The Security Circle

EP 102 Dr Gavriel Schneider and Mike Gips Debate the 'Psychology of Risk'

Dr Gavriel Schneider and Michael Gips Season 1 Episode 102


BIOs

Dr. Gavriel (Gav) Schneider is a distinguished authority in risk management, security, leadership, and resilience, combining extensive frontline and senior leadership experience with a strong academic pedigree. With extensive global business, security and risk experience spanning 3 decades, Gav currently serves as Group CEO of the Risk 2 Solution Group – Australia’s most awarded integrated Risk Business. An award-winning business leader, accomplished author, and lifelong martial artist (holding an eighth-degree black belt), Gav developed the groundbreaking, award-winning Presilience® approach. This innovative framework and set of tools have not only transformed his own businesses, but also empowered many others to thrive. Through his compelling writings and dynamic presentations, Gav delivers profound insights and practical strategies, inspiring audiences to master the art of navigating modern challenges with resilience and agility.

Dr Gav has previously been honored as the RMIA Risk Consultant of the Year and later was also awarded the RMIA’s Risk Leader of the Year award. He holds a unique distinction as the only Australian to be named, four years consecutively, among IFSEC Global’s Top 40 Influencers and Thought Leaders, as well as being listed in the Life Safety Alliance’s Top 40 Global Thought Leaders and twice named as an international Security Journal Global thought leader and influencer. A fellow of several prestigious institutions, Gav is a qualified board director, a graduate of the AICD, and a fellow of the Governance Institute of Australia as well as the Institute of Strategic Risk Management, where he serves as a regional president for the ANZ region.

 
Michael Gips, CPP, CSyP, is a security professional, attorney, writer, researcher, volunteer leader, expert witness, and principal of Global Insights in Professional Security.

The former Chief Global Knowledge and Learning Officer for ASIS International, Mike founded the CSO Roundtable (now CSO Center) and served as editor and publisher of Security Management. Mike was named the most influential person in global security thought leadership by IFSEC for 2022, Outstanding U.S. Security Consultant (OSPAs) that same year, and one of Security magazine’s most influential people in 2019. He has won more than a dozen awards for his published security articles.




Security Circle ⭕️ is an IFPOD production for IFPO the International Foundation of Protection Officers

Yoyo:

If you enjoy the Security Circle podcast, please like, share and comment, or even better, leave us a fab review. We can be found on all podcast platforms. Be sure to subscribe. The Security Circle every Thursday. We love Thursdays.

Mike:

This is Yolanda. Welcome. Welcome to the Security Circle podcast. IFPO is the International Foundation for Protection Officers, and we are dedicated to providing meaningful education, information, and certifications for all levels of security personnel and make a positive difference to our members' mental health and well-being. Our listeners are global, they are the decision makers of tomorrow and today and we want to thank you wherever you are for being a part of the Security Circle journey. You love the podcast. We are on all podcast platforms so don't forget to subscribe or even better, just like, comment and share the LinkedIn posts. Thank you for your company today. Well, I have two very special guests. Before I came online, I was thinking, who do I mention first? Like, are they going to think that because I mention one before the other, that one's more important than the other? But these two both rule the security territories. First of all, we have with us Mr. Michael Gips. How are you doing? I am great, and I would have preferred you mentioned Gav before me, introduced Gav before me, because he is truly a man of, uh, a man who has accomplished so much in security, and I admire him greatly, but I really appreciate being on the show. Well, you've lifted the lid there. I don't know anyone called Gav, but I do know a Gavriel Schneider, a Dr. Gavriel Schneider. How you doing, Gav? You all right?

Gav:

Hello Yoyo. Hi, hi Mike, and uh, definitely the bromance is two sided. I think Mike is friggin awesome.

Mike:

Am I gonna turn like green and prickly? So listen, both of you collaborated, which was a great piece of work actually, in an article. It talks quite intensively around psychology, but let's first look, if you don't mind us coming to you, Hello to look at why you felt it was important to collaborate. I mean, surely you'll, you've both published loads of articles yourselves.

Gav:

So I think part of the interesting challenge in a global economy is that none of us have real deep expertise on every geographic area, every geographic threat, every cultural trend, et cetera. And I think it's really important these days that if we want to be able to translate information to broader audiences, we have to be collaborating. And there's no question. I mean, those who don't know, Mike is a Harvard trained lawyer and was the first CSO for ASIS. Uh, you know, Mike understands the security sector, particularly in the U.S., almost better than anyone else I've met. So great reason to collaborate.

