Cybersecurity and human factors. The missing link?

The literature very often describes humans as the weakest link in the cybersecurity supply chain, and it is just as often explained that, technical controls aside, the main vulnerability in an organization is the person. This is because people’s decision-making processes, attitudes, beliefs, and behaviours have yet to be deciphered by cybersecurity professionals. Studies on human and behavioural factors in cybersecurity are scarce, and the existing ones insist that data security and privacy depend on the education, training and awareness of employees and users. Efforts therefore concentrate on educating individuals so that they change their behaviour, protect the data assets and, by extension, protect the organization as a whole.

However, the focus of this topic needs a radical shift. It would start with contextualizing and modelling the existing challenges for which individuals are currently blamed. We would then move away from the repeated belief that humans are the weakest link in the supply chain and concentrate instead on developing and implementing a cyber-resilient, secure, and reliable ecosystem. Such an ecosystem would account for people’s limitations, be adapted to their behaviours, and re-train them according to their capabilities and learning process.

Recent research suggests that the following elements are required to alter individuals’ behaviour regarding control and security:

  • Preparation
  • Responsibility
  • Management
  • Social Elements
  • Regulation

These elements are interconnected and harmonized, and they rest on:

  • Regulation (which protects today)
  • Adaptation (which safeguards the present and tomorrow)
  • Memory and learning (which question previous knowledge)

Revolutionizing the way the human factor is viewed in security and privacy is urgent and much needed. This means moving forward, and slightly away from forming norms and groups and from exhaustive education, awareness and training delivered mostly in technical and non-practical terms. Behaviour-change techniques (e.g., graded tasks), psychosocial techniques (e.g., motivational enhancement), theories (e.g., the theory of planned behaviour) and models (e.g., the COM-B model) from the social and health sciences, such as psychology, can be used successfully and adapted to the particular context of privacy and security. The desired outcome is to minimize the number of breaches carried out by attackers.