Technical expertise and cutting-edge equipment mean precisely nothing when employees don’t understand or don’t care about cybersecurity. That’s why organizations are beginning to study not just cybersecurity itself, but how workers react to and think about it.
Mary Theofanos, a computer scientist at the National Institute of Standards and Technology, set out to discover what people’s mental models are for cybersecurity. A mental model, she said, is a frame of reference for thinking about a certain subject. A good example of mental models is understanding the difference in circumstances and required behavior for a restaurant versus a cafeteria or a fast-food establishment.
“We were kind of looking for those and their perceptions about cybersecurity and could they define what it meant, what privacy meant, some other security concerns,” Theofanos said during Cybersecurity Awareness Month. “And instead, we got this overwhelming view of weariness and this reluctance to see or experience anymore with respect to security. And it just lost control. It was all through the data, all the comments people made.”
She said people are being forced to make too many decisions, frequently about things they don’t completely understand, and they’re tired of doing that. And when that happens, they either make hasty decisions, which tend to be bad, or just make no decision at all.
“I think it turns out that, looking at the study, when people get weary and fatigued, they kind of give up,” Theofanos told the Federal Drive with Tom Temin.
Another issue Theofanos discovered is that cybersecurity fatigue can carry over from the home into the workplace. It’s usually not as bad at work, because the employee doesn’t have to worry about patching or updates, but passwords and pop-ups still exacerbate the fatigue.
In a paper on the topic, NIST offers a couple of solutions to this problem. First, it wants to simplify the situation so that people make fewer decisions, and make them more accurately. One way to do this is to let the software make most of the decisions for the user; when it does have to ask the user a question, it should make the right answer obvious.
Along those lines, automating processes like updating, patching and creating backups can take a lot of stress off the user and ease the fatigue.
NIST also wants to instill cybersecurity as a habit, because the brain works better in habit mode, Theofanos said. There are two steps to this solution: first, the good habits of professionals need to be identified, and second, they need to be turned into a training regimen.
“It’s incumbent on everybody to practice good cybersecurity hygiene in order to protect the whole,” Theofanos said. “So it’s this common good concept. You might feel like you’re a little cog in this big mechanism, but the reality is our overall cybersecurity posture requires everyone to participate.”
But the burden doesn’t fall solely on employees, either.
Rebekah Lewis, deputy director of the Kogod Cybersecurity Governance Center at American University, said that good cybersecurity governance is equally important. There is a lot of focus on the technical pieces, the fast-evolving technology and the cyber-threat actors, but governance is what oversees, coordinates and manages all of those things.
“You can focus all you want on the specific technical pieces, but if you don’t have your arms around the big picture, all of that effort may be for naught,” Lewis told the Federal Drive with Tom Temin. “Because you’ve got blind spots, you’ve got gaps that you’re not seeing, and you may not be managing very efficiently either.”
She said there has to be a “governor” — someone at the top of the cyber hierarchy to manage and be accountable. In many cases, that person is the chief information officer, or the chief information security officer, although sometimes it’s the agency head.
“What’s … important is that that person is clearly identified, properly resourced, and they have the authority that they need to actually fulfill the responsibilities that have been given,” Lewis said.
One issue, however, is that those positions are political, which means agencies can lose continuity between administrations. For example, President Barack Obama just appointed Brigadier Gen. (retired) Greg Touhill as the first federal CISO in September. But he’ll only have 4 months to accomplish anything before the new administration takes over.
Likewise, it’s important that this cyber governor know their institution and be clearly identified to its employees as the individual with the authority and accountability. They should also have knowledge of all the various aspects of cyber policy, including the technical, legal and financial ones.
“Continuity is very important, visibility is very important. How do you prioritize competing interests if you don’t have visibility of all of them?” Lewis asked.
“You need to know your universe,” Lewis added. “What is it you’re trying to protect? Why are you trying to protect it? What is the value of it? And what is the culture of your organization? How do you go about motivating the people working for you to do very mundane, cyber hygiene things that are not sexy, are not particularly exciting, but they really matter in terms of protecting your assets.”