June 5, 2023 By Mike Elgan 4 min read

Security would be easy without users.

That statement is as absurd as it is true. It’s also true that business wouldn’t be possible without users. It’s time to look at the big picture when it comes to cybersecurity.

In addition to dealing with every new risk, vulnerability and attack vector that comes along, cybersecurity pros need to understand their own fellow employees – how they think, how they learn and what they really want.

The human element — the individual and social factors that affect cybersecurity — is as important as technology in protecting against malicious cyberattacks. And yet, in general, most cybersecurity professionals are far more adept, knowledgeable and focused on the technology side.

However, “human failure” will be responsible for over half of all major cyber incidents over the next three years, according to a Gartner report.

And so we find ourselves heading into another season of growing cyberattacks with a gross mismatch between where cybersecurity professionals focus their attention and the human factors that actually protect against those attacks.

It’s time for a reset.

NIST’s 6 most common security pitfalls

In a recent article by the National Institute of Standards and Technology (NIST), computer scientist Julie Haney focused on the misconceptions commonly held by security specialists about users. As an expert in both cybersecurity technology and the human factor, Haney noted that those misconceptions were mostly about communicating with users.

Called “Users Are Not Stupid: Six Cyber Security Pitfalls Overturned,” the paper highlighted the basics of how and why to partner with users, rather than view them as “the enemy”.

  1. Assuming users are clueless.
  2. Not tailoring communications to the audience.
  3. Unintentionally creating insider threats due to poor usability.
  4. Having too much security.
  5. Depending on punitive measures or negative messaging to get users to comply.
  6. Not considering user-centered measures of effectiveness.

In her paper, Haney cited two studies. One found that 82% of 2021 breaches involved the human element.

And the other pointed out that in 2020, 53% of U.S. government cyber incidents involved employees violating acceptable use policies or falling prey to social engineering attacks.

Nobody needs convincing that people are the problem. But it’s less intuitive to know that people are the solution, too — or, at least, a big part of it.

On that latter point, the research is clear, according to Haney. But cybersecurity pros just aren’t focusing on that research.

One starting point is to read Haney’s NIST paper, linked above. I would endorse her list, and add a few more items.

New mindset: Turning users into partners

Cybersecurity feels like war. And that naturally leads to cybersecurity staff forming a combative mindset.

Cybersecurity staff are tasked with securing a massive and growing attack surface, a constantly evolving threat landscape, vulnerability-prone software, insider threats and new, unprecedented challenges (like the recent shift to remote work), all with limited budgets, a persistent skills shortage, general understaffing and other constraints. In that situation, users just seem like another set of problems coming at you.

It’s intuitive to see users as a huge part of the problem; less so viewing them as a huge part of the solution.

Here’s how:

Focus on shared objectives. The larger conversation between cybersecurity staff and employees feels like the security pros have one set of objectives (preventing and dealing with cyberattacks) that feel at odds with the objectives of everyone else in the organization (winning customers, earning profits, achieving growth goals, minimizing customer loss and many others).

The big picture is that the larger goals of the organization are shared goals. All those business objectives depend on cybersecurity — security is part of what makes them possible. By focusing on shared objectives, users will partner more readily.

Keep language positive; avoid the negative. Focusing on “failure”, “mistakes” and “errors” demoralizes at scale. And demoralized employees who feel intimidated and stupid won’t have the mindset to partner on cybersecurity. Praise good behavior rather than criticize bad behavior. Emphasize the joy of success over the sorrow of failure. Help users understand how and why they’re helping with security, rather than just handing down edicts.

Speak in business terms, not abstractions. Whether talking to the C-suite in budget meetings or the sales staff in cybersecurity training, express yourself in business terms — time and money saved or lost — rather than assuming the facts around cybersecurity can be appreciated in the abstract.

Use plain, respectful language. Learn to express yourself in plain, jargon-free language. Jargon makes sense and provides specificity and clarity to the professionals who dwell in that jargon but can be alienating in the extreme to people outside your profession. Avoid the temptation to solve this mismatch by insisting that users learn the jargon. Instead, learn to express those ideas without jargon and condescension.

Focus on building trust. Consistently express commitment to the objectives of users and be transparent about what you’re trying to accomplish to build empathy, a shared sense of mission and mutual trust.

Forget how to coerce; learn how to persuade. Persuasion is an art that can be learned, and it’s far more effective than coercion. If you use threats and force, users may “route around” your directives every chance they get. But with persuasion, you’ll get users to want not only to follow the letter of best practices but the spirit as well.

Assume most information will be forgotten. CybSafe research found that only 10% of workers remember all their cybersecurity training. The majority of users need reinforced learning, multiple angles of communication and other methods to create a culture of cybersecurity, rather than a training session that all are expected to memorize.

Don’t wait. One reason user communication falls short is the usual list of not enough time, staff or money to prioritize this initiative over other, more pressing concerns. But some of Silicon Valley’s most innovative CEOs will tell you that duress and crisis are the best time for innovation and change.

Securing an organization against persistent cyberattacks is not just a technology role. It’s a leadership role as well. Learn to lead through effective human-centric communication. The ability to excel at both sides is the most valuable package of skills a cybersecurity pro can possess.
