8th Layer Insights 4.25.23
Ep 31 | 4.25.23

Postcards from the Intersection of Cybersecurity and Folklore


Perry Carpenter: I'm Perry Carpenter and you're listening to "8th Layer Insights."

Perry Carpenter: In 1844 Jacob Grimm of the Brothers Grimm wrote this in his book "Teutonic Mythology." He writes, "The fairy tale flies. The legend walks, knocks at your door. The one can draw freely from the fullness of poetry. The other has almost the authority of history." So what does that mean? It means that we humans have two basic kinds of stories that we tell ourselves and those around us. We tell stories that are easily understood as being made up. You know, stories of talking animals or fantastical feats that are so far outside our experience of reality that any sensible person would know that they are not true or that they are allegory or maybe were just written for the sheer enjoyment of the author or the pleasure of the reader. Those are fairy tales. Legends, on the other hand, are darker and grittier. They just feel more grounded. They may feel a bit strange, but there's just something that gives them the edge of believability. Maybe they mention a town nearby or a brand that we all know or maybe that nearby railroad crossing or that abandoned house. You know, the one just across the way. Whereas most fairy tales come to us in books or in story time, these stories come to you from a friend or a family member. And when you ask, they say they were told about it by a reliable source. It was a friend of a friend of their aunt. And sometimes these legends are all good fun, but other times they can lead to real confusion and pain. My guest today is Josiah Dykstra. He's a senior fellow in the office of innovation at the National Security Agency. He's also the coauthor of a new book along with Eugene Spafford and Leigh Metcalf. The book is titled "Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail Us." These myths and misconceptions are often the urban legends of cybersecurity. They're the things that we all may believe, but we don't really know quite why. Little bits of knowledge that come to us as received wisdom.
Or maybe they're told to us from somebody who heard it from a friend of a friend. On today's show we explore some cybersecurity related myths and misconceptions that trip us up and hold us back. Welcome to "8th Layer Insights." This podcast is a multidisciplinary exploration into the complexities of human nature and how those complexities impact everything from why we think the things that we think to why we do the things that we do and how we can all make better decisions every day. This is "8th Layer Insights." Season four. Episode one. I'm Perry Carpenter. Welcome back, and welcome to episode one of season four. It's been almost three months since we ended season three and in that strange way that time works it feels like a lifetime ago and simultaneously like it was yesterday. A quick update about me. I've been traveling quite a bit for conferences and speaking engagements and my other show, "Digital Folklore," also kicked off right as season three of this show was ending and "Digital Folklore" has been doing really well. And like many of you, my family and I are getting ready for the summer, trying to figure out how to make the best use of the time that we have with our kids before they finish school and start new lives of their own. And that's just on my side. Let's talk about you. Well, the world keeps getting more complex and economic uncertainty continues to rear its ugly head and depending on who you listen to we might be seeing the light at the end of the tunnel or we may be continuing a bit further down the tunnel. What else? Advances in AI seem to be picking up at an even more rapid pace than when we ended season three back in January, and it seems like every podcaster's been doing an AI and ChatGPT focused episode. So yeah. I'll have one of those in the season just as soon as I figure out how to bring something unique to the conversation.
And, oh yeah, this fun new AI tech seems to be coming along just in time to take the disinformation/misinformation and malinformation problem that we have into an entirely new realm of sophistication just in time for the upcoming election cycle here in the U.S. So that will be fun. Not. Yeah. Let's get back to something more positive. Today's show is an interesting blend of the two topics that I have podcasts on. We're going to be talking a little bit about cybersecurity and folklore and the intersection between the two. It's actually pretty interesting. The more research that I do into the area of folklore, the more I see how it applies to the discipline of cybersecurity and vice versa. After all, folklore is really the beliefs, the customs, the stories, and all the other artifacts that come from quote, unquote, "the folk." And who are the folk? Well, that's us. Or more specifically the folk are normal people who engage in society, and folklore is the output that comes from normal everyday people as opposed to coming from formal or official publications. I like how Dr. Lynne McNeill describes folklore. She says that folklore is the informal traditional culture of a group of people. And don't let that word traditional trip you up. That just means that it is ever changing and dynamic. So in the age of the internet traditions of a piece of folklore can happen extremely rapidly. Think about how rapidly you've seen certain memes spring up and spread, each iteration being slightly different as everyone puts their own unique spin on it or tailors it to fit whatever their purpose is. That's folklore. And we cybersecurity professionals form what's known as a folk group. We have shared lingo and beliefs and customs and practices and a whole lot more. And of course even within the whole of the cybersecurity profession there are multiple folk groups, clusters of people who share common interests and stories or express themselves in unique ways.
And we each even have our own urban legends. Oh, and speaking of urban legends, I recently accepted an invitation to speak at the International Society for Contemporary Legend Research at their annual conference this summer where I'll be sharing some of these interesting overlaps and what our two disciplines can learn from each other. I'll update you on that a little bit later in the season, but first here's a quick example of that overlap between cybersecurity and folklore. This is a short clip from an interview that my "Digital Folklore" co-host Mason Amadeus and I did with Chelsey Weber-Smith on the "American Hysteria" podcast. In this episode we were talking about Slender Man and a folklore concept called ostension. And that term ostension leads us into an interesting discussion about cybersecurity.

