CISOs in crisis

Archive for the ‘Security’ Category

CISOs in crisis

Posted by

Cybersecurity is an intense race that never lets up, an endless back-and-forth with threat actors looking for a way in. Not surprisingly, CISOs are continually on edge, feeling increased stress and pressure: In fact, 75% are open to change, according to a new report from IANS Research and Artico Search.

Excerpt from: CISOs in crisis – why they feel dissatisfied and neglected by the C-suite and board.

So what can CISOs do to improve their satisfaction levels, standing and influence within a company and broaden their non-technical expertise? For starters, advocate, IANS advises. With traditional characteristics no longer meeting the needs of the new security landscape, CISOs have an “unprecedented opportunity” to argue for their role at the C-suite level and call for enhanced interaction with boards.

Ultimately, says advisory CISO and IANS faculty member Wolfgang Goerlich: “CISOs who manage relationships are more satisfied and successful than CISOs who manage technology.”

Read the full article:

Wolf’s Additional Thoughts

Security leadership is a relationship, not a position. I’ve said it before and I’ll say it again. I understand many of us (myself included!) got into this field for our love of technology. Preserve that love, that spark, that joy. But always remember it is our relationship with our peers, the C-Suite, and the board, which enables us to lead and make a difference.

Side note, I’m a fan of coaching. Both being coached, and coaching others. I think it just makes good sense to get an outside opinion on what you’re doing, and what’s possible. The study found it also makes good business sense. “Security leaders who don’t participate in professional development make an average of $369,000 a year, while those with executive coaching take in roughly $550,000 — a difference of nearly $200,000.”

This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category. Do you want to interview Wolf for a similar article? Contact Wolf through his media request form.


A pre-mortem on Zero Trust

Posted by

Zero trust offers organizations an approach that can help to significantly improve security posture and help to minimize risk. But what would happen if, let’s say, an organization had fully implemented zero trust and yet at some point several years into the future had a breach? What would be the likely reasons?

Excerpt from: How a pre-mortem can tell you what’s wrong with Zero Trust

“Our out of scope is in scope for adversaries,” Goerlich said.

“Whenever a control reaches critical mass, the control will be bypassed,” he said. “Another way of saying that is all a better mousetrap does is breed better mice.”

He suggests that organizations deploying zero trust today, look at their roadmaps and make sure they have plans to sustain support, interest and engagement for years to come. Goerlich also recommends that zero trust implementers shore up out-of-scope areas to help reduce the attack surface.

Read the full article:

This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category. Do you want to interview Wolf for a similar article? Contact Wolf through his media request form.

Empathy, kindness, and behavior economics on We Hack Purple Podcast

Posted by

Tanya Janca invited me onto her We Hack Purple Podcast to discuss vulnerabilities beyond code. Along the way, we cover behavior economics and the importance of empathy in cybersecurity design. “Kindness is the original security principle” makes an appearance, as we talk about how all this and more applies to building better products.

Our conversation was sponsored by the Diana Initiative, a conference committed to helping all those underrepresented in Information Security.


To see listen to other podcast interviews, click to view the Podcasts page or the Podcasts category.

Cisco Rolls Out Duo Passwordless Authentication, Sees WebAuthn Usage Surge

Posted by

Excerpt from: Cisco Rolls Out Duo Passwordless Authentication, Sees WebAuthn Usage Surge

Cisco plans to roll out its Duo Passwordless Authentication globally next Wednesday. This push is in line with the findings from Duo Security’s recent report which showed that passwordless adoption continues to climb.

“We’re starting to reach a tipping point where the hardware is ubiquitous, the standards are in place, and enough services support the standards, and that’s really driving that increase that we see in web authentications. So now … organizations can adopt them with confidence,” Goerlich said.

Read the full article:

This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category. Do you want to interview Wolf for a similar article? Contact Wolf through his media request form.

Nudge and Sludge: Driving DevOps Security with Design

Posted by


Nudge and Sludge: Driving DevOps Security with Design

Security people say users are the weakest link. When security becomes burdensome, users take shortcuts jeopardizing security. Design offers a solution. We will walk through affordances, nudges, sludge and principles to inform and direct our design. Come learn how better usability leads to DevOps security.

