Episode 15

Significance of the Human Element in Cybersecurity

Prof. Missy Cummings of Duke University, a renowned authority in human-technology interactions and a Presidential appointee, spoke to the importance of understanding human motivation and behavior to proactively predict and detect deception. In a very candid and engaging conversation, Prof. Cummings expressed her concern about cybersecurity as a field not receiving the necessary scientific recognition and support. "Cybersecurity is not like changing the oil of your car, it is its own science," she said while discussing the various aspects of cybersecurity knowledge creation and dissemination. She also talked about her class on the Human Element in Cybersecurity and how she draws from various scientific knowledge bases (such as cognitive science, systems theory, game theory, and queuing theory) to provide a rich learning experience.

To access and download the entire podcast summary with discussion highlights:

https://www.dchatte.com/episode-15-significance-of-the-human-element-in-cybersecurity/


Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

Transcript
Introducer:

Welcome to the Cybersecurity Readiness Podcast Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of Cybersecurity Readiness: A Holistic and High-Performance Approach by SAGE Publishing. He has been studying cybersecurity for over a decade, authored and edited scholarly papers, delivered talks, conducted webinars, consulted with companies, and served on a cybersecurity SWAT team with Chief Information Security Officers. Dr. Chatterjee is an Associate Professor of Management Information Systems at the Terry College of Business, the University of Georgia, and Visiting Professor at Duke University's Pratt School of Engineering.

Dr. Dave Chatterjee:

Hello, everyone, I'm delighted to welcome you to this episode of the Cybersecurity Readiness Podcast Series. Today, I have the pleasure of talking with Professor Missy Cummings, of the Pratt School of Engineering, Duke University, about the significance of the human element in cybersecurity. Professor Cummings is a renowned authority in human-technology interactions. In October 2021, the Biden administration named Cummings as a new Senior Advisor for safety at the National Highway Traffic Safety Administration. A naval officer and military pilot from 1988 to 1999, Missy was one of the Navy's first female fighter pilots. She is an incredibly gifted and accomplished academic. It's truly an honor to have her as a guest on the Cybersecurity Readiness Podcast show. Missy, welcome! Thanks for making time. I'd like to get started by asking, how does your work on human safety in automation and robotics inform cybersecurity research?

Missy Cummings:

Well, first, let me say thank you for having me, it's a real pleasure to be here, and as a researcher, I'm relatively new to conducting research in this field. But it really came about because of the work that I've been doing in human interaction with autonomous systems. And I would say the real point of my entry was, as we were starting to in my lab, we were starting to evaluate how much humans err in the construction of artificial intelligence and how human subjectivity can cause problems in the design of AI, I think that one of the natural kind of gotcha points there was then the influence of humans who are designing these technologies, and then cybersecurity vulnerabilities. And so I just naturally ended up going down that path, because there are so many problems with vulnerabilities and artificial intelligence. And it's still such a nascent field, people don't even understand how and where the vulnerabilities are when we create AI.

Then I got fascinated as I started to dip my toes in the water, I started to think about deception. And because that's fundamentally what cybersecurity is, and social engineering, as you and your audience will know, is the number one threat access that people, companies, face in cybersecurity attacks. And so I started really getting fascinated by, we spend so much time trying to prevent deception. What if we could get inside the heads of people to maybe predict how, when, why people deceive and start thinking about it from the other end? And so, I have some research underway with various other collaborators where we're thinking about how to model deception kind of proactively, because, you know, you want to keep your friends close, but your enemies closer, right? So, yeah, so if we could figure out how to get in the minds of the people who are doing the deceiving, the hacking, that is another way to mitigate cybersecurity attacks.

