
Human Perception: The Missing Security Control

BSides Delaware · 2021 · 47:27 · 70 views · Published 2021-11 · Watch on YouTube
Style: Talk
About this talk
Speaker(s): Dr. Nikki Robinson

Audience: Information Security / IT practitioners with 1 year experience – any management

Description: This talk is centered around how perception, whether from users or security practitioners, affects the actual security and overall risk of an organization. We think about technical solutions, like software, applications, and new tools, or working on processes, like building an SSP or Incident Response plan, but not how our conversations and interactions with people affect the security of our systems. If I have a bad interaction with a security analyst, will that affect how I implement or think about security as a system owner? Let’s talk about some scenarios where perception may affect the security posture of a network. Using psychological and behavioral analysis techniques can help us to secure our environments and have better and more effective communication between peers.

Bio: Nikki Robinson holds a DSc in Cybersecurity, as well as a PhD in Human Factors. She is a Security Architect with IBM, as well as an Adjunct Professor with Capitol Technology University. Her main passions include integrating academic research into technical and practical solutions. Mostly focused on vulnerability management, human factors and security engineering, as well as DFIR.
Transcript [en]

awesome thank you so much uh well thank you to besides delaware for having me and first speaker of the day uh so thank you for for having me i'm excited to talk about this as i mentioned literally any time i can talk about this i'm excited uh so today i'm going to be presenting on human perception the missing security control i am a security architect by day an adjunct professor by night as well as several other things i also co-host the brazilian cyber podcast uh so you know just a couple little things i like to do all right so what we're going to talk about today so i'm going to cover quite a few topics

since i have the time uh we're going to start with talking about security controls i'm sure you guys are all aware of what they are but i'm going to talk about uh sort of give us a baseline here of what what i'm sort of adding context to and then i want to talk about some of the different itunes security roles specifically related to security controls uh what is perception and i'm going to talk a little bit about perception and cognition senses in cyber security how does perception change over time i.e how does our risk change over time and then i wanted to provide some case examples some uh ways that this may manifest itself uh

within different organizations or within different teams and then hopefully some final takeaways some really practical stuff that you guys can use and take back to your organizations your teams uh things to think about and digest and uh see where it goes okay as i mentioned uh security architect by day primarily so at ibm i'm part of the cisso's security innovation and remediation team so i do a lot of remediation activities as well as on the innovation side uh you know trying to solve those big complex problems you know within within a large organization i'm also an adjunct professor at capital technology university that is the school that i received my dsc in cyber security in and i'm

currently wrapping up a phd in human factors so shock that's why i'm sort of talking about this topic today you know the last year and a half of research has really changed the way i feel about cyber security so i have a background in itops so i was an administrator i did a managed virtual environments i did a d sccm citrix i mean vmware you name it um and then transitioned into security about probably about four years ago now um i got really interested in vulnerability chaining vulnerability scoring how our vulnerabilities scored how do we understand what vulnerabilities are and so when i was studying that for the dsc um i saw this this phd in human

factors and i was like oh this is really interesting i want to see how i can if i can understand psychology better if i can understand humans better can i improve cyber security our security posture and reduce our risk in an environment and that's really what ultimately led me here so quick disclaimer all thoughts feelings views expressed in the presentation are my own they do not reflect any of my employers and another quick disclaimer i'm not a licensed therapist or psychologist i love research um i i have a lot of friends that are cognitive psychologists that i've spoken to about research and uh there's a sort of a small group of us out there that are sort of really studying sort of

the implications of cognitive psychology and understanding how it really affects the security posture of a network all right so hopping right in so security controls so anyone that's you know been in security for any sort of any length of time and even from the i.t side you know this is really where i was introduced to security controls uh was actually as an administrator so these are anything like applying a group policy uh fixing a registry key on an os baseline uh template um all kinds of different uh settings uh password length and strength or complexity requirements how do i handle users versus service accounts how do i manage my ou's all of that kind of stuff

now i'm getting really far into a.d but there are a number of different types of security controls they're not just you know gpos um or settings on a network device we're actually talking about procedural technical compliance there's also physical security controls uh so security controls are really this it's really this broad sort of um a field and i when i was looking at what security controls do we manage do we implement do we look at i just started to see this like missing sort of piece right is it's like okay so let's say i'm able to implement these security controls um and i'm monitoring them and i'm doing all these other things um but what am i missing because