Chelsey Weber-Smith: They can kind of seep out into the real world and how it kind of seeps back again and, you know, there's this complicated interplay of forces between -- well, let me let you explain what ostension is first.

Mason Amadeus: It's interesting because there's like a couple of different flavors of it, but basically it's when real life happenings parallel the events in a pre-existing narrative like a legend or something. So in the case of the Slender Man stabbings that happened, that is actually, in the flavor of ostension, it falls under pseudo-ostension, which is when people are aware of the original narrative, but in some ways it doesn't. The lines get a little blurry because there's like there's ostension, quasi-ostension, and pseudo-ostension. At least to my knowledge. I'm not an expert, but from all the people we've talked to quasi-ostension is like interpreting ambiguous events in terms of a legend. So like a lot of media panics are based on that where it's like, "Oh, we believe there's a man in a van. We believe this was like gang activity or this was an occult thing."

Chelsey Weber-Smith: Yeah. Like an example of that maybe would be some teenagers spray paint hail Satan under the bridge. Right? And then that is interpreted. Would that be a good example of that? It's interpreted as real, a real cult, not just teenagers being stupid.

Mason Amadeus: Exactly because it's a very ambiguous thing and not a particular legend whereas like direct ostension would be a real life happening paralleling something that happened in well established legends, but the people who carried it out weren't like, "Let's go act out this legend."

Unidentified Person: So really the Slender Man ones in particular I think may fall under that. And this would be something I'd want to ask someone who really studies folklore. They may fall under this because the people who carried them out were children and also, you know, suffering with extraneous circumstances and things that made understanding the depth of their actions not possible. But it's when a story comes to life, and it doesn't always have to be in dark ways either. The focus on Slender Man and that is just the darker side of it.

Perry Carpenter: Yeah. Well, I mean, and on the dark side of those there are so many examples of that. As you hear the legend of Bloody Mary and then so that is the legend. That's the folklore that's there. And then the ostension of that is you, you know, with a group of your friends in the house standing in front of a dark mirror and saying Bloody Mary three times. It is the physical manifestation of your understanding of the legend or the -- kind of the way that the collective consciousness of that has put the legend into your mind whether you know it's a legend or not.

Mason Amadeus: But it's one of the ways that folklore like directly affects the real world because it's always from a story to the real world.

Chelsey Weber-Smith: So like, for example, there's a -- you know, several legends out there that say there's a chair in this graveyard. Right? And if you go sit in this old stone chair that's also a grave, you know, you'll go to hell or something. Right? So that would be ostension if you were a teenager and you decided to go and test that paranormal idea.

Unidentified Person: Yeah. Definitely.

Chelsey Weber-Smith: Okay. Okay.

