Most organizations use sanctions as a way of enforcing cybersecurity policies and encouraging sound security behaviors. But few organizations ever test whether these sanctions are effective. Often they aren't; in fact, when used improperly sanctions can backfire. In this episode of Cyber Ways, Tom and Craig talk about sanctions and their effectiveness with Dr. Mikko Siponen of the University of Alabama's Culverhouse College of Business. Dr. Siponen is among the world's leading scholars when it comes to understanding the effects of sanctions on cybersecurity behaviors. Listen and learn how your organization can use sanctions more effectively.
Dr. Mikko Siponen is Professor of Business Cybersecurity and Management at the University of Alabama's Culverhouse College of Business. He holds advanced degrees in Software Engineering, Information Systems, and Philosophy. A leading scholar in Information Systems, he ranks among the top 30 worldwide based on publications in premier journals. Professor Siponen is the only Finnish IS professor invited to join The Finnish Academy of Science and Letters. His expertise spans cybersecurity management, IS development, and philosophical aspects of IS. He has extensive experience as a visiting professor, consultant, and research leader internationally, with a particular focus on cybersecurity management.
Cyber Ways is brought to you by the Center for Information Assurance, which is housed in the College of Business at Louisiana Tech University. The podcast is made possible through a "Just Business Grant," which is funded by the University's generous donors.
https://business.latech.edu/cyberways/
Hi, folks. This is the Cyberways podcast, and we
Speaker:translate our academic knowledge about information security into stuff that you
Speaker:can use as a security professional. We think it's a unique mission. We think you'll
Speaker:like it. I'm Tom Stafford. Craig Van Slyke. Tom and I are your hosts on
Speaker:your journey to knowledge. Cyberways is brought to you by the Louisiana
Speaker:Tech College of Business's Center For Information Assurance. The center offers
Speaker:undergraduate and graduate certificate programs in cybersecurity and
Speaker:sponsors academic research focused on behavioral aspects of
Speaker:cybersecurity and information privacy. Hello,
Speaker:everybody, and welcome back in to cyber ways. This is a
Speaker:production of the Louisiana Tech Center For Information Assurance in the College of
Speaker:Business. It's a DHS NSA certified center of academic excellence in
Speaker:cybersecurity, and we consider one of our jobs is to connect
Speaker:you with the people that know what's happening in security research so you can
Speaker:take advantage of the very best findings in the most timely manner.
Speaker:Our our special guest today is doctor Mikko Sipinan. He is professor of
Speaker:business, cyber security, and management at the University of Alabama's
Speaker:Culverhouse College of Business. He holds advanced degrees,
Speaker:several advanced degrees, in software engineering, information
Speaker:systems, and my favorite of his group of degrees, philosophy.
Speaker:He's a leading scholar in information systems, one of the thought leaders in our
Speaker:behavioral information assurance workshop group. He
Speaker:ranks amongst the top 30 worldwide for publication,
Speaker:taking 2. He ranks among the top 40
Speaker:worldwide based on his publications in premier journals.
Speaker:Professor Siponen is the only Finnish IS professor who's been invited to join the
Speaker:Finnish Academy of Science in Letters, and his expertise spans
Speaker:cybersecurity management, IS development, and philosophical aspects of
Speaker:information systems. He has extensive experience as a visiting professor, a
Speaker:consultant, and a research leader internationally with his particular
Speaker:focus on cybersecurity management. Mikko, welcome to our podcast.
Speaker:Thank you. It's great to be here, and nice to discuss about sanctions and
Speaker:how they work, and what kind of things you should avoid
Speaker:if you are planning to use sanctions in your firm. So
Speaker:what has had my attention for a number of years in the, the workshop group
Speaker:that we all attend is, the role of sanctions and how they have
Speaker:an effect on better cyber security. And, so
Speaker:I I guess the question at the top of this, do sanctions work? How do
Speaker:they work? Sanctions can work,
Speaker:but if you don't use them carefully, they can also be worse than useless.