we all know like cyber security attacks are continuing and they're just increasing in complexity and um the way that we sort of um the way that we sort of handle security right like we're still having all these cyber attacks happening phishing attacks are still outrageous and and happening all the time so what are we missing if i'm applying these security controls properly how am i still missing you know something that's allowing a phishing attack to take place um so i anyway this is where this sort of started this idea of like what are we missing that we can't sort of properly put these security controls in place uh to really mitigate risk so that sort of got me thinking well when i

was on the i.t side of the house i didn't really see and perceive security controls the same way that i do now that i am a security practitioner you know from the it operations side i'm really implementing those controls i may have some leverage over what controls are selected but not always you know i at on the it side i may have been told hey implement these security controls and i may be able to push back and say you know what that one's not going to work or maybe not but ultimately i'm gonna have to figure out how to either implement this control or figure out how to provide mitigating controls uh that will resolve that that vulnerability or

that issue and i may be evaluating specifically for functionality so from the i.t side i don't want to affect my user negatively i want to make sure that they are you know they have all of their systems available and functional and so my objectives and goals are going to be a little bit different than the security side of the house you know security we're concerned with risk you know i i want to make sure that the system is secure and of course i want to work with the business i want to make sure that what i'm telling it aligns with the business and the strategy but you know ultimately i still need to my main primary

objective is to secure the network to secure the organization so i'm going to select those controls based on maybe whatever requirements i may have if i'm a federal organization versus a private sector organization that may be different and then ultimately monitoring for any inconsistencies so my favorite example is sort of i've applied a gpo for a setting well what happens if i move maybe i have you know 100 computers in that ou what if i moved them from there to a different ou and i didn't take the gpos with me to the new ou or maybe i didn't take all of them it's possible that some of those settings would then end up being missing

from those systems so me as security it's my job to make sure that you know those settings are being applied uh consistently and you know as i expect them to so um perception when i started looking into sort of seeing the same problems that i see over and over again in insecurity uh and studying the idea of human factors so human factors is really um it's sort of this blend of engineering design and psychology really ultimately trying to make tools the best way that we can for humans to use them and so that got me thinking well hold on a second if i start to blend some of those psychological concepts or some of those really the terminology

that we're using in psychology if i start applying that in cyber security can i start to address some of those gaps that i'm seeing so perception this is how we interpret a situation we're going to talk about some specific cases here because i think it's important to to actually highlight how this works in the real world but perception is how do i understand a situation how do i understand the world around me this is sensory based you know versus cognition cognition is really you know how do we make decisions and there may be some perception or some bias there based on our past experiences but we are making decisions based on our understanding of a situation

i like to equate this to um when i talk about cognition you know i talk a lot about chess perception is more you know i've interacted with an individual before if i've had a negative interaction how does that affect my perception of that individual and it could solely be based on that one situation that one interaction i had but maybe that person was having a bad day you know they were they had a donut for breakfast and their donut dropped on the ground like ugh that's frustrating and so maybe i had a bad interaction with them because maybe they were frustrated that morning not because they're a bad person um but my perception may change of that

individual based on that interaction but so uh for perception it's it's handled in a couple of different ways the way that we perceive and handle decision making um using perception uh bottom up processing versus top-down processing so for example if i stub my toe i immediately my bot i have pain that shoots through my toe potentially up through my leg and i'm like oh my gosh ow ow that was my toe uh you know that for me that that changes my perception of a situation it's like oh wow that was immediate and that hurt a lot um and it's a sensory thing that was a pain sort of reaction uh versus if i'm sitting on the beach and you know my

hands go in the sand and i can feel the sand and my perception of the beach and where i'm at changes based on what i feel and even what i see and what i smell you know if you're at the ocean and you're smelling the ocean uh you know you have memories that are based on those sensory sort of inputs that we have so to get a little bit dig a little bit deeper into perception versus cognition so this is where i was starting to talk about chess if i'm talking about cognition i'm talking about how do i make decisions if i'm playing chess and i'm playing a two-minute chess match versus a an hour-long chess match i'm going to be

