
Are cybersecurity sanctions effective? A conversation with Dr. Mikko Siponen

Sep 26, 2024 · 34 min · Ep. 24

Episode description

Most organizations use sanctions as a way of enforcing cybersecurity policies and encouraging sound security behaviors. But few organizations ever test whether these sanctions are effective. Often they aren't; in fact, when used improperly sanctions can backfire. In this episode of Cyber Ways, Tom and Craig talk about sanctions and their effectiveness with Dr. Mikko Siponen of the University of Alabama's Culverhouse College of Business. Dr. Siponen is among the world's leading scholars when it comes to understanding the effects of sanctions on cybersecurity behaviors. Listen and learn how your organization can use sanctions more effectively.

Guest bio:

Dr. Mikko Siponen is Professor of Business Cybersecurity and Management at the University of Alabama's Culverhouse College of Business. He holds advanced degrees in Software Engineering, Information Systems, and Philosophy. A leading scholar in Information Systems, he ranks among the top 30 worldwide based on publications in premier journals. Professor Siponen is the only Finnish IS professor invited to join The Finnish Academy of Science and Letters. His expertise spans cybersecurity management, IS development, and philosophical aspects of IS. He has extensive experience as a visiting professor, consultant, and research leader internationally, with a particular focus on cybersecurity management.

Key Topics Discussed:

Sanctions and Cybersecurity Policies:
  • Effectiveness of Sanctions:
      • Sanctions can work even without prior direct experience.
      • Firsthand sanction experiences may enhance effectiveness.
      • Can backfire if perceived as unjust, leading to resentment.
  • Employees' Awareness and Knowledge:
      • Typically lack detailed knowledge of cybersecurity policies.
      • Inadequate training contributes to confusion and non-compliance.
      • Policies often conflict with practical organizational needs (e.g., link clicking).

Training and Effectiveness:
  • Deficiencies in Training:
      • Often generic and check-the-box in nature, hence ineffective.
      • Rarely measured for effectiveness by providers.
  • Recommendations for Improvement:
      • Demand effectiveness metrics from training providers.
      • Training should reduce cybersecurity risks significantly.

Practical Implications and Recommendations:
  • Sanctions as a Deterrent:
      • Active Sanctions: monitored closely, but can backfire if perceived as unjust.
      • Passive Sanctions: applied only when necessary; safer from backlash.
  • Communication and Awareness:
      • Clear, effective communication of cybersecurity policies and sanctions is crucial.
      • Must bridge the gap between policy and practical enforcement.
  • Balancing Fairness and Consistency:
      • Consistency across departments is vital to ensure fairness.
      • Fair sanctions are essential to prevent demotivation and resentment.
  • Sanction Implementation Tips:
      • Consider firm culture and employee perspectives.
      • Pilot test sanctions; gather employee feedback.
      • Obtain management support and recognize the impact of unions.

Understanding Employee Behavior:
  • Psychological Impact:
      • Sanctions can have long-term negative effects on employee perception.
      • Need for research on the psychological impact, especially for rule-breakers.

Current Research:
  • Dr. Mikko Siponen is working on:
      • Understanding and prevention of cybercrime through offender-victim communication.

Industry Trends:
  • Increasing sophistication of threat actors, potentially enhanced by AI.

Takeaways for Security Managers:
  • Sanctions need careful, context-sensitive application.
  • Ensure policies are known, understood, and perceived as fair and justified.
  • Training must be specific, engaging, and measured for effectiveness.