Speaker:So that's why you have to be very careful when you're
Speaker:using sanctions. And today, I will discuss
Speaker:what we know and, you know, what kind of things you should avoid and so
Speaker:on. So you you need to make sure that you understand what makes
Speaker:sanctions effective and what to avoid. And,
Speaker:luckily, many of of these questions about the effectiveness
Speaker:of sanctions have already been answered in the in the scientific literature.
Speaker:Actually, in cybersecurity management, sanctions have been studied over 30
Speaker:years, especially in information systems, IS side of
Speaker:cybersecurity security literature. Talk to us about the factors that
Speaker:determine whether sanctions are effective or not. Yeah. There are
Speaker:quite many. The most studied aspects are
Speaker:what people call certainty of sanctions and the severity of
Speaker:sanctions. So let's start with these 2 first. So the
Speaker:certainty of sanctions means, basically, likelihood of getting
Speaker:caught. So it means the likelihood that active
Speaker:your activities will be detected and identified for the purpose of
Speaker:sanction. And I will keep very soon, I will give you examples. Okay. The
Speaker:other well known well studied aspect of sanction
Speaker:is is the severity of punishment. It basically means
Speaker:that if you get caught or somebody get caught, you
Speaker:know, how harsh or big is the
Speaker:penalty. And in the literature, these are
Speaker:often presented in a way that the higher is the certainty
Speaker:and severity, the less risky cyber
Speaker:cybersecurity behavior will follow. And, of course,
Speaker:on these two dimensions, there are few many which
Speaker:I'll, explain later. People are talking about likelihood
Speaker:of getting caught and and the severity of punishment. These
Speaker:are refers to people or, in this case, users'
Speaker:perception. For example, they they perception of
Speaker:the likelihood of detection and and severity of punishment. So let's
Speaker:illustrate this this with a very simple example first,
Speaker:which is familiar to everybody, namely driving over the speed limit.
Speaker:What the certainty of detection means, it means that
Speaker:if you believe that there is a police radar, you know, when you drive,
Speaker:on a highway, you are more likely to drive within the speed limit.
Speaker:So more radar, more the more likelihood you believe there's a police radar,
Speaker:the less you are likely you are driving over the speed limit. That's the
Speaker:likelihood of getting caught, also known as certainty of
Speaker:detection. The other thing is severity of the punishment.
Speaker:It basically mean in the in the driving over the speed limit
Speaker:example, that the higher is the the ticket fine, the less likely
Speaker:you are you are expected drive within the speed limit. And now, I
Speaker:mean, in that kind of cases, applying
Speaker:sanction is quite easy and straightforward. But if
Speaker:you apply these elements to
Speaker:cybersecurity cases, it's a little bit
Speaker:challenging. So let's take a phishing as an example. And let's illustrate
Speaker:one idea only. The third time you have detect detection,
Speaker:also known as the likelihood of getting caught. So if you're
Speaker:a cybersecurity manager and, you know, you apply this principle,
Speaker:You should ensure that the employees believe that if they click a phishing link or
Speaker:share their password, the company will monitor such in
Speaker:incidents and impose sanctions on them. So what is the problem
Speaker:here? Well, the situation in in cybersecurity
Speaker:and, of course, this depends case by case, but in the phishing
Speaker:example, it's actually very different from the speeding example. Because in
Speaker:the speeding example, people usually have
Speaker:they know their car speed. Right? The only
Speaker:contribution might be what is the actual speed limit on the road,
Speaker:and then do their navigators often provide that information.
Speaker:But if you think about the phishing victimization case, none of
Speaker:this is true. Employees often lack the necessary
Speaker:knowledge to separate phishing message from real one. And, you
Speaker:know, if you impose sanctions in that case, the sanctions may backfire because
Speaker:employees really believe how I should, you know, know these things.
Speaker:That's why applying sanctions in cybersecurity cases is tricky.
Speaker:And there are many other concerns. One is sanctions
Speaker:experience. If you believe the original theory
Speaker:developed in seventies by guy named Gibbs so he was
Speaker:basically saying that you can use sanctions. The
Speaker:sanctions require sanctions experience.
Speaker:And there are 2 kind of sanction experience if you follow
Speaker:the original idea. There are general and there are specific.
Speaker:The specific means that employees have received
Speaker:sanctions themselves. So they have own experience
Speaker:of receiving sanctions. That's called specific experience.
