Redefining Society and Technology Podcast

The Role Behavioral Science In Understanding And Improving Cybersecurity Posture In A Technological Society | A Conversation with Jason Nurse | Redefining Society with Marco Ciappelli

Episode Summary

Exploring the human side of cybersecurity and its societal implications with Dr. Jason Nurse on the "Redefining Society" podcast.

Episode Notes

Guest: Jason Nurse, Reader in Cyber Security, University of Kent, UK [@UniKent]

On LinkedIn | https://www.linkedin.com/in/jasonrcnurse

On Twitter | https://twitter.com/jasonnurse

____________________________

Host: Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli
_____________________________

This Episode’s Sponsors

BlackCloak 👉 https://itspm.ag/itspbcweb

Bugcrowd 👉 https://itspm.ag/itspbgcweb

_____________________________

Episode Introduction

In a recent captivating episode of the "Redefining Society" podcast, host Marco Ciappelli engaged in an insightful conversation with Dr. Jason Nurse, an associate professor of cybersecurity at the University of Kent and director of science and research at CyberSafe. The dialogue delved deep into the realms of cybersecurity, its implications on modern society, and the pivotal role of human behavior in enhancing digital security.

The Human Aspect of Cybersecurity

The podcast highlighted an often overlooked aspect of cybersecurity – the human element. Despite the rapid evolution of technology and cyber threats, the conversation reiterated the significant impact human behavior has on cybersecurity. Dr. Nurse emphasized the interdisciplinary nature of cybersecurity, touching on its relevance not only to technical domains but also to individuals, homes, and society at large. His research on smart home security, IoT security, and cyber psychology underscores the necessity to consider the human side as integral to understanding and improving cybersecurity measures.

Generational Perspectives on Cyber Risks

A thought-provoking part of the discussion revolved around the generational differences in the perception and handling of cyber risks. Dr. Nurse pointed out how digital natives, despite being more technologically adept, might not fully grasp the tangibility and severity of online threats. This generational gap underlines the importance of educating all demographics about cyber risks and the necessary precautions to mitigate them.

The Rise of Social Engineering and Ransomware Attacks

One significant threat highlighted in the podcast is social engineering, particularly phishing attacks, which have become a common method for cybercriminals to breach systems. Adding to the concern is the alarming increase in ransomware attacks, crippling businesses and even vital public sectors such as healthcare and education. These attacks underline the critical need for continuous vigilance and education to protect against these ever-evolving threats.

Facing Cybersecurity Helplessness

The conversation touched on a concerning trend - a growing sense of helplessness among individuals regarding their online security. This sentiment arises from the continuous news of data breaches and cyberattacks, despite individual efforts to secure their digital presence. The podcast emphasized the importance of combating this learned helplessness by empowering individuals with knowledge and tools to protect themselves and their data.

Redefining our Cyber Societal Framework

Towards the conclusion, Marco raised a compelling question on what needs to be redefined in our society to address cybersecurity challenges more effectively. The consensus leaned towards emphasizing the human aspect of cybersecurity in organizational strategies. Understanding and integrating the human perspective in cyber defense mechanisms is crucial in crafting more effective, inclusive, and adaptive cybersecurity strategies.

In essence, the "Redefining Society" podcast with Dr. Jason Nurse sheds light on the critical intersection of human behavior and cybersecurity. As our society becomes increasingly intertwined with technology, addressing cybersecurity from a human-centric perspective becomes indispensable in creating a safer digital world for everyone.

_____________________________


To see and hear more Redefining Society stories on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-society-podcast

Watch the webcast version on-demand on YouTube: https://www.youtube.com/playlist?list=PLnYu0psdcllTUoWMGGQHlGVZA575VtGr9


Episode Transcription


Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

[00:00:00] Marco Ciappelli: Hello, everybody. Here we go. It's been a while due to some travel on my side that I haven't recorded, but I think I still remember how to have a podcast. So we'll see. You guys will judge. I'm actually excited to have this conversation with Dr. Jason Nurse. He's already actually been on the show with Sean on redefining cyber security.
 

