Religion and security with Karen Renaud and Marc Dupuis - podcast episode cover

Religion and security with Karen Renaud and Marc Dupuis

Cyber Ways Podcast
May 28, 202437 minEp. 23
--:--
--:--
Listen in podcast apps:
Apple Podcasts
Spotify
Download
YouTube
Overcast
Pocket Casts
Episodes.fm
Download Metacast podcast app
Listen to this episode in Metacast mobile app
Don't just listen to podcasts. Learn from them with transcripts, summaries, and chapters for every episode. Skim, search, and bookmark insights. Learn more

Episode description

In this thought-provoking episode of Cyber Ways, Tom and Craig discuss the intriguing topic of cybersecurity and religion with guests Dr. Karen Renaud and Dr. Marc Dupuis. Karen and Marc share insights from their research exploring the intersection of cybersecurity and world religions, offering a fresh perspective on enhancing cybersecurity practices.

Key Points Covered:

- The innovative research by Karen and Marc on leveraging positive values from world religions to influence cybersecurity behavior.

- The discussion on the drawbacks of fear-based cybersecurity practices and the importance of fostering a positive culture within organizations.

- Insights into the role of community, belonging, and sacred values in both religious communities and cybersecurity environments.

- The parallels drawn between religious principles and cybersecurity practices, emphasizing adaptability, forgiveness, and the sense of belonging.

- The significance of incorporating nonnegotiable values and building a culture that supports cybersecurity from top to bottom within organizations.

As Karen and Marc shed light on the impact of incorporating religious values into cybersecurity, they advocate for a different perspective on how a sense of community, forgiveness, and grace can transform cybersecurity practices. Join Tom, Craig, Karen, and Marc as they explore the potential for positive change in cybersecurity culture by drawing upon timeless principles from world religions.

Don't miss out on this enlightening episode of Cyber Ways and discover the transformative power of integrating religious values into cybersecurity practices. Tune in to gain a new perspective on building trust, community, and resilience in the ever-evolving landscape of cybersecurity.

Subscribe now to Cyber Ways for more insightful discussions on innovative approaches to information security and stay ahead in the realm of cybersecurity. Go to https://cyber-ways-podcast.captivate.fm to subscribe.

Guest bios

Karen Renaud is a Scottish computing Scientist at the University of Strathclyde in Glasgow, working on all aspects of Human-Centered Security and Privacy.  She is particularly interested in deploying behavioural science techniques to improve security behaviours, and in encouraging end-user privacy-preserving behaviours. She collaborates with academics in 5 continents and incorporates findings and techniques from multiple disciplines in her research. 

Marc J. Dupuis, Ph.D., is an Associate Professor within the Computing and Software Systems Division at the University of Washington Bothell where he also serves as the Graduate Program Coordinator. Dr. Dupuis earned a Ph.D. in Information Science at the University of Washington with an emphasis on cybersecurity. His research focuses on human factors related to cybersecurity, especially how psychological traits affect cybersecurity behaviors.

Transcript

Hi, folks. This is the Cyberways podcast, and we translate our academic knowledge about information security into stuff that you can use as a security professional. We think it's a unique mission. We think you'll like it. I'm Tom Stafford. Craig Van Slyke. Tom and I are your hosts on your journey to knowledge. CyberWays is brought to you by the Louisiana Tech

College of Business' Center For Information Assurance. The center offers undergraduate and graduate certificate programs in cybersecurity and sponsors academic research focused on behavioral aspects of cybersecurity security and information privacy. Hello, everybody, and welcome back to Cyberway. It's a production of the Louisiana Tech University Center For Information Assurance supported by a Just Business grant from college of business Dean Chris Martin. Today we have with us Karen Renaud

and Mark Dupuy. They are doing some fascinating research on cybersecurity insights taken from world religions. Recent article appeared in Computers and Security. Doctor Renault is a Scottish computer scientist at University of Strathclyde in Glasgow, works in all manner of human centered security and privacy. Doctor Dupuis is an associate professor with the Computing and Software Systems Division, University of Washington, Bothell, where he also serves

as the graduate program coordinator. He has his PhD information science from the University of Washington with an emphasis in cybersecurity. Welcome, Karen and Mark. Thank you so much. Thank you. Let's start with the big question that I think is gonna underlie a lot of what we talk about today. What's wrong with the way we currently practice cybersecurity? Rita, Janet, I'm not It's not working because there's no

