Security awareness rarely leads to sustained behavior change on its own, according to a recent analysis – meaning that organizations need to proactively develop a robust “human-centered” security program to reduce the number of security incidents associated with poor security behavior.
According to the Information Security Forum (ISF), the information security industry is playing catch-up when it comes to positively influencing behavior. The proliferation of remote-working arrangements, exacerbated by the stress associated with the pandemic, has underlined the importance of strengthening the human elements of security.
In its digest released this week, entitled “Human-Centered Security: Positively Influencing Security Behavior,” the ISF laid out four elements that can move the needle on security behavior:
- Understanding the key factors that influence employees’ security choices
- Delivering impactful security education, training, and awareness
- Designing systems, applications, processes, and the physical environment to account for user behavior
- Developing metrics to measure behavior change and demonstrate return on investment
“Errors and acts of negligence can cause significant financial and reputational damage to an organization, with many security incidents and data breaches originating from a human source,” said Daniel Norman, senior solutions analyst at the ISF, and author of the report. “A human-centered security program helps organizations to understand their people and carefully craft initiatives that are targeted at behavior change, reducing the number of security incidents related to human error and negligence.”
A successful program leverages cross-departmental collaboration to fully grasp the current state of security behavior, which subsequently enables organizations to target investment to mitigate the identified risks.