Cyber Ways is brought to you by the Center for Information Assurance, which is housed in the College of Business at Louisiana Tech University. The podcast is made possible through a "Just Business Grant," which is funded by the University's generous donors.

https://business.latech.edu/cyberways/


Transcript

Hi, folks. This is the Cyberways podcast, and we translate our academic knowledge about information security into stuff that you can use as a security professional. We think it's a unique mission. We think you'll like it. I'm Tom Stafford. Craig Van Slyke. Tom and I are your hosts on your journey to knowledge. Cyberways is brought to you by the Louisiana

Tech College of Business's Center For Information Assurance. The center offers undergraduate and graduate certificate programs in cybersecurity and sponsors academic research focused on behavioral aspects of cybersecurity and information privacy. Hello, everybody, and welcome back in to cyber ways. This is a production of the Louisiana Tech Center For Information Assurance in the College of

Business. It's a DHS NSA certified center of academic excellence in cybersecurity, and we consider one of our jobs is to connect you with the people that know what's happening in security research so you can take advantage of the very best findings in the most timely manner. Our our special guest today is doctor Mikko Siponen. He is professor of business, cyber security, and management at the University of Alabama's

Culverhouse College of Business. He holds advanced degrees, several advanced degrees, in software engineering, information systems, and my favorite of his group of degrees, philosophy. He's a leading scholar in information systems, one of the thought leaders in our behavioral information assurance workshop group. He ranks amongst the top 30 worldwide for publication, taking 2. He ranks among the top 40 worldwide based on his publications in premier journals.

Professor Siponen is the only Finnish IS professor who's been invited to join the Finnish Academy of Science and Letters, and his expertise spans cybersecurity management, IS development, and philosophical aspects of information systems. He has extensive experience as a visiting professor, a consultant, and a research leader internationally with his particular focus on cybersecurity management. Mikko, welcome to our podcast.

Thank you. It's great to be here, and nice to discuss about sanctions and how they work, and what kind of things you should avoid if you are planning to use sanctions in your firm. So what has had my attention for a number of years in the, the workshop group that we all attend is, the role of sanctions and how they have an effect on better cyber security. And, so I I guess the question at the top of this, do sanctions work? How do

they work? Sanctions can work, but if you don't use them carefully, they can also be worse than useless. So that's why you have to be very careful when you're using sanctions. And today, I will discuss what we know and, you know, what kind of things you should avoid and so on. So you you need to make sure that you understand what makes

sanctions effective and what to avoid. And, luckily, many of of these questions about the effectiveness of sanctions have already been answered in the in the scientific literature. Actually, in cybersecurity management, sanctions have been studied over 30 years, especially in information systems, IS side of cybersecurity security literature. Talk to us about the factors that determine whether sanctions are effective or not. Yeah. There are

quite many. The most studied aspects are what people call certainty of sanctions and the severity of sanctions. So let's start with these 2 first. So the certainty of sanctions means, basically, likelihood of getting caught. So it means the likelihood that active your activities will be detected and identified for the purpose of sanction. And I will keep very soon, I will give you examples. Okay. The other well known well studied aspect of sanction

is is the severity of punishment. It basically means that if you get caught or somebody get caught, you know, how harsh or big is the penalty. And in the literature, these are often presented in a way that the higher is the certainty and severity, the less risky cyber cybersecurity behavior will follow. And, of course, on these two dimensions, there are few many which I'll, explain later. People are talking about likelihood

of getting caught and and the severity of punishment. These are refers to people or, in this case, users' perception. For example, they they perception of the likelihood of detection and and severity of punishment. So let's illustrate this this with a very simple example first, which is familiar to everybody, namely driving over the speed limit.

What the certainty of detection means, it means that if you believe that there is a police radar, you know, when you drive, on a highway, you are more likely to drive within the speed limit. So more radar, more the more likelihood you believe there's a police radar, the less you are likely you are driving over the speed limit. That's the likelihood of getting caught, also known as certainty of detection. The other thing is severity of the punishment.

