How to Conduct a Vulnerability Assessment
Los Alamos National Laboratory's Roger Johnston talks about how aliens, Elvis impersonators and your worst security users can help you find and fix security problems.
JOHNSTON: It does work that way. People say, "Gee, you're telling me I need to make this one little change, and this attack and this attack and this attack and this other attack basically go away?" It's really quite surprising. Sometimes the vulnerabilities are extraordinarily complex, and the solutions, while they may not be 100 percent perfect, are often really painless. We don't always have the most realistic view--we work for the government--about what's economically viable to implement. Sometimes what we think is simple isn't really simple in the real world. But that's OK too. Sometimes our suggestions get the end users thinking, and then maybe they come up with their own solution.
CSO: You've brought a couple of industrial-organizational psychologists onto your team. Why?
JOHNSTON: Industrial-organizational psychology has been applied across a wide range of fields, but for some weird reason, not security. When we first got these psychologists to work with us, they just couldn't believe that no one had applied all these powerful tools in industrial psychology towards security problems. Increasingly, we're using them to understand the human factors associated with security. In the end, security is really about how people interact with technology, how people use and think about technology, and how the technology was designed to enhance what people are already doing.
CSO: What kinds of things have the industrial-organizational psychologists found?
JOHNSTON: The main one early on was the recognition that the security guard turnover problem is a huge problem. The numbers typically run between 40 percent and 400 percent per year. McDonald's has a turnover rate of about 35 to 40 percent, so McDonald's does a better job than security of finding the right people and hanging on to them. There are plenty of organizations that do very fine with turnover rates that don't pay people very well and don't necessarily represent fabulous careers. There are ways that IO psychologists have developed over the last couple of decades that help these companies, but the tools have never been applied to security. The first thing that our guys did was publish some papers basically saying, "Hey, wake up, we don't need to do any new R&D, there are all these tools already proven out there." They involve things like understanding who you hire and creating a realistic picture in their mind of what the job is like. If you simply do that, the turnover rate plummets.
We're just beginning to look more specifically at how IO psychology applies to vulnerability assessments. It's a totally open field. One problem we want to look at is the tamper-indicating seals that are used for cargo security. We know from experience that some people are really good at finding seals that have been tampered with, and some people aren't. But we don't know why. One of the things we want to do is study the people who are good at it and try to understand what it is that they're doing or what characteristics they have that make them good. One of the studies we want to do, and we haven't found anybody to fund it, is an eye-tracking study. We want to look at what seal inspectors are looking at. You give them this little eyeglass thing, and it tells what their eyes are looking at. It's used all the time to judge advertisements for TV; advertisers stick audiences in front of the proposed commercial to see if they're really looking at the product or they're looking at the pretty girl in the background. We want to apply this technology to understanding what the people who are effective at finding seals that have been tampered with are looking at. Maybe we can train people better, or maybe we can do a screening exercise to find the people who are really good at it, for whatever reason.