Cybersecurity is complex. Its user experience doesn’t have to be. Heidi Trost interviews information security experts about how we can make it easier for people—and their organizations—to stay secure.
Heidi: Welcome, everyone, to Human Centered Security. I'm your host, Heidi Trost, and I'm joined here today by Matt Wallaert. He is the founder of Behavioral Science and Organizations. Is that how you say it, or is it Besci.io?
Matt: We mostly call it Besci.Io. It stands for in organizations, but most people know us as Besci.
Heidi: Well, you get the URL and the name in the, the same sentence. He's the author of "Start at the End." He just had, you know, small, small gigs as the former head of behavioral science at Microsoft, Clover Health, LendingTree, and Frog. And I first heard of Matt even before I read his book. I heard him on a cyber security podcast, and he's, his, what he was saying struck me as something that I had not heard on cyber security podcasts before, and it was very refreshing and very nice to hear, and it sounded like great advice.
And it was talking about, you know, if folks at your organization get phishing emails, like what are some ways that you can prevent them from responding to those phishing emails? And your advice was, was very, very smart. So I'll try to summarize it very succinctly. I think it was, uh, when you were working at Clover Health and you were talking about, oh, if you get an email from Medicare that seems like it's urgent, first of all, it's probably only going to be filtered through one person. So if it's not coming through that one person, you can assume that it's a phishing email. Also, if it's super urgent and saying you need to do this in 20 minutes, which is, you know, a keystone of all, you know, phishing emails, Medicare is not going to ask you to do something in 20 minutes. That's just not how it's going to work.
Matt: Have you met Medicare? They can't do anything in 20 minutes. It often takes 20 years. So, you know, 20 minutes, they're not operating at that speed.
Heidi: So Matt, Matt had me at Medicare. All he had to say was Medicare and phishing in the same sentence. And I was, I was hooked.
One of the things that I've read is you know, you say that every business is in the business of changing behavior. And I was wondering if you could expand a little bit about that.
Matt: Absolutely. So, um, first of all, thanks for having me. I'm very jealous. I have this terrible last name with extra vowels.
And you're like, I'm your host Heidi Trost. I'm like, that is very slick and not at all what I have managed to do with my terrible acting. Um, so thank you so much for having me. So when I talk about every business is a behavior change business, we really think of businesses in three parts, right? There's some business model, which is a set of behaviors we're going to monetize.
There's some behavioral model. How are we going to get people to do that more than they would ordinarily do it? And then there's some operational model. How are we going to build those interventions at scale? Right? So we often talk about What is the right thing? That's the business model. Then build the right thing, then build the thing right, right?
And there's a whole science to sort of build the thing right and pick the right behavior. You know any any company you can think of monetizes some behavior and it's really easy with consumer companies, right? What does Spotify monetize, what do they want you to do?
Heidi: Listen to the music.
Matt: Yeah, listen, they don't care like any kind of listening, we got it. Podcast, music, books, or the podcast.
Heidi: Yes, by the way subscribe to Human-Centered Security.
Matt: There you go. See, I can work a product. So they have a set of behaviors they care about. And then they have some ways of monetizing that, right? Subscription and ads generally, right? For, for, uh, for Spotify. And you've got to do this for any business.
What does Pepsi want you to do? Drink. Cool. Like, and we monetize that via direct sales. Netflix wants you to watch. Uber wants you to go places. Like everybody has some behavior that they then monetize. Now, sometimes when I say this, at Techstars or someplace, there'll be a SaaS company.
That's like, yeah, but not in B2B. And I'm like, yes, in B2B, absolutely. Right? Like there's always something you want people to do. Right? You know, someone will say, Oh, we're an API company. I'm like, cool. You want people to use APIs, right? Like if they don't use them, right? You're like, then, then you don't have a business, man.
Like, that's what you monetize is usage. So yeah, you need people to use the APIs. Right. That's like saying, well. Pepsi is not a behavior change company because they like make drinks and I'm like, yeah, but if nobody drinks them, they don't have a business, right? Like it is one of those things where like think B2B people often, you know, get in this place where, and it's actually something I find very refreshing about the cyber security community in that I often feel like they are very sensitive to humans being the weak link.
