Technology and Security (TS) explores the intersections of emerging technologies and security. Monthly deep dives on AI governance, national security, cognitive warfare, and emerging technology with Dr Miah Hammond-Errey. Guests include intelligence leaders, researchers, and policymakers from Australia and globally. https://miahhe.com/about-ts | https://stratfutures.com
TECHNOLOGY AND SECURITY // Transcript Andrew Reeves
Miah Hammond-Errey: Welcome to Technology and Security. TS is a podcast exploring the intersections of emerging technologies and national security. I'm your host, Dr. Miah Hammond-Errey. I'm the founding CEO of Strat Futures Pty Ltd and an adjunct associate professor at Deakin University. My guest today is Andrew Reeves.
Dr. Andrew Reeves is the deputy director of IF Cyber at the University of New South Wales. He is a registered organizational psychologist and cybersecurity leader specialising in the human aspects of cybersecurity. Andrew has worked across the not-for-profit, consultancy and academic sectors. He was previously the director of organizational and behavioural research at CyberMinds, which promotes mental well-being and resilience among cybersecurity organizations. He is a visiting fellow at the University of Adelaide.
Thank you again for joining me on the Technology and Security Podcast, Andrew. I'm really excited to have you here.
Dr. Andrew Reeves: Yeah, I'm very excited to be on myself. We're coming to you today from the lands of the Gadigal people. I pay my respects to elders past, present and emerging and acknowledge their continuing connection to land, sea and community.
Miah Hammond-Errey: As I started with there, you've got an unusual background for a cybersecurity leader in that you started as an organizational psychologist. How did you end up at the intersection of human behaviour and cybersecurity?
Dr. Andrew Reeves: Great question. I do consider myself a bit of a weirdo when it comes to cybersecurity. I think a lot of us that work in cybersecurity are weirdos in our own way. I fell into it. I was training to be an organizational psychologist, interested in how people behave at work and what leads to optimal behaviour at work, good decisions, things like that, and also the factors that lead to poor decisions at work and poor behaviour. Then I was lucky enough to go to a briefing by researchers in defence who were all organizational psychologists themselves. And they said, look, most cyber-attacks involve human error in some way. I've told the story before that it really felt like a light bulb. It combined the passion I had for psychology with the sort of previous career I had, which was in IT. And the more I've gotten into it, the more I've found that human vulnerabilities are so important in cybersecurity.
Miah Hammond-Errey: That was a perfect segue. So let's go to our first segment. What are some of the interdependencies and vulnerabilities between psychology, technology and security that you wish were better understood?
Dr. Andrew Reeves: I think the main one, and it's been talked about for a while, but the main thing I think we keep overlooking is that there is a human involved. We talk about it a lot with scams, about how human behaviour ultimately enables or undermines those scams from occurring. But I think in other areas, we forget that there's a human involved. The attacker is a human, right? To some extent, we're moving past that and maybe we'll have more agentic and automated attackers, but there is still often a human involved, at least at the moment. The defender, the person looking over the systems and keeping them secure, whether that's a SOC analyst or a system admin or many other roles, they themselves are human. So they have the ability to make fantastic decisions and the ability to make less than great decisions. And then, of course, the everyday person, the end user, the victim, the target of attacks, they're a person as well. So for the defenders, the good guys, the people defending the network, we're trying to make their decisions better. We're trying to use the understanding that we have from psychology to help them be their best at work. And at the moment, I don't think we're doing that well. And arguably, there's quite a mental health crisis occurring in that sector at the moment. In the attacker group, we're actually using the exact same models of decision-making and performance at work, but we're turning them upside down because we want the attackers to make worse decisions and to get confused and to get frustrated and to give up. But both of those are complementary to our traditional technological ends: to take that psychological expertise and try to influence decision making.
Miah Hammond-Errey: So your work is really interesting because you've actually done work across all three. So the attackers, the defenders and the victims. Let's talk a little bit about cyber deception. Can you explain a little bit more about what it is and why it's such an underutilized tool?
Dr. Andrew Reeves: Cyber deception is a broad term to refer to attempts to deceive the attacker. So often we hear about how we get deceived by attackers all the time, but this is about how we can actually deceive them. Now, there's lots of controversy around whether you can hack back and things like that. Deception isn't trying to do anything like that. What it's trying to do is set up our own networks in such a way that it makes the attacker's life harder while making the defender's life easier. From the attacker's perspective, once they get in, we want our networks to look difficult and complex and annoying, but we need the network to look easy from the defender's perspective. We end up with this problem sometimes that we implement certain techniques that do succeed in making the attacker's life harder, like IP shuffling or whatever, but it also makes the defender's life harder, the sysadmin's life harder. And arguably, that means we haven't really gone anywhere.
