Cybersecurity approaches traditionally protect data and users by selecting the most effective and secure processes, tools and programs, regardless of complexity and user impact. Humanizing security, by contrast, is an approach that prioritizes the people who need the protection over the items being protected.
Security should be designed, implemented and supported by starting with the people. If items are made "secure" but unusable for the people who rely on them, the security will be worked around or resisted, which results in less protection than expected (and required). As Anne Adams and Angela Sasse showed in their 1999 study "Users Are Not the Enemy," most insecure user behavior is not carelessness but a predictable response to security mechanisms designed without regard for how people actually work: the more complex the mechanism, the more of the threat it might keep out in theory, and the harder it becomes for the people it is meant to protect to use it in practice.
When designing security, in addition to how secure it makes things, there needs to be consideration for how much it harms users in its implementation. Overly complex, non-humanized security is like a classic Corvette encased in cement: it is secure and no damage can easily be done to it, but ultimately it has no value, because it cannot be driven, seen or enjoyed. Security that is too hard to use or too disruptive to its users is therefore less valuable than it appears, because its complexity imposes a burden on the user that prevents its full effectiveness.
The human element should be considered in each step of security: preparation for an attack, response during an attack and recovery after an attack. The last step, recovery, is where security professionals most often drop the ball concerning the human element. The financial cost of an attack is considered, but the emotional cost of recovery is not. Security professionals must ask: Did the attack leave an employee too afraid to take action, cause lasting emotional damage, or result in corporate paralysis out of fear of another attack?
Humanizing security goes beyond material impact and argues that cyberattacks hurt people beyond the financial loss, causing emotional damage that affects performance, quality of life and outcomes. Not addressing these issues as part of the security process can leave users hurt and alone. Imagine an accounts receivable clerk who is tricked into wiring $123,000 to a fraudster. What does that do to their ability to keep working? What does it do to how colleagues view them? Both questions point to an impact of cyberattacks that is routinely underestimated.
In a humanized security approach, for security to be functional, it needs to be seen as valuable, manageable and relevant from the user’s perspective:
- Valuable: Do users fear the threat? Do they think someone may try and attack them? Do users feel safe enough right now?
- Manageable: Can users implement the security and still do work in a reasonable way?
- Relevant: Do users value the security? How does it affect their life? Do users understand how security keeps them working and safe?
Without these three elements, security will be resisted by users, and the emotional stress caused by attacks will remain unaddressed. As an industry, security professionals need to see beyond the technical issues to the human issues. Security is about the human experience first and is supported by the technology second.