He's actually an expert in behavioral science and how that's obviously part. Big part of cybersecurity, we think, is all the technology and the machine, but it's actually, it's probably our machine, our brain, that is the one that is more, uh, vulnerable sometimes. That's, uh, that'll be social engineering. But without further ado, I want to introduce this conversation, which is going to be kind of like a one on one recap on how cybersecurity is, uh, in all sense affecting our life.
 

It's not just as the password is for the small businesses, the breaches we hear all the time, is identity, and, uh, and many other fun things that we would rather not worry about, but unfortunately we have to think about those. So to help us doing that, everybody stay tuned. There is Dr. Jason Nurse. Hi, Jason.
 

Welcome to the show  
 

[00:01:19] Jason Nurse: Hi Marco. Uh, very nice to be here.
 

[00:01:21] Marco Ciappelli: Yeah, I'm excited. I like to talk about cyber security, although I get excited about other things like smart cities and autonomous vehicles and all the things robotic, artificial intelligence. But, and you can say I'm right or I'm wrong. Cyber security is still part of every single one of that. 
 

Even when we talk about space and satellite. There we go, communication, right?  
 

[00:01:50] Jason Nurse: Yeah, the reality is that cyber is everywhere now. Um, I mean, when I, when I started, when I got really involved in the topic of cyber security, back then it was, uh, information security. And everyone was talking about, you know, the whole world was, information security.
 

Let's focus on information. And then I remember a brief period where I was finishing my PhD and it was briefly e security and everyone was talking about e security. And it was, you know, the e was kind of adopted from email and people tried to apply security. And, and now, you know, since then, you know, probably, probably very quickly, very soon afterwards, there was cyber security and that really, you know, that, that really kind of caught on really, really well. It relates to technology everywhere, and as the world sort of embeds technology and basically everything that we're doing, cybersecurity becomes much, much more important. And yeah, it spans everywhere really, you can't get away from it.
 

[00:02:40] Marco Ciappelli: And the big question is many times people want to get away from it. 
 

They don't want to understand how to, the fact that they need to update their operating system, their, their phone and change the password. And I know it's, it's tough, but we'll, we'll get there. Maybe the behavior, it's going to take a good part of this. Let's start with a little introduction about you, who is Jason Nurse.
 

And, uh, you kind of already hinted at your interest in this. So give me the bigger picture. The bigger picture here.  
 

[00:03:11] Jason Nurse: Yeah. So, so yes, uh, hi, I'm Jason Nurse. I am an associate professor in, I'm an associate professor of cyber security at the University of Kent in the UK. I'm also director of science and research at CyberSafe. 
 

Um, so, uh, Jason is really a chap who's very, very interested and passionate about understanding cyber security and its impact on society. Uh, especially the sort of various new forms of technology that we have seen over the last 10 or so years. I mean, the world has really, really advanced quite significantly. 
 

And a lot of my research and emphasis has really been on cyber security. What I like to call sort of the, the, the interdisciplinary aspects of cybersecurity. So how cybersecurity relates to individuals, to, to, to the, the, you know, persons, to homes, to buildings. A lot of my research, for example, has focused on Smart home security, IoT security, focus quite a bit on cyber psychology and topics like that, which sort of not only talk about social security as sort of a technical subject, but its implication and its impact on individuals and sort of our daily lives. 
 

So that's sort of me. Part academic, uh, part industry folk, but really just passion, a passionate person, passionate about understanding the impact of cybersecurity on society.  
 

[00:04:29] Marco Ciappelli: That's great. And this is the kind of conversation I like to do. I mean, nowadays we're making plans to be at RSA conference in San Francisco, Black Hat, InfoSecurity Europe in London, all event that we are actually covering in person. 
 