Mike:

In fact, Mike, you've published more than 1000 articles, haven't you, on security topics? I mean, is it about time you wrote your own book? I'd like to, but I've written so many articles that I'm thinking, do I have a book in me? Now, I do have books that are kind of security related, but they're obliquely related to security. They're more, we've talked about a little bit about what I've wanted to write about. I don't really necessarily want to write a book that's a calling card. Those are great. You know, it's like a meet and greet and it's something to have people remember you by. I'd like to write a more substantive book and I'm not putting those down at all. Um, but, you know, like Gav has written books that are substantive and can be used as calling cards. And let me just circle back to why I wanted to collaborate with Gav. He created a whole new risk paradigm. He's reviewed, digested, all this literature on risk, all these different programs, frameworks, um, best practices, and they've, he's coalesced them into a new approach, and he teaches that approach, as a matter of fact, we're working together, and I'm a student in one of his diploma courses on organizational resilience, so the idea, I think, the proximate idea or the proximate cause of working together because I was reading some of his materials and I said, I'd like to put a different spin on the stuff I'm reading that you wrote, especially on risk because he has this whole typology and whole universe that he's created. I have stuff here and there and I have thoughts, random thoughts and items and, and, and writings. But I thought, let me delve into what he has done and sort of put my twist on it. And maybe we can get the best of both worlds, sort of my approach to his kind of documented researched typology and body of knowledge. One of the first subjects you tackle is what is risk psychology? But there's a big difference, isn't there, Gav, between psychology of risk and psychology in risk?

Gav:

Indeed, and it's a really good segue and you talk about some of the strengths that collaboration brings to the table. So, you know, that's not a concept that we haven't explored before, but Mike brought it up in a different way. And it was interesting to kind of see that in reality, if we're looking at the psychology of risk, we're actually probably thinking about how does psychology affect decision making when we're looking at how we manage or take risk on. But if you look at it the other way, then we're looking at psychology in risk. And what do the human factors mean for people who are in the world of risk? So even though they almost sound the same, it's probably the difference between somebody who's a security risk management expert or somebody who's a security manager. And while, you know, for the layman, they might seem almost the same, we know those are totally different jobs.

Mike:

Mike, talk to us about why understanding risk psychology leads to smarter choices. Sure. I'm going to refer back to when I was taking this module of this course, and I was reading about cultures. We're talking about different cultures in businesses or any kind of organization. And you don't just have one, you know, Google doesn't have one culture. It has an overriding culture. Each department, each location, each team, each unit, you know, maybe each floor of a building, you know, maybe they're different groups. I mean, so they're over there. You can cut and slice many different ways. So I was thinking about how an organization, it doesn't have to be Google, it could be a small organization, addresses and assesses risk, and I'm thinking about, okay, if you're entrusting risk management to people, you have to really understand their personal approach to risk, whether they're, they're risk averse or risk tolerant or whatever it is, and a lot of those things, you know, you might say, okay, they might be risk averse or risk forward personally, but not organization, but I find that my experience is a lot of, there's a lot of, well, someone who is risk averse in one area is often risk averse in the other part of their life. You know? So it's like personally, you know, I'm fairly risk averse. So personally, so I'm not going to go out and do some crazy thing by business. Cause it's not my money. You know, I'm just going to, I actually am a better caretaker for my organization than I am for myself because I have a feeling of responsibility. So I'm thinking we really have to know our people if we're going to, if we're to figure out what a risk approach is for an organization, we have to know the risk approach to the different cultures who are making the decision and the individuals within. Now, you can go and drive yourself crazy. But, you know, if you're in a small group, I would say it's mandatory that you assess how somebody views risks. 
What their approach is, not necessarily whether they're risk averse or risk forward or not, their process, you know, and if it's something that adds to your organization, something, if they're thoughtful about it. If they process, and you have a good mix of decision makers and, you know, the way people come at a risk decision. So I know that sounds kind of abstract and abstruse, but it, it actually is very practical when you're working with people like you can, you know, you choose staff based on, or choose who to work with based on their risk profile or how they view risk. I'd love to hear Gav comment on that.