Perry Carpenter: Well, and ostension for me until I actually started studying folklore a little bit more from an academic perspective, and I'll say this really clear, neither myself nor Mason are academic folklorists. We don't have degrees in this. We're kind of on this journey learning as much as we can, but it was only when I took a class in folklore at Harvard over the summer just so I could get up to speed a little bit and feel competent that I heard the word ostension for the first time. And then I started to realize, oh, we actually see that word embedded in other words like ostentatious when people are trying to make a show of something or ostensibly because of something. So I think you can understand when you start to see how that word has been used or derived in other ways kind of the idea that's behind it, but the other thing that was really interesting to me when it came to ostension again from the cybersecurity perspective that I've come from is we always talk about when it comes to things like cyber warfare at what point does digital warfare spill into physical warfare. You know, if I shut down a power grid, that was a digital action that now has physical consequences. So there is this interesting ostensive type of idea that I had already been playing with for a couple decades.

Chelsey Weber-Smith: Wow. Yeah. I would love if you wanted to say any more about -- because that's something I hadn't really put the pieces together on where if you're thinking about ostension I've been thinking about it in terms of urban legends mostly and that's a lot of fun, but can you give us an example in cybersecurity of ostension as maybe it relates to conspiracy theories or anything in that digital realm?

Mason Amadeus: Oh. There was also that story from Betty.

Perry Carpenter: That's exactly where I was going to go with that. So I've got lots of stories that I had come across on my own, but one that ties in with a person who we're going to have a segment of her interview for is Betty Aquino. Yeah. So we were talking with Betty Aquino who is a graduate student at George Mason University, and she presented at the International Society of Contemporary Legend Research over this last summer. And the thing that she had presented on was this, you know, if you're on Facebook groups or have the neighborhood app or anything like that you tend to see these little rumors get started. And in the increasingly fractured and polarized society that we are in we also see these moral panics spin up. So around the time of Halloween she had received a notification. I think it started out through text message, but somebody had seen it in a different way first of, "Oh. We have to worry about, you know -- we've heard that ISIS is coming to town and they're planning an attack against X." And that turned like several things due. Once they're already in a digital format, it turned kind of like into this chain letter. So, you know, the grandfather got that. They sent it out to three other people. Those people get a little bit spun up, and now all of a sudden news stations are reporting about an impending ISIS engagement in this neighborhood or at this local supermarket that may happen. And so all that started to spin up. And of course some of the things that we had seen years ago is that when those type of panics spin up they may start as a digital rumor, but that can spill out into real physical violence as people start to say, "Oh. That person looks like they may be with ISIS. Me and my buddies are going to go beat them up." You know, tell them whose area this really is. So luckily it didn't spill over into that, but I think we've seen that over and over and over again.
We know that those types of things when we spill these digital rumors that have the ability to spread at seven times -- one interesting study that I had seen, I can probably pull the report name, is that it's been shown that on Twitter -- this was an MIT study. They showed that falsehoods generally go seven times faster than truth.

Chelsey Weber-Smith: I remember that study. Absolutely.

Perry Carpenter: Yeah. Because when you're building that type of falsehood you're usually going with some kind of, you know, preconceived bias. You're inflaming an emotion. You're poking somebody's bias in some way. And so people get riled up and they share that. Whenever we start to see these digital rumors go out and misinformation and disinformation go out it's playing on all of that, and of course that can spill over into the physical world as people then take all that digital information into their mind, inflame their own biases, and then go out. Act that out on the street. So we see that, but then we also see in the Russia/Ukraine war that's been going on we see the Ukrainian government especially using meme warfare very, very well. If you look at the Ukrainian government's Twitter page, especially at the very beginning of the incursion, they were using memes I mean just like masterfully. And just poking Russia, getting people on their side, and not in ways that looked like a government doing it. In ways that looked like a 15 year old that really knew what they were doing when it comes to kind of poking somebody at their most vulnerable spot online and really kind of showing the power that the medium has to really inflict -- and I think I'm using that term intentionally. To inflict opinion in a very interesting way.

Chelsey Weber-Smith: Yeah.

Mason Amadeus: That's exactly the kind of thing that really just blew my mind about the fact that this is folklore and folklore has this incredible value in being studied academically because it has so many real world impacts, but it's the kind of thing where everyone when they hear the word folklore is not going to think about this kind of thing, but really all of these narratives that we tell each other, the way we share information among our groups informally, is so vastly important and has very real world consequences. But I would never have thought to put the label folklore on studying that kind of thing before.