And my role is always like, all right, you guys talk about all the, the SIEMs, the SaaS, all the systems that you have. I like to talk about the human aspect. And I have to say that since the beginning of ITSPmagazine, when I start talking about this kind of things coming from a sociological perspective, I've always been interested in.
 

All right, that's all cool. But there is not an easy button. This is, I understand, and like I said at the beginning, it's, it's about our behavior and, and maybe we can start with this. Is the fact that we can't really touch cyber security, like, like we close the door, we lock the car, we whatever, because it's there, it's physical.
 

Well, cyber security is more like, first of all, why is it not safe by default? And why it's so hard to understand. And I think that could be a good, a good conversation started. From a behavioral perspective, I guess.  
 

[00:05:49] Jason Nurse: Yeah, no, it's a really good question, and you sort of hit the nail right on its head where you mentioned, um, we just don't have the approach to cybersecurity, um, or to online security, let's say, uh, as people have in the offline or sort of more physical world. 
 

You know, if you tell someone, you know, be careful with your home or when you're leaving your home, ensure you lock your windows, you know, you shut your door, you check your windows are closed. Online, it's a very, very different thing. And there are reasons for that, actually. From a, let's say from a psychology perspective, one of the realities is that the online world is so intangible to many that it makes it really difficult to understand and engage with that risk and the risk to online. Um, you know, many people as they were growing up, they were sort of accustomed with the things like stranger danger and sort of, you know, if you don't, if you put your phone down here, you leave your laptop here, so you might come back and not find it.
 

But the online engagement where someone can, someone maybe thousands of miles away can steal money from you or trick you into doing something. But for many people, and especially certain generations, it can be really, really hard to kind of get to grips with that. One is just because we haven't been familiar with that, and some people haven't grown up with that understanding.
 

The other one is because the online world is so intangible. Uh, for many people, it's really difficult sometimes to get to grips with that. And this sort of explains why some people do things online that they would never do offline. And so the behavioural science, um, and the behavioural component actually makes a big difference there. 
 

And it really helps us to understand why people want to do things online. If you tell them, be careful of phishing email or this person, that message, you might not actually be a real person. These are all reasons why this is actually such a challenging thing to deal with.  
 

[00:07:26] Marco Ciappelli: Is there a difference because you know, I'm a Generation X. 
 

So I grew up with analog and then I jumped on the computers, dial up modem, and I like to be kind of nostalgic about this and I understand what, what we do. There's some that decided not to get so interested into that, but that there is the native, like people nowadays. They're born with a smartphone. They don't even know how to dial a rotary phone, which is kind of funny for me. But you know, it's, it's the truth. Um, do you see a difference, uh, generational difference in the way that, does it help to be native digital?
 

[00:08:10] Jason Nurse: Um, I think it can be, but I think one of the interesting things is, so one way to think that, especially when you think about, you know, growing up, um, almost digital native and sort of being familiar with the technologies and being familiar with the smartphones, the tablets, um, everything being internet connected, um, for some, in some ways, yes, it helps because it means that people can engage with technology much better, much quicker, um, and they can sort of almost keep pace much better than, you know, someone that's probably a bit older, Gen X, and so on.
 

But the reality and what we're seeing sometimes is that the younger generations, um, in some regard, they sort of still don't connect that well with the risks because one, they think that it's not. Once again, it's the reality about the tangibility of risk. The other thing is that they think, oh, it can't be so impactful, or it can't have that big an impact. 
 

Uh, and sometimes it's, they're sort of just lost in that dialogue of making that risk real, making that risk tangible. And in some ways, even if we think about general security. So, some of my research also really tries to understand, um, why people Can we explain people's behavior or lack of behavior with respect to certain things in the context of security by understanding the psychology of people's behavior? 
 

