Sign in
  • Blog
  • Behaviour
  • Communication

Author  Professor Lizzie Coles-Kemp – Information Security Group, Royal Holloway University of London

January 15, 2020 |

 4 min read

  • Blog
  • Behaviour
  • Communication

As technology becomes more and more embedded in company processes, businesses need to look beyond the traditional ways of securing their organizations’ most valuable assets. This involves approaches that engage with people and understand their needs and perspectives on security.

People want to access digital services that enable rather than constrain them. Organizations need to find methods of securing that are not reliant on simply “screwing down” their technology platforms. Otherwise the consequence could be businesses becoming less able to offer services that are of real benefit to people. Therefore, apart from finding alternatives to optimize technology securely, this challenge is also about engagement.

People-centred security – a number of approaches

Building an engagement approach is at the heart of people-centred security. In other words, this is technology designed with the needs and benefits of people in mind. This is where security is usable, accessible and trustworthy, while considering how people engage and what benefits they obtain through that engagement.

Also, flipping that on its head, it also means more emphasis on the trust relationships between people and organizations where that trust relationship is digitally mediated. This involves thinking about what technology enables you to do plus trust users have in the technology to ensure positive outcomes for them. Therefore, people need to trust that technology has been built appropriately and that the organization providing the tech-enabled service has intentions that benefit them.

Doing better with cyber security

A good starting point for organizations trying to improve their approach to cyber security is understanding the context in which their people are using technology. So, what are their stresses, challenges and drivers when using technology? Only when you’ve answered this is it meaningful to embed security measures within that context.

There is another name for this: “You Shape Security”. We have worked with the UK’s National Centre for Cyber Security (NCSC) on this approach with the premise that cyber security is founded on having ongoing dialogues with people to tap into their ways of working and co-creating security policies that address long-standing problems. This will, ultimately, make an organization more effective and better able to cope with the unexpected.

One of our colleagues at NCSC, Ceri J – a senior socio-technical researcher – explained: “The premise of this is communication: understanding how to build dialogue and learn about the way people actually work in an organization. At the moment, security practitioners can make assumptions about how people work rather than asking them what they need, taking a step back and engaging with them. It’s about getting them to take part, to break down assumptions and fit security into everyday life instead of it being seen as a blocker.

“If people talk to each other and build trusted relationships it helps security as a whole and enables everyone to get their jobs done. And it means taking people from awareness to having knowledge and understanding; building confidence in what security is for them and taking part in the process without blame or having security as something that’s ‘done to you’.

These ideas are just a start to the journey, creating a two-way conversation rather than awareness pushed in one direction. When people start adopting these principles it becomes an alternative to what they’re currently doing.”

Storytelling and a positive culture

In practical terms, this means thinking about contextualising security policies, advice and guidance to ensure people can relate more to the messages delivered. This also builds a much more positive culture based on trust and the benefits of good cyber security behaviours.

As part of the You Shape Security guidance, there is a storytelling toolkit which enables people to use storytelling for talking about their everyday experience of technology, complete with its challenges, difficulties and opportunities.

To expand on this idea, we are now leading a research initiative in conjunction with AXELOS and supported by NCSC to design workshops that will help security practitioners understand how they would use creative engagement and storytelling in training and awareness learning, risk assessments and audit.

We think that there are a lot more organizations out there engaging creatively with their people than we realize. Therefore, we would like to uncover what the real information security engagement capacity is in organizations and what they are really doing about it.

The storytelling toolkit references in the NCSC guidance can be found here: https://bookleteer.com/collection.html