It basically mean in the in the driving over the speed limit example, that the higher is the the ticket fine, the less likely you are you are expected drive within the speed limit. And now, I mean, in that kind of cases, applying sanction is quite easy and straightforward. But if you apply these elements to cybersecurity cases, it's a little bit challenging. So let's take a phishing as an example. And let's illustrate one idea only. The certainty of detection,

also known as the likelihood of getting caught. So if you're a cybersecurity manager and, you know, you apply this principle, You should ensure that the employees believe that if they click a phishing link or share their password, the company will monitor such in incidents and impose sanctions on them. So what is the problem here? Well, the situation in in cybersecurity and, of course, this depends case by case, but in the phishing

example, it's actually very different from the speeding example. Because in the speeding example, people usually have they know their car speed. Right? The only contribution might be what is the actual speed limit on the road, and then do their navigators often provide that information. But if you think about the phishing victimization case, none of this is true. Employees often lack the necessary

knowledge to separate phishing message from real one. And, you know, if you impose sanctions in that case, the sanctions may backfire because employees really believe how I should, you know, know these things. That's why applying sanctions in cybersecurity cases is tricky. And there are many other concerns. One is sanctions experience. If you believe the original theory developed in seventies by guy named Gibbs so he was

basically saying that you can use sanctions. The sanctions require sanctions experience. And there are 2 kind of sanction experience if you follow the original idea. There are general and there are specific. The specific means that employees have received sanctions themselves. So they have own experience of receiving sanctions. That's called specific experience. The other experience is general experience. General experience means that you have not received sanctions

yourself, but you have seen other received received sanctions. For example, you may have never received a ticket for driving over the speed limit, but you know it's actually happening. People are getting caught and people get ticket. Okay. So so all of these conditions, if you can think about the driving over the speed limit example, I easily met. Be because people have either seen that, you know, this actually happened. You know? People are driving over the speed limit.

They get caught, and they get a ticket, or they have their own experience of that. Or, well, in many cases, both. But in cybersecurity cases, that may not be the case. For example, think about password reuse,

meaning you are using the same password in different accounts. Have anybody ever received sanctions for password reuse when hardly anyone has personal experience of receiving sanctions in, you know, many cases like my example of password reuse, then there's no really interference experience. If we read the theory and we believe the theory, sanctions

would not work in that kind of cases. Because without this this experience that you have own experience of receiving sanctions, or you have seen that other people receive sanctions, the sanctions should not work if we believe the theory. There's a difference between sanctions, which somebody else is imposing on you, and risk. So, like, I I I've never heard of anybody being, you know, receiving a sanction for reusing the password, but I've heard of people that got

hacked from reusing a password. So that that's a very different thing. Right? Yeah. It's a different thing. And and and well, if okay. If you believe the theory, here it means that that you need to have sanction experience. Sanction experience does not mean that somebody hacked, but somebody hacked and then because of the hacking, the firm punished somebody. Of course, the sanctions might be formal or might be informal. Informal means that, you know, you get the warning or something. So that

basically the sanctions experience means. Okay? And if you believe the theory, it means that you have seen that employees in the firm has received sanctions by the firm by not following cybersecurity policies, or they have own experience, or they have seen that, you know, somebody else actually received sanctions. And, again, the theory is saying, if that not the case, sanctions should not work. Now I'm saying, the theory is actually wrong

here. Because if if you look the evidence, as I said, we have been studying sanctions 30 years. And if you look to scientific evidence, it points out that sanctions do have some effect in cybersecurity cases, even there would be no sanction experience. So my conclusion here is that sanctions could be more effective if you have a sanction experience, meaning you have received sanctions or you have seen people have received sanctions by the firm for violating cybersecurity policies.

But if if firms are actually giving sanctions, that's tricky as you know, when you impose sanctions, you actually start to punish people or give warnings, the sanctions may backfire. People don't like sanctions and so on, and they may turn against you. That's an interesting stream in the literature that I've noticed. The the articles you and your your coauthors have been writing is the the possibility resentment arising from the organization enforcing its

security mandate. I want to go back to the, the the driving too fast in traffic example, because I'm going to be traveling up through your part of the woods in a couple of weeks. Straight past Tuscaloosa, I generally travel about 10 miles over the speed limit with a radar detector. The thing in my mind is I always slow down if everybody else slows down, and I always slow down if I see blue lights flashing, meaning somebody's been caught

