Here at the Gartner Security & Risk Management Summit, I sat in on a session about human behavior and its connection to information security. Tom Scholtz, an analyst with Gartner, opened with a statement many of us know to be true but often forget.
“The single weakest link in the information security chain still remains the human being,” he said.
In Scholtz’s view we are increasingly coming to the realization that by focusing on individuals’ human behavior and how we can influence it, we can learn how to create a more secure environment. “By 2015, one out of four enterprises will use social and behavioral sciences techniques to drive cultural and behavioral change in their information security programs. Maybe understanding how individuals react differently will give us an understanding in improving our security measures.”
He advises that security professionals should start focusing on human behavior as a root cause rather than a symptom. “We need to understand how individuals react differently to risks and the controls to mitigate risks.”
The key issues regarding behavior and information security:
- How is the information security and risk management discipline evolving and what are the consequences?
- What are the parallels and overlaps with social and behavioral sciences?
- What strategies and tactics should information security and risk leaders adopt to exploit this evolution?
It is vitally important for organizations to consider these questions, but it may be better to seek answers from an outside source in order to prevent groupthink. “Groupthink tends to polarize views,” said Scholtz. “If you have the same group of individuals who sit in the same office eight hours a day, they’re going to have similar attitudes towards things. We need to understand how those working environments pressurize people into beliefs which they might not have if it was a one-on-one basis or under a different work environment.”
So what insight do we get from the social sciences? People react differently to risks and to the controls meant to mitigate them. Recognizing this is the first step toward understanding human behavior and its role in building an information security program that keeps evolving.