurity SWAT team with Chief Information Security

officers. Dr. Chatterjee is Associate Professor of

Management Information Systems at the Terry College of

Business, the University of Georgia. As a Duke University

Visiting Scholar, Dr. Chatterjee has taught in the Master of

Engineering in Cybersecurity program at the Pratt School of

Engineering.

Hello, everyone, Happy New Year. I'm

delighted to welcome you to this episode of the Cybersecurity

Readiness Podcast Series. Our discussion today will focus on

finding a balance between our natural need to trust and the

caution that needs to be there to deal with all forms of online

cyber attacks. In fact, I experienced a phishing attack

this morning, and I'll get into that later on. I'm delighted to

welcome Beatrice Cadet from Amsterdam, Netherlands. Beatrice

is a scientist integrator at Netherland's Organisation for

Applied Scientific Research (TNO). With a background in

intelligence and psychology, Beatrice has specialized in

cybersecurity by taking an integrative approach working on

bridging the gap between human and the technical aspects. So

Beatrice, before we get into the details of managing trust, let's

talk about you a little bit, share with the listeners some

highlights of your professional journey.

Yes. So again, thank you so much for having me,

I'm excited about the discussion that we're about to have. So,

about me as you just said, I studied with a master's in

intelligence and security management from Strasbourg

University in France, that gave me quite a multidisciplinary

background within the social sciences area. From there, I

knew I was interested in tech. So I tried to target my

internships more into the online safety and security, which led

me to work for a startup in Dublin that is called Zico that

works for online safety for children. And then I thought I

needed to gain some technical knowledge to properly work in

cyber security, which led me to the Netherlands where I still am

today. And I worked for a company called Red Sox Security,

cyber threat intelligence. So I really dove into the technical

world and worked with a technical team, my goal being to

get some knowledge and some skills. But eventually I found a

really interesting position to be a social scientist or more

human approach person within the technical world and the

technical people. And from them to my current position where

indeed, I know that what we do is quite multidisciplinary.

However, online safety and security, information

manipulation. So that's the core of the content that we're

working on within the type of work we do could be a scientific

article, as much as trainings or workshops for police or the

Ministry of Defense, right now. I'm focusing now on the human

factors. So that got me to start a bachelor in psychology just to

add that to the background in security, and mostly

cybersecurity. And I got hooked, and I became a clinical

psychologist.

Wonderful. In fact, I don't believe I've

had a clinical psychologist on my show yet. So you are the

first one.

nice!

I'm looking forward to learning a lot from

your insights and expertise. So from your lens, from a

psychologist's lens, what does the social engineering trends

look like? What can we expect in the future?

Yes. So one thing I always say is that, of

course, criminals innovate, also a lot in social engineering. So

we see new tricks and new ways to catch people, especially with

new technologies. And I think that's something to really look,

look up look to, and look at, sorry, because, for example,

deep fakes, and it's something that we need to look for in the

future, but that is also already here. I think deep fakes will be

more and more used. And we've seen it this year already. I

mean, 2022 We've seen it, so more and more defects. They use

technology more and more to manipulate people. And I always

say that social engineering can be approached from the two ways,

right. So it's using psychology, or I mean human manipulation to

conduct a technical cyber attacks, but it could also be

using technologies and technical tricks to actually manipulate

people. So that's something I like to highlight when I talk

about social engineering. So as I said, Yeah, innovation, so new

tricks, but one thing that I always see is that all tricks

also always, are always here. And when I was working on cyber

threat intelligence, I would work on some phishing labs and

try to analyze some phishing campaigns. And I would find some

campaigns that beside having different types of indicators of

compromise, different different IP addresses, for example, the

visual aspect of the campaign would be exactly the same. So

for example, Elon Musk is giving away 20 Bitcoins. And so that

shows that social engineering in the end is nothing new, and that

we're still falling for the same old trick. And it's not proper

to cybersecurity, social engineering has existed since

forever. So with that in mind, I think, yeah, what we can see in

the trends and in the landscape for the upcoming year and years

is really looking at the old trick, look, still trying to

bring more awareness because we're still falling for the same

sort of campaigns. And additionally, technology is

being more and more used to manipulate people even more

effectively.

