Humans are often regarded as the “weakest link” in information security. However, organizations have historically relied on the effectiveness of technical security controls, instead of trying to understand why people are susceptible to mistakes and manipulation. A new approach is clearly required; one that helps organizations to understand and manage psychological vulnerabilities and adopts technology and controls that are designed with human behavior in mind. That new approach is human-centered security.
Human-centered security starts with understanding humans and their interaction with technologies, controls and data. By discovering how and when humans “touch” data throughout the working day, organizations can uncover the circumstances where psychological-related errors may lead to security incidents.
For years, attackers have been using methods of psychological manipulation to coerce humans into making errors. Attack techniques have evolved in the digital age, increasing in sophistication, speed and scale. Understanding what triggers human error will help organizations make a step change in their approach to information security.
Identifying human vulnerabilities
Human-centered security acknowledges that employees interact with technology, controls and data across a series of touchpoints throughout any given day. These touchpoints can be digital, physical or verbal. During such interactions, humans will need to make decisions. Humans, however, have a range of vulnerabilities that can lead to errors in decision making, resulting in negative impacts on the organization, such as sending an email containing sensitive data externally, letting a tailgater into a building or discussing a company acquisition on a train. These errors can also be exploited by opportunistic attackers for malicious purposes.
In some cases, organizations can put preventative controls in place to reduce the chance of errors being made, e.g., preventing employees from sending emails externally, strong encryption of laptops or physical barriers. However, errors can still get through, particularly if individuals decide to subvert or ignore these types of controls to complete work tasks more efficiently or when time is constrained. Errors may also manifest during times of heightened pressure or stress.
By identifying the fundamental vulnerabilities in humans, understanding how psychology works and what triggers risky behavior, organizations can begin to understand why their employees might make errors, and begin managing that risk more effectively.
The latest report from the ISF addresses psychological vulnerabilities and how human error can lead to security breaches.