Significance of the Human Element in Cybersecurity
Renowned authority in human-technology interactions and Presidential appointee Prof. Missy Cummings of Duke University, spoke to the importance of understanding human motivation and behavior to proactively predict and detect deception. In a very candid and engaging conversation, Prof. Cummings expressed her concern about cybersecurity as a field not receiving the necessary scientific recognition and support. "Cybersecurity is not like changing the oil of your car, it is its own science," she said while discussing the various aspects of cybersecurity knowledge creation and dissemination. She also talks about her class on the Human Element in Cybersecurity and how she draws from various scientific knowledge bases (such as cognitive science, systems theory, game theory, and queuing theory) to provide a rich learning experience.
To access and download the entire podcast summary with discussion highlights --
https://www.dchatte.com/episode-15-significance-of-the-human-element-in-cybersecurity/
Renowned authority in human-technology interactions and Presidential appointee Prof. Missy Cummings of Duke University, spoke to the importance of understanding human motivation and behavior to proactively predict and detect deception. In a very candid and engaging conversation, Prof. Cummings expressed her concern about cybersecurity as a field not receiving the necessary scientific recognition and support. "Cybersecurity is not like changing the oil of your car, it is its own science," she said while discussing the various aspects of cybersecurity knowledge creation and dissemination. She also talks about her class on the Human Element in Cybersecurity and how she draws from various scientific knowledge bases (such as cognitive science, systems theory, game theory, and queuing theory) to provide a rich learning experience.
To access and download the entire podcast summary with discussion highlights --
https://www.dchatte.com/episode-15-significance-of-the-human-element-in-cybersecurity/
Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast
Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.
Connect with Dr. Chatterjee on these platforms:
LinkedIn: https://www.linkedin.com/in/dchatte/
Website: https://dchatte.com/
Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338
Introducer:
Welcome to the Cybersecurity Readiness Podcast
Introducer:
Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of
Cybersecurity Readiness:
A Holistic and High-Performance
Cybersecurity Readiness:
Approach by SAGE Publishing. He has been studying cybersecurity
Cybersecurity Readiness:
for over a decade, authored and edited scholarly papers,
Cybersecurity Readiness:
delivered talks, conducted webinars, consulted with
Cybersecurity Readiness:
companies, and served on a cybersecurity SWAT team with
Cybersecurity Readiness:
Chief Information Security officers. Dr. Chatterjee is an
Cybersecurity Readiness:
Associate Professor of Management Information Systems
Cybersecurity Readiness:
at the Terry College of Business, the University of
Cybersecurity Readiness:
Georgia, and Visiting Professor at Duke University's Pratt
Cybersecurity Readiness:
School of Engineering.
Dr. Dave Chatterjee:
Hello, everyone, I'm delighted to
Dr. Dave Chatterjee:
welcome you to this episode of the Cybersecurity Readiness
Dr. Dave Chatterjee:
Podcast Series. Today, I have the pleasure of talking with
Dr. Dave Chatterjee:
Professor Missy Cummings, of the Pratt School of Engineering,
Dr. Dave Chatterjee:
Duke University, about the significance of the human
Dr. Dave Chatterjee:
element in cybersecurity. Professor Cummings is a renowned
Dr. Dave Chatterjee:
authority in human-technology interactions. In October 2021,
Dr. Dave Chatterjee:
the Biden administration named Cummings as a new Senior Advisor
Dr. Dave Chatterjee:
for safety at the National Highway Traffic Safety
Dr. Dave Chatterjee:
Administration. A naval officer and military pilot from 1988 to
Dr. Dave Chatterjee:
1999, Missy was one of the Navy's first female fighter
Dr. Dave Chatterjee:
pilots. She is an incredibly gifted and accomplished
Dr. Dave Chatterjee:
academic. It's truly an honor to have her as a guest on the
Dr. Dave Chatterjee:
Cybersecurity Readiness Podcast show. Missy, welcome! Thanks for
Dr. Dave Chatterjee:
making time. I'd like to get started by asking, how does your
Dr. Dave Chatterjee:
work on human safety in automation and robotics inform
Dr. Dave Chatterjee:
cybersecurity research?
Missy Cummings:
Well, first, let me say thank you for having me,
Missy Cummings:
it's a real pleasure to be here, and as a researcher, I'm
Missy Cummings:
relatively new to conducting research in this field. But it
Missy Cummings:
really came about because of the work that I've been doing in
Missy Cummings:
human interaction with autonomous systems. And I would
Missy Cummings:
say the real point of my entry was, as we were starting to in
Missy Cummings:
my lab, we were starting to evaluate how much humans err in
Missy Cummings:
the construction of artificial intelligence and how human
Missy Cummings:
subjectivity can cause problems in the design of AI, I think
Missy Cummings:
that one of the natural kind of gotcha points there, was then
Missy Cummings:
the influence of humans who are designing these technologies,
Missy Cummings:
and then cybersecurity vulnerabilities. And so I just
Missy Cummings:
naturally ended up going down that path, because there are so
Missy Cummings:
many problems with vulnerabilities and artificial
Missy Cummings:
intelligence. And it's still such a nascent field, people
Missy Cummings:
don't even understand how and where the vulnerabilities are
Missy Cummings:
when we create AI. Then then I got fascinated as I started to
Missy Cummings:
dip my toes in the water, I started to think about
Missy Cummings:
deception. And because that's fundamentally what cybersecurity
Missy Cummings:
is, and social engineering, as you and your audience will know,
Missy Cummings:
is the number one threat access that people, companies, face in
Missy Cummings:
cybersecurity attacks. And so I started really getting
Missy Cummings:
fascinated by, we spend so much time trying to prevent
Missy Cummings:
deception. What if we could get inside the heads of people to
Missy Cummings:
maybe predict how when why people deceive and start
Missy Cummings:
thinking about it from the other end? And so, I have some
Missy Cummings:
research underway with various other collaborators where we're
Missy Cummings:
thinking about how to model deception kind of proactively,
Missy Cummings:
because, you know, I, you want to keep your friends close, but
Missy Cummings:
your enemies closer, right. So, yeah, so if we could figure out
Missy Cummings:
how to get in the minds of the people who are doing the
Missy Cummings:
deceiving, the hacking, that is another way to mitigate
Missy Cummings:
cybersecurity attacks.
