This Psychologist’s New Platform Focuses On The Human Behavior Aspect Of Cybersecurity

Nadine Michaelides brought her background in psychology to cybersecurity.


(Nadine Michaelides, founder and CEO, Anima People)

Nadine Michaelides is a psychologist and a technologist. She is also the founder and CEO of Anima People, a U.K.- and Sweden-based company that is “empowering intelligence-driven security for reducing counterproductive behaviour and helping to tackle insider threat,” according to its LinkedIn page.

Anima People just released a new platform, PsycSec, which approaches cybersecurity defense from a human behavioral perspective.

Michaelides spoke with MES Computing about her company’s new cybersecurity solution.

Tell us about your background and how Anima People and PsycSec came to fruition.

[I have a] degree in psychology [and am] bringing in my background in psychology into cybersecurity.

[We were] originally health care but we merged into cybersecurity. We had a lot of added value that we could give to the cybersecurity industry by focusing on psychological factors.

I ended up working in an international project with Swedish television ... a real-life crime documentary series, the equivalent is Panorama in the UK, and it was a cybersecurity project. It was all about surveillance and technology used by drug cartels and security services to monitor drugs being trafficked across the borders... I just realized through working so closely with cybersecurity organizations and involvement with Amnesty International [and other organizations] that are global, that this problem that we are addressing and how we're approaching the people factor was very relevant to cybersecurity as much as it was to health care.

Can you describe PsycSec?

Our offering is what we call ‘socio-technical’ and that wasn't a term that was started by me, actually that was a term that was started by a lady called Angela Sasse [Sasse is a psychologist, computer scientist and a professor of human-centered security at Ruhr University Bochum in Germany].

She is the founder of RISCS which is the Research Institute in Science of Cyber Security which is part of the National Cybersecurity Center in the U.K., which is part of GCHQ [Government Communications Headquarters].

Angela Sasse is my supervisor at University College of London, and essentially, what I've been working on over the last five years has been in collaboration with UCL, and my doctorate there [was] trying to formulate metrics that really get under the surface of human beings and human factors in security so that we can get this predictive and preventative intelligence which helps security teams.

When did you launch, and can you share details about the new platform?

Anima People launched back in 2005 as a behavioral consultancy, but we just launched our new platform called PsycSec ... a human risk management platform which also integrates inside organization threat monitoring. It’s a platform which is very much needed and in demand at the moment because there's a gap, the technological solutions and awareness space ... are all about training and building knowledge [they] have nothing to do with motivation, commitment, loyalty, trust, intentions ... [it’s] kind of an HR approach to security in gathering employee feedback.

[We use] AI to generate intel that security teams can use to better assist with their training and awareness initiatives.

PsycSec is our new SaaS b2b platform that is doing this insider threat monitoring. The intelligence gathering is done through psychometrics, training needs analysis, and data gathering. The AI analyzes that through NLP [natural language processing] and sentiment analysis to really try and get enriched data.

A lot of organizations are guilty of using self-reported questionnaires which can be tricked by employees, they can over optimize. If I was to ask you how are you feeling today, if you know the right answer is ‘good, great’ because that's what the security teams want to see, that's how you're going to answer.

By using scientifically validated psychometrics, we can provide real and enriched preventative data that they can use for their initiatives planning.

How does the platform work?

The platform hosts different surveys for different use cases. You might want to measure the impact of your awareness initiatives. You might want to do a campaign prior to Cybersecurity Month and post-Cybersecurity Month to measure if there's been a difference in behavior, or measure motivation toward security or it could be that you want to measure for security values at the recruitment and selection stage if you’re recruiting for security team members and you want to be sure that their values align with the organization's values.

There are lots of different metrics; it's not just psychometrics ... it's also training needs assessment ... where are the actual gaps in knowledge within the organization and insider threats.

The platform hosts surveys but avoids survey fatigue which can be a big problem for organizations -- not everyone has a lot of time to do remote surveys. We integrate with systems already available within an organization, that could be Teams, or Slack, or an HR portal. We can have this seamless and interactive conversation with employees.

You get an AI chatbot come up, ask you a question or two so it feels like it's part of your working day to gather how are you doing, are you doing well. It’s trying to have a positive conversation to gather positive feedback from employees as well as negative sentiments that could provide some data on insider threats which is currently data people don't have access to.

The real value of the IP is of course, the psychometrics itself, but it's also the human risks scoring algorithm ... something that we've had six data scientists work on for some time and that is about pulling data from different sources to create this holistic approach towards human risk rather than the current situation where you have organizations very much decide on a level of risk based on phishing simulations and compliance rates, which is a little bit superficial. It’s not really that representative. And compliance rates; all that really says is that they've completed some knowledge-based tests successfully. It doesn't say are they going to repeat those same behaviors or do they have the motivation for security. Do they have a commitment towards the organization? Are they going to be loyal?

Phishing simulations ... not that very worthwhile, valuable data because what we’ve seen in reality is that phishing simulations do not relate ... to other security behaviors ... there's no consistency there.

Does the platform focus on individuals within an organization?

It depends on the needs of the organization. It depends on privacy laws, the company's professional preferences, the regulations that they have in place. [PsycSec] has the capability to identify insider threat ... in terms of employment or throughout the terms of someone's employment, but equally, that can be anonymized or drilled down to fewer than 10 people.

What is the pricing model?

We have three different pricing levels. We have a free version – [then next level] in the U.S. would be $2 per user, per month, and then we have an enterprise level [which] is priced on application because that depends on what integration, what dev work needs to be incorporated.