The Human Elements of Cybersecurity: Privacy, Ethics, Usability, and Responsibility
However, this isn’t a diatribe about the obvious predicament facing today’s data security landscape. Instead, I’ll look from the other side of the human equation: the users we are supposed to guard. Humans aren’t just resources that you can force to comply with security best practices. We have feelings, concerns, and needs. An effective security strategy will need to address these human elements.
For example, if you implement a strong password security policy without addressing the human tendency to look for convenience, people will find a way to bypass the rule. They will either write their passwords down in plain text, save them in their browser, or start reusing the same passwords on unsanctioned/personal sites. You will need to provide them with an efficient option such as SSO, a key vault, or something else to manage their passwords easily.
While data security is undoubtedly a good thing, it’s also a nuanced issue that can present companies with an ethical dilemma. After all, you are protecting your organization, customers, and employees from a devastating data loss event. In reality, things aren’t as black and white, and it’s easy for motivations to get muddled when working to protect customer data.
For instance, employees might wonder why you are implementing specific security measures or monitoring initiatives. Is it because you want to increase your workplace productivity? Do you truly need to scan their emails to achieve that? While the goal of data security is ethical, the defensive measures need to be appropriate. Defining the purpose of monitoring and security measures, and establishing boundaries and transparency protocols, is key to avoiding such ethical pitfalls.
Security shouldn’t compromise usability. Instead, it should enable freedom and creativity. Fortunately, with the introduction of machine learning/AI, NLP, context-based classifications, and other software developments, companies can balance security and usability. However, you still need to spend time configuring those solutions or training them with enough data to minimize false positives. In addition, the success of your security initiative will suffer when you block a workflow without offering an alternative solution. For example, you might think blocking the use of cloud drives is a sensible precaution. However, if you don’t allow another channel such as a private cloud or a ‘cloud-like’ solution such as Transporter or Space Monkey, employees will most likely share those files using email, USB drives, or other less secure methods, ultimately making it even harder to enforce your security policy.
Data security isn’t just the responsibility of security experts. To be successful, data security has to be a collective effort that extends to all levels of the company. Indeed, everything from election hacking and deep fakes to the weaponization of information can’t be addressed if we just rely on security professionals and technologies.
The problem is too big for a single group to handle. So, what can we do as security professionals to drive mass engagement? Most importantly, we can evangelize the importance of data privacy best practices.
Organizations like RSA are doing a great job of spreading the word, but we can all help out too. Educate and train people whenever you have a chance. Skills like avoiding phishing emails, detecting the signs of social engineering, acting responsibly online, using basic protections, and reporting spam calls are some topics we can all share on our social channels. The more we share, the more awareness we create.
It’s easy to pass the buck and blame the users when they do something wrong, but as security professionals, we are the ones who are responsible for weighing the hard decisions between security and privacy, ethics and profitability, usability and compliance, responsibility and authority. Developing a human-centric approach to security will make it more approachable to our users and, in turn, propel its success. As our friends at RSA say, “it’s about people protecting people.”