Security Awareness Training

    Get Cyber Resilient Ep 98 | Being smart with Human Behaviour - with Dan Gregory CEO of The Impossible Institute

    Dan Gregory, CEO of The Impossible Institute, joins the podcast this week to talk about the effects of human behaviour in cyber.


    Dan explains how to work with the fact that employees won’t care as much about cyber as we do and the impacts of leadership democratisation.

    We then look at how human trust has changed and how design beats discipline and motivation.

    The Get Cyber Resilient Show Episode #98 Transcript

    Garrett O'Hara: Welcome to The Get Cyber Resilient podcast. I'm Garrett O'Hara. The conversation today is with Dan Gregory, the CEO of The Impossible Institute, expert on human behaviour and engagement leadership speaker, author, and social commentator. You may have seen him on The Gruen Transfer or other TV shows. He gave one of the best keynotes I've seen in cyber at the AISA Cyber Conference in 2018.

    Dan is all about being smart when it comes to human behaviour. And in this interview, we talk about humans and cyber, how to work with the fact that employees won't care as much about cyber as we do, the impact of leadership democratisation, i.e., we can't tell people what to do anymore and they can ignore us even if we do, how human trust has changed, and how design beats discipline and motivation. Dan was an absolute pleasure to talk with. So over to the conversation.

    Welcome to The Get Cyber Resilient podcast. I'm Garrett O'Hara. Today I'm very excited to be joined by Dan Gregory, the CEO of The Impossible Institute, expert on human behaviour and engagement leadership speaker, author, and social commentator. You would've seen him probably on TV and also keynote speaker at AISA a few years ago. Great to have you on the show, Dan.

    Dan Gregory: Thanks Garrett. It's good to be on.

    Garrett O'Hara: So Dan, the, the first question, we pretty much ask everybody just as kind of a level set is how did they get to where they are today? Obviously you spent a lot of time in the media and, you know, in conferences and leadership with leadership teams. How did you, how did you kind of arrive at where you are today?

    Dan Gregory: Well, to be honest, it was a very indirect route. Although I, I often think that life makes sense in retrospect, but not going forward. And, and that's certainly the case for me. I, so I I did very well at school in every subject which made choosing what to do really difficult. It sounds like a good thing doing well at school. It's actually not. Like if you are good at car- if you're good at woodwork, carpentry is a really easy choice.

    So for me, I started my university degree, I started an economics degree studying to be an actuary 'cause I was very good at maths. And very quickly realised that wasn't the right path. And then I, at, at the time I was in university and I was working as an editorial cartoonist as well so I thought, “Well, maybe that's it.” So I ended up doing a communications degree.

    Garrett O'Hara: Yah.

    Dan Gregory: And the, the, the base of the degree was, was psychology, sociology, and philosophy and a whole bunch of subjects I hadn't even considered. And that's really what piqued my interest. And then so I got out of the university and started a career in the advertising industry, you know, sort of putting communications and psychology to work.

    And so I did that for 10 years and then I traveled the world for about three and a half, four years working as a professional standup comedian. And then came back to advertising and started doing The Gruen Transfer, a TV show on the ABC.

    So it was a very roundabout route to, to get where I am. But I yeah, I ended up spending the past 10 years working as as a professional speaker and mentor and, and coach helping people understand what motivates them, what drives their team, and what, what, you know, gets their customers to buy and buy-in.

    Garrett O'Hara: Yeah. It was such an interesting one for me, when I saw you on the AISA bill, I was like, “Oh, that's just, that's kind of interesting.” You know, somebody who, air quotes, isn't cyber, I wonder what they'll have to say. And, you know, I've sort of said this to many people. It was it, I still reckon it was one of the best cybersecurity talks that I've seen so far, believe it or not, even though, you know, in theory you're not a cybersecurity professional, but the insights to motivation communication, I think, is something that we have traditionally gotten pretty wrong in our industry. We've tried to use information as a way to change minds and it just doesn't work. So yeah, I was definitely yeah, interested to see you there.