Dr. Dave Chatterjee:

Great. Welcome to the field. I'm delighted to have you as a colleague in this area. As you know, as you alluded to this, cybersecurity has to be approached multi-dimensionally, there's a technical side to it, there is a very strong human side to it, there is an organizational side to it. So, when you speak about the human factor, when you talk about deception, trying to understand deception, it also brings to mind, what motivates people? And I say that from the standpoint of cybersecurity training, as you know, we all get trained uniformly, consistently. But when it comes to applying what we've learned, the implementation of that varies from person to person for a variety of reasons, some of which relate to behavioral traits. Is that something that you can relate to and speak a little more about, the importance of the human factor from the standpoint of cybersecurity training?

Missy Cummings:

Well, first, I would just tell the audience, and I'm not sure if you can make these documents available, but I'd be happy to give everybody my syllabus from the class that I just finished teaching called the human element and cybersecurity, because it really speaks to that. What are all the core fundamental first principles to cybersecurity, human behavior, and even some systems engineering? And I will tell you, I would kind of argue first with your assumption that we're all sort of uniformly trained. Oh, haha, I mean, I'm kind of laughing holding my stomach, oh, my gosh, the one thing that I really started to uncover when I was developing this class on humans and cybersecurity is, it is just amazing to me how uneven the training space is out there. And, you know, I mean, there's a lot of truth to the fact that maybe big companies take cybersecurity more seriously, because they're bigger targets. And thus, maybe they have better cybersecurity practices. Maybe, I say maybe, because we see big companies all the time really get in a bind, because they have very sloppy cybersecurity practices.

And so one of the things that I think is a very interesting Venn diagram for the way companies think about cybersecurity is they think about it last, kind of, if at all. And that is also the same problem that just basic human factors consideration has in the design of any product, right? So if we design a technology with autonomy, maybe, if at all, we consider the human, and it's the same thing for cybersecurity. And so then there's that shared Venn diagram, which means that if it's a human security issue, cybersecurity issue, then you're definitely not going to get it funded, right? Companies don't want to spend the money or the time and the effort. And yes, it takes time and effort, and I'm a big fan of having the US government start to put in at least requirements for companies that work with them. Right, as a veteran, and a person who works with the government, my identity is constantly stolen through the government, you know, through every kind of breach that the government has, my ID is stolen. So I would like to close that gap.

But it is difficult for private companies, you know, if you don't mandate it, and it's funny, because there's kind of a shared similar argument over vaccines, you know, like, we're all at risk when a company refuses to embrace at least standard cybersecurity practices. We're not asking them to go one above. So I do think that the problem that we're having in this country and in other countries is really still one of the more core issues of what do companies really value. They say in the boardroom that they evaluate, that they value ESG (Environmental, Social, and Governance) and cybersecurity; I'm afraid this is still really at the lip service level as opposed to actually being real.

Dr. Dave Chatterjee:

Absolutely. You've covered a lot of ground. Let's see if I can follow up on some of the things that you were talking about. When I mentioned about standardized cybersecurity training, I was referring to, let's say, a company hires an organization to train their employees in detecting or preventing phishing attacks. Let's say a group of 10 people get trained. Research finds that subsequent to training, some of them perform better on the phishing tests than others. And they have associated the difference in the results to human curiosity, perception of potential personal losses and other factors. So, I was coming at it from that perspective: that irrespective of the quality of training imparted, effective assimilation depends on factors such as innate curiosity, greed, perception of potential loss and more. But anyhow, switching gears a bit, you mentioned about your class, and I was reviewing your learning objectives. And one of them that got my attention is about analyzing and measuring unintentional human errors and malicious behavior. Just curious, how do you go about doing that? How do you go about measuring that?

Missy Cummings:

Well, for unintentional behaviors, you know, it's actually in our wheelhouse of everyday ways to measure human performance. You can measure, and I'm sure most companies who are very proactive do this, you know, whether or not people click on phishing emails, the kinds of behaviors. I recently had my students conduct analysis of email patterns. You can actually take someone's email and understand, just by the logs of the email, of when they're opened, how long they're opened, how much people interact with email, whether they're just reading them or writing them, you can actually get a very good model of a person's workload over time. And indeed, you know, we do see phishing attack success basically at two different times: number one, when people are super busy, and they don't take the time to read an email, or, kind of the counter to that is, when people are really bored, and there's an email that comes in that's just interesting enough to make somebody want to click that attachment or click the link. And so if you can actually develop a good model of a human's engagement in their everyday work practices, you can actually figure out when is the right time to deceive them.

