Episode 43
To trust or not to trust: the overwhelming challenge
Clinical psychologist Beatrice Cadet, Scientist Integrator at Netherland's Organization for Applied Scientific Research (TNO), draws upon multiple concepts such as 'learned helplessness' to explain why people still fall for phishing attacks despite the training. Beatrice emphasizes the need to factor in human behavioral traits and motivational triggers when developing social engineering solutions and training.
Time Stamps
00:49 -- Please share some highlights of your professional journey.
03:51 -- From a psychologist's lens, what do the social engineering trends look like? What can we expect in the future?
08:13 -- You talked about the need for socio-technical solutions to counter social engineering, and there are a lot of solutions out there. What are some of these solutions?
10:17 -- Unfortunately, we are in an environment where we have to be mindful, we have to be careful, and we have to prioritize. Your thoughts?
13:20 -- Do you think we'll ever get to that stage where humans don't have to worry about making mistakes; because we have great technologies that will cover us?
16:48 -- We are naturally not inclined to be proactive. Your thoughts?
18:56 -- You said, "I want to debunk the emotional aspects of social engineering. We need to be more pragmatic about it. We all fall for it at some point. But how to best avoid it and recover." Expand a little bit about the emotional aspects of social engineering.
24:35 -- From a psychologist's standpoint, what are your thoughts on the Zero Trust approach to cybersecurity governance?
27:37 -- It is so important that human psychology is taken into consideration by involving subject matter experts, such as yourself when training programs are developed. Would you like to add to that?
34:41 -- The more I think about it, it makes sense to have a Zero Trust approach. Your thoughts?
37:17 -- I'd like to give you the opportunity to share some final words.
Memorable Beatrice Cadet Quotes/Statements
"I think deep fakes are here to stay. They are likely to be used (by criminals) more and more."
"Social engineering can be approached in two ways -- using psychology, i.e., human manipulation to conduct technical cyber-attacks, and using technologies and technical tricks to manipulate people."
"Social engineering is nothing new, and we're still falling for the same old trick."
"Technology is being increasingly used to manipulate people even more effectively."
"When I think of social solutions, I refer to the awareness that comes with training. "
"With so much social engineering going on, we cannot expect everyone to always be at their best and ready to check everything."
"If you don't have awareness and mindset, you can do every possible training you want, it won't have the desired effect."
"People really need to understand why cybersecurity training is important; if you don't get their buy-in, the training will be ineffective."
"It has been shown in cybersecurity research that the reason why sometimes things don't work, or people still fall for phishing, is because they know that no matter what they do, or they think that no matter what they do, they will get scammed anyway."
"Beyond being well aware of social engineering campaigns and cybercrime in general, it's also very important to be self-aware, and to know your limits, to know that sometimes you might be overstressed and overwhelmed. And you're not going to be able to make the same type of decision as if you're perfectly healthy and mentally well-balanced."
"The only generalization we can make is that there are no generalizations that can be made."
Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast
Please subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.
Connect with Dr. Chatterjee on these platforms:
LinkedIn: https://www.linkedin.com/in/dchatte/
Website: https://dchatte.com/
Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338
https://us.sagepub.com/en-us/nam/cybersecurity-readiness/book275712
Latest Publication: https://www.imd.org/ibyimd/magazine/preventing-security-breaches-must-start-at-the-top/
Transcript
Welcome to the Cybersecurity Readiness Podcast
Introducer:Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of
Introducer:the book Cybersecurity Readiness: A Holistic and
Introducer:High-Performance Approach, a SAGE publication. He has been
Introducer:studying cybersecurity for over a decade, authored and edited
Introducer:scholarly papers, delivered talks, conducted webinars and
Introducer:workshops, consulted with companies and served on a
Introducer:cybersecurity SWAT team with Chief Information Security
Introducer:officers. Dr. Chatterjee is Associate Professor of
Introducer:Management Information Systems at the Terry College of
Introducer:Business, the University of Georgia. As a Duke University
Introducer:Visiting Scholar, Dr. Chatterjee has taught in the Master of
Introducer:Engineering in Cybersecurity program at the Pratt School of
Introducer:Engineering.
Dr. Dave Chatterjee:Hello, everyone, Happy New Year. I'm
Dr. Dave Chatterjee:delighted to welcome you to this episode of the Cybersecurity
Dr. Dave Chatterjee:Readiness Podcast Series. Our discussion today will focus on
Dr. Dave Chatterjee:finding a balance between our natural need to trust and the
Dr. Dave Chatterjee:caution that needs to be there to deal with all forms of online
Dr. Dave Chatterjee:cyber attacks. In fact, I experienced a phishing attack
Dr. Dave Chatterjee:this morning, and I'll get into that later on. I'm delighted to
Dr. Dave Chatterjee:welcome Beatrice Cadet from Amsterdam, Netherlands. Beatrice
Dr. Dave Chatterjee:is a scientist integrator at Netherland's Organisation for
Dr. Dave Chatterjee:Applied Scientific Research (TNO). With a background in
Dr. Dave Chatterjee:intelligence and psychology, Beatrice has specialized in
Dr. Dave Chatterjee:cybersecurity by taking an integrative approach working on
Dr. Dave Chatterjee:bridging the gap between human and the technical aspects. So
Dr. Dave Chatterjee:Beatrice, before we get into the details of managing trust, let's
Dr. Dave Chatterjee:talk about you a little bit, share with the listeners some
Dr. Dave Chatterjee:highlights of your professional journey.
Beatrice Cadet:Yes. So again, thank you so much for having me,
Beatrice Cadet:I'm excited about the discussion that we're about to have. So,
Beatrice Cadet:about me as you just said, I studied with a master's in
Beatrice Cadet:intelligence and security management from Strasbourg
Beatrice Cadet:University in France, that gave me quite a multidisciplinary
Beatrice Cadet:background within the social sciences area. From there, I
Beatrice Cadet:knew I was interested in tech. So I tried to target my
Beatrice Cadet:internships more into the online safety and security, which led
Beatrice Cadet:me to work for a startup in Dublin that is called Zico that
Beatrice Cadet:works for online safety for children. And then I thought I
Beatrice Cadet:needed to gain some technical knowledge to properly work in
Beatrice Cadet:cyber security, which led me to the Netherlands where I still am
Beatrice Cadet:today. And I worked for a company called Red Sox Security,
Beatrice Cadet:cyber threat intelligence. So I really dove into the technical
Beatrice Cadet:world and worked with a technical team, my goal being to
Beatrice Cadet:get some knowledge and some skills. But eventually I found a
Beatrice Cadet:really interesting position to be a social scientist or more
Beatrice Cadet:human approach person within the technical world and the
Beatrice Cadet:technical people. And from them to my current position where
Beatrice Cadet:indeed, I know that what we do is quite multidisciplinary.
