
Psyched For Business Podcast Episode 17

by Richard Anderson - Co-Founder on

Episode 17:
The Psychology of Cyber Security with Bec McKeown

 
Richard is joined by Bec McKeown from Mind Science, who is a chartered psychologist and Human Performance Expert.
 
In this episode, we'll learn more about cyber security and psychology, plus what makes businesses more susceptible to different types of cyber harm. We will also delve into cyber incident response, how data leaks can impact the reputation of a business and why aptitude and mindset are the most important factors when recruiting for cyber roles.
 



Episode 17 - Transcript 

Voiceover  0:00  
Welcome to Psyched for Business, helping business leaders understand and apply cutting edge business psychology principles in the workplace.

Richard Anderson  0:13  
Hi, and welcome to another episode of Psyched for Business. I'm your host Richard Anderson. And today as always, we're diving into the world of psychology and business. In today's episode, I'm joined by Bec McKeown, the chartered occupational psychologist who specializes in cybersecurity. In this episode, we unravel the psychology behind cyber threats, incident response, and the essential skills needed to navigate in this dynamic field. Discover how cyber criminals exploit cognitive biases, the art of manipulation and why vulnerability isn't just about traits, but rather how our brains process information. I really enjoyed this discussion with Bec. I hope you do too. And thanks again for listening. Bec McKeown, welcome to Psyched for Business. Thanks for joining me, how are you doing?

Bec McKeown  1:00  
Oh, you're more than welcome. Thank you for asking me. Yeah, doing great. Thank you very much. Looking forward to having a chat with you about this whole cyber thing.

Richard Anderson  1:09  
Me too. And I have to admit, I have been extra excited about this one because genuinely, and I mean this when I say it, cybersecurity and psychology are two really interesting topics that I have a broad interest in, certainly, but no deep knowledge around. So I'm really looking forward to getting stuck in. So I know that you're a chartered psychologist, you've gone through all the BPS accreditation, you've been doing that for a little while now. And you've got a specific emphasis on the whole world of cybersecurity. I'm really interested, Bec, and I know the listeners will be as well. How did you get into that world?

Bec McKeown  1:43  
Completely by accident. I think if there's any psychologist that works in cybersecurity in defense, you'd probably find they come across it by accident. Happy accident, but it certainly wasn't a planned thing. I started off doing a degree in psychology with the Open University because it was something to do when I had a small child. Never thought I'd make a career of it, then found myself doing a master's degree in Applied Psychology at Cranfield University. And the plan was to go off and do organizational change and culture type things because that's where my interests were. Then I ended up not doing that and staying at university and working in aviation, because aircraft cabin safety was sort of like, well, that's interesting, didn't know it was a thing. So did a little bit of that. Then I ended up working a lot with the Ministry of Defense on a contract trusted research. Yeah, chasing tanks around prairies in Canada. And that led me then to working at a defense academy in Shrivenham, which is a UK military base. And I got into working on the cyber master's program there. Okay. So, oh, okay, I'm a psychologist, what am I doing with cybersecurity, gadgets and techie stuff? And, yeah, so it's a bit of a meandering path.

Richard Anderson  3:13  
No, it's really interesting. And what a time not to be involved in cybersecurity, I guess specifically, from a psychology perspective. I've told you previously, but for the listeners, I'm in the process, or my company is in the process, of going through the ISO 27001 accreditation, which you'll be very familiar with, Bec, and maybe we can go into that in a little more detail, but it's all about information and cybersecurity. And there are things in there that I had no clue about. And I understand the importance of psychology in that. But let's not assume maybe that the listeners know everything about cybersecurity. And maybe let's start with a bit of a broad overview of the terms, and what do we mean, Bec, by cybersecurity? What does it mean, and why is it important?