That's partly why, to answer your question of why we're not seeing uptake to some extent and why it's niche. Partly because there is a hesitancy to do this because it seems quite advanced and most CISOs are just trying to keep up with what they need to do from compliance and just putting out low-hanging fruit. There are also historical examples of where certain pieces of deception, which has been around for ages, you know, honeypots and honey tokens, nothing new, if they're not implemented well, can actually cause the opposite problem and you get a lot of false flags and things. And then the third thing I'd say why we don't hear about it too much is because there is a separation between how we should even talk about deception. There's a school of thought that says if we're going to use deception, we should make sure that the attacker never knows that we're using it, because the point is that we want it to be a tripwire, or we want it to alert us that there's someone in our network, and therefore we need to make sure the attacker never knows about it. But there's a completely different train of thought that says, if the purpose of what we're doing is to make the attacker's life harder, maybe foregrounding the fact that we are using deception against you, if you come into our network, be warned, you will be up against active attempts to mislead and undermine you. Maybe even putting that knowledge in the attacker's head achieves part of the goal that we're trying to do. And it's really interesting to see even how different states and different nations are taking that approach. Cliche, America is going down a bit more of that loud and public view on deception, and the UK and EU are more doing a hidden and slow approach.
So I think it would be really interesting to see which one has most bang for their buck. But for that reason, I think that it is being deployed more than we are hearing about. Deliberately, it's being kept silent.
Miah Hammond-Errey: Yeah, absolutely. The way you've described deception sounds to me a lot more like strategic defense or deterrence. Deception itself seems to cut against that instinct we have, which is just to harden everything. And you alluded to it, but I guess, can you just draw out what kind of cultural shifts really good deception requires?
Dr. Andrew Reeves: You hit the nail on the head. It is a massive cultural shift that's required. Some of the work we did, and we have a couple of research papers out about it, we were looking at, even down to the level of, say, a SOC, how they'd have to change the way they do things in order to implement deception. And really, it's a huge shift in the culture. It's a huge shift in the role requirements because you're no longer always acting in a reactive manner where you are simply receiving and triaging alerts. You are being more proactive and deliberative in how you put things on the network. And one of the applications of deception is that once you've detected an attacker in your network, you either just watch them or you lure them into a relatively sandboxed environment and observe for as long as you can: what sort of things are they going after, which tells you something about them, and what techniques are they going after and how sophisticated do they seem to be, which helps inform your threat actor profile for future defence purposes.
Dr. Andrew Reeves: But that itself feels very uncomfortable for a lot of people working in the industry. And it kind of comes back to what I was saying before about how there's a bit of a mental health crisis happening in the industry and the people working in the industry are under a lot of pressure because they know that they will get blamed if something goes wrong. We very rarely blame the attacker, publicly at least; we tend to blame the defender for missing something. To them, the idea of allowing the attacker to stay in and holding that confidence that, oh, don't worry, we've captured them and we're just monitoring them, is understandably terrifying in a lot of ways.
Miah Hammond-Errey: You have done some really interesting research, though, to better understand how attackers move through a network when they're aware of the presence of deception. Can you share a little bit more?
Dr. Andrew Reeves: We ran a study where we had a cohort of red teamers and penetration testers who were, of course, playing the part of the attacker. We gave them a simulated network and we gave them a few starting points and a particular end goal. We then revealed to them that there was deception on the network that we were using. We didn't say specifically what we were using, but we gave them examples like honey tokens and honeypots that were there on the network somewhere. And that was all the details we gave. We then had them repeat the exact same process where they tried to get from start to end. What they didn't know is that there actually wasn't any deception on the network. It was the exact same network. All we were manipulating was their awareness of that, or that perception that there was deception there. People became very cautious and questioning of things that they thought obvious beforehand. So as an example, there was a crusty, dusty old, I think it was a Windows XP Service Pack 1 machine on this network.
We left it there because this was a mirror of a real-world network, and it really was there on that. So we thought, whatever, we'll leave it there. And because that's such a low-hanging fruit, a lot of the red team had hit that as a very early port of call as they moved through the network, because it was just easy, right? It was an obvious way to escalate through the network.