This talk was given at DevOpsDay Tel Aviv 2021.

Good security is like a good coffee pot – Design Monday

Posted by

Coffee. Coffee fuels hackers, coders and security wonks alike. For hackers of my generation, we tackled many a problem and brewed many a pot with a Braun. And within its hourglass shape lies a lesson for today’s security professionals.

The chief designer at Braun from 1961-1995 was Dieter Rams. He was behind the ubiquitous Braun coffeemaker from the 1980s. (I had a hand-me-down pot in my workshop in the 1990s.) Now you might think the shape was for decoration. Makes sense. One of Dieter Rams’ ten principles for good design is that good design is aesthetic. You’d be wrong.

Attractiveness for the sake of attractiveness isn’t Dieter Rams point. His design aesthetic was first solving the problem, and then solving the problem in a beautiful way.

The hourglass coffeemaker’s shape stemmed from a problem with the plastic. Plastic casings were still relatively new at the time. The process wasn’t producing plastic that was strong enough. The fluting provided strength and structure. As Dieter Rams wrote, “what was often misunderstood as some kind of post-modern decorative element had in fact a definite structural function.”

Applying this to cyber security: first design to meet the security requirements, then redesign using the same elements to provide a good experience.

Braun KF 157 Coffeemaker, Photography via WorthPoint.

Good Design is Aesthetic

I’m nostalgic about Braun KF 157 coffeemaker. But I’m in love with the Braun KF 20.

The KF 20 was ahead of its time. It looked like science fiction. In the futuristic world of Alien set in 2122, there was the Braun KF 20.

Florian Seiffert designed the coffeemaker in 1972. Following Dieter Rams direction and principles, every stylistic element has a functional purpose. The end result is well-designed, well-intentioned, beauty.

“It is truly unpleasant and tiring to have to put up with products day in and day out that are confusing, that literally get on your nerves, and that you are unable to relate to.” Dieter Rams spoke of products like coffee pots. But he just as easily could have been describing security controls.

Good security has a design aesthetic that is relatable and understandable.

Braun KF 20 Coffeemaker, Image via Dan Gorman

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

Contrast the status quo with the new vision – Design Monday

Posted by

“I want to be Batman.” This is the greatest answer I’ve received to the interview question, “where do you see yourself in five years?” 

I hired him. Of course.

If only stopping criminals and villains was as simple as hiring superheroes. But we need equipment. We need partners and support. And before we get our batcave and police commissioner Gordon, we first need to reach people. 

Leaders excite and engage people to get things done. We use strong clear communication that cuts through debate and doubt, and provides a solution we can agree upon. It takes strong visual and verbal communication.


One more thing about superheroes, what happened to them visually? The Golden Age and Silver Age comic books were full of bright bursts of primary colors. These days, superheroes have been drained of color. DC’s Superman’s original bright blue and bright red are so muted, they look nearly black-and-grey. Marvel has taken a similar approach. Looking at you, WandaVision. The Scarlet Witch isn’t scarlet but a dark burgundy. Modern heroes are a study in dark contrast. 

Christopher Nolan’s Batman trilogy takes the blame. The films defined the noir look which has played out across all recent comic book movies. But who inspired Nolan?

Visual Contrast

The answer is Johannes Itten from the Bauhaus. That’s Bauhaus the design school, not Bauhaus the band. t’s final form was in Berlin, where Ludwig Mies van der Rohe was the director. Before that, the Bauhaus was in Dessau, getting its start in Weimar in 1919. Many great names, and many great designs, trace back to this time. But in Weimar? In the start? There was Johannes Itten. 

Johannes Itten taught art and color at the Bauhaus. Had a blast doing so, from what we can tell. “Play becomes joy, joy becomes work, work becomes play.”

While with the Bauhaus, Itten studied colors, establishing the fundamental categories for contrast: hue, light-dark, cold-warm, complementary, analogous, saturation, and extension. This work, specifically with contrasting seasonal color palettes, inspires painters and artists to this day. And nearly a century later, Christopher Nolan would turn to Itten’s desaturated and muted color palettes when establishing the mood of The Dark Knight Rises.

