Sign Indiana Banking Permission Slip Secure

Industry sign banking indiana permission slip secure

good evening everybody welcome to another indiana university south bend pop-up university with our friends at lang lab here on the internet uh because at the moment we can't be at lang lab but uh of course we're looking forward hopefully to the fall when we can uh be back together again for some exciting on stage action uh but in the meanwhile we have a terrific uh online presentation for you tonight uh with our cup with our colleague uh professor moe marie of decision sciences at iu south bend before we get started i just want to tell you a little bit about the presentations tonight pop-up university is a is an event put on by the uh iu south bend office of community engagement uh and the iu south bend center for excellence in research and scholarship uh if you're interested in learning more about how your organization business or community group uh could liaise with iu south bend uh with for uh student activities interns or other or other activities uh please contact dr gail mcguire director of the community engagement office or if you're interested in learning more about the expertise of faculty and the ways in which in the ways in which they may intersect your interests please feel free to get a hold of me josh wells at series we're of course extremely grateful to our sponsors indiana humanities the iu bicentennial office the the college of liberal arts and sciences academic affairs and a great many other departments and organizations through campus thank you all for your support so tonight it is my pleasure to present to you uh what uh what one of our campuses most engaging and energetic speakers uh professor mohamed marie from decision sciences he's also the department he's also department chair of decision sciences at the judd leighton school of business and economics at iusb professor mari comes to comes to us from the university of texas pan-american and emporia state university where he received his graduate education and he's been recognized on numerous occasions as one of our campuses most engaging educators winning numerous awards for both online education which makes him a a favorite in the current environment uh and for and for his use of technology in uh in data-driven cli in data-driven classes on analytics and business business security and intelligence he's been published in many leading journals including computers in human behavior the journal of global information management and computers and education he's received numerous grants for his research through through indiana university and other outlets and he's here to talk to us about uh his about his recent research in security in security and uh and uh the way in which we live our lives now online uh pl i know we uh we can't hear it through the speakers but i know right now we're all giving a big round of applause to professor mary uh mo i'm gonna stop my screen share now thank you josh thank you thank you everyone for uh for coming here and joining us tonight uh in this lecture it's my pleasure to be here presenting to you and talk about one of the most critical topics that we hear about today a topic that i love a topic that i've been working with since i was a graduate student in my phd i was working on which is on information system security my doctoral dissertation was on on that topic i came here to iu south bend i developed a course and i thought the course on this subject and this is what i also do and i've published many research on on this topic so i welcome you all here um thanks again for joining us and let's go to our presentation here so we're talking tonight about information system security and we're going to see from uh starting by what is it why do we have it going uh into the its effect on people and businesses and we're going into the employees response to security uh information system security policies but before i start here the way i teach my classes i know we're not here in a class but the way i teach i i prefer engagement and this is my colleague josh mentioned about the awards that i want because i use active learning strategies and all this so before i start i want to take a moment please here uh read this scenario and i wanted to respond to this so what we have here we have tom who's working a company and he's put into a situation so we need to see if you were tom how do you read to this situation so i'm going to give you a few minutes please read here this paragraph and write in the chat so what do you do if you were tom do you do the same or you behave differently or you make different decisions etc uh for sure as elizabeth you can do that if you want i hope everybody is seeing the responses everybody here is seeing the the responses that we're getting you're not seeing the responses okay yeah so if you can just respond to all panels and attendees because right now you're just sending two panels so what i have here i have uh uh i'll probably do what tom did i would not give my password sorry linda no password in truth i would give linda the password i do not give the password to linda because i may risk being fired for violating company security policy i would not we are not seeing the responses okay would he be able to use a vpn to get into his desktop this is what we have right now so we have this situation we're not talking about vpn we're not talking about any any more details besides what we have i would probably remind the project manager of the password rule and tell them to wait or get permission from higher ups actually perhaps there's some other way for tom to access remotely and share it with their insured file okay thank you thank you for all these responses we're coming back to these responses in a bit so um for now let's move and and see what is information system security and why do we have it so as we know nowadays technology is in everything in our life all of us we have computers all of us we have cell phones all of us we are majority of us are on social media from facebook twitter linkedin etc etc right now this current where we are right now we're using uh uh zoom to conduct this seminar instead of meeting face to face we're using this video conference so we're using technology and technology is impacting us in everything what caused it because life is changing computers are becoming faster cheaper cloud computing data analytics everybody's talking about data analytics everybody is interesting in data organizations are accumulating tons and tons of data in in their databases and in their data warehouses