in a speed trap. That leads me to ask the employees knowing about, the punishable acts, knowing about what might get sanctioned, that's an aspect of this too, isn't it? Their awareness of a of a security protocol that might be applied against them? Yeah. So the employees' knowledge should have a big role here, and especially if you read the theory. So the original theory assumes that that that users know already what is illegal or, in in our case, cybersecurity policies and what

is allowed and not allowed by the cybersecurity policies. But often the users may not know the policies. We have run number of studies on on these things, and, you know, most employees do not remember the details in cybersecurity policies. So that's, of course, challenge. And there's also another issue, other another knowledge issue related to how to do the right thing in terms of cybersecurity because cybersecurity policies may instruct let's take a pass password example

again. Okay? Cybersecurity policies may say, hey. Use long random unique password for each account. But then, you know, policy does not actually tell you how to do it, how how you manage this, you know, how you remember countless long unique passwords. And they may not be training on this. Of course, this issue is not specific to use of sanctions, but that kind of challenge is there is in terms of employees' knowledge that they don't know the cybersecurity

policies. And even they know, they don't necessarily know how to do the right thing because the company doesn't give them enough information. Training is not adequate and so on. Of course, as I mentioned, this issue is not specific to deterrence theory. Maybe we can explore that a

little bit more. As you were talking about that, I started thinking about if if you're driving along the highway and you don't notice that the speed limit changes, you don't necessarily react to seeing that officer on the side of the road because you think you're going the speed limit. Well, then if you get a ticket and it turns out the speed limit sign was behind the branch of a

tree, you're gonna experience a lot of resentment. And I think maybe or let me ask, do you think that the same sort of thing is in play with cybersecurity? So we've got these policies, either we haven't received training on them or the policies are really complicated. We violate the policies, get caught, get punished. It seems like that would lead to resentment, wouldn't it? Yeah. I mean, big thing here is that a very different thing if you don't know the the rules. And and as I mentioned,

for many firms, you just give the policies. There's some generic training. It means that people may not really understand, you know, why they have to follow these policies. And sometimes the policies are not actually good ones. You know? They are. There might be conflict between what the cybersecurity policies are saying and what the firms want you to do. For common example is that security guys are saying don't click any, links. And then, you know, administration is

actually saying, just do this training and click a link. So, you know, that's a con Look at this document to see what I'm writing you about. They do that all the time where we were. Yeah. So there's basic con conflict that, you know, cybersecurity policy is in the conflict, but you should do in the work. And that's actually past cybersecurity management, not about the the

deterrence theory as such. Whether using sanctions or not, it's important that the policies make sense, employees understand the cybersecurity policies. And they also know how to cope, as I mentioned. You know? If you start to say, hey. For every account, you have 30 account. Every account use unique long password, but you don't tell how to actually manage this, then, you know, you are not really helping employees. And then don't and then don't use a password manager because

that that's, risks. I know yeah. Well, and I I don't know about where you are, but we have annual training. Yeah. And it's, what, Tom, 4 hours, 5 hours of just all kinds of training. It's a chunk of time. Yeah. And the security training is buried in the middle of that, and you're kind of tuned out. You know, all you wanna do is get through the training. That's why I wonder if that's a reason that people react poorly when they are sanctioned because they feel like

the training isn't very effective. It goes back to your awareness. So what what about, can I can I can I quickly comment that? Sure. Sure. So this is a almost like universal problem. So not specific to, sanctions, of course. It also have implications for sanctions because if you don't know the policies, you

don't know how to how how to react. But often, you know and and the people who are listening to this, if if they are cybersecurity managers, you know, or you are responsible for the cybersecurity, you should ask, have you ever asked from the provider who is actually giving you the training how effective the training is? Mhmm. So for example, if you take a vaccine, you, you know, you ask, like, how effective? Is is this giving me 80% of