Speaker:The other experience is general experience. General
Speaker:experience means that you have not received sanctions
Speaker:yourself, but you have seen other received received sanctions. For example, you
Speaker:may have never received a ticket for driving over the speed limit, but you
Speaker:know it's actually happening. People are getting caught and people get
Speaker:ticket. Okay. So so all of these conditions, if
Speaker:you can think about the driving over the speed limit example, I
Speaker:easily met. Be because people have either seen
Speaker:that, you know, this actually happened. You know? People are driving over the speed limit.
Speaker:They get caught, and they get a ticket, or they have their own
Speaker:experience of that. Or, well, in many cases, both. But in
Speaker:cybersecurity cases, that may not be the case.
Speaker:For example, think about password reuse,
Speaker:meaning you are using the same password in different accounts. Have anybody
Speaker:ever received sanctions for password reuse when hardly anyone has
Speaker:personal experience of receiving sanctions in, you know, many
Speaker:cases like my example of password reuse,
Speaker:then there's no really interference experience.
Speaker:If we read the theory and we believe the theory, sanctions
Speaker:would not work in that kind of cases. Because without this
Speaker:this experience that you have own experience of receiving sanctions,
Speaker:or you have seen that other people receive sanctions, the
Speaker:sanctions should not work if we believe the theory.
Speaker:There's a difference between sanctions, which somebody else is
Speaker:imposing on you, and risk. So,
Speaker:like, I I I've never heard of anybody being, you know, receiving a sanction
Speaker:for reusing the password, but I've heard of people that got
Speaker:hacked from reusing a password. So that that's a very different
Speaker:thing. Right? Yeah. It's a different thing. And and and well, if
Speaker:okay. If you believe the theory, here it means that
Speaker:that you need to have sanction experience. Sanction experience does not mean that
Speaker:somebody hacked, but somebody hacked and then
Speaker:because of the hacking, the firm punished somebody.
Speaker:Of course, the sanctions might be formal or might be informal. Informal
Speaker:means that, you know, you get the warning or something. So that
Speaker:basically the sanctions experience means. Okay? And if
Speaker:you believe the theory, it means that you have seen that
Speaker:employees in the firm has received sanctions
Speaker:by the firm by not following cybersecurity
Speaker:policies, or they have own experience, or they have seen that, you know, somebody
Speaker:else actually received sanctions. And, again, the
Speaker:theory is saying, if that not the case, sanctions should not work.
Speaker:Now I'm saying, the theory is actually wrong
Speaker:here. Because if if you look the evidence, as I
Speaker:said, we have been studying sanctions 30 years.
Speaker:And if you look to scientific evidence, it points out that
Speaker:sanctions do have some effect in cybersecurity
Speaker:cases, even there would be no sanction experience.
Speaker:So my conclusion here is that sanctions could be more
Speaker:effective if you have a sanction experience,
Speaker:meaning you have received sanctions or you have seen people have received
Speaker:sanctions by the firm for violating cybersecurity policies.
Speaker:But if if firms are actually giving sanctions,
Speaker:that's tricky as you know, when you
Speaker:impose sanctions, you actually start to punish people or give warnings, the
Speaker:sanctions may backfire. People don't like sanctions and so
Speaker:on, and they may turn against you.
Speaker:That's an interesting stream in the literature that I've noticed. The the articles you and
Speaker:your your coauthors have been writing is the the possibility
Speaker:resentment arising from the organization enforcing its
Speaker:security mandate. I want to go back to the, the
Speaker:the driving too fast in traffic example, because I'm going to be traveling up through
Speaker:your part of the woods in a couple of weeks. Straight past Tuscaloosa, I
Speaker:generally travel about 10 miles over the speed limit with a radar detector.
