A new book called “Cyber Security And Human Factors” has been released on a non-profit basis to help improve knowledge-sharing in the sector. For less than the price of a coffee, Individuals and Organisations can read this handbook with detailed guidance on how to improve Cyber Security and Human Factors.
The ‘human factor’ in Cyber Security is often seen as a weak link in the security chain. But it is fair to say that human intuition all too often has also played a key role in preventing cyber threats materialising. All systems require us humans to receive alerts and subject these to our interpretation. Human intellect is capable of processing numerous inputs and we instinctively know when an issue has arisen.
We hope technology can improve our security posture when a superior tactic may be to dig deeper into human nature. Our norms, habits and quirks determine our security awareness. We can change these and build a security mindset that focuses on our strength which is complex reasoning.
Our habits mean humans have tendency to find shortcuts. Security professionals must think like a hectic employee, a rushed director, or a preoccupied secretary. We must remove complexity from all of our practices.
Human brains process information in less time than many cybersecurity measures take to be implemented. Smartphones, productivity apps and fast connection speeds have set an expectation of instant access. We also must consider the insider threat. Human lives are complex and they bring this to the workplace. They have stressors whether these are financial difficulties, poor mental health, drugs, alcohol, gambling, idealism, politics and power.
Leadership and human intuition can be vital in improving security. Conducting a security review of employees once per month with colleagues from HR, IT, Operations, etc can help identify staff who have too much access or staff who are struggling and need support. Otherwise gathering intelligence on changes from these areas can also help. Human reasoning can look at the situation from an enterprise perspective and spot warning signs earlier.
Malicious actors take advantage of human nature. They target people who are vulnerable, powerful or complacent. Increasingly, we see sophisticated techniques like using social media to develop something that will interest their target or get them to drop their defences. The bad actors are evolving, and so your security training program has to evolve. Continually update about new threats. Reminding people that they could be targeted. Drive home the point to trust nothing.
Testing is an important part of education. Send fake emails, conduct hacking exercises, play war games that simulate an attack or ransom situation. Staff are fooled by these even when they know they could be tested. These represent opportunities to embed learning points and encourage staff to take their time, trust their instincts and validate.
Cyber threats arise increasingly from basic opportunities. We can improve by understanding basic human nature.
Information security awareness should help establish correct security procedures and security principles in the minds of all employees. Increased awareness minimizes user-related security threats and maximizes the efficiency of security techniques. But we must go beyond security awareness and better understand our people and their mindsets to be truly transformational.
The book has been written by a practitioner and includes step-by-step guidance for successful cyber security in any organization through better understanding the individuals within it. It considers issues InfoSec leaders will encounter such as Cyber Security, Cyber Safety, Cyber Crime, Information Security Management, Cyber Vulnerabilities, Cyber Attack Vectors, Risk Management, Business Continuity, Security Education, Awareness and Human Factors.
