Dec. 22, 2021

Significance of the Human Element in Cybersecurity

Prof. Missy Cummings of Duke University, a renowned authority in human-technology interactions and Presidential appointee, spoke about the importance of understanding human motivation and behavior to proactively predict and detect deception. In a very candid and engaging conversation, Prof. Cummings expressed her concern about cybersecurity as a field not receiving the necessary scientific recognition and support. "Cybersecurity is not like changing the oil of your car, it is its own science," she said while discussing the various aspects of cybersecurity knowledge creation and dissemination. She also talked about her class on the Human Element in Cybersecurity and how she draws from various scientific knowledge bases (such as cognitive science, systems theory, game theory, and queuing theory) to provide a rich learning experience.

To access and download the entire podcast summary with discussion highlights:

https://www.dchatte.com/episode-15-significance-of-the-human-element-in-cybersecurity/

Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

Transcript

Introducer:

Welcome to the Cybersecurity Readiness Podcast Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of Cybersecurity Readiness: A Holistic and High-Performance Approach by SAGE Publishing. He has been studying cybersecurity for over a decade, authored and edited scholarly papers, delivered talks, conducted webinars, consulted with companies, and served on a cybersecurity SWAT team with Chief Information Security Officers. Dr. Chatterjee is an Associate Professor of Management Information Systems at the Terry College of Business, the University of Georgia, and Visiting Professor at Duke University's Pratt School of Engineering.

Dr. Dave Chatterjee:

Hello, everyone, I'm delighted to welcome you to this episode of the Cybersecurity Readiness Podcast Series. Today, I have the pleasure of talking with Professor Missy Cummings, of the Pratt School of Engineering, Duke University, about the significance of the human element in cybersecurity. Professor Cummings is a renowned authority in human-technology interactions. In October 2021, the Biden administration named Cummings as a new Senior Advisor for safety at the National Highway Traffic Safety Administration. A naval officer and military pilot from 1988 to 1999, Missy was one of the Navy's first female fighter pilots. She is an incredibly gifted and accomplished academic. It's truly an honor to have her as a guest on the Cybersecurity Readiness Podcast show. Missy, welcome! Thanks for making time. I'd like to get started by asking, how does your work on human safety in automation and robotics inform cybersecurity research?

Missy Cummings:

Well, first, let me say thank you for having me, it's a real pleasure to be here, and as a researcher, I'm relatively new to conducting research in this field. But it really came about because of the work that I've been doing in human interaction with autonomous systems. And I would say the real point of my entry was, as we were starting to in my lab, we were starting to evaluate how much humans err in the construction of artificial intelligence and how human subjectivity can cause problems in the design of AI, I think that one of the natural kind of gotcha points there, was then the influence of humans who are designing these technologies, and then cybersecurity vulnerabilities. And so I just naturally ended up going down that path, because there are so many problems with vulnerabilities and artificial intelligence. And it's still such a nascent field, people don't even understand how and where the vulnerabilities are when we create AI. Then I got fascinated as I started to dip my toes in the water, I started to think about deception. And because that's fundamentally what cybersecurity is, and social engineering, as you and your audience will know, is the number one threat access that people, companies, face in cybersecurity attacks. And so I started really getting fascinated by, we spend so much time trying to prevent deception. What if we could get inside the heads of people to maybe predict how, when, why people deceive and start thinking about it from the other end? And so, I have some research underway with various other collaborators where we're thinking about how to model deception kind of proactively, because, you know, I, you want to keep your friends close, but your enemies closer, right? So, yeah, so if we could figure out how to get in the minds of the people who are doing the deceiving, the hacking, that is another way to mitigate cybersecurity attacks.

Dr. Dave Chatterjee:

Great. Welcome to the field. I'm delighted to have you as a colleague in this area. As you know, as you alluded to this, cybersecurity has to be approached multi-dimensionally, there's a technical side to it, there is a very strong human side to it, there is an organizational side to it. So, when you speak about the human factor, when you talk about deception, trying to understand deception, it also brings to mind what motivates people? And I say that from the standpoint of cybersecurity training, as you know, we all get trained uniformly, consistently. But when it comes to applying what we've learned, the implementation of that varies from person to person for a variety of reasons, some of which relate to behavioral traits. Is that something that you can relate to and speak about a little more about the importance of the human factor from the standpoint of cybersecurity training?