Bec McKeown  3:58  
Yeah. I went on to the website of the National Cyber Security Centre. So that's the UK's place to go if you want information on cybersecurity. And they define it as how individuals and organizations reduce the risk of a cyber attack. So broadly speaking, to stop people attacking you, well, that's fine. However, what does that actually mean? And I think today, it's become so important. We all do our banking online, we shop online, our emails, we have social media. And there's a thing called IoT devices, Internet of Things. Doorbell and all of this, you know, your Hive stuff that you have in your home. And I think that there's probably underappreciated risk that having all of these gadgets has for us. You kind of know that when you've got your own laptop that you need some sort of security product in it. So you buy one and you press it to have a clean up every now and again. Probably about the limit. Yeah, that was my limit, I know that bad things happen. But that was it, really. So I think that's sort of a bit of an overview about it. But why is it so important? And there's been some really interesting research done on categorizing cyber harms, okay. And they're categorized into five different things. You've got physical and digital harm. So physical harm: think about if there is a cyber attack that looks and prevents people from moving goods around the country, imagine if that ordered petrol tankers couldn't move to deliver, because of a cyber attack, we'd all be stuffed. So that's called digital harm. Things called a denial of service attack means that they overwhelm a website and you can't use it. So if you want to go and do your banking, and they're being subjected to an attack, you can't access your accounts. So that type of thing. Economic: you can have your money stolen, simple as that. Reputational harm is a massive big one in the cybersecurity industry.
I've recently had letters from two different pension companies to say that my details have been compromised, okay. Well, you know, so my, the dark web for any old criminal to apply for credit to my name, or whatever. And they've had to deal with that. So obviously, their reputation as an organization is massively damaged by that. Psychological harm? Well, I've been made to feel quite anxious about this, because I feel quite vulnerable. Now, when I didn't know until they told me and they've given us all an Experian credit thing, you know, that you can have a free year's membership. It happens. But that has made me feel a little bit anxious. And then you've got sort of social and societal harm, and you think about, we all hear about cyber attacks, you know, with Russia and Ukraine and things like that. And it always seems like it's something going on somewhere else. But I think the NHS was subject to a cyber attack a few years back. Well, that was just the harm across the whole of our society. Yeah. So to me, I think when you start realizing that that's the sort of impact, you start to appreciate that maybe there's a little bit more to this cybersecurity thing than something that's just talked about. Yeah.

Richard Anderson  7:29  
absolutely. I mean, that was one of the things that that I was going to ask you, but you've pretty much answered this affects everybody, doesn't it? I mean, I think there was, I'd maybe had a preconception or misconception, as it turns out, that it will be big tech firms that are gathering lots of data, and maybe government agencies and these types of organizations that will be at risk most for cyber attacks. But really, it could be any type of business. And that's pretty much what we're seeing here, isn't it?

Speaker 3  7:55  
Or any type of business or even as individuals and individuals? Yeah, you know, we sort of forget about that. And there's generally two types of attacks. There's targeted attacks, which is the ones that you're probably talking about there, where they'll go after big multinational or a government. And so that's that, then there's untargeted attacks, which is these phishing things. And I'm sure that you've received links, I know, I certainly have as to oh, here's, here's the unpaid invoice that you asked for. You click on it, then you've got malware in your system. And it's probably tracking you, it might be tracking your bank details, that sort of thing. You've got things that are called water holing. And you get an email allegedly from your bank that says you need to go in and change something. And then when you click on a website looks real, you have to be quite good at spotting, checking different things to check if it is real or not. So there's all of that sort of thing that goes on. So it can be individuals, it can be companies. And you think with ransomware, attacking a big company to get their details. And you hold that, you know, if you don't pay me X amount of millions of pounds, I'm going to let this go. But the untargeted thing is all of those things where they're just attacking so many people, millions of people across the globe at once. And it's just the sheer volume of people, that certain percentage will always click on those links.

Richard Anderson  9:21  
Yeah, yeah. I'd love to get into that in a little more detail. Interesting, what you're talking about there with the phishing emails, the phishing with a PH of course, and different phishing attacks. And I remember maybe five years ago when I'd got a phishing email come through and I had to wire somebody a million pounds I got a million pounds in the first place, of course, wire somebody a million pounds or whatever would happen and it was really easy to spot but Bec, let's be honest, these are getting better now. They're getting better and better. And even this weekend, or it was Monday morning, I had a colleague said to me, Rich did you send me an email over the weekend, asking me to do something that's said no, not at all. And the colleague and it said Richard Anderson on the email founder of Evolve Assess. And obviously, it didn't have my email address and probably didn't, didn't look anywhere. But that's that's some of the things that we need to to educate people around, isn't it? Because

