Why should you make cyber security people-centred?
Blog posted by: Professor Lizzie Coles-Kemp – Information Security Group, Royal Holloway University of London, 15 January 2020.
As technology becomes more and more embedded in company processes, businesses need to look beyond the traditional ways of securing their organizations’ most valuable assets. This involves approaches that engage with people and understand their needs and perspectives on security.
People want to access digital services that enable rather than constrain them. Organizations need to find methods of securing that are not reliant on simply “screwing down” their technology platforms. Otherwise the consequence could be businesses becoming less able to offer services that are of real benefit to people. Therefore, apart from finding alternatives to optimize technology securely, this challenge is also about engagement.
People-centred security – a number of approaches
Building an engagement approach is at the heart of people-centred security. In other words, this is technology designed with the needs and benefits of people in mind. This is where security is usable, accessible and trustworthy, while considering how people engage and what benefits they obtain through that engagement.
Also, flipping that on its head, it also means more emphasis on the trust relationships between people and organizations where that trust relationship is digitally mediated. This involves thinking about what technology enables you to do plus trust users have in the technology to ensure positive outcomes for them. Therefore, people need to trust that technology has been built appropriately and that the organization providing the tech-enabled service has intentions that benefit them.
Doing better with cyber security
A good starting point for organizations trying to improve their approach to cyber security is understanding the context in which their people are using technology. So, what are their stresses, challenges and drivers when using technology? Only when you’ve answered this is it meaningful to embed security measures within that context.
There is another name for this: “You Shape Security”. We have worked with the UK’s National Centre for Cyber Security (NCSC) on this approach with the premise that cyber security is founded on having ongoing dialogues with people to tap into their ways of working and co-creating security policies that address long-standing problems. This will, ultimately, make an organization more effective and better able to cope with the unexpected.
One of our colleagues at NCSC, Ceri J – a senior socio-technical researcher – explained:
“The premise of this is communication: understanding how to build dialogue and learn about the way people actually work in an organization. At the moment, security practitioners can make assumptions about how people work rather than asking them what they need, taking a step back and engaging with them. It’s about getting them to take part, to break down assumptions and fit security into everyday life instead of it being seen as a blocker.
“If people talk to each other and build trusted relationships it helps security as a whole and enables everyone to get their jobs done. And it means taking people from awareness to having knowledge and understanding; building confidence in what security is for them and taking part in the process without blame or having security as something that’s ‘done to you”.
These ideas are just a start to the journey, creating a two-way conversation rather than awareness pushed in one direction. When people start adopting these principles it becomes an alternative to what they’re currently doing.”
Storytelling and a positive culture
In practical terms, this means thinking about contextualising security policies, advice and guidance to ensure people can relate more to the messages delivered. This also builds a much more positive culture based on trust and the benefits of good cyber security behaviours.
As part of the You Shape Security guidance, there is a storytelling toolkit which enables people to use storytelling for talking about their everyday experience of technology, complete with its challenges, difficulties and opportunities.
To expand on this idea, we are now leading a research initiative in conjunction with AXELOS and supported by NCSC to design workshops that will help security practitioners understand how they would use creative engagement and storytelling in training and awareness learning, risk assessments and audit.
We think that there are a lot more organizations out there engaging creatively with their people than we realize. Therefore, we would like to uncover what the real information security engagement capacity is in organizations and what they are really doing about it.
The storytelling toolkit references in the NCSC guidance can be found here: https://bookleteer.com/collection.html?id=28
Original article link: https://www.axelos.com/news/blogs/january-2020/why-should-you-make-cyber-security-people-centred
Latest News from
How PRINCE2 gives us a common project language, and why it’s important25/05/2023 13:20:00
Blog posted by: Robert Buttrick, 23 May 2023.
Resetting your PRINCE2® knowledge and approaches22/05/2023 13:20:00
Blog posted by: Lawrie Kirk, 19 May 2023.
Why everyone is a project manager now12/05/2023 13:20:00
Blog posted by: Pedro Bertacchini – Senior Project Manager, 10 May 2023.
Improving your portfolio management to keep services relevant11/05/2023 13:20:00
Blog posted by: Chris Gallacher, VP & Principal Consultant, Forrester Research and contributing author to ITIL 4 Digital and IT Strategy, 10 May 2023.
Programme management in a VUCA world02/05/2023 10:20:00
Blog posted by: Chris Carter, Principal, orgshift solutions inc, 27 April 2023.
Studying ITIL 4 beyond Foundation level: building careers and improving business17/03/2023 13:20:00
Blog posted by: Mohammed Feisal Ismail, Principal Consultant, Sapience Consulting, 16 March 2023.
Portfolio management – making the totality of change work better19/12/2022 16:20:00
Blog posted by: Ian Clarkson – Practice Director, PPM, QA, 15 December 2022.
Employing PRINCE2 to simplify project management for stakeholders19/12/2022 10:20:00
Blog posted by: Pedro Bertacchini – Project Manager, Luminor Group, 15 December 2022.