And, you know, one of the problems with doing work in this space is I have my students develop these models, or I have them develop plans for how to hack, and then, you know, we can't actually do them, you know, for ethical purposes. I mean, I keep telling my students over and over, you know, these are, you know, we're just here for a learning engagement. And then I had a student, they all had a final project where they had to go figure out some kind of project related to cybersecurity, and they could propose their own. And I had one student propose that he would go onto GitHub and find out where everyone was vulnerable in how they're using GitHub. And I thought that was good from just a, you know, let's just do a descriptive analysis. But then later, I found that he was going in and trying to hack people through GitHub and say, look, I was just doing, I mean, no, no, no, no, no, you know, I think that is kind of the interesting thing. First of all, if you're on GitHub, be careful because my student knows how to go in and hack you. But it's just so easy to do. And there's so many points of access now that I think that that line between what is just trying to do good research, or, you know, trying to prevent and learn more about hacking. I do wonder sometimes, did I actually create some hackers?

Dr. Dave Chatterjee:

And it's funny, because you mentioned about students going into GitHub and trying to figure out how to hack, and many of them are technically inclined, they'll figure it out, in fact, lots of information out there for that. That brings up a very fundamental question that's very close to my heart. And that is, as you know, when organizations get breached, and when it's a phishing attack, the person or the group of people who are compromised, they are not the cybersecurity experts. They are not the ones who are technically very savvy, at least that's information that's publicly available. Given that perspective, as educators, what's your opinion on how widespread cybersecurity education should be? Who all should we be reaching out to as educators, as trainers? Does that make sense?

Missy Cummings:

Yeah, so, you know, I think it's a great question, because companies are going to say, well, you know, we're going to give everybody cybersecurity training on how not to click on that link. And a lot of companies will want to be a one and done, right? I'm just going to give one training session and be done. Unfortunately, cybersecurity follows what I would consider a safety-critical event model, which means that you can think of airlines and, you know, just aviation in general, there'll be an accident. And then right after the accident, everyone is super safe. And so if you think about it, you know, there's a sharp uptick in safety, and then there's this degradation time period over time, then everybody gets unsafe again, and then there's an accident, and it spikes up again. And indeed, that's exactly what happens in cybersecurity. So, you know, there'll be a breach from one company, then a bunch of, all the other companies will do a one and done, and then they'll forget about cybersecurity training. And then there's another breach and so we just keep that cycle. What we need to be is more proactive about, what would that look like? Could you be more proactive in predicting what that time cycle is?

And I think the other problem is we need to do it. It is difficult because the threat vectors are changing so radically, for example, COVID just introduced an entirely new area of cybersecurity. So I think companies need to not be so predictable in the way that they respond and understand that cybersecurity is a living process, it's not just a check in the box. Now, I also appreciate how hard it is to keep everybody engaged. In my class, we ended up analyzing various different companies' training programs. And you know, it's easy to get stale. And so how to keep their training programs fresh, and people engaged. It's just like all training for anything to do with safety. It's hard to keep people engaged until some bad event happens. But I think if you have a very clever chief risk officer, and that's another big issue that I don't see enough companies working on is, you know, we want to have a CTO and a CFO, but, you know, only the big companies think that they can afford to have a chief risk officer. And, indeed, you know, all these companies that have paid out all these ransoms, you know, I wonder how that would have worked for them if they would have put the chief risk officer in place.