Gav:

Sure, Mike. I think the interesting piece that you flag there is so much of modern security is now this convergence piece. You know, where does cyber fit with protective security or physical security? Where do our processes and policies, you know, maybe align with the way we deploy manpower, but to your point, the overarching piece is what is our view on risk and how do we as individuals manage that view and manage our attitude. So to your point there, it's exactly right, because what we've seen over and over again in practice versus in theory is that organizations love frameworks, whether it's an enterprise security risk management framework and ERM framework. You know, it doesn't really matter. That's a way for them to glue things together and go, we're doing the right thing. The challenge is not necessarily that those are not effective. They are. The challenge is that humans have to apply them, find value in them, and they have to enable outcomes that the organization, usually the board or the executive, would set. So the fundamental challenge then is if we're not trying to understand the sort of attitude aligned to people's appetites and tolerances at an individual, team, and then at the organizational level, we get misalignment, which leads to poor performance and poor outcomes. So to your point, um, it's interesting. So often during my career and you know, Yoyo and Mike, you guys know me quite well now, you know, I started my career as a shooting, fighting, punching type of guy. I still like punching. Don't get me wrong. But along the way, as we transitioned into the psychology and human centric piece, which was almost 10 years ago, I kept getting asked, why are you doing that? You know, there's lots of HR people. There's lots of org psychs. You know, you don't have to get into that field. And fundamentally, for me, much to your point, Mike, it felt like there was a piece of authenticity and efficacy missing in our consulting and training practice. 
Where, you know, we could write a policy, we could teach people things like situational awareness, you know, we could build a security plan, we could, you know, build a bollard and hostile vehicle mitigation strategy, etc., etc., etc. But if people weren't connected and didn't buy into that, and didn't want it and didn't understand how it worked, its efficacy was diminished. So ultimately, you know, it's a people game. And I think with AI coming into the mix now, you know, some of the topics we brought up in that article that they should be required reading, because if people are not understanding the people dimension as the game changes with knowledge and access to knowledge and use of knowledge, we're going to see some terrible decision making ahead of us.

Mike:

Well, you took my word

Gav:

salad

Mike:

and you created a gourmet meal out of it, you know, a Caesar salad or a wedge salad with bacon or whatever. So well done. Bacon. All right. Stay on. Stay on topic. So, listen, here on the Security Circle, we've had a number of different, especially of late, really, um, clever ex-spies, either from the CIA or from the British Intelligence Services. Gavin Stone, Peter Warmka, Nick Jacinto. They talk quite intensively as skilled professionals about what motivates, about how to identify how people think or what motivates them. You talk to this as well, but in a slightly different context around psychology. Why is this important, Gav?

Gav:

So fundamentally, the concept of motivation is intrinsic to outcomes and performance. So if you look at the sequence in the middle, which is critical thinking and decision making. So let's say I collect information because as security people, we're almost by default always scanning the environment, reading something, absorbing information. What tends to happen, depending on the maturity of the security professional, is you then reach some sort of risk outcome. You kind of go, it's risky, it's not risky, it's a threat, it's not a threat, it's an issue, it's not an issue. And then if it is any of those things, the more seasoned professional already comes up with a plan using their subconscious. The more junior professional would then go, I need to stop and plan. I need to put this together. So realistically it's the glue in the oil components that seem to be the most important for high performance. And I think that's what a lot of understanding and let's not get distracted by the technical terms, you know, neuroscience, psychology, et cetera, and just let's talk about how do we get good outputs from humans. And then stop humans with ill intent from causing us harm. Because realistically, that's the game we're playing. And we can overcomplicate it as much as we want. Which requires us to then understand humans. Because if we don't understand humans, we can't achieve either of those things. You know, the best, getting the best out of us and our people. Or understanding how to predict and prevent an attack. So it's a really important piece. And I think it's one of those ones that a lot of security people feel intimidated by. You know? 
And they often feel, hold on, you know, I, I didn't get a master's degree or my master's degree was in counter terrorism, not necessarily in psych, but realistically you don't need to be an expert, but if you're not reflecting on what motivates you, what motivates others and how that connects to an organization, you're, you're going to find it very difficult to achieve goals, set objectives and get stuff done. So ultimately, you know, for better or for worse, motivation is probably one of the most important foundational aspects for us to get right. Yet again, one of the most ignored ones, because we all assume people are instantly motivated, or in the case of the security industry, we assume that we will be underappreciated. Nobody will want to respect, give us budget, et cetera, which makes it even more important for us to learn the skills of influence and human centricity so that we flip that narrative on its head and get the best out of our people. So long story short story, like motivation, objective and goal setting is the foundational starting point for how we start to look at the psychology of risk. Mike, what are your thoughts?