Beatrice Cadet:However, online safety and security, information
Beatrice Cadet:manipulation. So that's the core of the content that we're
Beatrice Cadet:working on within the type of work we do could be a scientific
Beatrice Cadet:article, as much as trainings or workshops for police or the
Beatrice Cadet:Ministry of Defense, right now. I'm focusing now on the human
Beatrice Cadet:factors. So that got me to start a bachelor in psychology just to
Beatrice Cadet:add that to the background in security, and mostly
Beatrice Cadet:cybersecurity. And I got hooked, and I became a clinical
Beatrice Cadet:psychologist.
Dr. Dave Chatterjee:Wonderful. In fact, I don't believe I've
Dr. Dave Chatterjee:had a clinical psychologist on my show yet. So you are the
Dr. Dave Chatterjee:first one.
Beatrice Cadet:nice!
Dr. Dave Chatterjee:I'm looking forward to learning a lot from
Dr. Dave Chatterjee:your insights and expertise. So from your lens, from a
Dr. Dave Chatterjee:psychologist's lens, what does the social engineering trends
Dr. Dave Chatterjee:look like? What can we expect in the future?
Beatrice Cadet:Yes. So one thing I always say is that, of
Beatrice Cadet:course, criminals innovate, also a lot in social engineering. So
Beatrice Cadet:we see new tricks and new ways to catch people, especially with
Beatrice Cadet:new technologies. And I think that's something to really look,
Beatrice Cadet:look up look to, and look at, sorry, because, for example,
Beatrice Cadet:deep fakes, and it's something that we need to look for in the
Beatrice Cadet:future, but that is also already here. I think deep fakes will be
Beatrice Cadet:more and more used. And we've seen it this year already. I
Beatrice Cadet:mean, 2022 We've seen it, so more and more defects. They use
Beatrice Cadet:technology more and more to manipulate people. And I always
Beatrice Cadet:say that social engineering can be approached from the two ways,
Beatrice Cadet:right. So it's using psychology, or I mean human manipulation to
Beatrice Cadet:conduct a technical cyber attacks, but it could also be
Beatrice Cadet:using technologies and technical tricks to actually manipulate
Beatrice Cadet:people. So that's something I like to highlight when I talk
Beatrice Cadet:about social engineering. So as I said, Yeah, innovation, so new
Beatrice Cadet:tricks, but one thing that I always see is that all tricks
Beatrice Cadet:also always, are always here. And when I was working on cyber
Beatrice Cadet:threat intelligence, I would work on some phishing labs and
Beatrice Cadet:try to analyze some phishing campaigns. And I would find some
Beatrice Cadet:campaigns that beside having different types of indicators of
Beatrice Cadet:compromise, different different IP addresses, for example, the
Beatrice Cadet:visual aspect of the campaign would be exactly the same. So
Beatrice Cadet:for example, Elon Musk is giving away 20 Bitcoins. And so that
Beatrice Cadet:shows that social engineering in the end is nothing new, and that
Beatrice Cadet:we're still falling for the same old trick. And it's not proper
Beatrice Cadet:to cybersecurity, social engineering has existed since
Beatrice Cadet:forever. So with that in mind, I think, yeah, what we can see in
Beatrice Cadet:the trends and in the landscape for the upcoming year and years
Beatrice Cadet:is really looking at the old trick, look, still trying to
Beatrice Cadet:bring more awareness because we're still falling for the same
Beatrice Cadet:sort of campaigns. And additionally, technology is
Beatrice Cadet:being more and more used to manipulate people even more
Beatrice Cadet:effectively.
Dr. Dave Chatterjee:I can't agree with you more, when you
Dr. Dave Chatterjee:say, we are still falling for the same tricks. We as humans,
Dr. Dave Chatterjee:we are naturally inclined to trust, we are very vulnerable or
Dr. Dave Chatterjee:susceptible or gullible, we end up believing what we see. Early
Dr. Dave Chatterjee:in the morning, I saw an email supposedly from a major credit
Dr. Dave Chatterjee:card company, and I have a card with them, stating that a
Dr. Dave Chatterjee:certain amount could not be paid, so I need to log in and
Dr. Dave Chatterjee:make the payment. It looked so genuine. They had the graphics,
Dr. Dave Chatterjee:right, they had the logos, right. And it was very well
Dr. Dave Chatterjee:crafted. It wasn't the typical phishing emails with grammatical
Dr. Dave Chatterjee:errors and stuff like that. I was almost thinking of clicking
Dr. Dave Chatterjee:on that link. But then I said, No, I won't, I'm just going to
Dr. Dave Chatterjee:call them. And yes, I did expand the subject line to check on the
Dr. Dave Chatterjee:address. I couldn't tell if it was a genuine address, or a fake
Dr. Dave Chatterjee:address. Instead of clicking on anything, or replying, I just
Dr. Dave Chatterjee:called them this morning, and said, I received this email and
Dr. Dave Chatterjee:she went into my account checked and said, Sir, very smart of
Dr. Dave Chatterjee:you, you picked up on something that you should not be clicking
Dr. Dave Chatterjee:on. The reason I share this example is, that I have now
Dr. Dave Chatterjee:become so paranoid, anytime I see an email, I scan it
Dr. Dave Chatterjee:thoroughly. I refuse to click on any attachments unless I know
Dr. Dave Chatterjee:for sure who the sender is. And when in doubt, verify, right?
Dr. Dave Chatterjee:Just call and ask. So it was kind of interesting that I had
Dr. Dave Chatterjee:that experience this morning, and we are now discussing about
Dr. Dave Chatterjee:whether to trust or not to trust.
