Most organizations use sanctions as a way of enforcing cybersecurity policies and encouraging sound security behaviors. But few organizations ever test whether these sanctions are effective. Often they aren't; in fact, when used improperly sanctions can backfire. In this episode of Cyber Ways, Tom and Craig talk about sanctions and their effectiveness with Dr. Mikko Siponen of the University of Alabama's Culverhouse College of Business. Dr. Siponen is among the world's leading scholars when it comes to understanding the effects of sanctions on cybersecurity behaviors. Listen and learn how your organization can use sanctions more effectively.

Dr. Mikko Siponen is Professor of Business Cybersecurity and Management at the University of Alabama's Culverhouse College of Business. He holds advanced degrees in Software Engineering, Information Systems, and Philosophy. A leading scholar in Information Systems, he ranks among the top 30 worldwide based on publications in premier journals. Professor Siponen is the only Finnish IS professor invited to join The Finnish Academy of Science and Letters. His expertise spans cybersecurity management, IS development, and philosophical aspects of IS. He has extensive experience as a visiting professor, consultant, and research leader internationally, with a particular focus on cybersecurity management.

Sanctions and Cybersecurity Policies:

• Effectiveness of Sanctions:
• Sanctions can work even without prior direct experience.
• Firsthand sanction experiences may enhance effectiveness.
• Can backfire if perceived as unjust, leading to resentment.
• Employees' Awareness and Knowledge:
• Typically lack detailed knowledge of cybersecurity policies.
• Inadequate training contributes to confusion and non-compliance.
• Policies often conflict with practical organizational needs (e.g., link clicking).

Training and Effectiveness:

• Deficiencies in Training:
• Often generic and check-the-box nature, hence ineffective.
• Rarely measured for effectiveness by providers.
• Recommendations for Improvement:
• Demand effectiveness metrics from training providers.
• Training should reduce cybersecurity risks significantly.

Practical Implications and Recommendations:

• Sanctions as a Deterrent:
• Active Sanctions:
• Monitored closely but can backfire if perceived as unjust.
• Passive Sanctions:
• Applied only when necessary, safer from backlash.
• Communication and Awareness:
• Clear, effective communication of cybersecurity policies and sanctions is crucial.
• Must bridge the gap between policy and practical enforcement.
• Balancing Fairness and Consistency:
• Consistency across departments is vital to ensure fairness.
• Fair sanctions are essential to prevent demotivation and resentment.
• Sanction Implementation Tips:
• Consider firm culture and employee perspectives.
• Pilot test sanctions; gather employee feedback.
• Obtain management support and recognize the impact of unions.

Understanding Employee Behavior:

• Psychological Impact:
• Sanctions can have long-term negative effects on employee perception.
• Need for research on the psychological impact, especially for rule-breakers.

Current Research:

• Dr. Mikko Siponen working on:
• Understanding and prevention of cybercrime through offender-victim communication.

Industry Trends:

• Increasing sophistication of threat actors, potentially enhanced by AI.

Takeaways for...

In this thought-provoking episode of Cyber Ways, Tom and Craig discuss the intriguing topic of cybersecurity and religion with guests Dr. Karen Renaud and Dr. Marc Dupuis. Karen and Marc share insights from their research exploring the intersection of cybersecurity and world religions, offering a fresh perspective on enhancing cybersecurity practices.

Key Points Covered:

- The innovative research by Karen and Marc on leveraging positive values from world religions to influence cybersecurity behavior.

- The discussion on the drawbacks of fear-based cybersecurity practices and the importance of fostering a positive culture within organizations.

- Insights into the role of community, belonging, and sacred values in both religious communities and cybersecurity environments.

- The parallels drawn between religious principles and cybersecurity practices, emphasizing adaptability, forgiveness, and the sense of belonging.

- The significance of incorporating nonnegotiable values and building a culture that supports cybersecurity from top to bottom within organizations.

As Karen and Marc shed light on the impact of incorporating religious values into cybersecurity, they advocate for a different perspective on how a sense of community, forgiveness, and grace can transform cybersecurity practices. Join Tom, Craig, Karen, and Marc as they explore the potential for positive change in cybersecurity culture by drawing upon timeless principles from world religions.

Don't miss out on this enlightening episode of Cyber Ways and discover the transformative power of integrating religious values into cybersecurity practices. Tune in to gain a new perspective on building trust, community, and resilience in the ever-evolving landscape of cybersecurity.

Subscribe now to Cyber Ways for more insightful discussions on innovative approaches to information security and stay ahead in the realm of cybersecurity. Go to https://cyber-ways-podcast.captivate.fm to subscribe.

Guest bios

Karen Renaud is a Scottish computing Scientist at the University of Strathclyde in Glasgow, working on all aspects of Human-Centered Security and Privacy. She is particularly interested in deploying behavioural science techniques to improve security behaviours, and in encouraging end-user privacy-preserving behaviours. She collaborates with academics in 5 continents and incorporates findings and techniques from multiple disciplines in her research.

Marc J. Dupuis, Ph.D., is an Associate Professor within the Computing and Software Systems Division at the University of Washington Bothell where he also serves as the Graduate Program Coordinator. Dr. Dupuis earned a Ph.D. in Information Science at the University of Washington with an emphasis on cybersecurity. His research focuses on human factors related to cybersecurity, especially how psychological traits affect cybersecurity behaviors.

Discover the forces shaping your financial data's safety as we sit down with the eminent Jake Lee Jaeung, the Clifford Ray King Endowed Professor of Information Systems. In a landscape where cybercriminals lurk at every digital corner, we dissect how a blend of routine activity theory and practical cybersecurity can alter the terrain to our advantage. Together, we plunge into Jake's rigorous study with 461 financial institution employees and unravel the factors that skew risk perception and the likelihood of data breaches.

With Jake's expertise, we peel back the layers of data security, challenging the conventional wisdom that greater transparency equals higher risk. This episode illuminates how the value of information, the effectiveness of guardians, and the strategic reduction of data availability can form a robust shield against unauthorized access. We also navigate the nuanced chess game of social engineering defenses, providing valuable insights and tangible actions that can be applied across industries to shield your organization's most precious assets from the prying eyes of the digital underworld.

Intro audio for the Cyber Ways Podcast

Outro audio for Cyber Ways Podcast

Cyber Ways is brought to you by the Center for Information Assurance, which is housed in the College of Business at Louisiana Tech University. The podcast is made possible through a "Just Business Grant," which is funded by the University's generous donors.

https://business.latech.edu/cyberways/