The modern threat landscape has made traditional, technology-centric cybersecurity models increasingly inadequate. Threat actors have become far more effective at manipulating the most accessible element of any organization: its people.
This shift demands an equivalent evolution in defense strategy. Human-Centered Security (HCS) is a comprehensive approach that addresses this reality by placing people, their behaviors, and their interactions at the core of the cybersecurity program. Simply writing policies down on a piece of paper or pinning them to a notice board will not suffice.
Academic research in HCS, which originated as ‘usable security’ a couple of decades ago, emphasizes understanding why employees do not comply with security policies. It often finds that non-compliance is less about a lack of awareness and more about security tasks creating too much friction with main productive tasks.
HCS advocates for adapting technology and processes to secure employee routines, rather than trying to change employee behaviors for security's sake. It stresses that security should be made as easy as possible, supporting employees rather than dictating behavior.
It reframes the role of people from the proverbial "weakest link" to the most critical asset and the strongest line of defense against sophisticated cyber threats.
Today's post dives deep into the HCS paper from USENIX Security 2023 ("Employees Who Don't Accept the Time Security Takes Are Not Aware Enough": The CISO View of Human-Centered Security) and provides guidance for technology executives (CXOs), and particularly Chief Information Security Officers (CISOs), on integrating HCS into their overall software development and cybersecurity strategy.
Lay of the Land
I find that the USENIX paper is very much reflective of the situation in many Silicon Valley corporations. From the CISOs' perspective, human-centered security (HCS) is largely perceived as security awareness or training.
All CISOs in the USENIX paper reported implementing some form of awareness and training, including in-person lectures and web-based courses. They also widely use phishing simulations, viewing them as a primary tool for measuring employee security behavior and for generating figures to bring into discussions with management.
Despite implementing these measures, CISOs often struggle to see the benefits and measure the return on investment of awareness and training efforts.
Many CISOs believe that employees who "don't accept the time security takes are not aware enough". CISOs routinely shift responsibility to management (demanding more power, funding, and resources), to the market (a lack of skilled professionals), or to the employees (by blaming them). Industry "best" practices do not implement the insights from HCS research.
Let’s now discuss what the paradigm shift calls for…
HCS is NOT Just Awareness and Training
When asked about human-centered security, the first things that often come to mind for many CISOs are awareness and training programs. All CISOs in the study reported implementing these in some form and the primary motivation is often compliance, or simply doing what others are doing.
However, research shows that awareness and training alone are often insufficient to change employee behavior. The CISOs themselves reported struggling to see the tangible benefits of their awareness efforts and how to measure their effectiveness beyond simple completion rates.
Most training activities follow a "fire-and-forget" approach or are just a "check-box exercise" for compliance. This is even after observing and acknowledging the challenge of ensuring employees actually engage and absorb the information, especially when competing with numerous other mandatory trainings.
The core insight from HCS research here is that understanding human behavior requires more than just providing a web-based tutorial; it requires addressing the underlying reasons for behavior, particularly how security interacts with employees' daily tasks.
Security Friction is a Real Barrier
A fundamental concept in HCS is "security friction" – the effort and disruption that security measures cause to employees' primary work tasks. This research, dating back decades, highlights that employees often struggle with the complexity and workload imposed by security, leading to mistakes or workarounds. For instance, authentication requirements have been shown to be a significant "wall of disruption," causing employees to reorganize workflows to minimize their exposure.
Surprisingly, when asked directly about the time employees spend on security tasks such as authentication, many CISOs in the study admitted they had never considered it. Some even challenged the idea that considering this friction should be part of their job.
This highlights a significant disconnect: employees are paid for their main jobs, and security demands, while important, often compete directly with productivity. HCS research emphasizes that security must account for productivity and the reality of employee workload. Implementing usable security solutions that minimize friction, or at least explicitly negotiating and allocating time for security tasks, is key. However, many CISOs seem focused on changing the employee to fit the security system, rather than adapting the system to fit the employee's reality.
Employees Aren't Just the "Weakest Link"
Despite HCS research advocating for a "non-blame" principle, the phrase "employees as the weakest link" persisted throughout the discussions with CISOs. This mindset can lead to adversarial relationships where security is seen as something imposed upon employees, rather than a collaborative effort.
HCS encourages viewing employees not as vulnerabilities, but as potential partners in security. This involves understanding their needs and working with them. The concept of "security champions", employees embedded within teams who liaise with the security department, is one way to achieve this collaboration.
Focusing solely on blaming employees ignores the systemic and design flaws that often contribute to security incidents. A non-blaming, supportive approach can foster trust and encourage reporting, ultimately improving the organization's overall security posture.
Phishing Simulations Are Not Effective
Phishing simulations are widely used by CISOs, and often defended vigorously, despite research suggesting they are not highly effective at improving long-term phishing detection skills. Why the reliance? It is the usual suspects: metrics (check out this old post for more on quantification bias), compliance mandates, and so on.
As one CISO put it, "There’s always a problem with training: we don’t know what the learning effect was. With phishing emails, we can see that from KPIs. I’m a fan of that". These numbers – often click rates – are invaluable for reporting to superiors who "don’t really want that [budget and staff], and if we can do it with less budget and staff, then it’s better". Showing metrics from phishing simulations helps CISOs "get their messages across" and secure resources.
However, CISOs also acknowledged the downsides: phishing simulations can strain relationships with employees and are not always easy to implement. Some employees feel confused or blamed after failing a simulation.
While they provide data for reporting, relying solely on this metric risks creating a false sense of security and alienating the workforce. Simulations also do little to stop a determined adversary running targeted spear-phishing against employees, because the control still depends on every employee spotting every lure.
Instead, moving away from traditional passwords to FIDO2/WebAuthn security keys addresses both productivity/usability (employees no longer have to remember and regularly change passwords) and security: the credential is cryptographically bound to the legitimate origin, so a look-alike phishing site cannot replay it. Check out the Google case study for more details.
The Critical Relationship with Management
The relationship between CISOs and senior leadership emerged as a dominant and often challenging topic in the study, despite it not being the initial focus. Many CISOs reported difficult relationships, struggling to get their messages across to key senior executives (CEOs/CFOs) who are often not interested in technical details. Finding the "right language" to communicate security risks and needs was a recurring theme.
While CISOs wish for more support and resources from management, they often feel that their budget only increases after a major security incident. This transactional relationship contrasts with the collaborative partnership HCS research suggests is necessary.
Management's focus on compliance and metrics, without deep engagement in how IT investments or policies affect the organization's security posture or employee workload, further highlights this disconnect.
This dynamic underscores the need for CISOs to better articulate security as a business challenge impacting the entire organization, not just an IT problem. However, the research also points out that shifting responsibility down the hierarchy without providing active support is common in many compliance areas, not just security.
Breaking Down Silos is Essential
Some CISOs who participated in the study reported having regular touch-points, particularly with HR, marketing, and sales. However, true collaboration where CISOs seek to understand the needs of other departments before pushing their own ideas was not consistently evident.
HCS research highlights that effective security requires a "give-and-get" process involving departments beyond IT. Security tasks affect marketing campaigns, HR onboarding, sales processes, and more. Building understanding and integrating security considerations into these functions requires breaking down traditional organizational silos.
Embedding security partners or subject-matter experts with engineers on the ground, to help them deliver on their business priorities securely, is one way for CISOs to break down these silos. Collaboration and alignment need to happen not just at the top management layer, but also on the ground.
Working with others and listening to their needs, accepting potentially conflicting ideas, and engaging in broader organizational forums are crucial steps for CISOs to move beyond security practices that can harm productivity.
Wrapping Up
The insights from the HCS research paint a picture of CISOs interested in the human element of security, but constrained by traditional approaches, and challenging organizational relationships.
They default to market-available solutions like awareness training and phishing simulations because these meet compliance needs and provide easily digestible metrics for management, even if their effectiveness in truly changing behavior or reducing risk is questionable.
Implementing genuine human-centered security requires moving beyond checklists and off-the-shelf tools to understand the specific needs and realities of employees within your unique organizational context.
To effectively recommend strategic changes to senior leadership, it's crucial to connect these HCS insights to tangible business outcomes. Instead of just reporting security metrics, focus on framing security needs in terms of productivity, risk reduction beyond compliance, and fostering a secure and engaged workforce.
A potential next step in your analysis could be to map the key security processes that involve employees and estimate the collective time burden (cost of delay) they impose across different roles or departments within your organization: how often each task occurs per employee, how long it takes, and how many people are affected. This exercise provides concrete data points for discussing security friction, and the need for more usable solutions or explicitly allocated time, with senior leadership, moving beyond abstract discussions about awareness to concrete positive impacts on productivity.
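To make that mapping exercise concrete, here is a small friction-cost model added as an illustration; it is not from the USENIX paper or this post's author. Every department, task frequency, duration, headcount and hourly cost in it is a constructed assumption, not a measurement, so replace them with your own numbers. It ranks departments by annual hours lost to employee-facing security tasks, converts that to FTE-equivalents and loaded cost, and shows the "what-if" of swapping one task for a lower-friction alternative (here, a hypothetical passkey prompt replacing password-plus-OTP MFA), which is the kind of comparison the FIDO discussion above calls for.

```python
"""Estimate the annual time burden ("cost of delay") that security tasks
impose on employees, per department, and compare a lower-friction
alternative.  All figures below are constructed assumptions for
illustration only."""

from dataclasses import dataclass, replace

WORK_DAYS_PER_YEAR = 230      # assumption
HOURS_PER_FTE_YEAR = 1840     # 230 days x 8 hours, assumption


@dataclass(frozen=True)
class SecurityTask:
    name: str
    occurrences_per_year: float   # per employee
    minutes_per_occurrence: float


@dataclass(frozen=True)
class Department:
    name: str
    headcount: int
    tasks: tuple


def annual_hours(dept: Department) -> float:
    """Total hours per year the whole department spends on its security tasks."""
    per_employee_minutes = sum(
        t.occurrences_per_year * t.minutes_per_occurrence for t in dept.tasks
    )
    return dept.headcount * per_employee_minutes / 60.0


def with_task_replaced(dept: Department, task_name: str,
                       new_task: SecurityTask) -> Department:
    """Return a copy of the department with one task swapped for another,
    e.g. to model replacing password+OTP MFA with a passkey prompt."""
    tasks = tuple(new_task if t.name == task_name else t for t in dept.tasks)
    return replace(dept, tasks=tasks)


def friction_report(depts, loaded_hourly_cost: float):
    """Rank departments by annual security-task hours; include FTE and cost."""
    rows = []
    for d in depts:
        hours = annual_hours(d)
        rows.append({
            "department": d.name,
            "hours": round(hours, 1),
            "fte": round(hours / HOURS_PER_FTE_YEAR, 2),
            "cost": round(hours * loaded_hourly_cost),
        })
    rows.sort(key=lambda r: r["hours"], reverse=True)
    return rows


# Constructed sample inventory (assumptions, not data from any organization).
MFA_PASSWORD_OTP = SecurityTask("mfa_login", 6 * WORK_DAYS_PER_YEAR, 0.25)
MFA_PASSKEY = SecurityTask("mfa_login", 6 * WORK_DAYS_PER_YEAR, 0.1)  # hypothetical
TRAINING = SecurityTask("annual_training", 1, 60)

DEPARTMENTS = (
    Department("Engineering", 400, (
        MFA_PASSWORD_OTP,
        SecurityTask("password_reset", 6, 10),
        TRAINING,
    )),
    Department("Sales", 150, (
        SecurityTask("mfa_login", 10 * WORK_DAYS_PER_YEAR, 0.25),  # more devices/apps
        SecurityTask("password_reset", 12, 15),
        TRAINING,
    )),
    Department("HR", 30, (
        SecurityTask("mfa_login", 4 * WORK_DAYS_PER_YEAR, 0.25),
        SecurityTask("password_reset", 2, 15),
        TRAINING,
    )),
)


def passkey_savings(dept: Department) -> float:
    """Hours per year saved if the MFA task is replaced by the passkey prompt."""
    return annual_hours(dept) - annual_hours(
        with_task_replaced(dept, "mfa_login", MFA_PASSKEY))


if __name__ == "__main__":
    for row in friction_report(DEPARTMENTS, loaded_hourly_cost=80.0):
        print(row)
    eng = DEPARTMENTS[0]
    print(f"Engineering hours saved by passkeys: {passkey_savings(eng):.0f}")
```

Two design points matter more than the arithmetic. First, the model is per task, not per department, so the same inventory can answer "which task hurts most" as well as "which team hurts most"; it is usually one task (authentication) that dominates. Second, the what-if path is a plain data substitution, which keeps the before/after comparison honest: the only thing that changes is the measured cost of the control, not the assumptions around it.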
I will finish today’s post with a thought-provoking quote from Dan Geer:
"Security failures more often result from a lack of direction and focus, not of skills or resources."