Dr. Dave Chatterjee:
Great. Welcome to the field. I'm
Dr. Dave Chatterjee:
delighted to have you as a colleague in this area. As you
Dr. Dave Chatterjee:
know, as you alluded to this, cybersecurity has to be
Dr. Dave Chatterjee:
approached multi-dimensionally, there's a technical side to it,
Dr. Dave Chatterjee:
there is a very strong human side to it, there is an
Dr. Dave Chatterjee:
organizational side to it. So, when you speak about the human
Dr. Dave Chatterjee:
factor, when you talk about deception, trying to understand
Dr. Dave Chatterjee:
deception, it also brings to mind what motivates people? And
Dr. Dave Chatterjee:
I say, say that from the standpoint of cybersecurity
Dr. Dave Chatterjee:
training, as you know, we all get trained uniformly,
Dr. Dave Chatterjee:
consistently. But when it comes to applying the, the, what we've
Dr. Dave Chatterjee:
learned, the implementation of that varies from person to
Dr. Dave Chatterjee:
person for a variety of reasons, some of which relates to
Dr. Dave Chatterjee:
behavioral traits. Is that something that you can relate to
Dr. Dave Chatterjee:
and speak about a little more about the importance of the
Dr. Dave Chatterjee:
human factor from the standpoint of cybersecurity training?
Missy Cummings:
Well, first, I would just tell the audience,
Missy Cummings:
and I'm not sure if you can make these documents available, but
Missy Cummings:
I'd be happy to give everybody my syllabus from the class that
Missy Cummings:
I just finished teaching called the human element and
Missy Cummings:
cybersecurity, because it really speaks to that. What are all the
Missy Cummings:
core fundamental first principles to cybersecurity,
Missy Cummings:
human behavior, and even some systems engineering? And I will
Missy Cummings:
tell you, I would kind of argue first with your assumption that
Missy Cummings:
we're all sort of uniformly trained. Oh, haha, I mean, I'm
Missy Cummings:
kind of laughing holding my stomach, oh, my gosh, the one
Missy Cummings:
thing that I really started to uncover when I was developing
Missy Cummings:
this class on humans and cybersecurity is, it is just
Missy Cummings:
amazing to me, how uneven the training space is that out
Missy Cummings:
there. And, you know, I mean, there's a lot of truth to the
Missy Cummings:
fact that maybe big companies take cybersecurity more
Missy Cummings:
seriously, because they're bigger targets. And thus, maybe
Missy Cummings:
they have better cybersecurity practices. Maybe I say maybe,
Missy Cummings:
because we see big companies all the time really get in a bind,
Missy Cummings:
because they have very sloppy cybersecurity practices. And so
Missy Cummings:
one of the things that I think is a very interesting Venn
Missy Cummings:
diagram, for the way companies think about cybersecurity is
Missy Cummings:
they think about it last, kind of, if at all. And that is also
Missy Cummings:
the same problem that just basic human factors consideration has
Missy Cummings:
in the design of any product, right? So if we design a
Missy Cummings:
technology with autonomy, maybe if at all, we consider the human
Missy Cummings:
and it's the same thing for cybersecurity. And so then
Missy Cummings:
there's that shared Venn diagram, which means that if
Missy Cummings:
it's a human security issue, cybersecurity issue, then you're
Missy Cummings:
definitely not going to get it funded, right. Companies don't
Missy Cummings:
want to spend the money or the time and the effort. And yes, it
Missy Cummings:
takes time and effort, and I'm a big fan of having the US
Missy Cummings:
government start to put in at least requirements for companies
Missy Cummings:
that work with them. Right, as a, as a veteran, and, and a
Missy Cummings:
person who works with the government, my identity is
Missy Cummings:
constantly stolen through the government, you know, through
Missy Cummings:
every kind of breach that the government has my ID is stolen.
Missy Cummings:
So I would like to close that gap. But it is difficult for
Missy Cummings:
private companies, you know, if you don't mandate it, and it's
Missy Cummings:
funny, because there is there's kind of a shared similar
Missy Cummings:
argument over vaccines, you know, like, we're all at risk.
Missy Cummings:
When a company refuses to embrace at least standard
Missy Cummings:
cybersecurity practices. We're not asking them to go one above.
Missy Cummings:
So I do think that this the problem that we're having in
Missy Cummings:
this country and in other countries is really still one of
Missy Cummings:
the more core issues of what do companies really value, they say
Missy Cummings:
in the boardroom, that they evaluate that they value ESG
Missy Cummings:
(Environmental, Social, and Governance) and cybersecurity,
Missy Cummings:
I'm afraid this is still really at the lip service level as
Missy Cummings:
opposed to actually being real.
Dr. Dave Chatterjee:
Absolutely. You've covered a lot of ground.
Dr. Dave Chatterjee:
Let's see if I can follow up on some of the things that you were
Dr. Dave Chatterjee:
talking about. When I mentioned about standardized cybersecurity
Dr. Dave Chatterjee:
training, I was referring to, let's say, a company hires an
Dr. Dave Chatterjee:
organization to train their employees in detecting or
Dr. Dave Chatterjee:
preventing phishing attacks. Let's say a group of 10 people
Dr. Dave Chatterjee:
get trained. Research finds that subsequent to training, some of
Dr. Dave Chatterjee:
them perform better on the phishing tests than others. And
Dr. Dave Chatterjee:
they have associated the difference in the results to
Dr. Dave Chatterjee:
human curiosity, perception of potential personal losses and
Dr. Dave Chatterjee:
other factors. So, I was coming at it from that perspectives.
Dr. Dave Chatterjee:
That irrespective of the quality of training imparted, effective
Dr. Dave Chatterjee:
assimilation depends on factors such as innate curiosity, greed,
Dr. Dave Chatterjee:
perception of potential loss and more. But anyhow, switching
Dr. Dave Chatterjee:
gears a bit, you mentioned about your class, and I was reviewing
Dr. Dave Chatterjee:
your learning objectives. And one of them that got my
Dr. Dave Chatterjee:
attention is about analyzing and measuring unintentional human
Dr. Dave Chatterjee:
errors and malicious behavior. Just curious, how do you go
Dr. Dave Chatterjee:
about doing that? How do you go about measuring that?
