True North Networks Blog
Human Performance as a Risk Factor
Most organizations don’t place enough focus on the human elements of cybersecurity, according to Stephen A. Wilson, Dean Hamilton, and Scott Stallbaum from consulting firm Wilson Perumal & Company. In an article for MIT Sloan Management Review, the consultants explain that the right technical defenses are essential, but most successful cyberattacks rely on human failures.
“Without addressing this issue of human performance, a vicious cycle perpetuates,” they write. “As companies bring on board new technologies — each one potentially addressing an emerging threat — they also add more corresponding people and processes. As this continues, the interactions between technology, processes, and people pile up, and the level of complexity increases geometrically. At some point, this complexity overwhelms the cybersecurity infrastructure and obscures emerging threats — until, weighed down by legacy systems, the business finds itself less agile than cybercriminals, and an attack occurs. In response, the business seeks out the technological patch for that specific threat, and the cycle repeats.”
The consultants say there are some observable attributes possessed by organizations that have strong security postures.
“Closing the human performance gap — embedding new behaviors and shared understanding as part of the culture and normal course of business — is no small undertaking, but it’s ultimately the best defense against cyberattacks,” the consultants say. “And fortunately, an analog exists for addressing this type of risk and leveraging human performance as a critical layer of defense: the high-reliability organization (HRO), which we define as an organization that has a remarkably low number of mishaps consistently over a sustained period of time yet performs highly complex and inherently hazardous tasks.”
The consultants explain that HROs differ from other organizations in three ways. First, employees at these organizations are in “a state of hypervigilance and watchfulness for early danger signals.” Second, HROs are able to respond quickly when an incident occurs. Third, they learn from every incident and quickly share knowledge throughout the organization.
Additionally, employees in an HRO are knowledgeable about cybersecurity, which leads them to take security protocols more seriously.
“They understand how easily passwords can be compromised and the risks of unauthorized access,” the consultants write. “Because they recognize that cybersecurity is everyone’s job, they read and take seriously the warnings that the cybersecurity department sends out each week.”
Employees need to be a central part of an organization’s security posture. New-school security awareness training can address the human side of cybersecurity.