Speaker:The thing in my mind is I always slow down if everybody else slows down,
Speaker:and I always slow down if I see blue lights flashing, meaning somebody's been caught
Speaker:in a speed trap. That leads me to ask the employees knowing
Speaker:about, the punishable acts, knowing about what might get sanctioned,
Speaker:that's an aspect of this too, isn't it? Their awareness of a of a security
Speaker:protocol that might be applied against them? Yeah. So the
Speaker:employees' knowledge should have a big role here, and especially if
Speaker:you read the theory. So the original theory assumes that that
Speaker:that users know already what is illegal
Speaker:or, in in our case, cybersecurity policies and what
Speaker:is allowed and not allowed by the cybersecurity policies. But
Speaker:often the users may not know the policies. We have
Speaker:run number of studies on on these things, and, you know, most
Speaker:employees do not remember the details in cybersecurity policies. So
Speaker:that's, of course, challenge. And there's also another issue, other
Speaker:another knowledge issue related to how to do the right thing in
Speaker:terms of cybersecurity because cybersecurity
Speaker:policies may instruct let's take a pass password example
Speaker:again. Okay? Cybersecurity policies may say, hey. Use
Speaker:long random unique password for each account. But
Speaker:then, you know, policy does not actually tell you how to do it, how how
Speaker:you manage this, you know, how you remap accountless long unique passwords. And
Speaker:they may not be training on this. Of course, this
Speaker:issue is not specific to use of sanctions, but that kind of challenge is
Speaker:there is in terms of employees' knowledge that they don't know the cybersecurity
Speaker:policies. And even they know, they don't necessarily
Speaker:know how to do the right thing because the company doesn't give them enough
Speaker:information. Training is not adequate and so on. Of course, as I mentioned, this
Speaker:issue is not specific to, return steering. Maybe we can explore that a
Speaker:little bit more. As you were talking about that, I
Speaker:started thinking about if if you're driving along the highway and you don't notice
Speaker:that the speed limit changes, you don't necessarily
Speaker:react to seeing that officer on the side of the road because you think you're
Speaker:going the speed limit. Well, then if you get a ticket
Speaker:and it turns out the speed limit sign was behind the branch of a
Speaker:tree, you're gonna experience a lot of resentment. And
Speaker:I think maybe or let me ask, do you think that the same sort of
Speaker:thing is in play with cybersecurity? So we've got these
Speaker:policies, either we haven't received training on them or the
Speaker:policies are really complicated. We violate the policies,
Speaker:get caught, get punished. It seems like that would lead to
Speaker:resentment, wouldn't it? Yeah. I mean, big
Speaker:thing here is that a very different thing if you don't
Speaker:know the the rules. And and as I mentioned,
Speaker:for many firms, you just give the policies. There's some generic
Speaker:training. It means that people may not really
Speaker:understand, you know, why they have to follow these policies. And sometimes the policies are
Speaker:not actually good ones. You know? They are. There might be conflict between what the
Speaker:cybersecurity policies are saying and what the firms want you to
Speaker:do. For common example is that security guys are saying don't
Speaker:click any, links. And then, you know, administration is
Speaker:actually saying, just do this training and click a link. So, you know, that's a
Speaker:con Look at this document to see what I'm writing you about. They do that
Speaker:all the time where we were. Yeah. So there's basic con conflict that, you
Speaker:know, cybersecurity policy is in the conflict, but you should do in the
Speaker:work. And that's actually past cybersecurity management, not about the the
Speaker:return as theory as such. Whether using sanctions or not,
Speaker:it's important that the policies make sense, employees understand the
Speaker:cybersecurity policies. And they also know how to cope, as
Speaker:I mentioned. You know? If you start to say, hey. For every account,
Speaker:you have 30 account. Every account use unique long
Speaker:password, but you don't tell how to actually manage this, then, you know, you are
Speaker:not really helping employees. And then don't and then don't use a password manager because
Speaker:that that's, risks. I know yeah. Well, and I
Speaker:I don't know about where you are, but we have annual training.
Speaker:Yeah. And it's, what, Tom, 4 hours, 5
Speaker:hours of just all kinds of training. It's a chunk of time. Yeah.
Speaker:And the security training is buried in the middle of that,
Speaker:and you're kind of tuned out. You know, all you wanna do is get through
Speaker:the training. That's why I wonder if that's a reason that people
Speaker:react poorly when they are sanctioned because they feel like
Speaker:the training isn't very effective. It goes back to your awareness.