the number of attacks are not abating at all. So when when you keep doing the same thing and it's still not working, you have to think about, well, what do we what could we do differently in order to have more success? So at at a meta level, seems like we're not very successful. And I think in an organizational setting, I think one of the things that's not working is it's often kind of a us versus them. And if you think about it in an organizational

setting, why are we doing that? It should be us, the employees, and the leadership against them, the people that are trying to cause harm to us as opposed to, the infighting that often takes place. It's it's counterproductive. And as Karen said, we're not we're not getting anywhere. We're not we're not, making improvements, and that's the problem. The other thing is that we have this paradigm in organizational cybersecurity, which is formulate the policy, disseminate the policy, and

enforce the policy. And then when things go wrong, we just go back to disseminate again, and then we enforce again. And so it's almost as if it's it's like a vaccination. And if you just make the vaccination take, everything's gonna be fine. But this is we've been doing this for over 2 decades, and it's not very successful. So we have to start asking ourselves, what could we do differently? So one of the things that I was looking at

y'all's body of research. One of the the things that struck me was that we seem to focus way too much on, negative emotions. You think that's one of the problems? Well, so Mark and I met at Hicks some the very first time. And I said to him, Mark, I want to do some research into the use of fear in cyber. And Mark was on board. That was the first paper we did. And we felt that a lot of the dissemination that is done in cybersecurity is a hook into people's minds was

if you don't do this stuff, things are gonna be really bad. You're gonna get punished, and the hackers are gonna get in and so on. And so fear is being weaponized. And what Mark and I discovered was that this is a very damaging thing to do to people because fear is is an emotion that actually hurts you, and it lasts for much longer than we realize. But, Mark, maybe you could tell them about the password one that well, maybe I should we shouldn't go into that kind of depth

now. Sorry. Well yeah. You know, I I think I'll just just briefly I think the thing I'll say is with with fear and other negative emotions, when when people get scared, they don't make the best decisions, but yet we're trying to use these negative emotions like fear to

try and get them to do what we want them to do. So it's it seems kinda silly in in many respects that we're trying to get them to be compliant with these policies by scaring them when all of a sudden, and from a cognitive standpoint, they're gonna be less adept at doing what we want them to do. So I I you know, it's just

it's very, counterproductive in many respects. And as, you know, some of our research has shown too that not only are we eliciting fear, but we're also increasing other negative emotions and decreasing positive emotions. So what are the other implications for this? Mhmm. Your concern is But we have this extensive criminal justice lens through which we view cybersecurity, and those of us who go to the to all the rude meetings see it all the time.

All the leading authors started with a perspective of enforcement as as Karen so aptly put it. You know, promulgate the policy, enforce the policy, punish the people that don't adhere to it. It just doesn't feel like good organizational behavior, from a managerial perspective to be trying to get people to do the proper thing with negative reinforcement as opposed to building a positive culture, which which I I'm hoping is where we're we're headed at some point, but

we don't see much research on it, do we? No. And I understand the fear. Right? Because I speak to CSOs a lot, and they're worried. They're they're the ones whose head is on the on the plateau when things go wrong. They're the ones who who have to answer the stories for the board, you know, why did we get hacked? So that fear is then being transmitted, and that's why they get all heavy with the normal average person in the organization.

So the whole thing about the blaming and the fear culture is really unhelpful across the board. So I would agree with you, Tom. So your paper is about a religious view on cyber security, and I see that as eminently positive. You know, religion is a positive force in our life. It it speaks to doing good and and being good, and I'm very interested in how you bridge to that particular lens as a way of considering cybersecurity behavior in a new perspective.

So I spent some time in Germany a few years ago, and I picked up 2 books before I left to read while I was there. The one was by Scott Atren, which is called talking to the enemy, and the other one was, Jonathan Haight, The Righteous Minds. Nothing to do with cyber. But both of these books really struck me in terms of trying to understand why people do what they do, and both of them spoke about our values.