However, once we revealed that we were using deception on the network, they all started avoiding it, because it seemed way too good to be true. "Such an obvious honeypot" is one of the quotes. And again, there were no honeypots on the network. So to some extent, that vulnerability was shielded simply by manipulating the awareness of the attacker. And that's partly why certain organisations, as I mentioned, particularly some big ones in the States, are being very loud and open about their use of deception, because they want to capitalize on that. If an attacker gets in, maybe some of our true vulnerabilities will be shielded, or at least it will slow them down, because they'll think it's too good to be true and they'll avoid it. So we saw people were taking vastly different paths through the network. They were having to spend a lot more time going after vulnerabilities that they were less familiar with simply because the ones they were most familiar with felt too good to be true. So it was really fascinating.
And then a lot of them started doing things like, oh, I don't even trust that this system administrator, whose access I'm trying to compromise, I don't even trust that this person exists. Maybe they themselves are a fake persona on the network. So they started reviewing LinkedIn and other social media to try to detect if that person truly exists, which itself is an avenue for poisoning their reconnaissance, right? Essentially, as you said, it's similar to a lot of how we do other types of influence and warfare, but applying it onto the network, I think, is a place that hasn't been fully capitalized on yet.
Miah Hammond-Errey: Yeah, it's really interesting. It definitely goes back to that interdependency comment you had first up, which is that irrespective of how advanced the systems or technologies or processes might be, we're still looking at that human component, which... It will be interesting to see if you start looking at automated attacks or shifting one component of that equation, whether or not the humans that are still in that system will think about it differently. I'm going to pivot. So you and I are currently working together on what I think is a really exciting project.
So the University of New South Wales, IF Cyber and Strat Futures are currently mapping the cybersecurity implications of emerging technologies in Australia over the next two to five years.
Can you describe a little bit about this project, why it's important, and maybe very briefly the methodology?
Dr. Andrew Reeves: As you said, this I think is a really interesting piece of work that we're doing together. And essentially what we're trying to look at is we're trying to build what we're calling an Australian cybersecurity problem book, which is informed by what sort of technologies are emerging currently that are going to be particularly critical for Australia over the next two to five years. And then once we have a view on what those technologies are, we look at what are the likely cybersecurity implications of those. And the reason we're doing that is to say, if we can to some extent predict that these sorts of things might be plausible in two to five years' time, maybe we should be getting ready now for how we secure those things, but also what sort of research projects should we be focusing on right now? And so it'll inform parts of the research that we fund. And of course, we'll also be giving the outcomes of this to certain government agencies who might be able to use that to inform where their research funding goes as well.
So for the methodology, very briefly, the way we're running the project is by collecting as much information that's already out there, like the Department of Industry, Science and Resources list of the critical technologies that they believe are most important to Australia's national interest. So we're looking at all of those different fields. We have done a very expansive and in-depth review of academic literature. We've developed quite a novel and interesting LLM process, which reviews data sources, including our literature review, including the white papers that people have sent through to us, including a survey. We've had about 50 or 60 experts in different emerging technology fields who have completed that survey. And then we've also had input from sources such as your own podcast, and the experts that you have on there and what they've talked about has all fed into this review document that for us says, this is what we think things are going to look like in two to five years' time. And then we've put that to a workshop of experts to pull it apart, tell us where we got it right, tell us where we got it wrong. We're doing an online version of that too, where experts from around the world will pull it apart and say where we need to change things. And then once we've got that to a point where we're pretty happy with it, we'll then give it to a series of cybersecurity risk assessors to start saying, here's the risks we should be focusing on. Here's the things we should be preparing for now. So that's the sort of phase that we're heading to at the moment. But it's a fantastic project, and I'm really excited to see it progress.
Miah Hammond-Errey: We finished the analysis of the data and we've put that to a workshop and finalized the first research deliverable, which is an emerging technology assessment. So not to put you on the spot, Andrew, but you are fresh off analysing and reviewing the outcomes. What technologies and developments do you think are absolutely critical for us to focus on and that maybe we haven't been paying enough attention to?
Dr. Andrew Reeves: That's a good question. I'm by no means an expert across all of these different areas. What we're looking at is everything from quantum to biotechnology. And as a psychologist, that's a little out of my wheelhouse. But I think what has been really interesting to see is that what is underpinning the pace of change is not necessarily any one technology, but it's the way lots of different technologies are starting to interact with each other.
So for example, we have a focus area and there's a huge amount of research being done on biotechnology, right? And that itself, like a Neuralink technology or brain-computer interfaces, that itself has cybersecurity implications. And I think that's already being discussed. But what's interesting is that almost completely separately from that, we have a broader discussion and societal discussion happening around AI and the technologies that underpin that and the ethics of that. When really it's quite obvious how those two things go together, and suddenly you start seeing how not only is AI currently affecting our cognition in lots of ways, whether it's distracting us and making us hyperfixate on certain things, but just how that will be even more the case once brain-computer interfaces are actually at commercial scale, and they're already out there. So I think it's those points of overlap which really come to the thrust of what we try to do as an institute in the Institute for Cybersecurity at UNSW, because our whole remit, our whole purpose for existing, is to connect different disciplines together. That's all we do. Again, it's why I'm so excited by this project, but a lot of these problems are not going to be solved just by the continued development in any one field. It's about connecting those fields together. Another example is how often with these technologies, we run into the... I think, yeah, for the work we're doing right now, the thing that keeps jumping up to me is just how interdisciplinary and how collaborative we need to be.