Perry Carpenter: Yeah. And then one other digital to physical version of this is when people start to organize using things like Facebook or Twitter. Coded language to do stuff like flash mobs. You know, I've got all of this information going out and people that know the right things to look for then all of a sudden start to organize in the right way to have this physical expression of in a flash mob what could be a wonderful thing, but if you take that and turn it a little bit it could also be a very dangerous thing. And of course we see that in different groups using those types of things for lots of forms of recruitment or to take out a physical action in a devastating way as well.

Chelsey Weber-Smith: And that seems pretty similar to what is happening online and I imagine that that's something that you have seen a lot in your work with cybersecurity.

Perry Carpenter: Actually like any discipline there's entire mythologies that come up around cybersecurity. It may not be all that interesting to get into, but you know when people say cybersecurity immediately there are images that come to mind for people. There are things like people in hoodies. There's green text on black screens. All of that is kind of the mythology and the folklore of the discipline. And people can play into that in certain ways whenever they want to induce fear or they might play into that in certain ways if they want to induce trust and they'll use iconography like locks and shields and all of that. So I would say that everywhere that you turn, every discipline that you look at, there is -- there is a folklore around that thing. And the one that I've kind of centered my life on for a really long time happens to be cybersecurity.

Chelsey Weber-Smith: That's cool. Yeah.

Perry Carpenter: If you're interested in hearing the rest of that discussion, I'll put a link to that episode of "American Hysteria" in the show notes. So now let's expand this conversation and bring in today's guest Josiah Dykstra and learn a bit about his new book "Cybersecurity Myths and Misconceptions" and how to avoid the hazards and pitfalls that derail us.

Josiah Dykstra: My name is Josiah Dykstra. I am a cybersecurity professional. I have been doing this for 18/19 years in a professional capacity. My academic background is a PhD in computer science. I studied digital forensics for cloud computing. I have become very interested in the human parts of cybersecurity having done some research on that, some practitioner work on that. And so I find myself at the intersection of research and practice quite a bit.

Perry Carpenter: Fantastic. So tell us a little bit about the book. You've got an interesting book about myths and misconceptions related to cybersecurity. Give us an overview. How did that come about? Tell us about the author team that's involved and what the goals of the book are.

Josiah Dykstra: The story weaves together actually based on these authors. So my first book was an O'Reilly book called "Essential Cybersecurity Science." I care very much about the scientific method in cybersecurity and I was talking to Leigh Metcalf who works at SEI at Carnegie Mellon and she was writing a similar book more recently sort of updated from the one that I had done. And she had asked me to review it. It had a single chapter, maybe even a section in a chapter, which was about myths in cybersecurity. And I said, "That is a really fascinating topic. I bet we could write a whole book about that." And we sort of spitballed by email I don't know 20 or 30 ideas for that. So that was the seed of the idea. I eventually mentioned this to Gene Spafford at Purdue who I've known for some time and we had collaborated before and it turns out he has been teaching a class at Purdue exactly about myths in cybersecurity. So we fell together a year or a year and a half ago all very excited to be collaborating. And, as you'd expect, had no end to the topics that we wanted to include. One day we just had to decide this is going to be enough for version one. And so we spent some time doing research, writing our own experiences. We bring a lot of background. We calculated at one point that we have close to 100 years of experience between the 3 of us. And so we made a pretty good team. It was a mix of government and academic and industry experience.

Perry Carpenter: Yeah. So when we talk about myths in cybersecurity, give us some examples and then I want to have you give a break down of the format of the book.

Josiah Dykstra: Yeah. I'm going to flip open to my own table of contents here so I can remember the diversity. So we broke the book up into sections. So we have a section on general issues. We have a whole section on human issues. And then a mix of contextual issues and finally data issues. And there is between two and six chapters per section. And we didn't start with themes, but we came up with myths first and then those themes emerged over time. And they range broadly from what is the internet and what is the point of cybersecurity to rather technical topics, things in malware analysis and vulnerability discovery. We wanted the book to be readable. It's not intended to be a formal textbook per se. So it's a broad audience, I think. Normal people from my parents to CISOs I think will appreciate the things that are in it.