    Look, in researching for today's conversation I've read that you and your, your business partner Kieran Flanagan, believe that all influence begins with insight. And in a recent talk, you gave at Connect you, you also said that, we need to assume that they, as in, you know, I suppose employees, don't care as much about cyber as you do or we do. Can you talk us through how those two kind of things interact, influence and insight, and then people just don't care about cyber?

    Dan Gregory: Yeah. Well, I think that's, that's always a good starting point no matter what kind of influence, you know, whether you're a leader trying to influence your team or someone trying to influence customers or community. I think it's a good place to start. Start with the idea that they don't care. Because I think it's, one, one of the things, you know, just picking up what you said there Garrett, the, the idea that that we've, we, we've tried to persuade people or influence them using information, you know, that's not the cybersecurity industry on its own. That's every industry.

    And one of the, one of the, the problems with really smart people is they're really intelligent and they think being intelligent is enough you know. And they'd, so they'd rather be right than rich or they'd rather be right than get a result. And rightness is really appealing. [laughs] And, and, you know, it's something that I understand as well. You know, I like. You know, at some point, you know, my rightness does tend to become righteousness and I think we all become a little bit guilty of that on our particular thing, the thing that we love the most.

    And, and I think one of the things I learned, you know, having been good at school and done really well academically was I got out of school and, and very quickly learned that being the smart kid didn't necessarily lead to success. In fact, sometimes being the smart kid got in the way and sometimes the kids who, who had to be more adaptive in, in how they how they built their careers, oftentimes they were more, more effective because they, you know, they understood... I, I, I think business is more like the rules of schoolyard than the rules of the classroom. And I think that smart kids typically, typically understand the rules of the classroom.

    So my observation is, is that that's, that's something that shows up in the cybersecurity industry as well. You know, you've got some very, very technically brilliant people but they're not very good at managing their biological hardware, you know, the, the, the people that work with them. And I think one of the problems is we think facts are enough. So if you have a look at things like, you know, climate scientists or if you have a look at, at you know, during the pandemic, you know, the, the epidemiologists trying to, trying to make people do the right thing by giving them facts, well, that's not how human beings work. Human beings run on, on, on stories, not data. And so I think having a willingness to, to change your communication style in order to be more influential is really important.

    Garrett O'Hara: Yeah. No. That absolutely makes sense. And, and that's sort of, I suppose, the, the leadership style, communication style. One of the things you talk about is you know, behavioural trends and one of them being business modification. And, and you talk about this where you see this democratisation, I think was the language you used of leadership, where we've gone away from, “Hey, you've gotta do XYZ.” You know, the very directive telling people what to do and moving much more towards getting buy-in and getting people sort of on the journey and, and sort of bought in. With cyber clearly, like, you know, we've spent a long time telling people what to do and actually sometimes like what not to do. It hasn't worked. Like specifically, how do you think we should tackle that as a problem?

    Dan Gregory: Well, I think one of the, one of the issues with cybersecurity is the people in the industry are used to writing instructions in code and then the machine does exactly what they want to, want it to do. [laughs] And that's not-

    Garrett O'Hara: Yeah.

    Dan Gregory: ... that's not how human beings work. And I think the, the most important thing, if, if there's, there's one thing you take away, I think rather than making people care about what you care about, demonstrate how what you care about serves what they care about. In other words, the more, coming back to this point about all the influence begins with insight, the more you understand about a person, the more, the more you understand what motivates them, what drives them, what's truly important to them, the more influence you're able to have with them by aligning, you know, your value with their values. So if I have a real sense of what really truly matters to you, I can, I can be really influential by linking to that, as opposed to making you, you care about something that's completely separate from your world.

    Garrett O'Hara: That, and that's sort of disconnection you see, I think quite a lot. One of the things that in our industry that you, you're supposed to do for ISO certification is do things like send an email every month you know, a security missive. And I'd love to see the open rates for those kind of comms 'cause I don't think anybody ever reads them. You know, they're written, it's heavily texted. It's a lot of very detailed technical jargon quite often. And you're sending those to-

    Dan Gregory: I think the, the open rate for a lot of emails is gonna be very low. I mean, we, we know from any kind of email marketing that the, that the, the hit rate's very low, but, but I think that's a really good, I think that's a really good question is rather than... We, we tend to think of communication as, as transference of information.