You know, I actually find them an audience more ready to talk about this than a lot of other audiences, at least in the technical community, right? If you're deep in Python, it's hard to be like, ah, yes, I'm changing, you know, like, but security, they get it, right? Like if people don't do a certain set of things, none of this technical security actually matters.
Heidi: Yeah. Well, yes, I have some conflicting thoughts on that.
Matt: This is what we need. We need things with conflict, right? Too often, you know, there are these panels where everybody like nods along and pretends like we all agree. No, like, let's get into it. Okay, disagree with me, Heidi.
Heidi: Well, I, I don't necessarily disagree with you, but I think I want to pull on some threads where I think you're getting at and I think where folks can really learn from you. One is being really clear on the behavior that you're trying to change. I think this resonates with a lot of people. So I'm just going to use this as an example, but you said, I think in one of the talks that I've heard you, uh, in one of the more recent talks I've heard, you say like products, folks will say, Oh, I just want people to like love the product.
It's like, okay, what does love mean?
Matt: And the security example of that is I want people to be more secure. I want people to be more secure. What does that mean? I walk around with like a security score above my head and I, you know. There's something physically, literally that you want me, you know, I used to get into this with the, I love the cybersec people at Clover Health.
We obviously had a lot of health data we needed to protect. It was very important. And you know, they'd say people like, we, you know, we want people to have complex passwords. And I'm like, cool, like having a thing maybe, but like, do you, you want them to create, uh, like is, is the behavior that you want that they'll create it themselves?
Is it you just, it's just important that they have one? Can we create it for them? Like, can we do it really, like... A ton of the work falls into place if you can be clear up front what behavior you want. And I can do the best science driven, experiment driven, like causally clear, job of getting people to do a behavior, but if it's not the right behavior, it's not the behavior you care about then I just wasted all of that time. So aiming is the most important step of this whole process.
Heidi: And I think at least in cybersecurity, it seems like the hardest sometimes, right? Like you want to encourage secure outcomes. Okay. Well, what does that mean? What does that mean in the context of your organization? And I think sometimes folks lean on the words or like the concept of behavior change and take them too literally when really, like, can we create safer systems, right? And that, that will encourage the behaviors that you want.
It will encourage safer outcomes, but it's just like a different way of maybe looking at it.
Matt: Yeah, absolutely. I mean, I think a joke I, I sometimes use in, in when I teach this is... you know, I talk about a chair as a device to get somebody to sit, which seems like a weird kind of way of thinking about a chair.
But when you think about it that way, and somebody says, well, I want you to design me a chair, maybe you don't want me to design a chair. Maybe it's a beanbag. Maybe it's a bench. Maybe it's a pair of anti-gravity pants. And I just kind of like lean back Jetsons-style and it props me up. Like you want some outcome that is sitting. Saying, well, it has to be chairs.
I find this around passwords all the time, right? People are like, make me a more secure way to do passwords. And I'm like, I don't feel like you're questioning why we have passwords in the...
Heidi: Right. You're not asking the right questions.
Matt: Yeah. Like this isn't necessarily the, I can do that. I believe I could do a lovely, wonderful research project that will get people to make more complex passwords.
I believe in the ability to change the behavior that is making more complex passwords. And if you really, really want that, I probably can make it happen, but I'm not a hundred percent sure that that's what you really want.
Heidi: Do you have advice for folks who are, you know, we're all we're all trying to improve security outcomes But how do folks ask better questions and how do they get their team to that that place?
Matt: Yeah, so one of the questions I don't think gets asked enough is the sufficiency question. So people get very bogged down in in how we're going to make it happen. I say, pretend I'm a genie, right? Pretend Matt rubs his fuzzy bald head and he snaps his finger and this thing is true. Would that be good enough?
For example, write behavioral statements. I often use Uber as an example. And when I say, what does Uber want you to do? Somebody will be like, book a ride. Well, let's take that to the, so one of the ways you can test this is to take it to the extreme. We rub Matt's fuzzy bald head. He snaps his fingers, everybody in the world books a ride and then immediately cancels it.
