The Intersection of User-Centric Security and Security Culture
Grant Hughes
IT Manager: Cybersecurity & GRC at Engen (CISSP, CLP, CISA, CEH, CISM, CDPSE, CCSK, CSTP, CCSP, Master's Degree) | ISC2 Authorized Instructor
I recently found myself at a fork in the road. On the right was a path designed by architects and experts, and on the left, a path carved out by pedestrians actually walking the road - let's call them "users." I chose to go left.
The reasons for my choice were simple. First, it was convenient, almost natural - why walk around a bend if I could walk straight? Second, it was safer, with no low-hanging branches to dodge.
This got me thinking about security controls and how we design and implement them. Often, we follow best practices and industry frameworks without truly considering the user experience. For example, implementing complex passwords and multifactor authentication (MFA) via an app when most of your customer base consists of people using small-keypad mobile devices that aren't smart devices may not be ideal. While the value of MFA is undisputed, when you consider the customer, offering MFA via email or SMS as well might be more appropriate than an app-only option.
When we consider the proverbial right and left paths in cybersecurity - the intended way documented in security policies that we hope users comply with versus how users actually interact with systems and data - we consistently find that if a security control is too cumbersome or complex, users will find a way around it.
Take, for example, a problematic secure web gateway (SWG) that prevents access to legitimate websites. Once users discover they can access the blocked websites via 3G, they will. Not out of malice, but because the intended design fails to meet their needs. Given a choice, people will always gravitate toward what is easiest. The technical term for this is cognitive fluency - the subjective experience of how easy or difficult it is to complete a mental task. When presenting users with options, ensure that the right choice is the easiest, most natural choice.
So, how do we get users to choose the 'right' path instead of going left?
We don't. We build the path where it makes sense and allow users to walk where they would have walked anyway, but in a safer, more secure manner. That's our job. ISACA is clear on this: the purpose of cybersecurity and risk management is to support business objectives. It was never about absolute security - it was always about allowing the organization to operate in a secure, ethical, safe, and legal manner.
User-centric security puts people at the center of the strategy. Phillimon Zongo puts it best in his book, Five Anchors of Cyber Resilience: "Cyber-resilient enterprises put people's hearts and minds, not technology, at the center of their cybersecurity strategies."
Remember, strategy is how we play. Governance and culture are how we win.
Chairperson | Non-exec director | Multi-award-winning IT GRC Senior Manager | Influential Woman in Tech | Wired4Women Trailblazer and Tech Innovator Finalist | Chartered CIO | Speaker | Mentor | C|CISO, CISA, Cert.Dir
4 months
TIL the term cognitive fluency. Thanks for that. It is really important for the security team to work together with its end users, but in recent years, security teams have tended to step away from this. These articles help us get back to that collaborative way of working, so thank you for the continuous education.
Interesting
Retired, but doing Cloud dev (Freelance)
5 months
Well presented, Grant. I agree we need to be pragmatic about security.
Muhan Energy (Pty) Ltd
5 months
Makes absolute sense.