
Security Podcast: What does sociotechnical research have to do with cybersecurity?


I’ve always found research and analytics fascinating: what makes people tick, how their cultural background impacts their thoughts, how they communicate, and their global perspective has always interested me. As an undergrad studying advertising, I always thought I’d go into ad research at an agency. As a master’s student, I’m currently studying Intercultural Communications, which is just that – how someone’s background (ethnicity, identity, familial background, etc.) impacts how they communicate, and how you should consider that when crafting communications.

Reimagining Cyber - Episode #8 - Jeremy Epstein

In this week’s Reimagining Cyber episode, “What does sociotechnical research have to do with cybersecurity?,” worlds collided when Jeremy Epstein, Lead Program Officer at the National Science Foundation (NSF), discussed sociotechnics, how research results could impact cybersecurity, and cybersecurity solutions. Epstein describes sociotechnics as everything from “how people interact with computers to how they behave.” For example, the NSF ran a study in New Mexico that interviewed White, Black, Hispanic, and Native American teenagers about privacy, whose perceptions are impacted by their cultural differences. In other studies, senior citizens were interviewed to see how they reacted to phishing attacks, which could be different than someone who grew up as a digital native. He’s even done research on hacking election results. Results from these studies can be used to tailor solutions and/or communications to intended audiences to avoid dreaded phishing attacks or other dangerous cyber attacks.

I found it really interesting how Epstein and team have thought outside the box to gather research. In one case, they involved anthropologists in their research. As experts in human nature, anthropologists were able to give added insight that they otherwise wouldn’t have gotten.

“We put anthropologists in SecOps centers because they are used to observing cultures different than their own and learning from them. Putting sociologists in SecOps has helped them [SecOps] figure out better ways for different people to work together in a collaborative manner. Sociologists are experts. These are examples of sociotechnical solutions.”

Learning how people perceive things like prompts to change their password or phishing attacks, and how they interact with computers, can help product designers and security teams better tailor their products, solutions, and communications. Understanding your target audience is critical to finding an effective solution. Just because you think it’s a solution doesn’t mean your target audience will. Regardless of your situation, you want to meet your objective – whether that means minimizing password hacks, protecting PII data, or access breaches – and you can’t do that without understanding your target audience.

Epstein shared a funny anecdote illustrating this point when he discussed a time when he worked with developers at a software company.

“I created the ‘Seven Deadly Sins,’ [where I] focused on a small list of things to focus developers. It turned out, it was kind of funny, when I went to brief the ‘Seven Deadly Sins’ in an Asian country, where ‘Seven Deadly Sins’ isn’t part of the culture. First, I had to explain, as a Jewish guy, what Seven Deadly Sins meant before they could understand why this is important. The point of it,” he says, “is, we expect every developer to be a security expert now. They can’t be. We have to do a better job. We are funding a number of projects where we’re studying the psychological aspects of what causes developers to make security mistakes. We’re also funding the technical aspects, how do we look at the APIs that can’t be misused, so we don’t see the same thing in MSL, where the underlying implementation is secure but people are using the APIs wrong and cause bad things to happen because they didn’t understand to call API X before you call Y, and you can’t skip Y before Z, but APIs don’t enforce this. What can we do to improve those APIs so programmers can’t misuse them?”

I got quite a chuckle out of his story, and it was a good reminder as a Communications Leader to always focus on the target audience and their background/perceptions.

This episode has a lot of great tidbits of information and really interesting stories about how sociotechnics impact cybersecurity. I think my favorite was the one about the cornfields! What was yours? Do you have a funny story like Epstein’s Seven Deadly Sins? We’ve all been there. Just the other day I was talking about a phishing attack while getting a massage, and she thought I meant f-i-s-h-i-n-g. Ha! Share yours in the comments below.

Listen to the full recording of this podcast: What does sociotechnical research have to do with cybersecurity? Let me know what you think.

Be sure to also subscribe to the Reimagining Cyber podcast with your favorite service including Apple, Soundcloud, Stitcher, Google Play, and Spotify, where you can also listen to previously recorded episodes.


CyberRes is a Micro Focus line of business focused on helping companies protect, detect, and evolve their security framework and helping organizations become more cyber resilient. To learn more, visit CyberResilient.com.