Are you, are you okay with that? And they're like, no. Well, I'm like, well then probably book a ride is not the behavior that you ultimately care about. Right. And so that's the sufficiency test. Pretend everybody in the world did literally the thing you said you wanted them to do. Was that, is that it? Are you done?
Can you go home? And if so, great, you probably have picked something core. But if not, if you're like, ah man, it's only a precursor to another thing that I want, then let's really start with the thing that you're actually trying to get, the thing that you would be truly satisfied with. So that's one of the things I think you can pull, pull the thread on is like, pretend this was true, would it be enough?
Heidi: Yeah, I love that. That's really great. The other thing you talk about that I think is really compelling are promoting and inhibiting pressures. Can you introduce the audience to what those mean?
Matt: Yeah, so so as Heidi knows I am a lying liar. I don't actually change people's behavior, right? I can't like pop open Heidi's head and find the like more secure button and hit it and she's magically more secure. What behavioral scientists actually change is pressures.
So the idea is that every behavior in the world occurs or doesn't occur because of promoting and inhibiting pressures. There are things making that behavior probabilistically more likely, and there are things making that behavior probabilistically less likely. So what we're actually doing as behavioral scientists is intervening on those pressures, right?
What we're really doing is rebalancing stronger promoting pressures, weaker inhibiting pressures, or vice versa, if we want people to not do something. Stronger inhibiting pressures, weaker promoting pressures. But that's what we're really interacting with. So when we do research, for example, we don't, what we're really trying to understand is why a behavior occurs.
What are the pressures? That, that, that lead to this behavior happening or not. Um, and once you take that sort of lens, it changes everything you do. So as an example of that, we don't do any personas. I hate personas, right?
Heidi: I was going to ask you about personas and I know you hate them. Um, but I think our UX folks would be very interested in, in knowing why you hate them because I, I find it very compelling the reasons that you give.
Matt: So science is a fundamentally de-biasing process. The whole point of science is to remove bias, not to add bias. And all personas do is add bias, right? This is Heidi and she lives in Manhattan and she has a little dog and she like is 32 years old and blah, blah, blah, blah. Like. You're just adding in a bunch of irrelevant shit.
You gave her a name and put some blonde hair on her, but that's not helping me. That's just adding other... now, all the biases that I have about the name Heidi, and all the biases that I have about a little dog, and all the biases I have about blonde hair, are like injecting themselves. I don't want any of that.
We always talk about the same five groups, right? And we do this because they're what we call MECE, right? Mutually Exclusive. You can only be in one. But Collectively Exhaustive. Everybody in the world is in one. Heidi, what is your favorite physical activity to do? What do you like to do in the world?
Heidi: Horseback riding.
Matt: Horseback riding, perfect! Literally everyone in the world fits into one of five categories with regard to horseback riding. They either never horseback ride, often horseback ride, sometimes horseback ride, just started becoming a horseback rider, or just stopped becoming a horseback rider.
And we can look at the differences between those groups, compare and contrast them to understand what pressures are at play. So let's say Matt is in the stopped group. Uh, he grew up horse riding, which I happen to do, right? I grew up on horseback. He doesn't do it much.
My grandfather was a horseman for the, for the Forest Service. He died getting bucked off a horse. He spent almost his whole life on a horse. His whole profession was horses. My grandmother still lives on the ranch with my two uncles raising Paso Finos. One of the uncles is a farrier.
I got a whole, we are as horses.
Heidi: So you get it. You get it?
Matt: Oh yeah, I get it. And yet, and yet I'm in the stop category. All right. I'm in the category of people for whom that behavior has decreased. So you could interview me or, and I could say, you know, I just don't love horseback riding the way I used to.
It was really something I did for my mom. And, you know, now that, you know, we don't live close together, it's just something that, you know, I don't enjoy as much anymore. That's very different than, oh no, I still love horses, but I live in San Diego and I don't really have a lot of access or proximity to the ranch, which is all the way back up in Oregon.
Those are really different, right? One of those is a promoting pressure explanation. Hey, it's not that horses are hard to get to. I could get to horses if I wanted to. I just don't like it as much anymore without my mom. That's very different than, oh, no, I still love horses.