Miah Hammond-Errey: Yeah, like one of the things that has been really interesting for me is just how the pace of change across all of those areas of technology. So that the emerging tech assessment looks across all of the seven fields in the DISR list of technologies in the national interest. And one of the things that just really stuck out at me is just how frequently the need for adaptation and learning came up in, you know, expert after expert kept saying, and they were only talking about their specific area of expertise. But when you took that, across the whole data set, the need for organisations to be able to learn and adapt both in organisational models, but also individually, I think is going to place a really different, a need for a different emphasis, both as individuals and then organisations in terms of learning. So that's an exciting space.
Dr. Andrew Reeves: Yeah, that speed of organisational learning, I completely agree, is a really interesting space to be. It puts leaders in an interesting position as well, because it means, again, I'm putting my psychologist hat on, it means there's more and more need to be willing to operationalize things that you're not particularly familiar with or comfortable with yourself. And learning how to do that as a leader is a skill. That's something you need to practice at. It's not a comfortable place for a lot of people, and potentially that's where we're going to have to see a lot more leadership development happening. So one of the first outputs for listeners will be an emerging technology assessment, which is really kind of a high-level overview. Later on in this research, we'll release a much larger document with cybersecurity implications and more added to that. I want to quickly touch on AI because we've spent quite a lot of time talking about it and thinking about it.
Miah Hammond-Errey: Are there any AI and cybersecurity trends you think we need to be watching?
Dr. Andrew Reeves: It's a bit of a cliche, but America seems to be going down the route of deregulation, encouraging competition, free market. And we're seeing others, let's say the EU, for example, taking a more controlled approach. So I'm interested to watch that as a trend. And then Australia will obviously be watching to see what lessons we should be learning from that. So that's one of the big things that I think is a trend that we should be watching. The other trend that we should be watching, that almost touches on the point I was making before, and that you made as well, about the speed of institutional learning, is to watch how organizations start to mature their AI risk, understanding their AI risk profiles. Are we going to see something similar to what cybersecurity did and has done over the last even 5, 10, 15 years, where boards start to really interrogate and understand cybersecurity at that level? Are we going to see it play out in much the same way with AI? Or are we actually going to take some of the learnings of what was done well and what was not done well during that time? So there's a couple of trends there where I think it could go one of two ways, and I think it's definitely worth watching.
Miah Hammond-Errey: You have actually done some research on cybersecurity education training and awareness programs and why they often fail. You've argued that they can cause advice fatigue rather than improving awareness and behavioural change. That's quite damning for what is a pretty big industry. What works then for actually changing human security behaviour?
Dr. Andrew Reeves: What works is looking at the system that people work in rather than simply trying to educate. So I try to use the term behavioural change rather than say like an awareness program or something like that. I don't think, again, controversial opinion, I don't think the problem we have is a lack of awareness. I think people are aware that there are scams and there are things they should be doing differently and that what we have is competing priorities.
A lot of things we've seen in research, not so much my research, but other papers that are out there, have said that when people fall for scams, they often do realise it or at least are suspicious almost immediately. But a lot of the time, they don't tell anyone because they feel embarrassed and they feel ashamed. Fair enough, but the worst thing is that's the exact opposite of what we want. Say an employee of our organisation falls for a phishing scam and it's that first step for an attacker into the network. If they report that and let someone know, it can be dealt with. It comes back to a psychological thing because it's psychological safety, again, which is a regulatory requirement now that businesses must prevent psychosocial hazards at work. I often make the argument that we shouldn't just be doing that from the human good argument, which obviously is a big part of the reason why we should be doing it. But if you're not convinced by that, maybe you'll be convinced by the fact that creating psychologically safe environments actually encourages people to do the right thing, even when it comes to cybersecurity. I think there's such an opportunity there to create systems which enable the behaviour that we want and make it harder to do the wrong thing.
Miah Hammond-Errey: Absolutely. We really need to look towards how we can nudge human behaviour in the right direction, because everything you said is correct. And I would add, I think most people want to do the right thing. The vast majority of employees don't want to be the entry point for a cyber attack. And so actually helping them to achieve their obligations in, as you say, what can feel like a very competing and challenging environment. Particularly as the sense of urgency on technology and adoption and pace picks up, people do still and continue to feel nervous and unsettled by that. I'm going to jump back to finish the conversation about the emerging tech assessment.