Dr. Dave Chatterjee:

You're so spot on, in fact, risk factor, or assessment of risk, should be integral towards evaluating every initiative that a company is planning to pursue. And when I say every initiative, I'm talking about strategic initiatives, and there are lots of frameworks out there that guide organizations to do so. So the question is who's following, to what extent, and you kind of talked about this reactive mindset, this reactive mentality. And, you know, I think it's easier said than done, that we should be proactive, we all should be proactive, but the reality of it is, most of us, we respond to fear, we respond to incidents, when it happens to us, we sit up and try to do things to take corrective action. But when it's not happening to us, and when everything seems to be going fine, it's like a company not experiencing any attacks, they tend to ignore the good work that's probably happening behind the scenes thanks to their cybersecurity team and others. So it's a chicken and an egg problem. But definitely being proactive is critical.

And the importance of top management actively engaging, you mentioned about how serious top management is, is often hard to gauge. And I don't know if that has anything to do with the consequences of the attacks. There are some large companies out there who have been attacked and, as per public records, they have taken action so that those attacks don't happen or they reduce those risks, but they're not going away. It's not like their future is at stake. It's the medium-size businesses that tend to go away; 60% of the medium-size businesses that have been hacked have gone under, if my stats are correct here. So I worry more about the organizations which are resource constrained, and to what extent they are making those fearless calls of finding the right balance between pursuing their organizational goals and mission without compromising on having a certain level of cybersecurity readiness. Any reactions, thoughts to that?

Missy Cummings:

Oh, sure. So I have my students tell me at the end of every class what they would do if they were a hacker and what they would do if they were a chief risk officer and they had learned what they learned during whatever that particular lecture is, and one common theme that happened repeatedly after the various lectures was that I would hack a startup company for problem, you know, thing X, right? Because startups are really trying hard to make a product, make a splash, get more series funding. And indeed, just like trying to plan for human interaction issues, cybersecurity is again seen as, oh, well, this is a nice to have, it's not a must have. And so I'm just going to push this down the road. And I would actually say that, to me, in my mind, if I were a venture capitalist, that would be one of the first questions that I would ask a bunch of startups that I was looking to invest in is, look, I understand it's a high wire act. But in the end, if you've got a cybersecurity vulnerability, and it could take down the entire operation, then why should anybody invest in that?

And I certainly see this anywhere where we've got a lot of these new startup technologies, where they're using, for example, GPS, whether we're talking about drones, or cars, or small sidewalk delivery drones. It is so easy to do a GPS spoof on a vehicle, any kind of vehicle, and I would actually say that is my number one question when I ask people who are working in these transportation and/or delivery spaces: what are you doing about GPS cybersecurity? And they look at me like a deer in the headlights. Ah, what I did out GPS spoofing, what's that? And so I think, oh, my goodness, we are in serious trouble. You know, so awareness, again, one of these issues. And, you know, I think it might be, I know that there's a lot of money to be made in cybersecurity. But I also think that universities are really good about providing workspaces, and they want to, you know, help, do help startups, angel funding, that kind of thing. But I also wish that we would spend more time thinking about, okay, well, what would angel funding look like, just for cybersecurity for startups, because that actually has dual benefit, not only does it keep that company safe, but then that in and of itself could be its own product.

Dr. Dave Chatterjee:

Absolutely, in fact, brings to mind one of my prior guests, who got funding to start his company Trusona, and they focus on passwordless authentication. So I think that's a good product, or that's a good approach to strive for, there is no perfect approach. But that's definitely something to, you know, move in that direction. Another thought comes to mind as we are having this discussion. You know, we are making progress technologically, you do a lot of work in the field in the area of AI. We are making these fancy cars, they are supposed to self drive, which is all great. But we also recognize that the more technologically advanced we get, the more vulnerable we become, for a variety of reasons, including information security. So that begs the question, or that's something that I address in class when I tell students that technology is great, but mindless use of technology is kind of stupid. Making judicious use of technology. And that relates to cybersecurity from the standpoint of, yes, I want to run after my strategic goals, but I better be properly anchored because I can't afford to lose my operating engines, my databases, my systems, because if I lose them, then it's the short term thinking, I might go wander.

