Episode 141: A Human-Centered Take on Password Policies

 

 

In episode 141 of Cybersecurity Where You Are, Tony Sager is joined by Phyllis Lee, VP of SBP Content Development at the Center for Internet Security^®(CIS^®); and Julie Haney, Computer Scientist & Human-Centered Cybersecurity Researcher at the National Institute of Standards and Technology (NIST). Together, they use a human-centered understanding of security to discuss password policies, including their benefits, drawbacks, and efficacy.

Here are some highlights from our episode:

• 01:03. Introductions to Phyllis and Julie
• 03:34. How "human-centered cybersecurity" goes beyond just usability
• 05:35. The use of NIST and other authoritative sources to dispel confusion in cybersecurity
• 09:09. How password policies positively and negatively impact human behavior
• 15:06. Three anecdotes that showcase the importance of context when enacting security policy
• 21:49. The process of using NIST SP 800-63 to recommend password security best practices
• 27:11. Our changing understanding of "the human element"
• 29:23. The need to do cybersecurity awareness training "right" and measure its effectiveness
• 31:30. Recognition of the absence of natural systems thinking in cybersecurity
• 33:14. Psychological safety, feedback, and trust as foundations of security culture
• 39:03. Human touchpoints as a starting point to help usability and security work together

Resources

• CIS Password Policy Guide
• NIST SP 800-63 Digital Identity Guidelines
• Episode 98: Transparency as a Tool to Combat Insider Threats
• Episode 110: How Security Culture and Corporate Culture Mesh
• Why Employee Cybersecurity Awareness Training Is Important

If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing [email protected].