Using a Human-Centric Approach to Boost Security

Most users just want to do their jobs. Here’s how to work with them, rather than against them, to improve security.


Each new data breach that hits the front pages proves that some current security practices aren’t working. Rather than throw more technology at the problem, however, many experts say it’s time to put more attention on the human factor.

This means understanding why users engage in “risky” behavior, recognizing we often can’t change that behavior, and working with users to manage risk without reducing their productivity.

A Human-Centric Strategy

A human-centric strategy involves understanding the context of users’ actions. This includes their behavior over time and our understanding of their job responsibilities, says Richard Ford, chief scientist at Forcepoint. If a salesman downloads five customer records every day, it’s reasonable to assume that’s legitimate. If he downloads 10,000 a day, that’s cause for concern.

Here’s another example of context around activity, says Ford: “The travel system knows I’ve booked a trip to London but I’m logged in from my desk in the office.” We have the data, but we so often don’t put things together until it’s too late.

Being human-centric also means accepting that users will do risky things not because they’re lazy, stupid, or stubborn, says Ford, but because, “when you’re operating on your computer you’re very focused on the task at hand” rather than on secondary tasks such as security.

Finally, a human-centric approach considers alternatives to inflexible “yes” or “no” rules to nudge users to the safest route in ambiguous situations.

The human factor shouldn’t be equated only with the malicious employee supposedly out to hack your systems. Many breaches result from accidental user missteps. Some users cut security corners because that makes it easier to do their jobs; others can’t resist clicking on a fraudulent phishing email or a less-than-secure website.

Accepting that these risks are there and managing the outcomes of such behaviors is a key part of being more human-centric.

The Human Factor in Action

Consider an employee trying to copy corporate data to a USB drive. Always allowing this probably incurs too much risk. Always blocking it would likely reduce their productivity.

A human-centric approach, on the other hand, might detect whether they were copying an unusual number or type of files, or data that was particularly sensitive. If so, the policy could allow the transfer but automatically encrypt the files. If the employee accessed the data on an authorized system, the data would be automatically decrypted. If they shared it with an unauthorized user, the data would stay encrypted and be useless. Such an approach combines security with the least possible “friction” in the user’s work, says Ford.

Or consider an employee sending a confidential document to a personal email account so they can edit it from home. Rather than blocking or allowing the transmission, a human-centric approach might ask the user if they really intend to take this risk. If they abort the transmission, the organization has helped them avoid an error. If they proceed, they take responsibility for their choice and, hopefully, think more carefully about it.
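The context-aware baseline described by Ford (five records a day versus 10,000; a trip booked to London while the session comes from the office desk) and the graded responses in the two scenarios above can be put together in one small policy engine. The following is an added example, not Forcepoint's code or the article's own; the event fields, the median/MAD baseline, the threshold and the sample history are all assumptions.

```python
# Added example: graded, context-aware policy decisions. All names and thresholds are assumptions.
from dataclasses import dataclass
from statistics import median
from typing import Optional, Sequence, Tuple

ALLOW, ENCRYPT, PROMPT = "allow", "allow_encrypted", "prompt_user"

@dataclass
class Event:
    user: str
    action: str                        # "download" | "usb_copy" | "email_external"
    record_count: int = 0              # records or files touched by this action
    sensitive: bool = False            # labelled confidential by data classification
    personal_recipient: bool = False   # e-mail goes to a personal address
    login_city: str = ""               # where the session originates
    booked_travel_city: Optional[str] = None  # what the travel system says

def robust_zscore(history: Sequence[int], value: int) -> float:
    """Distance of value from the user's own baseline, in MAD units.
    Median/MAD rather than mean/stdev, so one earlier spike does not mask the next."""
    med = median(history)
    mad = median(abs(x - med) for x in history) or 1.0  # guard against an all-equal history
    return (value - med) / (1.4826 * mad)

def location_conflict(ev: Event) -> bool:
    """Travel booked to London, session from the office desk: the context disagrees."""
    return ev.booked_travel_city is not None and ev.booked_travel_city != ev.login_city

def decide(ev: Event, history: Sequence[int], z_threshold: float = 6.0) -> Tuple[str, str]:
    """Return (action, reason), preferring low-friction outcomes over a hard block."""
    anomalous = bool(history) and robust_zscore(history, ev.record_count) > z_threshold
    if location_conflict(ev):
        return PROMPT, f"login from {ev.login_city} while travel is booked to {ev.booked_travel_city}"
    if ev.action == "usb_copy":
        if ev.sensitive or anomalous:
            return ENCRYPT, "sensitive or unusually large copy: allowed, but files are encrypted"
        return ALLOW, "within the user's normal pattern"
    if ev.action == "email_external" and ev.personal_recipient and ev.sensitive:
        return PROMPT, "confidential document to a personal address: ask the user to confirm"
    if anomalous:
        return PROMPT, f"{ev.record_count} records today against a baseline of {median(history):.0f}/day"
    return ALLOW, "within the user's normal pattern"

if __name__ == "__main__":
    history = [4, 5, 5, 6, 5, 4, 6, 5]  # constructed: a salesman's records/day over eight days
    for ev in (Event("sam", "download", record_count=5, login_city="office"),
               Event("sam", "download", record_count=10_000, login_city="office"),
               Event("sam", "download", record_count=5, login_city="office", booked_travel_city="London")):
        print(ev.action, ev.record_count, "->", decide(ev, history))
```

Because the baseline is per user, the same 10,000-record download that trips the threshold for this salesman would pass silently for an analyst whose history sits at that level every day.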

Cooperation, Not Coercion

Research shows that employees who feel engaged and valued in their jobs – motivated by positive reinforcement as well as negative consequences – present a significantly lower organizational risk. That’s why a human-centric approach to security can help deliver both better security and higher productivity.

Forcepoint’s human-centric cybersecurity systems protect your most valuable assets at the human point: the intersection of users and data over networks of different trust levels. Visit www.forcepoint.com

Copyright © 2018 IDG Communications, Inc.