In this episode of the Redefining CyberSecurity podcast, host Sean Martin discusses the challenges of security awareness and other information security training programs, products, and operations with Julie Haney from NIST, emphasizing the importance of a human-centric approach.
Guest: Julie Haney, Computer scientist and Human-Centered Cybersecurity Program Lead at National Institute of Standards and Technology [@NISTcyber]
On Linkedin | https://www.linkedin.com/in/julie-haney-037449119/
On Twitter | https://x.com/jmhaney8?s=21&t=f6qJjVoRYdIJhkm3pOngHQ
____________________________
Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin
____________________________
This Episode’s Sponsors
Imperva | https://itspm.ag/imperva277117988
Pentera | https://itspm.ag/penteri67a
___________________________
Episode Notes
In this episode of the Redefining CyberSecurity podcast, host Sean Martin engages in an insightful conversation with Julie Haney, the leader of the human-centered cybersecurity program at NIST. The discussion revolves around the challenges organizations face in implementing security awareness and other information security training programs, products, and operations.
During the conversation, Julie introduces the NIST phish scale, a tool that helps training coordinators contextualize phishing click rates. It considers user context and alignment with individual roles, allowing organizations to tailor their phishing simulation exercises to engage employees effectively. This approach goes beyond numbers and focuses on the human factor in cybersecurity.
Sean and Julie discuss the various challenges organizations encounter when implementing security awareness programs. These challenges include obtaining leadership support, allocating sufficient resources, and finding engaging approaches for a diverse workforce. They emphasize the importance of collecting user-generated security incidents and gathering feedback to identify areas for improvement and enhance awareness programs.
Throughout the conversation, Sean and Julie highlight the significance of understanding and addressing human factors in cybersecurity. They stress that effective security awareness and training programs should go beyond compliance and consider the individual's mindset, attitudes, and behaviors. Additionally, they discuss the lack of effective metrics to measure program success and impact, emphasizing the need for organizations to gather data and feedback to continuously improve their programs.
Overall, this episode offers practical insights and advice for organizations seeking to enhance their security awareness and training initiatives. It emphasizes the importance of a human-centric approach and provides valuable tools, such as the NIST phish scale, to help organizations tailor their programs to engage employees effectively.
So, tune in to this episode as Sean and Julie take a journey into the challenges and solutions surrounding security awareness in the ever-evolving world of cybersecurity.
____________________________
Watch this and other videos on ITSPmagazine's YouTube Channel
Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:
📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq
ITSPmagazine YouTube Channel:
📺 https://www.youtube.com/@itspmagazine
Be sure to share and subscribe!
____________________________
Resources
Human-Centered Cybersecurity: https://csrc.nist.gov/projects/human-centered-cybersecurity
NIST Unveils Newly Named Human-Centered Cybersecurity Program: https://www.nist.gov/blogs/cybersecurity-insights/nist-unveils-newly-named-human-centered-cybersecurity-program
Julie's LinkedIn post about NIST Unveils Newly Named Human-Centered Cybersecurity Program: https://www.linkedin.com/feed/update/urn:li:activity:7113240410604363778/
____________________________
To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-cybersecurity-podcast
Are you interested in sponsoring an ITSPmagazine Channel?
👉 https://www.itspmagazine.com/sponsor-the-itspmagazine-podcast-network
Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.
_________________________________________
[00:00:00] Sean Martin: Well, everybody, this is Sean Martin, your host for the Redefining Cybersecurity podcast here on ITSP Magazine Podcast Network, where I get to, uh, have amazing people on to help me understand better, and hopefully you understand better, our listeners, how to operationalize security and, uh, There's a lot to that.
A few words mean so many things and, uh, for those who followed ITSP Magazine for a while, you might know that Marco, my co founder, and I started ITSP Magazine. For the very reason of the topic that I'm going to discuss today and that the human element of cyber security and, uh, we did that in the context of all the human elements of cyber, uh, both as a user and as a practitioner and as a leader and, and, tagline, it's impact on society as a whole.
So a collection of humans and, uh, we So when I saw a post from my guest, Julie Haney, hey, Julie, thanks for joining me. Thanks for having me. I said, we have to talk about this. Anytime we get some insight on what the human has to do with cyber. I'm totally interested. And, uh, Julie. Is working on some stuff with NIST around the human centered cybersecurity program, which we're going to get into.
Um, and Julie, before we do that though, a few words about who you are. Are you human?