Bec McKeown  10:15  
Much, much better. Yeah. It's long, long gone are the days of some African king who's got some money that if you were wise to that one, recently popular one has been within organizations that somebody will get an email from the managing director or the founder. Yeah, like yourself and say, can you release these funds for me? So if you're in the finance department and your MD asks you to release some funds, chances are you might do it. Absolutely. That type of thing. And the other thing to think about with that is that they're starting to use social engineering now as well. Now, I find that as a psychologist utterly fascinating. But when are people at their most vulnerable? And when I say vulnerable, I don't mean that necessarily in the true meaning of the word. But what are you doing on a Friday afternoon at work? When it's a long bank holiday, or, you know, the Christmas holidays are coming at you finish enough? You want to get out early, your mind already left the office and on to Christmas shopping? Or whatever it is you do? So you find that sort of Friday of a bank holiday, that's when it's more likely for something to happen. Because they know people have lowered their guard because of the time. Isn't all of that sort of thing.

Richard Anderson  11:30  
Yeah, of course, 

Bec McKeown  11:31  
Very much started to become part of it now.

Richard Anderson  11:34  
Yeah, absolutely. I think. So there's obviously a few different ways of looking at susceptibility, I guess, would be the word to a cyber attack, whether that's an individual, whether it's a business, whether it's an individual within the business, presumably, I know that there's a there's a couple of different components that you look up there, I guess. One is how we how we maybe prevent a cyber attack from occurring within a business. And presumably there's tips and tricks and things that we can do within that. And I guess the second component is, if a cyber attack or a cyber risk has occurred, then how do we respond? And how do we react in that in that situation. But if we look to maybe dissect those, those two things, so I made a few assumptions there. But I'm guessing that might be the way that we behave, or the our kind of personality, our psychological makeup that makes us more vulnerable or more susceptible to, to clicking on a phishing email or kind of thinking out loud here, what what do you find typically in organizations is

Bec McKeown  12:38  
I think it's more really not necessarily about personality traits, and all of that sort of thing, because a lot of cybersecurity people say, Well, you know, is there a side? Yeah, what's the risk of somebody? Can we get them to take a test so we can know what their risk is. And I think that attribute in somebody as a risk based on their personality characteristics is, there's a whole amount of stuff around that that's just quite wrong. Okay, it's more about understanding how the brain works. Because it's a limited capacity information processor. So it's all sorts of things. It's a cognitive biases and heuristics, which your audience will know what I'm talking about, basically, shortcuts that the brain takes. So it doesn't notice certain things that's going on. If you're being very busy, you'll do something more quickly. And you won't take as much notice, if it's something you familiar with, you won't necessarily look at the detail. So for example, if you're driving through your local village or town, you won't look at the road signs, they've always been there. Yeah, just ignore, you don't need to know they're there anymore. When you go somewhere new, you're more likely to notice them, because you're looking at them for cues of where to go and all that. So it's all about understanding how that works. And then how you can use those things to sort of slip in when people are unaware. And that's why I said when I mean vulnerable, that's probably what I mean, rather than vulnerable is they're just busy doing something else. But then you've got the influence side to it. So persuasion techniques. So what language do they use when they're sending these emails? Because people will, if it's urgent, and they perceive it to be a problem that needs sorting, they're more likely to just jump in and sort it rather than think carefully. 
So I think one of the things that we see quite often in terms of guarding against this, if somebody's pushing you to do something quickly, that in itself is a cue that you need to perhaps think a little bit more carefully about what's going on. Yeah. So how to manipulate people really, isn't it? Yeah.

Richard Anderson  14:37  
So this is about being very much being aware. And again, that's a misconception that I have, because I I probably bought into the whole idea of risk. In truth. I just assume that would be the case that some of us are maybe more risk prone than others. But as you said, there's probably a whole other conversation around that side of things. Yeah.

Bec McKeown  14:56  
I mean, there's a thing called insider risk. Okay, this, again, I think is of interest to psychologists, when you're looking at the culture of an organization, you've got a lot of people that are very unhappy. They're not, you know, the insider threat is people doing things on purpose. So it may well be that they've, you know, you might have a developer who's developed some code and left a back door open, knowing that it could be easily abused, because they're about to leave because the company has treated them badly. It's all sorts of things that go on, so there's the insider threat thing. But most of it is really about people making mistakes. And we all make mistakes, because we do. So, yeah.

Richard Anderson  15:38  
It's about is it about preventing mistakes? Is it about how we deal with the mistakes? How we learn from those?

