Individual behavior is an important factor in security, but according to the Information Security Forum (ISF), there’s a growing recognition that security awareness in isolation rarely leads to sustained behavior change.
The ISF argues that organizations need to proactively develop a robust human-centred security program to reduce the number of security incidents associated with poor security behavior and is releasing a new digest to help.
Titled Human-Centred Security: Positively Influencing Security Behavior, the digest is aimed at helping senior leaders better understand the key drivers behind human behavior, how they can positively influence people, and how to use the right techniques to empower employees to keep the organization secure.
“Errors and acts of negligence can cause significant financial and reputational damage to an organization, with many security incidents and data breaches originating from a human source,” says Daniel Norman, senior solutions analyst at the ISF and author of the digest. “A human-centred security program helps organizations to understand their people and carefully craft initiatives that are targeted at behavior change, reducing the number of security incidents related to human error and negligence.”
A human-centred security program uses psychology to address the fundamental strengths and weaknesses in the human mind and aims to enhance the working environment to enable employees to behave securely. A successful program uses cross-departmental collaboration to fully grasp the current state of security behavior, which then enables organizations to target investment to address the identified risks.
“There are some simple initiatives organizations can engage in to design secure behavior into everyday activities,” says Lisa Plaggemier, chief strategy officer at MediaPro, a Seattle, Washington-based provider of cybersecurity and privacy education. “For developers, there are plenty of tools that don’t interrupt their workflow that help them to ‘design’ security into their code. Some of them also include ‘teachable moment’ training when they scan their code and are ready to check it in. I’m a huge fan of tools that don’t ask people to do things differently, but rather help them to be more secure in a way that is designed around their function.”