Having that rich perspective where you're growth driven, you understand what it takes to take the company to the next level. But you also recognize the different pieces of the puzzle that help anchor the company, and one of which is cybersecurity. Providing that kind of holistic education, I think, is where universities come in. You mentioned about companies providing students cybersecurity training, and absolutely every company has their own customized approach. But I think at the university level, we can offer them a much more comprehensive insight into what it takes to, whether you create a company and run it or whether you run it, and how the different pieces fit together and how and why it is important to keep cybersecurity as an integral part of the overall strategy. I, in fact, suggest, I've said it very, you know, emphatically, that cybersecurity is a strategic competency. It's a competency that organizations need to develop and master over a period of time if they want to thrive in the years to come. Thoughts, reactions?

Missy Cummings:

Yeah, wow. I mean, we are about to go down a rabbit hole you did not want to go down. And that is because I have a huge beef with the academic world in the way that it thinks about cybersecurity, or more broadly, something we call assured autonomy. And so the idea is autonomous systems can operate, and most do operate, in a non-deterministic fashion. And so that opens up a whole new can of worms for cybersecurity. But I'm not just speaking about autonomous systems, I think more broadly, wherever you've got digital systems, cybersecurity by the academic world, and who am I speaking of? I'm speaking of most of the top-tier research universities, top 30. Most of these organizations treat cybersecurity as a stepchild in the sense that they do not see it as legitimate research, that this is engineering, and it's not research. And so we should not teach it as a formalized set of courses. Now, many people listening to this will be like, what, the academic institutions don't think that cybersecurity is a legitimate field? And I'm here to tell you, they don't. Now that's not true, because obviously, Duke, it's not true everywhere, Duke has just recently stood up a cybersecurity program. But you know, that is the exception rather than the rule.

And people will say that's not basic science. What is basic science about cybersecurity? And so this is actually one of the reasons I developed this course in cybersecurity in humans, so that people could understand. Do you know what the basic science is that we cover in my courses? We start with cognitive science, we embed game theory, we talk about queueing theory, we talk about systems thinking, right? So there are so many core scientific clusters of learning that underpin cybersecurity. And by the way, that was just for one course, if we started talking about what would we find in other courses: formal methods, and lots more statistical learning. And so there are many, many core scientific areas that are the foundation for cybersecurity.

So it is actually really my criticism. And by the way, my criticism is severe, because I think that the inability of our nation, our nation's agencies, like the National Science Foundation, and even other top 30 universities, to really grasp this means that this country is in a serious, vulnerable position. And if we're not funding the research, then we're not funding the technology and innovation development that needs to happen to put us out in front. We are not out in front in cybersecurity, the US is not the leader in cybersecurity, the US can be brought to its knees by a bunch of hackers in Nigeria. I mean, that's actually, you have to ask yourself, if we're so awesome, why is it that someone from a country that is, you know, not nearly as well developed as our country, as our nation can have so many problems by people where the bar of entry is virtually nothing. So I do wish that we would, as a country, and in academia, raise the alarm bells that these are legitimate areas of study, trying to get more journals stood up in this area and more traditional, you know, types of ways that we disseminate research results. One good area is the Department of Defense, regardless of how

Missy Cummings:

you feel about the DOD, the bottom line is, they see that

Missy Cummings:

it's a problem. And certainly the US government is trying to

Missy Cummings:

do more in this space. So the more that we the government

Missy Cummings:

agencies start to embrace and mandate that their efforts

Missy Cummings:

funded in the area of cybersecurity, the better will

Missy Cummings:

be but I still think we're just missing a core recognition at

Missy Cummings:

universities that cybersecurity is not like changing the oil of

Missy Cummings:

your car. It is its own science.

