Posts

Who In The World? Intro To Mapping Talent To Your CSP Stages

It is very tempting to assume that putting together a cybersecurity team is like assembling individual photos to create an intact image. Once again, assumptions are dangerous. Groups of people are not teams. It's very easy for managers to think that people in a group will behave like a team because you've all had lunch together or you're all Sagittariuses or something like that. Wrong. A team requires roles, shared responsibilities, rules, and enforcers. Maybe it's obvious, but teams also need a mission. Your cybersecurity program is the mission. But as Brendan's discourses on the NIST CSF make clear (e.g., here and here), there are different parts of the mission. Different parts require different specializations. Formally put, there are six phases of the NIST CSF. We advise managers not to hire people to fill all six functions. Our talent assessment work with very effective leaders shows that even at the elite levels of cybersecurity leadership, different tale...

The Respond or Recover Pillar: Like Practicing Bleeding?

There is an old military pilot's saying that skydiving is like practicing bleeding. The point is that bleeding is unpleasant, often unavoidable and something that you can probably just figure out as you go along, so why worry about it before then? Except that you absolutely should not just figure it out as you go along. You absolutely should know basic first aid and have an idea of how to stop bleeding should it occur. Alas, this same attitude often makes a hard job harder: implementing your NIST CSF Respond Plan or Recover Plan in the face of an outage. And yes, this is another example of how behavioral science greatly improves cybersecurity. Human beings avoid negative stimuli and seek out positive stimuli. We all know this, but many of us pretend that this isn't true or, worse, that it isn't true of us or our team. But it is true, and if you don't actively make this work for you it will absolutely work against you. What does this have to do with cybersecurity, you...

Cybersecurity Is A Team Sport

As part of our continuing series about how and why we bring behavioral science to cybersecurity, let us consider that cybersecurity is a team sport. How so? To start, your organization has a team engaged in direct competition with other teams. The other teams are criminals, vandals, spies and disasters such as hardware failure, software bugs and bad weather. Underestimate your competition at your peril. Like a sports team, your cybersecurity team has members with different talents. This is fine because the game you are playing has different positions (roles) as laid out by the NIST CSF:

Identify--requires analytic skills to identify what is really important
Protect--requires management to set priorities and IT understanding to make policy & procedure
Detect--requires a dogged determination to remain vigilant at all times
Respond--requires a good plan and the ability to execute under pressure in an ad hoc team
Recover--requires a good plan and the ability to balance the co...

Behavioral Science and the NIST CSF Identify Pillar

Building on our current elevator pitch, this post will talk about how and why we apply behavioral science to the Identify pillar of the NIST CSF. On the face of it, the Identify pillar is the pillar that everyone "gets" because it is so delightfully straightforward and lacking in veils of technological mystery: list all the digital assets your cybersecurity is supposed to protect. There are at least three complicating factors here when I watch this process in action in the wild: the problem of obviousness, the problem of obscurity and the problem of command. Each of these problems has its solution in behavioral science, not technology or methodology. What Is A Digital Asset? In this context, a digital asset is a data set or computer system that you need to do your job. Sounds pretty simple, doesn't it? The Obvious Is Not Always Obvious The commonplace gets overlooked; we all know this. This facet of human nature bites you twice in this process. First, you will tend to...

Pythia Cyber Elevator Pitch 2026-06-11

Like everyone else, we get asked "what's your elevator pitch?" We always have one, but we find it a useful exercise to revisit and revise ours to better fit this ever-changing world of cybersecurity. Here is our latest elevator pitch.

Cybersecurity Early Warning System

A previous post decried the sad state of the common company-wide mandatory annual cybersecurity training. This training is ineffective and sometimes even counterproductive. We say "counterproductive" in that it reduces cybersecurity awareness to mindless adherence to simple rules such as "don't click on stuff in email." In that post we talked about what we feel such training should contain. In this post we will describe what we feel such training should achieve. Cybersecurity training for the masses should enlist those masses in the cybersecurity cause. Instead of hoping that people don't do anything dangerous, the goal should be reports of oddness, of the unexpected or the strange. As dull as it sounds, looking into the odd, the unexpected or the strange is a great way to track down actual problems. For example, I recently saw an email that was a very sophisticated spear phishing attack. This email was shown to me as a curiosity by another IT professional....

Cybersecurity Training Should Not Stink

A colleague recently tried to be polite about Pythia Cyber's willingness to help organizations overhaul their annual mandatory company-wide cybersecurity training. She was polite but persistent in questioning the wisdom of this move. Her comments became ever sharper, though. Such training is usually a fig leaf for insurance reasons. Nobody takes it seriously. It doesn't accomplish anything. All such training I have ever had has been boring and useless and even a little condescending. I agreed that all of the observations were usually true. So then she tried a different tack: why is Pythia Cyber's training any different? This was a very useful question. Our training is different because our goal is to improve cybersecurity rather than checking bureaucratic boxes. Instead of the scolding tone and the list of dumb things to avoid doing, we use the NIST CSF to frame enlisting your people in the cybersecurity cause. We recommend that you start by surveying your people to find...