I can't agree with you more, when you

say, we are still falling for the same tricks. We as humans,

we are naturally inclined to trust, we are very vulnerable or

susceptible or gullible, we end up believing what we see. Early

in the morning, I saw an email supposedly from a major credit

card company, and I have a card with them, stating that a

certain amount could not be paid, so I need to log in and

make the payment. It looked so genuine. They had the graphics,

right, they had the logos, right. And it was very well

crafted. It wasn't the typical phishing emails with grammatical

errors and stuff like that. I was almost thinking of clicking

on that link. But then I said, No, I won't, I'm just going to

call them. And yes, I did expand the subject line to check on the

address. I couldn't tell if it was a genuine address, or a fake

address. Instead of clicking on anything, or replying, I just

called them this morning, and said, I received this email and

she went into my account checked and said, Sir, very smart of

you, you picked up on something that you should not be clicking

on. The reason I share this example is, that I have now

become so paranoid, anytime I see an email, I scan it

thoroughly. I refuse to click on any attachments unless I know

for sure who the sender is. And when in doubt, verify, right?

Just call and ask. So it was kind of interesting that I had

that experience this morning, and we are now discussing about

whether to trust or not to trust.

Yeah, good timing!

Yeah, I know, good timing. Beatrice,

during our planning discussion, you mentioned a few things that

I want to pick up on. You talked about the need for

socio-technical solutions to counter social engineering. And

there are a lot of solutions out there. It might be very valuable

for you to highlight for the benefit of the listeners, what

are some of these solutions?

Yes. So when I mentioned the need for social

technical solutions, I think, for example, on the technical

side to the filtering solutions, for example, for the email, if

we're talking about phishing emails, yes, I think this is a

good first step. We need that in place, we need that to be

efficient. When I think of social solutions, it all comes

with awareness, it all comes with training. And the reason

why I say this social technical solutions, because there is so

much so many campaigns, so much social engineering going on,

that we cannot expect everyone to always be at their best ready

to check everything. And I would like to rebound on the example,

you just mentioned your example from this morning, You're in the

fields, so you're more aware, maybe and you may be a little

bit more used to it. So that gives you a bit more awareness,

maybe than most people, but also you took the time and that was

time consuming know to have to check all the different

elements, to doubt, and then still to call them. So not

everyone always has that time or decides to always take that

time. So that's why even though people would be very well

trained into spotting every single phishing email

whatsoever, I think there would still be some vulnerabilities at

some points, the same way, that a filter on the emails also has

some vulnerabilities and might not filter all the phishing

emails or filter too many of them. So yeah, that's a few

examples I can think of now, when I'm talking about social

technical solutions.

Yeah, I mean, I don't enjoy calling

credit card companies in the morning, to follow up follow up

on things because it takes up a lot of my time. Yeah. And that's

not the way I want to start my day. But we are in this

environment where we have to be vigilant, we have to be patient.

It brings to mind an episode I did recently on multifactor

authentication and the fatigue that's associated with it. The

subject matter expert told me that many developers don't want

to go through that authentication process,

especially when they are dealing with 15-20 different

applications. Because it is bothersome, it is time

consuming, they become impatient. Unfortunately, we are

in an environment where we have to be mindful, we have to be

careful, we have to prioritize. Finances are something that I

carefully monitor, especially my credit card transactions. If I

know anything that could be problematic, I immediately get

into an investigative mood and I probe further. I give it a

priority, though it's not something that I would like to

give priority, but I am left with no choice. So that's kind

of the way I do things. And I'm sure many others, your thoughts?

Yes. And I think it's great. Ideally, we should

always be very mindful of every single emails, every single

text, even every single phone call or interaction with people.

