
A classic dilemma: humans as a security risk
It is a well-known thesis: humans are the weakest link in the security chain.
Phishing emails are opened, insecure passwords are used, and rules are circumvented. Classic approaches to improving security awareness, such as training and campaigns, start right here. But their effect often falls short of expectations.
This is not only due to the quality of the measures, but also to how security policies are designed and implemented. Many guidelines aim to enforce idealized behavior that is not always compatible with the actual working practices of employees. Perhaps it is time to change the perspective: people should not adapt to the policies - the policies must adapt to people and their reality.
Policies for people, not against them
An alternative approach could include the following considerations:
Security policies that support working practices
Guidelines should make employees' everyday lives easier, rather than more difficult. For example, complicated password requirements are often impractical and lead to rule violations. Passwordless technologies such as the FIDO2 standards offer a secure and user-friendly alternative.
Technology as a partner, not as a blockade
Instead of being perceived as a barrier, security solutions should provide employees with unobtrusive support. Adaptive authentication that adjusts to the user's behavior, or automated phishing detection, can minimize risks without hindering the workflow.
Involve employees as co-creators
When employees are involved in the development of security policies at an early stage, there is greater acceptance. Measures based on real work processes are often more effective than purely theoretical guidelines.
Using mistakes as learning opportunities
Instead of penalizing mistakes, companies could view them as valuable indicators of vulnerabilities. A transparent and open approach to security incidents promotes a culture in which problems are reported proactively.
Examples: How the human factor can work
Phishing attacks and resilience tests
According to the Verizon Data Breach Investigations Report (2023), 74% of cyberattacks can be traced back to humans as the entry point. Companies that actively involve employees in phishing simulations and provide regular feedback report a significant reduction in successful attacks.
Password management and acceptance of passwordless technologies
Companies like Microsoft have increased not only security but also user satisfaction by introducing passwordless systems. These solutions reduce the risk of errors and create a better working environment.
Open feedback culture
A Security Champion program can help improve the security culture in companies and reduce security incidents.
Conclusion: From security risk to resource
In cyber security, people should not only be seen as a potential risk, but above all as a key strength that needs to be promoted. Policies and technologies should be designed to take into account the working reality and the individual skills of employees. This can create an environment in which security is perceived as a natural and supportive part of everyday work.
It should be less about changing employees and more about developing solutions together that promote their strengths and actively integrate them into the security strategy. A successful cyber security strategy must start where people and technology work hand in hand - with the goal of creating a safe and productive environment for everyone.