
Human-Centered Security
Podcast by Voice+Code
Start a 7-day free trial
$99 / month after the trial. Cancel anytime.

More than 1 million listeners
You'll love Podimo, and you're not alone
Rated 4.7 on the App Store
About Human-Centered Security
Cybersecurity is complex. Its user experience doesn’t have to be. Heidi Trost interviews information security experts about how we can make it easier for people—and their organizations—to stay secure.
All episodes
59 episodes
In this episode, Mike Kosak explains what threat intelligence really is (Mike’s former boss said you have to “rub some thinking on it.”), how to define priority intelligence requirements (PIRs), how to threat model, where to find threat intel, and how to keep it actionable with tight feedback loops—not panic.

Key takeaways:

* Threat intel ≠ data. It’s analyzed information focused “walls-out” (what’s outside your org), then shared clearly so people can act.
* Start with PIRs. Ask: What are we protecting? What is most valuable to our company? What might threat actors want? How do they operate? What do we need to know to defend? Do this with a broad set of stakeholders, not just the security team.
* Communicate clearly and with context. Intelligence is only valuable if it’s shared in a way others can understand and act on. Avoid overwhelming people with raw data or inducing panic — provide actionable insights that are right-sized for the audience.
* Mike’s advice: “As a threat intelligence analyst, if you’re doing your job right, when somebody hears from you they know they need to act on it. You don’t want to be the chicken little where you make everybody freak out about everything.”
* Start small and iterate. Even if you’re a one-person team, you can make a big impact. Use free resources (like MITRE ATT&CK, open-source feeds, or even vendor reports), summarize what’s relevant, and push that out. Then refine based on feedback—treat it as a continuous cycle, not a one-and-done project.
* Mike admits, “I always say it’s like painting the Golden Gate Bridge. As soon as you get done, you gotta start back at the other end. That’s basically what it is.”

Mike Kosak is the Senior Principal Intelligence Analyst at LastPass.

Mike references a series of articles he wrote, including “Setting Up a Threat Intelligence Program From Scratch”: https://blog.lastpass.com/posts/setting-up-a-threat-intelligence-program-from-scratch-in-plain-language

You click on a link in an email—as one does. Suddenly you see a message from your organization, “You’ve been phished! Now you need some training!” What do you do next? If you’re like most busy humans, you skip it and move on. Researcher Ariana Mirian (and co-authors Grant Ho, Elisa Luo, Khang Tong, Euyhyun Lee, Lin Liu, Christopher A. Longhurst, Christian Dameff, Stefan Savage, Geoffrey M. Voelker) uncovered similar results in their study “Understanding the Efficacy of Phishing Training in Practice” (https://www.computer.org/csdl/proceedings-article/sp/2025/223600a076/21B7RjYyG9q). The solution? Ariana suggests focusing on a more effective fix: designing safer systems.

In the episode we talk about:

* Annual cybersecurity awareness training doesn’t reduce the likelihood of clicking on phishing links, even if completed recently. Employees who finished training recently show similar phishing failure rates to those who completed it months ago. The study notes, “Employees who recently completed such training, which has significant focus on social engineering and phishing defenses, have similar phishing failure rates compared to other employees who completed awareness training many months ago.”
* Phishing simulations combined with training (where companies send out fake phishing emails to employees and, for those who click on the links, lead those employees through training) had little impact on whether participants would click phishing links in the future.
* Ariana was hopeful about interactive training but found that too few participants engaged with it to draw meaningful conclusions.
* The type of phishing lure (e.g., password reset vs. vacation policy change) influenced whether users clicked. Ariana warned that certain lures could artificially lower click rates.
* Ultimately, Ariana suggests focusing on designing safer systems—where the burden is taken off the end users. She recommends two-factor authentication, using phishing-resistant hardware keys (like YubiKeys), and blocking phishing emails before they reach users.

This quote from the study stood out to me: “Our results suggest that organizations like ours should not expect training, as commonly deployed today, to substantially protect against phishing attacks—the magnitude of protection afforded is simply too small and employees remain susceptible even after repeated training.” This highlights the need for safer system design, especially for critical services like email, which—and this is important—inherently relies on users clicking links.

Ariana Mirian is a senior security researcher at Censys. She completed her PhD at UC San Diego and co-authored the paper, “Understanding the Efficacy of Phishing Training in Practice.”

G. Ho et al., “Understanding the Efficacy of Phishing Training in Practice,” in 2025 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, 2025, pp. 37-54, doi: 10.1109/SP61157.2025.00076. https://www.computer.org/csdl/proceedings-article/sp/2025/223600a076/21B7RjYyG9q

In this episode, I speak with three guests from diverse backgrounds who share a common goal: Building trust in human-AI partnerships in security. We originally came together for a panel at the Institute of Electrical and Electronics Engineers (IEEE) Conference on AI in May 2025, and this episode recaps that discussion.