Missy Cummings:
Well, for unintentional behaviors, you
Missy Cummings:
know, it's it's actually in our wheelhouse of everyday ways to
Missy Cummings:
measure human performance, you can measure, and I'm sure most
Missy Cummings:
companies who are very proactive do this, you know, whether or
Missy Cummings:
not people click on phishing emails, the kinds of behaviors,
Missy Cummings:
I recently had my students conduct analysis of email
Missy Cummings:
patterns, you can actually take someone's email and understand
Missy Cummings:
just by the logs of the email, of when they're opened, how long
Missy Cummings:
they're opened, how much people interact with email, whether
Missy Cummings:
they're just reading them or writing them, you can actually
Missy Cummings:
get a very good model of a person's workload over time. And
Missy Cummings:
indeed, you know, we do see phishing attacks, success on
Missy Cummings:
basically at two different times number one, when people are
Missy Cummings:
super busy, and they don't take the time to read an email, or
Missy Cummings:
the kind of the the counter to that is, when people are really
Missy Cummings:
bored. And there's an email that comes in, that's just
Missy Cummings:
interesting enough to make somebody want to click that
Missy Cummings:
attachment or click the link. And so if, if you can actually
Missy Cummings:
develop a good model of a human's engagement in their
Missy Cummings:
everyday work practices, you can actually figure out when is the
Missy Cummings:
right time to deceive them. And, you know, one of the problems
Missy Cummings:
with working doing work in this space is I have my students
Missy Cummings:
develop these models, or I have them develop plans for how to
Missy Cummings:
how to hack, and then you know, we don't we can't actually do
Missy Cummings:
them, you know, for ethical purposes. I mean, I keep telling
Missy Cummings:
my students over and over, you know, these are, you know, we're
Missy Cummings:
just here for a learning engagement. And then I had a
Missy Cummings:
student, they all had a final project where they had to go
Missy Cummings:
figure out some kind of project related cybersecurity, and they
Missy Cummings:
could propose their own. And I had one student proposed that,
Missy Cummings:
that he would go onto GitHub and find out where everyone was
Missy Cummings:
vulnerable in how they're using GitHub. And I thought that was
Missy Cummings:
good from just a, you know, let's just do a descriptive
Missy Cummings:
analysis. But then later, I found that he was going in and
Missy Cummings:
trying to hack people through GitHub and say, Look, I was just
Missy Cummings:
doing I mean, no, no, no, no, no, you know, I think that's a
Missy Cummings:
that is kind of the interesting thing. First of all, if you're
Missy Cummings:
on GitHub, be careful because my student knows how to go in and
Missy Cummings:
hack you. But it's just it's so easy to do. And there's so many
Missy Cummings:
points of access now that I think that that line between
Missy Cummings:
what is what is just trying to do good research, or, you know,
Missy Cummings:
trying to prevent and learn more about hacking. I do wonder
Missy Cummings:
sometimes did I actually create some hackers?
Dr. Dave Chatterjee:
And And it's funny, because you
Dr. Dave Chatterjee:
mentioned about students going into GitHub and trying to figure
Dr. Dave Chatterjee:
out how to hack and many of them are technically inclined,
Dr. Dave Chatterjee:
they'll figure it out, in fact, lots of information out there
Dr. Dave Chatterjee:
for that. That brings up a very fundamental question that's very
Dr. Dave Chatterjee:
close to my heart. And that is, as you know, when organizations
Dr. Dave Chatterjee:
get breached, and when it's a phishing attack, the person or
Dr. Dave Chatterjee:
the group of people who are compromised, they are not the
Dr. Dave Chatterjee:
cybersecurity experts. They are not the ones who are technically
Dr. Dave Chatterjee:
very savvy, at least that's information that's publicly
Dr. Dave Chatterjee:
available. Given that perspectives, as educators,
Dr. Dave Chatterjee:
what's your opinion on how widespread cybersecurity
Dr. Dave Chatterjee:
education should be? Who all should we be reaching out to as
Dr. Dave Chatterjee:
educators, as trainers? Does that make sense?
Missy Cummings:
Yeah, so, you know, I think it's a great
Missy Cummings:
question, because companies are going to say, well, you know,
Missy Cummings:
we're going to get we're going to give everybody training
Missy Cummings:
cybersecurity training on how to how not to click on that link.
Missy Cummings:
And a lot of companies will want to be a one and done, right. I'm
Missy Cummings:
just going to give one training session and be done.
Missy Cummings:
Unfortunately, cybersecurity follows what I would consider
Missy Cummings:
safety critical event model which means that you can think
Missy Cummings:
of airlines and, you know, just aviation in general, there'll be
Missy Cummings:
an accident. And then right after the accident, everyone is
Missy Cummings:
super safe. And so you could if you think about it's, you know,
Missy Cummings:
there's a sharp up uptick in safety, and then there's this
Missy Cummings:
degradation time period over time, then everybody gets unsafe
Missy Cummings:
again, and then there's an accident, and it spikes up
Missy Cummings:
again. And indeed, that's exactly what happens in
Missy Cummings:
cybersecurity. So we're, we're, you know, there'll be a breach
Missy Cummings:
from one company that a bunch of ever all the other companies
Missy Cummings:
will do a one and done, and then they'll forget about
Missy Cummings:
cybersecurity training. And then there's another breach and so we
Missy Cummings:
just keep that cycle, what we need to be is more proactive
Missy Cummings:
about, what would the, what would that look like? Could you
Missy Cummings:
be more proactive in predicting what that time cycle is? And I
Missy Cummings:
think the other problem is we need to do it. It is difficult
Missy Cummings:
because the threat vectors are changing so radically, for
Missy Cummings:
example, COVID, just introduced an entirely new area of
Missy Cummings:
cybersecurity. So I think companies need to not be so
Missy Cummings:
predictable, in the way that they respond and understand
Missy Cummings:
that, that did it. Cybersecurity is a living process, it's not
Missy Cummings:
just a check in the box. Now, I also appreciate how hard it is
Missy Cummings:
to keep everybody engaged in my class, we ended up analyzing
Missy Cummings:
various different companies, training programs. And you know,
Missy Cummings:
it's easy to get stale. And so how to keep that tech, how to
Missy Cummings:
keep their training programs fresh, and people engaged. I
Missy Cummings:
it's just like all training for anything to do with safety. It's
Missy Cummings:
hard to keep people engaged until some bad event happens.
