To trust or not to trust: the overwhelming challenge
Episode 43 • 18th January 2023 • The Cybersecurity Readiness Podcast Series • Dr. Dave Chatterjee

Shownotes

Clinical psychologist Beatrice Cadet, Scientist Integrator at the Netherlands Organisation for Applied Scientific Research (TNO), draws upon multiple concepts such as 'learned helplessness' to explain why people still fall for phishing attacks despite the training. Beatrice emphasizes the need to factor in human behavioral traits and motivational triggers when developing social engineering solutions and training.

To access and download the entire podcast summary with discussion highlights --

https://www.dchatte.com/episode-43-to-trust-or-not-to-trust-the-overwhelming-challenge/


Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

https://us.sagepub.com/en-us/nam/cybersecurity-readiness/book275712

Latest Publication: https://www.imd.org/ibyimd/magazine/preventing-security-breaches-must-start-at-the-top/

Transcripts

Introducer:

Welcome to the Cybersecurity Readiness Podcast Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of the book Cybersecurity Readiness: A Holistic and High-Performance Approach, a SAGE publication. He has been studying cybersecurity for over a decade, authored and edited scholarly papers, delivered talks, conducted webinars and workshops, consulted with companies and served on a cybersecurity SWAT team with Chief Information Security officers. Dr. Chatterjee is Associate Professor of Management Information Systems at the Terry College of Business, the University of Georgia. As a Duke University Visiting Scholar, Dr. Chatterjee has taught in the Master of Engineering in Cybersecurity program at the Pratt School of Engineering.

Dr. Dave Chatterjee:

Hello, everyone, Happy New Year. I'm delighted to welcome you to this episode of the Cybersecurity Readiness Podcast Series. Our discussion today will focus on finding a balance between our natural need to trust and the caution that needs to be there to deal with all forms of online cyber attacks. In fact, I experienced a phishing attack this morning, and I'll get into that later on. I'm delighted to welcome Beatrice Cadet from Amsterdam, Netherlands. Beatrice is a scientist integrator at the Netherlands Organisation for Applied Scientific Research (TNO). With a background in intelligence and psychology, Beatrice has specialized in cybersecurity by taking an integrative approach, working on bridging the gap between the human and the technical aspects. So Beatrice, before we get into the details of managing trust, let's talk about you a little bit; share with the listeners some highlights of your professional journey.

Beatrice Cadet:

Yes. So again, thank you so much for having me, I'm excited about the discussion that we're about to have. So, about me, as you just said, I studied for a master's in intelligence and security management at Strasbourg University in France, which gave me quite a multidisciplinary background within the social sciences area. From there, I knew I was interested in tech. So I tried to target my internships more into online safety and security, which led me to work for a startup in Dublin that is called Zico that works on online safety for children. And then I thought I needed to gain some technical knowledge to properly work in cyber security, which led me to the Netherlands, where I still am today. And I worked for a company called Red Sox Security, in cyber threat intelligence. So I really dove into the technical world and worked with a technical team, my goal being to get some knowledge and some skills. But eventually I found a really interesting position to be a social scientist, or more of a human approach person, within the technical world and the technical people. And from there to my current position where indeed, I know that what we do is quite multidisciplinary. However, online safety and security, information manipulation, that's the core of the content that we're working on; the type of work we do could be a scientific article, as much as trainings or workshops for police or the Ministry of Defense. Right now I'm focusing on the human factors. So that got me to start a bachelor in psychology just to add that to the background in security, and mostly cybersecurity. And I got hooked, and I became a clinical psychologist.

Dr. Dave Chatterjee:

Wonderful. In fact, I don't believe I've had a clinical psychologist on my show yet. So you are the first one.

Beatrice Cadet:

Nice!

Dr. Dave Chatterjee:

I'm looking forward to learning a lot from your insights and expertise. So from your lens, from a psychologist's lens, what do the social engineering trends look like? What can we expect in the future?