The thing is, as you said earlier in this talk, is it

biologically human beings are inclined to trust. And then of

course, it depends on the personality, not everyone will

have the same extent, that same inclination to trust, and also

depends on your experiences. And I would say one of the problems

with cybersecurity in general is that most people don't feel the

burn, when dependence of you know how you learn that fire

burns, well, you burn your finger, it's painful, and you

tend not to do it again, because you learned from the pain. Most

people that got cut with cyber security issue, so a phishing

email or whatsoever, they might not know that they have, that

their data is out on the Dark Web, or they might know that

there has been a data leak, for example, but they don't really

know what it represents. So I think it's also very difficult

for people who are not very knowledgeable or used to

cybersecurity to choose to put that as a priority the same way

that you do. Yep. So yeah, I think that is a very important

factor to consider. And as you said, there's so many emails as

well. And to go back on that need for social technical

solution. That's also why I think it's important because

there's so many simulations coming all the time from

different directions, that it's very difficult to keep

everything as a priority and to be untrusting of

everything you have come across every day.

Exactly. And we multiprocess so much

these days, right? And we are using different devices. Yes.

And so it's like second nature to us, we're just doing stuff.

So to have that natural filter, that a little bit of security

paranoia, which would force us to stop, think, take unnecessary

action, before we move on to the next thing. For that to become

muscle memory, for lack of a better word that comes through

training, you're exactly right. That also comes through, again,

I'm not a psychologist, but I'm gonna put myself out there and

hypothesize or suggest that we have to start really believing

that this is a problem. And like you used the excellent,

excellent analogy or metaphor of the burn that do we really need

to get burned to appreciate what should be done proactively. We

have to kind of learn to be a little more cautious and cant

just throw caution to the winds as they say. I was speaking with

a subject matter expert in the last episode that was published,

and she's a expert in cybersecurity technologies. And

I asked her a question, I said, Do you think we'll ever get to

that stage where humans don't have to worry about making

mistakes, because we have great technologies that will cover for

us? And she answered in the affirmative. She said yes, I am

optimistic that there will come a time sooner than later where

we don't have have to be this vigilant. And I hope that her

words come through. But until then we just have to be careful,

right?

Yeah, exactly. And also be very pragmatic about

it, it most likely will happen, I think, maybe coming to the

state where we don't have to be that worried about it will be

that first because we have more training. So we have more

feeling of control on what we can do about it, that's very

important. But also a point where we'll have better

technology, maybe to counter this, complimentary, but also

that we'll have more resilience processes, so that you will know

that, okay, even if you're making mistakes, there are ways

to recover, or there are ways to, unless all the developments,

maybe with insurances or like processes where you can, okay,

making mistakes, but you're not alone in there. Because as of

now, there are very little processes in place. And even

with the police, they're trying to have more people report cyber

crime, but it's still very low. So I think that as a compliment

could also help us get to a stage where we're a little bit

more. Yeah, yeah, he's all about it. Yep, that can be done as

well on something you say, with training and the importance of

mindset. There is one concept, it's a sort of pyramid of

different concepts, you need to get to effective training. And

the bottom line of the pyramid is actually awareness and

mindset. And if you don't have that, you can do every single

training you want, it won't have the effect that you're

expecting, you really need to have people understand why

they're training on this, why they have to work on this

specific skills or specific concept, or issue. And if you

don't have that, you won't get the effects you want. So that's

really important to understand why we need actually to get

better at this

Yep, that connects with what I often say

is, we have to get the user buy-in, unless the buy-in is

there, unless the user recognizes the importance of

doing certain things, or following certain guidelines,

following certain best practices, they may not be

willing to do so. And as much as we might preach that, lets, be

proactive, let's not be reactive. But unfortunately, the

results, the statistics, suggest that we are reactive. And we

learn best after a major catastrophe. If we can use the

pandemic as an example, despite all these great organizations

out there, terrific scientists out there, we still couldn't, we

were not proactive about it, we made a great recovery. Thanks to

the scientists, we have the vaccines and all credit to them,

thanks to all the healthcare workers who've done yeomen

service. But having said that, I'm not so sure that we have

another round of a pandemic, are we better prepared for it now

that we have experienced one? I'm not so sure, I'm still very

pessimistic about it. Because we are naturally not again, this is

a hunch I'm not a psychologist, maybe you can shed some light,

we are naturally not inclined to be proactive.

