Human-Centric Security Model Meets People Where They Are

Human-Centric Security Model Meets People Where They Are

December 7, 2023 at 09:07PM

According to Gartner, 93% of employees may violate security policies to avoid inconvenience. Companies are adopting human-centric security, focusing on reducing friction and tailoring policies and training to users’ needs. Enhanced security tools and positive reinforcement are employed to encourage secure behavior without impeding workflows.

**Meeting Takeaways:**

– **Employees Bypass Security:** A Gartner survey found that 93% of employees who engage in insecure behaviors do so knowingly, often because security measures are inconvenient.

– **Friction from Security Measures:** Employees face difficulties in complying with cybersecurity controls due to added friction such as multifactor authentication and complex policies.

– **Shift to Human-Centric Security:** Organizations are moving towards a human-centric approach to cybersecurity, which prioritizes understanding the employee experience and reducing friction. This involves creating readable policies, simplifying security processes, using positive reinforcement, and offering supportive help.

– **Predictions and Trends:**
– By 2027, 50% of CISOs will have adopted human-centric security approaches.
– By 2030, 80% of enterprises are predicted to have a formal human risk management program.

– **Incorporating User Feedback:** Companies like Random Timer involve employees in deciding on new security solutions to ensure they address user concerns about convenience and usability.

– **Technology Adoption to Reduce Friction:** There is a focus on adopting technologies that are less intrusive, such as browser security that doesn’t require user thinking, and passwordless access.

– **Behavioral Cues:** Utilizing behavioral cues technology can help modify employees’ actions without being punitive—for instance, alerting users when their actions may be a security risk.

– **Understanding User Needs:**
– Conducting interviews, observations, and surveys to gather user feedback.
– Prototyping and refining minimum viable products based on feedback.
– Employing usability experts to advocate for employees.

– **Examples of User-Centric Approaches:**
– Santander integrating UX principles into cybersecurity practices.
– Johnson & Johnson converting forbidden activities into a self-service assessment that guides employees to safe alternatives.

– **Training Tailored to Roles:** Security training should be specific to the various interactions that different employee types have with technology, customers, and data.

– **Building a ‘Yes’ Culture:** Instead of outright denying certain actions, provide employees with alternative, secure ways to achieve their goals, thereby discouraging them from bypassing the system.

– **Soliciting Feedback:** Companies that invite feedback on their policies often find it advantageous, as it can lead to meaningful improvements in policy accessibility and user experience.

– **Conclusion:** The success in cybersecurity hinges on integrating technology with a process and philosophy that places humans at the core, favoring user-centric design over solely tech-driven solutions.

Full Article