    Garrett O'Hara: Mm-hmm.

    Dan Gregory: You know, I, so I, I communicate to you Garrett. There is some kind of a static or interference. You know we're using you know, a technical device at the moment to talk to each other. Then you filter it through your biases and your, your perceived or your filters have perceived meaning. Then you translate that into meaning. And then you feedback to me and that goes through further. That, we tend to think of a very linear model of, of communication.

    I think a better model is, and this, you know, I saw this a student I was at university with created this, this model of communication. And using, she was she was a single mom and she had, she had kids at home. So she, she, she made the model on some cardboard using cotton wool and some pens and some, you know, straws and stuff.

    And basically what she did was she had a field or, or like a pen full of sheep and then a gateway called meaning. And this idea that it's not about to-and-fro communication, but rather taking a group of people towards a shared sense of meaning. I think that's a better model or a better understanding of the communication.

    And oftentimes we think, well, I send out the email, I send out the information, I've given them the data, you know, communication done. Tick. And I don't think that's a really useful metric. I think a better metric is, is not just open rate, is, is, is comprehension rate. You know, have, have they understood what's, what's being required and have I chosen the best tool or the best medium to communicate to them with?

    Garrett O'Hara: And is there something there, like just to kind of go a little further in that, more ends, you know, measuring kind of comprehension, but also behaviours like watching, what does that actually translate to in a business? You know, are, are you seeing people do the wrong thing day to day, you know?

    Dan Gregory: I think that's actually a really good, good pickup though there Garrett. You're right. It isn't just about communication. It is about behaviour.

    Garrett O'Hara: Yeah.

    Dan Gregory: And if you think about one of the things, one of the things we do in, in, in business and in life in general is we tend to rely very heavily on things like motivation and discipline, you know, whatever change, whether I wanna exercise, whether I wanna be, you know spend more time with my kids, whether I wanna, you know, be more motivated at work. We tend to rely on, you know, motivation discipline either, either gearing ourselves up or beating ourselves up. And both of them are good strategies, but they're short term strategies. Like no one is motivated all the time, no one is disciplined in every area of their life and it always breaks down.

    And what we've found is that behavioural design works better than discipline. In other words, if you can design a system that has a bias towards success and just as critically a bias away from failure, success is more likely to show up. So if you look for, you know, what are the behavioural breakage points in a process? And think, “Okay. Well, how can I ameliorate that? How can I, how can I create a human nature hack that disrupts that, that failure point and actually creates an or engineers that bias towards success?” That's a more useful way of thinking rather than saying, “Well, my people never do that.” Well, if they never do it, then there's clearly a problem in the design. So, so what can you do to, to, to shift that, that at a behavioural level?

    And the other thing is we tend to think that behaviour follows engagement. In other words, if I engage you enough, you'll behave the right way, but it actually works the other way as well. It's like an equation. Behaviour actually leads engagement. So if you, if you allow people to perform more effectively, they start to think, “Well, I'm good at this.” And their engagement levels go up. So it's a virtuous circle. You actually need to work both sides of the equation.

    Garrett O'Hara: Yep. No, I definitely get that. You, there's something you, you mentioned there around kind of design being better than motivation or discipline. I definitely agree with that. The, there's a thing that we've been talking about in our industry a little bit more and more recently, which is around the, the value of context. And I feel like that context feeds into design.

    So it's, you know, an example might be somebody goes to do something. And based on the context of the action, they're about to take you know, using a technology or a platform, there's a contextual message rather than just a generic you know, please don't do that or that's dangerous, but you know, something much more contextual with the idea that you're, you're sort of driving them towards good behaviour. For you, any thoughts on like the value of context in design when it comes to that kind of pushing, you know, the biases towards success?