and this is the main thing that it's impacting us as technology is impacting us and impacting the uh organizations at our personal life it's impacting our us and personally socially professionally nowadays if you want to buy anything you just go online amazon or you go best buy you go any tour any website so we buy before you travel to chicago for instance you need to go and check the weather so you're not waiting to go on on tv and wait for the news to check it to just go and check it online on your phone you want to use gps you've never been so this is how internet of things is impacting us uh to go same for so here are different things that is impacting us as technology is impact us from health monitoring to online calendar to home security to appliances in in home to garage you can open your garage you can close your garage you have cameras etc brands so all of these are internet of things and these are technological uh innovative innovations that are impacting our organization for businesses they have to adapt they have to change because consumers are changing they are always demanding and they have to move they have to move to virtual stores we know many of the retail stores now are closing because everything is going online everything is virtual uh we have more remote sensors etc and with that move organization there want to move and they have also to have a strategy without having strategies for this move starting from how they're going to behave how they're going to deliver how they're going to hold the data how they're going to save the data how they're going to interact with their customers so they have to have some strategies in order to solve these potential problems that might occur and we're going to talk about different problems so moving now to what's interest for us here is the information system security but before i move to information security i want to talk about the information systems what is it so it is the hardware software data people and processes so we use machines we use technology from hardware and software to collect and process data using people's intelligence in order to make decisions in organizations so now if we apply this same definition to security we can apply it exactly but now with the purpose of not only getting data but now we need for the focus on the data but now we're focusing on how should we store this data and how should we uh preserve it and save it so it doesn't get leaked okay so what are we going what are trying to save at the personal level you're trying to save your own personal information your personal identification from name to address social security probably credit cards etc for organizations you have they need they are caring about what i listed for for us as individuals they're talking about customers data they talk about the network infrastructure intellectual property because every organization has some intellectual property financial data service availability and their reputation they won't they don't want to be on the news to say x company lost so many thousands of records for employees and they will be that which will impact uh their reputation and their image in the um in the market so is it important is information security important absolutely is important because companies they have to hold into these data that give them that competitive advantage over other organizations and there are some laws that mandate that and the every day we hear in a bit we're going to see a few examples of data breaches that happen just recently in january of 2021 so in a month there's at least 12 incidents these are 12 incidents that we know about where thousands of records were lost just because of uh technology or because of a human uh behavior that are caused that caused these security breaches so i mentioned here that we have some uh laws that mandate this and so these are some u.s compliance laws for us in the universe we have ferpa because we are under the education so for healthcare industry they have their own bank government corporation each discipline each sector has uh their own laws that mandate organizations to protect the privacy and to protect the data they have about consumers or about patients about stakeholders they have in their organizations so if you heard me i talked a lot about data and i talked about information i mentioned these two words a lot i know we're not here to take any lecture english lecture forgive me for that but uh i hear many people they use these two words uh interchangeably and so i want to ask you guys and see what do we have so data and information are these two words are they the same do data and information have the same meaning i wanted to write in the chat and tell us are they the same are data and information the same if yes yes if no why and how so we heard from stephanie and hold the prize dean fisher sean fisher not exactly i like stephanie's answer so stephanie said data is the raw form of information it must be analyzed to become information no data is raw numbers with no read meaning information is when you look at data and derive meaning from it not exactly i like said any answer data are just facts information is organized that's good so at least here i have in our crowd here that we all it seems we all agree that data and information are not the same which is correct data and information are not the same data are the raw material that we have we have to process it in order to get information so for instance if we talk about stock prices we get all these different numbers per day going up and down so if you look at the numbers if i just look at the numbers it will not make sense i can process for instance but in a graph line chart or if i have pie chart if different scenarios and then i can see is it going up is it going down is it going up and down so i transform the data the raw material that i can't see into actual information that i make sense of it the second question is now the data is it singular or plural do i say data is or data are what do you think data r lisa data r do you all agree data r what the singer if if data are plural what's the singular tanks both so datum is singular data r so again this is another word that i hear from maybe but they say data is so data it should be r and these are here data information because i teach students in mis management information systems we have information right and this i defined earlier and they teach analytics so we're dealing with data so the first thing i emphasize on my student is this fact here so now let's go back to our topic the data so data classification what