The Value of Human-Centric Cybersecurity
The Value of Human-Centric Cybersecurity
Whether it’s choosing weak passwords, getting fooled by scammers, or forgetting to secure cloud storage, human error plays a much-talked-about role in many cyber incidents. However, only seeing people as potential weak points is not conducive to a strong security posture. Human-centric cybersecurity aims to place the behavior, needs, and roles of people at the heart of security strategies. This article highlights the value of taking a human-centric cybersecurity approach.
Key Tenets of Human-Centric Cybersecurity
Human behavior influences the ability to prevent, detect, and respond to cyber attacks. By considering these human elements and placing them at the heart of what drives your security strategy and posture, you can better manage risks.
Taking a more human-centric approach is prudent given that threat actors increasingly exploit human factors rather than technological weaknesses. Recent research shows that 82% of cyber attacks involve the human element. And remember, everyone in your company has a part to play in bolstering security — not just the security team.
To truly grasp what human-centric cybersecurity means, below are some of its key tenets.
Tailored, Ongoing Security Training
Many companies still treat security awareness training as a compliance-driven, box-ticking exercise that all employees must complete at set intervals. Yearly or half-yearly training modules are often dull or irrelevant to specific user roles. Generic, once-off training doesn’t do much to reinforce learning about basic security hygiene, let alone more advanced tactics and techniques.
Human-centric security emphasizes the importance of tailored education and training programs to help different users understand security policies and practices, recognize threats, and respond appropriately to attacks. Someone in a finance department probably has different security risks and threats than, say, a DevOps engineer. Ongoing training and reminders are central to this approach because they help employees better remember what they learn versus one-off modules and assessments.
Human-centric security also aims to improve the training of security operations center (SOC) teams and other analysts whose roles directly focus on defending companies against attacks. A lack of real-world cyber attack experience often stifles security teams’ abilities to perform optimally when a real cyber attack happens.
Simulated attacks that cover a range of scenarios are a big part of human-centric security because they serve as practical training tools that allow security teams to experience the type of dynamic tactics used by cyber attackers in a controlled, educational environment.
This hands-on approach not only tests the effectiveness of current security policies and measures, but it also directly engages people in the learning process. The immediate feedback provided in cyber attack simulations is invaluable for reinforcing good practices and identifying areas where staff may need extra training.
Avoiding a Blame Game
Fostering a culture of openness and transparency about how people report security incidents is also integral to a human-focused strategy. The aim is to avoid a blame game where employees don’t feel fear or shame around security mistakes. When employees feel safe to report security mistakes or issues, versus those with a blame culture, companies benefit in many ways, such as:
Openness and transparency can lead to quicker detection of breaches to limit their impact.
A non-punitive approach allows everyone to learn from errors and reduce the chances of future similar incidents.
There’s less underreporting of security incidents when people don’t fear blame.
Accounting for Psychological Factors
Human-centric cybersecurity accounts for psychological factors in key security decisions. Psychology is important because the way people think and behave significantly impacts the effectiveness of other security measures and tools. Technical security often overlooks these psychological factors to focus on enforcing tools and rules.
One important idea is the concept of cognitive biases, which often cause people to think and act in a way that's not completely logical or accurate based on their own perceptions and experiences. For example, the optimism bias can cause people to underestimate their own risk of becoming a cyber attack target.
People also have different preferences in terms of learning styles and motivations that training programs can be adjusted to account for. Some people learn best through hands-on activities and simulations, while others might thrive with detailed presentations. Tailoring training programs to accommodate different learning styles and motivations is a prime example of human-centric security.
Thinking of User Experience
Early in 2023, research and consulting company Gartner identified human-centric security design as the top cybersecurity trend in 2023. What this means in practice is designing security measures and policies with the user experience in mind. When security protocols are user-friendly and seamlessly integrated into daily workflows, people are more likely to adhere to them. Password policies, authentication methods, data sharing, remote access, web browsing rules, and security training must all account for user experience.
When security controls add friction or frustration, problems arise. Consider how mandatory regular password changes often result in people choosing less secure, predictable passwords or even writing down their passwords. Another example of poor user experience is overly intrusive antivirus software that constantly interrupts work with pop-ups, scans, or notifications. These intrusions could lead employees to disable important security tools or features on their workstations or laptops.
Why a Human-Centric Approach Is Better
In addition to the benefits already mentioned, here are some reasons you might consider switching to a more human-centric cybersecurity approach:
Research shows that human error causes around 88% of data breaches. The pillars of a human-centric approach — continuous user education and awareness, systems and protocols tailored to user experience, and feedback through open reporting — all reduce the chances of human error leading to data breaches.
As threat actors continue to target human vulnerabilities, social engineering techniques that exploit fear, urgency, and trust become more widespread. Technical defenses alone cannot fully protect against attacks like phishing or business email compromise. Educated and aware users who understand the threats faced in their specific roles are better placed to recognize social engineering scams.
While technical solutions and rules are important in cybersecurity, they are not sufficient on their own. After all, it’s ultimately people who operate and integrate with technology and who follow security policies and protocols. Putting the human element at the core of security strategies is worth embracing — after all, 50% of CISOs plan to adopt this approach by 2027. Why not start now?
Empower Your People with Cloud Range
Human-centric cybersecurity prioritizes tailored, ongoing security training. At Cloud Range, we believe that nothing prepares people better for cyber attacks than real-world experience. That’s where our Cyber Range-as-a-Service Platform service helps with custom live-fire cyber ranges and a library of attack scenarios for people to practice and refine their skills.
Empower your security teams with realistic, interactive environments for training and testing cybersecurity skills. With Cloud Range, your teams will not only understand the technical aspects of cybersecurity but also learn how to hone their decision-making skills, stress management, and collaborative abilities in the face of cyber incidents.
Replicating your specific network on the cyber range provides employees with relevant and practical training experience, tailored in alignment with the tenets of human-centric security.
Our Performance Portal gives you reporting, metrics, and analysis for individual and team performances. You can use this data to identify areas of strength and weakness in both technical skills and soft skills like communication and teamwork, which are crucial in effective cybersecurity responses.