And I would fear that maybe if there would be

another pandemic, we would try to apply the lessons from the

one we just we've just been through, which is still been

happening. Right. I would hope that we would learn to be

proactive by taking the lessons learned, but also looking

towards the future as well. And mixing that up together. Yes.

And it's similar to what could be happening sometimes in

cybersecurity that we just think, oh, yeah, there is that

threat. So we apply this, but the threats are moving, and it's

always a cat and mouse game. So how do we become as defenders as

innovative as the criminals, right? How do we try to make the

gap between the two sides a little bit smaller, that's also

very important.

Exactly. And I want to emphasize what you

just said, it is important to learn from the past. But it's

also important to recognize that the future might present

challenges that have to be dealt with, and we may not be prepared

for it from our past experiences. So therefore, it

requires a mix of Yes, informed insights from the past plus the

innovations that's going on because we have to think

proactively of what are the future types of attacks that

might be launched, and how can we protect ourselves? When I say

how can we I'm talking about individuals, groups,

organizations, nations at any level, I think this approach us

a deliberate a proactive approach is is valuable

irrespective. So awesome! Once again, going back to my planning

document here, I took notes when we were talking and you made a

very poignant statement. You said "overall, I want to debunk

the emotional aspects of social engineering. We need to be more

pragmatic about it. We all fall for it at some point. But how to

best avoid it and recover. Expand a little bit about

emotional aspects of social engineering?

Yes. So I would say motional, maybe also a

little bit seeing it as a buzzword we hear so often that

humans are the weakest link, and it's because of the people and

stuff. And yes, it is true. Because in the end, even though

cybercrime cybersecurity is all about tech, behind the

computers, behind the phones, you have humans on both sides of

it. So completely agree with this. But being sort of alarming

about social engineering as much as it is good and important and

necessary, it has to have its limits. Because first, there is

a point that we haven't mentioned yet. But there's a

psychological concept that is called learned helplessness is

that people feel so overwhelmed, and they feel like no matter

what they do, it won't help anything. So and many people

have that. And it has been shown in research in cybersecurity,

that the reason why sometimes things don't work, or people

still fall for phishing and stuff, is because they know that

no matter what they do, or they think that no matter what they

do, they will get scammed anyway. And it's so overwhelming

that they prefer to just drop it and be like, Yeah, I have

nothing to hide or whatever happened happens. So that's why

I think like being a bit less emotional about social

engineering being a threat, but being just pragmatic about it,

like it is there, it has always been there, it will still be

there, I think that could be actually a very good step

towards being more protected against it. So that's the core

point I would like to make. Yes,

well made, when you said learned

helplessness, it immediately brought to mind an experience

that I had a couple of years ago when I was gathering data for my

book. And I spoke to a senior leader of a major healthcare

company. And he made a very interesting statement. He said,

we are such a large organization, we have so many

systems interfacing with other external systems, we connect

with all kinds of IoT devices, it's very overwhelming to stay

on top of everything and know where our vulnerabilities are,

where we are, we are strong. So you almost feel helpless. And

you're kind of hoping, to use his words, that we get attacked,

so we get to know where our weaknesses are. And of course,

that is not the approach or mindset that I recommend, or

anybody for that matter would recommend. But that speaks to

what you just said about learned helplessness. Whether it's a

leader of a major organization, or whether individuals, I have

gone through some cybersecurity certifications, some

cybersecurity training, they can get complicated, there's so much

to learn so much to know. And so for a regular person who just

wants to do their thing and be happy and not get too caught up

with this stuff. They're like, Oh, I don't want to know the

details. If something were to happen, I'll deal with it when

it happens. So that's precisely I think, what ends up happening

with humans, because human mind can only absorb or deal with so

much complexity, right? We have, we have our cognitive

limitations. And when it goes beyond that, we are like, Okay,

nevermind, let's just hope for the best I'm not gonna try

anymore. So I think that point is extremely well made,

We have our cognitive limitations, yet, we

still make 1000s and 1000s of decisions every day without even

noticing it. So that's the whole thing. Also, we're going back to

trust, trusting, not trusting so many decisions are automated.