Contrast is what makes the visual beautiful.

Verbal Contrast

The communications expert Nancy Duarte studied storytelling and presentations. She looked at superhero movies, she looked at boardroom talks. “After all this study, it was a couple of years of study, I drew a shape,” Duarte recounted on the TED stage. “There is this commonplace of the status quo, and you need to contrast that with the loftiness of your idea.” 

Duarte details her contrast model and shape in her presentation, The secret structure of great talks, and in her Resonate book.

It was a pattern I followed when establishing the vision for my monitoring program. I explained the status quo of audits and manual efforts. I painted the picture of automation and visibility. I showed where we were weak, and pitched how my team could be stronger. I leaned into the contrast. In the end? I obtained the funding for the SIEM and equipped my team’s Batman.

Contrast is what makes the verbal actionable.

Sell the Vision

“The objective laws of form and color help strengthen a person’s powers and to expand his creative gifts,” Johannes Itten once said. Duarte’s research shows similar laws of form and content strengthen a person’s persuasive powers. 

Explain your vision by contrasting what is and what will be. Use this approach to gain buy-in, support, and budget. That’s how hire the Batman, and that’s how we get those wonderful toys.

A noir color study in contrast.

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

Lateral thinking inspired by the Nintendo Game & Watch – Design Monday

Posted by

Lack of sufficient budget and inadequate staffing, those are among the top challenges CISOs report when surveyed.

Oddly enough? No one ever asks CISOs what they have too much of.

With that one question, Gunpei Yokoi created the handheld video game console market. The Nintendo game designer was behind the Game & Watch and Game Boy. He called his combination of disciplined focus on play and radical use of legacy components “lateral thinking with withered technology.”

It’s a philosophy with repercussions for security leaders.

Withered Technology

When Yokoi spoke of withered technology, he meant technology which had matured to the point where it was plentiful, affordable, and well-understood.

The Nintendo Game & Watch series was built on an advantage in the market which Sharp and Casio’s competition created. These two companies emphasized leading edge technology. The result was older black-and-white LCD calculator screens where readily available at a very low cost. Yokoi embossed the screen to compensate for manufacturing imperfections. To get color? Yokoi had colored lines printed on the embossed screen. This also reduced the need for lighting up the entire display, saving battery and extending game play.

The first way to apply Game & Watch thinking is finding similarly seasoned technology in our security stack. We might not have budget for an advanced user behavior analytics platform with machine learning. But we do have a logging platform. How far can we take what we have? Find the correlation-and-alerting equivalent of embossed-and-painted calculator screens.

A deeper way to apply Yokoi’s philosophy returns to the question: what do we have in abundance? I once collaborated with an organization that had built out an access review and certification process in IT service management. Why? Well, they had extra ServiceNow licenses. Abundance isn’t only technology, however, it can also relationships. I know another organization with strong relationships with marketing and corporate communications, who used this to great effect, producing a slick internal campaign which drove adoption of password vaulting.

In one context, it is withered. In another context, it is ripe. The trick is to see a new context.

Lateral Thinking

As a discipline, lateral thinking offers several methods for seeing things differently. One that comes to mind when studying Yokoi is the provocation and movement technique.

The first step is stating a provocation. This statement can negate the status quo, change the logical order of things, or exaggerate an aspect of the strategy. If our current security model depends upon network visibility, for example, one provocation would be “our defense doesn’t require anything from the network.”

The second step is determining how we move from our current thinking towards a context which satisfies the provocation. The general path is to extract a principle, focus on the difference between the contexts, imagine a movement to close the gap. Using the above example, that may be “we shift monitoring from the network to the endpoint.”

The Game & Watch version of Donkey Kong offers a perfect example of provocation and movement. The arcade version of Donkey Kong required a joystick. The variable resistance joysticks used in arcades required bulky potentiometers. The provocation is an exaggerated arcade joystick taped onto a Game & Watch. The underlying principle is up/down and left/right movement.