Missy Cummings:

Well, first, I would just tell the audience, and I'm not sure if you can make these documents available, but I'd be happy to give everybody my syllabus from the class that I just finished teaching called the human element and cybersecurity, because it really speaks to that. What are all the core fundamental first principles to cybersecurity, human behavior, and even some systems engineering? And I will tell you, I would kind of argue first with your assumption that we're all sort of uniformly trained. Oh, haha, I mean, I'm kind of laughing holding my stomach, oh, my gosh, the one thing that I really started to uncover when I was developing this class on humans and cybersecurity is, it is just amazing to me, how uneven the training space is that's out there. And, you know, I mean, there's a lot of truth to the fact that maybe big companies take cybersecurity more seriously, because they're bigger targets. And thus, maybe they have better cybersecurity practices. Maybe, I say maybe, because we see big companies all the time really get in a bind, because they have very sloppy cybersecurity practices. And so one of the things that I think is a very interesting Venn diagram, for the way companies think about cybersecurity is they think about it last, kind of, if at all. And that is also the same problem that just basic human factors consideration has in the design of any product, right? So if we design a technology with autonomy, maybe if at all, we consider the human and it's the same thing for cybersecurity. And so then there's that shared Venn diagram, which means that if it's a human security issue, cybersecurity issue, then you're definitely not going to get it funded, right? Companies don't want to spend the money or the time and the effort. And yes, it takes time and effort, and I'm a big fan of having the US government start to put in at least requirements for companies that work with them. Right, as a veteran, and a person who works with the government, my identity is constantly stolen through the government, you know, through every kind of breach that the government has, my ID is stolen. So I would like to close that gap. But it is difficult for private companies, you know, if you don't mandate it, and it's funny, because there's kind of a shared similar argument over vaccines, you know, like, we're all at risk when a company refuses to embrace at least standard cybersecurity practices. We're not asking them to go one above. So I do think that the problem that we're having in this country and in other countries is really still one of the more core issues of what do companies really value, they say in the boardroom that they value ESG (Environmental, Social, and Governance) and cybersecurity, I'm afraid this is still really at the lip service level as opposed to actually being real.

Dr. Dave Chatterjee:

Absolutely. You've covered a lot of ground. Let's see if I can follow up on some of the things that you were talking about. When I mentioned about standardized cybersecurity training, I was referring to, let's say, a company hires an organization to train their employees in detecting or preventing phishing attacks. Let's say a group of 10 people get trained. Research finds that subsequent to training, some of them perform better on the phishing tests than others. And they have associated the difference in the results to human curiosity, perception of potential personal losses and other factors. So, I was coming at it from that perspective. That irrespective of the quality of training imparted, effective assimilation depends on factors such as innate curiosity, greed, perception of potential loss and more. But anyhow, switching gears a bit, you mentioned about your class, and I was reviewing your learning objectives. And one of them that got my attention is about analyzing and measuring unintentional human errors and malicious behavior. Just curious, how do you go about doing that? How do you go about measuring that?

Missy Cummings:

Well, for unintentional behaviors, you know, it's actually in our wheelhouse of everyday ways to measure human performance, you can measure, and I'm sure most companies who are very proactive do this, you know, whether or not people click on phishing emails, the kinds of behaviors, I recently had my students conduct analysis of email patterns, you can actually take someone's email and understand just by the logs of the email, of when they're opened, how long they're opened, how much people interact with email, whether they're just reading them or writing them, you can actually get a very good model of a person's workload over time. And indeed, you know, we do see phishing attacks, success on basically at two different times: number one, when people are super busy, and they don't take the time to read an email, or the kind of the counter to that is, when people are really bored. And there's an email that comes in, that's just interesting enough to make somebody want to click that attachment or click the link. And so if you can actually develop a good model of a human's engagement in their everyday work practices, you can actually figure out when is the right time to deceive them. And, you know, one of the problems with working, doing work in this space is I have my students develop these models, or I have them develop plans for how to hack, and then you know, we don't, we can't actually do them, you know, for ethical purposes. I mean, I keep telling my students over and over, you know, these are, you know, we're just here for a learning engagement. And then I had a student, they all had a final project where they had to go figure out some kind of project related to cybersecurity, and they could propose their own. And I had one student propose that he would go onto GitHub and find out where everyone was vulnerable in how they're using GitHub. And I thought that was good from just a, you know, let's just do a descriptive analysis. But then later, I found that he was going in and trying to hack people through GitHub and say, Look, I was just doing, I mean, no, no, no, no, no, you know, I think that's a, that is kind of the interesting thing. First of all, if you're on GitHub, be careful because my student knows how to go in and hack you. But it's just, it's so easy to do. And there's so many points of access now that I think that that line between what is just trying to do good research, or, you know, trying to prevent and learn more about hacking. I do wonder sometimes, did I actually create some hackers?