I'm still super motivated towards horses. They're just hard to get to. And why that matters is because in the next step where we intervene, we're gonna intervene based on those pressures. So if what we hear is, hey, if Matt's fallen out of love with horses, well, maybe you could introduce your son to horses, or maybe I could introduce you to Heidi who lives next door and likes horses, right?
Maybe I could find you another social facilitator that would help you enjoy it again. Versus hey, let me help you understand where there are horses near you. Oh, I hear that you still love them. Let me understand where that help you understand how you could get easier access to them and give you a coupon or a subscription or whatever that makes you easy access. But if you try and give me a subscription to, you know, if you give me a 50 discount on a horse rental, well, if I don't want to go to a horse if my mom's not here, that doesn't help me any, right?
And vice versa, right? If you're like, man, let me introduce you to Heidi. She really loves horses. And I'm like, that doesn't help me. There are no horses here, right? Like, the problem is not that I'm out of love with horses. It's just that there aren't horses around. So knowing those promoting and inhibiting pressures and how they're actually affecting people can help us make things.
And in security, this is particularly important because we often have very biased interpretations of why people don't do something, right? Rather like medicine, right? Like, you know, why don't people take their meds? Ah, because they're lazy and stupid and, you know, like, doctors have a very down looking view of their patients a lot of the time.
It's happened to security. Why don't people have secure passwords? Well, because they're lazy and stupid. Well, maybe. Also, maybe they just don't see it as super important, right? Like, if my bank gets hacked, the bank will cover it. Like, you know, I don't I'm not, you know, protecting secret pictures of, you know, me with Fidel Castro.
Like, I don't have anything, you know, worth stealing. Like, people just might not have the promoting pressure. And so getting people to map out those promoting and inhibiting pressures really specifically, rather than just assuming that, you know, eh, it's blank can be really key in reducing those biases, right?
That's why I don't want personas. I don't want to add biases. I want to subtract biases so that we can get to that core truth that then we can act on.
Heidi: Yeah. I love this. It's like, what can go wrong on the way to getting to the behavior that you want, which is like a threat modeling concept. But I, I really like the promoting and inhibiting pressures idea because it changes the intervention. If you're focused on the wrong things, then your intervention is wrong. It's just, it's not going to work out the way you want.
Matt: Think about the amount, we're at the tail end of Cybersecurity Awareness Month here. Think, think about the amount of, oh man, security is really important. Yeah. No shit. Like no one is sitting around here going like, eh, security's not that important. Right? Like nobody at this point is being like, yeah, I just want to willy-nilly be insecure. It's hard to do. You know, they want me to have a different password for every website. I must have. I don't know. Easily over a thousand accounts.
You want me to memorize over a thousand random combinations of letters and numbers? That is inhibiting pressure. It's not promoting pressure. And yet, what did you hear? Time and time again, all month long, "Security is very important." We even call it Cybersecurity Awareness Month. Like, the problem is that people are not aware that cybersecurity is important.
Right?
Heidi: Yeah, I think that's like one of the biggest problems and the most, probably the most annoying and abrasive things that I see with cybersecurity is that there's, there seems to be, everyone's intention is good and they're trying, you know, they're trying to encourage the right behaviors, but when you don't understand, like you said, the promoting and inhibiting pressures, the intervention is just not going to achieve the outcome that you want.
So that makes me think of threat actors... almost seem to be, must be listening to your talks because they seem to understand what promoting and inhibiting pressures are and they're using that against people, right?
Matt: And what that implies to me is we have to be just as good or better, right? It's a war. It's always been a war. Security has always been a war with escalation between us and those who want to take advantage of people's data, right?
And so it is incumbent on us to get better than them at this. And believe me, they are listening. Right? Cigarette companies are listening. Like, the whole point of, of writing the book and introducing concepts, and I say this in the book, is like, I'm not telling you something cigarette companies don't already know.
They're already doing this to you. Threat actors are already doing this to you. The reason I'm telling you about this is so that you can do it back, so that you can defend yourself, so that you can be, go into that battle equally armored. Right? To, to, you know, deprogram smoking as fast as they're programming smoking.
And it's always going to be an arms race. And it's always going to be who's better at behavioral science. It's always going to, they're always going to try and beat you. We just need to get better at it than they are.