are the kind of data we have in organization we have private data about people confidential these are the organization these are the secrets of the organizations we have internal use only and we have public domain data that can be shared with the uh with the public okay so now what are the tenants of information system security when we're talking about information system security what are the tenants so we have cia what's cia so it's not the intelligence agency that you know okay so cia you have three words we have confidentiality i have elizabeth yes datum data but i wonder at what point will webster dictionary will change this to it with common usage i don't know we need somebody to talk to webster dictionary okay so we have confidentiality we have integrity and we have availability so confidentiality we need to make sure that only people who should access the data they have access to the data integrity we have to make sure that the data are valid and corrupted and availability it means the system is up and running and people they can access their data at the same time so confidentiality we do this so for instance in your organization or talking about us uh in the in the university we have limited access to students information or to some department because we're not allowed if we if we we don't have any business with this data we should not get access to it uh integrity we need to make sure we don't have we don't give access for anybody to update or change or delete anything in the database availability we need the system to be up and running so on this availability we're talking about when here the system is down or the website is down this is when we talk about availability and for the information system security we'll talk about the data the server all the infrastructure they have to be up and and running all the time so with the security we talk when we're measuring information security and the uh implications of of a security bridge we're talking about three things this is how we assess it we have the risk we have the threat and the vulnerability the risk is the probability that something will happen to the data and the threat is anybody or any action that can compromise this data whereas the vulnerability any weakness that can harm harm the data and we're going to see more examples about this and explain what do you mean by this security breach what is it's an event that mess up with the cia any event that mess up with these three things that we have here the confidentiality integrity and availability so if the system goes down if anybody gets access to the data to delete to update to make any changes uh in the data or harm the hardware or the software or of the company so what are most common threads for um data and systems in organizations so we have here uh malicious software we've heard a lot about these such as virus world trojan horse roadkit spyware etc there are many many more uh we're not here in this lecture to talk about these hardware software failure internal attackers these are uh insiders inside the organization whether employees or users of the system equipment tab um it's clear d fined here external attackers these are the hackers um the black hat hackers and we have the natural disaster such as when you have uh hurricane when you have tornado etc terrorism and social engineering um social engineering do you guys know what social engineering social engineering anybody anybody can tell us what social engineering don't cheat don't google can you define what you mean definitely so social engineering is basically when somebody is trying to get information from you um over the phone so for instance they call you to say uh hey axe okay hey jennifer we're calling you from humor resource and we're updating our information can you give us uh your username so you give the username the second day or after few days they call you jennifer we have your username and we are trying to um make an update uh can you give us your uh a password or uh your email i want to get some information and send you so they'll send you this information and they can get like linda did to tom not exactly linda and tom these are two employees working together here in social engineering this is somebody from outside and they're trying to call you to get access or to get your personal information or critical information from you over the phone without letting you know um that they want to steal here and this particular problem with linda and tom both of them they were working together in the organization it's not considered to be a social engineer i talked before and i said i will share with you some um recent bleachers these are i just chose 6 out of 12 that happened in january of 2021 so we have these are three and in the next slide i'm going to show another three uh the first one vip vip games which is uh an online game so 23 million records were lost another one we have malware attack and they lost one 219 000 patient of nebraska medicine a hacker downloaded the uh bonobos man's clothing retailer and they lost 7 million customers elizabeth asked do all companies these days do the type of phishing test like iu does they do much more than what we do here in iu uh when i was in in texas ut has more strict and more training than this i will talk about this in a bit in in five minutes i will talk more about about this what organizations do and what other universities they do compared to us these are three other uh more recent data breaches so we're talking about one point million 2.28 million data 214 million data and the last one here uh one of them was it had some um uh credit card so on this one here we had partial credit card records for 700 million seven seven million customers so we see the impact of um data leakage in information security it's it's a critical for uh organizations and for uh employees or for us as customers and for government because here we're talking in general and then you can apply this to different entities starting from individual level to organizational to state to country to nation etc so but now when we're talking about security what do you think is the biggest issue to organizations when dealing with information security is it internal or external is it technical or non-technical what do you think i mentioned all of what i mentioned so far to talk about the impact i talk about the different attacks from malicious software from so so we have external post-it notes internal internal internal internal the answer is internal and thanks to erica so erica i mentioned post-it notes okay so post-note is one of