Human-Centric Security Design

How to plan for the weakest link

On NBC’s TV show The Weakest Link, contestants work together to answer questions and build a pool of prize money while, at the same time, voting fellow players off the show, the idea being that those voted off contributed the least to the prize pool. Then, at different points in the game, contestants shift strategy and gang up on the strongest participants in order to remove them from the final shot at the grand prize.

Image: Wikipedia

As with all game shows, the outcome of any episode is largely about the people involved. Some contestants stand out and master the format; others struggle, forget the rules, don’t know the answers and seem not to have prepared as well as they should have. It is really no different when it comes to identifying cyber threats in the corporate environment. People can be a strength for the company, or, more often, they can be the weakest link (even though in March 2017 Britain’s National Cyber Security Centre (NCSC) advised that people should no longer be called “the weakest link” in cybersecurity).

Threat actors recognize this aspect of human behavior and target the human emotional factor heavily (phishing, social engineering, etc.). The best CISOs also realize this and are building their security programs around a different question. Rather than asking whether the control works, they want to know whether it is working for the employee.

Instead of designing and implementing black-and-white security programs that lay down the law and leave no room for user feedback, they are incorporating the thoughts, and yes the feelings, of their employees. Why the softer approach to security? One significant reason is simply effectiveness: employees will always find ways around whatever controls are put in place, and it is better to work with them than without them.

In a Nov. 2022 Gartner survey, 69% of respondents stated that they intentionally bypassed their organization’s cybersecurity guidance in the last 12 months.

Gartner finds this human-centric approach to security design so significant that it names it the #1 trend it expects to see in 2023. Gartner further observes:

“Business leaders now widely accept that cybersecurity risk is a top business risk to manage – not a technology problem to solve,” said Addiscott. “Supporting and accelerating business outcomes is a core cybersecurity priority, yet remains a top challenge.”

CISOs must modify their cybersecurity operating model to integrate with how work actually gets done. Employees must know how to balance a number of risks, including cybersecurity, financial, reputational, competitive and legal risks. Cybersecurity must also connect to business value by measuring and reporting success against business outcomes and priorities.

While this concept seems to have gained quite a bit of traction in the past couple of years (potentially due to the rapidly changing work environment, ‘quiet quitting’, frequent job changes by workers and related factors), it is not new: back at the July 2017 Black Hat conference, Facebook’s head of security, Alex Stamos, told the audience, “The security industry needs to worry less about technology and more about people.” (Medium.com). So this trend has been building over time.

If one is going to go through all of the work of building out a security program only to have 7 in 10 users ignore it or deliberately go around it, a better way is certainly warranted, and this may just be the answer. By designing with the human in mind, and with how people actually use and interact with security controls, the odds that users pay attention to the training and then remember and apply it down the road increase.

For CISOs interested in implementing the human-centric approach to security program design, Forbes observes that:

Businesses that keep people squarely at the center of their cybersecurity design will be rewarded with cyber resilience.

To support this observation, they recommend an eight-step process for developing a human-centric security design:

1. Assess your cybersecurity posture.

2. Test employee awareness.

3. Identify threats and probe them.

4. Promote critical thinking.

5. Review employee interactions.

6. Learn from past mistakes.

7. Re-engineer processes and conduct training.

8. Automate to reduce human error.

In the end it is all about “getting the balance right”: the CISO provides direction, aligns with regulatory compliance and confirms that environments are secure, all while incorporating feedback from business stakeholders to ensure the program has their attention and support.