Dr. Dave Chatterjee:

And it's funny, because you mentioned about students going into GitHub and trying to figure out how to hack and many of them are technically inclined, they'll figure it out, in fact, lots of information out there for that. That brings up a very fundamental question that's very close to my heart. And that is, as you know, when organizations get breached, and when it's a phishing attack, the person or the group of people who are compromised, they are not the cybersecurity experts. They are not the ones who are technically very savvy, at least that's information that's publicly available. Given that perspective, as educators, what's your opinion on how widespread cybersecurity education should be? Who all should we be reaching out to as educators, as trainers? Does that make sense?

Missy Cummings:

Yeah, so, you know, I think it's a great question, because companies are going to say, well, you know, we're going to get, we're going to give everybody training, cybersecurity training on how not to click on that link. And a lot of companies will want to be a one and done, right? I'm just going to give one training session and be done. Unfortunately, cybersecurity follows what I would consider a safety-critical event model, which means that you can think of airlines and, you know, just aviation in general, there'll be an accident. And then right after the accident, everyone is super safe. And so you could, if you think about it, you know, there's a sharp uptick in safety, and then there's this degradation time period over time, then everybody gets unsafe again, and then there's an accident, and it spikes up again. And indeed, that's exactly what happens in cybersecurity. So we're, you know, there'll be a breach from one company that a bunch of ever all the other companies will do a one and done, and then they'll forget about cybersecurity training. And then there's another breach and so we just keep that cycle, what we need to be is more proactive about, what would the, what would that look like? Could you be more proactive in predicting what that time cycle is? And I think the other problem is we need to do it. It is difficult because the threat vectors are changing so radically, for example, COVID just introduced an entirely new area of cybersecurity. So I think companies need to not be so predictable in the way that they respond and understand that, that did it. Cybersecurity is a living process, it's not just a check in the box. Now, I also appreciate how hard it is to keep everybody engaged in my class, we ended up analyzing various different companies' training programs. And you know, it's easy to get stale. And so how to keep that tech, how to keep their training programs fresh, and people engaged. It's just like all training for anything to do with safety. It's hard to keep people engaged until some bad event happens. But I think if you have a very clever chief risk officer, and that's another big issue that I don't see enough companies working on is, you know, we want to have a CTO and a CFO, but, you know, only the big companies think that they can afford to have a chief risk officer. And, indeed, you know, all these companies that have paid out all these ransoms, you know, I wonder how that would have worked for them, if they would have put the chief risk officer in place.

Dr. Dave Chatterjee:

You're so spot on, in fact, risk factor, or assessment of risk should be integral towards evaluating every initiative that a company is planning to pursue. And when I say every initiative, I'm talking about strategic initiatives, and there are lots of frameworks out there that guide organizations to do so. So the question is who's following to what extent and you kind of talked about this reactive mindset, this reactive mentality. And, you know, I think it's easier said than done, that we should be proactive, we all should be proactive, but the reality of it is, most of us, we respond to fear, we respond to incidents, when it happens to us, we sit up and try to do things to take corrective action. But when it's not happening to us, and when everything seems to be going fine, it's like a company not experiencing any attacks, they tend to ignore the good work that's probably happening behind the scenes thanks to their cybersecurity team and others. So it's a chicken and an egg problem. But definitely being proactive is critical. And the importance of top management actively engaging, you mentioned about how serious top management is, is often hard to gauge. And I don't know if that has anything to do with the consequences of the attacks. There are some large companies out there who have been attacked and as per public records, they have taken action so that those attacks don't happen or they reduce those risks, but they're not going away. It's not like their future is at stake. It's the medium-size businesses that tend to go away; 60% of the medium-size businesses that have been hacked, have gone under, if my stats are correct here. So I worry more about the organizations which are resource constrained. And to what extent they are making those fearless calls of finding the right balance between pursuing their organizational goals and mission without compromising on having a certain level of cybersecurity readiness. Any reactions, thoughts to that?