Key takeaways:

* Security practitioners tend to be natural-born skeptics (can you blame them?!). They struggle to trust and adopt AI-powered security products, especially in higher-risk scenarios with overly simplified decision-making processes.
* AI can be a tool for threat actors and a threat vector itself, and its non-deterministic nature makes it unpredictable and vulnerable to manipulation.
* All AI models are biased, but not all bias is negative. Recognized and carefully managed bias can provide actionable insights. Purposefully biased (opinionated) models should be transparent.
* Clearer standards and expectations are needed for “human-in-the-loop” and human oversight. What does the human actually do, are they qualified, and do they have the right experience and information?
* What happens when today’s graduates are tomorrow’s security practitioners? On one end of the spectrum we have a lot of skepticism, on the other end not enough. We talk about over-reliance on AI, de-skilling, and loss of situational awareness.

Dr. Margaret Cunningham is the Technical Director, Security & AI Strategy at Darktrace. Margaret was formerly Principal Product Manager at Forcepoint and Senior Staff Behavioral Engineer at Robinhood.

Dr. Divya Ramjee is an Assistant Professor at Rochester Institute of Technology (RIT). She also leads RIT’s Technology and Policy Lab, analyzing security, AI policy, and privacy challenges. She previously held senior roles in US government across various agencies.

Dr. Matthew Canham is the Executive Director, Cognitive Security Institute. He is a former FBI Supervisory Special Agent, with over twenty years of research in cognitive security.

You're a founder with a great cybersecurity product—but no one knows or cares. Or you're a marketer drowning in jargon (hey, customers hate acronyms, too), trying to figure out what works and what doesn’t. Gianna Whitver, co-founder of the Cybersecurity Marketing Society, breaks down what the cybersecurity industry is getting wrong—and right—about marketing.

In this episode, we talk about:

* Cyber marketing is hard (but you knew that already). It requires deep product knowledge, empathy for stressed buyers, and clear, no-FUD messaging.
* Building authentic, value-driven communities leads to stronger cybersecurity marketing impact.
* Don’t copy the marketing strategies of big enterprises. Instead, focus on clarity, founder stories, and product-market fit.
* Founder-led marketing works. Early-stage founders can break through noise by sharing personal stories.
* Think twice before listening to the advice of “influencer” marketers. This advice is often overly generic. Or, you’re following advice of marketers marketing to marketers (try saying that ten times fast). In other words, their advice is probably not going to apply to cybersecurity.

Gianna Whitver is the co-founder and CEO of the Cybersecurity Marketing Society (https://www.cybersecuritymarketingsociety.com/), a community for marketers in cybersecurity to connect and share insights. She is also co-host of the Breaking Through in Cybersecurity Marketing podcast, and founder of LeaseHoney, a place for beekeepers to find land.

Users, threat actors, and the system design all influence—and are influenced by—one another. To design safer systems, we first need to understand the players who operate within those systems. Kelly Shortridge and Josiah Dykstra exemplify this human-centered approach in their work.

In this episode we talk about:

* The vital role of human factors in cyber-resilience—how Josiah and Kelly apply a behavioral-economics mindset every day to design safer, more adaptable systems.
* Key cognitive biases that undermine incident response (like action bias and opportunity costs) and simple heuristics to counter them.
* The “sludge” strategy: deliberately introducing friction to attacker workflows to increase time, effort, and financial costs—as Kelly says, “disrupt their economics.”
* Why moving from a security culture of shame and blame to one of open learning and continuous improvement is essential for true cybersecurity resilience.

Kelly Shortridge is VP, Security Products at Fastly, formerly VP of Product Management and Product Strategy at Capsule8. She is the author of Security Chaos Engineering: Sustaining Resilience in Software and Systems.

Josiah Dykstra is the owner of Designer Security, human-centered security advocate, cybersecurity researcher, and former Director of Strategic Initiatives at Trail of Bits. He also worked at the NSA as Technical Director, Critical Networks and Systems. Josiah is the author of Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail Us.

During this episode, we reference:

* Josiah Dykstra, Kelly Shortridge, Jamie Met, Douglas Hough, “Sludge for Good: Slowing and Imposing Costs on Cyber Attackers,” arXiv preprint arXiv:2211.16626 (2022).
* Josiah Dykstra, Kelly Shortridge, Jamie Met, Douglas Hough, “Opportunity Cost of Action Bias in Cybersecurity Incident Response,” Proceedings of the Human Factors and Ergonomics Society Annual Meeting, 66, Issue 1 (2022): 1116-1120.