Beatrice Cadet:

Yes. So one thing I always say is that, of course, criminals innovate, also a lot in social engineering. So we see new tricks and new ways to catch people, especially with new technologies. And I think that's something to really look, look up, look to, and look at, sorry, because, for example, deep fakes, it's something that we need to look for in the future, but that is also already here. I think deep fakes will be more and more used. And we've seen it this year already. I mean, 2022, we've seen it, so more and more deep fakes. They use technology more and more to manipulate people. And I always say that social engineering can be approached from two ways, right. So it's using psychology, or I mean human manipulation, to conduct technical cyber attacks, but it could also be using technologies and technical tricks to actually manipulate people. So that's something I like to highlight when I talk about social engineering. So as I said, yeah, innovation, so new tricks, but one thing that I always see is that old tricks are always here. And when I was working on cyber threat intelligence, I would work on some phishing labs and try to analyze some phishing campaigns. And I would find some campaigns that, besides having different types of indicators of compromise, different IP addresses, for example, the visual aspect of the campaign would be exactly the same. So for example, Elon Musk is giving away 20 Bitcoins. And so that shows that social engineering in the end is nothing new, and that we're still falling for the same old trick. And it's not specific to cybersecurity, social engineering has existed since forever. So with that in mind, I think, yeah, what we can see in the trends and in the landscape for the upcoming year and years is really looking at the old tricks, still trying to bring more awareness because we're still falling for the same sort of campaigns. And additionally, technology is being more and more used to manipulate people even more effectively.

Dr. Dave Chatterjee:

I can't agree with you more, when you say we are still falling for the same tricks. We as humans, we are naturally inclined to trust, we are very vulnerable or susceptible or gullible, we end up believing what we see. Early in the morning, I saw an email supposedly from a major credit card company, and I have a card with them, stating that a certain amount could not be paid, so I need to log in and make the payment. It looked so genuine. They had the graphics, right, they had the logos, right. And it was very well crafted. It wasn't the typical phishing email with grammatical errors and stuff like that. I was almost thinking of clicking on that link. But then I said, No, I won't, I'm just going to call them. And yes, I did expand the subject line to check on the address. I couldn't tell if it was a genuine address or a fake address. Instead of clicking on anything, or replying, I just called them this morning, and said, I received this email, and she went into my account, checked and said, Sir, very smart of you, you picked up on something that you should not be clicking on. The reason I share this example is that I have now become so paranoid, anytime I see an email, I scan it thoroughly. I refuse to click on any attachments unless I know for sure who the sender is. And when in doubt, verify, right? Just call and ask. So it was kind of interesting that I had that experience this morning, and we are now discussing whether to trust or not to trust.

Beatrice Cadet:

Yeah, good timing!

Dr. Dave Chatterjee:

Yeah, I know, good timing. Beatrice, during our planning discussion, you mentioned a few things that I want to pick up on. You talked about the need for socio-technical solutions to counter social engineering. And there are a lot of solutions out there. It might be very valuable for you to highlight, for the benefit of the listeners, what are some of these solutions?

Beatrice Cadet:

Yes. So when I mentioned the need for socio-technical solutions, I think, for example, on the technical side, the filtering solutions, for example, for the email, if we're talking about phishing emails, yes, I think this is a good first step. We need that in place, we need that to be efficient. When I think of social solutions, it all comes with awareness, it all comes with training. And the reason why I say socio-technical solutions is because there are so many campaigns, so much social engineering going on, that we cannot expect everyone to always be at their best, ready to check everything. And I would like to rebound on the example you just mentioned, your example from this morning. You're in the field, so you're more aware, maybe, and you may be a little bit more used to it. So that gives you a bit more awareness, maybe, than most people, but also you took the time, and that was time consuming, you know, to have to check all the different elements, to doubt, and then still to call them. So not everyone always has that time or decides to always take that time. So that's why even though people would be very well trained in spotting every single phishing email whatsoever, I think there would still be some vulnerabilities at some points, the same way that a filter on the emails also has some vulnerabilities and might not filter all the phishing emails or filter too many of them. So yeah, that's a few examples I can think of now, when I'm talking about socio-technical solutions.