Heidi: 100 percent agree. How do you know what to focus on? Like where, how do you determine where the biggest ROI is?
Matt: So, remember what I said, I am the genie, not Aladdin, so that's someone else's job. But what I would say is this, I would say, far too often, people rely on their instinctual understanding of how valuable a behavior is.
So I'll give you the example of when I was at Clover, one of the requests that came down from the executive team was, can you get people flu shots? And I said offhand, how much do you think that's worth? And they said, well, we think we probably make about 10 bucks every time somebody gets a flu shot. So I went and did a bunch of math with some actuary people.
Turns out it's a hundred bucks. They're off by an order of magnitude. And this was a senior leader of the company because most people are just doing that. They're going, I don't know, this seems valuable. How valuable is having a complex password? I don't know. Has anybody done the math? It's doable math, right?
Heidi: Well, and also I feel like, I think Jared, I don't know if you are familiar with Jared Spool... I think he said this so I can't take credit for it, but he also says like, look at the other end of it. Think about all the customer service requests that you're going to get for the people who have to reset their password or having issues logging in.
Is that what you're going to say?
Matt: Well, so, so this is. When we think about the $100, the reason that there was a difference between $10 and $100 with the flu shot is because they were just, they were just estimating it based on our Stars and HEDIS measures. So they thought, well, if our Stars measures get better, which is what the government pays us on, we'll make $10.
But in reality, they didn't think, we went and ran some math and we said, well, how many people got admitted to the hospital with the flu, right? And how much did that cost us? Right? So it is about doing a total cost calculation, not just a very limit. And this happens all the time in security. I think people are like, well, based on the amount of money we lost last year on breaches of this type or across the industry, how much money we lost on breaches of this type.
That seems to me to be a very narrow way to define value. And you need to take a much more holistic sort of understanding of how much is this genuinely costing us? Because if that were true, if we did it that way, nope, people get mad when I point this out on stage, but it's true. The most secure thing is something no one can log into.
No one can log into their Netflix anymore. It's a hundred percent secure. There is no login page. You can't log in. Now they can't access the service that they've paid for, but cybersecurity is like, we did our job. It's a hundred percent secure. No one can log in. We didn't even create accounts.
Heidi: Yeah, well, I mean, there does seem to be, well, so there's a balance, right?
And then there's also misaligned incentives. Did we talk about this already? Like misaligned incentives within the organization where the product manager is like, I want to get people signed up as fast as we possibly can, whereas the security or people are like, well, maybe we should like encourage them to, uh, enable two factor authentication because that's like the best way for them to secure their account. Product people are like, no, we can't do that. That's going to reduce the amount of people who sign up. Right. Like having those conversations.
Matt: Yes. And too often, I think, and by the way, I don't think this is the fault of the cybersecurity folks.
Right, so I don't think this is a fault based thing. I think there's a lot of brain damage that results in essentially two-siderism. So, like, the PM is advocating this, and the security person is advocating this, and then it has to be adjudicated by somebody above them, who, by the way, cares a hell of a lot more about growth than they do about security, and security people always lose.
And so what that does is, they just get more and more retrenched. Whereas, if you could just nudge people, Hey, we're on the same team, right? We want the same thing. And part of that is getting to a behavioral outcome that we care about and often that's about extending the length of time, right? So if we talk about the moment of sign up, yeah, the product manager is going to be like, I want as many people to be signed up as possible, and you want me to have a... and those are in direct conflict.
But if we said, hey, what I want to maximize is the number of people who are still signed up a year from now, right? Well, now security has a lot more room to play, right? And by the way, security people, you can't just say it. You have to prove it. Prove that people who get their password hacked leave the product, right? And quantify that. So that you can say, Hey, look, 7 percent of the people who left the product left it over perceptions of security.
We can get those seven people back, right? There has to be some universalism in how we're choosing to talk about something, and it is incumbent on security people to know the business well enough to be able to have that articulated conversation. If you don't know how many people churned out of your service for security reasons, how can you possibly make a demand of the product managers?
Heidi: That's a really good point and it makes me think of like there are different inflection points in the user journey where security makes a huge difference. And can mean the difference between someone either not signing up at all because they don't trust you... you know the way that you've described security and privacy like makes them very nervous and they're like, I think I'll go with your competitor.
