The Human Side of Cyber Security – with Mark Timms

The Balancing Act is our podcast series. We speak to leaders and practitioners about the challenges they face and the strategies they use to defend against threats. You can find the entire series here.

Altaz Valani, our Director of Insights Research, recently spoke with Mark Timms. Mark is a Senior Behavioral Scientist at Royal Bank of Canada (RBC). His job is to deliver behavioral science research that helps RBC’s more than 100,000 employees make smarter decisions about how they use technology. Prior to joining RBC, he served (and continues to serve) as an Infantry Officer in the Canadian Armed Forces, as a Communications Advisor for the Government of Canada, as a Defence Scientist at Defence Research and Development Canada, and as Manager of Physical Risk at Scotiabank.

You can listen to the entire interview here. Below are some highlights.

His passion is decision science

Mark talks about the writings of James Clear and the desire of humans to fit in with others. This is true in the workplace as well as at home, and can drive safe or unsafe behavior from a security viewpoint. “People want to avoid behaviors that the humans around them will condemn…” This can present challenges to security teams that focus on explaining the technical aspects of a threat without understanding how users “need to receive information that will help them make smarter decisions with technology.”

Work from Anywhere adds challenges

By now, most people know they shouldn’t click on links in emails from unknown senders. However, Mark contends that overconfidence and distractions can cause people to make mistakes. He provides the example of reading email while driving. More important in today’s environment is the impact of employees working from home.

“The boundaries between “work” and “not work” are fudged because…a lot of the activity happens at the same desk in the same room. Bottom line: our distractibility and perhaps the absence of focus or the blurring of lines between “work” and “not work” contributes to suboptimal decisions.”

Security is not always a technical challenge

Organizations need to balance the technical side of solutions with getting workers to take the correct actions in their normal workday. Shaping human behavior needs to speak to the individual. Traditional cybersecurity messaging focuses on things people are not allowed to do. Instead, organizations need to focus on helping people achieve their goals safely. Organizational policies on communications can also deter progress. In Mark’s words: “Lessons identified have a harder time transforming into lessons learned when the only humans who can actually perceive this issue have to go through all kinds of permission granting loops to share that information with other people.”

Security people are like salespeople

Messaging is critical in convincing users to adopt good security practices. He cites the work of Sandra Matz and Michal Kosinski on “psychological targeting”. In essence, “…tailoring a line of persuasion or a message to convince me to do something”. Where a salesperson might be selling a car, his organization is helping “sell smarter decisions with technology”, including making the better security behavior easier for the user. This includes messaging about “why” it is best not to reuse passwords or respond to phishing messages. The key is “to present the exact same call to action [e.g., don’t reuse passwords] to two different types of humans in ways that resonate with those types of humans equally.”

The entire interview is available here.