the main things that happen in organizations uh what we mean by uh post post notes is people they tend to write their username or password and they put it on post node and then they will put it on on the computer so the biggest issue for organizations is more the insiders or the employees inside from employees or the social engineering these are the two most critical then these are the nightmare more than the technical because in technical they have the it department nice one josh so you hide it under your phone um so here um organization they have the it department and the i.t department is working on protecting and having the right software and the right hardware to protect the organizations but and they are seeing the attack they're seeing the enemy coming from outside but when you have the enemy inside your home this is the problem because you can't predict and you don't know how and when and what's happening i'm going to give you a few examples now of violating the uh security uh policy in organizations or causing some problems so i will start with university first since we are in university and work university so a faculty member takes student grades home on a regular usb drive so this violates the ferpa i talked earlier about ferpa verb which is the uh um law for uh for privacy law for students so this this here if you take it on regular esp and i'm saying regular asp because we have the regular asp that we have and there's the uh encrypted usb where you can use the incredible usb to encrypt the data and then it becomes safer to use it later on here's another example so we have an employee makes a mistake indirect deposit office one emails the account number and deposit amount to office to let's say i'm working with my colleague and i want to make a payment i send the information i send the wrong information so this is not right to do so account numbers ids password should not be sent through emails same thing i always i always remind my colleagues you know when students in the university they ask us about the grade what is my grade what did i get on this and we tend to send oh you got an a you got seven three you got 99 whatever this shouldn't happen you should not send any of this information in an email what if your email gets hacked so now we come back to our friend tom so this tom is working with linda and their work on this and when they ask you about this some of you said yes definitely he should give the information to linda others said well there are ways to do it they can share and others i believe they said no way i can't do it and i believe i guess dean fisher who said i will violate i will violate the security policy which was the correct answer so and this way no matter what no matter who the person asking for for the your personal information this should not be shared with anybody in our organizations based on the information security policy that these organizations have in in place so to avoid and to deal with these employees behavior and with the insiders organizations they implement these security policies this security policy the role of the security policy is to protect the data from insiders to harm and because any harm for uh these data i shared with you here some hypothetical this was a hypothetical case this hypothetical case and this hypothetical case now i'm gonna show you some actual example where employees did it so look at this case in south carolina an employee email sensitive information to their unauthorized accounts guess what so the email was hacked 22 600 medicaid id and social security numbers were stolen we all know what happened when social security numbers are stolen another case personal information of 780 000 medicaid patient and recipient of children health insurance were stolen in 2018. so again what happened a hacker was able to break one employee's password when organizations ask us to change so now i go back to i guess elizabeth asked me do other organizations do this kind of thing that we do here i've been here at iu now for seven years uh i know this is recorded josh i wish if you can stop this recording now so in seven years um i was only asked once to change my password now with this is this the correct thing to do should we have this the answer is definitely no when i was in ut i had to change my password every six months this is just one example and i'm talking about just a university when you go to private sector organization each organization has different type of policy this should be the one of the past when i said organizations they come up with security policies to solve such a problem so you're not allowed to put the sticky note that we said where you have your username and password you must change your password your password have to be 15 let's say character you need to have capital and lower you need to have uh special symbols etc so the all of these the combination of all of these these are um to make the password harder and to make it harder for hackers and to make it harder for technology to solve this is why employees are harder than technology because there are technology that work to find out and find the the password but the harder the password the harder it becomes for the technology to uh break in and find the um the password so other threats from employees these are other steps lack of awareness many employees and organizations they're not aware whether they have security policy in organization or not this is based on my research that i found so i go to big organizations and organ and when you ask employees about security policy said huh do we have security policy in our organization what's that so um some of them they just want to violate they don't care whatever the security policy says i don't care i am living whatever i want to live this is how i'm used to um getting data as we talk about downloading photos uh using facebook using all the social media in their on their machine and they're bringing in their own device uh i didn't talk here about the byod which is the bring your own device to organizations many organizations uh they don't allow this or they have some if you remember at the top at the very beginning of my lecture i was talking about having strategic organizations so they have strategies they have some policies for this if you're bringing in your um your cell phone if you want to use your cell phone on on our network you have to use it and you have to follow our policies to use it if you don't you can choose your uh phone you can use your tablet you can't use any of your technology you have okay and some they do it just for sabotage