Bec McKeown  15:45  
Yeah, definitely. I think there's very much been in cybersecurity a thing where sort of the person is the weakest link? Yeah, it's always that machinery will stop attacks. It's always the people that let them in. But then you think about that, is that how do people feel about that? You are the weakest link, you're hopeless? Well, you know, it's not my job. I'm not IT. You know, so there's all of that sort of thing going on as well, because people might be the weak link, but if they're a weak link it's because they don't understand. They don't know. And there's a lot of assumptions that everybody knows that cybersecurity is not just the IT department Well, I didn't know that until I started working on it. I will be honest, when I've done my mandatory training in organizations that I've worked in health and safety, manual handling cybersecurity, what am I doing when I'm doing that mandatory training? I've had another nagging email from my manager, I've got loads of stuff to do. I'm not really interested in this. I'm going to get through it as quickly as I can tick the boxes, get a pass mark, move on completely forget everything that I've learned. Yeah, a session? You know, I think that that that sort of part of it as well.

Richard Anderson  16:58  
It is. And I guess while we're on that topic of learning, I guess it was one of the just to kind of go back to what I said right at the beginning. So the ISO 27001 certification that we're going through at the minute, I guess it's, and correct me, Bec, where I'm wrong here, but it's kind of industry standard kind of recognition for adhering to the correct regulations, rules around things like information security, of which obviously, cybersecurity kind of falls under that. And we're a small business, Bec, when we've got seven staff. But we've wanted to do this for a long time, because many of the clients who we work with, they're bigger organizations, they take these things very, very seriously as of course, we all should. And as part of tech, either tender processes or procurement processes, I had to fill in reams of documentation, all the potential of this standard, and then it got to the point where it was okay, well, we'll just go through it. So one of the things that I'm trying to do with the team is to change the culture and kind of educate people across the entire team and make sure that people are taking this seriously rather than a tick box exercise. But one of the things that I struggle with a little bit too in one of the packs that we've got is a PowerPoint slide deck where you just walk through and explain it to people. And I know that that's not going to go in, you know, if I'm just stood there talking through a PowerPoint slide deck. So what's your stance on the education piece, and I guess the change and the, you know, the cultural change, I've got a small business, you work with lots of much bigger organizations. But I would imagine that's quite a challenge.

Bec McKeown  18:36  
So it's very much a challenge. And it's very much acknowledged within the industry that recognition that awareness training doesn't work. Yeah, there is no direct link between awareness and changing behavior. It's moderated by seven year, lots of different things. I think it's the theory of planned behavior, and reasoned action. So for the psychotherapists out there will, hopefully. But what it is, is basically is that just because you're aware of something doesn't mean it's gonna change your behavior, and you've got to care about it. To make somebody care about it in amongst all of the other things that they have to care about, is the massive problem. One of the things that we say is that your average slide deck probably isn't going to cut it. It's about making it a bit more personal. And it is a lot easier for somebody like yourself, the seven of you know these people well. And they're probably quite invested in the business in a way that you're not when you're working for multiple 1000s. For me, it's it's about thinking about like the Internet of Things thing I talked about a little bit earlier, when you start to realize that it can hit you at home. I think some of the good training that I've seen is and when it's how do you explain to my elderly parents so they don't? Yeah, you know, fall victim to one of these things. So that sort of made me take a little bit more notice because it's something I care about is my parents welfare. So that was one thing. People like to have gamification, so they want, you know, they want badges for completing levels, they want a leaderboard and all of that sort of thing. So that works for other people. And I think there's also the thing about having training that's relevant to you. Because when I worked at the university, I had to do manual handling training. I didn't manually handle anything heavier than a book, you know. It was just a complete and utter waste.

Richard Anderson  19:48  
Tick-Box exercise. Exactly. Yeah, yeah.

