According to Gartner's Drivers of Secure Behavior survey, 93% of employees who behave insecurely do so knowingly.
The Many Paths to Human-Centric Security

Human-centric security considers people's behaviors, needs, and limitations at every point, not only in the incident response plan but day to day as issues arise.
That means readable policies, reduced friction at as many points as possible, lower complexity in security-related processes, positive reinforcement instead of punishment, and help for employees when they need it, without judgment.
Gartner predicts that by 2027, half of CISOs will have adopted human-centric security to reduce cybersecurity-induced operational friction.
Centering people is the approach Random Timer, a company that makes a productivity app of the same name, uses with its employees.
Traditionally, security has been very technology- and policy-driven without enough consideration of the human element.
This can make it feel restrictive and frustrating for end users, explains company founder Matthew Anderson.
By far, friction is the biggest enemy of secure employees.
Friction is rampant: a recent Gartner report found that more than one in three employees say they find cybersecurity controls and policies hard to adhere to, unreasonable for their role, and in conflict with their work objectives.
Browser security and passwordless access are good steps, because the user doesn't even have to think about them.
Many companies still aren't adopting these technologies, and even if they do, they don't always work well with the decades-old technology employees still rely on to do their jobs.
He even suggests bringing in usability experts to advocate for employees.
Many of them were given projects using data, data analytics, and word clouds, so the company blocked a lot of the sites that would have allowed them to upload their results publicly, to protect the company's data.
Some companies go to great lengths to understand the user experience, and it yields results.
Santander, the largest bank in Spain, taught its cybersecurity staff the principles of user experience design, a discipline that is typically the domain of developers and customer-facing employees.
Johnson & Johnson, for example, turned the list of forbidden activities in its acceptable use policy into a positive self-service assessment. Based on the employee's answers, an automated system directs them to a safe way to accomplish what they set out to do.
If the system determines that an employee is doing something new, it might send a training video in response.
If the answers reveal that an employee is planning to use proprietary data in a way the policy doesn't allow, it might point the employee to a synthetic data repository, which is derived from real data sets but contains no actual proprietary data.
SRI, a tech company based in California, puts comment boxes in its policies.
That paid off with the insight that its security policies weren't very readable to people outside the security domain, which the company said has led to positive changes.
This Cyber News was published on www.darkreading.com. Publication date: Fri, 08 Dec 2023 02:05:05 +0000