Human-Centered Security

Voice+Code
Human-Centered Security

Cybersecurity is complex. Its user experience doesn’t have to be. Heidi Trost interviews information security experts about how we can make it easier for people—and their organizations—to stay secure.

  1. 1D AGO

    We Regret to Inform You: Your Phishing Training Did Nothing with Ariana Mirian

    You click on a link in an email—as one does. Suddenly you see a message from your organization, “You’ve been phished! Now you need some training!” What do you do next? If you’re like most busy humans, you skip it and move on. Researcher Ariana Mirian (and co-authors Grant Ho, Elisa Luo, Khang Tong, Euyhyun Lee, Lin Liu, Christopher A. Longhurst, Christian Dameff, Stefan Savage, Geoffrey M. Voelker) uncovered similar results in their study “Understanding the Efficacy of Phishing Training in Practice.” The solution? Ariana suggests focusing on a more effective fix: designing safer systems. In the episode we talk about: Annual cybersecurity awareness training doesn’t reduce the likelihood of clicking on phishing links, even if completed recently. Employees who finished training recently show similar phishing failure rates to those who completed it months ago. The study notes, “Employees who recently completed such training, which has significant focus on social engineering and phishing defenses, have similar phishing failure rates compared to other employees who completed awareness training many months ago.”Phishing simulations combined with training (where companies send out fake phishing emails to employees and, for those who click on the links, lead those employees through training) had little impact on whether participants would click phishing links in the future. Ariana was hopeful about interactive training but found that too few participants engaged with it to draw meaningful conclusions. The type of phishing lure (e.g., password reset vs. vacation policy change) influenced whether users clicked. Ariana warned that certain lures could artificially lower click rates.Ultimately, Ariana suggests focusing on designing safer systems—where the burden is taken off the end users. She recommends two-factor authentication, using phishing-resistant hardware keys (like YubiKeys), and blocking phishing emails before they reach users. This quote from the study stood out to me: “Our results suggest that organizations like ours should not expect training, as commonly deployed today, to substantially protect against phishing attacks—the magnitude of protection afforded is simply too small and employees remain susceptible even after repeated training.” This highlights the need for safer system design, especially for critical services like email, which—and this is important—inherently relies on users clicking links. Ariana Mirian is a senior security researcher at Censys. She completed her PhD at UC San Diego and co-authored the paper, “Understanding the Efficacy of Phishing Training in Practice.” G. Ho et al., "Understanding the Efficacy of Phishing Training in Practice," in 2025 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, 2025, pp. 37-54, doi: 10.1109/SP61157.2025.00076.

    47 min
  2. JUN 30

    Trust Me Maybe: Building Trust in Human-AI Partnerships in Security

    In this episode, I speak with three guests from diverse backgrounds who share a common goal: Building trust in human-AI partnerships in security. We originally came together for a panel at the Institute of Electrical and Electronics Engineers (IEEE) Conference on AI in May 2025, and this episode recaps that discussion. Key takeaways: Security practitioners tend to be natural-born skeptics (can you blame them?!). They struggle to trust and adopt AI-powered security products, especially in higher-risk scenarios with overly simplified decision-making processes.AI can be a tool for threat actors and a threat vector itself, and its non-deterministic nature makes it unpredictable and vulnerable to manipulation.All AI models are biased, but not all bias is negative. Recognized and carefully managed bias can provide actionable insights. Purposefully biased (opinionated) models should be transparent.Clearer standards and expectations are needed for “human-in-the-loop” and human oversight. What does the human actually do, are they qualified, and do they have the right experience and information?What happens when today’s graduates are tomorrow’s security practitioners? On one end of the spectrum we have a lot of skepticism, on the other end not enough. We talk about over-reliance on AI, de-skilling, and loss of situational awareness. Dr. Margaret Cunningham is the Technical Director, Security & AI Strategy at Darktrace. Margaret was formerly Principal Product Manager at Forcepoint and Senior Staff Behavioral Engineer at Robinhood. Dr. Divya Ramjee is an Assistant Professor at Rochester Institute of Technology (RIT). She also leads RIT’s Technology and Policy Lab, analyzing security, AI policy, and privacy challenges. She previously held senior roles in US government across various agencies. Dr. Matthew Canham is the Executive Director, Cognitive Security Institute. He is a former FBI Supervisory Special Agent, with over twenty years of research in cognitive security.