Missy Cummings:

Oh, sure. So I have my students tell me at the end of every class, what they would do if they were a hacker and what would they do if they were a chief risk officer and they had learned what they learned during whatever that particular lecture is, and one common theme that happened repeatedly after the various lectures was that I would hack a startup company for problem, you know, thing X, right? Because startups are really trying hard to make a product, make a splash, get more series funding. And indeed, just like trying to plan for human interaction issues, cybersecurity is again seen as oh, well, this is a nice-to-have, it's not a must-have. And so I'm just going to push this down the road. And I would actually say that, to me, in my mind, if I were a venture capitalist, that would be one of the first questions that I would ask a bunch of startups that I was looking to invest in is, look, I understand it's a high-wire act. But in the end, if you've got a cybersecurity vulnerability, and it could take down the entire operation, then why should anybody invest in that? And I certainly see this anywhere where we've got a lot of these new startup technologies, where they're using, for example, GPS, whether we're talking about drones, or cars, or small sidewalk delivery drones. It is so easy to do a GPS spoof on a vehicle, any kind of vehicle, and I would actually say that is my number one question when I ask people who are working in these transportation and/or delivery spaces: What are you doing about GPS cybersecurity? And they look at me like a deer in the headlights. Ah, what I did out GPS spoofing, what's that? And so I think, Oh, my goodness, we are in serious trouble. You know, so awareness. Again, one of these issues. And, you know, I think it might be, I know that there's a lot of money to be made in cybersecurity. But I also think that universities are really good about providing workspaces, and they want to, you know, help, do help startups, angel funding, that kind of thing. But I also wish that we would spend more time thinking about, Okay, well, what would angel funding look like, just for cybersecurity for startups, because that actually has dual benefit, not only does it keep that company safe, but then that in and of itself could be its own product.

Dr. Dave Chatterjee:

Absolutely, in fact, brings to mind one of my prior guests, who got funding to start his company Trusona, and they focus on passwordless authentication. So I think that's a good product, or that's a good approach to strive for, there is no perfect approach. But that's definitely something to, you know, move in that direction. Another thought comes to mind as we are having this discussion. You know, we are making progress technologically, you do a lot of work in the field in the area of AI. We are making these fancy cars, they are supposed to self-drive, which is all great. But we also recognize that the more technologically advanced we get, the more vulnerable we become, for a variety of reasons, including information security. So that begs the question, or that's something that I address in class when I tell students, that technology is great. But mindless use of technology is big kind of stupid. Making judicious use of technology. And that relates to cybersecurity from the standpoint of, yes, I want to run after my strategic goals. But I better be properly anchored because I can't afford to lose my operating engines, my databases, my systems, because if I lose them, then it's the short-term thinking, I might go wander. Having that rich perspective where you're growth-driven, you understand what it takes to take the company to the next level. But you also recognize the different pieces of the puzzle that help anchor the company and one of which is cybersecurity. Providing that kind of holistic education, I think is where universities come in. You mentioned about companies providing students cybersecurity training, and absolutely every company has their own customized approach. But I think at the university level, we can offer them a much more comprehensive insight into what it takes to whether you create a company and run it or whether you run it and how the different pieces fit together and how and why it is important to keep cybersecurity as an integral part of the overall strategy. I in fact, suggest that, I've said it very, you know, emphatically that cybersecurity is a strategic competency. It's a competency that organizations need to develop, and master over a period of time if they want to thrive in the years to come. Thoughts, reactions?

Missy Cummings:

Yeah, wow. I mean, we are about to go down a rabbit hole, you did not want to go down. And that is because I have a huge beef with the academic world in the way that it thinks about cybersecurity, or more broadly, something we call assured autonomy. And so the idea is autonomous systems have, can operate, and most do operate in a non-deterministic fashion. And so that opens up a whole new can of worms for cybersecurity. But and I'm not just speaking about autonomous systems, I think more broadly, wherever you've got digital systems, cybersecurity by the academic world, and who am I speaking of? I'm speaking of most of the top tier research universities, top 30. Most of these organizations treat cybersecurity as a stepchild in the sense that they do not see it as legitimate research, that this is engineering, and it's not research. And so we should not teach it as a formalized set of courses. Now. It sounds you many people listening to this be like, what, the academic institutions don't think that cybersecurity is a legitimate field? And I'm here to tell you, they don't. Now that's not true, because obviously, Duke, it's not sure everywhere, Duke has just recently stood up a cybersecurity program. But you know, that is the exception rather than the rule.

