Organizations Should Use Psychology to Promote Secure Behavior Among Staff
Errors and acts of negligence can cause significant financial and reputational damage to an organization…
Daniel Norman, Senior Solutions Analyst at the ISF
Organizations should improve their understanding of the human mind to establish more secure behaviors among employees, according to the Information Security Forum (ISF).
The group has published a new report entitled Human-Centred Security: Positively Influencing Security Behavior, which aims to help organizations develop the right psychological techniques to ultimately empower their staff to engage in more secure behaviors.
This issue of individual errors leading to security incidents has been exacerbated by the recent shift to remote working during COVID-19, with employees more distracted and stressed and with less access to IT personnel.
The new digest sets out guidance for senior leaders on managing this risk, using psychological theory to help them understand the key drivers of human behavior and how to influence people in a positive way through education, awareness and training. The guidance also details how systems, applications, processes and the physical environment can be designed to account for human behaviors.
Daniel Norman, senior solutions analyst at the ISF, explained: “Errors and acts of negligence can cause significant financial and reputational damage to an organization, with many security incidents and data breaches originating from a human source.
“A human-centred security program helps organizations to understand their people and carefully craft initiatives that are targeted at behavior change, reducing the number of security incidents related to human error and negligence.”
Commenting on the research, Lisa Plaggemier, chief strategy officer at MediaPro, said: “There are some simple initiatives organizations can engage in to design secure behavior into everyday activities. For developers, there are plenty of tools that don’t interrupt their workflow that help them to ‘design’ security into their code. Some of them also include ‘teachable moment’ training when they scan their code and are ready to check it in. I’m a huge fan of tools that don’t ask people to do things differently, but rather help them to be more secure in a way that is designed around their function.”