Michael Joyce


Michael Joyce is the Executive Director of the Human-Centric Cybersecurity Partnership (https://hc2p.ca), a transdisciplinary group of scholars, government, industry, and not-for-profit partners working to generate research and mobilize knowledge that fosters a safer, more secure, democratic, and inclusive digital society. He has over a decade of experience in the development and management of national and international cybercrime and cybersecurity knowledge mobilization programs, including Canada’s Smart Cybersecurity Network (https://serene-risc.ca).

He is also a doctoral candidate in criminology at the University of Montreal's Cybercrime Prevention Laboratory (https://www.prevention-cybercrime.ca/), where he researches personal guardianship behaviors and related interventions. Put simply, he wants to understand why people click on things they later regret—and whether we can do anything about it. Michael is the host of the long-running Cybercrimeology podcast (https://cybercrimeology.com), which explores cybercrime science and research.

He has been a volunteer at NorthSec since well before the pandemic.


Talk: Why preventing phishing is so difficult, and what we can do about it

Talks will be streamed on YouTube and Twitch for free.


We still haven’t solved phishing. Why does phishing still happen and why do security professionals struggle to understand user behavior? This presentation demystifies the challenge of phishing and presents key findings from one of the largest independent studies of phishing behavior in Canada.

Drawing from five years of research, this talk challenges assumptions about human decision-making and security training. By integrating insights from a range of scientific perspectives, we explore why phishing remains effective despite increasing awareness. This research will also present results of a large-scale, Canada-wide study of phishing behaviours, offering an unparalleled view into real-world phishing trends. Key questions addressed include:

- When are phishing emails most dangerous? We show the time and day of the week that is the riskiest, and evidence as to why.
- How often should cybersecurity training be conducted? We investigate the decay rate of training effectiveness to balance reinforcement with security fatigue.
- Does Cybersecurity Awareness Month actually change behavior? We evaluate the real-world impact of this national event.
- Can strong technical security measures increase phishing risk? We look into the potential negative impact that confidence in technology can have.

By the end of this session, you will gain a deeper understanding of phishing psychology and training, helping you design more effective security programs that account for human behavior. Attendees will learn why traditional training can fail, the why of phishing simulations, and how to better interpret user behavior. This talk will debunk common misconceptions and provide practical, data-driven approaches to phishing mitigation.

This presentation is based on PhD research conducted at the University of Montreal in collaboration with Beauceron Security. These findings are being presented publicly for the first time, offering a unique opportunity to engage with groundbreaking research.