Beatrice Cadet:Yeah, good timing!
Dr. Dave Chatterjee:Yeah, I know, good timing. Beatrice,
Dr. Dave Chatterjee:during our planning discussion, you mentioned a few things that
Dr. Dave Chatterjee:I want to pick up on. You talked about the need for
Dr. Dave Chatterjee:socio-technical solutions to counter social engineering. And
Dr. Dave Chatterjee:there are a lot of solutions out there. It might be very valuable
Dr. Dave Chatterjee:for you to highlight for the benefit of the listeners, what
Dr. Dave Chatterjee:are some of these solutions?
Beatrice Cadet:Yes. So when I mentioned the need for social
Beatrice Cadet:technical solutions, I think, for example, on the technical
Beatrice Cadet:side to the filtering solutions, for example, for the email, if
Beatrice Cadet:we're talking about phishing emails, yes, I think this is a
Beatrice Cadet:good first step. We need that in place, we need that to be
Beatrice Cadet:efficient. When I think of social solutions, it all comes
Beatrice Cadet:with awareness, it all comes with training. And the reason
Beatrice Cadet:why I say this social technical solutions, because there is so
Beatrice Cadet:much so many campaigns, so much social engineering going on,
Beatrice Cadet:that we cannot expect everyone to always be at their best ready
Beatrice Cadet:to check everything. And I would like to rebound on the example,
Beatrice Cadet:you just mentioned your example from this morning, You're in the
Beatrice Cadet:fields, so you're more aware, maybe and you may be a little
Beatrice Cadet:bit more used to it. So that gives you a bit more awareness,
Beatrice Cadet:maybe than most people, but also you took the time and that was
Beatrice Cadet:time consuming know to have to check all the different
Beatrice Cadet:elements, to doubt, and then still to call them. So not
Beatrice Cadet:everyone always has that time or decides to always take that
Beatrice Cadet:time. So that's why even though people would be very well
Beatrice Cadet:trained into spotting every single phishing email
Beatrice Cadet:whatsoever, I think there would still be some vulnerabilities at
Beatrice Cadet:some points, the same way, that a filter on the emails also has
Beatrice Cadet:some vulnerabilities and might not filter all the phishing
Beatrice Cadet:emails or filter too many of them. So yeah, that's a few
Beatrice Cadet:examples I can think of now, when I'm talking about social
Beatrice Cadet:technical solutions.
Dr. Dave Chatterjee:Yeah, I mean, I don't enjoy calling
Dr. Dave Chatterjee:credit card companies in the morning, to follow up follow up
Dr. Dave Chatterjee:on things because it takes up a lot of my time. Yeah. And that's
Dr. Dave Chatterjee:not the way I want to start my day. But we are in this
Dr. Dave Chatterjee:environment where we have to be vigilant, we have to be patient.
Dr. Dave Chatterjee:It brings to mind an episode I did recently on multifactor
Dr. Dave Chatterjee:authentication and the fatigue that's associated with it. The
Dr. Dave Chatterjee:subject matter expert told me that many developers don't want
Dr. Dave Chatterjee:to go through that authentication process,
Dr. Dave Chatterjee:especially when they are dealing with 15-20 different
Dr. Dave Chatterjee:applications. Because it is bothersome, it is time
Dr. Dave Chatterjee:consuming, they become impatient. Unfortunately, we are
Dr. Dave Chatterjee:in an environment where we have to be mindful, we have to be
Dr. Dave Chatterjee:careful, we have to prioritize. Finances are something that I
Dr. Dave Chatterjee:carefully monitor, especially my credit card transactions. If I
Dr. Dave Chatterjee:know anything that could be problematic, I immediately get
Dr. Dave Chatterjee:into an investigative mood and I probe further. I give it a
Dr. Dave Chatterjee:priority, though it's not something that I would like to
Dr. Dave Chatterjee:give priority, but I am left with no choice. So that's kind
Dr. Dave Chatterjee:of the way I do things. And I'm sure many others, your thoughts?
Beatrice Cadet:Yes. And I think it's great. Ideally, we should
Beatrice Cadet:always be very mindful of every single emails, every single
Beatrice Cadet:text, even every single phone call or interaction with people.
Beatrice Cadet:The thing is, as you said earlier in this talk, is it
Beatrice Cadet:biologically human beings are inclined to trust. And then of
Beatrice Cadet:course, it depends on the personality, not everyone will
Beatrice Cadet:have the same extent, that same inclination to trust, and also
Beatrice Cadet:depends on your experiences. And I would say one of the problems
Beatrice Cadet:with cybersecurity in general is that most people don't feel the
Beatrice Cadet:burn, when dependence of you know how you learn that fire
Beatrice Cadet:burns, well, you burn your finger, it's painful, and you
Beatrice Cadet:tend not to do it again, because you learned from the pain. Most
Beatrice Cadet:people that got cut with cyber security issue, so a phishing
Beatrice Cadet:email or whatsoever, they might not know that they have, that
Beatrice Cadet:their data is out on the Dark Web, or they might know that
Beatrice Cadet:there has been a data leak, for example, but they don't really
Beatrice Cadet:know what it represents. So I think it's also very difficult
Beatrice Cadet:for people who are not very knowledgeable or used to
Beatrice Cadet:cybersecurity to choose to put that as a priority the same way
Beatrice Cadet:that you do. Yep. So yeah, I think that is a very important
Beatrice Cadet:factor to consider. And as you said, there's so many emails as
Beatrice Cadet:well. And to go back on that need for social technical
Beatrice Cadet:solution. That's also why I think it's important because
Beatrice Cadet:there's so many simulations coming all the time from
Beatrice Cadet:different directions, that it's very difficult to keep
Beatrice Cadet:everything as a priority and to be untrusting of
Beatrice Cadet:everything you have come across every day.
Dr. Dave Chatterjee:Exactly. And we multiprocess so much
Dr. Dave Chatterjee:these days, right? And we are using different devices. Yes.
Dr. Dave Chatterjee:And so it's like second nature to us, we're just doing stuff.