    Dan Gregory: Yeah. Yeah. It's hugely important. It's actually backed up by psychological science. So we used to think that, that people did the right thing or people were good people because of their character, right? And then there was a group of, of psychological scientists called the situationists who basically looked at creating situations where they tested what made people do the right thing.

    So this is, they're quite famous experiments. There's this Zimbardo experiment from Stanford University called the Stanford prison experiment where it took a group of students and some were made guards and some were made prisoners. And another one is the Milgram experiment, which is that quite famous, the electric shock, where, where, you know, the subject was told to give someone else an electric shock, they were an actor, but they actually [laughs] kept dialing up the shock until the person was actually unconscious, right?

    Now what those two things told us was really nice, good people and in fact, people who were very likely to obey instructions within about, you know, a matter of hours, they were essentially became, becoming Nazis, you know. They were behaving in an incredibly immoral and amoral way. And, and so that was a real, real shift in... I mean, the interesting thing is they, they always bring those two things up as as ethically kind of sketchy-

    Garrett O'Hara: Yeah.

    Dan Gregory: ... psychological experiments, but they're the most [laughs] quoted psychological experiments in the entire field. So clearly, you know, the best, the best experiments are actually a little bit ethically dodgy, but what they showed was the context mattered enormously.

    Garrett O'Hara: Yeah.

    Dan Gregory: You know, it wasn't just a matter of character. These, you know, they took, so for instance, the Stanford prison experiment, they were highly educated Californian. So very liberal, progressive, you know, students, probably from reasonably well off, you know, if they're studying at Stanford, you know, they, they've gotta be able to pay the college fees.

    So probably well educated, reasonably well off, from good families and yet they had to shut the experiment down because it degenerated so quickly. And the guards became so preoccupied by their own sense of power and the, and the, and the, the ones who were, who were the prisoners became so demoralised and shut down by the experiment that it was, it was absolutely extraordinary. It shocked everyone. And it's, it's what we, what it taught us was context is much, at least as important as character in determining whether we do the right thing or not.

    And, and I guess the, you know, the frightening part of that is, is we tend to think, oh freedom and, and freedom of thought is a really good thing. And it is however, it's very easily corrupted and we are very easily swayed by the context that we're in. And it's why, you know, mob mentality becomes so problematic so quickly. So if you go to a football game or something and, and something breaks out, you know, that would degenerate really quickly because it, because of the context that people are in.

    Garrett O'Hara: So at, at some level you, what you're, what you would be trying to do in an organisation is create a good mob mentality, right? So like, that seems like a much more difficult thing than, than, and this is probably the point you were making a little bit earlier, sending an email or doing the easy, you know, air quotes, communication, but it doesn't really change anything. Any, any thoughts on like how long that can take? Any other things you can do to create that good sort of social norms, mob mentality, whatever you might wanna call it within an organisation?

    Dan Gregory: I think it's about environmental design as well. So environment, you know, if you're asking if human environment is a part of context then it's. You know, if you look at experiments like in New York, they did the funny enough, I think it was under Rudy Giuliani who's, who's sort of a dubious fame now, but at the time they did, they had a zero tolerance on trains leaving the station with graffiti on them. So they had a zero tolerance on, on minor crime.

    And what they found was, you know, the trains being cleaner and the rubbish being collected actually had a change on, on behaviour. Like the crime dropped because small things were picked up. So I think that's really a really useful live study, you know, not just an experiment. That, you know, that, that tested the way human beings behave. So if you can create an environment of responsibility that becomes really important. Now, now it's getting the balance right.

    There's there's another another scientist Sidney Dekker, who, who does a whole lot of stuff on, on safety and, and what's the right amount of safety? And one of the things that he's found is that if, if you make the environment too safe injuries go through the roof, but deaths decline. And if you make it not safe, deaths go up and injuries decline. And what he's found is if you make things too safe, people's awareness drops.

    Garrett O'Hara: Okay.

    Dan Gregory: So they become less-

    Garrett O'Hara: Sure.

    Dan Gregory: ... careful about what they're doing. Now, now, [laughs] you might say, “Well, you know, injury is worse than death.” But these are serious injuries. So-

    Garrett O'Hara: Yeah.

