AITech Interview with Dr. James Norrie, Founder of cyberconIQ

Discover practical tips to enhance your cybersecurity, especially when engaging with third-party platforms.

Can you tell us about your background and journey that led you to establish cyberconIQ?

I am both an academic and a consultant/entrepreneur who has been studying technology trends, information privacy and security issues and considering the impact of disinformation on society for many years.  In both my professional practice and personal experience, cybersecurity – and now AI which will rapidly transform this important issue even further – are technology problems with a human dimension that more technology alone cannot fix.  So we need to blend psychology and technology better together in order to address the human elements of cybersecurity risk with proven behavioral science methods instead of simply pretending that humans are programmable like machines – they are not.  Knowing something is not the same as doing something, so we founded cyberconIQ to create pathways to voluntary changes in user behavior that creates a security 1^st culture inside any organization more effectively than generic training that is unengaging and has proven to not have any meaningful impact on user behavior.

Dr. Norrie, could you please explain how cyberconIQ’s proprietary platform utilizes behavioral psychology to measure and manage personalized cybersecurity training and education programs?

By blending in proven elements of behavioral science including trait-based personality theory, understanding habituation and pattern interrupts as well as  the value of supporting humans as part of the solution instead of the problem, we EMPOWER  humans as your last line of organization defense against increasingly sophisticated attacks. Additionally, we can prove in side-by-side client studies that we can virtually eliminate phishing as a significant risk to your organization using this patented method.

Your research on third-party cyber attacks is fascinating. Could you share some key insights from your research and how modifying online behavior can effectively mitigate cyber risks associated with third-party interactions?

Social psychology helps us understand human behavior and different people respond differently to different social settings, stimuli and situations.  While crooks know this, they only know it because in a wide-scale attack only SOME humans among MANY will be vulnerable to any particular kind of attack.  On the surface, this may seem random.  But it is not.  Our research proves that different types of personalities respond differently to different kinds of online threats.  Now, in this case, I am not suggesting the content of the attack drives the vulnerability because it doesn’t.  Rather, it is the context of the threat architecture itself that matters – for instance, does it invoke authority or urgency as influencing factors.  Does it incorporate elements of persuasion derived from ego or fear for example?  While there are many factors in our model related to how we help users understand themselves, their profile – once established – helps us and them identify the most likely types of third party attacks that may make a person vulnerable and why – and then trains accordingly.  This method is sophisticated enough to take less time and is more effective than generically training everybody on every threat which, if someone is not particularly vulnerable to or which they can easily spot, why should they have to be trained on something they already know?  On the other side of that, if you train only against easy and frequent types of attacks you may miss a vector that, while rare, may be important for some of your users to be trained on – those who are most vulnerable to it – and not train everyone because that’s unproductive.

Often, there is a gap between the technology implemented by organizations and the potential for human error. How can individuals and organizations bridge this gap to create a more robust cybersecurity posture?

I opened with the premise that more technology cannot solve a problem that new technology originally created.  That is because for most technologies, there is still an operator who is a human.  And humans are not programmable just because they are told what they should do, does not mean that they will do it.  So how do you inspire individuals to think of themselves not as a weak link in the chain, but the strongest?  And then use that dedication to new security habits to improve your organizations overall security posture one human and one style at a time?  And it works. Very well.

Based on your expertise, what practical strategies can individuals adopt to enhance their personal cybersecurity, especially when handling sensitive information online or engaging with third-party platforms?

Of note, no organization is too small to be attacked.  And that is because almost any organization, of any scale, has something of value to steal; or has useful intellectual property that could be exploited if shared; or is a pathway to something that somebody else wants for some reason.  So, we need to have a natural skepticism about all things digital and online – questioning the sources of information; considering the risks of fraud and crime online; considering all requests as if they may have an ulterior motive, and certainly never feeling any need to do something quickly.  All of these are warning signs:  psychologists call this cognitive dissonance.  It is a nagging warning from our intuition or judgment that something may be amiss…in that instance, the hardest thing we must learn to do as humans is STOP.  This is the first letter of our proprietary and patented SAVE^TM method, and that first step is often the hardest to consistently provoke.  Once the user has stopped that first impulsive or instinctive response, we move on the assessing the situation using critical thinking skills, tips and techniques we provide to enhance their knowledge of security best practices.  The third step is to verify the source and identify of all participants in the communication chain directly and using different and validated means; and if we do all of this and still have doubts, to engage a security expert or peer before proceeding.  This simple SAVE mnemonic is useful for any of your reader’s to remember!