and they want just to disrupt organization so to solve it again so i talked about this before so to solve the user's threat the insiders threats they employees behavior in organizations so we use information security policies and information security plans to solve this problem so what are security policies so there's a framework for the security policy in organization first we talk about the policy each policy we have standard we have procedures and we have guidelines definitely not elizabeth asked she said apparently you can't use beef stew as a password it's a struggle now so um you can you can you can't use it it's uh it's simple but uh i hope it's not your uh it's not your password so for in in organizing we have policies so policies for different things starting from emails how should you write emails how to send emails uh to using vpn somebody mentioned vpn uh to using uh flash drive for so for each one we have different standards and we have different procedures how should you do it you can't blindly tell let's say employees you need to use vpn first you need to explain to them what's vpn virtual okay um the virtual private network and you need to explain to tell them how should you use it and when to use it etc and then you need to give them the uh the guidelines um same thing on using uh social media you need to tell them hey you're not allowed to use social media because if you're using social media there are etc so the consequences of having this now we come to users reactions i'm working in my organization i'm used such to use simple password i write beef stew i write uh corned beef i write or whatever this simple stuff right or i use a sticky note or other i uh send a report financial report i sent to the printer the printer is not in my office we have an office common office for a different printer i print it and then i'm sitting here and then i go to pick them up after 30 minutes so a customer who's passing by finds this and then take that and go that's why employees are harder to manage than the technology so moving away from desktop without locking the screen so anybody with a usb drive now external drive or um or hard drive they can just copy paste or just get in the system and they can get all the data that they need from the system that's why employees are um are hard too so when when organizations implement these systems these systems are going to change the way uh things are done all the processes and organization they have to to be changed and we as as human beings we prefer the status quo we don't like the change so for this reason first they hate them they resist and they do not comply these are the three things that happen when security policies are implemented on organizations so what do they do what do organizations do they have different approach from awareness to training to creating security culture to management support to impose management to surveillance etcetera etcetera awareness my organization they go and they run the uh training so for us here in in iu we do some training um other universities they have more sessions of training for their faculty and for their employees and for their students who work they have to take tests and they have to score a certain level on the test to pass the test failure of doing that it will lead to not getting paid at the end of the month so it is it is serious in organization the same thing they do the training training goes from blogs into sending newsletter into attending webinar or attending some videos where you sit down and watch similar to what we do at you i'm not sure probably we have some attendees here or not from the university and attending i'm not sure what kind of things they do at their organization it depends on the size of the organization it depends on the industry of the organization they do the the training top management support it has to be serious this is one of the things that i investigated in my research um similar to any project that's been done in an organization if the top management they don't walk the talk it will not whatever you're doing you're going to fade in that project so they have yet they have to show uh ceos cios or the c levels uh all supervisors they have to show that we're serious about these security policy in our organizations and they have to follow and use whatever they're trying they're trying to do organization they impose punishment also the punishment goes from just oral or written letters um to um all the way to being fired from organization i know many organizations they fire their employees if they don't follow the security points again this depends on how large is the organization and it depends on the industry surveillance also organization they use surveillance in terms of software or cameras to see what organization they're behaving so in all of these there are advantages and there are disadvantages from privacy your work and your your work in in in a culture you don't want to have um anybody watching you etc etc but this is fact i'm citing here facts what organizations do in in in their uh workplaces turn up what did i uh find in my research so i said i've been researching this topic for at least now 9 years 10 years so what did i find i found that top management support is important it is a critical with if employees in organization they don't feel that the management the top management is supporting is serious about this they don't care think about yourself and think about the situation where you're doing something or somebody is trying to make you change what you're doing something and you find that person is kind of lenient so are you going to really put that effort to change i another factor that i i came up with and i found which is task dissonance task this is basically i define it this factor i developed it and i uh i measured it empirically uh that's this is basically the differences of um your perception the person's perception and what others they think uh so for instance uh using vpn or using encryption so by using encryption it stands for those who use vpn or for those who use encryption it tends to lower the performance so instead let's say a task for instance i'm just g ving to make it simple let's say a task that takes one hour it might take 40 minutes or 45 minutes so it's it slows down the performance of the employees so if a person is working on a project that takes let's say 10 hours now it's going to take 13 hours or 14 hours if that person going to like the the uh the new the new thing that you're saying although you're saying oh it's a great it's going to be great it's