Dr. Dave Chatterjee:

Yeah, I mean, I don't enjoy calling credit card companies in the morning to follow up on things because it takes up a lot of my time. Yeah. And that's not the way I want to start my day. But we are in this environment where we have to be vigilant, we have to be patient. It brings to mind an episode I did recently on multifactor authentication and the fatigue that's associated with it. The subject matter expert told me that many developers don't want to go through that authentication process, especially when they are dealing with 15-20 different applications. Because it is bothersome, it is time consuming, they become impatient. Unfortunately, we are in an environment where we have to be mindful, we have to be careful, we have to prioritize. Finances are something that I carefully monitor, especially my credit card transactions. If I know of anything that could be problematic, I immediately get into an investigative mood and I probe further. I give it a priority, though it's not something that I would like to give priority to, but I am left with no choice. So that's kind of the way I do things. And I'm sure many others do. Your thoughts?

Beatrice Cadet:

Yes. And I think it's great. Ideally, we should always be very mindful of every single email, every single text, even every single phone call or interaction with people. The thing is, as you said earlier in this talk, is that biologically human beings are inclined to trust. And then of course, it depends on the personality, not everyone will have the same extent, that same inclination to trust, and it also depends on your experiences. And I would say one of the problems with cybersecurity in general is that most people don't feel the burn. You know how you learn that fire burns: well, you burn your finger, it's painful, and you tend not to do it again, because you learned from the pain. Most people that got caught by a cyber security issue, so a phishing email or whatsoever, they might not know that they have, that their data is out on the Dark Web, or they might know that there has been a data leak, for example, but they don't really know what it represents. So I think it's also very difficult for people who are not very knowledgeable or used to cybersecurity to choose to put that as a priority the same way that you do. Yep. So yeah, I think that is a very important factor to consider. And as you said, there are so many emails as well. And to go back on that need for socio-technical solutions, that's also why I think it's important, because there are so many simulations coming all the time from different directions, that it's very difficult to keep everything as a priority and to be untrusting of everything you come across every day.

Dr. Dave Chatterjee:

Exactly. And we multiprocess so much these days, right? And we are using different devices. Yes. And so it's like second nature to us, we're just doing stuff. So to have that natural filter, that little bit of security paranoia, which would force us to stop, think, take the necessary action, before we move on to the next thing. For that to become muscle memory, for lack of a better word, that comes through training, you're exactly right. That also comes through, again, I'm not a psychologist, but I'm gonna put myself out there and hypothesize or suggest that we have to start really believing that this is a problem. And like you used the excellent, excellent analogy or metaphor of the burn, do we really need to get burned to appreciate what should be done proactively? We have to kind of learn to be a little more cautious and can't just throw caution to the winds, as they say. I was speaking with a subject matter expert in the last episode that was published, and she's an expert in cybersecurity technologies. And I asked her a question, I said, Do you think we'll ever get to that stage where humans don't have to worry about making mistakes, because we have great technologies that will cover for us? And she answered in the affirmative. She said yes, I am optimistic that there will come a time, sooner than later, where we don't have to be this vigilant. And I hope that her words come through. But until then we just have to be careful, right?

Beatrice Cadet:

Yeah, exactly. And also be very pragmatic about it. It most likely will happen, I think, maybe coming to the state where we don't have to be that worried about it will be, first, because we have more training. So we have more feeling of control on what we can do about it, that's very important. But also a point where we'll have better technology, maybe, to counter this, complementary, but also that we'll have more resilience processes, so that you will know that, okay, even if you're making mistakes, there are ways to recover, or there are ways to, unless all the developments, maybe with insurance or like processes where you can, okay, make mistakes, but you're not alone in there. Because as of now, there are very few processes in place. And even with the police, they're trying to have more people report cyber crime, but it's still very low. So I think that as a complement could also help us get to a stage where we're a little bit more, yeah, yeah, he's all about it. Yep, that can be done as well on something you say, with training and the importance of mindset. There is one concept, it's a sort of pyramid of different concepts you need to get to effective training. And the bottom line of the pyramid is actually awareness and mindset. And if you don't have that, you can do every single training you want, it won't have the effect that you're expecting. You really need to have people understand why they're training on this, why they have to work on these specific skills or this specific concept, or issue. And if you don't have that, you won't get the effects you want. So that's really important, to understand why we actually need to get better at this.

