Why we need to know end users & their behaviors and to engage & empower them!
I am quite sure you have all heard of the acronym PEBKAC, which means: “Problem Exists Between Keyboard and Chair”.
Actually, it belongs to a long list of highly creative and quite funny terms used by IT people & techies to describe user errors, such as:
PICNIC: Problem In Chair Not In Computer
EEOC: Equipment Exceeds Operator Capabilities
ESO: Equipment Smarter than Operator
Code 18: The problem is 18″ away from the screen
RTFM: Read the Freaking Manual
As you surely know, security teams generally tend to consider end users the “weakest link” of the Information System.
As a matter of fact, from a strict cyber threat point of view, we all know that end users are convenient entry points for attackers and key targets for phishing, social engineering, cyber fraud, and cyber scams. Another issue relating to end users is mistakes and errors. In 2019, SolarWinds, a leading provider of IT infrastructure management software, delivered the results of a study about cyber threats: “The research of over 100 IT professionals in Germany revealed internal user mistakes created the largest percentage of cybersecurity incidents over the past twelve months (80%)”. And I am quite sure that this is not solely the case for German businesses but for most businesses around the world.
At the other end of the spectrum, in the eyes of most end users, cybersecurity tends to be an amalgamation of procedures, tools and technologies which slows them down in their day-to-day work. As a matter of fact, many end users consider security procedures very restrictive and burdensome, and feel that, all in all, security hinders the business. In the end, security people are often dubbed the “NO people”, meaning they would always say no to the business and put security first.
So, what do we have in between?
Most of the time, we have cybersecurity training and cybersecurity user awareness programs.
But is it sufficient and satisfactory? I doubt it.
This year I conducted a cybersecurity survey with a client’s workforce, asking a quite simple question: “How do you perceive cybersecurity at your company?”. Well, I can tell you that the answers I got were pretty diverse. They ranged from “I don’t care about cybersecurity” to “I think we need more cybersecurity” to mixed answers such as “I understand the need for cybersecurity, but it is a constraint” or “I had a good mark at the last E-learning session but over time I forget what I have learned”.
To me, cybersecurity training and cybersecurity user awareness programs are of course important, and we shall keep educating end users about good cyber hygiene and cybersecurity best practices.
However, I note that most of the time end users are trained via the same platform, in the same way and on the same content, without distinction of function, age, experience, digital literacy, etc.
I would say that, due to the diversity of the workforce, a one-size-fits-all approach to cybersecurity is not satisfactory, in the sense that, for instance, a 50-year-old in a senior role with access to sensitive and confidential data does not present the same risks as a 25-year-old in a junior role with no access to critical data. Of course, there is a need for common ground on good cyber hygiene and cybersecurity best practices, but I am convinced that further differentiated cyber education is needed, let’s say a more adaptive set of training and awareness tools depending on the context of the role.
Moreover, I believe that we need to engage end users and empower them, i.e. go beyond the “passive” E-learning and training mode and get end users to be more “active”. This could first be done by simply listening to their views and suggestions around cybersecurity, especially when it comes to their role and context. For instance, I have set up a kind of “suggestion box” about cybersecurity at another client company, and I can tell you that I do get interesting feedback, ideas, and suggestions from the workforce.
More generally speaking, I note that what is lacking between security teams and end users is simply dialogue and goodwill.
There is a need to understand each party’s concerns and priorities.
And as such I would dare to say that cybersecurity has somehow to reclaim its humanity because humans shall be our first line of defense.
I welcome your thoughts and comments.