[00:01:43] Julie Haney: What, what, what? I am human. I have not recently been generated by an AI. Um, yeah, I am human. Um, yeah, I lead the human centered cybersecurity program at the National Institute of Standards of Technology, otherwise known as NIST.
[00:02:03] Sean Martin: And you're very humble when you say that. Tell us a little bit about your journey into that role. Maybe some of the things that led you to that point.
[00:02:12] Julie Haney: Yeah, it definitely was not a direct route. So, like many security people, I started off in computer science. Got a degree in computer science and went to work for the Department of Defense.
As a security professional for many years, I started off doing vulnerability assessments, telling people all of the things that were wrong on their network and how they could fix those. Wrote a lot of security guidance and spent a lot of my time Trying to get organizations to implement various security mitigations, better protect, um, their information, their networks, their people, um, and, you know, throughout all of that, uh, you know, one of the things that I learned early on is technology is not always the problem or rather, you know, technology exists and, and it can do the things that we want to do, um, when it comes to cybersecurity, but there's a lot of other reasons That's why people and organizations really struggle with cybersecurity.
Um, and those are all really centered around that human element. It's about people. If we think about it, cybersecurity is for people, designed by people, used by people, exploited by people. So people are really at the center. Um, and so You know, when I just, you know, learned about like, well, how are, why is cybersecurity failing?
What are all the reasons for that? Um, and, you know, it goes back to things that are, um, you know, generated and have to do with people. So policies that People make policies, uh, processes, um, organizational security culture, uh, you know, people understanding or not understanding cyber security and what's expected of them, um, poor usability of, uh, security, um, tools, technologies, processes, policies, um, training is a, is a big element.
So all of these go back to people. And I was really interested in learning more of the science behind what I had been observing. So, uh, late in life, uh, later in life, not too late in life, but later in life, I went back, um, to graduate school to study human centered computing and, um, started doing research about the human element of cybersecurity, um, and, uh, had an opportunity to, um, To do a temporary assignment with NIST, um, and their usability group and loved it and ended up, uh, eventually transferring over there, um, to, to kind of, you know, continue doing that type of research and really getting at, um, the center of cyber security, which is that, that human, those people.
[00:05:13] Sean Martin: So there's a couple, and there's a few things I'll, I'll put the links to these items here. There's a. There's a POST and there's a PROGRAM, and... One speaks to usable, usable cybersecurity, which I think is the old name of what you're working on, and now it's human centered cybersecurity. And maybe that's a good place to start.
Why the change? And maybe an overview of what does it mean to have user centered cybersecurity? Cybersecurity. We were joking before we started recording. Is that user awareness training or or what? Right. Yeah, why why why those terms? Why the change? What does it mean?
[00:05:57] Julie Haney: Yeah, so the usable cybersecurity program has been around at NIST for 10, 12 years now, and I've been at NIST about five and a half years, um, and, um, it really did, it was rooted in usability.
So when we talk about usability, we, we talk about whether something, um, can people perform a task with effectiveness, efficiency and satisfaction? So kind of looking at those, um, three elements. And so The program was founded in kind of usability of like passwords, different types of authentication mechanisms, biometrics, those types of things.
Um, and, and we still do those. You know those that type of research and looking into to problems from that usability perspective But um, we really go beyond that and we've been going beyond that for a while Um, so it's not just about kind of like a usability of an interface Which is I think what people kind of think of right like of you know, like this tool or this web You know how unusable this you know particular website is um We really are going beyond that to look at people's perceptions, their attitudes about security, and how that impacts how they interact with cyber security.
Um, you know, really getting at, um, um, That those relationships that people have with cyber security, and it's not always about usability, right? There's like a lot of social factors that impact how we view, you know, online security and privacy. So, you know, we were kind of finding even as we marketed ourselves internally within our own organization, people kind of thought, oh you you all do like usability evaluations and like we don't really And I was like, whoa, we can like We can do more than that.
We can, like, step back and look at organizational factors that might impact, you know, how security is going. Um, you mentioned security awareness training. There could be a usability component to that, but that's, you know, beyond usability. I mean, that's about how, how are people learning about, um, security?
Do they find that to be relevant to them? Do they see their responsibility in that? Are they getting enough instructions that they can make good security decisions? Um, so all of that encompasses. There is part of human centered cybersecurity. And so we've been talking as a group for a while that we wanted to, a name that better reflected that, and maybe cleared up some of the misconceptions that were kind of putting us in this little silo of only usability evaluations.