Speaker:So what what about, can I can I can I quickly comment that? Sure.
Speaker:Sure. So this is a almost like universal
Speaker:problem. So not specific to, sanctions, of
Speaker:course. It also have implications for sanctions because if you don't know the policies, you
Speaker:don't know how to how how to react. But often, you know
Speaker:and and the people who are listening to this, if if they are cybersecurity managers,
Speaker:you know, or you are responsible for the cybersecurity, you should ask,
Speaker:have you ever asked from the provider who is actually giving you the
Speaker:training how effective the training is? Mhmm. So for example, if you take a vaccine,
Speaker:you, you know, you ask, like, how effective? Is is this giving me 80% of
Speaker:protection or 70% of protection and so on? You know, if you have a
Speaker:cybersecurity training, you should ask the provider, give me
Speaker:test results. How effective the training is?
Speaker:Right. So, you know, is it actually no. If if I have an let's say,
Speaker:anti phishing training, how effective this training
Speaker:is against the you know, how how much is lower the
Speaker:rate of victimization? And most providers, they have never
Speaker:even tested. You know, while you're selling or buying
Speaker:products with you don't know how effective they are. And if they aren't effect effective
Speaker:are you actually wasting employees' time? Do you think that's just checking a
Speaker:box? Yeah. You know? That that's a lot of because lot of cybersecurity
Speaker:management, that's that's a really different topic. Lot of cybersecurity management
Speaker:is people call it best practice, but it basically does that, you know, tick
Speaker:box compliance that you can say to auditors that, hey. We have we have been
Speaker:to you know, we have covered this. Right. You don't really you don't really care
Speaker:or you don't know how to, you know, what is actually quality here. You just
Speaker:say, hey, we did this. Next item, we did this. Right.
Speaker:Right. Well, you said something earlier that I wanted to come back
Speaker:and revisit, which is that employees typically don't know the full
Speaker:totality of the information security policy of the organization, and
Speaker:that implies that the, the information security officers need to be able to
Speaker:communicate not only the restrictions and the prohibitions,
Speaker:but also the sanctions associated with violating them in a more
Speaker:in an effective and reasonable way. How can the security managers
Speaker:get that word out in a way that will take that will be effective with
Speaker:the other employees? In communicating sanctions, there are
Speaker:a couple of things. First, you need to understand the firm culture
Speaker:and the nature of the firm business. So if sanctions are not
Speaker:self evident and depending on the firm culture and
Speaker:existing cybersecurity education efforts, you
Speaker:must explain why the sanctions are necessary if you want to use them
Speaker:effectively. Also, you should think about putting
Speaker:yourself in employee shoes. You know, say, hey. How about these sanctions?
Speaker:Would you accept these sanctions if you would be the employee?
Speaker:If you want to introduce sanctions, you should pilot test ideas with
Speaker:you people. Discuss the concept and get feedback on
Speaker:how they think about this. And, of course, you need management support.
Speaker:And in any reason and this is really depending on
Speaker:the country or state or even, you know, the the what kind of,
Speaker:firm. Is it public firm or is it, like, private firm? But, you know, some
Speaker:cases, some countries, some states, there might be strong work
Speaker:union. And if there's a work strong union, they may actually challenge you
Speaker:unless you are well prepared. A lot of cases in my, consulting
Speaker:work where, you know, lot of things we introduce and then the work union came
Speaker:and, you know, are you actually you know, what you are doing for our creative
Speaker:employees. You have to know your firm culture well, what kind
Speaker:of culture it is, put you on employees' shoes, pilot test
Speaker:ideas, get management support, and so
Speaker:on. So for our listeners who are generally managers responsible
Speaker:for determining how to, manage security violations, how do
Speaker:they determine the right level of sanction? In our protection motivation work that we're
Speaker:all familiar with tends to suggest that if you have too heavy a
Speaker:hammer, people are gonna shy away out of, perceptual screening,
Speaker:essentially. The old fear appeals argument, don't scare them too much. How does the
Speaker:CISA determine the right level of sanctions so they're,
Speaker:maximally effective? 1st, I think you should under as I mentioned,
Speaker:you should understand the firm's culture, and that's very
Speaker:different. And here, actually, I think many
Speaker:many scientists make a mistake. You know? If you if you let let's assume you
Speaker:you have very liberal university and philosophy department. That's an extreme example.