Dr. Dave Chatterjee:So to have that natural filter, that a little bit of security
Dr. Dave Chatterjee:paranoia, which would force us to stop, think, take unnecessary
Dr. Dave Chatterjee:action, before we move on to the next thing. For that to become
Dr. Dave Chatterjee:muscle memory, for lack of a better word that comes through
Dr. Dave Chatterjee:training, you're exactly right. That also comes through, again,
Dr. Dave Chatterjee:I'm not a psychologist, but I'm gonna put myself out there and
Dr. Dave Chatterjee:hypothesize or suggest that we have to start really believing
Dr. Dave Chatterjee:that this is a problem. And like you used the excellent,
Dr. Dave Chatterjee:excellent analogy or metaphor of the burn that do we really need
Dr. Dave Chatterjee:to get burned to appreciate what should be done proactively. We
Dr. Dave Chatterjee:have to kind of learn to be a little more cautious and cant
Dr. Dave Chatterjee:just throw caution to the winds as they say. I was speaking with
Dr. Dave Chatterjee:a subject matter expert in the last episode that was published,
Dr. Dave Chatterjee:and she's a expert in cybersecurity technologies. And
Dr. Dave Chatterjee:I asked her a question, I said, Do you think we'll ever get to
Dr. Dave Chatterjee:that stage where humans don't have to worry about making
Dr. Dave Chatterjee:mistakes, because we have great technologies that will cover for
Dr. Dave Chatterjee:us? And she answered in the affirmative. She said yes, I am
Dr. Dave Chatterjee:optimistic that there will come a time sooner than later where
Dr. Dave Chatterjee:we don't have have to be this vigilant. And I hope that her
Dr. Dave Chatterjee:words come through. But until then we just have to be careful,
Dr. Dave Chatterjee:right?
Beatrice Cadet:Yeah, exactly. And also be very pragmatic about
Beatrice Cadet:it, it most likely will happen, I think, maybe coming to the
Beatrice Cadet:state where we don't have to be that worried about it will be
Beatrice Cadet:that first because we have more training. So we have more
Beatrice Cadet:feeling of control on what we can do about it, that's very
Beatrice Cadet:important. But also a point where we'll have better
Beatrice Cadet:technology, maybe to counter this, complimentary, but also
Beatrice Cadet:that we'll have more resilience processes, so that you will know
Beatrice Cadet:that, okay, even if you're making mistakes, there are ways
Beatrice Cadet:to recover, or there are ways to, unless all the developments,
Beatrice Cadet:maybe with insurances or like processes where you can, okay,
Beatrice Cadet:making mistakes, but you're not alone in there. Because as of
Beatrice Cadet:now, there are very little processes in place. And even
Beatrice Cadet:with the police, they're trying to have more people report cyber
Beatrice Cadet:crime, but it's still very low. So I think that as a compliment
Beatrice Cadet:could also help us get to a stage where we're a little bit
Beatrice Cadet:more. Yeah, yeah, he's all about it. Yep, that can be done as
Beatrice Cadet:well on something you say, with training and the importance of
Beatrice Cadet:mindset. There is one concept, it's a sort of pyramid of
Beatrice Cadet:different concepts, you need to get to effective training. And
Beatrice Cadet:the bottom line of the pyramid is actually awareness and
Beatrice Cadet:mindset. And if you don't have that, you can do every single
Beatrice Cadet:training you want, it won't have the effect that you're
Beatrice Cadet:expecting, you really need to have people understand why
Beatrice Cadet:they're training on this, why they have to work on this
Beatrice Cadet:specific skills or specific concept, or issue. And if you
Beatrice Cadet:don't have that, you won't get the effects you want. So that's
Beatrice Cadet:really important to understand why we need actually to get
Beatrice Cadet:better at this
Dr. Dave Chatterjee:Yep, that connects with what I often say
Dr. Dave Chatterjee:is, we have to get the user buy-in, unless the buy-in is
Dr. Dave Chatterjee:there, unless the user recognizes the importance of
Dr. Dave Chatterjee:doing certain things, or following certain guidelines,
Dr. Dave Chatterjee:following certain best practices, they may not be
Dr. Dave Chatterjee:willing to do so. And as much as we might preach that, lets, be
Dr. Dave Chatterjee:proactive, let's not be reactive. But unfortunately, the
Dr. Dave Chatterjee:results, the statistics, suggest that we are reactive. And we
Dr. Dave Chatterjee:learn best after a major catastrophe. If we can use the
Dr. Dave Chatterjee:pandemic as an example, despite all these great organizations
Dr. Dave Chatterjee:out there, terrific scientists out there, we still couldn't, we
Dr. Dave Chatterjee:were not proactive about it, we made a great recovery. Thanks to
Dr. Dave Chatterjee:the scientists, we have the vaccines and all credit to them,
Dr. Dave Chatterjee:thanks to all the healthcare workers who've done yeomen
Dr. Dave Chatterjee:service. But having said that, I'm not so sure that we have
Dr. Dave Chatterjee:another round of a pandemic, are we better prepared for it now
Dr. Dave Chatterjee:that we have experienced one? I'm not so sure, I'm still very
Dr. Dave Chatterjee:pessimistic about it. Because we are naturally not again, this is
Dr. Dave Chatterjee:a hunch I'm not a psychologist, maybe you can shed some light,
Dr. Dave Chatterjee:we are naturally not inclined to be proactive.
Beatrice Cadet:And I would fear that maybe if there would be
Beatrice Cadet:another pandemic, we would try to apply the lessons from the
Beatrice Cadet:one we just we've just been through, which is still been
Beatrice Cadet:happening. Right. I would hope that we would learn to be
Beatrice Cadet:proactive by taking the lessons learned, but also looking
Beatrice Cadet:towards the future as well. And mixing that up together. Yes.
Beatrice Cadet:And it's similar to what could be happening sometimes in
Beatrice Cadet:cybersecurity that we just think, oh, yeah, there is that
Beatrice Cadet:threat. So we apply this, but the threats are moving, and it's
Beatrice Cadet:always a cat and mouse game. So how do we become as defenders as
Beatrice Cadet:innovative as the criminals, right? How do we try to make the
Beatrice Cadet:gap between the two sides a little bit smaller, that's also
Beatrice Cadet:very important.