[00:08:42] Sean Martin: I love it. Then can we, can we further define the scope here? Um, a lot of what I heard you say. Connects me to the end user, um, and not necessarily the security practitioner, which happened to be end users as well in some, right? They don't get a free pass on that, even though we might, might think they do.
Um, does it focus primarily on end users, employees within the business? Does it go outside the company to customers of the business? Kind of, where does, where does that go?
[00:09:17] Julie Haney: It definitely is beyond end users. I mean, that, that's definitely, you know, we do look at end users. So kind of like general public, you know, typical employees, like cybersecurity, non experts, we definitely do projects related to them.
Um, now myself, especially having been a security professional, I have a special place in my heart for trying to help security people because they are heroes. They do amazing things. They're overwhelmed. Um, so how can we help? Do research to help them do their jobs better with, you know, you know, with more, like, satisfaction and, and, um, how can we arm them with the knowledge that they need to then also improve the experience of the end users that they support?
So we definitely look at, at specialized groups of people, um, you know, we're starting, um, a voting project looking more, um, eventually going to be looking more at, um, election officials and some of the challenges that they have with cyber security, implementing cyber security. So it's. Our work really encompasses all of the stakeholders in cybersecurity.
So it's not just, you know, end user.
[00:10:34] Sean Martin: Yeah. I can see the election officials, the campaigns. I know we we've interviewed some folks on campaign stuff in the past and strategies. People contributing. It's sensitive information and who has access. How do they do it? How do you secure it? All that stuff is fun.
Um, I want to maybe get, get your insight on, do you have a few projects or programs that you can share? Um, what initiated them? What was the outcome of them? Pick one or two maybe that, uh, a passion area for you, maybe? Sure.
[00:11:16] Julie Haney: Um, so one, um, area that we've, um, we actually have several projects related to this is you mentioned security awareness and training, uh, kind of a hot topic, um, with a lot of organizations, um, and, um, So we have a project to help security awareness and training coordinators who are doing fishing simulation exercises.
Um, so, um, some of my colleagues have developed something called the NIST Fish Scale. Um, To help those training coordinators contextualize their phishing click rates. So it's not all about the numbers. Um, there's a lot more that goes into it. It's, you know, about determining whether or not a particular phishing, assimilated phishing email was more difficult.
Or easier and it's not just kind of from like the typical like phishing queues like for spelling or grammar errors There's a lot of user context that goes into that as well. So does that phishing email align with like my duties as Uh, you know in my organization. So if I get a like a financial related Email and I work in finance.
I'm more likely to click on it. So I'm trying to help those Coordinators to contextualize their phishing simulation click rates and to better tailor those to their employees, to their workforce. Um, so that's part of the security awareness. And we've also done some work looking at government security awareness, um, programs.
Again, from the security awareness professional perspective, what are the challenges that they are having in implementing these programs, um, in their organizations? Are they like more compliance based with like, you need to get a hundred percent, you know, people trained, which what does that mean? It means people, a hundred percent of the people took the training doesn't mean that you had an impact.
So looking at it from those perspectives, um, and that information has. That's really informed, um, the group at NIST that's working on a new special publication about building, um, a security awareness and training program. Um, so we tend to do a lot that kind of feeds into the people that are writing kind of like the official NIST guidance.
Um, so that's definitely one, um, vein of research, um, that, um, We've had, we've had a lot of good feedback about, um, and we feel like it's, it's making a real impact. Um,
[00:13:56] Sean Martin: can we stick with that one for a moment? Sure. Yeah. Go for it. Maybe, maybe we'll get to that one. But I want to dig into that one a little bit because I think as a, as an organization, um, My sense across the board is we need to do something for X.
And, and that's not our area of expertise. We bake muffins or cupcakes or whatever. And, uh, or we, we sell widgets to, uh, to, uh, the aerospace industry. We're not security professionals, but we have a security team, but all these different things, especially when we start talking about end user security awareness training, it's not.
It's not firewall rules, right? This is human. This is the way people think and react and individually and together and, and how they're influenced and, and what incentivizes all this stuff, right? Is, is human based. So what are some of the challenges? And I'm sure this is how you look at these programs and projects to help help people get started.
What are some of the challenges you see organizations facing? Is it understanding? What the objective is, is it finding the products? Is it supporting them with the right team? All of the above. So tell me, tell me a little more about some of the challenges they face and how the work you do maybe helps unlock or overcome some of those.
