
Companies find wins in ‘human’ security approach

Some CISOs aren’t asking if the control works—they want to know if it’s working for the employee.

Carol Yepes/Getty Images


When Spanish financial services company Banco Santander adds a security control, it applies user-experience (UX) principles and decision trees.

Is a new identity tool critical to workloads? If no, consider reviewing and retiring it.

Do employees complete a given security action frequently? Do they read FAQs to understand a control? Does the control add to their cognitive load?

If the answer to more than one of these questions is yes, that’s friction to be evaluated.

Companies like Santander are finding success with “human-centric” design—not just implementing a control, but asking for feedback from employees about the end-user experience and making policy changes accordingly.

“They used to just ask, ‘Does the control work?’ Now they ask, ‘How does it feel?’ And they have seen dramatic improvements in secure behavior,” said Chris Mixter, research VP at Gartner.

Human-centric moves to center stage. Mixter defines “human-centric” cybersecurity as prioritizing the employee experience. Human-centric practices include establishing the mechanisms that reduce productivity-impacting “friction,” as well as axing controls that no longer add value.

Gartner recently predicted that, by 2027, 50% of large enterprise CISOs will adopt human-centric security designs.

Let’s talk feelings. Employers today may implement controls without considering employee experience.

Multi-factor authentication (MFA), for example, is the secure option, but deployed carelessly it could quickly lead to office anger. What if a software developer has to log in again and again as they move to different systems?

“There’s nothing more frustrating than having something rolled out and applied to you that you’ve had no ability to weigh in on,” said Cassie Christensen, director of GTM strategies at the tech-consulting firm Strategic Security Solutions (S3).

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

For the imaginary developer mentioned above, maybe token-based authentication can limit logins, or perhaps “adaptive” methods can authenticate based on known device behavior and location.
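As an added illustration (not from the article, and not Santander's or S3's code), here is one way such an adaptive policy could be expressed: re-prompt for MFA only when the device, the location or the freshness of the last challenge changes, and count the prompts so the friction can be measured against an always-prompt policy. The grace period, the field names and the sample login sequence are assumptions.

```python
"""Adaptive (risk-based) MFA decision for a developer moving between systems.

Added example, not code from the article or the companies it quotes. The
policy, the grace period and the sample data are assumptions chosen to
show the idea: prompt on a new device, an unusual country, or a stale
challenge, and otherwise let a known device through.
"""
import copy
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MFA_GRACE = timedelta(hours=8)  # assumed: one challenge per device per working day


@dataclass
class Attempt:
    """One login to one internal system (constructed input shape)."""
    system: str
    device_id: str
    country: str
    at: datetime


@dataclass
class Profile:
    """What the identity provider already knows about the user (constructed)."""
    known_devices: set[str]
    usual_countries: set[str]
    last_mfa: dict[str, datetime] = field(default_factory=dict)


def decide(profile: Profile, a: Attempt) -> tuple[str, str]:
    """Return (decision, reason); decision is 'allow' or 'mfa'.

    An unknown device or an unusual country always gets a fresh challenge.
    A known device from a usual country passes without a prompt while its
    last successful MFA is younger than MFA_GRACE.
    """
    if a.device_id not in profile.known_devices:
        return "mfa", "unknown device"
    if a.country not in profile.usual_countries:
        return "mfa", "unusual location"
    last = profile.last_mfa.get(a.device_id)
    if last is None or a.at - last >= MFA_GRACE:
        return "mfa", "no recent MFA on this device"
    return "allow", "known device, usual location, recent MFA"


def run_session(profile: Profile, attempts: list[Attempt]) -> dict:
    """Apply the policy in order and record each passed challenge.

    Works on a copy of the profile so the caller's object is unchanged.
    Returns the per-attempt decisions plus the number of prompts, which is
    the friction figure a human-centric review would track, next to the
    count an always-prompt policy would produce for the same day.
    """
    profile = copy.deepcopy(profile)
    decisions = []
    for a in attempts:
        decision, reason = decide(profile, a)
        if decision == "mfa":
            # Assume the user passes the challenge: remember it per device
            # and enrol a previously unknown device.
            profile.last_mfa[a.device_id] = a.at
            profile.known_devices.add(a.device_id)
        decisions.append((a.system, decision, reason))
    prompts = sum(1 for _, d, _ in decisions if d == "mfa")
    return {"decisions": decisions, "adaptive_prompts": prompts,
            "always_prompt": len(attempts)}


# Constructed sample: one developer, one working day, six systems.
T0 = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)


def example_profile() -> Profile:
    return Profile(known_devices={"laptop-42"}, usual_countries={"ES"})


DEV_DAY = [
    Attempt("git", "laptop-42", "ES", T0),
    Attempt("ci", "laptop-42", "ES", T0 + timedelta(minutes=5)),
    Attempt("wiki", "laptop-42", "ES", T0 + timedelta(hours=2)),
    Attempt("cloud-console", "laptop-42", "ES", T0 + timedelta(hours=6)),
    Attempt("git", "laptop-42", "ES", T0 + timedelta(hours=9)),        # grace expired
    Attempt("vpn", "phone-7", "ES", T0 + timedelta(hours=9, minutes=10)),  # new device
]

if __name__ == "__main__":
    result = run_session(example_profile(), DEV_DAY)
    for system, decision, reason in result["decisions"]:
        print(f"{system:14} {decision:5} ({reason})")
    print(f"adaptive prompts: {result['adaptive_prompts']}, "
          f"always-prompt policy: {result['always_prompt']}")
```

The sample day produces three challenges (first login, the expired grace period, and the new phone) instead of six; the two counts are the kind of before-and-after numbers a feedback session can put in front of the people who live with the control.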

Companies can figure out the best options through direct feedback sessions or even short surveys with, ya know, humans.

“Those types of feedback loops are what human-centric technology deployments are all about,” said Christensen.

The same kind of feedback can improve training sessions and the effectiveness of the dreaded phishing test.

“Stop trying to get humans to not click the link and start asking them more about why they click the link. What are you trying to do? Where are you trying to get to? How can I help?” Mixter told IT Brew.

In a Nov. 2022 Gartner survey, 69% of respondents stated that they intentionally bypassed their organization’s cybersecurity guidance in the last 12 months.

But they know what to do, says Mixter; doing the wrong thing is just faster.

The primary reason that employees give for knowingly adopting insecure behavior: cybersecurity-induced friction that impedes their ability to get the job done.

“Don’t click the link, don’t use unapproved apps, don’t try to get around MFA” is perhaps an outdated IT approach.

“Human-centric cybersecurity design fixes the messaging: I know you’re here to do. I want to learn more about that, so I can help you do,” Mixter told IT Brew.—BH