And one of the things there is that, for example, some people will behave much more risky at work because they have a feeling that the work security systems will be there to protect them. And I think we get a little bit of that with the digital natives, in that they sort of think, okay, well, if I buy an iPhone, for example, I'm sure Apple has things in place to protect me, so I should be good.
 

I should be able to do what I want. And I think we get some, some, a little bit of that as well. And I mean, one thing I always find even particularly interesting is, and this is one thing that I ask my students, um, when I, when I do my lectures, I ask them, you know, how many of you have, uh, antivirus software on your phones or anything like that? 
 

And they say, what antivirus software? Why would I have that? And then they'd say, Well, you know, our mobile phones these days, our computers 10 years ago, and 10 years ago, we all had antivirus on our computers because we all thought, oh, there might be a virus, someone might be impacted, someone might be infected. 
 

And these days, of course, people's mobile phones is the gateway to their life. But we still don't get that level of tangibility with risk. And I think part of it is just because, you know, young generations still grappling with understanding what's going on and being digital native and being something's online, something's offline, but in older generations, sometimes actually a little bit better understanding that risk, weirdly enough, and I think this is why it's really difficult to characterize people in the context of what happens with cyber because everyone almost approaches cyber a little bit different.
 

Sometimes it's based on their experiences, sometimes it's based on their thinking, their decision making, their perceptions and all that kind of stuff comes into play.  
 

[00:10:55] Marco Ciappelli: Yeah, it's definitely complicated. It is. Sometimes I make, I make jokes and they're not really jokes. It's true. Like I think about in the United States, there is the Smokey the Bear. 
 

You're probably familiar or you heard it. It's about, you know, it's, it's on you to prevent a fire in the forest, right? It's, and it's a public campaign that was very successful back in the days. I think in the 50s or something like that. I wasn't born at that time, but you still see it, you know, is a public service campaign, and I just don't know so if we are doing enough of a good job as, as educator in a large perspective to actually start hammering on this since when kids are young, or I feel like it's, it's, yeah, don't accept, you know, candies for stranger, don't accept the ride if you don't know where to go.
 

I don't think we're doing this. We've been cyber security and I don't know why so.  
 

[00:12:07] Jason Nurse: Yeah. Yeah. Yeah. Yeah. Yeah. It's a good point. And one that I've seen is that different countries are grappling with this in different ways. So some of the education is provided in schools. Some of it is provided by some more, let's say, more public awareness campaigns. 
 

The reality is that for many, uh, countries, it's, it's, they're trying to pin down how best to do it and what to cover. Uh, and from what I've seen, different countries just approach things in such different ways. And, so, if I, if I look at the UK as an example, there is some education on these type of topics in schools.
 

There's some education on after school clubs. There's some education, um, in different NGOs. Some would get some information from governments. One thing that's tricky, probably the first thing I'll say, is that sometimes this information doesn't all align. Um, you know, sometimes you would get one source saying one thing, another source saying something else, another source saying something else. 
 

And I think this even sort of exemplifies the challenge of when it comes to being secure online. You know, one question I'll even ask you, Marco, is, and this is a question I pose to my students all the time, and I say, Okay, tell me what's a good password. Or tell me how to create a good password. And, and you'll hear some people saying, okay, well me choose something incredibly complex. 
 

Uh, and then I say, okay, that's one option. And some people then say, well, actually that's quite very difficult for me to remember how I'm gonna remember that. Oh, I'll write it down and I'll, I'll stick it somewhere. Okay, cool. And then I, I say as soon some of the students and, yeah, yeah. I know I, some of the students and, and you know, they say, um, so for example, in the UK we have this, this guidance from the, from the National Cybersecurity Center called, um, Three Random Words.
 

So the idea is you pick three random words, you stick them together, that gives you something that's low enough to be a good password, but also you can remember it so you don't have to necessarily write it down because you put it in an unsafe location. But the general point here, and the general gist here, is even when it comes to kids, The difficulty of properly understanding or clearly understanding, you know, what they should be told and how do we get guidance consistent is a challenge that even countries, many countries just don't align on. 
 