Missy Cummings:
But I think if you have a very clever chief risk officer, and
Missy Cummings:
that's another big issue that I don't see enough companies
Missy Cummings:
working on is, you know, we want to have a CTO and a CFO, but,
Missy Cummings:
you know, only the big companies think that they can afford to
Missy Cummings:
have a chief risk officer. And and, indeed, you know, all these
Missy Cummings:
companies that have paid out all these ransoms, you know, I
Missy Cummings:
wonder how that would have worked for them, if they would
Missy Cummings:
have put the chief risk officer in place.
Dr. Dave Chatterjee:
You're, you're so spot on, in fact, risk
Dr. Dave Chatterjee:
factor, or assessment of risk should be integral towards
Dr. Dave Chatterjee:
evaluating every initiative that a company is planning to pursue.
Dr. Dave Chatterjee:
And when I say every initiative, I'm talking about strategic
Dr. Dave Chatterjee:
initiatives, and there are lots of frameworks out there that
Dr. Dave Chatterjee:
guide organizations to do so. So the question is who's following
Dr. Dave Chatterjee:
to what extent and you kind of talked about this reactive
Dr. Dave Chatterjee:
mindset, this reactive mentality. And, you know, I
Dr. Dave Chatterjee:
think it's easier said than done, that we should be
Dr. Dave Chatterjee:
proactive, we all should be proactive, but the reality of it
Dr. Dave Chatterjee:
is, most of us, we respond to fear, we respond to incidents,
Dr. Dave Chatterjee:
when it happens to us, we sit up and try to do things to take
Dr. Dave Chatterjee:
corrective action. But when it's not happening to us, and when
Dr. Dave Chatterjee:
everything seems to be going fine, it's like a company not
Dr. Dave Chatterjee:
experiencing any attacks, they tend to ignore the good work
Dr. Dave Chatterjee:
that's probably happening behind the scenes thanks to their
Dr. Dave Chatterjee:
cybersecurity team and others. So it's a it's a chicken and an
Dr. Dave Chatterjee:
egg problem. But definitely being proactive is critical. And
Dr. Dave Chatterjee:
the importance of top management actively engaging, you mentioned
Dr. Dave Chatterjee:
about how serious top management is, is often hard to gauge. And
Dr. Dave Chatterjee:
I don't know if that has anything to do with the
Dr. Dave Chatterjee:
consequences of the attacks. There are some large companies
Dr. Dave Chatterjee:
out there who have been attacked and ask per public records, they
Dr. Dave Chatterjee:
have taken action so that those attacks don't happen or they
Dr. Dave Chatterjee:
reduce those risks, but they're not going away. It's not like
Dr. Dave Chatterjee:
their future is at stake. It's the medium size businesses that
Dr. Dave Chatterjee:
tend to go away; 60% of the medium size businesses that have
Dr. Dave Chatterjee:
been hacked, have gone under, if my stats are correct here. So I
Dr. Dave Chatterjee:
worry more about the organizations which are resource
Dr. Dave Chatterjee:
constrained. And to what extent they are making those fearless
Dr. Dave Chatterjee:
calls of finding the right balance between pursuing their
Dr. Dave Chatterjee:
organizational goals and mission without compromising on having a
Dr. Dave Chatterjee:
certain level of cybersecurity readiness. Any reactions
Dr. Dave Chatterjee:
thoughts to that?
Missy Cummings:
Oh, sure. So I have my students tell me at the
Missy Cummings:
end of every class, what they would do if they were a hacker
Missy Cummings:
and what would they do if they were a chief risk officer and
Missy Cummings:
they had learned what they learned during whatever that
Missy Cummings:
particular lecture is, and one common theme that happened
Missy Cummings:
repeatedly after the various lectures were that I would hack
Missy Cummings:
a startup company for problem, you know, thing X, right?
Missy Cummings:
Because startups are really trying hard to make a product,
Missy Cummings:
make a splash, get more series funding. And indeed, just like
Missy Cummings:
trying to plan for human interaction issues,
Missy Cummings:
cybersecurity is again seen as oh, well, this is a nice to
Missy Cummings:
have, it's not a must have. And so I'm just going to push this
Missy Cummings:
down the road. And I would actually say that, to me, in my
Missy Cummings:
mind, if I were a venture capitalist, that would be one of
Missy Cummings:
the first questions that I would ask a bunch of startups that I
Missy Cummings:
was looking to invest in is, look, I understand it's a high
Missy Cummings:
wire act. But in the end, if you've got a cybersecurity
Missy Cummings:
vulnerability, and it could take down the entire operation, then
Missy Cummings:
why should anybody invest in that? And I certainly see this
Missy Cummings:
anywhere where we've got a lot of these new startup
Missy Cummings:
technologies, where they're using, for example, GPS, whether
Missy Cummings:
we're talking about drones, or cars, or small sidewalk delivery
Missy Cummings:
drones. It is so easy to do a GPS spoof on a vehicle, any kind
Missy Cummings:
of vehicle and I would actually say that is my number one
Missy Cummings:
question. When I ask people who are working in these
Missy Cummings:
transportation and or delivery spaces. What are you doing about
Missy Cummings:
GPS cybersecurity, and they look at me like a deer in the
Missy Cummings:
headlights? Ah,
Missy Cummings:
what I did out GPS spoofing, what's that? And so I think, Oh,
Missy Cummings:
my goodness,
Missy Cummings:
we are in serious trouble. You know, so awareness. Again, one
Missy Cummings:
of these issues. And, you know, I think it might be I, I know
Missy Cummings:
that there's a lot of money to be made in cybersecurity. But I
Missy Cummings:
also think that universities are really good about providing
Missy Cummings:
workspaces, and they want to, you know, help, do help
Missy Cummings:
startups, angel funding, that kind of thing. But I also wish
Missy Cummings:
that we would spend more time and thinking about, Okay, well,
Missy Cummings:
what would angel funding look like, just for cybersecurity for
Missy Cummings:
startups, because that actually has dual benefit, not only does
Missy Cummings:
it keep that company safe, but then that end above itself could
Missy Cummings:
be its own product,
Dr. Dave Chatterjee:
Absolutely, in fact, brings to mind one of
Dr. Dave Chatterjee:
my prior guests, who got funding to start his company Trusona,
Dr. Dave Chatterjee:
and they focus on passwordless authentication. So I think
Dr. Dave Chatterjee:
that's a good product, or that's a good approach to strive for,
Dr. Dave Chatterjee:
there is no perfect approach. But that's definitely something
Dr. Dave Chatterjee:
to, you know, move in that direction. Another thought comes
Dr. Dave Chatterjee:
to mind as we are having this discussion. You know, we are
Dr. Dave Chatterjee:
making progress technologically, you do a lot of work in the
Dr. Dave Chatterjee:
field in the area of AI. We are making these fancy cars, they
Dr. Dave Chatterjee:
are supposed to self drive, which is all great. But we also
Dr. Dave Chatterjee:
recognize that the more technologically advanced we get,
Dr. Dave Chatterjee:
the more vulnerable we become, for a variety of reasons,
Dr. Dave Chatterjee:
including information security. So that begs the question, or
Dr. Dave Chatterjee:
that's, that's something that I address in class when I tell
Dr. Dave Chatterjee:
students, that technology is great. But mindless use of
Dr. Dave Chatterjee:
technology is big kind of stupid. Making judicious use of
Dr. Dave Chatterjee:
technology. And and that relates to cybersecurity from the
Dr. Dave Chatterjee:
standpoint of, yes, I want to run after my strategic goals.