Yeah.
[00:15:31] Julie Haney: Um, so I think. A lot of, um, a lot of problems has to, it was very interesting because we asked people, do you feel like you have leadership support? And like most people are like, oh yeah, we definitely do. And then it was like, do you feel like you have like enough like resources or staff? Oh no, not at all, not at all.
So there's a disconnect there, right? Um, So it's not always prioritized, or it's, um, you know, I mentioned the C word, compliance, before. Um, organizations tend to look at security awareness as a once a year compliance activity, you know, especially in the government. I know there's other sectors that there's a requirement that everyone do security awareness training.
Um, and so they, you know, are focused on like, we got to get people trained. It's a once a year thing. The problem is you do the once a year, people are just rushing through it, you know, there's no reinforcement throughout the year. And so that kind of constant reinforcement, um, the sending reminders, the having activities throughout the year is so important.
And a lot of organizations get that, but they're kind of struggling to find like, well, what's the most engaging thing from my employees, right? Like, what's going to really like... Bring them in, get their attention, um, you know, I get emails all the time that have to do with, you know, security awareness type of topics and I'm just like, delete, delete, delete.
Um, so, so how do you, how do you... Have, have this kind of these, how are you engaging a very diverse group of employees who like to receive information in very different ways? Um, and so I think a lot of organizations kind of struggle with like, well, how do I do that? Um, you know, there's, there's a lot of, you know, creative approaches, you know, people talked about.
These escape rooms, you know, they had it like a security awareness type of escape rooms, or they had different activities throughout the year that are more engaging types of, you know, Games, things like that. So I think, like, I think a lot of organizations struggle to find material past the kind of one and done.
Um, The other huge challenge is that a lot of organizations have no idea how successful their programs are or not, because they're not gathering the types of measures of effectiveness or metrics that they need. need to really determine that. So, you know, they have like an X number of people completed the training, um, but they don't have any impact measures, right?
So how is this actually changing people's behaviors and their attitudes? And so, um, you know, collecting things like user, what I'm calling user generated security incidents, right? So, um, So how many, um, how many people are, um, you know, leaving their smart card in their reader? How many instances do we have?
How many people are clicking on phishing emails or getting infected with malware? How many people are calling the help desk? The help desk is like a treasure trove of information about things that people are struggling with, right? Um, they're the first line. So are we looking at those things? And then getting like that's the symptom that there's a problem and like getting that the root cause well Why are people struggling with this?
and to do that you need to go and like actually like talk to people and get the impact and survey people and um, you know hear from them about You know, what's going on? Like, what can we do to help? And how that information can then inform your security awareness program, right? So if people are really struggling with phishing, maybe we need to ramp that up.
Or maybe we just had a huge phishing campaign and look, we see like the number of people reporting phishes are going up. Like, that's good. Like, that's an indicator maybe that we did something right. So I think a lot of organizations don't know what type of data to collect and how to show. That their programs actually make an impact and they also need that data to improve their program, right?
So to keep, you know, addressing problem areas or maybe their specific groups that need more help. Um, so they're kind of left in the dark about, you know, what to do next, um, without, without those measures or effectiveness.
[00:20:10] Sean Martin: So I'm, I'm imagining a number of the listeners going, all right, I have a program, I use some tech, I better, I have a, I should look at how I can use my data better, um, tied to objectives.
Um, but you said something that, that many probably. Gloss over as they're listening, have a conversation with, with the people. Um, and so that leads me to two things. One, are we as security professionals able to have those conversations and let's assume maybe not everybody is, um, or comfortable with it. Um, which then leads me to the second point of there's more to the program than the tools, the process, the data, the results.
Um, how do you help people kind of encase the program with a broader scope? I'm thinking HR, marketing, um, people that can help get the word out and, and, and help people understand why and to have those conversations, maybe if it's not appropriate for, for security people to have them, but maybe, can you talk about the bigger, bigger circle there?
[00:21:25] Julie Haney: You just answered the question with exactly how I was going to answer it. Um, yeah, like, yes. Um, so, so first my argument for a security awareness profession, like, yes, like not everyone who is a security person is going to be like a great communicator. It's like that in a lot of, a lot of jobs. That's fine.
Not everyone needs to do that. You need some people that can definitely do that. Um, but a security awareness professional. should have that set of skills. Um, I think one of the issues is that they often just, you know, take some random security person and they're like, you're the security awareness person, right?