The resulting move was to create the plus-shaped cross control pad. These controls require only four buttons, fit the Game & Watch, cost a thousandth of an arcade joystick, and became Yokoi’s most widely copied innovation.

Ripening on the Vine

Yokoi’s “lateral thinking with withered technology” principle culminated in the Nintendo Game Boy. Released in 1989, it had a cross control pad and a black-and-white LCD. The processor was from the 1970s. Specifically, Sharp’s response to the Intel 8080 and Zilog Z80. In every way, the Game Boy was under-powered compared to the competition.

The Game Boy went on take the market, and to sell 119 million units. It remained Nintendo’s highest selling game system for nearly two decades. Nintendo DS finally overtook the Game Boy in 2016. And withered technology? Withered won.

Gunpei Yokoi began at Nintendo as a maintenance man working the assembly line. He once said, “I don’t have any particular specialist skills. I have a sort of vague knowledge of everything.” His strength was finding strengths in areas others overlooked, then strategically applying them to great advantage.

When determining how best to protect the organization, think like Yokoi, and look for areas of abundance ripening on the vine. Calculator screens, surplus processors, existing technology, working processes, strong relationships. Identify strengths. Be provocative.

Nintendo Game & Watch: Donkey Kong. Photo courtesy WikimediaImages from Pixabay.

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

Cyber Security Design Studies, Papers, Books, and Resources

Posted by

The cyber security design principles emphasize psychology over technology. Here is a collection of scientific studies, research papers, design books, and related resources.

This is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

Paths They Take

Number of steps; Familiarity of each step; Friction at each step.

Introduction to Customer Journey Mapping (ebook)

Flow Design Processes – Focusing on the Users’ Needs

Scientific Articles

Shosuke Suzuki, Victoria M. Lawlor, Jessica A. Cooper, Amanda R. Arulpragasam, Michael T. Treadway. Distinct regions of the striatum underlying effort, movement initiation and effort discounting. Nature Human Behaviour, 2020; DOI: 10.1038/s41562-020-00972-y

G. Suri, G. Sheppes, C. Schwartz, J. J. Gross. Patient Inertia and the Status Quo Bias: When an Inferior Option Is Preferred. Psychological Science, 2013; DOI: 10.1177/0956797613479976

Julia Watzek, Sarah F. Brosnan. Capuchin and rhesus monkeys show sunk cost effects in a psychomotor task. Scientific Reports, 2020; 10 (1) DOI: 10.1038/s41598-020-77301-wBongiorno,

Basu, R., Gebauer, R., Herfurth, T. et al. The orbitofrontal cortex maps future navigational goals. Nature, 2021 // How do goal maps guide the brain toward a destination? 

C., Zhou, Y., Kryven, M. et al. Vector-based pedestrian navigation in cities. Nat Comput Sci, 2021 DOI: 10.1038/s43588-021-00130-y. // People don’t follow the shortest path. They follow the easiest path to recall and follow. That is, the pointiest path.

Li Zheng, Zhiyao Gao, Andrew S. McAvan, Eve A. Isham, Arne D. Ekstrom. Partially overlapping spatial environments trigger reinstatement in hippocampus and schema representations in prefrontal cortex. Nature Communications, 2021 // Navigating an environment that’s sort of similar but not, is harder than navigating an entirely new environment.


Choices They Make

Number of choices; Predictability of the choice; Cognitive load of each choice.

Nudge to Health: Harnessing Decision Research to Promote Health Behavior

Sludge: “activities that are essentially nudging for evil”

Intentional and Unintentional Sludge


Choosing Not to Choose, by Cass Sunstein

How to Decide: Simple Tools for Making Better Choices, by Annie Duke

Being Wrong: Adventures in the Margin of Error, by Kathryn Schulz

Think Again: The Power of Knowing What You Don’t Know, by Adam Grant

Scientific Articles

Sunstein, C. (2020). Sludge AuditsBehavioural Public Policy, 1-20. doi:10.1017/bpp.2019.32

Soman, Dilip and Cowen, Daniel and Kannan, Niketana and Feng, Bing, Seeing Sludge: Towards a Dashboard to Help Organizations Recognize Impedance to End-User Decisions and Action (September 27, 2019). Research Report Series Behaviourally Informed Organizations Partnership; Behavioural Economics in Action at Rotman, September 2019

Chadd, I., Filiz-Ozbay, E. & Ozbay, E.Y. The relevance of irrelevant informationExp Econ (2020). // Unavailable options and irrelevant information often cause people to make bad choices. The likelihood of poor decisions is even greater when people are presented with both.