Speaker:Most employees think that sanctions would be absurd unless you you really explain
Speaker:them carefully, and perhaps you are never able to do that. In contrast, if you
Speaker:go to military organizations, almost everybody almost know,
Speaker:hey. There will be sanctions. You know? It's it's a normal thing. In Northern
Speaker:Europe or France, employees expect more autonomy, so sanctions must be
Speaker:justified more than other countries. In turn, if you go,
Speaker:like, US in the Middle East, sanctions are more commonly used. So, you know, you
Speaker:need to know your firm culture. In cultures where
Speaker:sanctions are not in firms culture with sanctions are not commonly used, then you really
Speaker:need to justify the sanctions and especially if there are harder sanctions.
Speaker:But as I mentioned, this is really depends on the firm's culture, so it's
Speaker:it's very firm specific issue. But you can also compare the
Speaker:cybersecurity sanctions with other sanctions. What kind of sanctions
Speaker:the firm is giving other type of violations?
Speaker:And, again, same commerce apply. Put yourself into employee shoes.
Speaker:Pilot testing to idea ideas with few people. And, of course, you need to get
Speaker:management support, as I mentioned, also.
Speaker:Sounds like sanctions could backfire if they're not engineered
Speaker:properly. How how could a a a manager avoid
Speaker:sanctioning in a way that would have the an unintended effect?
Speaker:Backfire basically means that you increase sanctions for
Speaker:improving cybersecurity behavior. Perhaps cybersecurity behavior increases,
Speaker:but then you have negative effects, kind of side
Speaker:effects. People don't like sanctions as a result of which
Speaker:they work work motivation may decrease. They may
Speaker:start to hate cybersecurity, or they may start to hate
Speaker:IT or even leave the firm. In in in case of
Speaker:cybersecurity, one concern is also privacy.
Speaker:It can depends on the culture and even people, what they think about privacy. Some
Speaker:for some people, private is very important. For some people, it's not.
Speaker:The privacy is important in cybersecurity cases because often
Speaker:when you actively use sanctions, you have to monitor.
Speaker:Right? And that's may involve violating employees'
Speaker:privacy. And because of privacy concerns, people may start to
Speaker:hate cybersecurity, hate to IT because they think that they
Speaker:are the one and the same thing and so on. And we have studied that.
Speaker:We have one study where short term, that was field field
Speaker:experiments in Europe. So short term, the cybersecurity behavior
Speaker:increased. Longer term, the sanctions were not
Speaker:effective in cybersecurity behavior, but there was backfire effect
Speaker:that people didn't trust the company and lot of negative
Speaker:views regarding the company and so on. So in order to
Speaker:avoid the backfire effect, you must
Speaker:understand that the employees get the
Speaker:importance of cyber stick policies and the reasons behind
Speaker:regulating some actions by sanctions. This is depending on
Speaker:the firm's nature. If you are military organization, this is easy. If you are in
Speaker:a university, very hard, depending on the firm
Speaker:culture. But the idea is that you if you use sanctions actively,
Speaker:you need to justify them if they are not already self evident for employees. And
Speaker:many organizations, they are not self evident for employees. And, you know, they
Speaker:need to understand why the activities sanctioned
Speaker:by sanctions are important to to cover and and so on. If they don't
Speaker:understand that, if they're not accurate that they think that it's a you know, you
Speaker:are just violating their privacy or you are just, making their work
Speaker:more harder, then you most likely will get get the
Speaker:backfire effect. I'm hearing a pretty
Speaker:consistent subtext of fairness. So a lot of the things
Speaker:that you're mentioning that can cause the sanctions to backfire would
Speaker:be when the employees don't feel like it's fair. Yeah. You know, you're
Speaker:violating my privacy. You know,
Speaker:I didn't understand. You didn't communicate. They're too harsh.
Speaker:But but I wonder if unevenness and
Speaker:sanctions is a problem. I know at universities and and a
Speaker:lot of other organizations, different departments or different functional
Speaker:areas have different subcultures.