Um, but the reality is, of course, attackers, threats are coming from everywhere. So it's, it's an interesting problem and it's definitely one that many, many countries are trying to grapple with because when it comes to educating kids, when it comes to educating parents, what I've seen now actually in a number of situations is that sometimes kids are sort of the go to for security advice in some homes and some families because kids are that digital native.
 

So, you know, oh, how do I, you know, a mom goes or dad goes to the kid and say, how do I, how do I fix this mobile phone? Like this isn't, can you install this for me, which is an interesting dynamic when you think about all of a sudden the 13, 14, 15, 16 year old now knows how to use all, you know, some significant technology in the home.
 

Better than the parents do. So I think this is why it's all very interesting watching it play out.  
 

[00:14:57] Marco Ciappelli: Yeah, and I, I can see that, and it's, it's, but the level of complexity, it's, it's such that even a, you know, just an individual that knows enough. I mean, unless you are a cyber security expert or a hacker, you know, a good one, um, or a bad one, because they know a lot of stuff, you know, I don't know if I want to trust that part, uh, you, it's, it's like I think about when I was a kid, my dad will be like, oh, the speaker is not working on the stereo system.
 

You fix it. The TV is not changing channel. You fix it. But that was, you know, wired. It was analog. It was there. And now there is this entire complexity that goes. So let's go here from your research. What are the most significant threats, the one that we really should look into when it comes down to, you know, our daily life, maybe the small business, the mom and pop shop, I mean, you decide where you're going to go with that, just to kind of focalize on to, you know, few things.
 

I mean, you mentioned passwords. That's already one. We hope they go away and they are going away. So that's a good thing. Yeah, slowly, but slowly. We're getting there. They've been around since way too long. I don't know. Probably the Greeks or the Egyptian. I don't even know. They probably use password back there. 
 

So what are the things that we should do?  
 

[00:16:25] Jason Nurse: Yeah, I think I would go especially with, um, probably two things I would, I would mention, and they're somewhat interrelated, actually. So the first one is a sort of social engineering, uh, or what most people know as phishing, phishing attacks, uh, phishing scams. And I think this, I flagged this because, um, so phishing, for those of you potentially that might not know, this is when you get a message, uh, that pretends to be that the aim of the message, or the person behind the message, is trying to deceive you and trick you into believing that maybe someone is who they're, um, someone is who they're actually not.
 

Um, and try to get you to perform some action that you typically would not, um, aim to do. So for example, you receive a text message claiming to be from your bank, um, telling you there's a problem with your account. Please click this link to log in and update your account. So, I think social engineering phishing talks right.
 

It has been for a number of years, and whether it is the individual, the you or me, or whether it is a small, small business, or whether it is even a large business, it's the key way in which attackers use phishing. It's still the key way in which attackers breach systems, as cybercriminals breach systems. So I think phishing is probably the key one.
 

I would flag immediately. And then one I would mention that, actually, and this is especially for the, for, let's say, the small to medium sized businesses, is ransomware. So ransomware is basically, think of it like this. There's some malware that, um, some malicious software that gets on your system.
 

Potentially it's via phishing. So maybe someone sent you a message and you think it was someone else, you downloaded an attachment, or you access some website. This malicious software downloaded on your computer and it executed. So it ran. Um, and what it essentially, what mal, what, um, ransomware essentially does is it, it, it, it encrypts your system.
 

So basically it blocks access to you or, or blocks you from accessing your system. And it only allows access, it only allows your system to be decrypted, or let's say unlocked, if you pay some ransom, if you pay some amount of money to some source. Usually this is via bitcoin or something like this. 
 

Ransomware is, has just, over the last five years in particular, it has taken off. It's a significant threat. It hits businesses, it puts many businesses, um, you know, it sort of actually causes many organizations to be put out of business. It has impacted schools, it has impacted hospitals, children's hospitals, it has impacted governments. 
 