And then I started wondering what were the values that we were trying to get people to adopt in cybersecurity. And then I picked up a book by Alain de Beauforton, which is called religion for atheists. And then I realized, well, hang on. Why don't we learn from the people who do espouse values? Because religions all have values that their adherence espouse. So what what could we take? And but Du Boisoten says, don't

throw the baby out with the bathwater. Let's look at religion and take the good parts and learn from it because they're very successful, and and and then don't take the stuff that's not so great. And so that's kind of where this idea came from. And I I zoomed Mark from, from Germany, and he said, yeah. I'm in. So that's that's where the ideas came from. So what did you hope to find in, in applying this new focus on on cybersecurity?

Well, I think a lot of it is, you know, like Karen said is, you know, religions have those that have stood the test of time have stood the test of time for for a reason. And and some of them have, you know, a lot of them have stood the test of time, have adapted, evolved, and changed, as times have changed, as our society has changed. And, by doing that, they have, met the needs of of the people they're serving, of of their believers.

And, and there's something that could be learned from that. And we think about some of these religions have been around for 1000 of years And, you know, in cybersecurity, you know, being around for, you know, 20, 30 years at the most, really. And so what can we do as such a new discipline? What can we take from religion and and try and learn from it? Because, you know, as we said earlier, we're not we're not successful. We're not we're not very successful in what we're doing, and

the problems are only getting worse. So let's let's be humble enough. Right? Let's let's show some humility and let's try and learn from these other areas like religion and and see what we can take. And instead of just this compliance and and this punishment of people that are trying just to do their day to day jobs, most of them are not in there to do cybersecurity. They're being tasked with it in often an unfair way when they're there to

do pretty much anything but cybersecurity. But what what can we take from other places, other, you know, other disciplines like religion and and learn from it to help us to help us be more successful. And, you know, as Karen said, you know, there there's there's a lot to be learned from. So let's learn a little bit from religion. I wanna dig into just what religion is. So it's one of those things where we all know what it is, but we don't really know kind of what it's

made up of. Can you talk to us a little bit about what actually religion does or what its components are? When I I started writing this paper, I thought, well, the first thing to do is define. Right? Whenever you have a new concept in a paper, you have to define it. And it turned out that people are struggle to define religion. So, having read a number of people who said, you know, nobody can agree on it, So, okay, let's go and look at it from a different way.

And I found somebody called Durkheim, who's a very well known German academic, who said that religion has 3 dimensions. It's believing, belonging, and doing. And then when I found some other papers that also tried to say, these are the characteristics of religions, I found that they also fell into those three dimensions. And that made it a lot easier to an to kind of start interpreting how what we are doing and what

religions do. Can you tell us a little bit about the problem? Part is that, you know, if you go to somebody who's an adherent of a particular religion, they can tell you what they believe in. And they also know what kinds of things they should do. So they may believe in in if it's a Christian, they would believe that they have to be kind to other people and forgive people when things people do bad things to them and that sort

of thing. So the believing and the doing is easy to understand. But the belonging was the one that was really came across strongly in all the the religious related literature because people get a sense of belonging to their community. They meet weekly with their community a lot of the time. And that sense that I am a Christian or I am a Muslim or whatever, that was part of became part of their identity. And so those three things were the aspects of religion that people seem to, you know,

cohere to. There's also the nature of, I think, the belonging aspect of of of your model to me speaks to what I've always considered to be the important part of cybersecurity, which is belonging to the team that secures the company. Mhmm. And I I see that as a a very useful metaphor taking religious perspective. Yeah. I I I think, you know, the the belonging part is in many respects, the one big area where we're lacking maybe more than the others. Because I mean, we we all can believe,

oh, you need to do this. You need to be aware of this. You need to watch out for that. Make sure you do this and and so on. But building that sense of community that, hey, we're all in this together, that, we know mistakes are gonna happen, that we we realize this is tough to do, that we're not all, at at the same level of understanding these different threats and so on. That, I I I believe, is really where we're lacking and we're not doing a good

job of. And I think you look at successful religions, you look at people that, want to go to church, and it's not always just to sit there and and listen to a sermon for an hour, but it's oftentimes those other activities. It's gathering for to share a meal together. It's it's it's just being with one another. It's it's that sense of belonging, that community that you have that we just don't see in in cybersecurity. It's it's it's this very this top down approach. It's this punishment approach.

