Daniel Norman is a Senior Solutions Analyst at the Information Security Forum (ISF).
It is clear that for millennia attackers have manipulated, confused, intimidated and blackmailed individuals into giving up sensitive information or causing financial damage. Whilst data breach statistics related to behaviour are damning, there are tangible, cost-effective technical and non-technical initiatives that organisations can invest in. The ultimate goal is to identify, measure and analyse the security behaviour of the workforce, demonstrate compliance with regulations, reduce the frequency of security incidents and build trust across the organisation. This approach is called ‘Human-Centred Security’.
To achieve this goal, it is important to understand that security behaviour is incredibly susceptible to a number of influential and disruptive factors. These factors can be grouped into two categories: internal and external influencing factors.
Know your risk
Internal factors relate to an individual’s psychological processes and competence, specifically their attitude, motivation and overall understanding of security risks and threats. External factors recognise that an individual’s behaviour is affected by the way an organisation communicates with its workforce, the tools and capabilities provided to employees, and the influence that senior leaders can have on behaviour at scale. Meaningful analysis must be conducted to profile the security behaviour of the workforce. Quantitative data gathered from the Security Operations Centre, behavioural analytics and incident response can indicate which teams are causing the most incidents. This, coupled with qualitative workshops and focus groups, can provide invaluable insight into why these incidents are happening in the first place. For example, teams may not know whom to report an incident to; they might not have a readily available tool with which to report it; they may not understand why security is their responsibility. These insights help determine which behavioural factors need to be influenced, and why.
Armed with these insights, security leaders can begin influencing behaviour at scale, motivating individuals to behave securely and improving the speed and accuracy with which incidents are reported. A multi-layered approach must be taken. Simply running e-learning during onboarding and then once per year, or a single phishing simulation, will never have the desired long-term impact on behaviour. It may have a short-term influence on ‘proficiency’, but it will have no real impact on the other factors, such as example-setting by security leaders, the tools provided to employees to help with reporting, or internal communication of threats.
Organisations must therefore design education, training and awareness materials that are targeted and tailored to specific role requirements; are emotionally engaging and entertaining; are delivered frequently in small doses; and use a consistent and memorable style. Such materials can have a profound impact on attitude, motivation and proficiency, influencing individuals to behave securely, reducing the likelihood of human error and empowering them to withstand social engineering attacks. Moreover, organisations can adopt ‘secure behaviour by design’, an approach to developing systems, applications, processes and the physical environment in a usable manner that guides good security behaviour. By removing the option for bad behaviours to manifest, organisations can make secure choices available to employees without impeding productivity or adding friction to daily tasks. This can only be achieved, however, by engaging with employees to understand their role requirements and how security affects their interaction with the relevant systems, applications and processes.