And be and people will say that's not basic science. What is basic science about cybersecurity? And so this is actually one of the reasons I developed this course, in cybersecurity in humans to so that people could understand. Do you know what the basic science that we cover my courses, we start with cognitive science, we embed game theory, we engage we talk about queueing theory, we talk about systems thinking, right? So there are so many core scientific clusters of learning that underpin cybersecurity. And by the way, that was just for one course, if we started talking about what would we find in other courses, formal methods, and lots more statistical learning. And so there are many, many core scientific areas that are the foundation for cybersecurity.

So it is actually really my criticism. And by the way, my criticism is severe, because I think that the inability of our nation, our nation's agencies, like the National Science Foundation, and even other top 30 universities, to really grasp this means that this country is in a serious, vulnerable position. And if we're not funding the research, then we're not funding the technology and innovation development that needs to happen to put us out in front. We are not out in front in cybersecurity, the US is not the leaders in cybersecurity, the US can be brought to its knees by a bunch of hackers in Nigeria. I mean, that's, that's actually that's how you have to ask yourself, if we're so awesome, why is it that someone from a country that is, you know, not nearly as well developed as our country as our nation can have so many problems by people where the bar of entry is virtually nothing. So I do wish that we would, as a country, and in academia raise the alarm bells that this is these are legitimate areas of study, trying to get more journals stood up in this area and more traditional, you know, types of ways that we disseminate research results.

One good area is the Department of Defense, regardless of how you feel about the DOD, the bottom line is, they see that it's a problem. And certainly the US government is trying to do more in this space. So the more that we the government agencies start to embrace and mandate that their efforts funded in the area of cybersecurity, the better will be but I still think we're just missing a core recognition at universities that cybersecurity is not like changing the oil of your car. It is its own science.

Dr. Dave Chatterjee:

Absolutely. Wow. I love the fact that you went down that path. I could continue in that direction, but I'll keep my reactions and remarks short. Like you said, you use the example of cybersecurity to make the point that many might feel that doing research in this area is not considered scientific. And again, I do not want to assume stuff, but to keep it simple, research is about solving problems. And as you try to solve problems, you end up coming up with theories, better understandings, which ultimately, you know, can transcend, and can enhance your ability to explain multiple phenomena. And talking about the theoretical development that can come from cybersecurity research, the work that I've done so far, I see so many connections, because 17 Success Factors came out in my work when I was trying to identify what it takes to create and sustain a high performance information security culture. And each of those factors have strong grounding in research, you know, that has been pursued over decades, one of which, of course, is the role of top management. So there is a lot of connectivity. Now, I approach research a little differently, I do not do research, to inform theory or to enhance theory. I like to do research which I find interesting, which is going to have impact. And then in the process, if I create great theory, that's great. But no, I think your points are extremely well made.

And talking about the role of government and the private sector, you will remember that we had the Colonial Pipeline breach. And that resulted in some congressional hearings. And the senior executives, the senior leadership of this organization, along with others, who are managing the critical infrastructures, they are now being pushed or asked for major disclosure, in other words, provide more transparency, that you are doing enough to protect our national assets. And I'm kind of surprised that it took a breach to get there. I would think it is common sense that whether your organization is protecting national assets or any other asset, any other consumer asset, you must do your due diligence, you must report to the relevant stakeholders, there must be adequate transparency, so I kind of get surprised when I see these. Okay, here are the new things we will be doing. And government, private sector, they are separate, but in many ways they need to come together.

Similarly, academic organizations, academic disciplines, yes, we have our specializations, but I hope you will agree that cybersecurity is an example that is a phenomenon that requires cross disciplinary expertise and involvement. So you shouldn't be leaving anybody outside and say, Well, this is the domain for such and such field. And they are the ones who should be doing research in this area. So having that openness to collaboration, to cross functional involvement, whether it's in practice or in academia, is critical to dealing with problems of this magnitude, where it is just not enough for a specific company, or a government to effectively deal with the threat. We need the entire ecosystem, organizationally, across countries to come together and fight the good fight. So that's how cybersecurity kind of brings us together, just like COVID has proved to us over and over again that whether we like it or not, we are all highly interconnected. If we don't do our part, we are not going to be able to deal with this pandemic effectively. Cybersecurity is the same kind of problem, the more interconnected the systems become. While there are definite benefits of that, the more vulnerable we become. And we can't, each one of us has a role to play. See, look the other way, there's going to be a breach at some level with long term impact. So that's my little spiel. You got me going there. Thoughts, reactions?

