How to talk to users about cybersecurity
User-friendly login tools and clear communication go a long way toward getting staff in step with cybersecurity protocols.
While cybersecurity may be second nature to IT professionals, instilling it across an agency may be an uphill battle without a human-centered approach, one expert says.
IT staff must be able to communicate cybersecurity terms and concepts in ways the average person can understand, according to Julie Haney, computer scientist and usable security researcher at the National Institute of Standards and Technology. Otherwise, agency staff may ignore proper cyber hygiene if they feel their lack of understanding will be belittled or judged by IT professionals, Haney wrote in a November 2022 paper titled, “Users are not stupid: Six cyber security pitfalls overturned.”
Before security teams initiate cybersecurity training or communications, they should test their explanations with people who are not experts and who “can say, ‘I have no idea what this means, you might want to change this,’” she said in an interview.
When agency staff fully understand the security issues and context, they are more likely to absorb the information and integrate cybersecurity into their normal workflows, she said.
Agencies should also leverage tech-based solutions that detect and prevent cyberattacks to prevent their users from developing security fatigue—a sense of resignation, weariness, frustration or loss of control over their own cybersecurity, Haney wrote in the paper.
“Don’t always put all the responsibility on people if you don’t have to,” Haney said. For example, IT staff can deploy or improve email filters to catch phishing messages to reduce end users’ cybersecurity burden. “The more you can [offload that to the backend], the better.”
Other ways to avoid security fatigue include running training campaigns throughout the year rather than ahead of a single deadline. IT staff should also offer different ways staff can meet security benchmarks such as cyber incident simulations and educational events with certified speakers, she added.
But these education efforts would be useless without a way to measure how well staff retain cybersecurity knowledge. While many organizations use metrics on how many employees complete a training session to gauge their staff’s cyber awareness, IT staff must dig deeper, Haney said.
For instance, IT managers can monitor how often cyber incidents involve user error or evaluate click rates on simulated phishing attacks. “These metrics can be very helpful to see if people are responding appropriately to those phishing emails, but [they] have to be put in context as well,” she added. Data may reveal that click rates increased significantly from one quarter to the next, so IT managers should investigate what caused that spike before proposing a solution.
Furthermore, IT personnel should consider loosening elaborate password requirements such as minimum character counts and the use of special characters and numbers, Haney said. Though weak passwords remain a major threat to cybersecurity, “complex password policies can inspire poor decisions, such as using the same password across multiple accounts,” the paper stated.
“We’re human, right? We can only recall so many things,” Haney said. Passphrases, which are typically longer in length, are easier to remember and type in compared to complex passwords.
Another solution is dialing down how frequently users must update their passwords. While some organizations prompt staff to change their credentials every 60 to 90 days, Haney said changes could be made on an as-needed basis if, for example, IT staff believe the system has been compromised.
Two-factor authentication can add another layer of defense without burdening staff. With this method, users may present a physical device such as a security token in addition to a PIN, which may be easier to recall, she said.
For IT managers to understand staff’s pain points, feedback is vital. Open-ended surveys that ask staff how effective a training session was or what they struggle with when it comes to cybersecurity provides qualitative data that IT workers need to implement effective solutions, Haney said.
“It’s hard for security people to put themselves in the shoes of non-security people because … we have an expertise that we can’t forget,” she said.
NEXT STORY: Turning hackers’ behavior against them