Bec McKeown  20:35  
So what position in the company does somebody have, what level of knowledge do they need to have, and don't overwhelm them, don't just give everybody that's the quickest way to lose an audience. And more recently, I was working for Immersive Labs, and they have a crisis simulator. And we've started to look at using that. So people who are either working in finance or on reception, or in a warehouse, so wouldn't necessarily be involved in anything cyber, would actually do one of these crisis simulators and start to realize, now if you're there, and you're suddenly responsible, so you've had this cyber attack, you've got your customers complaining, you've got your IT department wanting to shut everything down. Yeah, we've got the money thing direct, say, No, don't shut everything down, we've got our reputation our customers still need, then you've got some tweets going out on Twitter. So you've started to get in, you know, incoming calls from national press and things like that. When you put people into that position, and they start to see a slightly different side to it, they take a whole lot more notice, now, it's not realistic for them, then they're gonna have to make a decision about how to deal with, you know, PR and all of that sort of thing. But I think that it just grabs attention in such a way and makes you think about things that's going to sit better with you. And from doing that exercise, you then might take a little bit more notice of the bog standard awareness thing, because you've had this. I mean, they're great fun to do, takes about an hour, but the conversations that go on in the room, and you know, it's not, it's a safe space, you know, you're not really under any threat, but it just, it surfaces, all sorts of things. So there's lots of different ways of doing it. And I think it's being aware of you can't make people be interested in everything. So give them a basic level of that.

Richard Anderson  22:30  
Yeah, because that's the biggest challenge. But that's really, really interesting stuff. And it's definitely something that I need to consider as well. Because even with seven staff, although you've said, yeah, it'll be a lot easier to get to a seven than a big organization, there are things within those seven people that I could cover that aren't going to be relevant to each one of those seven people, I need to keep it interesting. I think that's the key there. So one of the, I guess, the expressions or topics that we hear about very often within the whole world of cybersecurity is incident response, or Incident Response Management, and I know that you do a lot of work in that particular area. I guess we're gonna assume it means how you respond to a cyber incident. But I'd be keen for you to go into a little more detail on that. What kinds of things do you see in organizations when there is an incident? And how do people typically go about responding to those incidents?

Bec McKeown  23:28  
Yeah, I worked mostly with enterprise organizations. So they're large, they tend to have really big ones have dedicated cyber response teams. Yeah, you'll be pleased to know there is an ISO for crisis management response, Yeah, so what you find is, is there is there is a lot of guidance on how to spot the attack what to do when it comes in. It's called a playbook. So what do you do when you realize somebody comes up to us as a, hey, there's something going on in our network, we need to just check that it is actually something going on, because you can't have you know, an almighty response to something that's nothing. So that sort of initial early stages of that, of identifying what's going on, and then it's sort of trying to work out the impact it's going to have and then that's when it gets escalated it to match your response level. Yeah, yeah. And there is a playbook about who needs to be involved. And what you tend to find is that you have a crisis response team. It's either that's what they do, or you have people from within the organization who form a team when it's necessary. You'd have people from the IT department, the legal department, the HR department, marketing and PR. Yeah, because they've all got a part to play. That's great to a certain extent, because when something happens, you know what you're going to do and you've rehearsed it, hopefully, hopefully, fingers crossed. But then what that doesn't take into account and this is the sort of work that I've been doing, is that people's individual reactions to it. Yeah, cool. The adrenaline starts flowing because you suddenly realize something bad's happening within the organization, reputational damage all of that stuff I've talked about earlier. So then what happens then is well, when adrenaline's flowing, the rational thinking goes down, there's deep learning goes up. So then you start to have what's called cognitive narrowing. So your brain is now focusing on the immediate threat. 
It's not necessarily taking in all of the information that you need to understand exactly what's going on. You're going to have knee jerk reactions that aren't thought through. This is where it can massively go wrong, where you can deny something's happening, and then the media find out that it happened, and then you look bad because you lied in the first place. It's all sorts of chaos ensues, basically. And the research that I did when I was at Cranfield University was on what sort of skills do you need to deal with that? Is thing called a VUCA. Environment is volatile, uncertain, complex and ambiguous.

Richard Anderson  26:15  
That's the environment when there's been when you're under threat,

Bec McKeown  26:18  
and that from military research that I'm interested in, but it translates so well into cybersecurity, which is why down that path relief, because you don't know what's happening, it's all very happening very quick, you have to make decisions with high cost, high stakes consequences, based on not very much information. So the incomplete you can't be sure of it, you don't know if you're gonna, you know, make the right decision. Wicked problems, I don't know if that's a wicked problem, basically, because whatever you do in one area is going to have a negative impact on another. And this sort of, there's a thing called cognitive agility, which is a set of thinking skills that help you stop, take a breath and start to be creative in your thinking about do are we sure this is where this information is coming from? Do we know what we're gonna do? Are we making the right decision?

Richard Anderson  27:11  
So that's that's the education piece around the cognitive agility that despite the fact that the adrenaline's flowing, the fight or flight response to catastrophizing, it's about taking a step back.