Dr. Dave Chatterjee:Exactly. And I want to emphasize what you
Dr. Dave Chatterjee:just said, it is important to learn from the past. But it's
Dr. Dave Chatterjee:also important to recognize that the future might present
Dr. Dave Chatterjee:challenges that have to be dealt with, and we may not be prepared
Dr. Dave Chatterjee:for it from our past experiences. So therefore, it
Dr. Dave Chatterjee:requires a mix of Yes, informed insights from the past plus the
Dr. Dave Chatterjee:innovations that's going on because we have to think
Dr. Dave Chatterjee:proactively of what are the future types of attacks that
Dr. Dave Chatterjee:might be launched, and how can we protect ourselves? When I say
Dr. Dave Chatterjee:how can we I'm talking about individuals, groups,
Dr. Dave Chatterjee:organizations, nations at any level, I think this approach us
Dr. Dave Chatterjee:a deliberate a proactive approach is is valuable
Dr. Dave Chatterjee:irrespective. So awesome! Once again, going back to my planning
Dr. Dave Chatterjee:document here, I took notes when we were talking and you made a
Dr. Dave Chatterjee:very poignant statement. You said "overall, I want to debunk
Dr. Dave Chatterjee:the emotional aspects of social engineering. We need to be more
Dr. Dave Chatterjee:pragmatic about it. We all fall for it at some point. But how to
Dr. Dave Chatterjee:best avoid it and recover. Expand a little bit about
Dr. Dave Chatterjee:emotional aspects of social engineering?
Beatrice Cadet:Yes. So I would say motional, maybe also a
Beatrice Cadet:little bit seeing it as a buzzword we hear so often that
Beatrice Cadet:humans are the weakest link, and it's because of the people and
Beatrice Cadet:stuff. And yes, it is true. Because in the end, even though
Beatrice Cadet:cybercrime cybersecurity is all about tech, behind the
Beatrice Cadet:computers, behind the phones, you have humans on both sides of
Beatrice Cadet:it. So completely agree with this. But being sort of alarming
Beatrice Cadet:about social engineering as much as it is good and important and
Beatrice Cadet:necessary, it has to have its limits. Because first, there is
Beatrice Cadet:a point that we haven't mentioned yet. But there's a
Beatrice Cadet:psychological concept that is called learned helplessness is
Beatrice Cadet:that people feel so overwhelmed, and they feel like no matter
Beatrice Cadet:what they do, it won't help anything. So and many people
Beatrice Cadet:have that. And it has been shown in research in cybersecurity,
Beatrice Cadet:that the reason why sometimes things don't work, or people
Beatrice Cadet:still fall for phishing and stuff, is because they know that
Beatrice Cadet:no matter what they do, or they think that no matter what they
Beatrice Cadet:do, they will get scammed anyway. And it's so overwhelming
Beatrice Cadet:that they prefer to just drop it and be like, Yeah, I have
Beatrice Cadet:nothing to hide or whatever happened happens. So that's why
Beatrice Cadet:I think like being a bit less emotional about social
Beatrice Cadet:engineering being a threat, but being just pragmatic about it,
Beatrice Cadet:like it is there, it has always been there, it will still be
Beatrice Cadet:there, I think that could be actually a very good step
Beatrice Cadet:towards being more protected against it. So that's the core
Beatrice Cadet:point I would like to make. Yes,
Dr. Dave Chatterjee:well made, when you said learned
Dr. Dave Chatterjee:helplessness, it immediately brought to mind an experience
Dr. Dave Chatterjee:that I had a couple of years ago when I was gathering data for my
Dr. Dave Chatterjee:book. And I spoke to a senior leader of a major healthcare
Dr. Dave Chatterjee:company. And he made a very interesting statement. He said,
Dr. Dave Chatterjee:we are such a large organization, we have so many
Dr. Dave Chatterjee:systems interfacing with other external systems, we connect
Dr. Dave Chatterjee:with all kinds of IoT devices, it's very overwhelming to stay
Dr. Dave Chatterjee:on top of everything and know where our vulnerabilities are,
Dr. Dave Chatterjee:where we are, we are strong. So you almost feel helpless. And
Dr. Dave Chatterjee:you're kind of hoping, to use his words, that we get attacked,
Dr. Dave Chatterjee:so we get to know where our weaknesses are. And of course,
Dr. Dave Chatterjee:that is not the approach or mindset that I recommend, or
Dr. Dave Chatterjee:anybody for that matter would recommend. But that speaks to
Dr. Dave Chatterjee:what you just said about learned helplessness. Whether it's a
Dr. Dave Chatterjee:leader of a major organization, or whether individuals, I have
Dr. Dave Chatterjee:gone through some cybersecurity certifications, some
Dr. Dave Chatterjee:cybersecurity training, they can get complicated, there's so much
Dr. Dave Chatterjee:to learn so much to know. And so for a regular person who just
Dr. Dave Chatterjee:wants to do their thing and be happy and not get too caught up
Dr. Dave Chatterjee:with this stuff. They're like, Oh, I don't want to know the
Dr. Dave Chatterjee:details. If something were to happen, I'll deal with it when
Dr. Dave Chatterjee:it happens. So that's precisely I think, what ends up happening
Dr. Dave Chatterjee:with humans, because human mind can only absorb or deal with so
Dr. Dave Chatterjee:much complexity, right? We have, we have our cognitive
Dr. Dave Chatterjee:limitations. And when it goes beyond that, we are like, Okay,
Dr. Dave Chatterjee:nevermind, let's just hope for the best I'm not gonna try
Dr. Dave Chatterjee:anymore. So I think that point is extremely well made,
Beatrice Cadet:We have our cognitive limitations, yet, we
Beatrice Cadet:still make 1000s and 1000s of decisions every day without even
Beatrice Cadet:noticing it. So that's the whole thing. Also, we're going back to
Beatrice Cadet:trust, trusting, not trusting so many decisions are automated.
