Dr Mark Carey-Smith
Independent Infosec Professional
Mark has been an information security professional for approximately 20 years.

He has worked in operational and architectural infosec roles as well as lecturing, and his current focus is governance, risk and compliance.

Mark holds an MIT and a PhD from the Queensland University of Technology. Mark's philosophy is that information security should be an enabler of business, and he is fascinated by the behavioural antecedents of the decisions that people make when they use, or abuse, information.

TUTORIAL: Cyber Security Awareness and Culture Roundtable
Technical Level (3 being the highest score): 1

Ensuring staff have an appropriate understanding of the importance of cyber security and the part they have to play in managing cyber security risks is challenging and important. Join a group of your peers to discuss cyber security awareness-raising and cultural improvement. This will be a workshop style tutorial with extensive opportunities for discussion and the generation and sharing of ideas and knowledge.

Topics to be covered include:

• Setting the context
> What do we mean by 'awareness'?
> What is culture?
> How can these things be measured accurately?
> How can these things be changed?

• Challenges

• Solutions
> Methodology - how Appreciative Enquiry can identify and scale up 'bright spots'

• Wrap up
> Summary of workshop
> Suggested resources

Why Do People Do That? Lessons from neuroscience, positive psychology and behavioural economics.
Technical Level (3 being the highest score): 1

The information security research literature has many examples of studies that attempt to predict user behaviour based on users’ self-reported intentions and perceptions of risk. However, people are generally fairly poor at judging their own future feelings and behaviours. There are also other factors including social desirability bias that create disparity between the theoretically predicted and self-reported behaviour and the actual behaviour in workplace settings. In recent years advances in neuroscience have enabled studies into users’ actual perceptions of risk and decision making, rather than their estimation and reporting of perceived risk and assumptions about resulting behaviour.

This presentation will discuss recent, practically-focused research from the fields of cognitive neuroscience in information systems (NeuroIS), positive psychology and behavioural economics, and describe how this knowledge can help us be more effective individuals and information security professionals. If we have greater insight into why people do what they do (including ourselves), we can better manage the challenges of modern life, both personally and professionally. All information security professionals need to be effective communicators and even the most technical of roles involve human interaction.

Key presentation points include:

- Examples of cognitive biases and how they influence perceptions of risk, including:
** Affect heuristic, which describes the influence of the emotional impact of a message on the recipient’s estimation of associated risk
** Availability heuristic, which describes how the ease of recall of an example of a described risk influences the recipient’s estimation of associated risk. E.g. approximately twice as many Australian deaths result from cows as from sharks, but most people perceive the threat of sharks as much higher, at least partly because examples of shark attacks are easy to recall
- Understanding these biases and others helps us communicate risk in a way that is more likely to be persuasive. It may also help us understand why something seems obvious to us but appears difficult for other people to grasp
- Examples of recent neuroscience studies into information security risk perception and decision making
- How positive psychology can benefit information security professionals, including the importance of sense-making and how it contributes to well-being

The guiding principle of the presentation is to convey practical lessons to be learned from the aforementioned fields and how they can be applied in the communication of risk and the design, implementation and management of information security controls.

Presentation slides can be found HERE

Presentation video can be found HERE