In an increasingly digital society, where technology makes the world go ‘round, it is easy to overlook a foundational component of our systems: the people that make them work. Human factors engineering is an integral, yet often overlooked aspect of effective cybersecurity.
My colleague Dr. Calvin Nobles, department chair and associate professor of information and management at the Illinois Tech College of Computing, defines human factors engineering as “a scientific approach to improve system design to optimize human behavior and performance.”
Human threats to cybersecurity require human solutions, and human factors engineers are experts in applying the science of human performance and cognition to complex work environments. Expertise in human factors, and educating leadership about human factors, can lead to a more holistic security strategy that is better able to respond to both internal and external threats.
Recently, Calvin and I discussed human factor security strategies in a fireside chat. We believe cybersecurity moved beyond technology a long time ago. As organizations increasingly depend on one another for critical goods and services, understanding the impact of humans within these complex systems is critical for improving resiliency and security. Our discussion centered on four key considerations:
Integrating human factors into security systems and processes is critical:
- Neglecting human aspects of cybersecurity creates deficiencies in responding or reacting to threats.
- “Cyber criminals have a vote in what we do in cybersecurity …. How do I infiltrate a company, I don't want to attack them through their technology, I'm going to attack them through their people” - Dr. Nobles
- “People are the first and last line of defense in cybersecurity.” - Dr. Nobles
- Communication between people working in a cybersecurity system is the most important thing to make sure everything is running smoothly.
Cybersecurity systems are increasingly complex
- The pandemic increased the amount of remote locations that must implement security.
- Each system operates independently, but is still dependent on other systems; when one system is faulty, it can compromise the security of other systems.
- It is important to remember that people are the ones making sure everything runs smoothly.
Under-education about human factors is a pressing issue in security
- Business executives and decision makers do not fully understand human factors, and how human factors can facilitate decision making that better protects their companies.
- “We have tried everything … to deal with reducing risk in cybersecurity, except for addressing the human behavior aspect.” - Dr. Nobles
- “There's a knowledge gap, and there's a lack of education. And there are people out there who've been trained to do this. Now, you cannot bring people in, you cannot try to solve this problem with just regular cyber security professionals.” - Dr. Nobles
- People do not realize the importance of the human element of incredibly complex cybersecurity systems.
Human factor engineers work to create concrete, science-based systems
- Human factors must be built into the framework of a cybersecurity system.
- “It's not something you sprinkle on the top at the end, right? There’s a scientific approach to doing human factors the right way.” - Dr. Nobles
- The human aspect of security cannot be replicated or replaced by a machine, and must be highlighted in order to effectively protect information.
- Scientific analysis of natural human instincts and the anticipation of mistakes are built into the engineer’s systems
No matter how far technology advances, it will never be able to replace the human element of security. With the expansion of remote workforces as a result of the COVID-19 pandemic, security relies on even more interrelated systems than ever before. To ensure that these systems are running smoothly, we have to move beyond technology-focused strategies and solutions, and take a more scientific and serious approach to integrating behavioral sciences into our systems.