Beatrice Cadet:And we can control everything. And also, criminals know that
Beatrice Cadet:they're also human beings, and they know how to trick us. So
Beatrice Cadet:that overwhelming feeling they know how to use it. And for
Beatrice Cadet:example, you get your email, you saw in the morning, and you said
Beatrice Cadet:something about your card in the morning when you just woke up,
Beatrice Cadet:maybe so then it's even harder to be rational. And they know
Beatrice Cadet:exactly how to do this. So yes, bringing a bit more peace to it
Beatrice Cadet:being like, Okay, this is it. You need to be aware of this. We
Beatrice Cadet:need to train on this. We need to get better at this but also
Beatrice Cadet:without Yeah. dramatizing it, I think it's very important to
Beatrice Cadet:actually make concrete progress.
Dr. Dave Chatterjee:Fantastic. So let's talk a little bit about
Dr. Dave Chatterjee:the zero trust approach. And if I understand this approach
Dr. Dave Chatterjee:properly, essentially, the assumption is being made that
Dr. Dave Chatterjee:let's try to be as secure as possible every step of the way.
Dr. Dave Chatterjee:Use a combination of physical, technical and administrative
Dr. Dave Chatterjee:controls, have a micro have micro segmented networks. So
Dr. Dave Chatterjee:when a user wants to move from one network to another, they
Dr. Dave Chatterjee:have to again authenticate. So have checks and balances every
Dr. Dave Chatterjee:step of the way. I was reading somewhere, they used an example
Dr. Dave Chatterjee:of going to a rock concert, and you get checked in once, but
Dr. Dave Chatterjee:then you again, get checked in and again, kept checked in
Dr. Dave Chatterjee:before you get to your seat. So having these multiple layers of
Dr. Dave Chatterjee:defense, for lack of a better word, or another very popular
Dr. Dave Chatterjee:terminology out there is defense in depth, those are being
Dr. Dave Chatterjee:advocated big time they are being considered best practices.
Dr. Dave Chatterjee:From a psychologist's standpoint, what is your
Dr. Dave Chatterjee:perception on this zero trust framework? Or zero trust
Dr. Dave Chatterjee:approach to cybersecurity governance?
Beatrice Cadet:Yeah. So as a psychologist in cybersecurity,
Beatrice Cadet:my first thought is thinking yes, indeed, that that makes
Beatrice Cadet:sense. And layering security is yeah, it's just just makes
Beatrice Cadet:sense, right. But then, as a psychologist first what comes to
Beatrice Cadet:my mind is, we need to pay attention that all of those
Beatrice Cadet:measures, and all of those technical aspects, physical
Beatrice Cadet:points of security, are adapted to how human behave, you know,
Beatrice Cadet:because often we try to create solutions. So I'm thinking
Beatrice Cadet:concrete, technical solutions that are actually not adapted to
Beatrice Cadet:how users behave. And that can be the key to failure, if we
Beatrice Cadet:don't think about it. So I think it's a great, great point to
Beatrice Cadet:have those different policies in place to have those different
Beatrice Cadet:infrastructure security infrastructures in place, but we
Beatrice Cadet:need to make sure that they're not too heavy for the user. And
Beatrice Cadet:of course, it's easy for me to say this, right? It's ideally,
Beatrice Cadet:we always want this, but it's important to develop it as well
Beatrice Cadet:always, with the user in mind and thinking, okay, how can we,
Beatrice Cadet:instead of thinking, let's develop the best technical
Beatrice Cadet:solution, and then fit it into the user process, we need to
Beatrice Cadet:think ahead and think, Okay, we need to have a sort of technical
Beatrice Cadet:solutions in place, how do we make sure that the user will
Beatrice Cadet:adopt it? And of course, the user might have to adapt to
Beatrice Cadet:adopt, but how can we make sure we we do that in the easiest way
Beatrice Cadet:possible. And then when it comes to thinking, zero trust, I think
Beatrice Cadet:as much as it's great for policies and technical
Beatrice Cadet:solutions, we need to again, as we said earlier, remind
Beatrice Cadet:ourselves that having a human being always suspect something,
Beatrice Cadet:won't happen. It's just not possible all day every day.
Dr. Dave Chatterjee:Exactly. And I hope listeners if they
Dr. Dave Chatterjee:have anything to do with training in their organizations,
Dr. Dave Chatterjee:or if they have the insolence, I hope that whoever is involved in
Dr. Dave Chatterjee:developing a training program include the psychologists in the
Dr. Dave Chatterjee:team, because you need technical specialist, no doubt, you need
Dr. Dave Chatterjee:strategists, no doubt, but you also need the psychologists who
Dr. Dave Chatterjee:understand human behavior, because, after all, these
Dr. Dave Chatterjee:solutions, many of the solutions if not all, many of the
Dr. Dave Chatterjee:solutions, which involve human interaction, or which are going
Dr. Dave Chatterjee:to be used by humans, unless you understand human psyche, human
Dr. Dave Chatterjee:mindset, the solutions are not going to be very effective. I'd
Dr. Dave Chatterjee:like to briefly mention a research that was carried out a
Dr. Dave Chatterjee:couple of years ago, where they trained a group of people to see
Dr. Dave Chatterjee:whether post training, the percentage who fell for phishing
Dr. Dave Chatterjee:attacks would drastically decline. Unfortunately, the
Dr. Dave Chatterjee:research found the variation wasn't significant. In other
Dr. Dave Chatterjee:words, the training didn't prove to be the phishing-related
Dr. Dave Chatterjee:training didn't prove to be effective, and the researchers
Dr. Dave Chatterjee:justified the explanation or tried to explain the findings by
Dr. Dave Chatterjee:saying that there are so many human factors such as innate
Dr. Dave Chatterjee:curiosity, for lack of a better better word greediness. If we
Dr. Dave Chatterjee:see an email which is promising a certain sum of money if we
Dr. Dave Chatterjee:click a link and play a game or throw a dice whatever we are
Dr. Dave Chatterjee:inclined to do so because we want to believe that yes, there
Dr. Dave Chatterjee:is some something to be gained from this action, it may not be
Dr. Dave Chatterjee:fake, we almost force ourselves to believe it, because we have
Dr. Dave Chatterjee:the need for money, let's say or, and like you said earlier,
Dr. Dave Chatterjee:we are many of us are often naturally inclined to trust. So
Dr. Dave Chatterjee:it is so important that the human psychology is taken into
Dr. Dave Chatterjee:consideration by involving subject matter experts such as
Dr. Dave Chatterjee:yourself when training programs are developed. Would you like to
Dr. Dave Chatterjee:add to that?