Or it happens at sign up or it happens when they can't log in again, or it happens when they get an email that says there's been suspicious activity on your account. And they're like, uh, what do I do with this? Like there are different moments where this happens. And again, it ties back to the bottom line.
Someone has to make a decision whether, okay, forget it. I don't even care about this account anyway. I'm, I'm just not going back. Or two, like, I don't think I can trust you anymore. Like, well, how on earth did my account get hacked? Or, you know, they're calling your customer support and, you know, spending, spending, they're not spending any money, but, you know, you're accruing those customer support costs.
So everything really is kind of tied to the bottom line. It's just a matter of figuring it out.
Matt: And you said something very subtle and important in there, which is the difference between something feeling secure and being secure, right? Which has been said on cyber security stages for 20 years now, and I still don't think people have actually internalized it, right?
Like, if we talk about behavior change, look, you want to get the product managers on your side? Say, hey, I'd love to run a session for you, not on making things more secure, just on making them feel secure. Right? I'm going to give you what you want, right? Growth goals are going to go up if people feel secure.
We're not going to talk about technical security at all. We're not going to talk about actual security at all. We're going to talk about perceptual security. And you run that and you win them over. And they're going to be a hell of a lot more likely to then do the actually secure thing, right? When you come back, if you're giving them the thing they want, which is perceptual security.
And instead what happens is somebody in cybersec decides that they, like, are going to use this as an opportunity to, like, flagellate the rest of the organization about the difference between feeling secure and being secure, and that that's not real security, and neckbeard, neckbeard, neckbeard.
Fuck off, man! Like, that's not actually, like, helping us at all, right? Cybersecurity so often perceives itself as like outside the domain of the company itself. They're like the black sheep of the family and all they ever do is tell people no. Well, cool. Maybe find a way to tell people yes, occasionally.
Heidi: Yes, I'm working on another podcast episode that addresses that exactly, like the security is like the house of no, and it's like, how do we shift the perception to the house of yes, and that you're driving innovation, you can foster innovation.
So a hundred percent.
Matt: Tell me how to make users perceive something as more secure. Like that is, you know how to do that. I don't like, please, please, please, I'm inviting you into the conversation. And by the way. Probably you can get them to be actually more secure, technically more secure in that process of getting them perceptually more secure.
Heidi: Yeah. I think that's a really interesting thing to kind of, uh, to drive home because in, in the user research that I've done, people don't necessarily say the word security or like use security terms. But if you dig really deep into what they're talking about, it's more related to trust. And can I trust the thing is going to happen the way that I expect it to happen?
When I, you know, when I put in my credit card, you know, I expect, you know, the thing to arrive at my doorstep. I don't expect my credit card number to be stolen and used. Same thing for other like security and privacy concerns. Users are expecting things to go a certain way. And when they don't, when their expectations are violated, you know, that's where problems occur.
So I think, yeah, go ahead.
Matt: I have a great example from the last.
Heidi: Perfect.
Matt: So. I recently attended the Grace Hopper Celebration of Women in Computing, one of my favorite conferences every year. There's an India edition this year. I'm sponsoring some women to attend the India edition. Right? So I need to donate some money to an Indian organization through an Indian payment portal.
Which of course was not nearly as easy as I had hoped it would be. And I wasn't sketched out by the website because I know this organization super well and I'm presuming that they picked a partner that was reasonable. And then it rejected my credit card, which I kind of expected because that always happens the first time and you have to go tell it it's not fraud and do it again.
But while I was waiting for that to happen, I noticed that it had PayPal and I, and I was like, oh, I'll just use PayPal because generally PayPal is better at those sorts of things, right? 'Cause they have a different international program. And then PayPal failed. And that's when I started losing trust. Right? You're doing the technically more trustful thing, which is you're rejecting this payment.
You're, you're refusing to take my money. But let me tell you, if I went into a coffee shop and I said, I want a coffee and they brought out the coffee and I said, I'd like to pay for my coffee. And then I tried to hand them the money and they wouldn't take the money. I'm going to lose my trust with you, man.