saving data it's saving my data saving customer data organization so this is another thing where there's a conflict between the perception that employees have or users have about the the task they're doing or and what the organization's punishment certainty and severity definitely it's a critical factor and this is based on theory there are theories uh in different disciplines psychology management etc so there are different theories from production motivation theory to general determinant theory that says if a person thinks that the punishment is certain or is going to be severe that person will not commit any uh bad behavior such as crime or littering or speeding etc etc so i applied the same thing the same concept on security compliance and i found it to be also significant reward reward is something new that's not been done unfortunately an organization nowadays because for organization they believe you are hired to do this task and complying with the security policy is part of your task although um some can argue or you may argue that while you're making my life miserable etc etc so i uh i ran um two experiments and i found that reward can be um a significant um factor that can enhance security compliance or resistance to these security creating norms in organization i talked before about the hurts of having that norm in the organizations from moral thinking that this is moral to uh seeing others are doing these things so when you have let's say the more people they buy in and they use the uh they comply with the security policies more people they will do it uh word of mouth is another factor that i work from marketing um so when you hear people talking about um the severity and the importance of what happened because of breach etc so it's key and habit so we talked before said status quo we tend to have cesco so whatever habit we have we tend to take it for longer time so organizations they need to take these variables these factors into consideration when uh dealing with security i published uh research before where i have this fact that i'm still working on uh on this subject i'm actually now on sabbatical this semester and i'm continuing working on on these and i mentioned here uh a few of the areas that i'm working right now on so i guess i took more than what josh asked me uh to to take uh i'm gonna stop here thank you again for listening i hope you were not bored um now i opened for uh questions comments feedback if you have any uh etc so at uh at this point folks uh you can feel free to to use the uh q a module if you want to make sure we we see your questions there or we'll watch the the chat room as well wherever you feel uh it's easier for you to type them thanks um i will give people a minute or two to think of questions um i have a somewhat unique question while people are thinking um i happen to work for a large company that deals with a lot of uh health information and um we have very very large amounts of um protected health information um that we have access to and the security requirements are like astronomical like they'll lock me out of my computer if i don't change my password every you know six weeks if i don't take the trainings i get locked out you know so on and so forth and i was thinking while you were talking that like that level of security seems appropriate for my job and the levels of security that may be appropriate for um those working in other types of environments and an educational environment or whatever when you think about like printing something off on the printer and what's the harm if you know not the harm but you know what's the impact overall of somebody picking maybe a piece of paper up from the printer that um was not intended for them versus you know a breach of you know 2.5 million you know health records so i'm just wondering if you thought it you know in your research a little bit about like the the scaling up or down of security requirements and how employees react to that based on you know the type of work that they're doing in a type environment that they're in definitely that's what i mentioned you know when i was talking my talk so it depends on the industry and it depends on the organization how large it is or how small so if you talk about large organization and if you're talking about the health care so for sure you can you can't you can't play uh as as you can say you know you can't you can't go wrong and in these cases uh i give you examples talking about the uh sharing these the employees behavior or the user behavior so all of us we go to banks right so when you go to bank and you're done with the teller or with the person who's helping you what what's the first thing they do before they move they lock their screen right they have to lock their screen and move so in in banks they have surveillance they have camera they see do you know what happened if you don't lock your your screen and you move your fire so this gives you an idea about so so this is what happened although you're only not my nothing might happen but they have zero level tolerance in this case whereas another another uh organization you go they're they're fine with it you know uh so it it all depends and it depends from uh from industrial industry you can't compare education to uh healthcare for instance or to financial or you can't compare financial to a commercial and say if you go to here where they have rvs companies so if you go to rv company versus healthcare let's say more hospitals so there's no comparison it all depends on the industry it all depends on the tolerance level the organization they have um i have a follow-up question from um elizabeth about non-compliance and resistance and how widespread it is and and that it might also depend on the industry but what have you found in terms of non-compliance and resistance oh it is so spread everywhere uh all countries uh all governments um anywhere you go um you hear about about this uh problem um people they don't want to to uh to comply or they try some ways to to comply uh nowadays we are we're better we are in better shape than uh we were five years ago or seven years ago so five years ago or even three years ago and before you start a lot of incidents that happen just because of employees unawareness or unseriousness they're not serious etc so now organize they're taking more attention into the training and the awareness to make their employees more aware of that but still it is there thank you bill's asking um if that there seems to be a disconnect between requiring more secure passwords and the number of times that they ask you to