Beatrice Cadet:Yes, there are two points I wrote down for
Beatrice Cadet:myself. Let's start with the role of a psychologist in such a
Beatrice Cadet:team, I think is in knowing how people function knowing how to
Beatrice Cadet:investigate how specific groups of people function And as well
Beatrice Cadet:or specific individuals even. And that's something that I
Beatrice Cadet:often hear. So I speak with a lot of technical people, of
Beatrice Cadet:course, and I give a guest lecture every year at the Hague
Beatrice Cadet:University of Applied Science, and it's a technical crowd. And
Beatrice Cadet:what I recognize often is that technical people tend to think
Beatrice Cadet:as one zero. And I don't want to generalize, because that's
Beatrice Cadet:exactly the point I'm about to make. But I hear that very
Beatrice Cadet:often. And I get some people asking me, but how do you know
Beatrice Cadet:this for people? How do you approach this for people? And
Beatrice Cadet:there's no exact rule. And that's one thing you learn when
Beatrice Cadet:you study psychology, is that okay? You will learn specific,
Beatrice Cadet:especially, in my case, clinical psychology, you will learn
Beatrice Cadet:specific syndromes or how to recognize things, but the
Beatrice Cadet:experience will never be the same for two individuals. So you
Beatrice Cadet:really need to learn how specific people function and
Beatrice Cadet:apply that knowledge to the knowledge, the general knowledge
Beatrice Cadet:we have on human beings, and then bring that to the group of
Beatrice Cadet:developers or whoever you're working with. And so there's
Beatrice Cadet:that role that psychologists can have in a team. But then there's
Beatrice Cadet:also the role of often translating between different
Beatrice Cadet:disciplines, you mentioned, strategies, technical people
Beatrice Cadet:that you may have in a team. And that that's a position I've
Beatrice Cadet:often been myself, of actually understanding how the different
Beatrice Cadet:group of people working on the project, think and communicate,
Beatrice Cadet:and how to because multidisciplinary work is still
Beatrice Cadet:very complicated. And it's very valuable, and it's what we need
Beatrice Cadet:to go towards. But it's very complicated. So having a
Beatrice Cadet:psychologist sometimes can help bind these different disciplines
Beatrice Cadet:together. So yeah, that was the first point that I had on what
Beatrice Cadet:you just
Dr. Dave Chatterjee:said. And what was the other one? You
Dr. Dave Chatterjee:said? You made? Two points? Yeah. The other one was,
Beatrice Cadet:general knowledge on cognitive
Beatrice Cadet:psychology. So yeah, this is how the brain works. This, this is
Beatrice Cadet:how people make decisions and stuff. This is very important,
Beatrice Cadet:of course. But one thing that we tend to forget is that one
Beatrice Cadet:person won't make the same kinds of decisions every single day,
Beatrice Cadet:the context is so important to how you will make a decision.
Beatrice Cadet:And even the most rational person may at some point, make a
Beatrice Cadet:very emotional decision. And so that's also what you're talking
Beatrice Cadet:about, we're talking about a seeing that email that will
Beatrice Cadet:promise you some money. And then in a moment of weakness, you
Beatrice Cadet:might decide that, Oh, you want to believe in this. And what you
Beatrice Cadet:say is really true, because sometimes we decide to trust for
Beatrice Cadet:the wrong reasons. And so we're out for the wrong reasons, or
Beatrice Cadet:because of some sort of contextual influence. And my
Beatrice Cadet:colleagues and I two years ago, wrote a paper on disinformation
Beatrice Cadet:during COVID-19. And one of the statements that we made in the
Beatrice Cadet:discussion is that maybe the context of the lockdown and, and
Beatrice Cadet:the pandemic happening, influence why so many people
Beatrice Cadet:started to believe in disinformation, and people that
Beatrice Cadet:might not believe in it before the pandemic, but in this
Beatrice Cadet:specific context, with that much uncertainty with mental
Beatrice Cadet:disorders being on the rise, so I'm thinking anxiety and
Beatrice Cadet:depression, this, like anxiety and depression, they affects
Beatrice Cadet:your emotional system, right. And we saw that the narratives
Beatrice Cadet:that were played in disinformation, played on the
Beatrice Cadet:emotions that are affected by depression and anxiety. So that
Beatrice Cadet:being hopelessness, having difficulties dealing with
Beatrice Cadet:uncertainty, being very anxious, being very angry, and so yeah,
Beatrice Cadet:those people in normal times, they might have not fallen for
Beatrice Cadet:this. But now they were triggered on specific aspects of
Beatrice Cadet:the human factors in a specific context. And that's why it
Beatrice Cadet:worked. So that's why I think, beyond the being well aware
Beatrice Cadet:about social engineering campaigns and cybercrime in
Beatrice Cadet:general, it's also very important to be self aware, and
Beatrice Cadet:to know that, to know your own limits, actually, to know that
Beatrice Cadet:sometimes you might be overstressed and overwhelmed.
Beatrice Cadet:And you're not going to be able to make the same type of
Beatrice Cadet:decision as if you're perfectly healthy and mentally well
Beatrice Cadet:balanced. And nobody will be mentally well balanced every
Beatrice Cadet:single day. So I think, a very important point to consider for
Beatrice Cadet:everyone, because we're all dealing with emails with
Beatrice Cadet:technologies and with cybercrime, but also the people
Beatrice Cadet:making the trainings or searching for the right
Beatrice Cadet:solutions.