Thomas L. Saltsman, Mark D. Seery, Deborah E. Ward, Veronica M. Lamarche, Cheryl L. Kondrak. Is satisficing really satisfying? Satisficers exhibit greater threat than maximizers during choice overload. Psychophysiology (2020). // To get past frustration, satisficers make a speedy choice instead of thinking too deeply about the choices being presented.

Stuart Mills. Personalized Nudging. Cambridge University Press (2020). // Choice architects can personalize both the choices being nudged towards (choice personalization) and the method of nudging itself (delivery personalization).

Stephanie Mertens, Mario Herberz, Ulf J. J. Hahnel, Tobias Brosch. The effectiveness of nudging: A meta-analysis of choice architecture interventions across behavioral domains. Proceedings of the National Academy of Sciences, 2022. // Over 450 strategies analyzed, with nudges across three groups: “information,” “structure” and “assistance.” Strong proof of nudging over mandates for leading to behavior change.

Gabrielle S. Adams, Benjamin A. Converse, Andrew H. Hales, Leidy E. Klotz. People systematically overlook subtractive changes. Nature, 2021. // People approaching a problem rarely think removing something as a solution. People almost always add something whether it helps or not.

Cary Frydman, Ian Krajbich. Using Response Times to Infer Others’ Private Information: An Application to Information Cascades. Management Science, 2021. // If people in a group pause when making a decision, other people are twice as likely to break from the group to make their own choice.

Narayan Ramasubbu and Indranil R. Bardhan. Reconfiguring for Agility: Examining the Performance Implications for Project Team Autonomy Through an Organizational Policy Experiment. MIS Quarterly, 2021. // More freedom means greater productivity and better customer satisfaction. By contrast, more top-down governance results in lower productivity and customer satisfaction.

Blair R. K. Shevlin, Stephanie M. Smith, Jan Hausfeld, Ian Krajbich. High-value decisions are fast and accurate, inconsistent with diminishing value sensitivity. Proceedings of the National Academy of Sciences, 2022.

Nancy Padilla-Coreano, Kanha Batra, Makenzie Patarino, Zexin Chen, et al. Cortical ensembles orchestrate social competition through hypothalamic outputsNature, 2022. // Study on mice to determine how the brain encodes social rank and “winning mindset”.


The behavior we want people to perform.

Scientific Articles

Hall, Jonathan D. and Madsen, Joshua, Can Behavioral Interventions Be Too Salient? Evidence From Traffic Safety Messages (September 16, 2020).

Robison, M. K., Unsworth, N., & Brewer, G. A. Examining the effects of goal-setting, feedback, and incentives on sustained attention. (August 7, 2021). // Providing feedback on performance is a strong motivator and sustains attention over a longer-term than goal-setting alone.

Kevin P. Grubiak, Andrea Isoni, Robert Sugden, Mengjie Wang, Jiwei Zheng. Taking the New Year’s Resolution Test seriously: eliciting individuals’ judgements about self-control and spontaneity. Behavioural Public Policy, 2022. // “Individuals often make resolutions in January to maintain healthy lifestyle regimes — for example to eat better or exercise more often — then fail to keep them. Behavioural scientists frequently interpret such behaviour as evidence of a conflict between two ‘selves’ of a person — a Planner (in charge of self-control) and a Doer (who responds spontaneously to the temptations of the moment). Public policies designed to ‘nudge’ people towards healthy lifestyles are often justified on the grounds that people think of their Planners as their true selves and disown the actions of their Doers. However, the authors argue this justification overlooks the possibility that people value spontaneity as well as self-control, and approve of their own flexible attitudes to resolutions.”

Qi Su, Alex McAvoy and Joshua B. Plotkin. Evolution of cooperation with contextualized behavior. Science Advances, 2022.