    Dan Gregory: ... so there's, there's kind of striking this, this correct balance. I mean, it re- it reminds me of there's an Australian comedian, Steve Hughes, who d- who, who who used to, who used to do a bit about, you know, having too much safety in society and, you know, it's a nanny state. And he said, you go to Amsterdam, you know, you're walking past the canal, there's no railings, they're just like, “Mate, is your bike wet?” “Yeah.” “Well, you're on the wrong bit.” And so [laughs] I think there's that there's, it's striking the balance right so that you get the right amount of situational awareness with enough design and environment focused on, on generating the, the correct result.

    But, but environment is, is, is one of the most influential parts of, of, of success. And, and in fact, you know, if you wanna find you know, the highest number of self-made billionaires, you go to a really rich country and you go to a suburb where there's lots of private school educated kids who've, who've had access to university and we go, “Well, you know, were they just better and brighter than the poor kids?” Well, no, they were just in an environment that, that supported and encouraged them, and pointed them in that direction, so.

    Garrett O'Hara: Yeah.

    Dan Gregory: You know, we like to say we're self-made, but we are very much the product of our environment.

    Garrett O'Hara: Yep. You, you're preaching to the converted in that one. A little, little bit of a pivot here. There's a guy called Bruce Schneier, who you may be aware of. He's sort of a speaker in our industry kind of fairly well respected guy. He's been around for kind of decades now. And he's got this quote around trust. So, you know, he says, you can't, you can't trust anyone, but you're forced to trust everyone. And he's obviously talking more at a technology level. You know, our company talks to your company and we connect digitally and, you know, we're kind of forced to do that in today's kind of commercial environment.

    Now, trust at a human level, I know is something that you have talked about and then certainly talked about in a couple of weeks ago in the, the talk you gave at the Connect event. Does, I'm guessing there's overlap there, right? This, this human trust and how that impacts cybersecurity and then there's also the technology kind of overlay to that. How have you seen human trust change over the years? And then, you know, maybe a follow up question to that is like, how does, how does that actually impact in cybersecurity?

    Dan Gregory: That's that's a really good question actually. I think it, some of it hasn't changed at all. Some of it is still very, very basic and, and, and almost primitive in terms of how we build trust. However, there's been a trust decay in recent years, so we've become less trusting of authority. I mean, interestingly Australians on the whole are more trusting than say other cultures, you know, you know, considering the European beginning of Australia was, you know, a bunch of convicts on a, on a ship. You would think trust would be quite low in this country, but it's actually, trust for authority is actually quite high.

    However, what we've seen is, is sort of a democratisation of information as well, not just of leadership where I've now got access to information I couldn't get access to before. I can now see further inside organisations than ever before. So we've got a situation where large organisations are being found out, you know, committing corporate crime. We, you know, all of a sudden now our, our politicians are being found guilty of sexual assault and, and corruption. The religious organisations, you know, have been found out to be supporting terrorists or, or abusing children. We've got you know, the big banks, you know, so all of these big pillars of society-

    Garrett O'Hara: Yeah.

    Dan Gregory: ... have, we've sort of gone, “Okay. Well, it turns out they're not who we thought they were.” And so this, this level of trust has, has really decayed. And then we have what Eli Pariser calls, the filter bubble, where, where social media and, and search engines have an algorithm that feed our own opinion back to us.

    Garrett O'Hara: Mm-hmm.

    Dan Gregory: So that actually amplifies the, the, the Dunning-Kruger effect. So the Dunning-Kruger effect is basically most, you know, a lot of people are so stupid that, they're too stupid to realise how stupid they are, but it also works the other way. It means that if, if I'm not particularly bright and I get proof that my position is right, I'm not smart enough to know that that proof is, is probably biased and not very co- cohesive and I actually think I'm smarter than I am.

    Garrett O'Hara: Yeah.