Dr. Dave Chatterjee:

Yep, that connects with what I often say, which is, we have to get the user buy-in. Unless the buy-in is there, unless the user recognizes the importance of doing certain things, or following certain guidelines, following certain best practices, they may not be willing to do so. And as much as we might preach that, let's be proactive, let's not be reactive, unfortunately, the results, the statistics, suggest that we are reactive. And we learn best after a major catastrophe. If we can use the pandemic as an example, despite all these great organizations out there, terrific scientists out there, we still couldn't, we were not proactive about it. We made a great recovery. Thanks to the scientists, we have the vaccines, and all credit to them, thanks to all the healthcare workers who've done yeoman service. But having said that, I'm not so sure that if we have another round of a pandemic, are we better prepared for it now that we have experienced one? I'm not so sure, I'm still very pessimistic about it. Because we are naturally not, again, this is a hunch, I'm not a psychologist, maybe you can shed some light, we are naturally not inclined to be proactive.

Beatrice Cadet:

And I would fear that maybe if there would be another pandemic, we would try to apply the lessons from the one we've just been through, which is still happening. Right. I would hope that we would learn to be proactive by taking the lessons learned, but also looking towards the future as well. And mixing that up together. Yes. And it's similar to what could be happening sometimes in cybersecurity, that we just think, oh, yeah, there is that threat. So we apply this, but the threats are moving, and it's always a cat and mouse game. So how do we become, as defenders, as innovative as the criminals, right? How do we try to make the gap between the two sides a little bit smaller? That's also very important.

Dr. Dave Chatterjee:

Exactly. And I want to emphasize what you just said, it is important to learn from the past. But it's also important to recognize that the future might present challenges that have to be dealt with, and we may not be prepared for it from our past experiences. So therefore, it requires a mix of, yes, informed insights from the past plus the innovations that are going on, because we have to think proactively of what are the future types of attacks that might be launched, and how can we protect ourselves? When I say how can we, I'm talking about individuals, groups, organizations, nations; at any level, I think this approach, a deliberate, proactive approach, is valuable irrespective. So awesome! Once again, going back to my planning document here, I took notes when we were talking and you made a very poignant statement. You said "overall, I want to debunk the emotional aspects of social engineering. We need to be more pragmatic about it. We all fall for it at some point. But how to best avoid it and recover." Expand a little bit about the emotional aspects of social engineering?

Beatrice Cadet:

Yes. So I would say emotional, maybe also a little bit seeing it as a buzzword we hear so often, that humans are the weakest link, and it's because of the people and stuff. And yes, it is true. Because in the end, even though cybercrime, cybersecurity, is all about tech, behind the computers, behind the phones, you have humans on both sides of it. So I completely agree with this. But being sort of alarming about social engineering, as much as it is good and important and necessary, it has to have its limits. Because first, there is a point that we haven't mentioned yet. But there's a psychological concept that is called learned helplessness, which is that people feel so overwhelmed, and they feel like no matter what they do, it won't help anything. So, and many people have that. And it has been shown in research in cybersecurity that the reason why sometimes things don't work, or people still fall for phishing and stuff, is because they know that no matter what they do, or they think that no matter what they do, they will get scammed anyway. And it's so overwhelming that they prefer to just drop it and be like, Yeah, I have nothing to hide, or whatever happens happens. So that's why I think being a bit less emotional about social engineering being a threat, but being just pragmatic about it, like it is there, it has always been there, it will still be there, I think that could be actually a very good step towards being more protected against it. So that's the core point I would like to make. Yes.

