Speaking at Infosecurity Europe 2017 professor Angela Sasse, director, UK Research Institute in Science of Cyber Security, UCL, said that good security is not just about having ‘better’ policies as a lot of security policies are very counterproductive if they "do not work for people.”
As a result, professor Sasse claimed it’s now time for a shift in thinking if we are to improve user behavior, with particular focus on moving away from the notion that the human is the ‘weakest link’ in security who should take the blame for security issues.
“There is this need to reshape the relationship between the IT security team in an organization and the people who use IT security,” she added.
So, Sasse outlined a three-step ‘primer guide’ to getting security to work for people in an effective way.
The first of these is realizing that, for security experts, security is the main priority, but that is not the case for the vast majority of a workforce who are focused on their day-to-day jobs. “It’s your [security experts’] responsibility to design security that fits with individuals’ tasks and the organization’s business process.”
The second, Sasse continued, is that security communications must be NEAT – necessary, explained, actionable and tested.
“Very few people don’t care [about security] it’s just that they can’t pay attention when they are overloaded or feel like they are being told to do things that don't work or offer them anything.
“Advice must be given in a simple, concrete format.”
Lastly is a realization that security awareness and education are not the answer – as there is no cure for a lack of security hygiene with unworkable policies or useless tools.
“What you want is a change in undesirable behaviors – this is neither a quick nor cheap option, and it’s not a job for amateurs.”
To conclude, professor Sasse said her key piece of advice for companies looking to improve the behavior of their users is through engaging with them, and to really mean it.