IT security breaches: Why users shouldn't take all the blame anymore

Information security professionals need to get beyond 'blaming the user', says expert.
Written by Danny Palmer, Senior Writer

Is it time to start blaming processes, not people?

Image: iStock

Cybersecurity professionals need to stop blaming users for being unable to follow security policies in the workplace, and realise that business and technology processes should accept some of the responsibility.

In order to have a chance of improving cybersecurity in the workplace, those issuing security directives must "stop asking people to do impossible things" and placing blame on employees, said Professor Angela Sasse, professor of human-centred technology and director at the UK Research Institute in Science of Cyber Security at University College London.

Speaking at the European Information Security Summit in London, Sasse described the "fundamentally broken" way in which businesses approach security awareness -- which in many cases, is to outright blame the user.

While praising the hard work that cybersecurity professionals do in order to keep organisations safe, Professor Sasse argued that "there is something rotten at the core" of how elements of the work are done.

"It's basically still driven by the assumption that the people are at fault and that we need to fix them, and that's what security awareness is about. We need to get past that," she said.

"In every other area of technology design, you would basically accept that if there's a particular process and you want it to work in a particular way, that 90 percent of the effort goes into making the technology fit the business process, and how people behave, and 10 percent is asking people adjust themselves," said Sasse.

"But when you listen to most security awareness practitioners, when you listen to hardcore security people, they've got it the other way around -- the answer to all problems when something isn't working with security awareness is to fix the user," she explained.

When it comes to businesses, they should ensure that their employees have the right tools required to carry out the job. If users are required to store files in the cloud, companies should provide a corporate cloud storage solution, rather than allowing users to store data with a public cloud service provider, which could potentially put the data at risk. Organisations must change the business approach to match what users want in order to be both productive and secure.

"If you don't make it easy for people to do the right thing, you're wasting money on security awareness," said Sasse.

It's also important for organisations not to confuse employees with many different terms for the same thing. For instance, explaining that ransomware, malware, viruses, and Trojans are different things might be overwhelming, especially if different terminology is being used by different sources -- something even the government has been accused of.

"We've got a lot to do in terms of the terminology that's being used; it's contradictory, or people use different terms for the same thing. I think people are justifiable thinking it's too complex," said Sasse, urging companies to unify their communications on this.

She also called for an organisation like the National Cyber Security Centre to provide clear information. "There should be a single authoritative source for advice," she said.

While many hacks and data breaches are caused by human error, there are ways of enabling users to experiment with good and bad approaches to cybersecurity, all without endangering the network

Read more on cybersecurity

Editorial standards