Cybersecurity has become increasingly important across organisations, departments and teams. However, effective cyber-security requires both technical and organisational measures to reduce risks to organisations and the clients they serve. Furthermore, attacks on many types of critical infrastructure service providers, such as financial, healthcare or public institutions, could result in serious economic and societal repercussions.
An often overlooked element of cyber-security is the human factor in supporting effective programmes. Trilateral Research made a substantial contribution to knowledge in this area as part of the multi-million Euro SOTER project, which examined the human factors related to cybersecurity, taking the financial sector as a case study for analysis. This article outlines some of the findings from that research, with a focus on how organisations can better address the human factors in cyber-security to provide more comprehensive protections.
Methodology
The work on “Mapping […] human behaviour related threats and mitigation measures” began with a literature review to identify key hypotheses from the literature on human factors in cyber-security. These hypotheses were then tested in one-to-one interviews with employees of a financial services organisation. The interviews were carried out with a range of employees from different departments and job roles, including management, general staff and cybersecurity staff. Employees were asked a series of questions about cybersecurity in their job and were presented with hypothetical scenarios so that they could explain how they would respond to specific cybersecurity issues.
Key Findings
Three key findings stood out from the research. First, urgency, lack of time and the friction between cybersecurity and meeting business demands were mentioned by participants as disablers of effective cybersecurity in the workplace. Second, there was a continued recognition of the need to invest in cyber-security to build experience and expertise. Finally, staff saw themselves as important enablers of cyber-security within the organisation.
Friction between cyber-security and other business needs
Employees reported that compliance with cybersecurity procedures could sometimes be slow and inflexible and could affect the client experience. Potential delays caused by cybersecurity compliance emerged as a key issue, since timeliness is an important KPI for effective business operations. As a result, cybersecurity procedures were sometimes not followed diligently. For example, employees reported friction related to the way data or files are shared:
Often the pressure you are under or the rush to get the information makes you a bit more flexible with the procedures, even if you know it is not the best way to do things.
In cases like these, employees chose to prioritise meeting business objectives over maintaining an optimal level of cybersecurity. In addition, given the need for flexibility in business operations, employees felt there may be situations where cybersecurity procedures could be improved by being more adaptive. From the clients’ perspective, employees also felt that complying with certain procedures, or with too many cybersecurity procedures, may hinder the clients’ experience:
Because of my job, I have a customer mentality. I know that too much cybersecurity affects the customer’s UX, but cybersecurity is very important.
Nevertheless, as the quotes above demonstrate, almost all employees recognised the importance of cyber-security to the business.
Resourcing and investment
The importance of appropriate resource allocation is a recurring theme within cybersecurity. The proliferation of larger and more complex IT systems, including cloud and distributed infrastructures, means that the overall attack surface is widening without a matching increase in IT support budgets. Most respondents communicated that increasing cyber-security resources would provide a strong ROI in terms of cybersecurity resilience. In particular, not having sufficient staff was a central roadblock:
We need to have more people in all the security teams to get more work done. As there are few of us, in the end you end up doing what is urgent and important, and there are lots of things that we are not doing because of a lack of staff.
Information security staff felt that more staff would mean an ability to cover more threat areas. However, respondents recognised that market competition for cybersecurity talent was fierce, and that identifying, hiring and retaining staff placed strain on budgets, human resource departments and management.
Staff as “success vectors”
While the literature recognises that human error represents an important vulnerability for organisations, the research reinforced the idea that staff are also aware that they are important resources in effective cyber-security. Staff with sufficient and relevant skills and experience were often viewed as one of the most important organisational assets. According to one of the information security employees:
It is the quality of the people that makes them work well, rather than the processes themselves. You can have a good process but it is not followed. But you can have a good person who, even if there is no process, if he or she is a good professional, will solve the problem. I would emphasise the human resources much more than the process.
At the same time, there was consensus amongst participants that responsibility fell on all employees to ensure that cybersecurity procedures are implemented effectively. Therefore, there was a sense of collective responsibility concerning the implementation of cybersecurity procedures, as one employee reported:
I think there are two profiles. On the one hand, the profile of cybersecurity teams (…). They set the pace, the protection mechanisms and the guidelines to follow. On the other hand, all of us employees who carry out the policies defined by these cybersecurity teams, as well as use the cybersecurity tools and pass on everything the cybersecurity team tells us to clients on a day-to-day basis (…).
Thus, rather than seeing themselves as “threat vectors”, staff reported an understanding of their collective responsibility in building trust within the organisation and between the organisation and the people it serves.
Recommendations
This study demonstrates that effective cyber-security within an organisation can be strengthened by the following key interventions.
First, organisations should do their best to ensure that cyber-security measures fit as easily as possible into existing workflows, systems and procedures. The research demonstrates that if extra steps are required, these may be de-prioritised in high-pressure situations, which is also where mistakes are often made.
Second, sufficient investment in talent is essential, but it is also difficult in the face of market competition and skills shortages.
Third, although human error is the main cause of personal data breaches and cyber-security breaches, staff in this organisation were ready to be part of the collective responsibility framework for cyber-security. Creating cyber-security responsibility as a shared endeavour, and viewing staff as success vectors, rather than threats, may better support the development of a cyber-security culture.
For more information on how to improve information security in your organisation, please contact our team of experts who will be happy to help. For more information on the SOTER project’s findings, please visit our project website.