Perry Carpenter: As I think about a book like this, there's kind of two things that come to mind. One is explaining things that are otherwise murky to certain populations. And then the other one is a debunking type of book. Which does this fall into or is it kind of a mixture of both?

Josiah Dykstra: That's a great distinction. We didn't necessarily think about dividing it that way, although I probably could do it now. We approached it more from what are things that we've heard people say that appear commonly as anecdotes that have permeated for a long time and either have changed and are no longer true or they were never true to begin with, and somehow this seeming fact got into the ecosystem. And so we wanted to correct the record in those cases.

Perry Carpenter: What is the preeminent example of that? Like when you say, "Here's the most fundamental myth or misconception when it comes to cybersecurity that I hear everybody repeat and I just wish it could go away," what is that?

Josiah Dykstra: That's a real hard one to boil down. The very first myth in the book is everybody knows what cybersecurity means. We sort of start at the beginning and the fact that that term has many definitions. And I have had plenty of conversations where we talk past each other because we don't all perfectly agree on that. And if your boss comes to you and says, "How well are we doing?" Well, that's -- I don't know how to answer that question. The question can be taken so many different ways. It's not that you get a score of 50 today on your cybersecurity. That's a misunderstanding about what is cybersecurity. So that's where we started too.

Perry Carpenter: Okay. So let's make that practical then. So that's the fundamental type of thing is we use this phrase or this word cybersecurity and there's tons of other words that we use where we potentially have a semantic -- differently under -- you know, different semantic understanding than the person that's on the listening end of that conversation. So the security culture is one that I come up with all the time. I, you know, talk about security culture and everybody believes it's really important. Then you ask for them to define that and it means something totally different than what's in my head. So when we say cybersecurity which has only relatively recently become the de facto term for the profession that we find ourselves in, what is the way that you talk about that within the book? Is it just, you know -- is that separate from information security? Is it a subheading within information security? Is it the, you know, super set? You know, how does all that fit together or is it all just a word salad?

Josiah Dykstra: It is definitely a word salad. I have lived through a lot. You've lived through a lot. I have a degree that is technically in information assurance, a phrase that has sort of fallen by the wayside in the last decade at least. And so we didn't try to set the record on this is the definition. I think it's more important that people explain themselves clearly when they're communicating. Language is one of the most powerful tools we have, and yet it gets us in the most trouble. And so when you say, "How is the cybersecurity of our company?" That is an abstract imprecise question. The first thing I would ask that person is, "What do you mean by cybersecurity in the enterprise?" Let's be a little bit more specific with our language. Not that any of the definitions that are out there are wrong. There are plenty of ones that are fine for the use in that compliance document or that -- whatever it might be in your enterprise as long as everybody agrees and understands. What I worry more about is that we talk past each other meaning different things.

Perry Carpenter: Yeah. That makes a lot of sense. And so really just trying to have a meeting of the minds about what this thing that you're saying that you're talking about or that you're measuring or that you're asking for budget items related to, that you're all on the same page about what that is and what the potential outcomes of that investment or measurement or whatever will relate to. You mentioned the human side of things within the book and most of the listeners of this show are super interested in the human side, the intersection between cybersecurity and humanity or tech and humanity in general. What are some of the things that you talked about related to humans?

Josiah Dykstra: Some are probably the ones you'd expect, things like we should blame the user. That's a big one. It's been misconstrued for a long time. That's the first one in that section on humans. We talk about how humans are an asset. There are many kinds of humans in cybersecurity, not just the people who use software and hardware. So that's an obvious one that we cover. There's others that you'd expect like the myth that I'm too small or I'm too insignificant to be a target.

Perry Carpenter: Oh. That's a good one.

Josiah Dykstra: That is one that for some reason still permeates. I talk to small business owners who still hold that view. Why would anybody go after me? I don't have anything of value. And so we talk about the many parts of -- the sub parts of that myth like the sub myth that the attacker knows who you are or cares what you are. Or that you actually have things of value including your computer itself. Right? Which can be used to attack other people, other machines.

Perry Carpenter: Yeah.