change it and also exp expecting good employee behavior is there a sweet spot between those two things definitely there's a sweet spot uh i'm i am not happy when when they come as as an employee you know when they come if they come to me and tell me every six weeks you have to change it or every four weeks but also as employee you know in as you said before depending on the industry if i'm working in in critical um uh situation or in in industries where you have critical data you need to be aware of that and you need to uh make sure you know um you uh comply with these with these security policies uh what i found is that um you you see you see both cases you see many organizations they are very lenient and you see many organizations that are so strict especially big large organizations they get stricter and stricter because they care about the reputation they care about their image they don't want for instance sharp or sony or any of these to say oh they have a hack or we we all watch news right and you see what happened when any of this organization or a bank or something gets hit uh so people the second day or immediately they started acting did my affair what happened to my information what happened to my social security etc etc right so um i have another question here that's a very interesting one are there security challenges that are that you found that are specific to small businesses or challenges perhaps that small businesses tend to have more than small businesses small businesses are like are like exactly like large businesses um so a security incident can happen at any time but it all depends on how aware and how serious is the owner of the business when i was in texas i helped a small to medium sized clinic implementing security policy and whatever i was i was seeing in panasonic at that time in ge we implemented almost the same thing in that in that the clinic and that clinic was almost probably uh a fraction of a department in in one of the companies that i mentioned and we applied the same thing but now also you go to other organizations they don't care this is the fact yeah um great question from um bill when google makes up a secure password for me and it will remember it for me is that a good thing sure none no for sure not okay for sure not why could you explain a little bit now because i i simply don't trust google i don't trust anybody because i give example uh last month in january 2021 microsoft was hacked because of one of their employees insider of the organizations he did some sabotage stuff inside the in all of the projects so even google you know who's google to to trust right so you should trust all yourself but um google would have the password whether you generated it and they i guess is there a difference between them keeping it on file where you can have it have have the computer remember your password for you um versus you you know trying to remember it or writing it on a post-it note or something yeah what are the difference is there a difference in um in that from your perspective that we should be you know i am if you see when how how and how i use my uh my computer or how i use my phone or how you use all of this stuff so i always get these questions do you want to save you don't want to save i don't save i uh i change uh passwords for every bank i have a password for for school i have a password for different systems i have password so i don't trust any of that i don't trust any um of the technology that that can help me when it comes to security and more personal data and this is what i always you know this is the message that i always give students one when i teach any class related to this topic great because awareness starts from school you know if students they are aware because many many many people that you meet you know outside they're not aware of the consequences or they're not aware of what happened if i do this or i do that many people unfortunately you go let's say on facebook or any other website you can say i'm eating axe wherever at this hospital i went to this place they take pictures even on their cell phone go on their cell phone they have track the the maps track the the place or the location it's always on so all of these are all data they are all recorded you download applications and you have to agree the first thing they say agree people they click on agree without saying what are you doing you're sharing your personal data you're they're collecting data who's getting this data are they selling this data what happened so yeah thank you um i'll pause and see if there's any last questions i i wondered um also if you had um observed any um any noticeable issues around like social pressure um to with your example for uh that you provided and had us speak to um there seemed to be social pressure to change the password and again in my mind i was thinking i would have so much pressure to not i feel like it was a trap or something from the way from the what i've been ingrained with is like if i'm like they would say like no the social pressure would be that not to share the passage so i wonder if there's any social um pressure the social pressure definitely it's it's it's very important you know if you have if you have a good crowd you're going to have good and positive outcome if you have negative crowd you're going to have negative outcome so uh that's why uh organization culture and that's why it comes from the top management support top management they have to be involved and they have so involvement of that management is key uh into that to uh to show the importance and the consequences and what happened if if any breach happen in an organization thank you um i'll hand it over to you josh to close us out oh thank you stephanie thank you very much professor mary this has been if you could come over tomorrow and change all my passwords for me but thank uh thank you so much everybody um i want to remind you all before you go uh in one month's time we'll have uh professor rebecca brittenham giving a a terrific talk about the poetics and politics of walking just in time for spring we should actually be able to navigate the sidewalks on a healthy stroll by them uh so uh plea please tune it please watch for that uh in the coming month you of course can always find uh professor mary's talk and all our other uh recorded recorded lectures at uh go.iu.edu slash pop-up we'll have more talks in april and may as well and we look forward to seeing it seeing you again thank you so much for uh for joining us and uh stay warm take care thank you everyone good night mo night stephanie