Episode 141: A Human-Centered Take on Password Policies
Update: 2025-06-25
Description
In episode 141 of Cybersecurity Where You Are, Tony Sager is joined by Phyllis Lee, VP of SBP Content Development at the Center for Internet Security® (CIS®), and Julie Haney, Computer Scientist and Human-Centered Cybersecurity Researcher at the National Institute of Standards and Technology (NIST). Together, they apply a human-centered understanding of security to password policies, discussing their benefits, drawbacks, and efficacy. Here are some highlights from the episode:
- 01:03: Introductions to Phyllis and Julie
- 03:34: How "human-centered cybersecurity" goes beyond just usability
- 05:35: The use of NIST and other authoritative sources to dispel confusion in cybersecurity
- 09:09: How password policies positively and negatively impact human behavior
- 15:06: Three anecdotes that showcase the importance of context when enacting security policy
- 21:49: The process of using NIST SP 800-63 to recommend password security best practices
- 27:11: Our changing understanding of "the human element"
- 29:23: The need to do cybersecurity awareness training "right" and measure its effectiveness
- 31:30: Recognition of the absence of natural systems thinking in cybersecurity
- 33:14: Psychological safety, feedback, and trust as foundations of security culture
- 39:03: Human touchpoints as a starting point to help usability and security work together
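The 09:09 and 21:49 segments contrast password policies that fight users (short maximum lengths, mandatory character classes) with the direction NIST SP 800-63B takes: a minimum length, a generous maximum, Unicode normalization, and a blocklist of common, compromised, or context-specific values instead of composition rules. The following is an added example written for this page, not code from the episode, CIS, or NIST; the blocklist, the "legacy" policy, the sample passwords, and the sequential-character heuristic are all constructed for illustration.

```python
"""Added example: an acceptance check in the style of NIST SP 800-63B section
5.1.1.2, side by side with a constructed legacy composition-rule policy.
Blocklist and samples are constructed; a real verifier would load a breach
corpus instead of this small set."""

import re
import unicodedata

# Constructed stand-in for the list of commonly used / expected / compromised
# passwords that SP 800-63B says a verifier SHALL compare against.
BLOCKLIST = {
    "password", "password1", "p@ssw0rd", "p@ssw0rd1!", "123456", "qwerty",
    "letmein", "welcome1", "iloveyou",
}


def normalize(secret: str) -> str:
    """Apply Unicode NFKC before length checks and comparison, as 800-63B
    directs, so visually identical input always compares the same way."""
    return unicodedata.normalize("NFKC", secret)


def _is_sequential(s: str) -> bool:
    """Minimal heuristic for '12345678' / 'abcdefgh' style runs (assumption:
    every adjacent code point differs by exactly +1 or exactly -1)."""
    if len(s) < 4:
        return False
    diffs = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return diffs <= {1} or diffs <= {-1}


def nist_style_check(secret: str, *, min_len: int = 8, max_len: int = 64,
                     blocklist=BLOCKLIST, context=()):
    """Return (accepted, reasons). No composition rules, no truncation,
    no password hints; 'context' holds words such as the username or the
    service name that 800-63B says should be rejected when embedded."""
    s = normalize(secret)
    reasons = []
    if len(s) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if len(s) > max_len:
        reasons.append(f"longer than {max_len} characters")
    folded = s.casefold()
    if folded in blocklist:
        reasons.append("on the blocklist of common/compromised passwords")
    for word in context:
        if word and word.casefold() in folded:
            reasons.append(f"contains context-specific word {word!r}")
    if re.fullmatch(r"(.)\1+", s):
        reasons.append("single repeated character")
    if _is_sequential(s):
        reasons.append("sequential characters")
    return (not reasons, reasons)


def legacy_composition_check(secret: str):
    """Constructed example of the pre-800-63B style policy the episode
    criticizes: 8-16 characters and one of each character class."""
    reasons = []
    if not 8 <= len(secret) <= 16:
        reasons.append("length must be 8-16 characters")
    classes = {
        "uppercase": any(c.isupper() for c in secret),
        "lowercase": any(c.islower() for c in secret),
        "digit": any(c.isdigit() for c in secret),
        "symbol": any(not c.isalnum() for c in secret),
    }
    reasons.extend(f"missing {name}" for name, ok in classes.items() if not ok)
    return (not reasons, reasons)


def compare(secrets, context=()):
    """Accept/reject verdict from both policies for each constructed sample."""
    return {
        s: {"nist_style": nist_style_check(s, context=context)[0],
            "legacy": legacy_composition_check(s)[0]}
        for s in secrets
    }


if __name__ == "__main__":
    # Constructed samples: a breached-but-"complex" value, a long passphrase,
    # and a username-derived value for user "alice".
    samples = ["P@ssw0rd1!", "correct horse battery staple", "alice2024!Spring"]
    for pw, verdict in compare(samples, context=("alice",)).items():
        print(f"{pw!r:34} nist_style={verdict['nist_style']!s:5} "
              f"legacy={verdict['legacy']}")
```

The contrast is the point the episode makes: the legacy policy accepts `P@ssw0rd1!` because it ticks every character-class box, while the blocklist rejects it; the legacy policy rejects a 28-character passphrase for being too long and lacking a digit, while the 800-63B-style check accepts it. The remaining 800-63B verifier requirements (allow paste, rate-limit failed attempts, no forced periodic rotation absent evidence of compromise, a salted slow hash for storage) sit outside this acceptance check.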
Resources
- CIS Password Policy Guide
- NIST SP 800-63 Digital Identity Guidelines
- Episode 98: Transparency as a Tool to Combat Insider Threats
- Episode 110: How Security Culture and Corporate Culture Mesh
- Why Employee Cybersecurity Awareness Training Is Important
If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.