    Dan Gregory: So we have this, this decrease in, in trust and sort of this an inflated sense of correctness or rightness, and, and that becomes problematic as well. However, the, the basics of trust in terms of, if you have a look at why gossip evolved in, in, in human society. So gossip evolved as a way of building trust. So, so I share an intimacy with you guys, you share an intimacy with me. Now we've got something on each other, so trust ensues.

    Garrett O'Hara: Mm-hmm.

    Dan Gregory: So that's why a leader or, or, or, or someone who can be vulnerable and share an intimacy or share a failing is more likely to engender trust. So if I share something that's an inconvenient truth and you go, “Wow, if Dan's telling the truth about that, why would he lie about something else?”

    Garrett O'Hara: Mm-hmm.

    Dan Gregory: So it has to be you, you have to be truthful or honest beyond expectations and then trust. So that's a very, that's a very primitive human way that trust develops. And it's also one of the reasons why we've seen trust sort of go down in the, in our political process because there's so much political spin and so much trying to look good. Whereas in fact, our willingness to have a [inaudible 00:24:17] and say, I was wrong. I did the wrong thing. That's actually more engaging from at a human point of view.

    Garrett O'Hara: And, and how do you think politicians don't get that? 'Cause it seems really like grating for many people I'm sure when they, they, they sort of realise it's all spin and you can't get a straight answer from politicians, I would say sometimes corporate leaders too, are, are guilty of that. That, you know, big tech will tend to spin, you know, their, their value they're providing to the world.

    It feels like we all, we all sort of fundamentally get that 'cause like, I totally agree when, when people are vulnerable and honest, I think you can tell, right? There's there's an auth- I mean, not to sound like Brene Brown, but there's an authenticity there. [laughs] Like there's a thing you can feel as a human being and it's very powerful, but it feels like people don't tap into that.

    Dan Gregory: No. Well look, and I think it's, one of the problems with the political classes is, is it's exactly that, you know. It's kind of whether they're from the left or the right. It's okay, well, which, which single sex pub private school did you go to?

    Garrett O'Hara: Yeah.

    Dan Gregory: You know, you know, and it's whether they're on the left or the right and it's the same, it, it's, it's, it's the same around the world. You know, we see this typical kind of person occupying both sides of the major parties. Even though you get some outliers in some of the, some of the minor parties, but they're, you know, and I've met a lot of the political classes, I've met, you know, a few of former prime minister, well, and sitting prime ministers in this country. And you, it's almost, you know, you get slightly different policies, but it's almost all in the same tone of voice.

    And so I don't think you get a lot of lot of diversity and I mean, I mean, diversity in the real sense. It's, one of the, one of the problems with, with diversity is it's very much treated as you know, a corporate box to be ticked, you know, "Well, you know, we, we hired a couple of foreigners and some women, so box ticked. We, we, we are heaps to this." Well, yeah, that's good, but that's not real diversity. Real diversity is, is a diversity of cognitive styles.

    You know, oftentimes I'll meet, I'll meet a leadership team and they'll say they're diverse. And it's, they're all saying the same thing just with different accents in different vocal pitches. So it's not, you know, they're not actually thinking in, in a very different way. So I think that we are very tokenistic in our search for diversity and I think that's, that's a real problem.

    You know, there's, there's a whole raft of studies that tell us the more diverse the team is and the more openly they debate different points of view, the higher the collective IQ. So diversity is actually, it shouldn't be seen of as a corporate social responsibility thing. It should be seen as as a risk mitigation and a bottom line protector. But we tend to think of it, "Oh, it's the right thing to do." As opposed to being the smart thing to do. And I think that's, I think that can be a problem as well.

    Garrett O'Hara: Is there, is there something there touching on trust and diversity, because I think one of the things I understand if, if you know, correctly or incorrectly is that a lot of xenophobia racism comes from fear and a lack of trust. So, you know, fundamentally those two things have to exist in an organisation together. You can't, you presumably couldn't really have truly true diversity of thinking or even gender origin, ethnicity, any of that stuff, would they trust at some level or a level of confidence in the organisation and the people?

    Dan Gregory: Yeah. And look, I think, but, but again, you know, I, we, we tend to think of ourselves as incredibly highly evolved and we're really not.