playing that quite differently two minutes is not a lot of time that's one minute per uh per player that's one minute for me to process an entire chess game so i'm going to be really playing that game based on my past experience with chess and the fastest thinking that i can do to make sure that i'm making those decisions to try to win the game you know if i'm playing a two-minute chess match i may be okay with losing my queen very early on uh because it's like hey i gotta keep moving i can't i can't focus too much on the implications of losing that queen i need to figure out how do i handle that and overcome versus an hour

long chess match i'm gonna have time to really think about 30 moves ahead uh if i move here what will my opponent do if i move here what will my opponent do if i move here how many different ways could my opponent react to that me moving that piece so you're really thinking in multiple different ways and really deeply considering what implications moving a piece might have um so uh visual perception there's there's a lot of really great research out there and of course i'm unfortunately not going to have time to talk a lot about it but i highly suggest if you're interested in this topic and how it might relate to your cyber security teams just

on google scholar look up visual perception because uh that primarily recently they're talking about it as being you know one of the primary ways that we make decisions it's how we see something so uh if i see someone oh i think i'm getting getting some echo okay um so if i see someone and i see their body language that may change the way that i handle a decision or the way that i um you know sort of interact with someone so the way that we visually see something it may change the way that we handle decisions and quickly i want to touch on metacognition this is one of the most interesting things i think i found when

i was studying cognition and perception this is the way that after we make a decision we really think about how we made that decision so if i'm making a risk-based decision how did i come to that decision was it the right decision was it the wrong decision and if it was how could i change that the next time to make sure that i make a more appropriate decision uh so i love the term meta because we use it for lots of different ways uh metadata and all that but for metacognition you're really taking that step from okay i've made a decision to evaluating how that decision was made and i think especially in cyber security

this is a really important concept because we're constantly our our jobs are really making decisions is this alert malicious or not uh is this um network traffic malicious or not so there's a lot of um sort of uh the the ability to make decisions and make them quickly but then we have to really go back and say how did we make that decision how did i determine that that was a malicious uh file versus non-malicious how did i determine that that website should be blocked versus maybe not so a couple examples here i wanted to mention the sort of the fear-based response based on uh experience which is more perception based so let's say for example

i responded to an incident there was an incident that happened a security incident that happened and i just i know if i don't do something i'm gonna get in a lot of trouble or i might be held accountable for it i'm scared of the making the wrong decision but so ultimately i'm gonna quickly move i'm gonna communicate probably really effectively try to tell whoever i can tell ahead of time so that way it doesn't get you know out of hand um quickly or if i'm too scared to tell somebody about something that's when you know issues really arise right is it's like if i see alerts coming in but i'm really scared to tell my management about it because

maybe in the past i've had an experience where they got really upset with me what happens if you know a sock analyst who's nervous about telling their management about an incident what happens if that incident goes unnoticed or like undisclosed for an hour versus two hours versus three hours you know what happens how does our risk you know sort of go up at that point um so i think it's really important especially when we're talking about perception to talk about how uh fear-based responses could impact the overall security of our environment um and in across different teams right not just um you know a software analyst talking to a manager but maybe even a manager talking

to executive management you know maybe there's concern there that if an incident is happening that there may be you know repercussions and uh that not not addressing the situation or uh you know not maybe not uh taking it up with with the uh highest executives you know maybe that could end up being a much bigger incident than maybe it would have been if it was addressed immediately so uh census and cyber security when i was putting this presentation together this uh this concept really hit me how do we use our senses to either make decisions to understand a situation to manage and monitor alerts to configure our security tools how do we especially visually and with the tools that we have how do

we interact during an incident a security incident what tools do we have available to us and how do we see them uh i'm really big on you know having security tools we have to have them right we we need them they help give us great information that we can then make objective decisions on however if we have too many security tools it's very possible that you know i i could if i've got 10 security tools that i one analyst need to manage it's very difficult for me to make sure that i'm using all of those tools to the best of my the best of their ability so that i can configure those tools properly because when you have 10 tools to manage

