Article by Chris McDermott, Lecturer, Human-Centred Security Research
Welcome to the first article in a series on human-centred security: an approach to cybersecurity that focuses on understanding and addressing the human factors that contribute to security risk. Historically, organisations have relied solely on the effectiveness of technical security controls, without also trying to understand why people are susceptible to mistakes and manipulation.
As technology advances and the number of cyber threats grows, a different approach is clearly needed: one that helps organisations understand and manage psychological vulnerabilities, and that adopts technology and controls designed with human behaviour in mind. In this series, we will explore this concept and discuss in detail the benefits of adopting it.
The conventional approach to security focuses on technology and infrastructure, and it has been successful against certain threats, such as viruses and other malware. Its limitations, however, are becoming more evident. Security measures are increasingly bypassed by sophisticated attackers who exploit not only vulnerabilities in systems but also vulnerabilities in human psychology, for example through phishing and other forms of social engineering. Human-centred security addresses these limitations by focusing on the human factors that give rise to security risk. By understanding how users behave and make decisions when faced with security risks, organisations can create solutions that align with user needs and behaviours, reducing those risks.
Human-centred security also emphasises building security into solutions from the outset, making them ‘secure by design’. Security by design means integrating security into the development and design of products, systems and services from the earliest stages of planning through to deployment and ongoing maintenance. Its goal is to prevent security risks and vulnerabilities from being introduced in the first place, rather than trying to fix them after the fact. Security that is built in from the ground up reduces the likelihood of breaches and improves the overall security of the system; it also helps organisations comply with regulations and standards, and reduces the cost and effort of fixing security issues later.
A human-centred security approach also requires solutions to be intuitive and user-friendly, so that people use them correctly and securely. User feedback should inform the design process, so that solutions are tailored to user needs and preferences. Organisations should also equip users with the knowledge and training they need to make informed security decisions. This means educating users about the risks they face and about good practice, in order to embed a “security culture” in the organisation. In this context, a security culture refers to the attitudes, beliefs and user behaviours that shape an organisation’s approach to security. A strong security culture promotes a secure environment and reduces the risk of breaches, but it requires commitment from every level of the organisation, from top management to front-line employees.
Organisations should also establish clear policies and procedures for handling security incidents, and hold employees accountable for their actions. Security should be communicated and made part of the daily work routine: regular security training, testing and drills help to identify and address potential vulnerabilities, and they make employees more familiar with security best practice. Finally, organisations should provide a reporting mechanism through which employees can report security incidents and raise any concerns they have.
Human-centred security offers many benefits, including better security outcomes and greater user satisfaction. When security solutions align with how users behave and what they need, users are more likely to use them correctly; solutions that are user-friendly and understandable also increase user satisfaction.
In future articles in this series, we will look more deeply at human-centred security, examining some of the concepts introduced above. We will also explore the challenges organisations may face when adopting a human-centred approach to security, and the strategies they can use to overcome them. Ultimately, the goal of this series is to give organisations the knowledge and tools they need to adopt a human-centred approach to security and better protect individuals and businesses in today’s digital landscape.