Why should you make cyber security people-centred?
Blog posted by: Professor Lizzie Coles-Kemp – Information Security Group, Royal Holloway University of London, 15 January 2020.
As technology becomes more and more embedded in company processes, businesses need to look beyond the traditional ways of securing their organizations’ most valuable assets. This involves approaches that engage with people and understand their needs and perspectives on security.
People want to access digital services that enable rather than constrain them. Organizations need to find methods of securing these services that are not reliant on simply “screwing down” their technology platforms. Otherwise, businesses could become less able to offer services that are of real benefit to people. Therefore, apart from finding alternatives to optimize technology securely, this challenge is also about engagement.
People-centred security – a number of approaches
Building an engagement approach is at the heart of people-centred security. In other words, this is technology designed with the needs and benefits of people in mind. This is where security is usable, accessible and trustworthy, while considering how people engage and what benefits they obtain through that engagement.
Flipping that on its head, it also means more emphasis on the trust relationships between people and organizations where that relationship is digitally mediated. This involves thinking about what technology enables you to do, plus the trust users have in the technology to ensure positive outcomes for them. Therefore, people need to trust that technology has been built appropriately and that the organization providing the tech-enabled service has intentions that benefit them.
Doing better with cyber security
A good starting point for organizations trying to improve their approach to cyber security is understanding the context in which their people are using technology. So, what are their stresses, challenges and drivers when using technology? Only when you’ve answered this is it meaningful to embed security measures within that context.
There is another name for this: “You Shape Security”. We have worked with the UK’s National Centre for Cyber Security (NCSC) on this approach with the premise that cyber security is founded on having ongoing dialogues with people to tap into their ways of working and co-creating security policies that address long-standing problems. This will, ultimately, make an organization more effective and better able to cope with the unexpected.
One of our colleagues at NCSC, Ceri J – a senior socio-technical researcher – explained:
“The premise of this is communication: understanding how to build dialogue and learn about the way people actually work in an organization. At the moment, security practitioners can make assumptions about how people work rather than asking them what they need, taking a step back and engaging with them. It’s about getting them to take part, to break down assumptions and fit security into everyday life instead of it being seen as a blocker.
“If people talk to each other and build trusted relationships it helps security as a whole and enables everyone to get their jobs done. And it means taking people from awareness to having knowledge and understanding; building confidence in what security is for them and taking part in the process without blame or having security as something that’s ‘done to you’.
“These ideas are just a start to the journey, creating a two-way conversation rather than awareness pushed in one direction. When people start adopting these principles it becomes an alternative to what they’re currently doing.”
Storytelling and a positive culture
In practical terms, this means thinking about contextualising security policies, advice and guidance to ensure people can relate more to the messages delivered. This also builds a much more positive culture based on trust and the benefits of good cyber security behaviours.
As part of the You Shape Security guidance, there is a storytelling toolkit which enables people to use storytelling for talking about their everyday experience of technology, complete with its challenges, difficulties and opportunities.
To expand on this idea, we are now leading a research initiative in conjunction with AXELOS and supported by NCSC to design workshops that will help security practitioners understand how they would use creative engagement and storytelling in training and awareness learning, risk assessments and audit.
We think that there are a lot more organizations out there engaging creatively with their people than we realize. Therefore, we would like to uncover what the real information security engagement capacity is in organizations and what they are really doing about it.
The storytelling toolkit referenced in the NCSC guidance can be found here: https://bookleteer.com/collection.html?id=28