New Information Security Forum research explores human-centered security

It's Time to Change Your Perception of the Cybersecurity Professional

November 24, 2020

The information security industry is playing catch-up when it comes to positively influencing behavior – the proliferation of remote working arrangements, exacerbated by the stress associated with the pandemic, has underlined the importance of strengthening the human elements of security. With this in mind, the benefits of a human-centered approach to security are clear. According to the Information Security Forum (ISF), with growing recognition that security awareness in isolation rarely leads to sustained behavior change, organizations need to proactively develop a robust human-centered security program to reduce the number of security incidents associated with poor security behavior.

To aid organizations to invest effort and resources in understanding the human mind and deploying the right techniques so they can influence behavior, the ISF is releasing Human-Centred Security: Positively Influencing Security Behavior. The organization’s latest digest helps enterprises to develop mature approaches to managing human risk by setting out several initiatives supported by established psychological theory. The digest will enable senior leaders to better understand the key drivers behind human behavior, how they can positively influence people and use the right techniques to empower employees to keep the organization secure.

“Errors and acts of negligence can cause significant financial and reputational damage to an organization, with many security incidents and data breaches originating from a human source,” said Daniel Norman, Senior Solutions Analyst at the ISF, and author of the digest. “A human-[centered]security program helps organizations to understand their people and carefully craft initiatives that are targeted at behavior change, reducing the number of security incidents related to human error and negligence.”

A human-centered security program uses psychology to address the fundamental strengths and weaknesses in the human mind and aims to enhance the working environment to enable employees to behave securely. A successful program leverages cross-departmental collaboration to fully grasp the current state of security behavior, which subsequently enables organizations to target investment to mitigate the identified risks.

Human-Centred Security: Positively Influencing Security Behavior provides organizations with guidance on:

Understanding the key factors that influence employees’ security choices
Delivering impactful security education, training, and awareness
Designing systems, applications, processes, and the physical environment to account for user behavior
Developing metrics to measure behavior change and demonstrate return on investment

“Technology and processes should complement behavior, not add friction and impede productivity,” said Steve Durbin, Managing Director, ISF. “A typical strategy should aim to reduce the number of security incidents and improve the accuracy of incident reporting – therefore human-[centered] security is an ideal mechanism for meeting these goals.”

Lisa Plaggemier, Chief Strategy Officer at MediaPro, a Seattle, Washington-based provider of cybersecurity and privacy education, explains, "If the “brand” of your security team isn’t to be approachable, helpful, and add value, you won’t be included in projects where you really do need a seat at the table. Your training and awareness program is the most visible thing your security team does, so use it to show that you want to work with the business, not against it, and that you’re friendly and approachable. This is the reason why I don’t advocate for training and awareness that relies on fear-mongering to get people’s attention. There are some simple initiatives organizations can engage in to design secure behavior into everyday activities. For developers, there are plenty of tools that don’t interrupt their workflow that help them to “design” security into their code. Some of them also include “teachable moment” training when they scan their code and are ready to check it in. I’m a huge fan of tools that don’t ask people to do things differently, but rather help them to be more secure in a way that is designed around their function."

For more information, or any aspect of the ISF, please visit the ISF website.

In this webinar, we review the results of a benchmark study that asked security professionals about their past, present and future outlook on manned guarding. Want to know what your peers are saying about their weekly billed hours? Join us to find out!

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.

Poll

Comparison Metrics

View Results

Poll Archive

Products

Effective Security Management, 7th Edition

Effective Security Management, 5e, teaches practicing security professionals how to build their careers by mastering the fundamentals of good management. Charles Sennewald brings a time-tested blend of common sense, wisdom, and humor to this bestselling introduction to workplace dynamics.

See More Products

New Information Security Forum research explores human-centered security

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.

New Information Security Forum research explores human-centered security

Related Articles

Related Products

Related Events

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.