Dr. Dave Chatterjee:
But I better be properly anchored because I can't afford
Dr. Dave Chatterjee:
to lose my operating engines, my databases, my systems, because
Dr. Dave Chatterjee:
if I lose them, then it's the short term thinking, I might go
Dr. Dave Chatterjee:
wander. Having that rich perspective where you're growth
Dr. Dave Chatterjee:
driven, you understand what it takes to take the company to the
Dr. Dave Chatterjee:
next level. But you also recognize the different pieces
Dr. Dave Chatterjee:
of the puzzle that helps anchor the company and one of which is
Dr. Dave Chatterjee:
cybersecurity. Providing that kind of holistic education, I
Dr. Dave Chatterjee:
think is where universities come in. You mentioned about
Dr. Dave Chatterjee:
companies providing students cybersecurity training, and
Dr. Dave Chatterjee:
absolutely every company has their own customized approach.
Dr. Dave Chatterjee:
But I think at the university level, we can offer them a much
Dr. Dave Chatterjee:
more comprehensive insight into what it takes to whether you
Dr. Dave Chatterjee:
create a company and run it or whether you run it and how the
Dr. Dave Chatterjee:
different pieces fit together and how and why it is important
Dr. Dave Chatterjee:
to keep cyber security as an integral part of of the overall
Dr. Dave Chatterjee:
strategy. I in fact, suggest that I've said it very you know
Dr. Dave Chatterjee:
emphatically that cybersecurity is a strategic competency. It's
Dr. Dave Chatterjee:
a competency that organizations need to develop, and master over
Dr. Dave Chatterjee:
a period of time if they want to thrive in the years to come.
Dr. Dave Chatterjee:
Thoughts reactions?
Missy Cummings:
Yeah, wow. I mean, we are about to go down a
Missy Cummings:
rabbit hole, you did not want to go down. And that is because I
Missy Cummings:
have a huge beef with the academic world in the way that
Missy Cummings:
it thinks about cybersecurity, or more broadly, something we
Missy Cummings:
call assured autonomy. And so the idea is autonomous systems
Missy Cummings:
have can operate, and most do operate in a non-deterministic
Missy Cummings:
fashion. And so that opens up a whole new can of worms for
Missy Cummings:
cybersecurity. But and I'm not just speaking about autonomous
Missy Cummings:
systems, I think more broadly, wherever you've got digital
Missy Cummings:
systems, cybersecurity by the academic world, and who am I
Missy Cummings:
speaking of I'm speaking of most of the most of the top tier
Missy Cummings:
research universities, top 30. Most of these organizations
Missy Cummings:
treat cybersecurity as a stepchild in the sense that they
Missy Cummings:
do not see it as legitimate research, that this is
Missy Cummings:
engineering, and it's not research. And so we should not
Missy Cummings:
teach it as a formalized set of courses. Now. It sounds you many
Missy Cummings:
people listening to this be like what the academic institutions
Missy Cummings:
don't think that cybersecurity is a legitimate field? And I'm
Missy Cummings:
here to tell you, they don't. Now that's not true, because
Missy Cummings:
obviously, Duke, it's not sure everywhere, Duke has just
Missy Cummings:
recently stood up a cybersecurity program. But you
Missy Cummings:
know, that is the exception rather than the rule. And be and
Missy Cummings:
people will say that's not basic science. What is basic science
Missy Cummings:
about cybersecurity? And so this is actually one of the reasons I
Missy Cummings:
developed this course, in cybersecurity in humans to so
Missy Cummings:
that people could understand. Do you know what the basic science
Missy Cummings:
that we cover my courses, we start with cognitive science, we
Missy Cummings:
embed game theory, we engage we talk about queueing theory, we
Missy Cummings:
talk about systems thinking, right? So there are so many core
Missy Cummings:
scientific clusters of learning that underpin cybersecurity. And
Missy Cummings:
by the way, that was just for one course, if we started
Missy Cummings:
talking about what what would we find in other courses, formal
Missy Cummings:
methods, and lots more statistical learning. And so
Missy Cummings:
there are many, many core scientific areas that are the
Missy Cummings:
foundation for cybersecurity. So it is actually really my
Missy Cummings:
criticism. And by the way, my criticism is severe, because I
Missy Cummings:
think that the inability of our nation, our nation's agencies,
Missy Cummings:
like the National Science Foundation, and even other top
Missy Cummings:
30 universities, to really grasp this means that this country is
Missy Cummings:
in a serious, vulnerable position. And if we're not
Missy Cummings:
funding the research, then we're not funding the technology and
Missy Cummings:
innovation development that needs to happen to put us out in
Missy Cummings:
front. We are not out in front in cybersecurity, the US is not
Missy Cummings:
the leaders in cybersecurity, the US can be brought to its
Missy Cummings:
knees by a bunch of hackers in Nigeria. I mean, that's, that's
Missy Cummings:
actually that's how you have to ask yourself, if we're so
Missy Cummings:
awesome, why is it that that someone from a country that is,
Missy Cummings:
you know, not nearly as well developed as our country as our
Missy Cummings:
nation can have so many problems by people where the bar of entry
Missy Cummings:
is virtually nothing. So I do wish that we would, as a
Missy Cummings:
country, and in academia raise the alarm bells that this is
Missy Cummings:
these are legitimate areas of study, trying to get more
Missy Cummings:
journals stood up in this area and more traditional, you know,
Missy Cummings:
types of ways that we disseminate research results.