Dr. Dave Chatterjee:Very true, very true. Let me try to tease
Dr. Dave Chatterjee:out some inferences from this discussion, from the standpoint
Dr. Dave Chatterjee:of cybersecurity governance. First, humans are very complex
Dr. Dave Chatterjee:beings, their behavior will not be consistent, will change with
Dr. Dave Chatterjee:context, with situations, with the environment. And that has to
Dr. Dave Chatterjee:be factored in whether you are conducting a training program,
Dr. Dave Chatterjee:whether you're developing a technical solution. But what
Dr. Dave Chatterjee:does that mean? That means you recognize that even the best of
Dr. Dave Chatterjee:solutions, if it has a human involvement, can fail at a
Dr. Dave Chatterjee:certain point in time on a certain day, because that
Dr. Dave Chatterjee:particular person wasn't on their best game, something had
Dr. Dave Chatterjee:happened, something had taken over they had, they were
Dr. Dave Chatterjee:vulnerable, they felt weak for for a variety of different
Dr. Dave Chatterjee:reasons. So therefore, the more I think about it, it makes sense
Dr. Dave Chatterjee:to have a zero trust approach, a zero trust framework, because
Dr. Dave Chatterjee:that's assuming that whether you trust or you don't trust, and if
Dr. Dave Chatterjee:those things keep changing for a variety of reasons, we can't
Dr. Dave Chatterjee:control that, but at least let's build or establish the checks
Dr. Dave Chatterjee:and balances. To use your words, let's be pragmatic about it, and
Dr. Dave Chatterjee:take a very practical approach, instal the necessary barriers
Dr. Dave Chatterjee:through different types of controls. So we can still
Dr. Dave Chatterjee:protect the organization, protect assets, and other
Dr. Dave Chatterjee:resources from attacks that might happen because of human
Dr. Dave Chatterjee:vulnerabilities. So that's kind of my long drawn, circuitous
Dr. Dave Chatterjee:explanation or inferences of what we've been talking about.
Dr. Dave Chatterjee:Would you like to add to that? Yeah, exactly.
Beatrice Cadet:We need to accept that it's not black or
Dr. Dave Chatterjee:All right. Well, as much as I would love to
Dr. Dave Chatterjee:white. We're in an area that is rather gray and, some one person
Dr. Dave Chatterjee:that can be very good at a phishing tests might still get
Dr. Dave Chatterjee:caught at some point, depending on the context, depending on how
Dr. Dave Chatterjee:well the criminal also built the campaign, because maybe it's
Dr. Dave Chatterjee:continue this discussion, we are coming to the end of our time
Dr. Dave Chatterjee:targeted, and they've done a great job of intelligence, and
Dr. Dave Chatterjee:they know how to trick that person. Yeah. So we need to
Dr. Dave Chatterjee:accept that and having Yeah, indeed, different layers of
Dr. Dave Chatterjee:security, technical and human, allow to balance, when one of
Dr. Dave Chatterjee:the two fails, and it will at some point, and also, yeah,
Dr. Dave Chatterjee:having ways to recover properly. That's very important.
Dr. Dave Chatterjee:allotted here. So I'd like to give you the opportunity to
Dr. Dave Chatterjee:summarize or say anything that you'd like the listeners to take
Dr. Dave Chatterjee:away from this discussion.
Beatrice Cadet:Yes, thank you. So I think for the general
Beatrice Cadet:audience, it's very important to become more aware of social
Beatrice Cadet:engineering as a threat, because we're all facing it. And
Beatrice Cadet:consequences can be very damaging, it's important to
Beatrice Cadet:understand that it's important for everyone to understand that
Beatrice Cadet:they can actually have some sort of control on it as little as
Beatrice Cadet:checking your emails more properly, or knowing that
Beatrice Cadet:checking the email address, for example, can save you from a
Beatrice Cadet:phishing link, or just not clicking without checking, like
Beatrice Cadet:this different kinds of things. And it's important for I think,
Beatrice Cadet:authorities in general to understand that, yes, some
Beatrice Cadet:people that work in the corporate environment will get
Beatrice Cadet:some trainings, more or less effective, still at this stage,
Beatrice Cadet:but they will and they have more awareness as well on that. But
Beatrice Cadet:the whole population needs to get more awareness and training
Beatrice Cadet:in general on social engineering. And then if we're
Beatrice Cadet:thinking about decision makers and companies, yeah, understand
Beatrice Cadet:that your employees are human beings. And you got people
Beatrice Cadet:understand that human beings are not just yeah, one or zero, that
Beatrice Cadet:they will fail at times, they are more complex than it's
Beatrice Cadet:really difficult to generalize, the only generalization we can
Beatrice Cadet:make is that there is no generalization that can be made.
Beatrice Cadet:But then to end that summary, again, social engineering has
Beatrice Cadet:always existed, we need to be very pragmatic about it, we're
Beatrice Cadet:still falling for the old tricks. There is some innovation
Beatrice Cadet:and we need to keep an eye on these developments. But there is
Beatrice Cadet:something we can do about it. We have that power. And to finish
Beatrice Cadet:on a positive note, I would say that I have also experienced in
Beatrice Cadet:my surroundings, whether professional or personal, way
Beatrice Cadet:more awareness and good practices coming from different
Beatrice Cadet:types of people. So I think we're on the right track. We
Beatrice Cadet:just need to keep on working on it and accepting that it's a
Beatrice Cadet:gray area and having a multidisciplinary approach.
Dr. Dave Chatterjee:Fantastic. Thank you so much, Beatrice, for
Dr. Dave Chatterjee:your time and your thoughts. I look forward to many more such
Dr. Dave Chatterjee:conversations.
Beatrice Cadet:Thank you for having me.
Dr. Dave Chatterjee:A special thanks to Beatrice cadet, for
Dr. Dave Chatterjee:her time and insights. If you liked what you heard, please
Dr. Dave Chatterjee:leave the podcast a rating and share it with your network.
Dr. Dave Chatterjee:Also, subscribe to the show. So you don't miss any new episodes.
Dr. Dave Chatterjee:Thank you for listening, and I'll see you in the next
Dr. Dave Chatterjee:episode.
Introducer:The information contained in this podcast is for
Introducer:general guidance only. The discussants assume no
Introducer:responsibility or liability for any errors or omissions in the
Introducer:content of this podcast. The information contained in this
Introducer:podcast is provided on an as-is basis with no guarantee of
Introducer:completeness, accuracy, usefulness, or timeliness. The
Introducer:opinions and recommendations expressed in this podcast are
Introducer:those of the discussants and not of any organization.