Josiah Dykstra: One of my favorites I think is at the beginning of the year there are all these predictions about what the next year ahead is going to look like in cybersecurity. What are the threats going to be? What are the trends going to be? And so we wrote a myth about how we cannot predict future threats. We can make educated guesses. And we compare this to the weather. The difference between a weather forecast and the "Farmer's Almanac." The "Farmer's Almanac" is about 50% true. It's more or less a coin toss about what is weather going to be like 18 months from now. That is different than what are the atmospheric conditions in my neighborhood today and does that mean there's a chance of rain tomorrow.

Perry Carpenter: Yeah. That actually makes a lot of sense. So I've had discussions with people on what's a true black swan event versus the other term that is used for things that are largely predictable which would be like gray rhino types of events. And I think you're -- you're really hitting it at that is we can only predict things to a certain degree, but we can look at leading indicators and we can kind of see I know enough about history and I know enough about humanity and adversarial relationships that I can put two and two together and think within a relative amount of certainty that something might happen. But we do end up ritualizing the aspect of putting these forecasts out with lots of certainty and fanfare.

Perry Carpenter: So as you're writing this and going through the different types of misconceptions, is there a certain format that you adopted? Is it, you know, here's the misconception, here is the truth behind that? Do you ever -- do you try to trace that back to the roots of maybe the first instance of that?

Josiah Dykstra: We did in a couple of cases try to trace them back. The general form we took was to give an example, either a real one that we have -- one of us has experienced, or a hypothetical one that very well could happen in real life, to explain maybe why -- why people might come to the wrong conclusion. And always ending with what you can do about it. That was very important. Not to just say, "These are the myths," but what should you do? What can you do? A couple of them I think in the introduction I talked a little bit about myths of the past. There was a myth in the '90s, I would say, that antivirus companies created malware so that you would have to buy their product. And I don't hear that myth so much anymore, but it was I thought really common back in that time. I don't know where it came from. I don't know who started it. It certainly was around the internet for at least a couple of years, and then it sort of died on its own. And we try and point out in this book how can you kill bad myths sooner. How can you prevent them, for that matter, from taking root at all?

Perry Carpenter: Yeah. And I think that when you -- when you get to things like that, there are the myths that we may come to believe as cybersecurity professionals and then there's also myths and misunderstandings that exist within IT and within the executive team of an organization. Do you talk about those, kind of the group or the potential bias differentiations between the backgrounds that people have or the audience?

Josiah Dykstra: That's a great point. I don't think specifically we talk about that, but the closest that I recall is our section on cognitive biases and I had done some work before the book even on action bias. The action bias is our tendency as humans to want to do something, to want to act, to respond, even if it's not rational. But it's our sort of gut instinct to want to just do something. The quintessential example from the -- from the press some years ago was about professional soccer goalies and how people expect them to jump in penalty kicks to block the kick when in fact data shows that if they stayed in the middle of the goal they would block more shots. But it's the expectation of the fans and the coaches and the other players to jump, to move, to want to do something. And we see this in cybersecurity during incident response which is instead of gathering data and trying to slow down and make an informed decision or to take the time before the incident occurs to do a tabletop, right, to have a playbook and to rehearse that, we want to jump into action. Even if we don't exactly know what's going on, do something. And what I have discovered is that your rational choice depends very much on your job. Your rational role is the CISO is to defend the company. So of course you want to do something even if it lowers productivity for the company. That is a very different choice than a developer in your organization. And it's very different from a stockholder in that company. All of us are going -- are likely to make rational decisions from our perspective even though from an outside view your choice might look crazy.

Perry Carpenter: I actually love that. I think that's exactly what I was getting at. So you might not have had the outlined conversation points related to each of those, but you give the tools to think through the potential way that somebody might view this situation because of these biases. And I think that that's fantastic. I really like your example of if you're the CISO and there's an incident you believe that you should be doing something. In fact, you want to be on record as doing something. You want all indications to point that you had tried to put on the cape and were doing everything possible. And that if they got by, then it's, you know, because you were, you know, taken down in a fight rather than slowing down and doing all of the things that you talked about or even doing better preparedness beforehand. When you think about the book, what are the things that you're most proud of, that you're -- that you're hoping that people will take and that they will remember as they put it down or maybe hand it to somebody else and say, "You have to read this because of X."

