Infosecurity Europe
4-6 June 2024
ExCeL London

How to Design a Human-Centric Cybersecurity Programme

Managing cyber risk is at its heart not a technology issue. It is a human-shaped challenge. After all, it is end-user actions that often lead to security breaches. It is people, or machines programmed by people, that try to trick these users into making the wrong decisions. Therefore, it follows that to build an effective cybersecurity strategy, CISOs must have their users front-and-centre.

That means understanding how they interact with technology, changing behaviours where necessary, and ensuring that policy balances usability with security. 

Why do Organizations Need Human-Centric Cybersecurity?

There are trillions of reasons. Take one look at the threat landscape. Cyber-criminals and state actors are targeting users in seemingly ever greater numbers. A recent Proofpoint study found that 84% of organisations and consumers suffered at least one successful email phishing attack in 2022, and that over half (54%) dealt with three or more. It claimed that financial losses stemming from these attacks surged 76% year-on-year (YoY).

It’s not just traditional phishing either. The vendor recorded a peak of 600,000 daily “telephone-oriented attack delivery” threats incorporating vishing. It also pointed to the growing popularity of more advanced tactics designed to circumvent multi-factor authentication (MFA), such as MFA fatigue and SIM swapping.

Read more: Hacking Your Brain - Top 13 Social Engineering Techniques

Threat actors are innovating in other ways to bypass traditional security controls. SonicWall recorded a 5% YoY increase in never-before-seen malware variants in 2022 and claimed to have spotted as many as 6.3 trillion intrusion attempts during the period. Separately, CrowdStrike noted attackers are conducting more “hands-on-keyboard” activity to improve their success rates, whilst getting faster at “breaking out” from initial access to lateral movement.

The job of IT security teams is made harder by a swollen attack surface, expanded by pandemic-era investments in cloud and other technologies, and the normalisation of hybrid working. Remote workers may be more likely to practice poor security hygiene. Over three-quarters (78%) use work devices for personal tasks, while 28% of employees reuse passwords for multiple work-related accounts, according to Proofpoint.

Designing security policies to manage cyber risk without impairing the productivity of remote workers is a challenge. Younger workers in particular appear to be rebelling against what they view as excessively strict security controls. A 2022 HP report found half (48%) of 18-to-24-year-old office workers thought security policies were a hindrance, and the same share said security resulted in a lot of “wasted time.”

The result? Over a quarter (28%) of younger employees HP polled said they have tried to circumvent security. Poorly thought-out policy not only puts the organization at risk, but it is also bad news for IT morale. Some 80% of IT teams said their job has become a “thankless task” – a worrying stat at a time of Great Resignation and chronic security skills shortages.

Making the Right Calls

Viewing things from a human-centric perspective is about putting cybersecurity at the service of the business, its customers and partners, not the other way around, Derek Brink, VP at Aberdeen Strategy & Research believes.

“Since the beginning of time, there's been a balancing act between ‘better security,’ usability and convenience for users, and total cost. In recent years, the pendulum has thankfully swung in the direction of providing users with a more transparent, friction-free experience, while still managing risks and costs to an acceptable level,” he told Infosecurity.

“In this sense, cybersecurity is becoming more like the best kind of officiating in professional sports: it makes good calls, it doesn't make bad calls, and mostly it stays out of the way and lets the players play the game.”

Building a Human-Centric Security Programme

What should this look like in practice? Phillip Morgan, a professor at Cardiff University’s School of Psychology and director of the Airbus Centre of Excellence in Human-Centric Cyber Security, said there are many bases to cover. He told Infosecurity that programmes can draw on a rich 100-year body of psychological research into human risks and vulnerabilities.

“Don’t forget that we are human and are all different – human-centric cybersecurity is not a science that should result in one-size-fits-all solutions,” he added.

“Things need to be accessible, tailored, adaptive and inclusive. Let’s really start to move away from a blame-and-shame culture and encourage people to be more open about their and others’ cyber vulnerabilities, including mistakes.”

Six Tips to Create a Human-Centric Cybersecurity Programme

1. Understand where key security weaknesses lie: This starts with “thinking like an attacker,” according to Luke Beeson, chair of the Chartered Institute of Information Security (CIISec).

2. Improve awareness training to change behaviours: Training should be as comprehensive as possible, Beeson argues. “For instance, instead of simply emailing advice, share examples of phishing emails that show employees what to look for, and even stage mock attacks to better demonstrate how easy it is to be fooled, to enhance vigilance,” he told Infosecurity. “Similarly, the way you communicate the risk to co-workers is crucial. Use too much security jargon and the message won’t sink in. But focus on the actual risk to the individual employee or their role, and the lesson will be much easier to understand.”

3.  Improve security team skills: IT teams need technical skills to protect the network, analytical skills to spot threats and determine the appropriate response and people skills to manage teams and educate the wider business, according to Beeson. Understanding the psychology of security teams is also important to ensure they don’t burn out, he added.

4. Establish a security by design and default culture: This starts with understanding how security intersects with other parts of the business, and then empowering each employee with the context they need to perceive the importance of protecting themselves and their organisation, according to Beeson.

“With new cyber-threats evolving faster than technical training can keep up with, teaching a rounded, human approach to cybersecurity gives employees the skills and knowledge to be aware of potential threats, without having to consult a checklist,” he argued.

5. Consider developing a “socio-technical” approach to cyber: Tick-box training programmes and technical solutions alone won’t deliver seamless human-centric security. For that, organisations must invest more in research from psychologists, human factors experts and other specialists, said Cardiff University’s Morgan. “They can help to develop solutions that are more memorable, immersive, and lived – to support more effective and less risky decision making,” he adds.

6. Always stress-test solutions: Never base programmes solely on an understanding of human cyber risks and vulnerabilities reached under normal working conditions, warns Morgan. “Other factors are also at play – such as working under the increased pressures of workload, time and stress – which can and will undo some of the good done,” he concluded. “Instead, acknowledge that these other factors will have an effect, and develop and design solutions with them in mind and with your workforce fully aware.”

Enjoyed this article? Make sure to share it!

Looking for something else?