protection or 70% of protection and so on? You know, if you have a cybersecurity training, you should ask the provider, give me test results. How effective the training is? Right. So, you know, is it actually no. If if I have an let's say, anti phishing training, how effective this training is against the you know, how how much is lower the rate of victimization? And most providers, they have never even tested. You know, while you're selling or buying

products with you don't know how effective they are. And if they aren't effect effective are you actually wasting employees' time? Do you think that's just checking a box? Yeah. You know? That that's a lot of because lot of cybersecurity management, that's that's a really different topic. Lot of cybersecurity management is people call it best practice, but it basically does that, you know, tick box compliance that you can say to auditors that, hey. We have we have been

to you know, we have covered this. Right. You don't really you don't really care or you don't know how to, you know, what is actually quality here. You just say, hey, we did this. Next item, we did this. Right.

Right. Well, you said something earlier that I wanted to come back and revisit, which is that employees typically don't know the full totality of the information security policy of the organization, and that implies that the, the information security officers need to be able to communicate not only the restrictions and the prohibitions, but also the sanctions associated with violating them in a more

in an effective and reasonable way. How can the security managers get that word out in a way that will take that will be effective with the other employees? In communicating sanctions, there are a couple of things. First, you need to understand the firm culture and the nature of the firm business. So if sanctions are not self evident and depending on the firm culture and existing cybersecurity education efforts, you must explain why the sanctions are necessary if you want to use them

effectively. Also, you should think about putting yourself in employee shoes. You know, say, hey. How about these sanctions? Would you accept these sanctions if you would be the employee? If you want to introduce sanctions, you should pilot test ideas with you people. Discuss the concept and get feedback on how they think about this. And, of course, you need management support. And in any reason and this is really depending on the country or state or even, you know, the the what kind of,

firm. Is it public firm or is it, like, private firm? But, you know, some cases, some countries, some states, there might be strong work union. And if there's a work strong union, they may actually challenge you unless you are well prepared. A lot of cases in my, consulting work where, you know, lot of things we introduce and then the work union came and, you know, are you actually you know, what you are doing for our creative

employees. You have to know your firm culture well, what kind of culture it is, put yourself in employees' shoes, pilot test ideas, get management support, and so on. So for our listeners who are generally managers responsible for determining how to, manage security violations, how do they determine the right level of sanction? In our protection motivation work that we're all familiar with tends to suggest that if you have too heavy a hammer, people are gonna shy away out of, perceptual screening,

essentially. The old fear appeals argument, don't scare them too much. How does the CISO determine the right level of sanctions so they're, maximally effective? First, I think you should under as I mentioned, you should understand the firm's culture, and that's very different. And here, actually, I think many many scientists make a mistake. You know? If you if you let let's assume you you have very liberal university and philosophy department. That's an extreme example.

Most employees think that sanctions would be absurd unless you you really explain them carefully, and perhaps you are never able to do that. In contrast, if you go to military organizations, almost everybody almost know, hey. There will be sanctions. You know? It's it's a normal thing. In Northern Europe or France, employees expect more autonomy, so sanctions must be justified more than other countries. In turn, if you go,

like, US or the Middle East, sanctions are more commonly used. So, you know, you need to know your firm culture. In cultures where sanctions are not in firms culture with sanctions are not commonly used, then you really need to justify the sanctions and especially if there are harder sanctions. But as I mentioned, this is really depends on the firm's culture, so it's it's very firm specific issue. But you can also compare the

cybersecurity sanctions with other sanctions. What kind of sanctions the firm is giving other type of violations? And, again, same comments apply. Put yourself into employee shoes. Pilot testing to idea ideas with few people. And, of course, you need to get management support, as I mentioned, also. Sounds like sanctions could backfire if they're not engineered properly. How how could a a a manager avoid sanctioning in a way that would have the an unintended effect?

Backfire basically means that you increase sanctions for improving cybersecurity behavior. Perhaps cybersecurity behavior increases, but then you have negative effects, kind of side effects. People don't like sanctions as a result of which they work work motivation may decrease. They may start to hate cybersecurity, or they may start to hate IT or even leave the firm. In in in case of cybersecurity, one concern is also privacy.