Mike:

You put a nice framework around it. I have loose, disparate thoughts, but I'll try to add to that. All of which I agree with. I would put it this way. Early in my career, I realized that security is so much about psychology, beyond motivation, just psychology in general, how people think, how people communicate with the world, how they interact with the world, what drives them. And I thought, wow, this is ignored by the security community. This is so much of it, especially, certainly intentionally, intentional acts by people and also unintentional acts. So, which is, you know, definition of security risk. And I was kind of searching around for someone who was like minded and I saw that, I don't know if you know Ilya Umansky, he is a very well known guy. I think he's in Hong Kong or, he's also very, you know, very, um, opinionated, let's say he, um, he says what he believes and he doesn't care and I admire that about it. You know, he actually approached me because he was having some, he was talking about how ASIS was approaching some issue. And I said, Hey, I agree with you, but there's not much I can do. So he got it right. Security is about psychology and we should be spending, and I'll cut it off here, but that's where we should be spending our time more than on, I mean, bollards and great technology, it's fantastic, and certainly AI is changing things, but psychology is at the root of deviant behavior of crime, of, um, of violence, of, of behaviors that, you know, that security is trying to prevent. At the security industry as a whole. It is, by default, deliberately a hardwired, and you talk about, you know, hardwired into our brains, it's hardwired to have biases because of the former police detective, former police law, former military, training that we've had. Those biases are generally healthy. Security professionals are training themselves always to be biased, to look for risks. So we have to have our compass facing a certain way. 
But why is cognitive bias and heuristics really critical to this article? Sure. We all rely on cognitive biases and heuristics. And for people who don't know what that is, everybody uses it, you know, recency bias. If something happened recently, you say it happens all the time. You buy a red car and a car that you see that red car everywhere. There's another kind of bias, outcome bias. If something works, then you automatically conclude that the process by which you got there was the right one, which often is not. And you see that it's a big mistake in risk management. So people are always going to have these, and they are sometimes helpful, but we should have to be aware of them because they restrict our thinking. And you, as a former police detective, I'm sure you've had to grapple with that. You're probably an expert in psychology, you know, with, trying to get confessions or doing interviews. I mean, you probably don't think you are, but I'm sure you have skills that, you know, that psychologists or psychiatrists would be envious of. We should be aware of it. We should try to counter it. If no one's, you can't see this, but, Yoyo's making a gesture like, like. I know, I'm great, You know, that's because I could always tell when someone was going, Dan, Mike. Well, that's a great skill. And as long as we're aware of these biases and we think, okay, we know what it is, you know, what traps are in the, we're thinking more freely. If we're aware of it, then we're like 99 percent of the way there. Sometimes we're aware of it and we still fall into that trap. It's always good to talk to other people who can sort of test your mental heuristics and your biases. One thing that I noticed in, when I was taking Gav's course that they were talking about, system one and system two thinking, we were talking about, Roger Kahneman, right? He says system one thinking is your immediate response to something, something that's hardwired into you. 
You've seen it a million times, you do it. It's automatic. System two thinking is whoa, whoa, whoa, I gotta step back. I can't just give the pat answer. I've got to think about this. I really don't want to think about this, but it requires me to take some time and not jump. So I think some of the heuristics are system one lazy thinking and system two thinking sitting back and like, let's really like, let's really dissect this and why I'm thinking this way and step back and look at it more, you know, in more in depth. Gav, what do you think of that? I mean, you took your course. So, um,

Gav:

So our academic lead is a guy by the name of Dr. Paul Johnston, who's a very harsh marker. And Mike shared after coming on the course going, well, Paul is really harsh. You know, I went to Harvard and this is harsh, but so on that note, just a couple of quick corrections. It's, Daniel Kahneman was the system, right? Thank you, Dan. The late Daniel Kahneman. But to your point, this is the interesting piece with system one and system two. System one primarily runs on biases and heuristics. So I really liked your, your, how you frame that, which is part of the game of understanding psych and how we use criminology. But practically we need to move away from this idea that all biases and heuristics are inherently problematic and have to be managed. Realistically, most of our decisions, as Mike highlighted beautifully, thank you, Mike, are made with that system one intuitive, instinctive part of the mind. And we do need to remember that whenever we play with psych and criminology and those sort of fields, like, we can't dissect the mind. So all of these are theories that help us understand how the mind works, so that we can try and have models to reference back to, to make better decisions, to understand motivations and to change behavior, that's really the game. So realistically, if we look at positive heuristics and biases that security people bring to the table, uh, one of the things that I'll go back to a little anecdote, maybe 20 years ago, that's how old we're getting and how long it's been in the game. We, we wrapped up our executive and close protection training capacity out of my previous business in South Africa, and we were getting sent lots and lots and lots of people to train regularly. We ran almost a course a month. They were 20 day courses, very expensive, very detailed. 
And one of the frustrations we kept having is that despite setting very clear criteria of the type of person that would be good to attend that training, we were getting sent people that let's just say they didn't have the physical and mental attributes to thrive through that level of training. So the challenge we had then is, well, either we could push back or we could find a way to make this better. So we did a little research project. And one of the things that always frustrated me was experts. And both of you and many of the listeners are experts already. And if you compare what an expert in security does to a layman, one of the biggest differences is intuitively, we're always scanning our environment. We're always looking for threats. We always want to position ourselves in a way that we've got an escape route or the ability to protect ourselves, et cetera. And that happens automatically. So we landed up interviewing roughly 150 of these very seasoned professionals. And I kept asking them, because I led that process, what is it you look for? How do you know what to do? And we got this real big mix ranging from, you know, almost arrogant swagger that, you know, you need 20 years experience to be as good as I do. And, you know, do all this stuff. Or honestly, some of them just looked at me totally blankly going, I don't know, I just do it because I've done it so many times. And then a bunch of the others were like, you know, that's a really good question. Um, let's unpack the pieces, but, but to your point, the fact that we are schooled and trained to understand what's happening around us and look for threats gives us a huge advantage. Equally, one of the challenges is sometimes security and when I'm talking about security, I am including our law enforcement and other brethren in that we often then are considered a bit paranoid in certain environments where, hold on, why are you sitting with your back to the wall? Why do you have to see the exit? 
There's no risk here. So the interesting piece there is you don't really get to pick when your biases and heuristics come into play. Once they are set. They are. They come into play. So one of the things you said there, Mike, which is a really important point for us to link back to, um, is the idea that we can train, build and enhance our biases, but equally, if it's something important, we need to be able to manage our biases. And your point around simply knowing they exist is a very good starting point. Um, Adam Grant, who's a very well known psych and lecturer and thought leader in the space, often jokes about, you know, the bias he loves the most is the, I'm not biased bias. And this is the interesting piece because the more professional experience you come across people, they often go, well, you know, you people are affected by biases, but you know, us superhumans aren't, that's just not real. Like we're all humans. We all have different levels of energy and focus. So realistically, if you are trying to be a security expert in any, any, any way, shape or form, let's not even get into whether it's cyber or physical, fundamentally, if you do not understand yourself, you do not understand other humans, you're like tying your hands behind your back and hopping on one leg. You're taking away some of the biggest force multipliers and tools we've got. Um, last week we ran the Protective Security and Government Conference here in Australia. And it was fascinating just to see the themes that came out of that event were mainly the themes that you don't really see at a security conference. Things like collaboration being the driver. You know, things like better decision making being the drivers. Things like motivation and enablement being the drivers. So I think we're seeing a growing up in the security industry. It's really hard because this thing doesn't change overnight. And when I say growing up, I don't just mean the way the industry behaves. 
I mean the way people treat professionals in the industry. And it's taken a long time, Mike. I know you've been doing this a long time, but I think we're slowly getting to the point where executives and board members understand that security is a critical component for high performance within their organization. So we've almost got to that point. Now, that's where the real work starts because we have to back it up. We have to be able to deliver the goods and validate that it is important and it does add value to objectives, which is, you know, how we leverage human performance.


Mike:

I think going back to being a police officer in the noughties, I think, you know, seeing somebody actually acting suspiciously at three o'clock in the morning when most of the clubs were shut, for example, yeah, your bias teaches you to look for something that's, you know, you're profiling that individual's walk and where are they focused on, where are their eyes looking at all those sorts of things. And, but at the same time, police officers are getting it so wrong now by that bias, getting involved in a very high profile case here in the UK, where a black man and a black woman were pulled over in a car and the police officer lied about there being a smell of cannabis because he was racially stereotyping and that's where the bias is really dangerous. I think as long as we're aware that there's a justification maybe in our training and learning and understanding that teaches us to back up that bias and to check ourselves before we wreck ourselves all the time. It can be both a hindrance and very much get us into trouble. I think you hit the nail on the head in that, if you're aware of the bias, and as Gav said before, a lot of what we do, these biases are good because we couldn't function, you know, with going to system two thinking all the time, you know, dissecting everything. We have to function our daily lives and make quick decisions. But as long as you're familiar with it, you're aware of it, and your actions are commensurate with the understanding of it. So he, if he thinks, okay, it's a black person. And I think that he's likely to commit a crime, but that's my own bias. So don't do anything stupid, you know, let's go by the rules. And it's like, I don't smell anything, you know, there's no, I don't see anything that's threatening, like let him go on his way. So there was something that missed there, you know, there was like, he wasn't aware of it, but I think what you said applies. Yeah. 
There's definitely bad cultures that are underpinned by bias. But look, what also, I was really drawn to in your article, gentlemen, was around cognitive dissonance. So the layman's terms for cognitive dissonance, a classic example would be wanting to be healthy. But not exercising or eating well, that's a classic or wanting to give up smoking and, but still smoking, it's where your values aren't aligned with actions. It's a good example. Why have you chosen to include cognitive dissonance then in your article around psychology and risk?

Gav:

I think if we look at cognitive biases, these are obviously our default instinctive intuitive hacks to make decisions quickly with our subconscious. The challenge we've got is when we are confronted with facts, information, or anything that is oppositional to a belief we hold, it causes the cognitive dissonance component to kick in, which tends to skew decision making tremendously. Because now I'm no longer looking at what is the best decision, I'm looking at how do I defend my belief system. And that creates a really bad outcome in many cases because we lose impartiality, we lose the ability to look at facts, we lose the ability to change our position if new information is presented. So if we don't tackle both cognitive bias and cognitive dissonance, we then land up going, it's a kind of half baked game and back to your example of the police stop. If you kind of look at that, often we'll come up with narratives that support our bias, as opposed to go, hold on a second, my bias in that case wasn't accurate and it was cognitive dissonance and the need to resolve it. Cause I think that's the important piece. There's lots of ways to define cognitive dissonance. The simplest one I like is it's a state of dis-ease, so not disease if we're sick, we just feel uncomfortable. And we will then conduct activities to remove the discomfort and feel good again. And often, if you've ever had a debate with somebody about politics or religion, okay, noting what's going on in the U.S. at the moment, Mike, a very interesting topic, um, those who argue factually tend to lose because they get to a point where the person you're arguing with or debating with. It's cognitive dissonance and then instead of listening anymore starts getting aggressive emotive

Mike:

This has just set something on fire in my head. There's a really good presenter that I listened to on LBC and he gets involved in debating and he's a very clever libertarian who's very balanced, and he'll get these muppets ring up, try and take him on, he'll win with fact every time because he's an intelligent man who knows his content, right? But I have noticed the sort of respondent being very emotional and just losing the will to listen to anything that's being said. So a classic example would be, why do you like Trump? And they go, well, he's going to fix the United States. How? Well, he's going to make the United States great again. How? Well, like it's. It just goes on and on until the caller loses, there's no facts. There's emotions that start to kick into play. That's a really good example, isn't it? Of demonstrating how that can work also. You've just made me realize that sometimes you just can't win with fact.

Gav:

A hundred percent, Yoyo. So we can't actually have a discussion around how psychology and criminology intersect with security unless we're able to actually tackle these basic concepts and understand how they work. Another good example on the cognitive dissonance piece, before I hand over to Mike, is something as simple as the executive team of a large organization, if they believe that security is a cost center and not an enabler, every time they are presented with information to the contrary, it causes them cognitive dissonance. So part of the challenge we've got is if we want to change perceptions, and that's what you highlighted there, that perception is tough because perception is reality to the perceiver. And in the example you gave, what's always interesting for me is what definition of winning are we going by? Because if we're having a debate and my job is to intellectually prove that my factual understanding and application of the facts is superior to yours, I'm out of one, but if my job was to get you to understand that there's a different point of view and slowly over time, maybe get you to think differently, I've lost. So it's quite important, I think, for security professionals to understand that because often we fall into this trap of going, I just remove opportunity. I deny, I deter, I detect. Okay. So that I hopefully don't have to respond and recover. But if you actually look at a lot of those things, if we want to properly tackle something like insider threat, for example, it's often less about being able to spot the one bad apple who's gonna take your organization down and more around how do we get the other 99.9 percent of people to be engaged, happy and motivated so that the behavior of that one bad apple person is not tolerated full stop and we often miss this. So to close off on that piece of hand to Mike the challenge we've got is that, you know, perception is reality to the perceiver.
And if we don't understand that, we're like tying one of our hands behind our back because the only thing we've got to argue within is hard evidentiary based fact. And in the security world, that's really tough because if you do a great job, nothing bad happens. So it becomes exceptionally difficult to communicate it. So lots to that. What are your thoughts, Mike?

