Security Staff Acquisition & Development

Why human nature often trumps security

Pedestrians walk by Uber headquarters in San Francisco, California. Uber suffered a recent breach, likely the result of an intruder gaining initial access by contacting an Uber employee over WhatsApp. (Photo by Justin Sullivan/Getty Images)

Cybersecurity risk is the top concern for CEOs globally, with elevated risks and awareness spurring increased investment in network defenses and security features within systems. But there is one threat executives cannot program away: humans. 

Indeed, recent research from Verizon found that the human element continues to drive data breaches, making up 82% of all attacks. 

“Everything at its core revolves around humans,” said Perry Carpenter, chief evangelist and strategy officer at KnowBe4. “Technology, as good as it gets, isn’t effective at stopping everything. And usually, humans are the reason that a piece of technology fails in some way.” 

Malice and ignorance are not driving mistakes, ‘laziness’ and stress are

Many organizations assume that employees break security protocols because they either have malicious intent or don’t know the rules. Carpenter suggests otherwise. 

Instead, he said most employees fail to comply because of human nature; or more specifically, “laziness.” 

"We all have limited energy but multiple tasks to deal with every day," Carpenter said. "When it comes to decision making, we tend to take the easiest route."

In other words, employees are less likely to follow security policies if the policies prevent them from getting their work done efficiently. For example, when it comes to reporting suspicious emails, organizations typically ask employees to follow certain guidelines, from taking screenshots and entering relevant information to attaching copies. 

These steps bring value for the security team; but they are also time-consuming. That alone sets a barrier for employees to follow. 

Also, in the wake of the pandemic and sudden shift in the working environment, employees can feel overwhelmed. They may also be less prone to follow security protocols in their own homes, versus a work environment, said Lauren Zink, security program awareness manager at Indeed, in an interview with SC Media. “Security teams should work with organizations to take care of employees' mental wellbeing, identifying and reducing sources of stress for them,"

A recent study from the University of Central Florida also found that breaches are more likely to happen on days when employees suffer from stress, whether from “family demands that conflict with work,” “job security fears,” and even “the demands of the cybersecurity policies themselves” that leave employees feeling monitored.

"When our mental faculties are overridden by emotions, such as stress, we will revert to reflexive, automatic behaviors, including accidentally giving away password or clicking phishing links when it comes to online activities,” Carpenter explained. 

Security awareness programs should take human nature into account

Indeed, traditional security awareness programs often have this flawed assumption: if employees are aware of the protocols, they will naturally do the right thing. But human nature drives many to dodge best practices in favor of convenience.

To shift the mindset, Zink suggests that leadership not only inform employees about security rules but also explain why the rules are important for individuals and companies. Once employees understand the roles, they play in keeping the organization secure, they will have more incentive to follow the protocols. 

The security team should also use simple language that employees can easily understand. Lance Spitzner, security awareness director at SANS Institute, told SC Media that the reason lots of security awareness programs failed is that the people doing the communication are highly technical with advanced training in technology, but not in communication. 

“We need to make the training sessions more engaging and interactive for employees,” Spitzner said. “And we need to communicate on their terms.” 

Partnership between people, policy and and technology

Similarly, before blaming employees who overstep security protocols for the sake of convenience, organizations should revisit their policies and revise those that are time-consuming and difficult to follow. Spitzner points to password policies as an example of a critical component of enablement that too often overlooks the user experience. A requirement to create strong and unique passwords and reset them every 90 days is too demanding and ineffective and should be simplified using password managers.

Beyond technology, Carpenter suggests that a company's security culture can be shaped by social pressure. For example, if all managers in the company log out their computers when leaving their desks, employees are more likely to do the same without being explicitly told to do so.

But if shifts in technology and policy can ultimately remove security responsibilities from single employees, why should organizations focus on security awareness programs? 

Experts agree that even with automation’s help, the human element will remain a significant factor in the cyber landscape. While technology eliminates more and more gaps, new ones will continue to emerge under an ever-changing ecosystem. 

“To keep the environment safe, it should never be one or the other,” Carpenter. Instead, it should be “a partnership between people and technology.”

Menghan Xiao

Menghan Xiao is a cybersecurity reporter at SC Media, covering software supply chain security, workforce/business, and threat intelligence. Before SC Media, Xiao studied journalism at Northwestern University, where she received a merit-based scholarship from Medill and Jack Modzelewski Scholarship Fund.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.