The “psychology of security” is often a foreign concept to IT professionals, yet they all acknowledge that users are the biggest challenge. When hackers are unsuccessful at exploiting technical vulnerabilities, they turn their attention towards users. They look for responses to psychological triggers and cognitive patterns that can be easily exploited. We think of these as preconceived ideas and heuristic patterns that are associated with risk vulnerability and decision making.
“We currently use a number of different solutions and vendors for security products and training… I’m not sure what else can be done.” – an oft-repeated remark I get from IT professionals.
Despite all the investment in the latest and greatest technologies and the “once-a-year” data privacy training, the company still gets hacked.
85 percent of the time, user error and unsafe behaviors are the root cause.
71 percent of the time, it is carelessness.
Hackers exploit the psychology of security – the human vulnerabilities associated with risk-taking, habit and discipline.
Hackers pay attention to the psychology of security. “The art of deception” is no longer art. It is now a science that can be explained through cause and effect. Driving people towards safer behaviors cannot be achieved through firewalls or port scanners. In fact, technology-centric solutions tend to drive the wrong behavior because security is secondary to the task that the user is trying to accomplish. It simply gets in the way of executing that task efficiently. If we factor in the fact that security is usually an “add-on” that tends to be poorly designed, it becomes an annoyance. The temptation to use workarounds or avoid security protocols is difficult for the user to ignore.
Cyber security should be more about addressing the user’s state of mind when using technology.
Risk exposure: “I’m not going to get hacked.”
Risk control: “I can risk it this time.”
Habituation: “What pop-up alert?”
Normalization of deviance: “Nothing happened before.”
The path of least resistance: “I can’t be bothered. I already have a lot on my plate.”
Put the “human in the heart of the loop” to reduce human error and increase safe behaviors.
Create a cyber resilient organization that balances security behaviors against human error.
Leadership commitment: The C-Suite signals the importance of cyber security and makes financial and strategic commitments.
Organizational structure: Cyber security is fit for purpose, aligned with your overall business strategy and yet has the flexibility to proactively counteract and prevent future breaches.
Operating model: Your cyber security efforts are directed towards the rest of your organization and bridge the gap between the business and IT.
Talent management: Your IT security workforce needs are understood so that you can acquire the skills and the human resources needed to achieve and maintain a state of cyber resilience.
Culture: Your culture is a direct expression of your users’ behavior inside and outside the workplace. Achieving a state of cyber resilience is second nature and not device- or location-dependent.
Over the next five weeks, we will dive into each one of these components to explore how to design a cyber resilience framework around behavioral change. Stay tuned!