To encourage individuals to improve their security practices, begin by not blaming them.
That was one takeaway that Angela Sasse, a professor of human-centered technology at University College London, offered at the Infosecurity Europe conference. Sasse is also the director of the U.K. Research Institute for Science of Cyber Security, or RISCS.
Officials at Britain’s National Cyber Security Center – part of the GCHQ signals intelligence agency, and a primary funder of RISCS – have made user-blaming verboten.
“It’s counterproductive; it doesn’t help us to change” or to develop more effective security models, Sasse said in a keynote presentation.
Organizations have to find collaborative ways of working with employees and getting them to change, she argued. But they also need to be open to rigorously testing security-related assumptions – and practices – and revising their thinking based on empirical evidence.