It's just, it's been such a significant threat that governments across the world are sort of still scrambling a bit to deal, to understand how best to, to deal with it. And of course, to go after the perpetrators that are causing these locks.  
 

[00:19:04] Marco Ciappelli: Yeah. And, and the interesting thing is that both You mentioned, uh, well, phishing started with phishing, social engineering, they trick you into doing something and ransomware is a consequence of, of that one. 
 

So there's still that tricky part that you need to keep your eyes open because there is really, I mean, I know that company will have a list of threat detection and intelligence, so they, they know what they need to block, they know what they need not to block, but then even the individual when they're not in the company, when they're not in, you know, within the network, then they're vulnerable again.
 

So I know a lot goes into training, a lot goes into getting it into, into your mind. And, and it goes back to, to that thing where, sure, you can have a great door and all the windows locked, but if you're going to leave the key in front under the mat.
 

[00:20:03] Jason Nurse: Exactly, exactly, exactly, exactly. Exactly. And the reality is that, you know, for many, many individuals, it's, it's, it's really thinking about that really holistically. 
 

And I've seen situations where attackers, um, understand that corporate networks might be super secure. So what they do, they go after individual from their personal network or their personal mobile phones, and then use that to  
 

[00:20:25] Marco Ciappelli: delete from, exactly,  
 

[00:20:27] Jason Nurse: Exactly, exactly, exactly. Because the reality is that attackers are getting wiser. Attackers are getting much more clever. The, the entire cyber criminal space now is run like a business. Um, and even, uh, I'll just mention this really briefly. Um, but one thing I would like to flag that I've seen a real increase, a steady increase on now is attackers using generative AI and similar systems, especially, you know, no, we're not.
 

We're not. I said briefly. 
 

[00:20:50] Marco Ciappelli: I could, I could, I can talk about AI all the time.  
 

[00:20:54] Jason Nurse: Um, but this is why, I mean, I don't, I don't think we could really not at least mention it, but I've seen an  
 

uptick.  
 

Exactly. I've seen an uptick of, of stories of different bits, um, where attackers are leveraging the systems to write much more convincing, um, phishing emails.
 

Not only that, but also craft emails, so more or less spear phishing emails. And then also, one of the big differences that, you know, attackers really struggle with one time is being able to target or let's say approach individuals in their own native language. Now all of a sudden you have a mechanism where you can craft a phishing email.
 

You can get, um, you know, generate a system to completely, to, to, to basically, uh, translate completely perfectly into, uh, uh, particular person's language and they use that. So yeah, that's, that's my bit that I won't stress it anymore.
 

[00:21:44] Marco Ciappelli: Actually, I'm going to add to that. I'm going to add to that because in more B2B kind of conversation, um, we, we got to a certain point where we were mentioning, the fact that now you can replicate somebody's voice. 
 

So you get a call. I talk to people that are in the industry, CISOs, that they, somebody in the family get on and it's not them, but even if they do know that it's not them, there is that emotional moment where you're like, but what if it is? So it's really going to a completely different level of all of a sudden the voice of your, your nephew or your grandmother or your son can call you and it's that person.
 

I mean, you want to get our voice. Here it is. On the podcast, right? Yeah. So it gets even more complicated, which brings me to the next chunk of conversation, which is probably going to be towards bringing us over the end, which is, is there a certain point that people just give up and say, damn it, there is nothing I can do about it.
 

I see, I get an email from, I don't know, the, the telecom provider. I get that from, uh, some large corporation that, of course, they have millions and millions of emails. My email was there, my social security, it's compromised. And ultimately do people, again, do they just give up knowing that eventually it's, that's going to happen from a behavioral perspective.
 

I'm afraid that, um, we really need to do a great job, which I think the cyber security industry is doing to do this. There is the education part, but if the user just give up, I think that's, that's bad.
 

