ISF research has found that errors and manipulation now account for the majority of security incidents. By helping staff understand how these vulnerabilities can lead to poor decision making and errors, organizations can manage risk. In an effort to support global organizations, the ISF today announced the release of Human-Centred Security: Addressing Psychological Vulnerabilities, the organization's latest digest, which helps security professionals understand how psychological vulnerabilities in humans can lead to errors in decision making, identify the methods and techniques attackers use to exploit those vulnerabilities, and manage psychological vulnerabilities to improve information security. Underlying psychological vulnerabilities mean that humans are prone both to making errors and to manipulative and coercive attacks.
“Human-centred security starts by acknowledging that humans have psychological vulnerabilities that may impact decision making,” said Steve Durbin, Managing Director, ISF. “During interactions with technology, controls and data, employees may make errors that lead to security incidents, negatively impacting the organization. By understanding what triggers human error and the psychological methods attackers use to manipulate their targets, organizations can improve security awareness and design controls to account for human behavior, enabling them to mitigate the risk of human error.”
Many different terms are used to describe human-centred security, including human-centric security, people-centric security or people-focused security. They all relate to the aim of mitigating or reducing the risk of human error. ISF research identified that organizations are struggling to manage the risk of what is called “the accidental insider” – the authorized member of staff making accidental errors. Equally, traditional security controls are proving to be less effective at preventing external malicious attacks. Attackers are transitioning away from malware-based attacks to more targeted, social engineering-based attacks designed to coerce or influence the accidental insider into making exploitable errors.