Speaker:And so if you're talking to somebody in another department,
Speaker:then, you know, I they get to leave early on Fridays, and, you know, nobody
Speaker:cares when you come in. And your boss says, you better be in at
Speaker:your desk at 8, and you better not be out that door before 5.
Speaker:That seems like it could cause a lot of problems. Is that an issue with
Speaker:the security sanctions as well? Well, that's an excellent question. I I
Speaker:don't think that nobody knows the answer to that. Alright. Future
Speaker:research. Yeah. Okay. So I think what I'm taking
Speaker:from this is if, if the security
Speaker:provisions they're required to follow aren't common sense, if they don't already know
Speaker:it, It needs to be carefully explained in a in an explicit
Speaker:manner by the manager Absolutely. In order to justify its application. So
Speaker:it's almost as though explaining the the security policy
Speaker:achieves a lot of what has to happen. It's that 1%,
Speaker:those with a certain sense of psychopathy who are gonna break the rules anyway that
Speaker:need to understand they're gonna get punished if they don't comply. You know,
Speaker:if you think about the employees' compliance with cybersecurity policies,
Speaker:lot of cases where almost every organization should do
Speaker:better, and that's not necessary sanctions. Specific issue is that,
Speaker:you know, you should make effort that the employees understand the policies and
Speaker:why, you know, the policies are like they are. I don't know
Speaker:that there's research into this in in the context of cybersecurity,
Speaker:but I think there's there are some psychologists that
Speaker:would say that the sanctions actually might
Speaker:have a an increasing effect on violations
Speaker:by those who are suffer from psychopathy, because that's
Speaker:part of the thrill. You know, if you don't get caught, there's not
Speaker:a chance of getting caught, then you don't get that thrill out of it. And
Speaker:so I I just wonder, that might be an interesting avenue of
Speaker:research as well. But I don't think I've read anything in
Speaker:cybersecurity that's talked about that. No. I don't my
Speaker:understanding is that nobody has studied this in in the cybersecurity context.
Speaker:So I have I cannot really I
Speaker:think the closest we get to that are the the very interesting findings in in
Speaker:in Mikko's prior work, particularly about people wanting to
Speaker:I don't wanna say get even with the boss for the boss being stringent, but
Speaker:the the the whole ledger keeping, scale
Speaker:balancing part of, deciding to act out just because you think
Speaker:they're being too stringent. Yeah. That
Speaker:might be. But What do you have coming in the
Speaker:pipeline? What new ideas will are you working on to get into the literature
Speaker:on on how to manage cybersecurity?
Speaker:You mean sanctions or cybersecurity in general? Just
Speaker:interested in what you're working on and how our reader our listeners might be
Speaker:keeping their eye out for it if they're interested. Nowadays, I'm
Speaker:also doing a lot of work on cybercrime, actually.
Speaker:So I do understand cybercrime,
Speaker:especially to how cybercrime happens and how to
Speaker:how we can use communication between the offender and victim to actually
Speaker:understand and prevent and prevent cybercrime. So that's
Speaker:that's one thing I'm doing. It's not really on cybersecurity
Speaker:manage management, of course, it has implications for cybersecurity management.
Speaker:What what parallels do you see between that work
Speaker:and and what you've done, around the sanctions within an organization?
Speaker:Are you seeing any any commonalities across those 2 or too
Speaker:early to tell? The cybercrime cases that we are
Speaker:actually looking, These are cases where people
Speaker:very careful and clever ways, victimized,
Speaker:people and, you know, now sanctions. Well, if you don't
Speaker:understand that you are being victimized, so how the sanctions could
Speaker:really apply effectively. So that kind of case is I don't think the sanctions
Speaker:help here. It's more about again, you know, we
Speaker:need tools for ordinary people, and
Speaker:and employees to to understand actually more cyber
Speaker:crimes and, you know, what kind of how people may try to
Speaker:use you in order to, get your money or or or some information
Speaker:from the firm. So it's more about the risks and how to protect yourself?