    Garrett O'Hara: Yeah.

    Dan Gregory: You know, if you have a look at, you know, in this country, indigenous Australians got the vote, got the vote in the 1960s, you know, the decade I was born in, but women got the vote in this country, you know, a hundred years ago. Well, that's one old lady's lifetime, you know, and universal suffrage was only about 50 or 60 years before that. So, you know, even men didn't have a right to, you know, all men didn't have a right to vote 200 years ago. So this is very, very recent history that we've let, we've let anyone other than the ruling classes have a voice.

    And, and we tend to think that we're, we're incredibly evolved, but we're all making very primitive decisions. And the truth is, you know, xenophobia and racism is actually based in our, in our, the most primitive part of our brain. It's a survival brain. You know, 300 years ago, if someone showed up, you know, in a boat on your, on your shores, you know, they weren't there for tourism.

    Garrett O'Hara: Yeah.

    Dan Gregory: You know, it, you know, it's, you know, he's called William the Conqueror, not William they're just here for the tourism and the backpacking, you know. The, the fact is most of our history [laughs] is violent conflict-based. And, you know, and we were, it was actually quite sensible to have a reasonable amount of suspicion who, of someone who came from somewhere else who looked different, who spoke different.

    Now, the problem is, is we are running pre-20th century software in a 21st century world, you know, and our brains are still wired for that. You know, it's why, you know, if you have a look at some of the, the, the responses around fear, people experience fear of speaking up in a meeting at work the same way they experience fear in the wild when an animal's attacking. Now, that's not, you know, that's not a situation that, that actually requires that level of response, but we're still running that, you know, as I said, pre-20th century software. And the same thing happens at a human level.

    However, again, the, the, this, this idea that if you align value with values, your value with their values, it's, it's exactly the same for, for how you diminish xenophobia and diminish racism. And if you have a look at, you know, particularly if you have a look at the Greek and Italian community, say in Australia from say the 1950s to today, what they did very successfully was use humour to to reduce the barriers or, or the, the, the mistrust that was between different communities. So, you know, I, I remember when I was when I was a kid, there were certain words that you would never say, 'cause they were considered, you know, incredibly racist.

    Garrett O'Hara: Yeah.

    Dan Gregory: However a lot of that's been sort of diminished by that community taking ownership of it, of some of those words and, and, and, and changing the meaning. And, and the other thing was they demonstrated how much more we had in common versus how much we had that wasn't in common. And I think that that's part of the way we build trust is, is if you, if someone sees that you have a common a common sense of value, that's, that's what you can build alignment around.

    And I think the other thing that's, that's part of that is if, if you, you, you get to build trust by fighting on behalf of a community for which you, you don't have a vested interest. So, so I'll give you example of that. We I, I study a lot of work on preventing men's violence against women. And what was interesting was I would get less pushback from commentators than say a woman making the same argument might. And the reason was a woman arguing against violence against women obviously has the vested interest, but for me, I didn't have a vested interest.

    And even though we're making exactly the same point, there's a psychological effect where if I'm arguing for something that I don't have a personal win, and now obviously I do. I have a personal win in whether we live in a safe society, but at a psychological level there's that, there's that thinking, well, if you are arguing for something that you don't have a vested interest in, that's one way that you can build trust. And that might be at a commercial level as well. If you think about John Symond, when Aussie Home Loans launched in the marketplace. Now, obviously he was building his business, but he was seen as having a fight on behalf of, of home mortgage owners against the big banks.

    Garrett O'Hara: Mm-hmm.

    Dan Gregory: So he was fighting on behalf of someone other than himself. So that's another way that, you know, we, we build trust at a social and at a community level as well.

    Garrett O'Hara: Yep. Fascinating. Yeah, the- there's so much there. I think we're, we're, we're about to run, [laughs] run out of time unfortunately. We've got maybe one more question and I'll be honest with you. I was in two minds whether to include this one 'cause it feels a little bit a little bit sort of touchy, but you know, we were in this age of participation medals and, you know, everyone kind of gets the pat on the back for doing everything it seems like.