Bec McKeown  27:22  
And then sort of testing your thinking. 

Richard Anderson  27:25  
Because the automatic reaction for the same for the majority of people, but especially if reputational damage is on the line, that's going to be what you know, it's going to be that fight or flight response here.

Bec McKeown  27:35  
Fight flight or freeze, some people just

Richard Anderson  27:38  
Freeze, yeah, freeze what do I do Yeah.

Bec McKeown  27:41  
Although Yeah, jumping to doing something they think is best without thinking it through. So how to counter that. But the other thing you find that I find interesting is, is that when you see these product management teams in action, it's about relationships, because you've got lots of different people from lots of different parts of the organization, that don't necessarily work together. And they've all got different priorities. Those in charge of the system want to shut it down. Because as soon as that system shut down, you can manage things. Like say somebody from the operation side, or the business side is not going to want to shut down because a bank, maybe student wants customers to be able to access their funds to carry out transactions. The big bank might be responsible for salaries of 1000s, millions of people, you know what, they get paid on time. And then like I say, you've got the PR people, you've got HR saying, well, actually, we can't blame, you know, the junior down in accounts because they pressed the wrong button. So there's a whole bunch of stuff going on. But because each of those people have a different priority, don't necessarily understand how that fits in there. See the big picture? You tend to get a lot of friction. Yeah, I can imagine. Yeah. So you've got friction with that, then you've got the friction because some people just don't get on. And then you've got people who are some people are very happy with making decisions in uncertainty. Other people won't move until they've collected more information that in itself can cause friction in the decision making and mean that nothing happens because you're too busy arguing, yeah, who's right, who works, what and how to move. So there's a whole bunch of relationship and team stuff going on there as well. And that is what makes it all so fascinating, really is how on earth do you deal with all of that? Yeah,

Richard Anderson  29:33  
I was just I was just about to ask because I can imagine that that somebody there who needs much more information to gather before they're happy to make a decision, and then somebody who's a little bit more gung ho for want of a better expression that just wants to get it done. That's gonna cause tension, but it causes friction. So do you either yourself Bec or the the organizations that you work with for these types of scenarios, big incidents? Do you have like a, like a rehearsal? I can't think of the word that it would be just to see how the dynamic of the different individuals and the different teams would, would work. So it's to see where the where the issues are, or whatever is that something that you often do?

Bec McKeown  30:14  
They often do. They have a lot of people with tabletop exercise, which is exactly that is all from it. Yeah. Great things to do, because it's very involved. Everyone who needs to be involved is involved, but they're very massively resource intensive. So they probably only do them once a year. If that, yeah. That's a problem, because it's very much focused on the process. I'm not seeing a huge amount of people focus on the when we do an after action review, like military people do, what else what was supposed to happen, what actually happened and why it either becomes very much a blame game, or you didn't do your bit, and we did our bit sort of thing, that's not helpful. So again, that's sort of about building the right sort of culture. But I think that what I try and do is to encourage people to look at the behavioral side of things and to get people to engage with it. Because if you can learn from it that, you know, this particular group of people have one mindset, this other group have another mindset. And it was those sorts of things that caused the friction, you can then while you're doing this training, you can have those conversations in slow time where the adrenaline is not flowing, then you can sort out we're actually if we were in this situation, we would pay a ransom, we wouldn't pay ransom, you know, those sorts of questions. Because the last thing you need when you're in that situation is to be having difficult conversations, if you already know the answers to the obvious things. Having those conversations in the safe time will build up those relationships. So they're a bit more strong when they actually sit in a real life event.

Richard Anderson  31:56  
Interesting. And how much does resilience play a part in this as a skill? I guess is that, is that a big thing, resilience in these types of scenarios? Does it tie into the cognitive agility component?

Bec McKeown  32:13  
Resilience is a massive buzzword at the minute you see all over LinkedIn, everybody's talking. Yeah,

Richard Anderson  32:17  
That's why I said it, I was trying to impress you.