Gareth J. Hollands, Juliet A. Usher-Smith, Rana Hasan, Florence Alexander, Natasha Clarke, Simon J. Griffin. Visualising health risks with medical imaging for changing recipients’ health behaviours and risk factors: Systematic review with meta-analysis. PLOS Medicine, 2022. // Improved visualization leads to risk-reducing behaviors. 


Barriers preventing people from completing the behavior.

Scientific Articles

Helen Demetriou, Bill Nicholl. Empathy is the mother of invention: Emotion and cognition for creativity in the classroom. Improving Schools (2021).

Rachel C. Forbes and Jennifer E. Stellar. When the Ones We Love Misbehave: Exploring Moral Processes Within Intimate Bonds. Journal of Personality and Social Psychology, 2021 // This applies to security champion and security advocate programs. Tighter relationships mean more forgiveness, which in turn provides more room for the security team to maneuver. 


Benefits of completing the behavior.

Scientific Articles

Nicole Abi-Esber, Jennifer Abel, Francesca Gino, Juliana Schroeder. Just Letting You Know: Underestimating Others Desire for Constructive FeedbackJournal of Personality and Social Psychology, 2022. // A series of five experiments involving 1,984 participants to measure how much people underestimate others’ desire for constructive feedback. People want feedback.

Flow (Concentration) 

Benefits of completing the behavior.

Scientific Articles

loria Mark, Mary Czerwinski, and Shamsi T. Iqbal. Effects of Individual Differences in Blocking Workplace Distractions. Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems, 2018. // Security needs to be extremely careful not to overload people’s already overloaded attention. Check this for strategies people use to manage (ignore?) notifications. 

Richard Huskey, Justin Robert Keene, Shelby Wilcox, Xuanjun (Jason) Gong, Robyn Adams, Christina J Najera, Flexible and Modular Brain Network Dynamics Characterize Flow Experiences During Media Use: A Functional Magnetic Resonance Imaging StudyJournal of Communication, 2021. // The sweet spot is when “activities are engaging enough to fully involve someone to the point of barely being distracted, but not so difficult that the activity becomes frustrating.”

Training (Ignorance)

Scientific Articles

Nesra Yannier, Scott E. Hudson, Kenneth R. Koedinger, Kathy Hirsh-Pasek, Roberta Michnick Golinkoff, Yuko Munakata, Sabine Doebel, Daniel L. Schwartz, Louis Deslauriers, Logan McCarty, Kristina Callaghan, Elli J. Theobald, Scott Freeman, Katelyn M. Cooper, Sara E. Brownell. Active learning: “Hands-on” meets “minds-on”. Science, 2020 // It’s no surprise that hands-on training exceeds lecture. But who does that in security? These researchers evaluate and share ways to make learning active. 


40 Clever and Creative Bus Stop Advertisements

Scientific Articles

Vadiveloo, M. K., Dixon, L. B., & Elbel, B. (2011). Consumer purchasing patterns in response to calorie labeling legislation in New York City. The International Journal of Behavioral Nutrition and Physical Activity, 8(1), 51-51.

Fernandes, D., Lynch, J. G., & Netemeyer, R. G. (2014). Financial literacy, financial education, and downstream financial behaviors. Management Science, 60(8), 1861-1883.

Beisswingert, B. M., Zhang, K., Goetz, T., Fang, P., & Fischbacher, U. (2015). The effects of subjective loss of control on risk-taking behavior: the mediating role of anger. Frontiers in psychology, 6, 774.

Yana Fandakova, Elliott G Johnson, Simona Ghetti. Distinct neural mechanisms underlie subjective and objective recollection and guide memory-based decision making. eLife, 2021. // Memory involves both recall of specific details (who, where, when) and feelings of remembering and reliving past events. New research shows that these objective and subjective memories function independently, involve different parts of the brain, and that we make decisions based on subjective memory.

Elizabeth A. Minton, T. Bettina Cornwell, Hong Yuan. I know what you are thinking: How theory of mind is employed in product evaluations. Journal of Business Research, 2021

Adrian R. Walker, Danielle J. Navarro, Ben R. Newell, Tom Beesley. Protection from uncertainty in the exploration/exploitation trade-off. Journal of Experimental Psychology: Learning, Memory, and Cognition, 2021.