Like take the fucking $5 bill so that I could have my coffee, dude. Right? And so there are so many like hidden pieces of violating my expectations. Where like, hey, if you reject my credit card and then PayPal, now I'm a little sketched out by you, honestly. Now I feel like I've given you two pieces of valuable financial information.
You haven't taken my money, which makes me feel like now you're really scammy, because we live in a capitalist world. Like, take my fucking money, man. Like, just take the five dollars and let's fucking go, right? Like, you know, if you hand the clerk five dollars for your coffee and he takes it, and then, but he doesn't, like, pull, he just, like, puts fingers on it and then holds it there with you like a bridge.
I'd fucking leave my coffee and the five dollars and just run. Right? Like, that dude's an alien. What is going on? Right? Like, but it's true. It's just these fundamental expectations about how things work. Right? And if you don't, that is your job. It's, like, you can call that design. You can call that user research.
You can call that product. And you can fork it over to them. But the moment you do that, you are condemned to the house of no. Right. But if you can bring me expertise around these things that I'm not necessarily thinking about, about how important it is that we actually do take your money, right, in an entirely inefficient way, now you're bringing me value, right?
Now you're speaking my language and I'm more willing to speak your language.
Heidi: Yeah. Yeah. I mean, the more and more I think about it, I feel like it is so, so very much tied to trust. And Rachel Botsman, I forgot the book she wrote, but she says trust is a confident relationship with the unknown, which is pretty much what you're saying, right?
Like you should go into a transaction. We all kind of know what to expect, right? And when it doesn't go as expected, you lose trust.
Matt: But people, but people, I think get the idea that if it doesn't go as expected in a negative direction. When I was a kid, I vividly remember being in 8th grade. And they made us do a stress inventory for the first time.
Because, you know, when I was a kid, science and health were like the same class. So they made us do a stress inventory. And one of the line items was parents fighting more. And I was like, fuck yeah, I could see why that would be stressful. If my parents started fighting more, I would understand why I would be stressed out by that.
I was in 8th grade, so I'm young. Like, I had hair once. Uh, it was a long time ago. I still, to this day, remember the next line item, which is parents fighting less. And I was like, that's weird. But then I tried to envision it and I was like, wow, if my parents fought all the time and then all of a sudden they just stopped fighting, that'd be fucking weird, man.
Like, that'd be really, really strange. And probably even more stressful than them fighting more. If they just were fighters and then all of a sudden they stopped fighting, I'd be like, oh man, now shit's really gonna hit the fan. And so, it doesn't always have to be violations of security in the negative sense of the word violation, right?
It can be violations in a positive direction where you're still, you know, the coffee guy's like, nah, this one's free. I'm like, I think I'd rather pay for it, dude.
Heidi: Well, yeah, it's funny. I hear folks talk about how, if, like, getting into something that you feel like should be, should have more hoops for you to jump through, like, say, like getting into your retirement account, if you feel like it's too easy, it's like, wait a second.
Why was that so easy? That seems really strange. Is this secure? Like, so yeah, like it kind of goes both ways. You really like, you have to understand the people using the product and what, what their expectations are. Yeah. I always find that very interesting.
All right. The last thing I wanted to say, and I probably should have said this from the beginning, is that thinking about behavior science in this way, thinking about promoting and inhibiting pressure, is so important. It really encompasses the entire audience for human-centered security. So we have UX people who might be building consumer-facing products, and they want folks to be more secure, they want, you know, they don't want their accounts to get hacked. They want to promote trust, but they also might be UX people creating cybersecurity products for security practitioners, and then we also talked about people who are responsible for security within their organization.
So maybe they're part of the security awareness team, or maybe they're part. They're like, uh, in the office of the chief information security officer. I don't know why. You got it, CISO, you got it, just say CISO. Just say CISO, yes. We all know, we're all security people, we know who a CISO is. Um, you know, or it could be the CISO, you know, themselves, who is thinking, Gosh, I wish people didn't perceive us as the House of No, and they perceived us as the House of Yes.
Like these, all of these, relate to behavior change in some way, right? And it all kind of, so I just wanted to kind of wrap a bow around this. No matter who you are within your organization, no matter what challenges you're facing, it's, it's about changing behavior, right? As you said, as I said at the very beginning, quoting you, every business is in the business of changing behavior.