And, you know, I I think as we think about the success of religions and and a sense of belonging, we just we are so lacking with respect to that sense of belonging in cybersecurity. Can I take a tangent here? As you were were all talking about this, I was trying to translate in my mind the idea of belonging to something like a church or a religion

versus a sense of belonging at work. And so my church and my religion, for a lot of people that are religious, it's very intertwined with their personal lives. So it is part of their life. I grew up in the Baptist church, and it was you know, it could be 3 nights a week going and doing something all day on Sunday. So that was intimate part of who you were. And

I don't know if we get there with work. I know work is part of our identity, but I I wonder if it's a problem of intensity or the extent to which it's intertwined in our real lives. You know, we tend to separate work and personal lives, but religion is part of the personal life. That's a really interesting point because it is work and I guess we have our work tribe and we have our home tribes. But I did another piece of research which is under

review right now with some other people in Germany. We asked people, if they ever discussed cybersecurity with other people, and they all said no. And then we asked them whether they would like to discuss cyber with other people, and most of them said yes. So it's the kind of thing that people don't talk to each other about at all, where people in the same religion would talk about their religion. So it's almost as though people don't feel that that's something they can do.

Whereas a if there's 2 Christians, 2 Muslims, any Buddhists, they would talk about this religion of theirs. Right? So it's almost like it's a solo sport right now instead of a team sport at work. That's an apt point. I I've always felt that many organizations were groups of people each traveling their own way and the challenge of the manager is always to harness their activities

in concert with each other. When it comes to something so mission critical, it's protecting the company's assets from external access. So so do you think part of the problem is the negativity around cybersecurity? So we don't talk about doing cybersecurity well. It's when there's an incident, when something bad happens. And who wants to talk about that? I wonder if it's all wrapped up in the fear of the virus. And 3 people fall for a fish, but 3

1,000 didn't, who are we talking about? We're talking about those 3. And and so, yes, it it's it's a kind of an a mindset that we felt when we were looking at religion really ought to change and this mutually supporting thing. Because when I've studied events where there have been cyber, breaches, the first thing that happens is the person who's responsible, who may be clicked on the fish or something, they're immediately ostracized. They're immediately pushed into the corner and

how dare you do this and how could you have been so stupid. That's that's not what a church would do. They would try to help the person do better. Or not the church, but I mean people in the same religion. Or or burn you at the stake. 1 or 2. Never. Not anymore. Not anymore. Sorry. That was a long time ago. Karen makes a point though. Craig and I both come from the Baptist heritage and then and the Baptist creed of faith is everybody's going to hell unless they do their best to be

a good person. No. That's that's putting it too strongly. Everybody's inherently a sinner and seeking forgiveness and doing good works is the avenue away from, the outcome. And I I see the parallel with what you what you just put voice to your current. I think too is it's it's almost difficult to wrap our mind around how would we do this with cybersecurity.

But, difficult but not impossible. Right? Because I I think about places I worked previously where, you know, maybe a smaller office environment where maybe there's 50 to 75 people working there where, you know, we would have potlucks and and different things. We would have, decorate our office for Halloween and these other activities and have fun things and and

build that sense of community. Well, you know, like like Karen said, you know, you know, what if there is a a fishing simulation exercise and, yeah, 3 people fall for it, but everyone else does it? Well, what if we have a a pizza party or something, right, some kind of celebration, for all those that didn't fall for? We don't even mention the fact that there's a few that didn't. And and we just, you know, again, build that

sense of community. And we we talk about, how successful we were, or or celebrate these things and and come together. And and I think because it sounds so foreign, it seems silly to think about that. But and that may not be the exact approach, but I don't think it's impossible to think about how we can build this sense of belonging in cybersecurity because the fact of the matter is is this isn't a solo sport. We're not in this individually. We're in this together, but we do act like and

it's treated like we're in this individually. At the end of the day, you know, the organization will be impacted. We're all impacted directly and indirectly at at some point in time. So we need to kind of start getting creative with how we're gonna create the sense of belonging and community within organizations. That that fits with what Karen said about mindset. That's one of the things I'm hearing here is we need to really have a shift in mindset.

