Oh, the Humanity! How to Make Humans Part of Cybersecurity Design

November 5, 2024 at 10:14AM

Security teams increasingly recognize the need for a human-centric cybersecurity (HCC) approach, aiming to reduce user errors through better usability and collaboration. Instead of relying solely on technology, organizations should focus on employee training, feedback, and supportive environments, fostering a culture that empowers rather than blames users for breaches.

### Meeting Takeaways on Human-Centric Cybersecurity (HCC)

1. **Understanding the Issue**: Security teams often view non-security coworkers as vulnerabilities in cybersecurity plans; human errors contributed to 68% of breaches in 2023. This leads to an over-reliance on technology to mitigate risks.

2. **Critique of Current Approaches**: Relying on technology alone to remediate human error is failing. The National Institute of Standards and Technology (NIST) warns that poor usability and excessive security measures that ignore user feedback can themselves create insider threats.

3. **Adoption of HCC Approach**: Organizations are encouraged to implement a human-centric cybersecurity approach, which prioritizes users’ needs and incentivizes secure behavior. Elements of HCC include:
– Security awareness and anti-phishing training.
– User feedback mechanisms in security products.
– Minimization of security burdens on users.

4. **CISO Trends**: Gartner predicts that by 2027, half of large enterprises will adopt human-centric cybersecurity practices. This includes initiatives that consider human behavior and needs in cybersecurity.

5. **Moving Towards Collaboration**: Security teams should foster a cybersecurity-focused culture by collaborating with employees rather than just instructing them. This recognizes the diverse behaviors and needs of individuals.

6. **Key Actions for Security Behavior and Culture Programs (SBCPs)**:
– Conduct threat simulations.
– Integrate automation and data analytics to assist users.
– Reward employees for reporting security incidents.
– Track metrics to measure the impact of SBCPs.

7. **Addressing Cybersecurity Stress**: Minimizing friction related to cybersecurity can alleviate stress and burnout among cybersecurity leaders, with expectations that many will leave the industry due to job-related stress.

8. **Lack of Standard Definitions**: There is currently no standardized definition for HCC, which highlights the need for further research into how to enhance security support for workers.

9. **Biden Administration’s Focus**: The latest Federal Cybersecurity Research and Development Plan prioritizes HCC, advocating for improved user experience and usability in digital technologies.

10. **Emerging Human Risk Management**: The concept reflects a shift from traditional compliance-oriented training to a focus on educating and reducing risks associated with employee actions.

11. **Employee Awareness**: A considerable proportion of employees are aware of their role in cybersecurity and express concern about their potential to cause breaches. Organizations should channel these concerns into constructive actions rather than placing blame on the individuals.

12. **Constructive Approach to Errors**: Organizations should analyze systemic issues rather than simply blaming employees for mistakes. Empowering employees to communicate issues can lead to better security practices.

13. **Caution with User Tracking**: While user monitoring can help identify weaknesses, it is essential to approach this with care to avoid labeling individuals negatively.

### Action Items
– Implement user-friendly security protocols.
– Enhance communication between security teams and employees.
– Support educational programs focusing on human-centric practices.
– Monitor employee feedback to improve security processes continuously.