potentially upgrades patching at the os level os level the application level and maybe a device as well you have to consider all of that time uh updates to the software there may be new things that have to be configured it's possible that over time that uh that tool wasn't configured properly initially and so it's not working well now you know maybe a year later or two years later so am i using the tools that i have properly am i able to visually see those tools and get effective information you know helpful information which is where i want to talk about cognitive limitations if i'm focused on like my number two bullet here if i'm focused on the data that i'm

seeing in these tools if i'm focused on all of the information that's coming out from you know all the products the patches the security controls the frameworks the guidance the policies and what i'm being told by peers colleagues management executives strategic business direction i think you can kind of see where i'm going but this is where we start talking about burnout cognitive limitations how much can i as an individual really handle at in cyber security you know we have so many different things that we have to not only manage from a technical perspective but we have to manage relationships with it operations with developers with maybe product and product managers um you know maybe from the soft perspective maybe i

have to deal with customers or third-party vendors so there are a lot of things that i as a security professional need to manage and there's only so much that we can sort of handle and bring into it and so we start to get this sort of sensory overload this to way too much information so i think there's uh sort of this interesting conversation that has to happen on how much information are you digesting and ingesting from security tools from products from from patching from a remediation standpoint how much can we handle and really digest and then use that to make really good clear decisions for a risk-based decisions and uh for the third item here that i wanted

to talk about uh can we ensure can we interpret risk based on how security analysts perceive a situation so if i as a sock analyst with my years of experience and the ability to sort of pinpoint um where a an alert might be noise and where an alert might be malicious or anomalous uh that's sort of my based on my uh previous experiences and based on my based on my education based on my awareness of the system then we can make risk-based decisions and we use all of the tools at our our our disposal including my perception of the situation if i'm monitoring a network and i see something that doesn't look right to me

whether or not i can pinpoint it right away whether it's an alert a strange ip something like that uh but if i can start to pinpoint that i'm using my perception my experience to help make risk-based decisions um but we don't talk about it in that context necessarily you know i i think there's a real power in using the right terminology using the right and then on top of that using the right definitions for those terms so for example a vulnerability management which is probably my favorite topic besides human factors but when we're talking about vulnerability management if i asked individual one and individual two what their definitions of vulnerability management was i would probably get two

different answers some people see it as really you know a patch management sort of activity some people see it more from the remediation standpoint some people see it as a continuous monitoring sort of exercise so our perception of the terminology that we use can really impact the way that we think about security of a system so i think there is real power in using terms like perception the way that we sense things the way that we use our intuition based on experience to help us manage risk and then ultimately how does our perception affect how we use those security tools how we interact with other teams whether that's it operations or developers and then ultimately how do we respond to

incidents based on that perception so i'm going to talk about some cases but i really wanted to sort of highlight this because this is really the reason why i think that sometimes uh like i continue to see the same types of attacks over and over again uh you know attackers think about things in a very different way than us as network defenders do and i think if we can start to integrate some of those psychological concepts and terms into our everyday security vocabulary it may help us say like oh you know i didn't think about how my perception of a tool might have affected that security or risk-based decision but now i'm thinking oh i i

perceive this tool differently based on my personal experience how does my co-worker perceive this tool and have a discussion about that hey what is your perception of this tool how do you feel about this tool do you think that it's useful uh based on your experience and your perception because sometimes i know i can have the wrong perception of something based on my experience and so really communicating collaborating talking with other people about how they feel about something or what they've experienced can help change my perception of something too so um that's sort of where we're going to talk about some of the actionable takeaways but really just sort of having that idea of okay i need to think about how

how this uh situation how this tool how my interaction with this tool has changed the way that i feel about this

uh okay so perception over time this is the um this is what i think is also another really important conversation to have um i know i can just speak on my my own experience my perception has really changed over time especially for risk-based decisions when i was in it operations and i started studying vulnerability scoring how low and medium vulnerabilities could be exploited that really changed my entire perception and my perspective about what security meant to me as a system owner so uh over time you know being a system admin on day one you know i i didn't have any biases i didn't have any fear or concern it was just hey i'm here to learn and i'm here to manage an