To to get at this, you interviewed a number of religious leaders from a variety of different religious traditions. So what did you find? When we analyzed, we didn't specifically ask him about belonging, believing, and doing. We just asked him in a bunch of questions, which I think we've included in the paper. And what happened when we analyzed it was, well, unsurprisingly, belonging, believing, and doing kind of filtered up, and we could group them into those 3 stupid

themes. And what came across with with the one the final question was, you know, how could cybersecurity learn? And they all said, oh, you know, you need not to be so harsh on people when they make mistakes. Cyber is hard. And we saw a sense of forgiveness coming across, a sense of grace for the imperfect human. And that we kind of had expected that, but it was really gratifying when we heard it from them.

But the interesting part was they said the one guy said, well, you know, when did he did cybersecurity training when he was a student at university? It it was just like a checkbox thing. He did it online. He finished it. He answered the questions, and he was done for the next year. But he said at his church, when they get together, they talk about concepts. They talk about the difficulties they're having when they have their community get together. So he said, why don't we do that?

That was exactly what I was hoping if somebody was going to tell me. You know, he was he made he made that contrast for me. One one of the issues that I see from an organizational theory perspective is the notion of agency. The organization is formed as an informal and sometimes actually formalized contract between the people who own the company, the principals, and the people they hire to do the work for them, the agents, and

the agents are economically rational. They will they will do things they shouldn't do if they feel like they can get away with it and and it's to their benefit. Mhmm. The distinction in the religious view is the principal agent component is not there. There's no economic rationality. There's there's no if you think about it, no pragmatic payoff for being good other than being good for goodness' sake, which is faith, which I find very I find that to be a very compelling aspect of

this religious view that you take of cybersecurity. People doing good security for its own sake, rather than because it's their job or because the boss will sanction them. But also maybe learning to do what's right for the community. Right? Rather than just doing what's what I'm scared not to do. I've long felt that the, the criminal justice perspective on cybersecurity, had issues because it it treats people as problems when in fact your

solution is isn't it? Yes. So that that leads into something that I thought was perhaps the most interesting part of the paper, and that's the idea of sacred values. Tom, you were kind of alluding to that. You know, be good for goodness sake. It's because that's what you do regardless of everything else. If it costs you money, if it costs you your position, costs you your material wealth, you still do we we talk about doing doing what's right because it's right. That's a sacred value.

So what are sacred values and how do they apply in this context? Mark. This this is not a quiz, so Well, I mean, well, what row. I was gonna real quickly, maybe touch on the prior question if that's okay. And I I think it's just some interesting insight from the religious leaders with kind of that sense of belonging where, you know, they they touched on how we are all different, and we have a lot of differences between us, but how we should focus also on what's common

between us. And it's kind of that sense of belonging, you know, bringing us together as a community and how we are there to help each other, help us as as people. And by doing that, we can create that sense of trust, between us. You know? And I see that not really being done very well in organizations. It's it's often like, oh, this person doesn't know what they're doing, but they're gonna click on that phishing email. They're gonna hurt us as an organization and and so

on. And so, you know, that was some interesting insight with respect to belonging. And then you look at believing, an interesting comment from one of the religious leaders was, you know, go where the people are rather than just expecting the people to come. And, you know, again, I I thought it was just some very interesting insight of, you know, hey. You know, reach out. Don't just

wait for something bad to happen, but be proactive. You know, be available to the to these people that, again, are not there to do cybersecurity but are being tasked with it in an often and unfair manner, but be available to them. So, you know, that it's just some other things that I wanted to to share. One of the things that somebody said was be humble. The people who are asking other folks to do cybersecurity actions should be humble and not act like they know everything. And that that

was interesting as well. I'm intrigued by the notion of morality. I always have been. And morality is deeply seated in the concept of religion. I I wonder if maybe it it it transfers over to your research perspective because my sense of organizations is companies have no religion. They are the inherently amoral entities. They do what is legal. And sometimes as I tell my students, amorality is doing what is not prescribed by law or what you think you might not be caught at.

