Information security needs to focus on the human factor
Human error has become one of the biggest contributors to data breaches. Organizations have traditionally relied on the effectiveness of technology controls but haven't addressed the fundamental reasons why humans make mistakes and are susceptible to manipulation.
A new report from the Information Security Forum finds that by helping staff understand how these vulnerabilities can lead to poor decision making and errors, organizations can better manage risk.
"Human-centered security starts by acknowledging that humans have psychological vulnerabilities that may impact decision making," says Steve Durbin, managing director of ISF. "During interactions with technology, controls and data employees may make errors that lead to security incidents, negatively impacting the organization. By understanding what triggers human error and the psychological methods attackers use to manipulate their targets, organizations can improve security awareness and design controls to account for human behavior, enabling them to mitigate the risk of human error."
The ISF research identifies that organizations are struggling to manage the risk of what is called 'the accidental insider' -- the authorized member of staff making accidental errors. Equally, traditional security controls are proving to be less effective at preventing external malicious attacks. Attackers are transitioning away from malware-based attacks to more targeted, social engineering-based attacks designed to coerce or influence the accidental insider into making exploitable errors.
"A human-centered approach to security can help organizations to significantly reduce the influence of cognitive biases that cause errors. By discovering the cognitive biases, behavioral triggers and attack techniques that are most common, tailored psychological training can be introduced into an organization's awareness campaigns. Technology, controls and data can be calibrated to account for human behavior, while enhancement of the working environment can reduce stress and pressure," adds Durbin. "Once information security is understood through the lens of psychology, organizations will be better prepared to manage and mitigate the risks posed by human vulnerabilities. Human-centered security might just help organizations transform their weakest link into their strongest asset."
You can find out more on the ISF website.