Miah Hammond-Errey: In five years, what is the AI conversation that we'll regret not having had today?
Dr. Andrew Reeves: Oh, that's a great question. It's a conversation that to some extent is happening, but perhaps it's happening more in niche areas and it should be more out there. But I would say the conversation is just about whether we, not answering the question of can we do something, but asking the question of should we. What else has surprised or interested you throughout this research? Yeah, maybe you go first on that one. I'm interested to see what you say.
Miah Hammond-Errey: Okay, so mine is a little bit long-winded, but basically, the pervasive data collection we see in the current digital environment, combined with hyper-personalization and algorithmic curation, has created that landscape of influence and interference. And for a long time, it's felt like a handful of lone voices talking about that as being concerning. And I feel through this research that that is becoming a groundswell. Many established voices, academics, many members of industry, government experts are also really concerned about this and wanting to embrace technology in a way that is consistent with our principles and values of democracy in Australia. And that makes me really happy to be an Australian and really excited to be a part of that conversation.
Dr. Andrew Reeves: That's a great answer. I completely agree with a lot of that. And I think to some extent, we're seeing more and more salient examples of that, which helps move the conversation along. I'm even reminded of the Vanuatu cyber incident, which was an influence operation combined with a cybersecurity operation. So just seeing how influence is going to continue to be part of this conversation and why, again, cybersecurity is an element of statecraft. It's going to need to be an element of how Australia sets itself up on the national stage and how we define who we are. Cybersecurity is part of that. And whether that's by helping our natives and, of course, defending against state actors that don't have our interests at heart, I think that's going to be a bigger, bigger piece.
Miah Hammond-Errey: Let's go to the contest spectrum. What's a cooperation, competition or conflict you see coming in the next 12 months? The next 12 months?
Dr. Andrew Reeves: I'd probably link this back to what I was saying before about deception, in that some of the approaches to deception that we're seeing are quite split, whereas half of the world is keeping it quiet and the other half are being loud and proud. And there are examples happening, particularly in the UK, but other places as well, where they're quite actively testing which of those approaches is the most effective. So that's the kind of question: two schools of thought that I think are really going to start butting heads, particularly in the next year or so. And I'm quite keen to see which one comes out.
I think, as with everything, anytime you do research, the answer ends up being, it depends, rather than this is better or that's better. And we've even done a bit of research that says exactly that. But yeah, I'm interested to see how that plays out. Absolutely.
Miah Hammond-Errey: So then let's go to another segment. It's called Alliances. What relationships should Australia and Australian companies focus on to stay competitive?
Dr. Andrew Reeves: I think there's a tension at the moment between the desire for Australia to have a sovereign capability when it comes to all sorts of different emerging technologies. Of course, we talk about it in AI a lot, but even clean energy generation and things like that, there's clearly a push to have more of a sovereign capability in that regard. Teamed with the fact that to do this well and to do this fast, we need to collaborate. And we have fantastic collaborations with big players, whether that's the US, EU, and even China. So there's that tension that we're being pulled in two directions. We want to collaborate and to do as much as possible together, but we also need to make sure we're joining sovereign capability. So to answer the question of what should organizations be doing? I think what we're starting to see play out is that for more established, and we're seeing it in our data as well that we're analysing, for more established technology, there's still collaboration. And if it's improvement to established technology, that collaboration is still continuing in earnest. But for the more frontier, unproven tech, that is becoming increasingly ring-fenced and strategically protected. So I think that's what we're mostly going to see, and that's what organizations should probably start to do.
Miah Hammond-Errey: Yeah. I mean, what's super interesting there, and knowing the same data that you're talking about, is what a nuanced discussion that can be. So you're pulling a few threads there on things like AI, on clean energy generation and access, on biotechnology, on the tech stack aspects of data centers and so on, and cloud access. And the kind of discussion like that, the tension between localization and globalization, if you like, sometimes discussed as sovereignty or agency, or depending on how you frame it, they're different in each case. And a lot of this is driven by cost. I think that's a really interesting finding from the research, and hearing you talk about it in terms of the way companies can build relationships in their own fields of excellence. I think that's incredible advice for Australian companies, to really understand how their field is different from that broader discussion.
Dr. Andrew Reeves: Yeah, and we've seen great examples of that. I mean, we've seen telcos and banks doing industry-to-industry sharing across different nations around the world, and that's to some extent separate from the nation states themselves collaborating in that way.