And we can control everything. And also, criminals know that

they're also human beings, and they know how to trick us. So

that overwhelming feeling they know how to use it. And for

example, you get your email, you saw in the morning, and you said

something about your card in the morning when you just woke up,

maybe so then it's even harder to be rational. And they know

exactly how to do this. So yes, bringing a bit more peace to it

being like, Okay, this is it. You need to be aware of this. We

need to train on this. We need to get better at this but also

without Yeah. dramatizing it, I think it's very important to

actually make concrete progress.

Fantastic. So let's talk a little bit about

the zero trust approach. And if I understand this approach

properly, essentially, the assumption is being made that

let's try to be as secure as possible every step of the way.

Use a combination of physical, technical and administrative

controls, have a micro have micro segmented networks. So

when a user wants to move from one network to another, they

have to again authenticate. So have checks and balances every

step of the way. I was reading somewhere, they used an example

of going to a rock concert, and you get checked in once, but

then you again, get checked in and again, kept checked in

before you get to your seat. So having these multiple layers of

defense, for lack of a better word, or another very popular

terminology out there is defense in depth, those are being

advocated big time they are being considered best practices.

From a psychologist's standpoint, what is your

perception on this zero trust framework? Or zero trust

approach to cybersecurity governance?

Yeah. So as a psychologist in cybersecurity,

my first thought is thinking yes, indeed, that that makes

sense. And layering security is yeah, it's just just makes

sense, right. But then, as a psychologist first what comes to

my mind is, we need to pay attention that all of those

measures, and all of those technical aspects, physical

points of security, are adapted to how human behave, you know,

because often we try to create solutions. So I'm thinking

concrete, technical solutions that are actually not adapted to

how users behave. And that can be the key to failure, if we

don't think about it. So I think it's a great, great point to

have those different policies in place to have those different

infrastructure security infrastructures in place, but we

need to make sure that they're not too heavy for the user. And

of course, it's easy for me to say this, right? It's ideally,

we always want this, but it's important to develop it as well

always, with the user in mind and thinking, okay, how can we,

instead of thinking, let's develop the best technical

solution, and then fit it into the user process, we need to

think ahead and think, Okay, we need to have a sort of technical

solutions in place, how do we make sure that the user will

adopt it? And of course, the user might have to adapt to

adopt, but how can we make sure we we do that in the easiest way

possible. And then when it comes to thinking, zero trust, I think

as much as it's great for policies and technical

solutions, we need to again, as we said earlier, remind

ourselves that having a human being always suspect something,

won't happen. It's just not possible all day every day.

Exactly. And I hope listeners if they

have anything to do with training in their organizations,

or if they have the insolence, I hope that whoever is involved in

developing a training program include the psychologists in the

team, because you need technical specialist, no doubt, you need

strategists, no doubt, but you also need the psychologists who

understand human behavior, because, after all, these

solutions, many of the solutions if not all, many of the

solutions, which involve human interaction, or which are going

to be used by humans, unless you understand human psyche, human

mindset, the solutions are not going to be very effective. I'd

like to briefly mention a research that was carried out a

couple of years ago, where they trained a group of people to see

whether post training, the percentage who fell for phishing

attacks would drastically decline. Unfortunately, the

research found the variation wasn't significant. In other

words, the training didn't prove to be the phishing-related

training didn't prove to be effective, and the researchers

justified the explanation or tried to explain the findings by

saying that there are so many human factors such as innate

curiosity, for lack of a better better word greediness. If we

see an email which is promising a certain sum of money if we

click a link and play a game or throw a dice whatever we are

inclined to do so because we want to believe that yes, there

is some something to be gained from this action, it may not be

fake, we almost force ourselves to believe it, because we have

the need for money, let's say or, and like you said earlier,

we are many of us are often naturally inclined to trust. So

it is so important that the human psychology is taken into

consideration by involving subject matter experts such as

yourself when training programs are developed. Would you like to

add to that?