environment versus maybe my second week on the job where i've met a number of team members i've probably gone through initial training and learned more about the organization um you know meeting even other teams that i might be working with so first impressions are really important so the way that i've had first interactions with people that could change my perception almost immediately of how i feel like i might interact with people versus six months down the road i've probably been working on some projects working with other teams really getting a better understanding of the infrastructure and the technology at play what does the tech stack look like uh i think uh one of one of my uh prior

colleagues it was uh because i was feeling like i was a little lost especially in the first six months i was like oh my gosh i feel like i'm still learning so much and he said to me he was like listen it takes six months to a year to really learn a network like it can really take a long time especially in really highly complex environments so he was like don't worry about it it's gonna take some time it's fine so uh so anyway but by six months you're starting to really get a better understanding technically of what's going on across the organization then let's say four years down the road bias starts to come in maybe you've had

bad interactions with you know other co-workers maybe you've had frustrating sort of projects or projects that failed for whatever reason you know that affects the perception the way that you perceive the environment maybe the way you perceive co-workers maybe the way you perceive tools and vendor relationships so biases really start to especially as you know as someone who continues to grow within an environment biases really start to come in based on those experiences and then 10 years um i asked the question like what might be the issue here but after 10 years especially you know within one organization or working in sort of one sort of environment you really would have a lot of bias

based on past experience and and that's totally acceptable right uh you know we if we experienced a bad relationship with someone over 10 years my perception is that that's not going to change that's that relationship's probably not going to change um but so after you know a certain amount of time is different for everyone but perception is going to change uh there may be negative perception when it comes to people processes or tools um as well as positive perception um for people process tools um but what does that mean to my risk so if my perception at the beginning of you know a project or working with a team is positive uh but it's really

negative at the end of the project how does that affect my risk does it i mean maybe it doesn't but it's very possible that by the end if you have a negative interaction with someone or uh maybe the project just didn't go as planned maybe you know deadlines were missed the project got pushed back maybe the technology just ultimately wasn't gonna work for for the project or for the goals but that can really potentially increase risk i'll give a really specific example so uh let's say you're evaluating a tool and it goes from you know you have it in test and it works okay and then you know whoever decides yet put it into production

well you've got a test system now that maybe ended up in a production i know this is probably like wildly hypothetical right so uh so you've got an environment now that's probably called something test that's now in production was it meant to go into production what is the risk of putting that test item into production were all the security controls in place from the beginning were they tried to uh did someone try to add them at the end and were there maybe issues with that so how does the perception of that tool over time change based on you know maybe it moved from test to prod uh maybe you know you started having executives or management or you know

vips start to use this product uh but you can't maybe guess necessarily guarantee that it's secure based on you know sort of the inevitable push from test to prod um so it's just sort of something to consider if you think about how perception changes over time and how our interactions with technology change over time it could potentially affect the risk of the organization all right so round one uh i i wanted to break down three different cases mostly because uh like i said these are totally hypothetical right i'm sure these have never happened to anyone uh but i think it's important to talk about how perception might actually uh in the real world practically affect either

relationships or overall risk so let's say there's an it's group they're working on upgrading os levels let's just say windows 10 to windows 11 something like that or windows 7 and windows 10 probably years ago um so maybe the security team because of maybe eol maybe there's vulnerabilities and risk they are pushing for you know a specific timeline because it's like hey there's critical vulnerabilities this is end of life we've got to get this out the door it's got to go um but then tension builds between teams because maybe the it operations team maybe they're getting different direction from it management versus what they're getting from the security team so they're sort of maybe caught in the

middle trying to figure out how do we balance functionality for our user for versus security and making sure that we are you know upgrading those systems as as quickly as possible but uh without effect affecting functionality for you know my users um both teams go to the management there's contention there's issues so uh not just how do we solve this but how does this affect risk so if i'm thinking about risk here it's possible that these systems may not get upgraded because you know their it operations or not get updated you know as quickly as maybe security would like because uh you know there's a functionality issue there's a concern over customer maybe there's turnover revenue even that

hey if if i don't you know if i don't fix this fast enough or if i fix this too quickly i might affect the actual revenue for the business if i affect our customers so there's a lot of concern there and a lot of you know perception that's going to change after this interaction this is one upgrade for an operating system this isn't an application or hardware upgrades or anything like that and if the timeline gets pushed the risk increases if the teams have trouble working together or you know they have a bad interaction when they're where they're sort of uh talking about these things it operations may be very hesitant to work with security in the future um