More people, better technology.

Scientific Articles



Drive: The Surprising Truth About What Motivates Us, by Daniel H. Pink

Scientific Articles

Gneezy, U., & Rustichini, A. (2000). A Fine is a Price. The Journal of Legal Studies, 29(1), 1–17. doi: 10.1086/468061

Rey-Biel, Pedro & Gneezy, Uri & Meier, Stephan. (2011). When and Why Incentives (Don’t) Work to Modify Behavior. Journal of Economic Perspectives. 25. 191-210. 10.2307/41337236.

University of Pennsylvania. (2021, January 19). Money matters to happiness–perhaps more than previously thought

Johnny Långstedt. How will our Values Fit Future Work? An Empirical Exploration of Basic Values and Susceptibility to Automation. Labour & Industry: a journal of the social and economic relations of work, 2021. // A look at the intrinsic value people feel from doing the work.

Georgia Clay, Christopher Mlynski, Franziska M. Korb, Thomas Goschke, and Veronika Job. Rewarding cognitive effort increases the intrinsic value of mental labor. PNAS, 2022. // If people are rewarded for their effort, it motivates them to seek further challenging tasks that are not rewarded.



How to Measure Anything in Cybersecurity Risk, by Douglas W. Hubbard, Richard Seiersen

Scientific Articles

Adam Beautement, Ingolf Becker, Simon Parkin, Kat Krol, and M. Angela Sasse. 2016. Productive security: a scalable methodology for analysing employee security behaviours. In Proceedings of the Twelfth USENIX Conference on Usable Privacy and Security (SOUPS ’16). USENIX Association, USA, 253–270.

Behavior Economics

From “Economic Man” to Behavioral Economics

Related Books

  • The design of everyday things, by Don Norman
  • Designing for the digital age: How to create human-centered products and services, by Kim Goodwin
  • Design research: Methods and perspectives, by Brenda Laurel
  • User experience revolution, by Paul Boag


Does security have a design problem? Designing Security for Systems that are Bigger on the Inside.

How does design apply to securing application development and DevOps? Securing without Slowing.

How does design apply to BYOD and Cloud apps? Security Design Strategies for the Age of BYO.

How does design apply to blue teaming? Design Thinking for Blue Teams.

Killing Passwords with Infosecurity Magazine

Posted by

Back in September, Gartner detailed its top eight security projects for the coming year. Among those was the concept of ‘passwordless’ authentication, where a second factor such as a known asset like a phone, tablet, keyfob or smart watch can be used instead of a password.

Excerpt from: Interview: J Wolfgang Goerlich, Advisory CISO, Duo Security (Cisco)

Speaking to Infosecurity, Goerlich cited a talk at the 2004 RSA Conference, where Bill Gates said that the password is dead, and Goerlich commented that “16 years later we’re still trying to kill it.” He said that to enable a passwordless strategy, you need both the equipment and technology to enable it, but mostly you need “to have momentum in the organization and a reason to do it.”

However, now that everyone carries a biometric authenticator in their pocket, has hardware in place and given the fact that security wants to enable users, why do passwords still exist? 

Read the full article:

Wolf’s Additional Thoughts

What leads one innovation to succeed? What leads another innovation to stall? We need standards, infrastructure, and critical mass. But these come often out of order and require a spark to bring it all together. Sixteen years after Bill Gates declared the password dead, we’ve reached the inflection point. It’s about to get exciting.

The final thought in the article is “He concluded by saying that increasing trust in authentication is vital for passwordless to succeed, as today’s good factor is bypassed tomorrow. “

My strong recommendation is pairing passwordless with additional anti-fraud measures. Include the device identification in the authentication. Include behavior analytics (where, when, how) to further bolster trust in the authentication. We can predict criminals will work around these authentication methods, so let’s move now to put in place compensating controls to detect and prevent their next move.

This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category. Do you want to interview Wolf for a similar article? Contact Wolf through his media request form.