As cyberconIQ continues to grow and expand, what are your long-term goals and vision for the company’s impact on the cybersecurity landscape?

We are on a mission to help right the balance between attackers and defenders to help make the internet a safer place for all.  Today, crime-as-a-service is expanding rapidly and cybercrime is often a low cost, high reward venture with few legal consequences.  This has created a plague of loss, embarrassment and fear that we must arrest.  AI is going to make this even more profoundly felt globally as criminals get access to and exploit AI technologies against us before we even realize what is happening.  That is one reason that we introduced techellect.com, part of a suite of public service tools – all freely available for use by anyone – to help replace ignorance with knowledge and to reduce the fear of AI but also to help instruct users on maximizing its benefits, while avoiding unknown risks.

Cybersecurity is a collective effort that involves the entire organization. How can leadership and organizational culture play a role in promoting cybersecurity awareness and fostering a cybersecurity-conscious culture among employees?

In our studies, we have found that “tone from the top” is an essential ingredient to embedding a security 1^st culture in the organization.  Training alone cannot ever succeed in making cybersecurity everyone’s mission.  Instead, this must be actively fostered and supported and employees must see it, feel it and hear it as a continual priority if you want them to become engaged in and remain committed to the security mission.  As cybersecurity professionals or technologists, we also need to reconsider our language – for instance – “Zero trust”.  While we understand what this means as professionals and it is highly descriptive, how would YOU feel if someone said the only way to handle a problem is to not trust anyone?  While that is a bit of an exaggeration, it is not an exaggeration of the perception of this to a user who is not a technologist and only feels like more a part of the security problem, in this instance, versus part of the security solution.  So, we prefer the term “Absolute Confidence” instead!  And that subtle change also works.

The cybersecurity industry is constantly evolving, and competition can be fierce. How does cyberconIQ stay ahead of the curve in terms of research and innovation to maintain its unique position in the market?

We are data-driven and science-based.  We are continually assessing the threat landscape for new vectors, methods or hybrid combinations of attack architecture and testing them against styles and profiles striving to ensure that defenders have as much success defending as attackers do in attacking!

In your experience, what challenges do organizations typically face when trying to change employee behavior in regard to cybersecurity, and how can these challenges be overcome effectively?

Most of what constitutes security awareness training (SAT) is generally not actually designed by educators with a view of ensuring that the andragogy will actually effectively ensure an educational outcome.  What does that mean in plain speak?  Most of what is currently being done is boring, ineffective and most employees would rather have a root canal then do more security training.  So, how does that inspire them to change their habits? Does the combination of your training and then phishing simulations only catch them doing something wrong instead of doing something right – and if so, how should that make them feel?  Does the training over-simplify a complex problem at the risk of making it unimportant?  Or does it only raise fear instead of confidence in your employees that you do trust them as your last line of defense?  We prefer to think of what we do at cyberconIQ as education rather than training – we teach people about themselves in ways they find effective and inspire them to become part of a security 1^st culture with a mission of keeping themselves safer online – both at home and at work.  And guess what?  We must be doing something right because more than 78% of learners on our system voluntarily consume the user resources provided to them on our system NOT assigned to them as mandatory?  So with your current vendor, when was the last time you had an employee ask your for MORE security training instead of LESS?  That is what we can provide – proof that employees learn effectively, love doing it and that it efficiently improves your organization’s risk posture permanently.

Finally, what advice would you give to aspiring entrepreneurs and cybersecurity professionals who are passionate about making a positive impact in the industry?

While technology can be transformative and trendy, all technology comes with risk as well as rewards. As a society, we cannot rely on big tech to keep us safe or government to regulate away those risks. Therefore, we must rely on humans to exercise judgment while using technology – and if we understand that – we need more people to become more engaged in solving for the problem of the human side of digital instead of just the technology side.

Dr. James Norrie, Founder & CEO of cyberconIQ. Dr. Norrie has more than 30 years of experience in business management, psychology and the cybersecurity industry. He was the Founding Dean of the Graham School of Business at York College of Pennsylvania, and is currently a tenured faculty member at the school.