‘Human actions underexposed in cybersecurity’Thursday 11 March of 2021
Many companies see protection against cybercrime and incidents such as data leaks as a technical issue. But where it often goes wrong is in processes and human actions. A Security Journey Expert will investigate where organisations are vulnerable with respect to human actions. This is what is being proposed by the PCSI.
From unsafe human action...
The Security Journey Expert? Yet another new appointment? Not many companies will cheer at the prospect of yet another person on the payroll. And anyway, aren't there enough security officers, information security guards and other ICT staff to guarantee digital security? That remains to be seen. After all, despite all the security measures, financial institutions are still affected by cyberattacks (hacks, DDOS etc.) and cyber incidents (such as data leaks). This is partly because human behaviour plays a greater role in this than is often recognised. A number of financial institutions and TNO, united in PCSI, are therefore looking for new solutions to get a better picture of the human factor and to be able to assist employees more effectively in the fight against cybercrime. PCSI's provisional conclusion: appoint a Security Journey Expert (SJE) who not only looks at technology, but especially at processes and the role of human actions in this. We have the idea that such a new role, shaped from the perspective of psychology, can really add value,' says TNO's Rick van der Kleij.
... towards safe human conduct
Van der Kleij: 'Precisely because technology in larger organisations is often in good shape, the criminal targets employees. The best known example is phishing emails. If the employee clicks on it, malware can get into internal systems or confidential information can be stolen. Cybersecurity is traditionally focused on technology; the psychology, in other words human behaviour, is underexposed in our view. The awareness is often there. Employees know very well that they should not click on suspicious emails. And most organisations have instructions as to which software should be used. Yet employees deviate from the guidelines, either consciously or unconsciously. How is this possible? One of the reasons, as we know from scientific research, is that while people tend to consider security measures very important, they think it is others who should adhere to the rules. In short, there’s quite a bit of psychology involved in cybersecurity.’
Science and practice
The intention of the partners in the PCSI is clear: the results of research and projects must help organisations and society to arm themselves against tomorrow's cyberattacks. By working together, the PCSI partners (ABN Amro, ING, de Volksbank, Achmea and TNO) combine applied scientific research, current data and practical cyber problems. Jacolijne Coops, participant from ING: ‘Our work in the first phase confirmed that cybersecurity touches virtually every functional area within an organisation. You're talking about IT, compliance, sales, HRM, process design, data management, risk management and so on. The Security Journey Expert, as we see it, is a linking pin. He or she analyses, from a human perspective, together with other employees from other functional areas, why things sometimes go wrong. What are the causes? And how can we organise processes better for this?’
Coops: ‘Just imagine, at a recruitment department, CVs of candidates are forwarded internally from a managed system, so that they disappear into download folders and mailboxes. That is a security risk and a reason for the SJE to take action. Why do employees act as they do? And how do we persuade people not to simply forward privacy-sensitive information¬, even under time pressure or just as a one-off? The SJE ensures that the behaviour of employees is better understood. Subsequently, this officer can ensure that technical solutions are better suited to this. If the technology is not (yet) sufficient, the SJE uses his or her knowledge to influence the 'people' factor, whether or not in consultation with other experts from other functional areas.’
More complete cybersecurity
The PCSI wants to create a new role. Couldn't the security or compliance officer take on the tasks of the SJE? ‘The rapid developments already keep employees who deal with cybersecurity very busy,’ says Richard Verbrugge, participant from ABN Amro. Verbrugge refers to methods such as Lean Six Sigma, which looks at processes through efficiency glasses. ‘We think it is good to also look at processes through security glasses. This will undoubtedly provide many insights. Unclear processes and inefficient systems cloud the picture of cyber protection. It must always be crystal clear in organisations what risks exist and how employees must act to minimise these risks. An interesting assignment for the SJE would be to investigate how employees who structurally work from home because of the pandemic deal with cyber risks. Have they developed behaviour at home that is not in line with company policy? And why have they done so? With this knowledge, the Security Journey Expert can formulate recommendations to prevent this undesirable behaviour and also to ensure that employees remain alert at all times. For example, with a monthly training course, as has been introduced at ABN Amro.’
The partners in the PCSI take an agile approach. This means that the best solution is built step by step. The exploration phase is behind us. Here, the problem has been identified and the best answer determined. The next step is to draw up a job profile for the SJE, including the methods and data sets this person can use to perform a security journey. What education does she or he need to have, what background and work experience? Once the job profile has been worked out, the partners in the PSCI will defend their proposal in a Dragon's Den in which CISO representatives from the participating organisations will act as the jury. This could be followed by a pilot, in which one or more partners will gain experience with the new role.