Yes, there are two points I wrote down for

myself. Let's start with the role of a psychologist in such a

team, I think is in knowing how people function knowing how to

investigate how specific groups of people function And as well

or specific individuals even. And that's something that I

often hear. So I speak with a lot of technical people, of

course, and I give a guest lecture every year at the Hague

University of Applied Science, and it's a technical crowd. And

what I recognize often is that technical people tend to think

as one zero. And I don't want to generalize, because that's

exactly the point I'm about to make. But I hear that very

often. And I get some people asking me, but how do you know

this for people? How do you approach this for people? And

there's no exact rule. And that's one thing you learn when

you study psychology, is that okay? You will learn specific,

especially, in my case, clinical psychology, you will learn

specific syndromes or how to recognize things, but the

experience will never be the same for two individuals. So you

really need to learn how specific people function and

apply that knowledge to the knowledge, the general knowledge

we have on human beings, and then bring that to the group of

developers or whoever you're working with. And so there's

that role that psychologists can have in a team. But then there's

also the role of often translating between different

disciplines, you mentioned, strategies, technical people

that you may have in a team. And that that's a position I've

often been myself, of actually understanding how the different

group of people working on the project, think and communicate,

and how to because multidisciplinary work is still

very complicated. And it's very valuable, and it's what we need

to go towards. But it's very complicated. So having a

psychologist sometimes can help bind these different disciplines

together. So yeah, that was the first point that I had on what

you just

said. And what was the other one? You

said? You made? Two points? Yeah. The other one was,

general knowledge on cognitive

psychology. So yeah, this is how the brain works. This, this is

how people make decisions and stuff. This is very important,

of course. But one thing that we tend to forget is that one

person won't make the same kinds of decisions every single day,

the context is so important to how you will make a decision.

And even the most rational person may at some point, make a

very emotional decision. And so that's also what you're talking

about, we're talking about a seeing that email that will

promise you some money. And then in a moment of weakness, you

might decide that, Oh, you want to believe in this. And what you

say is really true, because sometimes we decide to trust for

the wrong reasons. And so we're out for the wrong reasons, or

because of some sort of contextual influence. And my

colleagues and I two years ago, wrote a paper on disinformation

during COVID-19. And one of the statements that we made in the

discussion is that maybe the context of the lockdown and, and

the pandemic happening, influence why so many people

started to believe in disinformation, and people that

might not believe in it before the pandemic, but in this

specific context, with that much uncertainty with mental

disorders being on the rise, so I'm thinking anxiety and

depression, this, like anxiety and depression, they affects

your emotional system, right. And we saw that the narratives

that were played in disinformation, played on the

emotions that are affected by depression and anxiety. So that

being hopelessness, having difficulties dealing with

uncertainty, being very anxious, being very angry, and so yeah,

those people in normal times, they might have not fallen for

this. But now they were triggered on specific aspects of

the human factors in a specific context. And that's why it

worked. So that's why I think, beyond the being well aware

about social engineering campaigns and cybercrime in

general, it's also very important to be self aware, and

to know that, to know your own limits, actually, to know that

sometimes you might be overstressed and overwhelmed.

And you're not going to be able to make the same type of

decision as if you're perfectly healthy and mentally well

balanced. And nobody will be mentally well balanced every

single day. So I think, a very important point to consider for

everyone, because we're all dealing with emails with

technologies and with cybercrime, but also the people

making the trainings or searching for the right

solutions.

