phone-red Call us about IT Support in London 020 7572 0000

Human-centred security is more than train, constrain and blame

Byte-size Bulletin by Simon Heath in Security, News on Aug 23, 2021


What part is security playing in your plans to make a return to office-based work? Is staff training in cyber security part of your plan?


It’s probably no shock to you that 56% of IT leaders believe staff have picked up bad security behaviours whilst working at home. What may come as more of a surprise is that 36% of employees also say they have picked up bad behaviours.


A recent survey by Tessian, a security company, revealed that Chief Information Security Officers (CISOs) are more likely to be involved in company planning because cyber security is viewed as critical to success.


Younger workers are twice as likely to have found such security “workarounds” – possibly because they are more “digitally native”.


One in three employees think they can get away with riskier security behaviours when working remotely. Nearly half of those say it’s because they are not watched by IT.


It’s fairly well understood that cyber risks have increased and that many breaches start with phishing emails which means that people’s behaviour is an important line of defence.


Employees fear of admitting cyber security mistakes exacerbates the risks. Over a quarter admit to compromising company security but say that nobody will ever find out. 27% said they feared pointing them out in case of disciplinary action or being required to take further security training.


This suggests that creating a security-first culture is not as easy as publishing a policy and issuing a few lessons on the dire consequences of making a mistake.

The Tessian survey quotes Dr Karen Renaud, Professor and Computer Scientist, who specialises in human-centred security:


“A lot of organisations see their employees’ behaviours as a problem. They’ll train them, they’ll constrain them, and then they’ll blame them when things go wrong. But what you’re actually doing is excluding them from being part of the solution. So, it creates the very problem you’re trying to solve. What you want is for everyone to feel that they’re part of the security defence of the organisation.


In her article for the Wall Street Journal, Dr Renaud writes about her and Marc Dupuis’ research.


They believe fear doesn’t work when trying to build a security-first mindset. It does the opposite. Anxiety stops people from thinking.


Fear is a short-term emotion. It can cause a short term action, but not long-term vigilance.


Recipients of security awareness training based on fear tend to believe the risks have been exaggerated and reject the entire message.


One example they cite is password policies that ask people to use long passwords, not duplicate them and not write them down. But if you don’t have the tool to make that possible people find it an impossible directive, they second guess themselves and when they find it a blocker to productivity, they give up on the policy altogether.


Instead, they advocate encouraging trust and creativity to figure out how tools can be used effectively. Assign a contact who is to be trained in and champion a particular tool and encourage engagement, questioning and learning around it. It’s likely to generate a better security culture than fear, uncertainty and doubt.


The Tessian survey can be found here.

Photo by Mark Duffel on Unsplash

Subscribe to our Bulletins

Free Download

Is IT a bottleneck to your company’s growth?

Discover how small business IT support can be a strong ally in making you more productive and competitive.

Download Ebook