Dr. Dave Chatterjee:

Well made. When you said learned helplessness, it immediately brought to mind an experience that I had a couple of years ago when I was gathering data for my book. And I spoke to a senior leader of a major healthcare company. And he made a very interesting statement. He said, we are such a large organization, we have so many systems interfacing with other external systems, we connect with all kinds of IoT devices, it's very overwhelming to stay on top of everything and know where our vulnerabilities are, where we are strong. So you almost feel helpless. And you're kind of hoping, to use his words, that we get attacked, so we get to know where our weaknesses are. And of course, that is not the approach or mindset that I recommend, or anybody for that matter would recommend. But that speaks to what you just said about learned helplessness. Whether it's a leader of a major organization, or whether individuals, I have gone through some cybersecurity certifications, some cybersecurity training, they can get complicated, there's so much to learn, so much to know. And so for a regular person who just wants to do their thing and be happy and not get too caught up with this stuff, they're like, Oh, I don't want to know the details. If something were to happen, I'll deal with it when it happens. So that's precisely, I think, what ends up happening with humans, because the human mind can only absorb or deal with so much complexity, right? We have our cognitive limitations. And when it goes beyond that, we are like, Okay, never mind, let's just hope for the best, I'm not gonna try anymore. So I think that point is extremely well made.

Beatrice Cadet:

We have our cognitive limitations, yet we still make thousands and thousands of decisions every day without even noticing it. So that's the whole thing. Also, we're going back to trust, trusting, not trusting, so many decisions are automated. And we can't control everything. And also, criminals know that, they're also human beings, and they know how to trick us. So that overwhelming feeling, they know how to use it. And for example, you get your email, you saw it in the morning, and it said something about your card, in the morning when you just woke up, maybe, so then it's even harder to be rational. And they know exactly how to do this. So yes, bringing a bit more peace to it, being like, Okay, this is it. You need to be aware of this. We need to train on this. We need to get better at this, but also without, yeah, dramatizing it, I think it's very important to actually make concrete progress.

Dr. Dave Chatterjee:

Fantastic. So let's talk a little bit about the zero trust approach. And if I understand this approach properly, essentially, the assumption being made is, let's try to be as secure as possible every step of the way. Use a combination of physical, technical and administrative controls, have micro-segmented networks. So when a user wants to move from one network to another, they have to again authenticate. So have checks and balances every step of the way. I was reading somewhere, they used an example of going to a rock concert, and you get checked in once, but then you again get checked in, and again get checked in, before you get to your seat. So having these multiple layers of defense, for lack of a better word, or another very popular terminology out there is defense in depth, those are being advocated big time, they are being considered best practices. From a psychologist's standpoint, what is your perception on this zero trust framework? Or zero trust approach to cybersecurity governance?

Beatrice Cadet:

Yeah. So as a psychologist in cybersecurity, my first thought is thinking, yes, indeed, that makes sense. And layering security is, yeah, it just makes sense, right. But then, as a psychologist, first what comes to my mind is, we need to pay attention that all of those measures, and all of those technical aspects, physical points of security, are adapted to how humans behave, you know, because often we try to create solutions, so I'm thinking concrete technical solutions, that are actually not adapted to how users behave. And that can be the key to failure, if we don't think about it. So I think it's a great, great point to have those different policies in place, to have those different security infrastructures in place, but we need to make sure that they're not too heavy for the user. And of course, it's easy for me to say this, right? Ideally, we always want this, but it's important to develop it as well, always with the user in mind, and thinking, okay, how can we, instead of thinking, let's develop the best technical solution and then fit it into the user process, we need to think ahead and think, okay, we need to have a sort of technical solution in place, how do we make sure that the user will adopt it? And of course, the user might have to adapt to adopt, but how can we make sure we do that in the easiest way possible. And then when it comes to thinking zero trust, I think as much as it's great for policies and technical solutions, we need to again, as we said earlier, remind ourselves that having a human being always suspect something won't happen. It's just not possible all day, every day.