And you know it's not right, but you don't think you're gonna get caught. Organizations are not moral, centers, if you will. And then that I think that has to change because cybersecurity requires everybody caring for the good of the all as opposed to everybody looking out for themselves. Don't you think? Yes. Can I just get back to the sacred values that, Craig asked about? When I when I read Scott Atron's book, he said that, people, you know, you could challenge other values they

had. But when you went near their sacred values, they it was not negotiable. Right? And so what I kept thinking was we don't even try to incalculate the values into people in cyber. We give them a list of do's and don'ts. We don't actually try to make that part of them that becomes nonnegotiable. And and you were talking about integrity. I've done a study into whistleblowers, and they also said, we saw this and we had to speak because it was our integrity that was a

question. So for them, that integrity was their kind of sacred value. But we that it seems to be a completely alien concept in cyber at the moment that we we try to find the values that people should endorse and embrace. Let me see if I can tie this back to what what Tom was talking about. So morality isn't a static, universal thing. I mean, we have some things that we view as largely universal, but you brought up a really important point in your paper that ties into all of

this. So the idea is if we can get employees to tie into the security sacred values, then they'll do anything to avoid violating those values. But then you brought up a really important point and I'm literally gonna read it.

While cybersecurity professionals could easily commit to these values, talking about the cybersecurity sacred values, we do not know the extent to which individual employees will be able to commit to these relatively broad categories and or convert them into action, nor do we know whether they are effective candidates to serve as the higher values foundation grounding our vision. Yeah. I think that's the rub.

That the sacred values for the employees getting some and Tom, you kind of talked about this idea of alignment in in management. I think that's gonna be the neat trick, and if we can figure out how to do that, a lot of other things may fall into place. So what do you all think about that idea? I think that's a big part of the challenge is it's creating that culture that is going to work from, you know, from the bottom to the top and vice versa. And that's that's

a really big challenge. It goes to these sacred values that were espoused by the religious leaders, you know, working together to support others. And it's not easy. Everyone is there trying to, for the most part, do their job, make make their money, go home, and and, you know, deal with their lives outside of work. And when things are complicated and, you know, you probably see eye rolls and you see other things I have a couple kids, so I see that plenty. But then, you know, you

you're tasking them with other things that complicate matters. It can be difficult to get that buy in. But if you are successful and if you can do that, you can really see some amazing things happen. And and it is possible. You know, you see things that have been done. You look at at Demian and what was done with Toyota in the 19 fifties. This humongous shift. These humongous shifts in culture can happen, and they do happen, and they are effective.

Why can't this happen with cybersecurity in organizational settings? It can. You know? We just need to figure it out. And I think this is a starting place for some discussions of what this might look like. You know, how this can be effectuated? You know, we still have some work to do to figure that out and to try it out, but it it is possible. It is. You're in my wheelhouse now when you bring up Deming because Deming was issued by all the major

US automakers as being irrelevant. So he went to Toyota out of desperation to sell his idea, and he he landed in a culture which espouses collectivism, which means the good of all as opposed to the good of the one, whereas the companies who turned him down are strictly into economic outcomes for the 1, maximized personal outcome, which is really, I think, the the issue in the a moral approach to business. I I I don't

know. I'm I'm on a soapbox now, so I'll stop. But I I wanted to, to ask you whether you think that the notion in the title of your paper, shame, has an irrelevance or if that's just something that we try to avoid by doing good. And if I could just interject, that's that's another paper that's in this kind of overall we need to do security differently theme. And assuming that Mark and Karen are willing, we're going to have them back to talk about that paper because it was just too much for one

episode. So I just want wanted to to kind of give the backstory here. And that's one that we followed the fear one with because it felt as if people were being shamed when they did make a mistake, and that was my sense. And then when Mark gathered all our bunch of data, it actually happened to loads of people where they where they done something silly, clicked on a message or whatever.

And there was then the organization would people would yell at them, and they would they would get, you know, ostracized by their by their because now everyone had to go for the training again, and everyone couldn't work that day while the folks, IT folks, had to sort the computers out and everything. And the what the people went through was awful. You know? And and what we discovered was, interestingly, there's a difference between shame and guilt.