Miah Hammond-Errey: Listeners of this podcast will know that my company Strat Futures has a cognitive readiness and resilience platform to help leaders who make high-stakes decisions. So it's going to come as no surprise to my listeners that I'm really interested in the work you've done touching on the point of where psychology meets the threat landscape. From where you sit, how much does the cognitive readiness of the defender change the outcomes, whether that's a defender specifically on a network or a decision maker?
Dr. Andrew Reeves: That's a good question. There are certainly examples where it changes it a lot. We did one study where we were looking at, it was sort of a two-part study, but at first we were looking at how SOC analysts make decisions as to whether something is a legitimate threat versus a false positive, by actual observation and interview to see what are they actually using to make those decisions. And then we were looking at, based on that, would implementing deception assets onto the network help or hinder that decision-making? And some of the stuff that came out of that was just fascinating. I mean, I had one person say to me, he said, if it gets to Friday afternoon, we have so many false positives on the network that I know that if I were to highlight a whole bunch of alerts, and just go right-click Resolve and get rid of a lot of them, I am going to be fine 99 times out of 100, because that's how much of a deluge of alerts you're getting through.
We actually are funding a different piece of work here through the Institute as well. It's called the CLAS system, the Cognitive Load Assessment System, that's looking at how can we track, through relatively unobtrusive means, how cognitively alert SOC operators are, use that as an estimate of accuracy, and then not so much to punish them if they're tired, because everyone gets tired, but more as a feedback loop to them and just give them that feedback so that they can start to improve their own decision making. So I think cognitive load has a huge place there.
And you touched on leaders as well, like decision makers, not just the SOC analysts. A study we ran years ago now was looking at whether senior decision makers in cybersecurity are any more or less vulnerable to the effects of fatigue when they're at work, when they're making critical decisions. And perhaps unexpectedly, we found that the leaders weren't any better than anyone else at avoiding the effects of fatigue.
But what they did do is that the way they attributed blame was different. So the people that, you know, quote-unquote lower levels in the cybersecurity hierarchy, were more likely to say that the system is failing or the system's hard to use, and that's what's causing the fatigue that then causes the mistakes. But the senior decision makers were more likely to say that it was a personal issue and blame the individual that made the mistake, even if that individual was themselves, which is a really interesting finding.
Miah Hammond-Errey: Sleep is an absolute foundation of cognitive performance, of human performance in general. I was really fascinated, particularly when I read that it was more nuanced than other research had found. So yeah, can you share it?
Dr. Andrew Reeves: Yeah. That research actually came from a really interesting discussion. I used to work for one of the big fallbacks and I was having a discussion with someone there. I wasn't in cybersecurity there, but I was having a discussion with someone from their cybersecurity department. And they said there was this piece of work that they were doing where they'd found this group of people that were employees at the bank, and their security behaviour was always just worse than everyone else's. And particularly what they were tracking at the time was password entropy, strength of password. And this group was always worse than everyone else. And they looked into why, you know. Had they done the training? Where did they come from? What was their age group? What was their demographic? None of that was particularly predictive. What they found was that the system had been set up such that every three months you had to update your password, right? Which isn't really advice anymore, but at the time was advice.
And they found that just a quirk of the system was that you would be prompted to update your password at exactly, to the minute, three months after you set up your first password. So it depended on when you started. And these people, for whatever reason, their first day was a Friday, which meant from then on, they were always getting prompted to update their password on a Friday afternoon. So that led to this particular research project. And as you said, the finding we found was it was more nuanced. The question we wanted to ask was, do people behave in a less secure manner at work when they are fatigued, when they're cognitively tired? And the answer is sometimes. What we found is that if you've tried to motivate them, so if they've gone to a training program or they've watched a video or whatever, and they actually feel motivated to do better, maybe the next time a password prompt comes up, they're really motivated to make a really great password and it's unique and all the rest of it. If they're tired at the point that that happens, it'll actually be worse than had they not tried at all. And it's something that... was counterintuitive at first, but does make sense from a psychological point of view. We often follow habits and what we might call heuristic thinking, where we just take shortcuts, and those shortcuts are not the worst, they're not the best, they sort of sit in the middle. If you try to be really systematic and effortful in your decision making, you'll normally do better. So essentially what we were saying in this study is that you can send people to training programs as much as you want, and that'll motivate them, but if the system they're using is frustrating and tires them out and it's a pain to use, that will negate a lot of the benefits that you may have otherwise achieved. But generally speaking, good cyber decisions happen when you're cognitively alert. But as you said, that's not always going to be possible. There's always going to be situations where we're tired.