Dr. Dave Chatterjee:

Absolutely. Wow. I love the fact that you went down that path. I could continue in that direction, but I'll keep my reactions and remarks short. Like you said, you use the example of cybersecurity to make the point that many might feel that doing research in this area is not considered scientific. And again, I do not want to assume stuff, but to keep it simple, research is about solving problems. And as you try to solve problems, you end up coming up with theories, better understandings, which ultimately, you know, can transcend, transcend, and can enhance your ability to explain multiple phenomena. And talking about the theoretical development that can come from cybersecurity research, the work that I've done so far, I see so many connections, because 17 Success Factors came out in my work when I was trying to identify what it takes to create and sustain a high performance information security culture. And each of those factors has strong grounding in research, you know, that has been pursued over decades, one of which, of course, is the role of top management. So there is a lot of connectivity. Now, I approach research a little differently, I do not do research, to inform theory or to enhance theory. I like to do research which I find interesting, which is going to have impact. And then in the process, if I create great theory, that's great. But no, I think your points are extremely well made.

And talking about the role of government and the private sector, you will remember that we had the Colonial Pipeline breach. And that resulted in some congressional hearings. And the senior executives, the senior leadership of this organization, along with others, who are managing the critical infrastructures, they are now being pushed or asked for major disclosure, in other words, provide more transparency, that you are doing enough to protect our national assets. And I'm kind of surprised that it took a breach to get there. I would think it is common sense that whether your organization is protecting national assets or any other asset, any other consumer asset, you must do your due diligence, you must report to the relevant stakeholders, there must be adequate transparency, so I kind of get surprised when I see these. Okay, here are the new things we will be doing. And government, private sector, they are separate, but in many ways they need to come together.

Similarly, academic organizations, academic disciplines, yes, we have our specializations, but I hope you will agree that cybersecurity is an example that is a phenomenon that requires cross disciplinary expertise and involvement. So you shouldn't be leaving anybody outside and say, Well, this is the domain for such and such field. And they are the ones who should be doing research in this area. So having that openness to collaboration, to cross functional involvement, whether it's in practice or in academia, is critical to dealing with problems of this magnitude, where it is just not enough for a specific company, or a government to effectively deal with the threat. We need the entire ecosystem, organizationally, across countries to come together and fight the good fight. So that's how cybersecurity kind of brings us together, just like COVID has proved to us over and over again that whether we like it or not, we are all highly interconnected. If we don't do our part, we are not going to be able to deal with this pandemic effectively. Cybersecurity is the same kind of problem, the more interconnected the systems become. While there are definite benefits of that, the more vulnerable we become. And we can't, each one of us has a role to play. See, look the other way, there's going to be a breach at some level with long term impact. So that's my little spiel. You got me going there. Thoughts, reactions?

Missy Cummings:

Oh, yeah, you know, the Colonial Pipeline for people in the business, nobody was surprised. Right? It was just a matter of time because companies are extremely slow to change. And, you know, I'm not generally a fan of strong regulation. But when it comes to these safety critical elements of systems, you know, if I told you that you that we were going to let the FAA, you know, we were going to take care of the FAA out and let companies do whatever they wanted in terms of safety of airplanes, nobody would get on an airplane. Right. And so, you know, this is yet another safety critical system, where if we don't take care of some of these, especially for infrastructure, and other safety critical systems, process control, for example. So yeah, you know, unfortunately, Henry Petroski, who's another professor at Duke, he talks about engineering failures, that sometimes engineering failures have to happen, because that is the only way that the industry is going to grow. Sadly, I think that applies to this as well. Right? And, and like we talked about, it's basically some kind of work sine curve where we have to keep it has to keep happening over and over again, for us to be reminded that we need to keep doing it. So you know, that's where I think that's where there is a lot of room to figure out like, Alright, then how should we if we know that there's going to be episodic movements and technologies being developed, and especially now all the vulnerabilities that artificial intelligence introduces, how can we start being proactive instead of being reactive? So that's where I'd like to spend some of my research efforts.