Mike:

Well, since it's

Gav:

election

Mike:

day here and it's a couple hours till the votes start being counted, I will say that the country seems to be in collective cognitive dissonance. Um, they're, one half of the country believes one thing, another half of the country believes, and they harness the same facts. Well, actually, we don't agree on facts. I'm a person who I usually don't speak about my personal politics, because why let it tarnish a relationship, right? I have a lot for very strong advocates for one side or for the other, they don't talk to the other side. They completely, you know, debase and degrade the other side and I'll listen to them and I talked to them and I just answered. Sometimes they think I'm 100 percent with them because I'm just asking them questions. Other times, if I ask more challenging questions, they immediately assume I'm on the other side. And they say, Oh, you're, you know, I was with some people and they said, you're a Trumper. I'm like, when did I say I was running for Trump? And then some, I was talking to some people, it's like, Oh, you're a classic liberal. It's like, I'm not, I'm not a classic liberal, I'm not even a Democrat, you know, or whatever it was. So, I find that it used to be like an advantage to be that but now, and it certainly kind of is because but I have cognitive dissonance in trying to because I recognize both sides. I don't dehumanize, like, there's some things about each side that I'm like, Oh, how can you tolerate that. I want to want to get into specifics. I feel like the whole country and certainly people, if you kind of understand where both sides are coming from, but you can't get them to speak. That's almost like cognitive dissonance writ large, right? I know this has nothing to do with security, but it's also, I can also hear Chuck go, we don't talk about politics. Yoyo, I'm right down the middle, right? We're just talking about, we're talking about psychology. We're talking about what people want to believe.
And I'll talk to someone and they'll say, I can't believe you're even thinking about voting for that other person. I've heard it on both sides, because they said this, I'm like, where did you hear this? I said, did you hear that on MSNBC? Do you hear it on Fox News? Because you're just talking to other people. On the other side, they're saying this. And I, you know, it's a canyon. It is a canyon. And it's like, I think that's, it's not just American. You know, it's happening all over the place. But then you got, then your article talks about outcome bias. So after the election, after the votes have been counted and decisions made, there's going to be a huge amount of outcome bias. How is outcome bias relevant to the security industry?

Gav:

You want to take on that? Sure, Mike. It's really interesting because one of the things that we like to do is we like to chunk, and that's a psychological term for grouping pieces of information together. And they may or may not be similar. So one of the things that's important to remember is if we focus on a specific bias, like outcome bias, we tend to forget that there's a whole bunch of other biases that come into play to things like confirmation bias and outcome bias, they're cousins, or you might even say siblings, they're so close. So part of the challenge, and it was interesting listening to you, Mike, because part of the interesting piece we've got is that my view, while we're looking at the U.S. and Yoyo, I know we were both there not long ago, but is there still more in common with both parties than there isn't, you know, both are still democratic, both are still capitalistic, both still value human rights, both still value the constitution. So the hard part actually comes to misinformation, disinformation, malinformation, and how that affects decision making. But to your point, if I'm driven by an outcome and I'm biased that I want that outcome to be a certain thing that I will then construct all the facts and the narratives to suit the outcome I'm looking for. Yeah. And even if the outcome is different, then it then causes me cognitive dissonance. And you see all sorts of funny behaviors happening, you know, whether it's accusations of voter fraud or mishandling of voter process while we're on the election piece. But if we take this back to security and we kind of look at one of the biggest challenges I think security practitioners have, which is generally, it's incredibly difficult to get the right amount of budget and allocate that proportionately ahead of time before bad stuff happens.
So often security professionals are stuck in this reactive cycle where you almost have to have a bad thing happen, which risks your job, risks well being, has significant impact to your organization to be taken seriously. So one of the pieces we've got to start looking at is how we use something like outcome bias or confirmation bias to educate. And if we can get those pieces right, you know, a simple example is a competent security expert saying, look, one of the risks we've got might be workplace violence. Here are the stats. Here's what's happening in other organizations like ours. Here are incidents that are early warning signs. Therefore, the outcome is very likely to be X. So you're now using outcome bias as an enabler for you to go. So we're planting the seed that if the, that if we don't do X ones that the outcome will be X. I think the interesting piece, Yoyo, to directly answer your question with this, um, question with the idea of outcome bias is humans will do lots of cool things to avoid cognitive dissonance. We will come up with all sorts of narratives. We will construct all sorts of stories that enable us to go, I'm right. And my views and my belief system is right. Even to the point of being able to go, if I need to make sure I feel right, I don't mind having to tell you you're wrong repeatedly. And the challenge we've got in this volatile, uncertain, complex, ambiguous and digital world is things are more gray than they've ever been. If we get stuck on a binary view, we disenable ourselves. And I think from a security perspective, we've got to move into the gray a little bit more.