Dr. Dave Chatterjee:

Exactly. And I hope, listeners, if they have anything to do with training in their organizations, or if they have the influence, I hope that whoever is involved in developing a training program includes the psychologists in the team, because you need technical specialists, no doubt, you need strategists, no doubt, but you also need the psychologists who understand human behavior, because, after all, these solutions, many of the solutions if not all, many of the solutions which involve human interaction, or which are going to be used by humans, unless you understand the human psyche, human mindset, the solutions are not going to be very effective. I'd like to briefly mention a research study that was carried out a couple of years ago, where they trained a group of people to see whether, post training, the percentage who fell for phishing attacks would drastically decline. Unfortunately, the research found the variation wasn't significant. In other words, the phishing-related training didn't prove to be effective, and the researchers justified the explanation, or tried to explain the findings, by saying that there are so many human factors such as innate curiosity, for lack of a better word, greediness. If we see an email which is promising a certain sum of money if we click a link and play a game or throw a dice, whatever, we are inclined to do so because we want to believe that, yes, there is something to be gained from this action, it may not be fake, we almost force ourselves to believe it, because we have the need for money, let's say, or, like you said earlier, many of us are often naturally inclined to trust. So it is so important that human psychology is taken into consideration by involving subject matter experts such as yourself when training programs are developed. Would you like to add to that?

Beatrice Cadet:

Yes, there are two points I wrote down for myself. Let's start with the role of a psychologist in such a team. I think it is in knowing how people function, knowing how to investigate how specific groups of people function, and as well, or specific individuals even. And that's something that I often hear. So I speak with a lot of technical people, of course, and I give a guest lecture every year at The Hague University of Applied Sciences, and it's a technical crowd. And what I recognize often is that technical people tend to think as one, zero. And I don't want to generalize, because that's exactly the point I'm about to make. But I hear that very often. And I get some people asking me, but how do you know this for people? How do you approach this for people? And there's no exact rule. And that's one thing you learn when you study psychology, is that, okay, you will learn specific, especially in my case, clinical psychology, you will learn specific syndromes or how to recognize things, but the experience will never be the same for two individuals. So you really need to learn how specific people function and apply that knowledge to the general knowledge we have on human beings, and then bring that to the group of developers or whoever you're working with. And so there's that role that psychologists can have in a team. But then there's also the role of often translating between different disciplines; you mentioned strategists, technical people that you may have in a team. And that's a position I've often been in myself, of actually understanding how the different groups of people working on the project think and communicate, and how to, because multidisciplinary work is still very complicated. And it's very valuable, and it's what we need to go towards. But it's very complicated. So having a psychologist sometimes can help bind these different disciplines together. So yeah, that was the first point that I had on what you just said.

Dr. Dave Chatterjee:

And what was the other one? You said you made two points?

Beatrice Cadet:

Yeah. The other one was general knowledge on cognitive psychology. So yeah, this is how the brain works, this is how people make decisions and stuff. This is very important, of course. But one thing that we tend to forget is that one person won't make the same kinds of decisions every single day; the context is so important to how you will make a decision. And even the most rational person may at some point make a very emotional decision. And so that's also what you're talking about, we're talking about seeing that email that will promise you some money. And then in a moment of weakness, you might decide that, oh, you want to believe in this. And what you say is really true, because sometimes we decide to trust for the wrong reasons. And so we're out for the wrong reasons, or because of some sort of contextual influence. And my colleagues and I, two years ago, wrote a paper on disinformation during COVID-19. And one of the statements that we made in the discussion is that maybe the context of the lockdown and the pandemic happening influenced why so many people started to believe in disinformation, and people that might not have believed in it before the pandemic, but in this specific context, with that much uncertainty, with mental disorders being on the rise, so I'm thinking anxiety and depression, anxiety and depression, they affect your emotional system, right. And we saw that the narratives that were played in disinformation played on the emotions that are affected by depression and anxiety. So that being hopelessness, having difficulties dealing with uncertainty, being very anxious, being very angry, and so yeah, those people, in normal times, they might have not fallen for this. But now they were triggered on specific aspects of the human factors in a specific context. And that's why it worked. So that's why I think, beyond being well aware about social engineering campaigns and cybercrime in general, it's also very important to be self-aware, and to know that, to know your own limits actually, to know that sometimes you might be overstressed and overwhelmed. And you're not going to be able to make the same type of decision as if you're perfectly healthy and mentally well balanced. And nobody will be mentally well balanced every single day. So I think, a very important point to consider for everyone, because we're all dealing with emails, with technologies and with cybercrime, but also the people making the trainings or searching for the right solutions.