Very true, very true. Let me try to tease

out some inferences from this discussion, from the standpoint

of cybersecurity governance. First, humans are very complex

beings, their behavior will not be consistent, will change with

context, with situations, with the environment. And that has to

be factored in whether you are conducting a training program,

whether you're developing a technical solution. But what

does that mean? That means you recognize that even the best of

solutions, if it has a human involvement, can fail at a

certain point in time on a certain day, because that

particular person wasn't on their best game, something had

happened, something had taken over they had, they were

vulnerable, they felt weak for for a variety of different

reasons. So therefore, the more I think about it, it makes sense

to have a zero trust approach, a zero trust framework, because

that's assuming that whether you trust or you don't trust, and if

those things keep changing for a variety of reasons, we can't

control that, but at least let's build or establish the checks

and balances. To use your words, let's be pragmatic about it, and

take a very practical approach, instal the necessary barriers

through different types of controls. So we can still

protect the organization, protect assets, and other

resources from attacks that might happen because of human

vulnerabilities. So that's kind of my long drawn, circuitous

explanation or inferences of what we've been talking about.

Would you like to add to that? Yeah, exactly.

We need to accept that it's not black or

All right. Well, as much as I would love to

white. We're in an area that is rather gray and, some one person

that can be very good at a phishing tests might still get

caught at some point, depending on the context, depending on how

well the criminal also built the campaign, because maybe it's

continue this discussion, we are coming to the end of our time

targeted, and they've done a great job of intelligence, and

they know how to trick that person. Yeah. So we need to

accept that and having Yeah, indeed, different layers of

security, technical and human, allow to balance, when one of

the two fails, and it will at some point, and also, yeah,

having ways to recover properly. That's very important.

allotted here. So I'd like to give you the opportunity to

summarize or say anything that you'd like the listeners to take

away from this discussion.

Yes, thank you. So I think for the general

audience, it's very important to become more aware of social

engineering as a threat, because we're all facing it. And

consequences can be very damaging, it's important to

understand that it's important for everyone to understand that

they can actually have some sort of control on it as little as

checking your emails more properly, or knowing that

checking the email address, for example, can save you from a

phishing link, or just not clicking without checking, like

this different kinds of things. And it's important for I think,

authorities in general to understand that, yes, some

people that work in the corporate environment will get

some trainings, more or less effective, still at this stage,

but they will and they have more awareness as well on that. But

the whole population needs to get more awareness and training

in general on social engineering. And then if we're

thinking about decision makers and companies, yeah, understand

that your employees are human beings. And you got people

understand that human beings are not just yeah, one or zero, that

they will fail at times, they are more complex than it's

really difficult to generalize, the only generalization we can

make is that there is no generalization that can be made.

But then to end that summary, again, social engineering has

always existed, we need to be very pragmatic about it, we're

still falling for the old tricks. There is some innovation

and we need to keep an eye on these developments. But there is

something we can do about it. We have that power. And to finish

on a positive note, I would say that I have also experienced in

my surroundings, whether professional or personal, way

more awareness and good practices coming from different

types of people. So I think we're on the right track. We

just need to keep on working on it and accepting that it's a

gray area and having a multidisciplinary approach.

Fantastic. Thank you so much, Beatrice, for

your time and your thoughts. I look forward to many more such

conversations.

Thank you for having me.

A special thanks to Beatrice cadet, for

her time and insights. If you liked what you heard, please

leave the podcast a rating and share it with your network.

Also, subscribe to the show. So you don't miss any new episodes.

Thank you for listening, and I'll see you in the next

episode.

The information contained in this podcast is for

general guidance only. The discussants assume no

responsibility or liability for any errors or omissions in the

content of this podcast. The information contained in this

podcast is provided on an as-is basis with no guarantee of

completeness, accuracy, usefulness, or timeliness. The

opinions and recommendations expressed in this podcast are

those of the discussants and not of any organization.