True business security starts with protecting your workforce, here are some tips on developing a human-centered security culture

Data breaches and other security incidents are often traced to human error, rather than vulnerabilities in technology. Cybercriminals and other bad actors frequently exploit human psychology in their attacks and there are often psychological reasons for the major errors that lead to security issues. 

This climate of uncertainty, with more people working from home, is tough all around. It may be tempting to apply strict rules, and they have their place, but educating your staff on the value of information security and encouraging critical thinking will have a much bigger long-term impact.  

A human-centered approach to security accepts common failings and acknowledges clever attack techniques that are designed to trick us. Because it is only by accepting these weaknesses that you can design an effective information security system. Understand threats and you can arm employees with the knowledge they need to avoid falling victim. 

Review your information security 

Start with an assessment of your current security posture and examine how information is handled throughout the organisation. How do different departments value information security? Is there a common culture across the company? How do third-party partners fit into this culture? This initial assessment should help you identify where human vulnerabilities lurk and how you might go about tackling them. Look for cognitive bias and consider where it might cause an issue. Optimism bias is a common cause of risky behavior, but perhaps you’ll find the “over-justification effect” has demotivated good security practice when there’s no tangible reward.

Test employee awareness 

Self-awareness is vital in building a stronger security culture, so take time to learn what level of awareness your employees have. Do they understand and recognise cognitive bias in themselves and their colleagues? Are specific departments or working groups prone to certain biases? By running through some basic exercises and discussions you can better tailor training and get a picture of what is required.  

Identify threats and probe them

Create a ranked list of threats to the business and design some scenarios based on those key risks. Go beyond penetration testing and task a third-party with crafting test attacks on your business that employ social engineering techniques. Find out if your employees fall victim to phishing attacks with different levels of sophistication. Learn how stressful situations impact their responses. Envisioning a perfect storm will help you design more effective training and build real resilience. 

Promote critical thinking

Instead of explaining how to cope with specific scenarios in detail or breaking down specific risks, it is beneficial to encourage critical thinking. If you can foster natural suspicion and strong personal awareness, combined with analytical skills and clear communication, then you can equip your employees with the skills they need to cope with any security incident. Try to reinforce the importance of keeping an open mind and being creative in solving problems. The aim is to embed secure behavior and empower people to deal with complex and challenging situations. 

Assess interactions with technology and data

Consider the daily stresses that employees face, identify the break points where they are prone to manipulation, and take small steps to combat them. Simple reminders or nudges towards desired behavior delivered automatically at the right time can make a big difference. The aim is to make life easier for your staff, to remove friction and uncertainty, and to eradicate obvious systemic triggers for different cognitive biases. 

Learn from successful attacks

One of the best learning resources you have at your fingertips is past attacks. Evaluate how previous security incidents unfolded. Look for the weak points and failings in your organisation and in the people involved. Include these lessons in your training programmes and mitigate the issues you identify, just be careful to avoid a blame culture.  

Restructure processes and policies

Consider what you learned about employee interactions, possible stress points, and triggers, and blend it with what you know went wrong in previous breaches. This information should be used to restructure your processes, so the correct, logical path to desired behavior is as frictionless as possible. Policy should address past failings directly and make sure to change areas that led to circumvention in the past.  

Automate where possible

While overreliance on technology can be dangerous, there will be areas that you can automate to reduce the risk of human error. Spam filters and contextual nudges to desired secure behavior can be greatly beneficial. Employ artificial intelligence to monitor networks for abnormal behavior and filter out some of the noise, while flagging potential problems for further investigation by a security professional.  

The human-centered approach 

Having clear procedures set in stone can be an effective way to reduce the risk of successful manipulation, but you need to balance rules with reasoning. Teach people to think more critically, remove some of the challenges that make them vulnerable, and you can build a strong, resilient, human-centered security culture.