It can depends on the culture and even people, what they think about privacy. Some for some people, private is very important. For some people, it's not. The privacy is important in cybersecurity cases because often when you actively use sanctions, you have to monitor. Right? And that's may involve violating employees' privacy. And because of privacy concerns, people may start to hate cybersecurity, hate to IT because they think that they

are the one and the same thing and so on. And we have studied that. We have one study where short term, that was field field experiments in Europe. So short term, the cybersecurity behavior increased. Longer term, the sanctions were not effective in cybersecurity behavior, but there was backfire effect that people didn't trust the company and lot of negative

views regarding the company and so on. So in order to avoid the backfire effect, you must understand that the employees get the importance of cybersecurity policies and the reasons behind regulating some actions by sanctions. This is depending on the firm's nature. If you are military organization, this is easy. If you are in a university, very hard, depending on the firm culture. But the idea is that you if you use sanctions actively,

you need to justify them if they are not already self evident for employees. And many organizations, they are not self evident for employees. And, you know, they need to understand why the activities sanctioned by sanctions are important to to cover and and so on. If they don't understand that, if they're not accurate that they think that it's a you know, you are just violating their privacy or you are just, making their work more harder, then you most likely will get get the

backfire effect. I'm hearing a pretty consistent subtext of fairness. So a lot of the things that you're mentioning that can cause the sanctions to backfire would be when the employees don't feel like it's fair. Yeah. You know, you're violating my privacy. You know, I didn't understand. You didn't communicate. They're too harsh. But but I wonder if unevenness and

sanctions is a problem. I know at universities and and a lot of other organizations, different departments or different functional areas have different subcultures. And so if you're talking to somebody in another department, then, you know, I they get to leave early on Fridays, and, you know, nobody cares when you come in. And your boss says, you better be in at your desk at 8, and you better not be out that door before 5. That seems like it could cause a lot of problems. Is that an issue with

the security sanctions as well? Well, that's an excellent question. I I don't think that nobody knows the answer to that. Alright. Future research. Yeah. Okay. So I think what I'm taking from this is if, if the security provisions they're required to follow aren't common sense, if they don't already know it, It needs to be carefully explained in a in an explicit manner by the manager Absolutely. In order to justify its application. So it's almost as though explaining the the security policy

achieves a lot of what has to happen. It's that 1%, those with a certain sense of psychopathy who are gonna break the rules anyway that need to understand they're gonna get punished if they don't comply. You know, if you think about the employees' compliance with cybersecurity policies, lot of cases where almost every organization should do better, and that's not necessary sanctions. Specific issue is that, you know, you should make effort that the employees understand the policies and

why, you know, the policies are like they are. I don't know that there's research into this in in the context of cybersecurity, but I think there's there are some psychologists that would say that the sanctions actually might have a an increasing effect on violations by those who are suffer from psychopathy, because that's part of the thrill. You know, if you don't get caught, there's not

a chance of getting caught, then you don't get that thrill out of it. And so I I just wonder, that might be an interesting avenue of research as well. But I don't think I've read anything in cybersecurity that's talked about that. No. I don't my understanding is that nobody has studied this in in the cybersecurity context.

So I have I cannot really I think the closest we get to that are the the very interesting findings in in in Mikko's prior work, particularly about people wanting to I don't wanna say get even with the boss for the boss being stringent, but the the the whole ledger keeping, scale balancing part of, deciding to act out just because you think they're being too stringent. Yeah. That might be. But What do you have coming in the

pipeline? What new ideas will are you working on to get into the literature on on how to manage cybersecurity? You mean sanctions or cybersecurity in general? Just interested in what you're working on and how our reader our listeners might be keeping their eye out for it if they're interested. Nowadays, I'm also doing a lot of work on cybercrime, actually.