Like you don't necessarily have any other background, you know, security, but you don't like. You know, no, you don't necessarily have like great communication skills or interpersonal skills, or you don't know anything about like instructional design or anything like that. Um, so that, you know, I, I feel bad for those people.
They don't, they don't have the, the kind of skill set. So, so how do we, you know, Not everyone is going to have it all, right? So exactly what you said is that there needs to be more collaboration, more building these kind of interdisciplinary teams where people have skills that complement each other. So involving the communications team is huge.
I mean, we are finding that we haven't been making enough use of our great communications team, um, in, in our, um, in our area. Um, they're fantastic with helping like to craft messages and, and they know like, like can help you translate your techno speak into kind of plain language or get people's attention.
Um, so enlisting the help of people that are, you know, that know how to, um, Design, you know, are more into instructional design or learning and know how people learn. And, um, so it really does take a team, a diverse team of people to do that because you're rarely going to find the whole package in one person, um, with respect to like what's needed for security awareness.
[00:23:37] Sean Martin: That's the superhero cybersecurity.
[00:23:39] Julie Haney: There are, they exist. I've met a few and they're amazing. Um, but it, but they, they usually also have, have a team. It's really difficult to just do it alone.
[00:23:51] Sean Martin: Yeah. So I presume the work that comes out of your team and you're supporting teams around you, uh, with the. With the, uh, what are they called, basically who produces the final, uh, the final pieces.
I presume you cover a lot of that in the materials that you develop and share with folks. Um, kind of, is it a big picture view of here's how you approach it. Here are the things you need to consider. Examples of technology, examples of projects, examples of, how much does it cover in the stuff that you put together.
[00:24:32] Julie Haney: Um, yeah, we try to, hopefully I'm answering, I, I'm interpreting Kristen right, answering it, um, well, um, we try to have a practical spin on what we do, so to, to kind of go into those suggestions, um, for practitioners, um, you know, we, I mean, You know, we publish like researchy papers and things like that in our research forums, but we, we always try to kind of come back to like, what is our, our main goal is to get information into the hands of people that can do something about it.
And so, um, we do have the kind of those practical suggestions, um, you know, examples. One of the great things about some of the research that we do is that we have, like real world examples and lessons learned from, from other people doing similar types of jobs. And people have found that so valuable. It's just, you know, learning from other, like, what are other people doing?
I found in the security community. We're, we tend to be very, um, collaborative and we want to hear what other people are doing and, and their experiences. Um, and so we're just, we see ourselves as a conduit for helping some of that sharing as well.
[00:25:55] Sean Martin: Perfect answer, because I'm actually looking at some of the, the word I was looking for is publication, right? You produce a lot, you publish a lot of things, sorry. Yeah, yeah. And there's a ton of resources, papers and presentations and videos and blogs. Um, All of which can help paint a picture. Um, I guess, is there a, like an overview?
I'm just thinking, is there something that says start here? Is there a way, way to guide people to, and then maybe we should focus on fishing for a moment. Is there a start here place that people go? Or do they just randomly research and see all the stuff you've done?
[00:26:35] Julie Haney: Um, Oh, just a, a place for people to start with the error, with error information.
Um, well, we have, um, we recently revamped our human centered cybersecurity web pages. Um, there's a list of our kind of the topic areas that we're interested. Or that we've been working on. Um, so people can, can click there. Um, they can get an overview of what we're doing in the space and then they can see, um, it's organized by, you know, more like kind of papers or blogs, videos that those types of things, um, um, to get, um, you know, if there's a specific topic that they're interested in.
Um, You know, looking for suggestions of people, if people have other ideas of how to better organize it. Um, but that's, that's what we're, we're doing right now.
[00:27:30] Sean Martin: Love it. So I want to go to you, you're about to, uh, when I derailed us, you're about to give another, another example of a program or project. Oh,
[00:27:41] Julie Haney: yeah.
So this is a, this is an in progress. Um, and it's something, again, that I feel very passionate about. As I mentioned before, I was a security practitioner and I'm very interested in helping security practitioners. Um, So we've been, um, doing, um, a project to help bring the research and the practitioner communities together.
Um, because I think about when I was a practitioner. Um, how much I didn't know about, you know, kind of human behavior and what's already been done and, um, you know, what kind of research evidence is already out there that could help me do my job better. And I didn't know because I, you know, don't live in, I didn't live in that world and I was busy and, um, and I, you know, not everyone has the opportunity to go back to graduate school to study it like I did.