[00:23:39] Jason Nurse: It is. And the, the unfortunate reality. So, so every year I participate in a bit of research around understanding people's attitudes and behaviors as it relates to security. 
 

And one thing that I want to, I want to flag that, that surprises me, but also sort of depresses me a little bit, I won't lie, every year is that, um, we ask people, you know, um, do you think online security is achievable, impossible, worth my time, under my control, and questions like this? And over the last couple of years we've just been seeing more and more that more and more people just believe that online security is not achievable, it's not possible, and that it's not under their control.
 

Because the reality is that as we, as we get more and more involved online as a society, we sort of give our data, we trust our data with a bunch of different providers. Now, almost bit by bit, a lot of these providers, one by one, uh, fall victim to attacks. And some of these breaches result in, okay, name, email, let's say I'm much more basic.
 

But in some of these breaches, uh, one that, that, uh, I remember it was about probably about a month or so ago now, one breach so significant that it resulted in the DNA of thousands of individuals being lost. And I think the reality is that, yes, we really have a problem because when someone might put a clock on and say, well, I'm doing all I can do for my little self to protect myself, but the organizations that I'm trusting my data to, it's still getting lost. 
 

So what's the point? And that's what we see in the survey, that more and more people, they're gradually thinking, well, what's the point? I'm doing my bit, but I have to engage with these online services, but they're losing my data. And this is a really big problem. And, you know, something that we refer to generally speaking as learned helplessness in that people just sort of believe, well, what's the point? 
 

I'm helpless. I can't do anything about it. So what's the point? And that's where we really need to get people away from, because then their security behavior lapses even more. Then they start to care less about what they're actually doing and the part that they can play. They start to think less about privacy.
 

And it basically just provides attackers with even more low hanging fruits for them to exploit.
 

[00:25:48] Marco Ciappelli: And I'm going to reconnect, as we go towards the end, the idea that the fact that is intangible unless until it touched, you know, real money, real family member or the ransomware hit a hospital. So the machine or the ambulance cannot go around anymore.
 

I mean, we've seen all of this. All these examples, um, breach where you mentioned the DNA, but I remember another one, I think in Finland or some other North European country where they access mental health data. Yes, I remember seeing that one, yes, yes, yes, it gets personal. That's where I'm going. So this, you can start to touch it.
 

And, and feel it very close to, to home. But, um, even if you drive your car, you know that there are chances you're going to get into an accident, but that doesn't stop you from having a good car in good performance, uh, putting your seatbelt on. It took a while to get to the seatbelt, but now I think almost everybody does it.
 

So the, the point is, even if you accept the fact that there is a percentage of insecurity, which is in everything we do, that doesn't mean you shouldn't do all you can to, to avoid it. Exactly. So it's all clear. So here's my question for you and, uh, I, I have decided this weekend to, to start asking this, if I remember to, every and in every conversation at the end.
 

So the, the title of the podcast is Redefine Society, right? And sometimes I talk about maybe we need to redefine our social contract. Maybe we need to redefine our concept of privacy, maybe of identity, maybe. Yeah. In your opinion, what, what do we need to redefine in our society to, let's say, not fix, but address all this problem of cyber security in our behavior?
 

Is there something that we need to say? You know, maybe I can look at it the same way that we used to look at it 15 years ago, 20 years ago, 50 years ago. Um, anything that comes to your mind?
 

[00:28:08] Jason Nurse: I would, I would really say the focus and the importance on the human side of cyber. Um, so I know it's been, it's been sort of gaining traction, you know, for the last five, ten years even.
 

But the reality is I still engage many, many security professionals that still believe that cyber is the technology. Um, and that's what they view it. Cyber is the technology. Many organizations, their cyber security team, their cyber security focus is really on, do we have the tools? You know, pen testers, do we sort of critically analyze the system from that particular way?
 