So I do understand cybercrime, especially to how cybercrime happens and how to how we can use communication between the offender and victim to actually understand and prevent and prevent cybercrime. So that's that's one thing I'm doing. It's not really on cybersecurity manage management, of course, it has implications for cybersecurity management. What what parallels do you see between that work and and what you've done, around the sanctions within an organization?

Are you seeing any any commonalities across those 2 or too early to tell? The cybercrime cases that we are actually looking, These are cases where people very careful and clever ways, victimized, people and, you know, now sanctions. Well, if you don't understand that you are being victimized, so how the sanctions could really apply effectively. So that kind of case is I don't think the sanctions

help here. It's more about, again, you know, we need tools for ordinary people and employees to actually understand more about cybercrimes and, you know, how people may try to use you in order to get your money or some information from the firm. So it's more about the risks and how to protect yourself? Yeah. I think we're also seeing the threat actors becoming vastly more sophisticated than they used to be. That may be an

AI thing. I don't know. The people I talk to over here where we are, because we have a classified workspace over by the air force base, they're of the opinion that the national actors that are trying to breach their network are using AI to do it, and only AI can counter that. A lot of the phishing attempts I'm seeing lately are vastly better than they used to be. So it's a risky environment,

increasingly so, I think. You can use generic phishing where, you know, you've sent the same message to millions of people and hope some of these will be your victims, and then you might have more specific or targeted attacks where you actually find a lot of information on the target, and then you make your attack, and, you know, of course, these targeted cases are much more successful in

phishing or other types of social engineering. So, Mikko, as we close out, we typically ask what your 4 or 5 practical recommendations would be for the security managers who'll be listening to this. What are the things they can add to their list of to-dos to keep the company safe as they practice the craft? So first, you need to actually decide how you're using sanctions, active or passive use of sanctions. And now I realize that what we have discussed

so far is basically active use of sanctions. Active use of sanctions means that, you know, you monitor cases and you give sanctions to employees. But there's also passive use of sanctions. So passive use of sanctions, some might refer to this as a theory of covering your ass by sanctions. So the basic idea is that you introduce sanctions mainly to protect yourself or the firm from the blame. With this passive approach of using sanctions, you actually only use sanctions when

something bad happens. So you introduce sanctions, but you actually will use them only if something very bad happens. I call it, you know, passive use of sanctions. So when something bad happens, you can say, hey, we have sanctions in place. Now we can blame this guy or whatever. Now if you use active use of sanctions, that means that they require a justification, and they may backfire. They need justification because you actively monitor

and keep sanctions. And, especially, the higher the sanctions, the more carefully they have to be justified. And if you don't actively use sanctions, they will lose some of their effectiveness as a preventive tool. You know, same idea as in the speed limit example: if, you know, you are removing all the police radars, people will increasingly go over the speed limit. And now the use of sanctions,

especially, I mean, active use of sanctions. If employees don't find them justifiable, they tend to backfire, and you should already think about that kind of scenario. And in this case, if your sanctions do not backfire, you don't justify these, well, sanctions may become worse than useless, because the side effects, such as employees disliking cybersecurity, are worse than the effect they prevent. These are the 4, 5 key points.

This has been Cyber Ways. It's a production of the Louisiana Tech College of Business Center for Information Assurance, courtesy of the Just Business grant from Dean Chris Martin. This podcast is available wherever you consume podcasts, and we'd be grateful if you tell your friends about it. And if you find it useful to you, let us know. Let our guests know. I'm sure Dr. Siponen is available to talk to you if you need more advice, because as he says, he does a lot of consulting in this

area. We hope you found this to be interesting, and we hope you find the information to be useful in keeping your company more secure. Until next time. Thank you. Thank you. Appreciate it. And it is important to say that the Cyber Ways podcast is funded through the Just Business grant program of Louisiana Tech College of Business, and we're grateful for that. So join us next time on the Cyber Ways podcast, which is available on all major

podcast platforms. We want you to subscribe or follow or whatever button your favorite podcast app has. Thank you very much.