Um, so. You know, there's so much great research that's been done that could be really helpful to practitioners, but how do we get it to them? Um, and there's, you know, and this is not unique to cybersecurity at all, um, you know, this research practice gap, right? Um, Is, is, uh, kind of prevalent throughout all kinds of fields for, for all different types of reasons, right?
So, you know, there's often not that translation done between like the, you know, the very research oriented paper that goes into your methodology and great excruciating detail and all your statistical analysis. Like practitioners don't, They don't necessarily care about that. They care about kind of what you did in general and what you found, right?
So that translation doesn't always take place because. Researchers, they have a different incentive structure, right? They, they're incentivized by publishing papers and, and, you know, um, well respected forums and, and conferences and journals and, and, and, uh, you know, they don't, they're not, uh, evaluated based on like who they give this stuff to and does it have actual impact in practice.
But what we've been finding in The human centered cybersecurity community is these researchers really want to make an impact. They just, you know, they don't necessarily have the time or the resources to do it. They're not sure, um, how best to reach practitioners. Um, so we did, um, we did a couple surveys.
We did one, um, for practitioners and one for researchers. And, um, just kind of for the researchers trying to figure out, well, how are you kind of incorporating practitioners throughout your whole research life cycle so that you make sure that your research is relevant to them, right? And then at the end, that it's actionable, that they can find it, that it's in, You know, translated into something that's meaningful to them.
Um, and then looking from the practitioner perspective about, you know, how do they feel about kind of human centered cybersecurity in general? Is it something that they try to incorporate into their work? What's the challenge that they have doing that? How do they want to receive information? Um, so we're, we're kind of going through the results now and doing our analysis.
And in general, what we're finding is, is that both communities, they really want to share that information. They, there's just a lot of barriers in the way there's, so we need to look for solutions that doesn't put undue burden on either community. Um, so, you know, one of the really interesting things, um, when we were going through and reading about the research practice gap and other fields, um, there was a paper that suggested, um, The establishment of, uh, what they call evidence bridges.
So evidence meaning research evidence. And these are like intermediaries that take and synthesize research that is of interest to practitioners. So they have a pulse on practitioners and what practitioners care about. And they synthesize it into kind of a digestible. Um, you know, form, and that doesn't mean dumbed down.
It means, you know, more actionable and, and something shorter for practitioners to take. And so they're kind of, they act as this, and then they, they kind of bring the practitioner needs over to the research community. And we don't really have that in cyber security.
[00:32:03] Sean Martin: Um, I'll say we do. It's called CHAT GPT.
[00:32:09] Julie Haney: Well, you, you know, You know, ITSP is a, is a, can be an evidence bridge in some ways, right? If you invite people like me, um, who are researchers, and then you're asking me questions that are of interest to practitioners, you're kind of pulling out that information that people care about. Um, so, you know, how, how can we bring these two communities together?
Um, To share this information that's so important that security professionals don't, they don't learn about naturally, right? Like in their, like in their educational or their professional education, they're just not being exposed to this. So how can we.
[00:32:55] Sean Martin: Yeah. Cause I, I just did a podcast gentleman, uh, from Nigeria and he was talking about, it was a gruesome example, but when, when somebody is about to pull a trigger, their eyes do a certain thing.
And bottom line, he was trying to say is we as humans have signs or signals or things that we do before we take action. And if we can understand what that is, maybe we can get ahead of those things, uh, to help them not do something bad or, or to encourage them to do something good based on the signs that we're seeing.
Um, so. So it was very interesting to me that we have all this, all these studies and all this research, and to your point, It's interesting, but could be meaningful and impactful. Um, so you're talking about this gap. Um, what, what's your plan? What's NIST's plan for helping to, to close that gap? Do you see, is it communications?
Is it platforms? Is it just talking like this? What, what, what's the idea?
[00:34:13] Julie Haney: Yeah, I mean, we, so I, I will say that we're, we're kind of early, um, in our research because we want to have evidence to inform our, our recommendations at the end. And, and we plan to do kind of a follow up to, um, interview some people to get some more in depth information and their ideas for how do we, how do we bridge this gap as well.
Um, You know, I don't know what kind of the solutions we'll look for, but you know, what we're doing right now at NIST is we're, um, we're really starting to encourage more and support more forums that are bringing researchers and practitioners together. I'll mention one. Uh, here's, here's my disclaimer that the opinions and that I express here are only mine and do not represent those of NIST.
