Employees remain the biggest source of corporate cyber risk. According to the IBM X-Force 2016 Cyber Security Intelligence Index, staff members are responsible for 60 percent of all digital attacks endured by enterprises. Accordingly, organizations focus on the negligent employee as a victim of an attack, or on the malicious insider behind an attack.
There’s an understandable emphasis on preventing and mitigating employee risk. But some organizations and researchers are increasingly looking at user empathy, social psychology, and human factors to improve cyber security.
Explain the Psychology
Security awareness education is a necessary effort. But, with the rise in socially engineered attacks, it’s important to share with users the psychology behind the attacks in order to properly ‘arm’ employees.
In marketing, the impulsive urge to act can be induced by promotions that tap into the ‘Id’ and urge people to reduce self-control and act immediately without thought. Similarly, social engineering attacks use a sense of urgency and impulse gratification to trick employees into taking phishing bait and sharing information.
Make this connection between marketing tactics and threat tactics clear to your employees. Encourage the pause for rational thought, and make it easy for employees to raise questions when unsure.
Share Stories and Adoption from Peers
Research has found that social factors are key drivers of security-related behavior change. In this research, the most prevalent social catalyst for security-related behavior change was observing friends: people often started using security tools after observing friends use those same tools. This same research has shown that people often learn about cyber security through stories from friends.
In a test of security tool adoption on Facebook, research showed that when a prompt to use security settings was prefaced with the number of the viewer’s friends who already used one of the promoted tools, the announcement drew more clicks and more adoptions of the settings than announcements without that number.
Organizations could take advantage of these findings by using respected peers to share security tips and stories of security compromises. Additionally, sharing metrics of the adoption of security best practices across the enterprise could be another way of spurring greater adoption of best practices.
Traditional guidance around passwords is now considered dated. Clemson University’s Dr. Kelly Caine recommends eliminating the advice to “change your password often” and “use a mix of special characters in your passwords.” It is better to choose a good passphrase and keep it unless there’s evidence of a problem. NIST also notes that password composition rules, which require the user to choose passwords constructed from a mix of character types, are not beneficial and may cause harm, because the resulting passwords are unmemorable and drive users to workarounds.
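To make the contrast concrete, here is an added example (not code from the original article or from NIST) that puts an old composition-rule checker next to a checker in the style the text recommends: a minimum length and a check against known-compromised values, with no character-class rules. The 8- and 64-character bounds and the NFKC normalization follow NIST SP 800-63B; the `COMPROMISED` blocklist is a small constructed sample standing in for a real breach corpus, and the function names are the author's own.

```python
"""Two password-acceptance policies side by side.

Added illustration, not code from the article. legacy_policy() encodes the
"mix of character types" rules the article calls dated; passphrase_policy()
encodes the length-plus-blocklist approach. Length bounds and normalization
follow NIST SP 800-63B; the blocklist below is constructed for the demo.
"""
import re
import unicodedata
from typing import Iterable, List

# Constructed sample of a breach-derived blocklist (hypothetical entries,
# stored casefolded). A real deployment loads a large compromised-value corpus.
COMPROMISED = {
    "password", "p@ssw0rd1", "letmein!2", "welcome1!", "summer2016!",
}


def legacy_policy(password: str) -> List[str]:
    """Old-style composition rules. Returns the list of failed checks."""
    failures = []
    if len(password) < 8:
        failures.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", password):
        failures.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        failures.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        failures.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("no special character")
    return failures


def passphrase_policy(password: str, blocklist: Iterable[str] = COMPROMISED) -> List[str]:
    """SP 800-63B style: length bounds and a compromised-value check only.

    Spaces and any Unicode are allowed; NFKC normalization keeps visually
    identical inputs from comparing differently against the blocklist.
    """
    normalized = unicodedata.normalize("NFKC", password)
    failures = []
    if len(normalized) < 8:
        failures.append("shorter than 8 characters")
    if len(normalized) > 64:
        failures.append("longer than 64 characters")
    if normalized.casefold() in set(blocklist):
        failures.append("appears in compromised-password blocklist")
    return failures


def compare(password: str) -> dict:
    """Evaluate one candidate under both policies for side-by-side review."""
    return {
        "legacy": legacy_policy(password),
        "passphrase": passphrase_policy(password),
    }


if __name__ == "__main__":
    # "P@ssw0rd1" satisfies every composition rule yet is a known-compromised
    # value; a four-word passphrase fails the composition rules yet is accepted.
    for candidate in ("P@ssw0rd1", "correct horse battery staple", "short"):
        print(repr(candidate), compare(candidate))
```

Running the block shows the point of the text: the predictable `P@ssw0rd1` clears the composition rules and is stopped only by the blocklist, while the long passphrase is rejected by the composition rules (no uppercase, no digit) and accepted by the passphrase policy.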
Employees often feel restricted by current security measures that hamper effective job performance. According to SC Magazine, that’s why medical staff “routinely ignore” IT security rules. Regulations that exist to meet compliance standards or protect critical assets often fail to account for medical professionals’ need for quick access to essential data, leading to a culture of technology workarounds that allow staff members to complete essential tasks but place organizations at risk of cyber attacks.
Security teams should investigate the ‘why’ behind workarounds they encounter. Instead of implementing security controls that run counter to existing processes (a process that is a hard sell and requires vigilance), security teams should strive to understand the workflows that are optimal for employees.
Say ‘How’, Not ‘No’
Digital transformation, cloud- and mobile-first approaches, and the use of IoT have shifted security away from the old “control” approach of trying to secure an environment after it has been implemented. The focus is now on application security.
When security teams attempt to restrict the use of applications, a culture of shadow IT emerges, and IT becomes known as the ‘department of no’. Flip the script, and become a ‘department of how’.
Security teams should bring a consultative approach to business units: assess the software that teams are already using to improve productivity, and find ways to ensure that software is used securely.
Analyze the Mistakes
No matter how good the training or how engaged the employees, perfect network security is impossible. Mistakes will happen. Learning from mistakes should happen too. What bad security habits are present in your organization?
User monitoring tools can help organizations identify bad habits and provide the data that can be used to remediate gaps in security best practices.