Missy Cummings:

Oh, yeah, you know, the Colonial Pipeline for people in the business, nobody was surprised. Right? It was just a matter of time because companies are extremely slow to change. And, you know, I'm not generally a fan of strong regulation. But when it comes to these safety critical elements of systems, you know, if I told you that you that we were going to let the FAA, you know, we were going to take care of the FAA out and let companies do whatever they wanted in terms of safety of airplanes, nobody would get on an airplane. Right. And so, you know, this is yet another safety critical system, where if we don't take care of some of these, especially for infrastructure, and other safety critical systems, process control, for example. So yeah, you know, unfortunately, Henry Petroski, who's another professor at Duke, he talks about engineering failures, that sometimes engineering failures have to happen, because that is the only way that the industry is going to grow. Sadly, I think that applies to this as well. Right? And like we talked about, it's basically some kind of work sine curve where we have to keep it has to keep happening over and over again, for us to be reminded that we need to keep doing it. So you know, that's where I think that's where there is a lot of room to figure out like, Alright, then how should we if we know that there's going to be episodic movements and technologies being developed, and especially now all the vulnerabilities that artificial intelligence introduces, how can we start being proactive instead of being reactive? So that's where I'd like to spend some of my research efforts.

Dr. Dave Chatterjee:

Makes total sense. Going back to your core research in safety and automation, as you have pursued research in that area, hopefully you've seen progress. What do you expect to see in the field of cybersecurity, in the years to come? And I realize I'm asking you to wear your predictive hat, and look ahead and see what's coming. You think we will get a better handle on how to deal with these threats, whether it's through better technology, superior governance, or more effective regulation? Talking about regulation, I'm reminded of the effectiveness of the Sarbanes-Oxley Act (SOX) to reduce fraudulent accounting activities. I wonder if we need similar legislation to get organizations and their leadership to comply with cybersecurity best practices? What do you see happening?

Missy Cummings:

Yeah, so I kind of think about this as a three circle Venn diagram. There's cybersecurity mitigation, people, technology and regulation, right. So there's a little bit to be done and all of that, I think regulation certainly needs to be more proactive in that keep companies and subcontractors who touch safety critical systems, this should just be mandatory. And they're, you know, there is movement along this front. But you know, I've been working in and around the government for the last, you know, 10 years. And so I've seen the big gaping holes, there's not one department in the government that I think has a good cybersecurity strategy. And by good, I mean, they know that they need help, but they just don't have all the right people that they need to make these programs safe. I mean, when we've got the National Security Agency being hacked, you know, we got serious problems, right. So I think that there's a lot to be done on the regulatory front. Because unfortunately, in the space companies, not all companies, but a lot of companies are not going to get at least good enough cybersecurity practices unless you force their hand. But I would actually say of those three Venn diagrams, that's the smallest.

So I think we should spend a lot more time in technology developments. You know, the fact of the matter is, we should be able to stop phishing emails like that. There's no, there's no magic solution. There's, it's not like we got to solve cold fusion to figure that out. We've got some filtering technologies and some search technologies and some ID technologies, maybe even figuring out how to run ghost servers so that these problems don't happen. But, you know, we I think that that just and this is where research is needed, like how can we actually develop more efficient programs and another technology for example, that we need help on VPNs are like, you know, it's like trying to add a big analog system to your fast digital system. It just slows it down and people get so mad at VPNs and I know people from all sorts of companies who bypass the VPN just for this one thing, right? And then that's where they get compromised in some cybersecurity. So, you know, we should be able to solve that problem. VPNs don't have to slow technology down. So let's, let's improve that.