Missy Cummings:
One good area is the Department of Defense, regardless of how
Missy Cummings:
you feel about the DOD, the bottom line is, they see that
Missy Cummings:
it's a problem. And certainly the US government is trying to
Missy Cummings:
do more in this space. So the more that we the government
Missy Cummings:
agencies start to embrace and mandate that their efforts
Missy Cummings:
funded in the area of cybersecurity, the better will
Missy Cummings:
be but I still think we're just missing a core recognition at
Missy Cummings:
universities that cybersecurity is not like changing the oil of
Missy Cummings:
your car. It is its own science.
Dr. Dave Chatterjee:
Absolutely. Wow. I love the fact that you
Dr. Dave Chatterjee:
went down that path. I could continue in that direction, but
Dr. Dave Chatterjee:
I'll keep my reactions and remarks short. Like you said,
Dr. Dave Chatterjee:
you use the example of cybersecurity to make the point
Dr. Dave Chatterjee:
that many might feel that doing research in this area is not
Dr. Dave Chatterjee:
considered scientific. And again, I do not want to assume
Dr. Dave Chatterjee:
stuff, but to keep it simple, research is about solving
Dr. Dave Chatterjee:
problems. And as you try to solve problems, you end up
Dr. Dave Chatterjee:
coming up with theories, better understandings, which
Dr. Dave Chatterjee:
ultimately, you know, can transcend, transcend, and can
Dr. Dave Chatterjee:
enhance your ability to explain multiple phenomena. And talking
Dr. Dave Chatterjee:
about the theoretical development that can come from
Dr. Dave Chatterjee:
cybersecurity research, the work that I've done so far, I see so
Dr. Dave Chatterjee:
many connections, because 17 Success Factors came out in my
Dr. Dave Chatterjee:
work when I was trying to identify what it takes to create
Dr. Dave Chatterjee:
and sustain a high performance information security culture.
Dr. Dave Chatterjee:
And each of those factors have strong grounding in research,
Dr. Dave Chatterjee:
you know, that has been pursued over decades, one of which, of
Dr. Dave Chatterjee:
course, is the role of top management. So there is a lot of
Dr. Dave Chatterjee:
connectivity. Now, I approach research a little differently, I
Dr. Dave Chatterjee:
do not do research, to inform theory or to enhance theory. I
Dr. Dave Chatterjee:
like to do research which I find interesting, which is going to
Dr. Dave Chatterjee:
have impact. And then in the process, if I create great
Dr. Dave Chatterjee:
theory, that's great. But But no, I think your points are
Dr. Dave Chatterjee:
extremely well made. And talking about the role of government and
Dr. Dave Chatterjee:
the private sector, you will remember that we had the the
Dr. Dave Chatterjee:
Colonial Pipeline breach. And that resulted in some
Dr. Dave Chatterjee:
congressional hearings. And the senior executives, the senior
Dr. Dave Chatterjee:
leadership of this organization, along with others, who are
Dr. Dave Chatterjee:
managing the critical infrastructures, they are now
Dr. Dave Chatterjee:
being pushed or asked for major disclosure, in other words,
Dr. Dave Chatterjee:
provide more transparency, that you are doing enough to protect
Dr. Dave Chatterjee:
our national assets. And I'm kind of surprised that it took a
Dr. Dave Chatterjee:
breach to get there. I would think it is common sense that
Dr. Dave Chatterjee:
whether your organization is protecting national assets or
Dr. Dave Chatterjee:
any other asset, any other consumer asset, you must do your
Dr. Dave Chatterjee:
due diligence, you must report to the relevant stakeholders,
Dr. Dave Chatterjee:
there must be adequate transparency, so I kind of get
Dr. Dave Chatterjee:
surprised when I see these. Okay, here are the new things we
Dr. Dave Chatterjee:
will be doing. And government, private sector, they are
Dr. Dave Chatterjee:
separate, but in many ways they need to come together.
Dr. Dave Chatterjee:
Similarly, academic organizations, academic
Dr. Dave Chatterjee:
disciplines, yes, we have our specializations, but I hope you
Dr. Dave Chatterjee:
will agree that cybersecurity is an example that is a phenomenon
Dr. Dave Chatterjee:
that requires cross disciplinary expertise and involvement. So
Dr. Dave Chatterjee:
you shouldn't be leaving anybody outside and say, Well, this is
Dr. Dave Chatterjee:
the domain for such and such field. And they are the ones who
Dr. Dave Chatterjee:
should be doing research in this area. So having that openness to
Dr. Dave Chatterjee:
collaboration, to cross functional involvement, whether
Dr. Dave Chatterjee:
it's in practice or in academia, is critical to dealing with
Dr. Dave Chatterjee:
problems of this magnitude, where it is just not enough for
Dr. Dave Chatterjee:
a specific company, or a government to effectively deal
Dr. Dave Chatterjee:
with the threat. We need the entire ecosystem,
Dr. Dave Chatterjee:
organizationally, across countries to come together and
Dr. Dave Chatterjee:
fight the good fight. So that's how cybersecurity kind of brings
Dr. Dave Chatterjee:
us together, just like COVID has proved to us over and over again
Dr. Dave Chatterjee:
that whether we like it or not, we are all highly
Dr. Dave Chatterjee:
interconnected. If we don't do our part, we are not going to be
Dr. Dave Chatterjee:
able to deal with this pandemic effectively. Cybersecurity is
Dr. Dave Chatterjee:
the same kind of problem, the more interconnected the systems
Dr. Dave Chatterjee:
become. While there have definite benefits of that, the
Dr. Dave Chatterjee:
more vulnerable we become. And we can't, each one of us has a
Dr. Dave Chatterjee:
role to play See, look the other way, there's going to be a
Dr. Dave Chatterjee:
breach at some level with long term impact. So that's my little
Dr. Dave Chatterjee:
spiel,
Dr. Dave Chatterjee:
You got me going there. Thoughts reactions?