    44 min
  3. MAY 29

    XDR, EDR, SIEM, SOAR…Snooze: Cybersecurity Marketing Real Talk with Gianna Whitver

    You're a founder with a great cybersecurity product—but no one knows or cares. Or you're a marketer drowning in jargon (hey, customers hate acronyms, too), trying to figure out what works and what doesn’t. Gianna Whitver, co-founder of the Cybersecurity Marketing Society, breaks down what the cybersecurity industry is getting wrong—and right—about marketing. In this episode, we talk about: Cyber marketing is hard (but you knew that already). It requires deep product knowledge, empathy for stressed buyers, and clear, no-FUD messaging.Building authentic, value-driven communities leads to stronger cybersecurity marketing impact.Don’t copy the marketing strategies of big enterprises. Instead, focus on clarity, founder stories, and product-market fit.Founder-led marketing works. Early-stage founders can break through noise by sharing personal stories.Think twice before listening to the advice of “influencer” marketers. This advice is often overly generic. Or, you’re following advice of marketers marketing to marketers (try saying that ten times fast). In other words, their advice is probably not going to apply to cybersecurity.Gianna Whitver is the co-founder and CEO of the Cybersecurity Marketing Society, a community for marketers in cybersecurity to connect and share insights. She is also the podcast co-host of Breaking Through in Cybersecurity Marketing podcast, and founder of LeaseHoney, a place for beekeepers to find land.

    34 min
  4. MAY 15

    Here Comes the Sludge with Kelly Shortridge and Josiah Dykstra

    Users, threat actors, and the system design all influence—and are influenced by—one another. To design safer systems, we first need to understand the players who operate within those systems. Kelly Shortridge and Josiah Dykstra exemplify this human-centered approach in their work. In this episode we talk about: The vital role of human factors in cyber-resilience—how Josiah and Kelly apply a behavioral-economics mindset every day to design safer, more adaptable systems.Key cognitive biases that undermine incident response (like action bias and opportunity costs) and simple heuristics to counter them.The “sludge” strategy: deliberately introducing friction to attacker workflows to increase time, effort, and financial costs—as Kelly says, “disrupt their economics.”Why moving from a security culture of shame and blame to one of open learning and continuous improvement is essential for true cybersecurity resilience.Kelly Shortridge is VP, Security Products at Fastly, formerly VP of Product Management and Product Strategy at Capsule8. She is the author of Security Chaos Engineering: Sustaining Resilience in Software and Systems. Josiah Dykstra is the owner of Designer Security, human-centered security advocate, cybersecurity researcher, and former Director of Strategic Initiatives at Trail of Bits. He also worked at the NSA as Technical Director, Critical Networks and Systems. Josiah is the author of Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail Us. During this episode, we reference: Josiah Dykstra, Kelly Shortridge, Jamie Met, Douglas Hough, “Sludge for Good: Slowing and Imposing Costs on Cyber Attackers,” arXiv preprint arXiv:2211.16626 (2022). Josiah Dykstra, Kelly Shortridge, Jamie Met, Douglas Hough, “Opportunity Cost of Action Bias in Cybersecurity Incident Response,” Proceedings of the Human Factors and Ergonomics Society Annual Meeting, 66, Issue 1 (2022): 1116-1120.

    43 min
  5. JAN 2

    From Tools to Teammates: (Dis)Trust in AI for Cybersecurity with Neele Roch

    When we collaborate with people, we build trust over time. In many ways, this relationship building is similar to how we work with tools that leverage AI.  As usable security and privacy researcher Neele Roch found, “on the one hand, when you ask the [security] experts directly, they are very rational and they explain that AI is a tool. AI is based on algorithms and it's mathematical. And while that is true, when you ask them about how they're building trust or how they're granting autonomy and how that changes over time, they have this really strong anthropomorphization of AI. They describe the trust building relationship as if it were, for example, a new employee.”  Neele is a doctoral student at the Professorship for Security, Privacy and Society at ETH Zurich. Neele (and co-authors Hannah Sievers, Lorin Schöni, and Verena Zimmermann) recently published a paper, “Navigating Autonomy: Unveiling Security Experts’ Perspective on Augmented Intelligence and Cybersecurity,” presented at the 2024 Symposium on Usable Privacy and Security.  In this episode, we talk to Neele about: How security experts’ risk–benefit assessments drive the level of AI autonomy they’re comfortable with.How experts initially view AI: the tension between AI-as-tool vs. AI-as-“teammate.”The importance of recalibrating trust after AI errors—and how good system design can help users recover from errors without losing their trust in it.Ensuring AI-driven cybersecurity tools provide just the right amount of transparency and control.Why enabling security practitioners to identify, correct, and learn from AI errors is critical for sustained engagement. Roch, Neele, Hannah Sievers, Lorin Schöni, and Verena Zimmermann. "Navigating Autonomy: Unveiling Security Experts' Perspectives on Augmented Intelligence in Cybersecurity." In Twentieth Symposium on Usable Privacy and Security (SOUPS 2024), pp. 41-60. 2024.

    37 min

About

Cybersecurity is complex. Its user experience doesn’t have to be. Heidi Trost interviews information security experts about how we can make it easier for people—and their organizations—to stay secure.

You Might Also Like

To listen to explicit episodes, sign in.

Stay up to date with this show

Sign in or sign up to follow shows, save episodes, and get the latest updates.

Select a country or region

Africa, Middle East, and India

Asia Pacific

Europe

Latin America and the Caribbean

The United States and Canada