So, you know, I think there's a lot more to be done on the technology front, I think there's a lot more to be done on the human front. I do wonder if companies ever sit back and say, why is it that we are so vulnerable to the time of COVID? Because people are lonely and bored, and the quality of work is not meaningful, right. So I think there's a lot for companies to do to think about. How can we make our work processes and environments such that hacking is not successful? And how can we make everyone and at least participatory in trying to stop hacking and mitigation and make that a more integral part of our everyday work processes, instead of everybody eye rolling every time they have to go take an online cybersecurity training that no one's listening to, and they're doing something else. They're like cooking or doing their taxes or doing something while theoretically the online training is happening? So, you know, I think, I think there's a lot to be done, I think we are getting better. I don't mean to be the Debbie Downer and saying, it's all miserable, because obviously, we are making improvements. But I think that the number one change that needs to happen, for government and for industry, and for academia is to recognize it's kind of like COVID, look, this is here to stay. And the longer that you keep ignoring it, the worse it's going to get.

Dr. Dave Chatterjee:

Absolutely, absolutely. I'd like to go back to your class, the classes on human factors. And I'd like you to share with listeners, what are you trying to instill in students who take your class?

Missy Cummings:

I would say the number one consideration that I want my students to leave with, after they take my class, The Human Element in Cybersecurity, is that cybersecurity is a systems-level problem. That there is no one you know, just stopping phishing is not going to stop cybersecurity and that to take to address it properly, you need to think about it first from a requirements perspective, what does my company need? How does it need? Why does it need? When does it need? Or what facets of the company need what various mitigations and then integrate the cybersecurity aspect at all levels of product development. And understand that it's integral not an add-on harassment package, that higher level of management is imbuing upon the rest of the company. So yeah, systems-level thinking, cybersecurity, to me, they're one and the same.

Dr. Dave Chatterjee:

Okay, fantastic. Now, I'd like to go back to something you talked about relating to senior management, top management, because you'd appreciate that, at the end of the day, in an organization, the tone is set at the top. Top management really has to make the commitment, they have to believe in it and do the needful. And you mentioned that based on your fieldwork, you found significant variance in that; I don't mean to misquote you, so correct me. But I'd like your thoughts and perspective on, besides regulation, what should it take to get top management to actively recognize this to be a key issue, that's something that you can't walk away from, and meet it head-on, and get the organization prepared to proactively deal with this challenge?

Missy Cummings:

Well, if right, if the regulatory lever is not going to be pulled, I think the next regulatory or the next internal regulation lever that should be pulled is probably a mandate from a board. For example, if it's a publicly traded company, or if it's a non-public company, if they have a board, you have to have some kind of external lever of accountability. Because if you don't have that, you know, it depends. The companies who are successful in fending off hacking attempts are those that have good people that understand and are taking care of that, in the end that the CEO is, first of all, has hired those people and given them the latitude that they need to solve those problems. Unless the CEO, I really think cybersecurity is a leadership issue, because unless the CEO values it and demonstrates to the rest of the company that they value it, then everybody else is just going to follow the lead and be very haphazard. And so, you know, the resources have to be set aside. And it needs to be transparent and visible to the rest of the company that these things are valued. Instead of I see, I would say, for the bulk of companies out there, the CEOs just give lip service to cybersecurity and say, Yes, and, you know, maybe we've got McAfee and that's what we're doing. And unfortunately, that's not enough. And, you know, or maybe we force people to do some really cheap online training that people are not listening to while they're doing many other tasks. And so, you know, taking it seriously and instead of eye rolling and saying, well, this is just something I have to do instead of not something that I should do. I think that's the real problem.

Dr. Dave Chatterjee:

Fantastic! Well, that was terrific, Missy. Any final thoughts as we wrap up our discussion today?

Missy Cummings:

Leadership starts with the man or woman at the top.

Dr. Dave Chatterjee:

Fantastic. Well, looking forward to future discussions on this topic. This was really fun. Hope you had a good time. It was great. A special thanks to Professor Missy Cummings, for her time and insights. If you liked what you heard, please leave the podcast a rating and share it with your network. Also subscribe to the show, so you don't miss any new episodes. Thank you for listening, and I'll see you in the next episode.

Introducer:

The information contained in this podcast is for general guidance only. The discussants assume no responsibility or liability for any errors or omissions in the content of this podcast. The information contained in this podcast is provided on an as-is basis with no guarantee of completeness, accuracy, usefulness, or timeliness. The opinions and recommendations expressed in this podcast are those of the discussants and not of any organization.