Um, but we, we actually, this is, I mean, this is official. We are co sponsoring, um, a conference called IMPACT, um, that will be, I believe it's March 21st in, um, Virginia, McLean, Virginia. Um, and, um, This is a conference that's been done, um, in the UK for the last several years. Um, and it is specifically for that, to bring researchers, you know, and practitioners together to allow researchers a forum that they can talk to practitioners about some of the research that they've done.
That's very, um, applicable to, to the, Um, and so it's coming to the US. Um, I don't know that it's been officially advertised. This might be, I might have just outed it. Um, but, uh, but it, but it will be soon if it hasn't. Um, and so, um, like those types of forums, we're very interested in, um, Bringing people together, um, you know, um, you know, how do we give researchers a platform to talk to practitioners and to get their feedback?
[00:36:29] Sean Martin: Well, I think, um, obviously there are a gazillion ways to, uh, to close that gap. Um, you, you mentioned us in this conversation and I'll, I'll just say now that you have, you have a friend. and ITSP Magazine to to open those conversations. I'm happy to, with you as my co host, uh, bring, bring researchers and practitioners together and let's just rap about stuff if, if that's of interest.
You have, you have an open door for that, so anytime, anytime you feel that's, uh, that's something that's there, we, we can certainly do that. Um, we're kind of getting close to the end here in terms of time. I'd like to give you a moment to I presume there are ways for people to get involved, right? Not just absorb information, but give back and contribute to the work that you're doing.
Are there ways for people to do that? Does it just connect with you, or are there ways to sign up for specific projects? Tell me a little bit about that.
[00:37:31] Julie Haney: Um, yeah, I mean, um, well, first of all, whenever, you know, this puts out a publication, um, you know, and it's open for public comments, please do comment on that, especially if there's, if there's something, um, some human element, um, uh, aspect that you want to comment on, you know, please do that.
Um, We don't necessarily have a great way to involve, um, um, kind of general public people, but, you know, definitely, um, you can connect with me on LinkedIn. I am very responsive. Um, so feedback is fantastic. Um, I have, uh, just recently started, uh, you know, whenever we, our group put something out, you know, we're sending a link to that.
Um, would love to hear, was it useful? Um, you know, did it make some kind of impact on you, maybe even, you know, on an individual level or your organization? Um, Are there, you know, are there things that we need to go into deeper? Are there other topics that are of particular interest? Um, you know, we want to get that feedback.
So, um, I think, you know, and that's one of the easiest ways. Um, also going to our website, my contact information is there. We have a, um, a male, uh, email address, um, a human dash cybersec. at NIST. gov. Um, feel free to, to email us there. Um, we, we are actually responsive. We do read the email and we do respond.
Um, so yeah, just, uh, send, send comments. Let us know how we're doing, how we can do better, what we need to look at. That's, that's a big priority in the security community that maybe we're
[00:39:22] Sean Martin: overlooking. All I can say is, uh, Kudos to you and the team. I mean, a huge, huge, uh, amount of effort and results already.
I mean, there's, there's stuff on authentication and cryptography and obviously we talked about phishing, but privacy as well, user perception behavior. I'm sure that's an interesting one. You mentioned the voting one earlier and, uh. I don't know if it's in concert or connection with NICE, but there's a youth security and privacy one as well.
So a lot of topics, uh, that all touch the human, which I love. And I'm super happy to hear that you're, you're doing all these things. And I, I, I echo what you said. I would encourage people to go and, and, and look around and see what's there. Uh, absorb what you can provide feedback where you have it. Um, um, it's an important.
Uh, as I mentioned, Marco and I started ITSB Magazine because of this, and it's great to see, uh, great to see the work coming together, uh, research driven, not just, uh, not just because we know it's important, trying to figure it out. We actually have, we actually have data to help us do a better job with it.
[00:40:38] Julie Haney: Well, I appreciate the opportunity, Sean, it was great, great talking with you.
[00:40:43] Sean Martin: Always, Julie, and, uh, keep up the good work, we'll include links to, uh, some of the things we talked about here today, and, uh, of course, uh, I would encourage everybody to, uh, share this with your friends and enemies, both, and, uh, subscribe, have fun, comment, uh, connect with us, and, uh, Julie, thank you, again, for taking the time today.
Thanks,
[00:41:08] Julie Haney: my pleasure, thanks.