A new article by Julie Haney, computer scientist for the National Institute of Standards and Technology (NIST) highlights the risks of making overly optimistic assumptions about how much your employees may know about cybersecurity and common threats. By overestimating, cybersecurity specialists often end up having challenges effectively communicating with general users, and not listening to feedback regarding how security measured are impacting their productivity. The end result can be people bypassing security measures, as they choose their personal convenience over safe cybersecurity habits.
“We need an attitude shift in cybersecurity. We’re talking to users in a language they don’t really understand, burdening them and belittling them, but still expecting them to be stellar security practitioners,” says Haney. “That approach doesn’t set them up for success. Instead of seeing people as obstructionists, we need to empower them and recognize them as partners in cybersecurity.”
In response, Haney offers a set of six guidelines for cybersecurity managers and team members to consider in both their policies and communications, ranging from assumptions about the level of user understanding, to relying on threats to ensure compliance, to not considering how security measures might impact the ability of users to do their jobs. Says Haney of the importance of considering the human element in cybersecurity, “There has been a lot of research into this issue, but the research is not getting into the hands of people who can do something about it. They don’t know it exists.”
Source:
