The information
security industry is playing catch-up when it comes to positively influencing
behavior - the proliferation of remote working arrangements, exacerbated by the
stress associated with the pandemic, has underlined the importance of
strengthening the human elements of security. With this in mind, the benefits
of a human-centred approach to security are clear. According to the Information Security Forum (ISF), with growing recognition that
security awareness in isolation rarely leads to sustained behaviour change,
organizations need to proactively develop a robust human-centred security
program to reduce the number of security incidents associated with poor
security behavior.
To aid
organizations to invest effort and resources in understanding the human mind
and deploying the right techniques so they can influence behavior, the ISF is
releasing Human-Centred Security: Positively Influencing Security Behavior.
The organization's latest digest helps enterprises to develop mature approaches
to managing human risk by setting out several initiatives supported by
established psychological theory. The digest will enable senior leaders to
better understand the key drivers behind human behavior, how they can
positively influence people and use the right techniques to empower employees
to keep the organization secure.
"Errors and
acts of negligence can cause significant financial and reputational damage to
an organization, with many security incidents and data breaches originating
from a human source," said Daniel Norman, Senior Solutions Analyst at
the ISF, and author of the
digest. "A human-centred security program helps organizations to understand
their people and carefully craft initiatives that are targeted at behavior
change, reducing the number of security incidents related to human error and
negligence."
A
human-centred security program uses psychology to address the fundamental
strengths and weaknesses in the human mind and aims to enhance the working
environment to enable employees to behave securely. A successful program
leverages cross-departmental collaboration to fully grasp the current state of
security behavior, which subsequently enables organizations to target
investment to mitigate the identified risks.
Human-Centred
Security: Positively Influencing Security Behavior provides organizations with guidance on:
- Understanding
the key factors that influence employees' security choices
- Delivering
impactful security education, training, and awareness
- Designing
systems, applications, processes, and the physical environment to account
for user behavior
- Developing
metrics to measure behavior change and demonstrate return on investment
"Technology
and processes should complement behavior, not add friction and impede
productivity," said Steve Durbin, Managing Director, ISF. "A typical strategy
should aim to reduce the number of security incidents and improve the accuracy
of incident reporting - therefore human-centred security is an ideal mechanism
for meeting these goals."
"If the ‘brand' of your security team isn't to be
approachable, helpful, and add value, you won't be included in projects where
you really do need a seat at the table," said Lisa Plaggemier, Chief Strategy
Officer at MediaPro, a Seattle, Washington-based provider of
cybersecurity and privacy education. "Your training and awareness program is
the most visible thing your security team does, so use it to show that you want
to work with the business, not against it, and that you're friendly and
approachable. This is the reason why I don't advocate for training and
awareness that relies on fear-mongering to get people's attention."
For more
information on Human-Centred Security: Positively Influencing Security
Behavior, or any aspect of the ISF, please visit the ISF website.