And they sort of view the human side of cyber as a little bit of an afterthought. Oh, if we get some time, let's consider that. Or, oh yes, phishing. Phishing is an issue, but you know what? We'll put the technology in place to deal with phishing. It might get through, but then we'll, we'll train people. We'll, we'll give them a module to do once a year and then that'll be fine.
 

I thought, I thought it would sort of say one thing. It would really be to get people, to get organizations to think much more clearly about what the human side of security actually means, and its importance actually, and its importance within organizations in addressing cyber security as a topic, as a, as a problem.
 

As a problem, as a challenge, because it's much more than just, um, it's much more than just the technical components. It's much more than just sort of one off security training. It's really about understanding people, understanding their context, ensuring that security works for them, ensuring that security fits their day to day, and basically thinking about that in the context of what people are actually doing.
 

Because the reality is that, and this is a quote I heard many, many years ago, but I'd love to sort of, uh, repeat it, repeat or highlight, is: if security doesn't work for people, it doesn't work. Uh, and if it doesn't work for them, it's going to impact the organization in some way, shape, or form. It could be a breach now, it could be a breach in a couple months, a couple years.
 

This is what I would love to get organizations to think more clearly about, whether it be the small business or the mom and pop shop, or the large organizations that, you know, have, that have, and that invest quite, quite heavily in cyber.
 

[00:30:13] Marco Ciappelli: Yeah, I agree. I mean, I think I think it's both. I mean, technology can help. 
 

It can be a big filter. The car, can go back to the example of the car. The car can get as good as detecting a car that breaks in front of you and slamming on the brake without you doing anything. Yeah, but it's still probably not going to protect you a hundred percent. So you still need to, at least for now, drive it.
 

And, and so I think for cyber security is the same thing. I mean, you, you almost need a license to use, you know, your, your smartphone. Did you pass the test on how to protect your data on your phone? But I don't know if we're ever gonna get there. Well, listen, uh, Jason, you, of course, a lot to think about. We, we kind of focus on three specific things. There could be obviously a lot more. AI could definitely be six or seven episodes just, just for that.
 

Yeah, just by itself. Just by itself, but, uh, I think this is enough, and I hope, as I always hope, that people that listen to this conversation think a little bit more about the topic that we discuss, and, and if they do that, I'm sure they can start looking at few things differently and maybe just because of that, as you said, um, be a little bit more secure just because you're, you're thinking about it and you just don't expect technology to do.
 

I mean, I hope that there'll be an easy button to, I think. But my money on it? Hmm, not really, so we'll see, we'll see. Maybe, maybe you'll come back sometime and we talk about the AI part of that, because from a behavioral perspective, I mean, the AI and generative AI and the way we're perceiving that, I don't know if you have interest in that.
 

I assume you do. It's, it's an entire new thing. Paradigma.  
 

[00:32:10] Jason Nurse: Very much so, very much so. The average person and how they're thinking about it, how they're using it, how they interpret it. And you know, to be very honest, we've just seen the beginning, right? We've just seen, there's been a significant advance over the last year, but it's just the beginning. 
 

It's just the beginning. Every day I'm seeing something else new coming out, something super exciting that could empower our lives quite significantly.
 

[00:32:31] Marco Ciappelli: Exciting and sometimes unsettling. So there's always that part, there is that part. Jason, thank you so much for being on the show. For everybody that wants to get in touch with you, there'll be links to your social media in the notes, and I obviously invite people to share this conversation so that maybe someone else that is missing it, they get the opportunity to, to reflect and think and maybe be a little bit more secure just because of this.
 

And of course subscribe to Redefining Society podcast. And Jason, thank you. Thank you very much for, for stopping by.
 

[00:33:08] Jason Nurse: Thank you a lot for having me over, Marco.
 

[00:33:10] Marco Ciappelli: All right. Take care everybody.  
 

[00:33:13] Jason Nurse: Cheers. Bye.
 

[00:33:14] Marco Ciappelli: Bye