Miah Hammond-Errey: I'm going to go to a segment. It's called Grounded. What should we stay focused on, connected to and grounded in this year to keep sane amid the chaos?
Dr. Andrew Reeves: As people start to learn that information on the internet is obviously not always believable, never has been, but these days detecting what is and isn't real and fake is getting harder and harder. The optimist in me says we should start focusing more on what the immediate community and the immediate of what we see around us. We'll start to lower our sight a bit, to say, well, I can't necessarily know that this report that I've read about something that happened on the other side of the world is true and that it actually happened like that, but I can know what happens in my neighbourhood and I can know what happens in front of me. So to stay grounded in the chaos, just reminding ourselves to focus on our immediate surroundings and things we can actually change, and be aware when your emotions are being hijacked. We can get so whipped up by reading about something really horrible and unfair that's happened around the other side of the world.
I saw one the other day that was about someone had their packages stolen off the front of their property, and that was being shared because it annoyed people to see it. It has nothing to do with me. I'm on the other side of the world. So why am I allowing my emotions to be affected by that, by something that I can't even hand on heart say definitely happened? So yeah, stay grounded by focusing on what's around you.
Miah Hammond-Errey: It's kind of great advice because we can't actively change a system that is incentivized to continue sharing that, particularly the reminder of awareness of emotion, which has a huge impact in both performance and, of course, sense of well-being and satisfaction.
Miah Hammond-Errey: You've done so much interesting research on things like burnout, sleep, cognitive load. We've touched on a few of them. Before we move on, is there anything that you are most excited about in your research right now that you want to share?
Dr. Andrew Reeves: I think the main thing I'm excited about is this project that me and you were working on together. I think that it's such a, yeah, and obviously I have to say that, it's just such a useful piece of work because there is so much advice out there, particularly for leaders, people in government agencies. There's arguably too much advice and competing advice, as we're seeing in our own data. It can be really hard to know. How do we actually pull this all together? We've got these seven areas in the data list. That's great. But there's so much nuance underneath that. There's so much overlap potential across those areas, particularly as certain technologies evolve. So I'm really excited for this to come out, particularly, as you said, we have that first research publication that will be coming out soon. And then we have the full problem book coming out later. It won't be the final say in these things because no one gets the final say in what technology is going to happen in two to five years time. But it is a way to distil a huge amount of information into a way that preserves the complexity and preserves the nuance and allows decision makers to read through, prioritise, come to conclusions and get some grasp on these really complex areas, which is something we don't have at the moment, I don't think. So yeah, really excited for this one to come out.
Miah Hammond-Errey: Yeah, awesome. Me too. I've got a couple of quick, quick segments. What do you see as the biggest shifts for leaders and leadership from emerging technologies?
Dr. Andrew Reeves: Good question. Again, I think we've touched on it a bit around that institutional learning philosophy. So for the leaders, there's more and more of a need to learn quick. And that's true for organizations more broadly, to learn and adopt and adapt quickly. But that's also an individual skill that I think we'll see need to be more and more required for people in leadership positions.
Miah Hammond-Errey: Have you got three top tips to help people learn quickly?
Dr. Andrew Reeves: Where's the psychology tips? Oh, that's a good one. The first one I would say is be kind to yourself, right? Because you're immediately going to be in places that you are not familiar and not comfortable and your worst critique will probably be from yourself. The second thing is to admit to yourself and admit to others where you're not the expert on something. So you're setting that expectation as leaders. You can sometimes feel like you must know all the answers, but you're not going to here. And the third thing I would say is share successes and share failures with other leaders. Maybe you don't want to have to share it with everyone. But, you know, I've seen some fantastic examples, even in say the CISO community, and they have even like a group WhatsApp of CISOs saying, here's what went well and here's what didn't. And oh my God, I did this and I should have done that. And that sort of learning from each other, I think is incredibly important.
Miah Hammond-Errey: Let's go to a segment called Disconnect. How do you wind down and unplug? Yeah.
Dr. Andrew Reeves: So I'm a big fan of, I think the Japanese call it forest bathing, which sounds odd, but it essentially means walking in forests, right? You just go for a long walk through nature, essentially. I really find it incredibly valuable. It's essentially a grounding technique. It's essentially a mindfulness technique. That's genuinely how I unplug. Particularly when I've had to make a lot of high pressure, difficult decisions. And when it feels like there's no time to make those decisions accurately, anything you can do to find an inner slowness and inner calm, I think is really important. And that's what does it to me. Reconnecting with nature immediately slows my thinking down and it can make a 20 minute walk feel like two hours. And the amount of good thinking I get done in that time is really valuable.