Missy Cummings:
Oh, yeah, you know, the Colonial Pipeline for
Missy Cummings:
people in the business, nobody was surprised. Right? It was
Missy Cummings:
just a matter of time because Companies are extremely slow to
Missy Cummings:
change. And, you know, I'm not generally a fan of strong
Missy Cummings:
regulation. But when it comes to these safety critical elements
Missy Cummings:
of systems, you know, if I told you that you that we were going
Missy Cummings:
to let the FAA, you know, we were going to take care of the
Missy Cummings:
FAA out and let companies do whatever they wanted in terms of
Missy Cummings:
safety of airplanes, nobody would get on an airplane. Right.
Missy Cummings:
And so, you know, this is yet another safety critical system,
Missy Cummings:
where if we don't take care of some of these, especially for
Missy Cummings:
infrastructure, and other safety, critical systems,
Missy Cummings:
process control, for example. So yeah, you know, unfortunately,
Missy Cummings:
Henry Petroski, who's another professor at Duke, he talks
Missy Cummings:
about engineering failures, that sometimes engineering failures
Missy Cummings:
have to happen, because that is the only way that the industry
Missy Cummings:
is going to grow. Sadly, I think that applies to this as well.
Missy Cummings:
Right? And, and like we talked about, it's basically some kind
Missy Cummings:
of work sine curve where we have to keep it has to keep happening
Missy Cummings:
over and over again, for us to be reminded that we need to keep
Missy Cummings:
doing it. So you know, that's where I think that's where there
Missy Cummings:
is a lot of room to figure out like, Alright, then how should
Missy Cummings:
we if we know that there's going to be episodic movements and
Missy Cummings:
technologies being developed, and especially now all the
Missy Cummings:
vulnerabilities that artificial intelligence introduces, how can
Missy Cummings:
we start being proactive instead of being reactive? So that's
Missy Cummings:
where I'd like to spend some of my research efforts.
Dr. Dave Chatterjee:
Makes total sense. Going back to your core
Dr. Dave Chatterjee:
research in safety and automation, as you have pursued
Dr. Dave Chatterjee:
research in that area, hopefully you've seen progress. What do
Dr. Dave Chatterjee:
you expect to see in the field of cybersecurity, in the years
Dr. Dave Chatterjee:
to come? And I realize I'm asking you to wear your
Dr. Dave Chatterjee:
predictive hat, and look ahead and see what's coming. You think
Dr. Dave Chatterjee:
we will get a better handle on how to deal with these threats,
Dr. Dave Chatterjee:
whether it's through better technology, superior governance,
Dr. Dave Chatterjee:
or more effective regulation. Talking about regulation, I'm
Dr. Dave Chatterjee:
reminded of the effectiveness of the Sarbanes Oxley Act (SOX) to
Dr. Dave Chatterjee:
reduce fraudulent accounting activities. I wonder if we need
Dr. Dave Chatterjee:
similar legislation to get organizations and their
Dr. Dave Chatterjee:
leadership to comply with cybersecurity best practices?
Dr. Dave Chatterjee:
What do you see happening?
Missy Cummings:
Yeah, so I kind of think about this as a three
Missy Cummings:
circle Venn diagram. There's cybersecurity mitigation,
Missy Cummings:
people, technology and regulation, right. So there's a
Missy Cummings:
little bit to be done and all of that, I think regulation
Missy Cummings:
certainly needs to be more proactive in that keep companies
Missy Cummings:
and subcontractors who touch safety critical systems, this
Missy Cummings:
should just be mandatory. And they're, you know, there is
Missy Cummings:
movement along this front. But you know, I've been working in
Missy Cummings:
and around the government for the last, you know, 10 years.
Missy Cummings:
And so I've seen the big gaping holes, there's not one
Missy Cummings:
department in the government that I think has a good
Missy Cummings:
cybersecurity strategy. And by good, I mean, they know that
Missy Cummings:
they need help, but they just don't have all the right people
Missy Cummings:
that they need to make these programs safe. I mean, when
Missy Cummings:
we've got the National Security Agency being hacked, you know,
Missy Cummings:
we got serious problems, right. So. So I think that there's a
Missy Cummings:
lot to be done on the regulatory front. Because unfortunately, in
Missy Cummings:
the space companies, not all companies, but a lot of
Missy Cummings:
companies are not going to get at least good enough
Missy Cummings:
cybersecurity practices unless you force their hand. But I
Missy Cummings:
would actually say of those three Venn diagrams, that's the
Missy Cummings:
smallest. So I think we should spend a lot more time in
Missy Cummings:
technology developments. You know, the fact of the matter is,
Missy Cummings:
we should be able to stop phishing emails like that.
Missy Cummings:
There's no, there's no magic solution. There's, it's not like
Missy Cummings:
we got to solve cold fusion to figure that out. We've got some
Missy Cummings:
filtering technologies and some search technologies and some ID
Missy Cummings:
technologies, maybe even figuring out how to run ghost
Missy Cummings:
servers so that these problems don't happen. But, you know, we
Missy Cummings:
I think that that just and this is where research is needed,
Missy Cummings:
like how can we actually develop more efficient programs and
Missy Cummings:
another technology for example, that we need help on VPNs are
Missy Cummings:
like, you know, it's like trying to add a big analog system to
Missy Cummings:
your fast digital system. It just slows it down and people
Missy Cummings:
get so mad at VPNs and I know people from all sorts of
Missy Cummings:
companies who bypass the VPN just for this one thing, right?
Missy Cummings:
And then that's where they get compromised in some
Missy Cummings:
cybersecurity. So, you know, we should be able to solve that
Missy Cummings:
problem VPN don't have to slow technology down. So let's, let's
Missy Cummings:
improve that. So, you know, I think there's a lot more to be
Missy Cummings:
done on the technology front, I think there's a lot more to be
Missy Cummings:
done on the human front. I do wonder if companies ever sit
Missy Cummings:
back and say, why is it that we are so vulnerable to the time of
Missy Cummings:
COVID? Because people are lonely and bored, and the quality of
Missy Cummings:
work is not meaningful, right. So I think there's a lot for
Missy Cummings:
companies to do to think about. How can we make our work
Missy Cummings:
processes and environments such that hacking is not successful?
