Invest in Developing a Human-Centred Security Program
Organisations have long implemented security awareness training programs in an effort to protect against data breaches. These programs are often designed with a one-size-fits-all approach, focused on compliance, and rarely result in sustained changes to security behaviour. As a result, the number of data breaches due to human error continues to rise, with 90% of breaches being attributed to human error, according to the Information Commissioner’s Office in the UK. This highlights the need for a reassessment of how we teach individuals about security.
The current approach to security training is not enough, and a human-centred security program must be implemented instead. This approach takes into consideration roles, psychological processes, attitudes, and communication methods. Changing behaviour in the long term is a complex task: it requires careful planning and an interdisciplinary strategy that caters to specific roles and is backed by solid metrics that demonstrate a return on investment.
The first step in developing a human-centred security program is to establish a behavioural baseline. This is achieved by pulling in rich datasets and performing statistical analysis on historic risk assessments, data loss prevention records, and user behaviour analytics. By breaking the data down by role, department, and location, and across the entire organisation, it is possible to understand how employees are currently behaving and why. Qualitative information can be gathered through focus groups, observation, and examination of policy and systems. This information provides valuable insight into patterns of behaviour and reveals weaknesses in the current approach to education, training, and awareness.
Tailored content and emotional engagement are critical components of a successful security program. Traditional ‘blanket’ training is ineffective, and a far better approach is to create role-based security training programs that are tailored to each employee’s specific role and the threats they face. Training should also engage people on an emotional level, through gamification, rewards, and public praise. Regularity is crucial, and security awareness, training, and education should be delivered in short bursts and at frequent intervals, using various mediums to accommodate different learning preferences.
Security can also be encouraged through design, by redesigning the digital infrastructure, user experience, and interfaces to guide individuals towards secure behaviour. This includes making it easy to manage threats and report incidents, as well as redesigning the physical environment to foster secure behaviour. Desired behaviour can also be encouraged through nudges and reminders in public areas and apps that prompt people to complete training modules.
Measuring success is key, and metrics should be developed to assess the impact of the human-centred security program. The impact on individual behaviour should be examined, including changes in motivation, proficiency, and attitudes. Financial savings should also be calculated from the reduction in incidents and compared against the cost of the program. A human-centred security program is a smart investment that organisations can make to ensure a secure future.