Matt: I think you said a really key thing in there, right? Because often we get that with regard to internal company users, and we get that with regard to external company users. But you said a really interesting one in there, which is the CISO really wishes that people didn't perceive him as a house of no.
Now perception is not a behavior, but what the CISO really means is things like, I really wish they would involve security at the kickoff of a project, right? That's a physical, literal behavior that we can measure. Cool. Well, there's a process called behavioral science. You can use like what are the promoting and inhibiting pressures to them doing that?
Like, why don't they include you at the beginning? Why would they include you at the beginning? Then you can test them, you know, what are all the possible things you might do about that? And let's run some experiments to see if we can cause this thing to be true. Yeah. Management is a behavioral science process.
Like all of these, it's not just like, well, it's just user behavior, right? Like everyone is a user of something, right? Everyone is consuming me as a service, right? Inside of an organization, my role, my department, my, my, my offering as a service. How can I help them consume that in the way that, that matches my intention?
Heidi: And to really like hit home, what you just said, because I should have rephrased the way that I said this. When you're thinking about changing perceptions, there's a behavior tied to that perception. So when I said, I want to change the perception to House of No to House of Yes, as you said, there is, you can measure that, right?
Like there, there is a behavior tied to that, and that's what you should be focused on. You just have to know what that behavior is, as we said from the very beginning.
Matt: And, and that's where that like, you know, extremity test can help. Imagine everybody still saw you as the House of No, but they brought you into every meeting.
Versus, everybody sees you as the house of yes, but they exclude you from everything. Which one of those worlds would you rather live in? Well, I'd rather be the house of no, but actually be in the meeting, thank you very much. Well, that tells you being the house of no or the house of yes is actually sort of irrelevant.
It's being in the meeting. I just believe that being the house of yes will make me more likely to be in the meeting. Cool, that's great. But as long as we're staying laser focused on being in the meeting as the unit of the thing that we give a shit about, yeah, you can have interventions all over the place.
Heidi: Mic drop.
I wish that we were, my video, there's no video on the podcast, it's only audio, but I wish you could see Matt in all of his glory, because it would have made this so much more fun, and thank goodness I have explicit marked on my podcast. So I won't get a deduction from Apple.
Matt: Just bleep it periodically.
No one will know.
Heidi: No, no, no, no, no. Matt. Thank you so much for sharing your insights. This I'm so, so thrilled to be able to share this with my audience and I, I'm sure that they are going to learn so much from this. So thank you again.
Matt: And thank you so much for having me and doing this work. I mean, I think refocusing security on the human principles of security on the outcomes that the human outcomes that we want from security is just such an important part of, of how we advance our security posture in the world.
And I do think it matters. You know, I have a strong, potentially overdeveloped sense of procedural justice and nothing, you know, watching old people get scammed out of their money and people, you know, the, the most vulnerable population, the problem security is rich people can afford it, right? And the people who really, you know, feel pain from this are the people who can least afford it, right?
Who can't buffer that $500 loss, who can't buffer, you know, even that $10, right? And so, you know, it is, it is, the poor feeding on the poor. And, and so to all of you out there, I appreciate the work that you, please see how important the work that you do is in creating a more just, reasonable society in which people have a chance to get ahead.
Because look, rich people will be fine, right? With like low security. It's the rest of us that need it. And, and, you know, as many movies as we see about impregnable vaults by billionaires, those are not the people you are helping and, and, and bless you for the work that you do. I appreciate you.
Heidi: If folks want to learn more about you, get in touch with you.
So there's Besci.io
Matt: There is. I also have, you know, my name is very distinctive. So, you know, if you've searched for me, I'm very easy to find on, you know, most of the platforms. I have open office hours, so people can schedule time with me. Um, I also think they can read, they can read your book, they can read my book.
There's lots of podcasts and things that they can listen to and watch, right? I think whatever way you want to learn, there's a way in, so don't let that be an inhibiting pressure, right? You know, there's tons of opportunity. It's really about you deciding, hey, I'm going to be in the business of being a human security professional.
Heidi: Love it. Well, thanks again, Matt.
Matt: Thank you.