Dr. Dave Chatterjee:

Makes total sense. Going back to your core research in safety and automation, as you have pursued research in that area, hopefully you've seen progress. What do you expect to see in the field of cybersecurity, in the years to come? And I realize I'm asking you to wear your predictive hat, and look ahead and see what's coming. You think we will get a better handle on how to deal with these threats, whether it's through better technology, superior governance, or more effective regulation? Talking about regulation, I'm reminded of the effectiveness of the Sarbanes-Oxley Act (SOX) to reduce fraudulent accounting activities. I wonder if we need similar legislation to get organizations and their leadership to comply with cybersecurity best practices? What do you see happening?

Missy Cummings:

Yeah, so I kind of think about this as a three circle Venn diagram. There's cybersecurity mitigation, people, technology and regulation, right. So there's a little bit to be done and all of that, I think regulation certainly needs to be more proactive in that keep companies and subcontractors who touch safety critical systems, this should just be mandatory. And they're, you know, there is movement along this front. But you know, I've been working in and around the government for the last, you know, 10 years. And so I've seen the big gaping holes, there's not one department in the government that I think has a good cybersecurity strategy. And by good, I mean, they know that they need help, but they just don't have all the right people that they need to make these programs safe. I mean, when we've got the National Security Agency being hacked, you know, we got serious problems, right. So. So I think that there's a lot to be done on the regulatory front. Because unfortunately, in the space companies, not all companies, but a lot of companies are not going to get at least good enough cybersecurity practices unless you force their hand.

But I would actually say of those three Venn diagrams, that's the smallest. So I think we should spend a lot more time in technology developments. You know, the fact of the matter is, we should be able to stop phishing emails like that. There's no, there's no magic solution. There's, it's not like we got to solve cold fusion to figure that out. We've got some filtering technologies and some search technologies and some ID technologies, maybe even figuring out how to run ghost servers so that these problems don't happen. But, you know, we I think that that just and this is where research is needed, like how can we actually develop more efficient programs and another technology for example, that we need help on VPNs are like, you know, it's like trying to add a big analog system to your fast digital system. It just slows it down and people get so mad at VPNs and I know people from all sorts of companies who bypass the VPN just for this one thing, right? And then that's where they get compromised in some cybersecurity. So, you know, we should be able to solve that problem. VPNs don't have to slow technology down. So let's, let's improve that.

So, you know, I think there's a lot more to be done on the technology front, I think there's a lot more to be done on the human front. I do wonder if companies ever sit back and say, why is it that we are so vulnerable to the time of COVID? Because people are lonely and bored, and the quality of work is not meaningful, right. So I think there's a lot for companies to do to think about. How can we make our work processes and environments such that hacking is not successful? And how can we make everyone and at least participatory in trying to stop hacking and mitigation and make that a more integral part of our everyday work processes, instead of everybody eye rolling every time they have to go take an online cybersecurity training that no one's listening to, and they're doing something else. They're like cooking or doing their taxes or doing something while theoretically the online training is happening? So, you know, I think, I think there's a lot to be done, I think we are getting better. I don't mean to be the Debbie Downer and saying, it's all miserable, because obviously, we are making improvements. But I think that the number one change that needs to happen, for government and for industry, and for academia is to recognize it's kind of like COVID, look, this is here to stay. And the longer that you keep ignoring it, the worse it's going to get.

Dr. Dave Chatterjee:

Absolutely, absolutely. I'd like to go back to your class, the classes on human factors. And I'd like you to share with listeners, what are you trying to instill in students who take your class?

Missy Cummings:

I would say the number one consideration that I want my students to leave with, after they take my class, The Human Element in Cybersecurity, is that cybersecurity is a systems-level problem. That there is no one you know, just stopping phishing is not going to stop cybersecurity and that to take to address it properly, you need to think about it first from a requirements perspective, what does my company need? How does it need? Why does it need? When does it need? Or what facets of the company need what various mitigations and then integrate the cybersecurity aspect at all levels of product development. And understand that it's integral not an add-on harassment package, that higher level of management is imbuing upon the rest of the company. So yeah, systems-level thinking, cybersecurity, to me, they're one and the same.

