Information Security Forum Tackles Human-Centered Security in Latest Paper
September 2019 by Information Security Forum (ISF)
According to the Information Security Forum (ISF), a trusted resource for executives and board members on cyber security and risk management, human error has become one of the greatest contributors to data breaches. Organizations have traditionally relied on the effectiveness of technical security controls but have neglected to address the fundamental reasons why humans make mistakes and are susceptible to manipulation. This has led to a growing demand for a fresh approach to information security, one focused on mitigating the risk of human error.
ISF research has found that errors and manipulation now account for the majority of security incidents. By helping staff understand how psychological vulnerabilities can lead to poor decision making and errors, organizations can manage this risk. In an effort to support global organizations, the ISF today announced the release of Human-Centred Security: Addressing Psychological Vulnerabilities, the organization's latest digest, which helps security professionals to understand how psychological vulnerabilities in humans can lead to errors in decision making; to identify the methods and techniques attackers use to exploit those vulnerabilities; and to manage them in order to improve information security. Underlying psychological vulnerabilities mean that humans are prone both to making errors and to manipulative and coercive attacks.
“Human-centred security starts by acknowledging that humans have psychological vulnerabilities that may impact decision making,” said Steve Durbin, Managing Director, ISF. “During interactions with technology, controls and data, employees may make errors that lead to security incidents, negatively impacting the organization. By understanding what triggers human error and the psychological methods attackers use to manipulate their targets, organizations can improve security awareness and design controls to account for human behavior, enabling them to mitigate the risk of human error.”
Many different terms are used to describe human-centred security, including human-centric security, people-centric security or people-focused security. They all relate to the aim of mitigating or reducing the risk of human error. ISF research identified that organizations are struggling to manage the risk of what is called “the accidental insider” – the authorized member of staff making accidental errors. Equally, traditional security controls are proving to be less effective at preventing external malicious attacks. Attackers are transitioning away from malware-based attacks to more targeted, social engineering-based attacks designed to coerce or influence the accidental insider into making exploitable errors.
Organizations that are already taking a human-centred approach to information security typically spend extended periods of time observing how people interact with technology, controls and data, to identify which specific cognitive biases are triggered and to understand why. This has enabled effective and targeted investment in human-centred security improvement programs that prioritize the highest-risk areas. There is, however, not yet enough established good practice to say which solutions merit more investment than others; the answer will depend on the organization, the specific human vulnerabilities that lead to errors in decision making, and the types of attack it most commonly experiences.
“A human-centred approach to security can help organizations to significantly reduce the influence of cognitive biases that cause errors. By discovering the cognitive biases, behavioral triggers and attack techniques that are most common, tailored psychological training can be introduced into an organization’s awareness campaigns. Technology, controls and data can be calibrated to account for human behavior, while enhancement of the working environment can reduce stress and pressure,” continued Durbin. “Once information security is understood through the lens of psychology, organizations will be better prepared to manage and mitigate the risks posed by human vulnerabilities. Human-centred security might just help organizations transform their weakest link into their strongest asset.”
Human-Centred Security: Addressing Psychological Vulnerabilities is available now to ISF Member companies via the ISF website. ISF Members are invited to join the Human-Centred Security Community on ISF Live to share thoughts, experiences and to discuss emerging human-centred security solutions.
About the Information Security Forum
Founded in 1989, the Information Security Forum (ISF) is an independent, not-for-profit association of leading organizations from around the world. The ISF is dedicated to investigating, clarifying and resolving key issues in cyber, information security and risk management and developing best practice methodologies, processes and solutions that meet the business needs of its Members.
ISF Members benefit from harnessing and sharing in-depth knowledge and practical experience drawn from within their organizations and developed through an extensive research program. The ISF provides a confidential forum and framework, which ensures that Members adopt leading-edge information security strategies and solutions. By working together, ISF Members avoid the major expenditure required to reach the same goals on their own. Consultancy services are available and provide ISF Members and Non-Members with the opportunity to purchase short-term, professional support activities to supplement the implementation of ISF products.