Dr. Dave Chatterjee:

Very true, very true. Let me try to tease out some inferences from this discussion, from the standpoint of cybersecurity governance. First, humans are very complex beings; their behavior will not be consistent, will change with context, with situations, with the environment. And that has to be factored in, whether you are conducting a training program, whether you're developing a technical solution. But what does that mean? That means you recognize that even the best of solutions, if it has a human involvement, can fail at a certain point in time on a certain day, because that particular person wasn't on their best game, something had happened, something had taken over, they were vulnerable, they felt weak for a variety of different reasons. So therefore, the more I think about it, it makes sense to have a zero trust approach, a zero trust framework, because that's assuming that whether you trust or you don't trust, and if those things keep changing for a variety of reasons, we can't control that, but at least let's build or establish the checks and balances. To use your words, let's be pragmatic about it, and take a very practical approach, install the necessary barriers through different types of controls, so we can still protect the organization, protect assets and other resources from attacks that might happen because of human vulnerabilities. So that's kind of my long drawn, circuitous explanation or inferences of what we've been talking about. Would you like to add to that?

Beatrice Cadet:

Yeah, exactly. We need to accept that it's not black or white. We're in an area that is rather gray, and one person that can be very good at phishing tests might still get caught at some point, depending on the context, depending on how well the criminal also built the campaign, because maybe it's targeted, and they've done a great job of intelligence, and they know how to trick that person. Yeah. So we need to accept that, and having, yeah, indeed, different layers of security, technical and human, allows to balance when one of the two fails, and it will at some point, and also, yeah, having ways to recover properly. That's very important.

Dr. Dave Chatterjee:

All right. Well, as much as I would love to continue this discussion, we are coming to the end of our time allotted here. So I'd like to give you the opportunity to summarize or say anything that you'd like the listeners to take away from this discussion.

Beatrice Cadet:

Yes, thank you. So I think for the general audience, it's very important to become more aware of social engineering as a threat, because we're all facing it, and consequences can be very damaging. It's important to understand that, it's important for everyone to understand that they can actually have some sort of control on it, as little as checking your emails more properly, or knowing that checking the email address, for example, can save you from a phishing link, or just not clicking without checking, these different kinds of things. And it's important for, I think, authorities in general to understand that, yes, some people that work in the corporate environment will get some trainings, more or less effective still at this stage, but they will, and they have more awareness as well on that. But the whole population needs to get more awareness and training in general on social engineering. And then if we're thinking about decision makers and companies, yeah, understand that your employees are human beings, and you've got to understand that human beings are not just, yeah, one or zero, that they will fail at times, they are more complex than that; it's really difficult to generalize, the only generalization we can make is that there is no generalization that can be made. But then to end that summary, again, social engineering has always existed, we need to be very pragmatic about it, we're still falling for the old tricks. There is some innovation and we need to keep an eye on these developments. But there is something we can do about it. We have that power. And to finish on a positive note, I would say that I have also experienced in my surroundings, whether professional or personal, way more awareness and good practices coming from different types of people. So I think we're on the right track. We just need to keep on working on it and accepting that it's a gray area and having a multidisciplinary approach.

Dr. Dave Chatterjee:

Fantastic. Thank you so much, Beatrice, for your time and your thoughts. I look forward to many more such conversations.

Beatrice Cadet:

Thank you for having me.

Dr. Dave Chatterjee:

A special thanks to Beatrice Cadet for her time and insights. If you liked what you heard, please leave the podcast a rating and share it with your network. Also, subscribe to the show, so you don't miss any new episodes. Thank you for listening, and I'll see you in the next episode.

Introducer:

The information contained in this podcast is for general guidance only. The discussants assume no responsibility or liability for any errors or omissions in the content of this podcast. The information contained in this podcast is provided on an as-is basis with no guarantee of completeness, accuracy, usefulness, or timeliness. The opinions and recommendations expressed in this podcast are those of the discussants and not of any organization.