Dr. Dave Chatterjee:

Okay, fantastic. Now, I'd like to go back to something you talked about relating to senior management, top management, because you'd appreciate that, at the end of the day, in an organization, the tone is set at the top. Top management really has to make the commitment, they have to believe in it and do the needful. And you mentioned that based on your fieldwork, you found significant variance in that; I don't mean to misquote you, so correct me. But I'd like your thoughts and perspective on -- besides regulation, what should it take to get top management to actively recognize this to be a key issue, that's something that you can't walk away from, and meet it head-on, and get the organization prepared to proactively deal with this challenge?

Missy Cummings:

Well, if right, if the regulatory lever is not going to be pulled, I think the next regulatory or the next internal regulation lever that should be pulled is probably a mandate from a board. For example, if it's a publicly traded company, or if it's a non public company, if they have a board, you have to have some kind of external lever of accountability. Because if you don't have that, you know, it depends. The companies who are successful in fending off hacking attempts are those that have good people that understand and are taking care of that, in the end that the CEO is, first of all, has hired those people and given them the latitude that they need to solve those problems. Unless the CEO, I really think cybersecurity is a leadership issue, because unless the CEO values it and demonstrates to the rest of the company that they value it, then everybody else is just going to follow the lead and be very haphazard. And so, you know, the resources have to be set aside. And it needs to be transparent and visible to the rest of the company that these things are valued. Instead of I see, I would say, for the bulk of companies out there, the CEOs just give lip service to cybersecurity and say, Yes, and, you know, maybe we've got McAfee and that's what we're doing. And unfortunately, that's not enough. And, you know, or maybe we force people to do some really cheap online training that people are not listening to while they're doing many other tasks. And so, you know, taking it seriously and instead of eye rolling and saying, well, this is just something I have to do instead of not something that I should do. I think that's the real problem.

Dr. Dave Chatterjee:

Fantastic! Well, that was terrific, Missy. Any final thoughts as we wrap up our discussion today?

Missy Cummings:

Leadership starts with the man or woman at the top.

Dr. Dave Chatterjee:

Fantastic. Well, looking forward for future discussions on this topic. This was really fun. Hope you had a good time. It was great. A special thanks to Professor Missy Cummings, for her time and insights. If you liked what you heard, please leave the podcast a rating and share it with your network. Also subscribe to the show, so you don't miss any new episodes. Thank you for listening, and I'll see you in the next episode.

Introducer:

The information contained in this podcast is for general guidance only. The discussants assume no responsibility or liability for any errors or omissions in the content of this podcast. The information contained in this podcast is provided on an as-is basis with no guarantee of completeness, accuracy, usefulness, or timeliness. The opinions and recommendations expressed in this podcast are those of the discussants and not of any organization.

About the Podcast

The Cybersecurity Readiness Podcast Series
with Dr. Dave Chatterjee

About your host

Dave Chatterjee

Dr. Debabroto 'Dave' Chatterjee is a tenured professor in the Management Information Systems (MIS) department at the Terry College of Business, The University of Georgia (UGA). He is also a Visiting Scholar at Duke University, affiliated with the Master of Engineering in Cybersecurity program in the Pratt School of Engineering. An accomplished scholar and technology thought leader, Dr. Chatterjee’s interest and expertise lie in the various facets of information technology management – from technology sense-making to implementation and change management, data governance, internal controls, information security, and performance measurement. His work has been accepted and published in prestigious outlets such as The Wall Street Journal, MIT Sloan Management Review, California Management Review, Business Horizons, MIS Quarterly, and Journal of Management Information Systems. Dr. Chatterjee’s research has been sponsored by industry and cited over two thousand times. His book Cybersecurity Readiness: A Holistic and High-Performance Approach was published by SAGE Publishing in March 2021.