Speaker:Yeah. I think we're also seeing the threat actors becoming
Speaker:vastly more sophisticated than they used to be. That may be that may be an
Speaker:AI thing. I don't know. The the people I talk to over here where we
Speaker:are, because we we have a a classified work workspace over by the air force
Speaker:base, and they're the opinion that the, the national actors that are
Speaker:trying to breach their network are using AI to do it, and only AI can
Speaker:counter that. That's a lot of the phishing attempts I'm seeing
Speaker:lately are vastly better than they used to be. So it's a risky environment
Speaker:increasingly so, I think. You can use generic phishing
Speaker:where, you know, you've sent the same message to, you know, million of
Speaker:people and hope some of these will will be your victims,
Speaker:and then you might be more specific or targeted
Speaker:attacks where you actually find a lot of information
Speaker:on the target, and then you make your attack and, you know, of
Speaker:of course, these these targeted cases are much more successful in
Speaker:phishing or other type of social engineering. So
Speaker:so, Mikko, as we close out, we typically ask what your 4 or 5
Speaker:practical recommendations would be for the security managers who'll be listening to this.
Speaker:What are the things they can add to their list of to dos to keep
Speaker:the company safe as they, practice the craft?
Speaker:So first, you need to actually decide
Speaker:how you're using active or passive use of sanctions. And and now I
Speaker:realized I don't actually what we have discussed is basically
Speaker:so far, is active use of sanctions. Active use of sanctions means
Speaker:that, you know, you you monitor cases and you give sanctions to
Speaker:employees. But there's also also passive use of sanctions.
Speaker:So passive use of sanctions, some might prefer to these as a
Speaker:theory of covering your ass by sanctions. So basic idea is that
Speaker:you introduce sanctions, mainly to protect yourself or the
Speaker:firm from the plane. With this passive approach of
Speaker:using sanctions, you actually only use sanctions when
Speaker:something bad happens. So you introduce sanctions,
Speaker:but you actually will use them only if something very bad happens.
Speaker:I call it back you know, passive use of sanctions. So So something pandemic
Speaker:you can say, hey. We have sanctions in place. Now we can play in this
Speaker:guy or whatever. Now if you use active use of
Speaker:sanctions, that means that they require a justification,
Speaker:and they may backfire. They use justification because you actively monitor
Speaker:and keep sanctions. And, especially, to hire other sanctions,
Speaker:the more most carefully they have to be justified. And if
Speaker:you don't actively use sanctions, they will lose some of their effectiveness as
Speaker:a preventive tool. You know, same I idea as in the,
Speaker:climbing over the speed example if, you know, you are
Speaker:removing all the police radars, people will increase climbing over the
Speaker:speed limit. And now the use of sanctions,
Speaker:especially I mean, active use of sanctions. If employees don't find them
Speaker:justifiable, they tend to backfire, and you should
Speaker:already think about that kind of scenarios.
Speaker:And in this case, if your sanctions do not backfire, you don't justify
Speaker:these, well, sanctions may become worse than
Speaker:useless because the, because the side effects, such as
Speaker:employees dislike in cybersecurity are worse than they prevent
Speaker:the effect. These are the 4, 5 key points.
Speaker:This has been Cyberways. It's a production of the Louisiana
Speaker:Tech College of Business Center For Information Assurance, courtesy
Speaker:of the Just Business grant from Dean Chris Martin.
Speaker:This podcast is available wherever you consume podcasts,
Speaker:and we'd be grateful if you tell your friends about it. And if you find
Speaker:it useful to you, let us know. Let our guests know.
Speaker:I'm I'm sure doctor Sipponen is available to talk to you if you
Speaker:need more advice, because as he says, he does a lot of consulting in this
Speaker:area. We hope you found this to be interesting, and we hope you
Speaker:find the, the information to be useful in keeping your company more secure.
Speaker:Until next time. Thank you. Thank you. Appreciate it.
Speaker:And it is important to say that the Cyberways podcast is funded through the just
Speaker:business grant program of Louisiana Tech College of
Speaker:Business, and, we're grateful for that. So join us next time on
Speaker:the Cyberways podcast, which is available on all major
Speaker:podcast platforms. We want you to subscribe or follow or
Speaker:whatever button your favorite podcast app has. Thank you very
Speaker:much.