Mike:

I think is I am usually always right.

Gav:

And I know you're now you sound like my wife.

Mike:

So we are running out of time. I understand that some very exciting news coming for 2025. Would you like to share it here?

Gav:

Yes, thanks. So when I started teaching the psychology of risk almost a decade ago. One of the best parts of teaching a post grad program is you can tell the students what to read. So I wanted to write the big book on the psychology of risk, and I'm really glad I did it. I actually landed up writing the previous one on situational awareness. But the time is right, and I've learned from my own experience that you need to let this stuff percolate and mature before you get it ready. So after almost a decade, I've got the Presilience book coming out. I'm really excited because I've been able to take really 10 years of research, consulting practice, and a whole bunch of best practice models and document it and try. I've done the very best I can to make it a workable tool that should be sitting on every security risk professional's bookshelf, because practically, if you want to be able to get good at the stuff we were talking about in this podcast, it's not a click your fingers and instantly the stuff happens. It's a journey. Yeah. And I was actually explaining to a colleague yesterday, I took him through the Presilience stuff in about an hour and he was sitting there like I'd, you know, literally just filled his head up with way too much stuff. And he was so confused. And this is an experienced expert.

Mike:

You blew his mind.

Gav:

Well, I don't know if I can quite say that because we talked to secure broken. But the interesting piece with this is. And this is probably the good segue, while I love the academic side of these things because it helps us understand what research has shown us and it provides empirical evidence, it has to be usable and has to be able to be applied in practice. And I think that was one of the things just closing off on the article that Mike and I wrote, was how do we take some of this really complex and complicated stuff and make it workable that people can grab it straight away and go, All right, I never really thought about biases in the security industry. Now I do. I never really thought about how site works. Now I do. So my hope would be out of the new book that we just get to provide more knowledge and understanding so that we can cope and thrive better because the world we're in ain't getting simpler, that's for sure.

Mike:

And yet there's still a huge thirst for information. And I'm contacted almost weekly by young security professionals who want to know more information about certain things. And there's a load of people I want to tag in to this podcast, which has been literally just giving. Mike, what would you like to say before we finish up? I'd like to say first, I knew about Gav's book. I read an early version of his book. As a matter of fact, I liked it so much that I plucked one of the chapters out and I reworked it. And that's the article you see today. And Gav, obviously we went back and forth and he liked the new approach. But I will give a shout out to another book. It influenced me. Yep. Okay. I can see your hands. His first book. It's excellent. I also have that over here and it's right up behind me if you can see it. Can I see your hand? It's up behind me as well now. Behind you. That's right. There's a book here on the shelf by Annie Duke, a professional poker player, called Thinking in Bets, and it's really a risk management book, but she's a professional poker player. I think maybe she was an academic, she's a very smart person and she won like the World Series of Poker or something, all by risk management. And she talks about her approach to risk and everything's thinking. Everything she thinks about is a term of a bet in terms of a bet. Like would I take this bet? How do I increase the odds? And she talks about outcome. She talks about outcome bias a lot. For example, she works at Poker Park. She plays with poker players who make the wrong move statistically, but win. So they think, you know, they should always win. Or they do the right thing and they lose. And they think, okay, that wasn't the right thing, because I lost. No, there's a, there's the right thing to do. Whether the outcome is positive or negative is a function of probability, and you can always go with the probability.
So, Annie Duke, Thinking in Bets, right after Gav's books, which would be on the top of the shelf. Well, thank you. Thank you both for joining us on the Security Circle. Just having you here together has been awesome. Gav will get you back in about 16 weeks to promote your book. We'll put a link to your book in that one, but we will provide the link to the article as well for this podcast. And just thank you. Thank you so much.

Gav:

Thank you. Oh, yeah. Thanks, Mike. And thanks everyone for listening.

Mike:

Yes. Always a pleasure, guys.