Oh, the Humanity! Incorporating Humans into Cybersecurity

Security teams often view their nonsecurity colleagues as the weak point in any cybersecurity strategy, and so lean heavily on technology to compensate for the poor decisions they expect those colleagues to make. The mindset is rooted in statistics showing that the “human element” was a factor in a large share of breaches in recent years.

According to Verizon’s “Data Breach Investigations Report,” 68% of breaches in 2023 and 74% of breaches in 2022 involved a human element (an error, privilege misuse, a stolen credential, or a successful social-engineering attempt) rather than a purely technical failure. Those figures have pushed organizations toward a technology-driven response to the problem. However, experts argue that simply trying to fix “dumb choices” with technology is not an effective long-term way to strengthen security.

The National Institute of Standards and Technology (NIST) released a publication titled “Users Are Not Stupid,” urging organizations to stop manufacturing insider risk through poor usability, excessive security layers, and disregard for user feedback. Instead, it recommends a human-centered cybersecurity (HCC) approach that designs processes and products around users’ needs, motivations, and behaviors.

HCC programs advocate for security awareness training, anti-phishing education, user feedback mechanisms built into security products, and a smaller share of the security burden resting on individual users. Key components of an HCC approach include security monitoring and user/entity behavior analytics (UEBA) tools, which establish a baseline of how people and systems normally behave so that deviations can be investigated, helping companies understand and address human vulnerabilities rather than guess at them.
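The UEBA idea mentioned above, reduced to its core, as an added illustration that is not code from the article, NIST, or any UEBA vendor: each user is scored against their own historical baseline rather than against a fixed rule, so a night-shift worker’s 22:00 login is routine for them while the same hour would be unusual for a colleague. The event format, the two signals (new country, unusual hour) and the threshold are assumptions chosen for the example; the login events are constructed sample data.

```python
"""Minimal UEBA-style baseline scoring over constructed login events.

Added illustration, not code from the article or from NIST/Gartner. It assumes
a flat event tuple (user, ISO timestamp, country) and two hand-picked signals;
real UEBA products use many more signals and learned thresholds.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: a few "normal" logins per user, then the events to score.
BASELINE_EVENTS = [
    ("alice", "2024-03-04T09:02:00", "US"),
    ("alice", "2024-03-05T08:55:00", "US"),
    ("alice", "2024-03-06T09:10:00", "US"),
    ("alice", "2024-03-07T17:40:00", "US"),
    ("bob",   "2024-03-04T22:15:00", "DE"),   # bob works evenings
    ("bob",   "2024-03-05T23:05:00", "DE"),
    ("bob",   "2024-03-06T21:50:00", "DE"),
]
NEW_EVENTS = [
    ("alice", "2024-03-11T09:05:00", "US"),   # routine for alice
    ("alice", "2024-03-11T03:12:00", "RU"),   # new country and unusual hour
    ("bob",   "2024-03-11T22:30:00", "DE"),   # routine for bob, odd for alice
    ("carol", "2024-03-11T10:00:00", "US"),   # no baseline at all
]


def build_baselines(events):
    """Per-user baseline: set of countries seen and an hour-of-day histogram."""
    baselines = defaultdict(lambda: {"countries": set(), "hours": Counter()})
    for user, ts, country in events:
        hour = datetime.fromisoformat(ts).hour
        baselines[user]["countries"].add(country)
        baselines[user]["hours"][hour] += 1
    return baselines


def score_event(baselines, event):
    """Return (score, reasons); higher means further from the user's own baseline."""
    user, ts, country = event
    if user not in baselines:
        # Unknown users get a low, non-zero score: worth a look, not an alert.
        return 1, ["no baseline for user"]
    base = baselines[user]
    hour = datetime.fromisoformat(ts).hour
    score, reasons = 0, []
    if country not in base["countries"]:
        score += 2
        reasons.append(f"new country {country}")
    # "Usual" hours are within +/-2h of any hour this user has logged in before.
    usual = {(h + d) % 24 for h in base["hours"] for d in range(-2, 3)}
    if hour not in usual:
        score += 1
        reasons.append(f"unusual hour {hour:02d}:00")
    return score, reasons


def flag_anomalies(baseline_events, new_events, threshold=2):
    """Score every new event against the baselines; return those at or above threshold."""
    baselines = build_baselines(baseline_events)
    flagged = []
    for ev in new_events:
        score, reasons = score_event(baselines, ev)
        if score >= threshold:
            flagged.append((ev[0], score, reasons))
    return flagged


if __name__ == "__main__":
    for user, score, reasons in flag_anomalies(BASELINE_EVENTS, NEW_EVENTS):
        print(user, score, "; ".join(reasons))
```

Only alice’s 03:12 login from a new country crosses the threshold; bob’s late-evening login scores zero because it matches his own pattern. That per-user framing is what keeps such a tool from simply punishing anyone whose working hours differ from the majority.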

Julie Haney, the HCC program lead at NIST’s Information Technology Laboratory, emphasizes putting people at the forefront of security design and implementation. Usable solutions, she argues, prevent the errors, risky decisions, and insecure workarounds that employees otherwise resort to in order to get their jobs done.

NIST recently launched the Human-Centered Cybersecurity Community of Interest (COI) to facilitate discussions among practitioners, academics, and policymakers on enhancing security effectiveness and user-friendliness. The move signals a broader industry shift towards prioritizing human factors in cybersecurity initiatives.

Gartner, the research and advisory firm, forecasts that by 2027 half of large enterprises’ Chief Information Security Officers (CISOs) will have adopted human-centric security design practices. The firm lists human-centric security design among its top cybersecurity trends, emphasizing that organizational strategies must address security behavior and culture, not just controls.

Victoria Cason, a senior principal analyst at Gartner, stresses the need for a shift from talking “at” employees towards engaging in collaborative efforts to shape a cybersecurity-focused culture. Taking a human-centric approach entails understanding and accommodating diverse human behaviors, actions, and needs to promote secure practices effectively.

Gartner proposes the Security Behavior and Culture Programs (SBCPs) framework, which includes running threat simulations such as phishing exercises, leveraging automation and data analytics, incentivizing incident reporting, and measuring program impact through metrics rather than training-completion counts. Organizations embracing SBCPs are credited with proactively building a robust security culture and reducing risk more effectively.
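What “measuring program impact through metrics” can look like for the threat-simulation piece, as an added example that is not code from the article or from Gartner’s SBCP material: a constructed phishing-simulation event log for two quarterly campaigns is aggregated into click rate, report rate, time to first report, and the number of people who clicked but still reported. The event names, log layout and the “recovered after click” measure are assumptions for the example; the data is constructed.

```python
"""Program-impact metrics for a phishing simulation, from constructed events.

Added illustration, not code from the article or Gartner. Event names
(sent/clicked/reported), the (campaign, user, event, ISO timestamp) log format
and the "recovered after click" measure are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed log: two quarterly campaigns sent to the same six users.
EVENTS = [
    ("q1", "alice", "sent",     "2024-01-10T09:00:00"),
    ("q1", "alice", "clicked",  "2024-01-10T09:04:00"),
    ("q1", "bob",   "sent",     "2024-01-10T09:00:00"),
    ("q1", "bob",   "reported", "2024-01-10T09:30:00"),
    ("q1", "carol", "sent",     "2024-01-10T09:00:00"),
    ("q1", "carol", "clicked",  "2024-01-10T09:02:00"),
    ("q1", "carol", "reported", "2024-01-10T09:03:00"),  # clicked, then reported
    ("q1", "dave",  "sent",     "2024-01-10T09:00:00"),
    ("q1", "erin",  "sent",     "2024-01-10T09:00:00"),
    ("q1", "frank", "sent",     "2024-01-10T09:00:00"),
    ("q1", "frank", "clicked",  "2024-01-10T11:00:00"),
    ("q2", "alice", "sent",     "2024-04-10T09:00:00"),
    ("q2", "alice", "reported", "2024-04-10T09:06:00"),
    ("q2", "bob",   "sent",     "2024-04-10T09:00:00"),
    ("q2", "bob",   "reported", "2024-04-10T09:10:00"),
    ("q2", "carol", "sent",     "2024-04-10T09:00:00"),
    ("q2", "carol", "reported", "2024-04-10T09:02:00"),
    ("q2", "dave",  "sent",     "2024-04-10T09:00:00"),
    ("q2", "dave",  "clicked",  "2024-04-10T09:20:00"),
    ("q2", "erin",  "sent",     "2024-04-10T09:00:00"),
    ("q2", "frank", "sent",     "2024-04-10T09:00:00"),
    ("q2", "frank", "reported", "2024-04-10T09:40:00"),
]


def campaign_metrics(events):
    """Aggregate per campaign. Deliberately returns no per-user results."""
    per = defaultdict(lambda: defaultdict(dict))   # campaign -> user -> {event: ts}
    for campaign, user, event, ts in events:
        # Keep only the earliest occurrence of each event type per user.
        per[campaign][user].setdefault(event, datetime.fromisoformat(ts))
    out = {}
    for campaign, users in per.items():
        sent = [u for u, ev in users.items() if "sent" in ev]
        clicked = [u for u in sent if "clicked" in users[u]]
        reported = [u for u in sent if "reported" in users[u]]
        # Minutes from send to first report, over everyone who reported.
        ttr = [(users[u]["reported"] - users[u]["sent"]).total_seconds() / 60
               for u in reported]
        # Clickers who still reported: the behaviour a blame-free culture grows.
        recovered = [u for u in clicked if u in reported]
        out[campaign] = {
            "sent": len(sent),
            "click_rate": round(len(clicked) / len(sent), 3),
            "report_rate": round(len(reported) / len(sent), 3),
            "median_minutes_to_report": median(ttr) if ttr else None,
            "recovered_after_click": len(recovered),
        }
    return out


def trend(metrics, earlier, later):
    """Change in click and report rates between two campaigns (later minus earlier)."""
    return {
        "click_rate_delta": round(metrics[later]["click_rate"] - metrics[earlier]["click_rate"], 3),
        "report_rate_delta": round(metrics[later]["report_rate"] - metrics[earlier]["report_rate"], 3),
    }


if __name__ == "__main__":
    m = campaign_metrics(EVENTS)
    for campaign in sorted(m):
        print(campaign, m[campaign])
    print(trend(m, "q1", "q2"))
```

Between the two constructed campaigns the click rate falls from 50% to about 17% and the report rate doubles, which is the kind of movement a program would report instead of a training-completion percentage. The aggregation never emits a per-person score, which keeps the measurement consistent with the non-stigmatizing stance the article describes.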

Reducing friction between users and security controls not only improves an organization’s security posture but also eases the load on security professionals, who face considerable job-related pressure. Gartner predicts that nearly half of cybersecurity leaders will change jobs by 2025, a quarter of them leaving the field for different roles entirely, with work-related stress a key factor in those decisions.

HCC still lacks a standardized definition, and further research is needed on how organizations can support workers’ development of secure habits. The Biden administration’s “Federal Cybersecurity Research and Development Plan” names HCC a critical focus area for national security, emphasizing improved usability and user experience in digital technologies.

Gartner introduces the PIPE framework, covering practices, influences, platforms, and enablers, to guide the implementation of SBCPs. By taking a holistic approach that goes beyond traditional training, organizations can raise user engagement and get more security benefit per hour of employee attention.

Human risk management is emerging as the next stage of security-awareness and training programs, focused on educating workers in ways that measurably reduce risk. It moves away from compliance-oriented, check-the-box training toward a more positive and constructive way of handling human vulnerabilities within organizations.

Employee concerns over cybersecurity risks underline the need for organizations to empower users and address their fears constructively. Rather than attributing blame to individuals for security incidents, organizations should focus on establishing a supportive culture that encourages open communication and proactive reporting of potential security threats.

Cybersecurity professionals are urged to engage in dialogues with users, identify procedural shortcomings, and implement corrective measures to enhance security resilience proactively. Adopting data-driven tools like human risk analysis services can offer valuable insights into user behaviors without stigmatizing or labeling individuals based on their security practices.

Taken together, these developments point toward holistic approaches that treat user needs, behaviors, and sentiments as inputs to security strategy rather than obstacles to it. Organizations that build a culture of collaboration, understanding, and continuous improvement stand to end up with a more robust and resilient security posture than those that keep trying to engineer the human out of the loop.