Josiah Dykstra: So some readers they will read a lot of the myths and it will not surprise them. Of course they know that there is this bias. They see it every day. I think everybody -- I hope everybody finds some new tidbit that they hadn't thought about. They might of course say, "Well, how could anybody possibly believe that?" I assure you we have heard these myths before. We do know that they occur.

Perry Carpenter: Right.

Josiah Dykstra: We made a deliberate point to end the book with hope. We did not want it to be just a downer to say, "Look. People believe crazy things. The world is going to end." It's -- that is not the key takeaway. So the last chapter is called "Finding Hope" and it's about what are the sort of meta myths, and what can you do about it? So when I talked about action bias I said that slowing down was helpful. I think in general that helps to bust myths. If we sort of stop and ask ourselves, "Is this true? What is the other evidence that might support a different perspective on this? Can I find more information?" Slowing down is one way to help dispel myths. Another would be to not overgeneralize. That's a key theme among lots of these myths is to say, "Everybody gets ransomware," "Everybody -- every user makes a bad choice." That overgeneralization leads very, very often to misperceptions.

Perry Carpenter: So the last question then from me is, is there something that was on your mind that you really wanted to make sure gets shared that for some reason I haven't touched on yet?

Josiah Dykstra: A very difficult question. I think maybe it is how do we make cybersecurity easier for people to comprehend. One of my pet peeves in cybersecurity is that we're not very good about measuring the things that matter, measuring the outcomes that matter. We have proxy metrics for a lot of things. And so we talk as cybersecurity professionals in lofty goals. And in the book we cover the myth that -- the goal of cybersecurity is security. And I think that is a big misconception among my peers. We neglect all the time to consider people's primary goals, and that is one thing I come back to a lot. And I try to spread that message as much as I can because I -- I'm having a hard time fixing that myth and I need lots of people's help with it which is help understand what are people trying to do. Security should be there to help them achieve their goals. If you are talking to a healthcare provider, their goal is not security. In fact, we cite a study in the book that one researcher found that in one case there were poorer health outcomes after a data breach at a hospital that might have been the result of increased security. Not a good outcome. And we have to appreciate that, yes, our jobs in the profession are to do as good cybersecurity as possible, and we forget to say that that should be in the context of helping people achieve the things that they want to do. And so perfect security for sharing photos or doing banking or online shopping would mean that we can't do those things. We could have perfect security and people would be unhappy and unproductive. And so I really hope that people can help spread the message about that.

Perry Carpenter: Well, that brings us to the end of today's episode. It's great to be back for season four. I hope you enjoyed the quick catch up as well as learning a little bit about how cybersecurity and folklore overlap and complement each other. And how we can begin to deconstruct many of the myths and misconceptions that we have. And, with that, thanks so much for listening. And thank you to my guest Josiah Dykstra. Be sure to check out the book "Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail Us." In my opinion this is one of those books that really shines as a physical book. There are tons of great charts and graphs and cartoons that work really well in the print edition or at least a very large format e-reader. If you've been enjoying "8th Layer Insights" and you want to know how you can help make this show successful, there are as always two big ways that you can do so. And they're both still super important even in season four. That's the first -- if you haven't yet, go ahead and take just a couple of seconds to go give us five stars and leave a short review on Apple Podcasts or Spotify or any other podcast platform that allows you to do so. That helps other people who stumble upon the show have the confidence that this show is worth their most valuable resource, their time. I'd also really appreciate it if you would tell someone else about the show. Growing our audience is what makes the show sustainable. It's also fun to watch the numbers continue to climb. And if you haven't yet, please go ahead and subscribe or follow wherever you like to get your podcasts. If you want to connect with me, feel free to do so. You can find my contact information at the very bottom of the show notes for this episode. This show was written and recorded, sound designed, and edited by me, Perry Carpenter. Our cover art was designed by Chris Machowski at ransomwear.net. That's W-E-A-R. The "8th Layer Insights" theme song was composed and performed by Marcos Moscat. Until next time, I'm Perry Carpenter signing off.