    And one of the things that you've called out and, and that you talk about is this sort of idea that there is a very large variance in the, the intelligence levels of people. And you make the point that, you know, 50% of Australians are below average intelligence, [laughs] which I think many people will chuckle at and, and worry about. But it has a really important it's, I think it's an important part of this conversation, but it feels like maybe we shouldn't really have 'cause it will play into how decisions get made in the moment, whether you're, somebody is potentially intelligent or not.

    And it, it's a real minefield in, in a workplace environment as you can well imagine, right? It's one of those things that you just, you sort of don't really get to talk about. You know, as, as a sort of final piece of commentary, like what, what are the ways that security leaders or leadership in general can tackle? Like how people make good decisions if they're just somebody who's not maybe wired that way?

    Dan Gregory: Yeah. Well, my, Kieran and I, my business partner, Kieran and I read a book in 2014 called Selfish, Scared and Stupid, which was about the fact that our survival brain, the most primitive part of our brain makes all of our initial decisions. And it's, it's required to. It's what keeps us alive. And at the time people said, "Oh, that's a bit cynical, isn't it?" And then, you know, 2020 happened and the pandemic and then people went, "Oh yeah, you should really re- release that book could actually make sense now."

    But I think it's, it's, it's not so much that people are unnecessarily stupid, although huge amounts of them are clearly but it's actually, you know, and, and again you know, I'm, I'm sort of paraphrasing George Carlin, you know, the famous American comedian who said, think about how dumb the average person is and then remember half of them are dumber than that. But again, that's based on the standardized mean. If you actually, if you're actually look at a pre standardized median or the pre standardized mode, it's actually worse than 50%, but let's not get into the statistics of it.

    What, what I'm really getting at is we tend to have an optimism bias. In other words, we tend to design our systems for our best people on our, on their best stuff. And even our best people have a terrible day. They have a sick child at home, or they have a fight with their spouse in the morning or, or they're just not feeling particularly well. So even our best people have an off day. So I think what we need to do is to engineer with failure in mind, you know, engineer our systems, understanding that breakage will happen.

    And I think a good example of that is, I was in I was in Thailand a number of years ago with Richard de Crespigny, who's the pilot who landed QF32. And it was the first time he'd ever given a speech. And what was really interesting was, is, is Richard was very very humble about what he did. And he did, what he did was actually really heroic. And, and again, that's another example of trust. Like he over-communicated. He shared more information, more, more constantly and more consistently than anyone had done before. And they've actually changed emergency protocols for pilots now as a result.

    But the thing that was really interesting was he said, the plane refused to fall out, refused to fall out of the sky. In other words, there was so much engineering that so much went wrong and yet it still stayed in the air. Like, you know, it wasn't one thing went wrong, lots of things went wrong.

    Garrett O'Hara: Yeah.

    Dan Gregory: And yet most of us design our systems with like a 1% or 2% error rate. And if we get 2% failure, it drops and it fails. And in my experience, that's not nearly enough, I think. So again, it's not, it's not necessarily about really judge- being really judgemental about people and saying they're stupid, although that is hilarious and fun. I think what it's really about is understanding that expecting peak perfection from everyone every day is probably an optimistic place to be. And actually we need to decide how do we design, design for reality? How do we design our systems so that even our worst employee can get the result that we need them to without having to change who they are fundamentally?

    Garrett O'Hara: A ph- a phenomenal part I think, to, to finish the conversation in 'cause I think you, we, we've struggled to change the people. So that clearly hasn't worked. So we need to, to kinda rethink how we do that. Dan, it's been an absolute pleasure to speak to you today. So, so grateful that you've taken the time to have a conversation. Yeah. Thank you so much.

    Dan Gregory: Pleasure, Garrett. Great to talk to you.

    Garrett O'Hara: Thanks so much to Dan for joining us and as always thank you for listening to The Get Cyber Resilient podcast. Jump into our back catalog of episodes and like, subscribe, and please do leave us a review. For now, stay safe and I look forward to catching you on the next episode.