Missy Cummings:
And how can we make everyone and at least participatory in trying
Missy Cummings:
to stop hacking and mitigation and make that a more integral
Missy Cummings:
part of our everyday work processes, instead of everybody
Missy Cummings:
eye rolling every time they have to go take a online
Missy Cummings:
cybersecurity training that no one's listening to, and they're
Missy Cummings:
doing something else. They're like cooking or doing their
Missy Cummings:
taxes or doing something while theoretically the online
Missy Cummings:
training is happening? So, you know, I think, I think there's a
Missy Cummings:
lot to be done, I think we are getting better. I don't mean to
Missy Cummings:
be the Debbie Downer and saying, it's all miserable, because
Missy Cummings:
obviously, we are making improvements. But I think that
Missy Cummings:
the number one change that needs to happen, for government and
Missy Cummings:
for industry, and for academia is to recognize it's kind of
Missy Cummings:
like COVID, look, this is here to stay. And the longer that you
Missy Cummings:
keep ignoring it, the worse it's going to get?
Dr. Dave Chatterjee:
Absolutely, absolutely. I'd like to go back
Dr. Dave Chatterjee:
to your class, the classes on human factors. And I'd like you
Dr. Dave Chatterjee:
to share with listeners, what are you trying to instill in
Dr. Dave Chatterjee:
students who take your class?
Missy Cummings:
I would say the number one consideration that I
Missy Cummings:
want my students to leave with, after they take my class, The
Missy Cummings:
Human Element in Cybersecurity is that cybersecurity is a
Missy Cummings:
systems-level problem. That there is no one you know, just
Missy Cummings:
stopping pfishing is not going to stop cybersecurity and that
Missy Cummings:
to take to address it properly, you need to think about it first
Missy Cummings:
from a requirements perspective, what does my company need? How
Missy Cummings:
does it need? Why does it need? when does it need? Or what
Missy Cummings:
facets of the company need what various mitigations and then
Missy Cummings:
integrate the cybersecurity aspect at all levels of product
Missy Cummings:
development. And understand that it's integral not an add-on
Missy Cummings:
harassment package, that higher level of management is imbuing
Missy Cummings:
upon the rest of the company. So yeah, systems-level thinking,
Missy Cummings:
cybersecurity, to me, they're one in the same.
Dr. Dave Chatterjee:
Okay, fantastic. Now, I'd like to go
Dr. Dave Chatterjee:
back to something you talked about relating to senior
Dr. Dave Chatterjee:
management, top management, because you'd appreciate that,
Dr. Dave Chatterjee:
at the end of the day, in a in an organization, the the tone is
Dr. Dave Chatterjee:
set at the top. Top management really has to make the
Dr. Dave Chatterjee:
commitment, they have to believe in it and do the needful. And
Dr. Dave Chatterjee:
you mentioned that based on your fieldwork, you found significant
Dr. Dave Chatterjee:
variance in that; I don't mean to misquote you, so correct me.
Dr. Dave Chatterjee:
But I'd like your thoughts and perspective on --besides
Dr. Dave Chatterjee:
regulation, what should it take to get top management to
Dr. Dave Chatterjee:
actively recognize this to be a key issue, that's something that
Dr. Dave Chatterjee:
you can't walk away from, and meet it head-on, and get the
Dr. Dave Chatterjee:
organization prepared to proactively deal with this
Dr. Dave Chatterjee:
challenge?
Missy Cummings:
Well, if right, if the regulatory lever is not
Missy Cummings:
going to be pulled, I think the next regulatory or the next
Missy Cummings:
internal regulation lever that should be pulled is probably a
Missy Cummings:
mandate from a board. For example, if it's a publicly
Missy Cummings:
traded company, or if it's a non public company, if they have a
Missy Cummings:
board, you have to have some kind of external lever of
Missy Cummings:
accountability. Because if you don't have that, you know, it
Missy Cummings:
depends. The companies who are successful in fending off
Missy Cummings:
hacking attempts are those that have good people that understand
Missy Cummings:
and are taking care of that, in the end that the CEO is, first
Missy Cummings:
of all, has hired those people and given them the latitude that
Missy Cummings:
they need to solve those problems. Unless the CEO, I
Missy Cummings:
really think cybersecurity is a leadership issue, because unless
Missy Cummings:
the CEO values it and demonstrate to the rest of the
Missy Cummings:
company that they value it, then everybody else is just going to
Missy Cummings:
follow the lead and be very haphazard. And so, you know, the
Missy Cummings:
resources have to be set aside. And it needs to be transparent
Missy Cummings:
and visible to the rest of the company that these things are
Missy Cummings:
valued. Instead of I see, I would say, for the bulk of
Missy Cummings:
companies out there, the CEOs just give lip service to
Missy Cummings:
cybersecurity and say, Yes, and, you know, maybe we've got McAfee
Missy Cummings:
and that's what we're doing. And unfortunately, that's not
Missy Cummings:
enough. And, you know, or maybe we force people to do some
Missy Cummings:
really cheap online training that people are not listening to
Missy Cummings:
while they're doing many other tasks. And so, you know, taking
Missy Cummings:
it seriously and instead of eye rolling and saying, well, this
Missy Cummings:
is just something I have to do instead of not something that I
Missy Cummings:
should do. I think that's the real problem.
Dr. Dave Chatterjee:
Fantastic! Well, that was terrific, Missy.
Dr. Dave Chatterjee:
Any final thoughts as we wrap up our discussion today?
Missy Cummings:
Leadership starts starts with the man or
Missy Cummings:
woman at the top.
Dr. Dave Chatterjee:
Fantastic. Well, looking forward for future
Dr. Dave Chatterjee:
discussions on this topic. This was really fun. Hope you had a
Dr. Dave Chatterjee:
good time. It was great. A special thanks to Professor
Dr. Dave Chatterjee:
Missy Cummings, for her time and insights. If you liked what you
Dr. Dave Chatterjee:
heard, please leave the podcast a rating and share it with your
Dr. Dave Chatterjee:
network. Also subscribe to the show, so you don't miss any new
Dr. Dave Chatterjee:
episodes. Thank you for listening, and I'll see you in
Dr. Dave Chatterjee:
the next episode.
Introducer:
The information contained in this podcast is for
Introducer:
general guidance only. The discussants assume no
Introducer:
responsibility or liability for any errors or omissions in the
Introducer:
content of this podcast. The information contained in this
Introducer:
podcast is provided on an as-is basis with no guarantee of
Introducer:
completeness, accuracy, usefulness, or timeliness. The
Introducer:
opinions and recommendations expressed in this podcast are
Introducer:
those of the discussants and not of any organization.
