ISF Proposal for “Human-Centered Security” Focuses Security Awareness on People’s Interactions With Technology
How can security keep pace with a cyber threat landscape that rapidly becomes more sophisticated and appears to have an unlimited appetite for growth? The Information Security Forum (ISF) believes that human-centered security is the way forward. The idea starts with a simple premise, and one backed up by empirical evidence; human beings tend to be the weak link in any security setup. Security awareness thus must stay in tune with expected realities and patterns of behavior in how they interact with technology and make decisions while using it.
Human-centered security: A brief summary
In the broadest possible sense, the “human-centered security” approach is basically a system of positive reinforcement and good public relations. It is universally true that employees are the most likely entry point for a data breach, with phishing being the most frequent cause by a large margin (and accidental misconfigurations and similar mishaps also contributing). However, the ISF posits that one of the biggest shortcomings of current security awareness is in blaming and shaming employees for these “weakest link” incidents without providing an appropriate level of support.
While the current spectrum of security awareness elements all remain equally important, together these elements are not doing an adequate job of preparing employees for their role in the overall process. Human-centered security would account for this with a program of initiatives and reminders that intervene at the points at which people commonly make poor security decisions, and enable and reward them with positive reminders of what good choices look like.
The human-centered security approach begins with mapping out the factors that influence employee security choices, delivering training and awareness in the right way, designing systems and processes to account for expected behavior, and developing metrics to measure the success of the program.
Addressing security awareness
One of the biggest consistent issues in corporate security awareness programs is a simple lack of funding. The study finds that 92% are running some sort of training program to abate security incidents, but only 32% are spending on a program that promotes behavioral or internal culture change.
How does a human-centered security system improve outcomes? Central elements are positive reinforcement delivered via a combination of regular trainings / dialogue and a “just in time” system that intervenes at critical moments of potential breakdown. The approach stresses emotionally stimulating content and short, frequent intervals to best improve organization-wide security awareness. The approach also details ways to add these training courses and reminders into the overall design of both the network and even the physical office space.
A focus on human psychology underpins the human-centered security approach, and this has only become more important as the working environment has expanded and as organizations make plans for remote work to continue beyond the extent of the pandemic conditions.