Cybersecurity's Human Element Examined
The cybersecurity community typically focuses on technology to address security issues and problems while sometimes overlooking the “human element,” a National Institute of Standards and Technology (NIST) computer scientist wrote in a recent article.
Human input, wrote Julie Haney, cannot and should not be readily dismissed by cybersecurity pros; instead, it should be “adequately” considered.
As Haney explained:
“Cybersecurity specialists are skilled, dedicated professionals who perform a tremendous service in protecting us from cyber threats. But despite having the noblest of intentions, their community’s heavy dependence on technology to solve security problems can discourage them from adequately considering the human element, which plays a major role in effective, usable security.”
What’s needed, suggests Haney, is an “attitude shift” in cybersecurity:
“We’re talking to users in a language they don’t really understand, burdening them and belittling them, but still expecting them to be stellar security practitioners.”
Not all security pros look at cybersecurity in this fashion; a good number of teams are already incorporating the human element into their security programs. Still, the following misconceptions, wrote Haney, remain “prevalent” within the community (the list below is in Haney’s words):
- Assuming users are clueless. Though people do make mistakes, belittling users can result in an unhealthy “us vs. them” relationship between users and cybersecurity professionals. A potential solution involves building positive relationships with users while empowering them to be active, capable partners in cybersecurity.
- Not tailoring communications to the audience. Security pros often use technical jargon that reduces audience engagement, and they may fail to tailor lessons in ways that appeal to what users care about in their daily lives.
- Unintentionally creating insider threats due to poor usability. Users who are already pushed to their limit by time pressures or other distractions can unwittingly become threats themselves, as they become prone to poor decision making.
- Having too much security. While always using the most secure tools available sounds wise in principle, some users can find the resulting complexity stifling for daily work, leading them to violate security policies more frequently.
- Depending on punitive measures or negative messaging to get users to comply. Offering positive incentives for employees who respond to threats appropriately can improve attitudes toward security, as can taking a collaborative approach with struggling users.
- Not considering user-centered measures of effectiveness. It helps to think of concrete metrics as symptom identifiers, such as help desk calls that reveal users’ pain points and incidents like phishing clicks that can show where users need more support.
“Cybersecurity professionals cannot hope to solve today’s cybersecurity challenges on their own. Cybersecurity is a group effort requiring the commitment of everyone within an organization.”