September 18, 2014 By Rick M Robinson 2 min read

Security breaches continue to lead in technology news, with the targeted victims ranging from personal consumer storage to major enterprises and government organizations. All too often, the response from the public — and enterprise management — is to blame the human failings of the victims.

While it is true that people, both as employees and consumers, largely don’t follow the advice of security professionals, blaming the victims has failed to produce better security practices. This is why security experts are increasingly focusing on persuasive technology, which makes good security practices the path of least resistance for users.

Complexity Bedevils Security Measures

Security can be complicated — just think of the standard guidance for generating strong passwords. And what’s more, as Jon Oltsik reports at Network World, security is often made needlessly complicated by organizational flaws.

These complications can range from information technology initiatives undertaken without security consultation to security staffs that are so busy putting out fires that they don’t have time to train employees to use existing security measures properly. Some of the shortcomings are technology-centric; for example, network security measures tend to center on specific devices instead of network flows.

All too often, however, “security policies … are too complex and can’t be enforced with the current network security processes and controls,” according to a recent ESG report. Even the most conscientious employees are likely to throw up their hands when faced with confusing, overlapping or downright contradictory security measures.

Safely Navigating Toward a Safe Haven Through Persuasive Technology

Avoiding needless complexity is a vital starting point when it comes to streamlining security. However, it should only be a starting point; the next stage should be actively pursuing persuasive technology that will make good security practices a natural part of the workflow.

As Erik van Ommeren, Martin Borrett and Marinus Kuivenhoven write in Chapter 6 of their new e-book, Staying Ahead in the Cyber Security Game, the user is commonly regarded as a weak spot, but that same user can be “an enormous force for good.”

Once a secure process or workflow is established, it becomes second nature to users. Those same users can become the first line of defense, spotting anomalies in logins or suspicious emails.

Persuasive technology, to be sure, is not just about making secure procedures easier and more natural to follow. It is also about making insecure practices less natural to follow.

For example, a persuasive technology approach to email attachments might have two sides. On one hand, a smoothly working, collaborative solution can make sending secure messages and attachments a simple, natural process. At the same time, restrictions on email attachments (such as attachment size) make insecure email attachments less convenient to use, meaning users will have less of an impulse to use them.
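One way to make the attachment-size restriction described above concrete, as an added example that is not part of the original article: a gateway-style check that parses an outbound MIME message, measures each attachment, and blocks oversized ones with a pointer to the sanctioned sharing service rather than a bare rejection. The size limit, the share URL, the sender and recipient addresses, and the sample message are all constructed for illustration and are not values from the article.

```python
"""Attachment-size policy check in the persuasive-technology style.

Added example, not code from the article. A mail gateway evaluates each
outbound message; attachments over a size threshold are blocked and the
user is pointed at the sanctioned sharing path instead. The limit, the
share URL and the sample message below are all constructed placeholders.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Hypothetical policy values; a real deployment would load these from config.
MAX_ATTACHMENT_BYTES = 1_000_000  # anything larger is redirected
SECURE_SHARE_URL = "https://share.example.invalid/upload"  # placeholder


def attachment_sizes(raw_message: bytes) -> dict:
    """Return {filename: decoded size in bytes} for every attachment part."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    sizes = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""  # decoded, not base64 length
        sizes[name] = len(payload)
    return sizes


def evaluate(raw_message: bytes) -> dict:
    """Apply the policy: accept, or block with a redirect to the sanctioned path."""
    sizes = attachment_sizes(raw_message)
    oversized = {n: s for n, s in sizes.items() if s > MAX_ATTACHMENT_BYTES}
    if not oversized:
        return {"action": "accept", "oversized": {}}
    return {
        "action": "block",
        "oversized": oversized,
        # The message tells the user what to do instead, so the secure route
        # is the easy next step rather than a dead end.
        "user_message": (
            f"Attachment(s) over {MAX_ATTACHMENT_BYTES} bytes: "
            + ", ".join(oversized)
            + f". Upload them to {SECURE_SHARE_URL} and share the link instead."
        ),
    }


def build_sample(attachment_bytes: int) -> bytes:
    """Construct a sample multipart message with one binary attachment."""
    msg = EmailMessage()
    msg["From"] = "alice@example.invalid"  # constructed
    msg["To"] = "bob@example.invalid"      # constructed
    msg["Subject"] = "Q3 report"
    msg.set_content("See attached.")
    msg.add_attachment(b"\x00" * attachment_bytes, maintype="application",
                       subtype="octet-stream", filename="report.bin")
    return msg.as_bytes()


if __name__ == "__main__":
    print(evaluate(build_sample(10_000)))     # accepted
    print(evaluate(build_sample(2_000_000)))  # blocked with redirect advice
```

The check measures the decoded payload rather than the base64-encoded wire size, so the limit applies to what the recipient would actually receive; the block response carries the alternative path in the same message, which is the point of the approach: the restriction and the easier secure route arrive together.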

Not every necessary security measure can be made “persuasive.” But thinking of security in terms of what users can do rather than what they cannot do will go a long way toward making good security practices the norm.

Download the free e-book: Staying Ahead in the Cyber Security Game