Guilt says, you did this silly thing. Here's what you can do to make up for it. Shame says, you are the stupid person. It's an attack on you as a as a human. So then what you get is a self defense response. And what we also discovered is that what you do when you shame people is create an insider threat. It's very, very counterproductive. The organization does not end up ahead like maybe they think they're gonna

end up ahead. So it's it's very counterproductive. So we're we're gonna leave that as foreshadowing for our later episode. We're starting to run up against our time limit, so could you give us kind of the 3 or 4 messages that you want our practitioner listeners, our cybersecurity professionals, to take away from what you found in your work. I'm gonna punt that to Mark. I've I've spoken a

lot. Sorry. One thing I will say, and maybe this isn't a direct answer to your question, but maybe one thing I'll say just as a follow-up to the same question is is one thing we sought out to do here was to learn from world religions what we could apply to cybersecurity and make cybersecurity better. One thing that we did not seek to do was to porch portray that world religions were without any issues

or faults of their own, that there weren't any problems or challenges. And I mentioned that because, obviously, plenty of religions use shame. They use fear. They use other things that we do not think should be used in cybersecurity. So I did I did want to mention that that we're trying to say, you know, what does make world religion successful? How can we take that and apply that to cybersecurity?

And so, you know, with that in mind, I think some of the things that some of the major takeaways with respect to these higher values and thinking about, you know, the idea of for me, one of the big ones is a sense of belonging and and building that community, caring for others, wanting others to be successful, to succeed. And that can only be accomplished if, you know, instead of just punishing and looking at other people and saying, hey. You did this wrong. Instead being like, hey. You know,

this this types of things happen. We know it's challenging. Let's figure out how we can make this make everyone more successful. Let's you know, what are we doing on our end that, we could do better? You know? So it's not just the employee, but what is the organizational what is the organization doing that, is making it more difficult? You know, what could what can the organization be doing better? And and, you know, just working together to support others, to share this knowledge,

to care for each other in in a real meaningful way. And so I I think that that sense of belonging for me is is a really big one that I think religions, maybe in an often ideally idealized, can do very successfully. With cyber, we seem to be stuck in a bit of a a rut where we this is the way we do cybersecurity, and things like generational AI has come have come along, and we have to be able to adapt. But because of the fear based approach, people are almost frozen in the way they're

doing stuff and that they're too scared to adapt. So it's really about taking the good parts. I agree with Mark there absolutely. The the religion does belonging pretty well. Let's try and figure that out. Also, the the sacred values were the thing we've put in as our as our this needs to be done because we didn't actually arrive at those. We didn't have the bandwidth to do that with this study, but that's definitely

something we want to work on next. So when we were talking about it, Shane earlier, Craig mentioned that it seems a likely topic of your next paper, even though it's it's partially covered here. Tell us about what the next step is in your research because this is fascinating. We need an alternative to, pardon the metaphor, the hellfire and brimstone of a criminal justice perspective in current cybersecurity

practice. So Mark and I are looking at this whole issue of sacred values with a another friend, at one of the London universities, and we're really hoping to arrive at a set of values that we could offer to the cybersecurity community to say, these are the things that we think that people could possibly espouse in order to help them. For for secure cyber security to become something that they don't even question that they just do, and

you wouldn't have to have the compliance stick to beat them with. We also did a paper on regret, which is can be negative, but it turned out it can also be a positive thing. So if you make a mistake once, you can learn from it. I want to be understood. Organizational theory, Leon Festinger. Everybody knows him for cognitive dissonance, but attribution theory Uh-huh. Was his

big thing, organizationally. And then the notion is people hate to fail, and they're more motivated by figuring out what they did wrong and keeping that from happening again than they are figuring out what went right. Because they expect to do well, but they don't expect to fail and they wanna avoid failure. But I was actually what triggered this, Craig, was we managed to put the name of a song in the title. So the title is from Edith Piaf. Nice. I've been wanting to

do that for years. So we've we've been talking with doctor Karen LeNo and Mark Dupuy, today about their fascinating perspective on cybersecurity and doing our part to spread the faith of doing good in the workplace. This is cyber ways, a production of Louisiana Tech University College of Business supported by Dean Chris Martin's just business grant. You can download it wherever podcasts are found, and we dearly love if you tell

your friends about us. See you next time. And it is important to say that the Cyberways podcast is funded through the just business grant program of Louisiana Tech College of Business, and, we're grateful for that. So join us next time on the Cyberways podcast, which is available on all major podcast platforms. We want you to subscribe or follow or whatever button your favorite podcast app has. Thank you very much.

Transcript source: Provided by creator in RSS feed: download file
For the best experience, listen in Metacast app for iOS or Android