A recent article by the National Institute of Standards and Technology (NIST) computer scientist Julie Haney revealed a pervasive problem: many cyber security professionals hold false beliefs about non-technical users of information, and these pitfalls can raise an organization’s risk of cyber security breaches. 

In the article “Users Are Not Stupid: Six Cyber Security Pitfalls Overturned”, Haney states that skilled and dedicated cyber professionals tend to fall victim to misconceptions that hold other people back from reaching their full potential of being active partners in security.  

“Cybersecurity specialists are skilled, dedicated professionals who perform a tremendous service in protecting us from cyber threats,” she said.  

“But despite having the noblest of intentions, their community’s heavy dependence on technology to solve security problems can discourage them from adequately considering the human element, which plays a major role in effective, usable security.”   

Check out: Australia ranks 1st in cyber security progress 

In the paper, Haney lists out six cyber security pitfalls and how cyber experts can avoid them. 

1. Assuming that consumers are ignorant

Demeaning users might lead to an unfavourable “we vs. them” dynamic between consumers and cybersecurity experts. It has been found that users are just overloaded and frequently experience security fatigue.  

As such, Haney states that building trusting relationships with users while enabling them to participate actively as partners in cybersecurity is an option to consider when improving your cyber security strategy. 

2. Ineffective communication to the audience

Security professionals often utilize specialized terminology that diminishes interest from their audience. Aside from this, they also neglect to personalize their teachings to connect with the topics that matter to users in their everyday routines.  

There are a few approaches that can be helpful, such as concentrating on straightforward communication, delivering the information in various formats, and collaborating with the public relations department of an organization. 

3. Insider threats from poor usability

Time constraints or other distractions may influence users into becoming internal cyber threats due to exhibiting poor decision-making skills. For instance, when presented with complicated password policies, users may resort to weak security practices such as reusing the same password across multiple accounts.  

To alleviate the burden on users, some security responsibilities can be shifted, such as implementing more mail filtering at the server level to reduce the number of phishing emails that users receive.  

Furthermore, it is beneficial to pilot new security solutions with a small group of users to identify and address any confusion before full-scale implementation. 

4. Excessive security measures  

Sometimes a security solution may not be suitable for a particular job context due to its inflexibility or restrictiveness. Although utilizing the most secure tools available appears to be a sensible approach, some users may perceive the ensuing complexity as an obstacle to their daily tasks, prompting them to breach security protocols more frequently.  

Rather than adopting a “one size fits all” approach, conducting a risk assessment through a risk management framework can assist in determining the most appropriate level of cybersecurity for a given environment. 

Check out: Top three cyber security threats for 2023 

5. Relying on punitive measures or negative messaging to elicit compliance

Organizations commonly resort to negative reinforcement tactics, such as deactivating user accounts if they fail to complete security training or publicly humiliating individuals who cause cybersecurity incidents.  

While these measures may yield results in the short term, they often lead to long-term resentment towards security practices. Rather than relying on negative approaches, incentivizing employees who respond appropriately to security threats can foster a more positive attitude towards security. A collaborative approach can also be effective in assisting users who struggle with security practices. 

6. Overlooking user-centred measures of effectiveness

As security training can be seen as a tedious, checkbox exercise, it is uncertain how much knowledge employees retain. Organizations may find it challenging to answer this question in the absence of direct user feedback and tangible indicators of behaviour.  

Identifying concrete metrics as “symptom identifiers” can be helpful, such as help desk calls that reveal users’ difficulties or incidents like phishing clicks that indicate where users require additional support. After pinpointing the symptoms, security teams can employ surveys, focus groups, or other direct interactions with users to ascertain the underlying issues and enhance their solutions. 

Common pitfalls cyber security professionals face 

Haney states that not all security professionals hold these misconceptions, as some security teams and organizations have made strides in acknowledging and addressing the human component of security. However, these misconceptions remain widespread within the community. 

“We need an attitude shift in cybersecurity,” she said.  

“We’re talking to users in a language they don’t really understand, burdening them and belittling them, but still expecting them to be stellar security practitioners. That approach doesn’t set them up for success. Instead of seeing people as obstructionists, we need to empower them and recognize them as partners in cybersecurity.” 

Eliza Sayon

Website | + posts

Eliza is a content producer and editor at Public Spectrum. She is an experienced writer on topics related to the government and to the public, as well as stories that uplift and improve the community.

• Developing an effective data ecosystem
• The journey of building an ecosystem through data
• NZ government strengthens data privacy laws against third parties
• eSafety Commissioner issues legal notice against Twitter