you know if they're concerned that you know oh my gosh if i do this upgrade it's going to break everything or you know i can't i can't affect my users my customers because that's my number one goal and objective um so i think as far as solving this is it's really uh you know we talk a lot about shift left and improving security sort of i think from the beginning from the onset and that's certainly a great goal and i think what a lot of people are moving towards but i think it's almost a little bit deeper than that as far as communication goes i think uh security you know it's it's there to enable the

business and it's there to uh you know sort of work with people and i think in the past there's been this sort of negative perception of you know security's just here to bang on my door and make me implement these 300 controls and not give me any information but uh there are a lot of you know security engineers isos that want to really help enable the business and improve security without affecting functionality and meeting that business strategy so i think that you know maybe in this particular situation there was a negative negative perception of how security might affect the functionality for the users but you know maybe it's just perception maybe that's not actually what they were intending to do

but intention doesn't always meet perception. All right, round two: security versus executive management. Again, totally hypothetical; I'm sure this has never happened. Security is working on a critical vulnerability. They have expressed urgency to the CIO, making sure that this gets done very quickly and immediately. But the CIO, thinking about the business, thinking about customers and users, says, hey, I can't do this during production hours. This is not going to happen. We need to figure out a better way to do this, and I'm not going to affect this. And let's say that they're at the end of a quarter, and

they say, you know what, I'm at the end of a quarter, I can't do this right now because this is going to affect sales or productivity, whatever it might be. And I don't have enough information, so we're just not going to do this right now. If this is a critical, not just critical but exploitable, vulnerability, what would have been a better way for security to address this to management? Maybe instead of saying there's a critical vulnerability, we have to do this right now, a better way to do this would be laying out a plan, because that perception then is

executive management, that CIO, may be like, you know what, I don't trust them; they're just telling me to do this and they don't understand what we've got going on here. So maybe from the security side of the house I could have gone to the CIO and said: this is a highly exploitable vulnerability. We know these APT groups are using this actively right now in campaigns against businesses just like us, and if we get affected by this, if we are hit by this APT group, we will lose X amount of dollars, we will lose this much downtime. And the time for

the downtime during production hours to get this resolved, versus the possible impact for company reputation, lost revenue, all those things. That might be a better way to show the understanding of the business, to show that security understands the needs while also expressing that this is a serious impact to our entire organization. Not just, yes, we have thousands of vulnerabilities, but this one in particular could ruin our business. So it changes the way the conversation happens, and it also probably improves the perception of how management feels about security overall. It's like, oh hey, they were thinking about all this stuff,

they gave me all this great information, and now I can make a better risk-based decision based on this, instead of maybe having a negative perception, or maybe there was a negative interaction in the past that affected their perception and they were just like, you know what, I'm not going to put up with this. So it is possible that perception of the security team, or of the information given to them, was negative, whether appropriate or not, but that perception might change that conversation. And so if there is already a negative perception in place for security controls or vulnerabilities or whatever it might be that need to be resolved, it starts

with changing that perception, and not doing the same thing over and over again and saying, why don't they listen to me? Changing that conversation might change that perception, might help reduce risk. All right, round three. Here I wanted to talk about a little bit different angle: third-party vendor versus the security engineer. A security engineer needs more information from this third-party vendor: okay, I need to understand your product better, I need to understand what's going on. And this third party is like, yeah, but here's my documentation, everything's fine, I have this all

documented, that's it, it's here, this is all that you need. So that may change the perception that the security engineer has of that vendor. If they feel like they're not getting enough information, enough documentation, or that what they need is not being heard, that may change the perception of how the security engineer works with that tool or works with that vendor, and they may not use that anymore. So there's this possibility that with a negative interaction like this, this may change the perception of how they use these products, which again may also affect the security, although potentially in a positive way. If I have a negative perception of a

vendor, I may not use their product anymore, whether good or bad; that's my perception, right? So even a year from then, if that third-party vendor comes back and says, hey, we'd like for you to try our product, I may already have a pretty cemented perception of how I feel about that company or organization. Even if, let's say, they have new products, or they've improved the security of their products and they can provide more information, I may still have that perception from that negative interaction, and I'm like, you know what, I'm just not going to use them because I didn't get a good feeling the

