How can security keep pace with a cyber threat landscape that rapidly becomes more sophisticated and appears to have an unlimited appetite for growth? The Information Security Forum (ISF) believes that human-centered security is the way forward. The idea starts with a simple premise, one backed up by empirical evidence: human beings tend to be the weak link in any security setup. Security awareness must therefore stay in tune with the realities and patterns of how people actually interact with technology and make decisions while using it.
Human-centered security: A brief summary
In the broadest possible sense, the “human-centered security” approach is a system of positive reinforcement and good public relations. It is universally true that employees are the most likely entry point for a data breach, with phishing being the most frequent cause by a large margin (and accidental misconfigurations and similar mishaps also contributing). However, the ISF posits that one of the biggest shortcomings of current security awareness is in blaming and shaming employees for these “weakest link” incidents without providing an appropriate level of support.
While the current spectrum of security awareness elements all remain equally important, together these elements are not doing an adequate job of preparing employees for their role in the overall process. Human-centered security would account for this with a program of initiatives and reminders that intervene at the points at which people commonly make poor security decisions, and enable and reward them with positive reminders of what good choices look like.
The human-centered security approach begins with mapping out the factors that influence employee security choices, delivering training and awareness in the right way, designing systems and processes to account for expected behavior, and developing metrics to measure the success of the program.
Organizations begin by assessing their present state of maturity on a five-point ladder used in the annual SANS Security Awareness report. Companies progress from non-existent security awareness, to a compliance-focused program, to actively promoting awareness and behavior change, to long-term sustained culture change, and finally to the implementation of a robust metrics framework. Only about 1% of the companies in the 2019 SANS survey had made it all the way to the top of that ladder; the majority are in the midst of promoting security awareness or are simply doing the minimum necessary to meet compliance requirements, which leaves a lot of room for human error.
Addressing security awareness
One of the biggest consistent issues in corporate security awareness programs is a simple lack of funding. The study finds that 92% are running some sort of training program to abate security incidents, but only 32% are spending on a program that promotes behavioral or internal culture change.
Mapping out an organization-specific program is important as what constitutes “poor security behavior” can vary depending on the circumstances. The human-centered security approach breaks all of this down into three generalized categories of factors on the employee end: attitude, motivation, and proficiency. The management end has its own set of three factors: communication, capabilities and leadership. The program begins with collecting evidence of and mapping out these employee behavior factors to establish a baseline, then implementing transformational security awareness initiatives to address them. Behavioral metrics are collected and mapped against the original behavior profile to refine and optimize the program.
What data is a baseline drawn from? The research suggests incident and compliance audit logs, risk assessment results, alerts from behavior analytics tools, results of previous data breaches and completed security training as some examples. This data is combined with the previously mentioned behavioral factors to create a profile that demonstrates exactly where the security awareness problems tend to be.
How does a human-centered security system improve outcomes? Its central elements are positive reinforcement, delivered through a combination of regular training and dialogue, and a “just in time” system that intervenes at critical moments where a breakdown is likely. The approach stresses emotionally engaging content delivered in short, frequent intervals to best improve organization-wide security awareness. It also details ways to build these training courses and reminders into the overall design of both the network and the physical office space.
One of the keys to empowering employees (and making all of this work as intended) is inter-department communication and collaboration. This means more effective communication from the security team to the rest of the staff, but it also means addressing issues and negative sentiment among the information security staff themselves. For example, IT and security professionals tend to feel overburdened and are dealing with extra stress in the midst of the Covid-19 pandemic. Lisa Plaggemier, Chief Strategy Officer at MediaPro, addressed what this sort of communication should look like: “If the ‘brand’ of your security team isn’t to be approachable, helpful, and add value, you won’t be included in projects where you really do need a seat at the table. Your training and awareness program is the most visible thing your security team does, so use it to show that you want to work with the business, not against it, and that you’re friendly and approachable. This is the reason why I don’t advocate for training and awareness that relies on fear-mongering to get people’s attention.”
A focus on human psychology underpins the human-centered security approach, and this has only become more important as the working environment has expanded and as organizations make plans for remote work to continue beyond the pandemic.