Miah Hammond-Errey: I think every single person I've interviewed has said a variation of nature and exercise and often a combination.
Dr. Andrew Reeves: Yeah, yes. Because we're physical, you know, we're apes in suits, or at least I am today, is that we do respond to things. And, you know, one thing I've... we got drilled into this in my psychological training is often to try not to think your way out of something that's emotionally driven. It's classic advice for people having a panic attack because they'll often try to think of the solution to their problem while they're in a panic attack. It's like telling your laptop to solve its problem while it's sitting there overheating. The way to solve it is to cool it down and it's the same with your brain. And there's some direct levers we can pull, as you said, through exercise and through nature or interacting with animals, these things that immediately give us a visceral response and then we can start to think better.
Miah Hammond-Errey: One of the things I have become so interested in since starting the platform is the relationship between our physiological state and our cognitive state. So when you're trying to support people to improve cognitive performance, obviously, and yet still necessarily a key part of that is about physiological performance, about understanding your own biology. And as we interact more and more with technology, as we start to contemplate cyber physical systems, how critical that awareness of our own humanness is in our own human states, whether that's from sleep to physical training, adaptation to nutrition, to emotional regulation.
Dr. Andrew Reeves: Isn't it amazing as well that we are still, I mean, it's a relatively recent shift in psychology to even see the brain and the mind as inherently related to all the other parts of the body. For so long, we treated medicine and your GP does all of this and the psych and everything does this. We're still learning about how connected those two things are. And isn't it incredible that we are progressing so fast with artificial intelligence, and yet we're still learning some relatively basic things about how our own intelligence works? Also just how incredible the human brain and human biology is. That's why I was a psychologist. It amazes me what the brain can do. And the closer we get to mimicking it, the more you go, wow, it's incredible that this does that. On a relatively low power profile, right? Yeah. If you measure how much electricity, energy your brain is using, it's minuscule. Amazing. Incredibly efficient.
Miah Hammond-Errey: I want to go to a segment called Eyes and Ears. What have you been reading, listening to, or watching lately that might be of interest to my audience?
Dr. Andrew Reeves: So I have actually... been reading a book called The Invisible Hook. You might be familiar with The Invisible Hand, which is that phrase about market forces and theory and things like that. The Invisible Hook actually, it applies market forces to pirates. And it argues that the way that piracy was dealt with back in the golden age of pirates was not just simply by making it illegal to be a pirate and buy better policing and things like that. It argues that the reason piracy came to an end is because the incentive structure to be a pirate was broken. And it just meant that suddenly on a pirate ship, they couldn't trust each other. The captains couldn't trust the crew and the crew couldn't trust them. It just completely undermined the structure. And I think that learning, the reason I'm reading it is I think there's some fantastic applications to the world of cybersecurity. Because again, attackers are operating just almost outside of legal cases. There are state-sponsored attackers, those privateers. There's the opportunity to do what I think we've done well and potentially don't do as well anymore, which is attract people from the dark side to the good side and use all of the skills they've learned for good. We do it to some extent, but I think we could do it better. And also finding ways to just break the relationships. Attackers, particularly people that operate independently, will often source their tools from others whose whole business function is to serve those tools to attackers who go out and do it and they just take a percentage of the profit, right? Which is similar to the captain and the ship and the crew. So there'll be ways to break that trust, to break that relationship. Yeah, it's a really interesting book. I'd recommend reading it.
Miah Hammond-Errey: My final segment is called Need to Know. Is there anything I didn't ask that would have been great to cover?
Dr. Andrew Reeves: That's a good question. One thing I've seen is that when it comes to psychology and cybersecurity, it's so common to see that when we detect a human issue, we sort of just skip over it. It's really easy to just sort of think, oh, that's, oh, roll our eyes. Oh, that's a human thing, whatever, nothing we can do, and move on. But actually there is quite a lot we can do. And there are people out there whose whole job is trained on psychological method. And I think a takeaway for me is if you see a problem that's down to human behaviour or the lack of it, don't ignore it, focus on it, and then try to engage with someone in your organization that loves doing that. There'll be people in OD that do that. There'll be people in HR that do that.
Miah Hammond-Errey: Andrew, thank you so much for joining me today on the Technology and Security Podcast.
Dr. Andrew Reeves: Thanks, Miah. It's been a great pleasure.
Miah Hammond-Errey: Thanks for listening to Technology and Security. I've been your host, Dr. Miah Hammond-Errey. This podcast is brought to you by Strat Futures. If there was a moment you enjoyed today or a question you have about the show, send an email to the address in the show notes. Please rate, review and subscribe to help promote Technology and Security.