Bec McKeown  32:21  
Resilience scores and all that sort of thing. And resilience is made up of lots of different things. So in cybersecurity, you've got resilient technology, people and processes. So those three things are capability. And the focus in cybersecurity very much is processes and technology, we forget about the people side of things. Resilience, you've got to have resilient teams and things I've just been talking about. There's a bond team that even if they're very different, which is great, because you need that diversity of thought. But they're more resilient, because they're a high performing team. And you've built that team to be that way. And then you've got individual resilience. And the last piece of research I was looking at suggested, I think it was Robertson Cooper, and they suggest that they're sort of, you're more resilient if you're part of a team because you've got that social support, so you're not on your own. If you've got the mindset whereby you can look at things that go wrong in a positive light, see what you can learn from them. So the Robertson Cooper model of resilience is structured around four different key components of resilience. So you've got social support, which is being part of a team and knowing that you're not going to deal with it on your own. Confidence, so the confidence to know that actually, you can deal with this sort of thing. Adaptability, to learn from your mistakes, and to use that learning in other situations. And again, I think that's very much linked to confidence, and then also a purposefulness. So it's really about understanding where you are in your learning journey. So you kind of, there's some sense of purpose that you've got for everything that you're trying to learn. Okay, it makes sense.

Richard Anderson  34:09  
Yeah, absolutely. Absolutely. It is genuinely really interesting stuff. One of the things that I'm, I'm keen to learn a little bit more about, and I think your audience will be as well, is when it comes to the recruitment, or the selection of individuals that you choose to have within your organization, especially when it comes to cyber security. I assume, is it something that we need to recruit based on certification, levels of experience, those sorts of things? What's your take on the selection and the recruitment?

Bec McKeown  34:48  
Yeah, that's a really good question. Because again, that's a massive hot topic in cybersecurity at the moment. Yeah. Because I think there's recognition of how the Harvard experience is when things how many certifications is another thing. But just because you've got a certificate doesn't make you good job, tick box. And again, isn't that really awesome? So there's a move now towards, particularly the technical side of things, towards aptitude. So if you have aptitude and mindset that you're curious, open minded, you enjoy challenge, you know, quite tenacious. And you've got an interest in cybersecurity, you can be trained, because you've got all of those key aptitudes. So I think there's quite a gap in the market really, in terms of assessment for starting to build those sorts of aptitude tests they're interested in. And I certainly know that government departments are very interested in that sort of thing and making some strides in that direction. But I think that it's quite a good time for anybody involved in assessment really to sort of do that research and find out what it is about. And the other thing that I found is, I think is a gap, is competency frameworks. Frameworks that deal with different things that you can do the technical person in cybersecurity fairy, I haven't been able to find a single framework that deals with the more competency side, the soft skill side, and people don't like using the word soft skills. Yeah. But those, you know, the leadership, the cognitive agility, the relationship skills, the decision making, problem solving, all of that sort of thing. I haven't found a single competency framework that sits within cybersecurity for that. And that's driving me absolutely nuts. I think there's certain you can transfer across. But nobody has seemed to have come up with a particular one for cybersecurity. The ISO that I mentioned, I think is the only thing that I've seen that goes somewhere towards that. And it's more of a framework of skills. It's not a competency framework. Yeah, I think there's a lot that psychology has to offer.

Richard Anderson  36:54  
Yeah, so new competency frameworks, potentially new ways of assessing people for these particular roles. Because it's such a big thing at the minute, but you know, in general, you know, what's ubiquitous, there's this whole kind of notion of cybersecurity and the importance of this is massive, so we can't select and assess and recruit against it. And there's a problem isn't the so yes. And there's some really interesting things there. But, but Bec, I mean, I've really, really enjoyed this conversation, a company we've been talking for so long already. I'm really keen for you to, if any of the audience is interested in having a further discussion with you about any of the aspects of what we talked about. Are you happy for us to put your LinkedIn profile in the post? Is there a website that people should be looking at?

Bec McKeown  37:44  
Oh, definitely. Yes. My LinkedIn profile. My website is very much work in progress. Yeah, well, it's always a work in progress. It just exists. So let's, let's not go there. But yeah, certainly put my LinkedIn profile on because I think there's certain, there's a whole bunch of stuff that, there's plenty of space for psychology and psychologists in cybersecurity and it'd be nice to see a few more of us around.

Richard Anderson  38:11  
Absolutely brilliant. We really appreciate your time, Bec. Thanks ever so much.

Bec McKeown  38:15  
More than welcome. It's been great chatting. Thank you. Yeah, really enjoyed it. Thanks.

Voiceover  38:20  
Thanks for listening to Psyched for Business. For shownotes, resources and more visit evolveassess.com