first time. Now, like I said, that could actually potentially be a good thing; it might help improve security of that environment. If you don't trust that organization, or you're not quite sure if you should or not, then maybe that's a good way to go. However, it is possible that a specific tool or a specific third-party application might be necessary for a business functionality or something like that, so it is possible that it may have to be integrated at some point, just depending on what's available on the market. I mean, fortunately there are a lot of vendors out there,

but if the business is looking for something in particular, they may say, you know what, we're going to go ahead with this product anyway, even if we're not getting the information we want, because we have to, because it's a business need. So that may change the way the security engineer feels about that product or that company or whatever it might be, but it may still be a necessary tool that has to be used in the organization. The point is that the perception of the security engineer is probably going to change, and that may even change towards management, if they say, well, you know

what, we have to use this tool anyway, so just deal with it. The security engineer might change the way that they feel about management too: they don't understand what I'm trying to express or trying to explain. Which can change the way that they interact with management in the future. Maybe they're not going to tell them in the future: well, they didn't listen to me the first time, I'm not going to tell them the second or third time when this happens. Which again, if there are unremediated vulnerabilities or other issues with the product,

and the security engineer doesn't feel comfortable going to management and saying anything again because they feel like they're not being heard, that would severely increase risk across the environment if they are not actually expressing that to management. So, actionable takeaways. I know I covered a lot, but hopefully I brought the story together. The biggest things here, I would say: really understanding the concepts of perception and cognition, so how we make decisions. How do I make decisions, how do I make risk-based decisions in my organization, and how does perception affect those risk-based decisions? How does my interaction with other teams affect how I associate risk with software, with

products? How do I use my security tools, how do I perceive my security tools, and how is it really affecting the overall security strategy? So not just how does it affect security today, but, like I was talking about perception over time, how has maybe a negative perception between teams or negative interactions between teams affected the security strategy over time? So considering not just how it might be impactful today, but in five years, how will perception change, or how could I change the perception of the security team or tools or products to make sure that I am improving security in the future as an organization grows. How does psychology fit into RMF? I

love the Risk Management Framework. I think it's a fantastic place for organizations to really start to build a risk management strategy. But I'm curious if maybe there is something missing there, that we're not talking about the actual interactions with teams. It's laid out very well who owns and manages each step in the RMF process, but what if there was an interaction component or perception component in RMF that helps to identify where psychology and behavioral analysis, or behaviors of people, affect the way that we implement and manage RMF in an organization? And do you have people trained in human

factors on your security teams? If not, why not? There are a lot of great cognitive psychologists that I'm aware of that are moving into security, whether that's through teaching or into industry, and it's very, very helpful, because it helps to look at security in a different way. If we keep trying to solve problems in the same ways, I can't remember who said it, but it's like that leads to madness: just continuing to try to solve problems the same way and then we're not getting anywhere. So think about human factors in engineering, think about

how psychology might affect your organization; maybe it'll be helpful to understand those terms and that terminology. Wrapping up, just final thoughts here. We as humans are the ones that are using these products. We're using the technology, we're using the software, and we're working with IT, development, product strategy, marketing, all of that; we're working with them. So how are we using this as humans? How does perception, again, affect the overall security strategy? Humans and our interactions with other humans can really play a major part in how we implement, monitor, and manage security controls. And consider what security controls might be in your environment

that are not just technical: what security controls are people-focused or people-centric? And then just evaluate, taking stock, and I try to do this too: if I interact with someone, how did they potentially perceive that situation? Did they have a positive perception? Did we have a positive interaction? Will that positively impact the security posture of my organization? So taking that back and thinking about how perception, and even, for me, what biases do I have that are impacting me implementing security. So that's going to wrap up my presentation. I hope it was helpful and I hope that I gave some actionable items for you

guys to take back. I think I'll be hanging out in Discord for a while. There's my LinkedIn if you'd like to connect with me on LinkedIn. And I just wanted to say a final big thank you to BSides Delaware for having me today. There's a ton of great talks; I know I'm excited about them. But I'll go ahead and stop sharing and turn it back over.