COMP.SEC.100
5. Human Factors
5.5 Positivity and commitment
This section highlights two perspectives that emphasise positivity and can be used to promote security.
Positive security
Discussions about cybersecurity are often based on ‘deterrence’; attention is drawn to risks, threats, and costly consequences when something goes wrong. At the same time, experts believe that cybersecurity is not taken seriously enough and that organisations are insufficiently prepared for risks. However, marketing based on deterrence may not be the best foundation for decision-making, because if investments in cybersecurity prove ineffective, their benefits will be questioned and future investments will be approached with even greater reluctance.
Effective defence requires more than passive compliance; it requires employees who want to protect their organisation and who take seriously the obligations that security places on them. This is not achieved through deterrence or by framing security as merely freedom from threats. Positive security instead frames security as an enabler, something that allows the organisation to carry out its core tasks freely. It also involves engaging employees in building security. Security is therefore no longer a set of alarming messages, instructions, and restrictions coming from IT administration, but something that employees actively construct through their own actions.
Stakeholder commitment (advanced)
Employees (advanced)
How can employees be committed to secure behaviour? Communication, management example, and organisational culture are important factors, but employees can also be engaged more directly. This is helped by identifying the root causes of insecure behaviour. These may include, for example, poorly designed security or the organisation’s failure to support employees in their tasks.
Employees can be engaged, for example, by asking them to reflect on their work environment: what kinds of feelings they have, what constraints they experience, what kinds of pressures they face, and what actions they take when creating or sharing information. The aim is to understand how employees perceive their environment and how security can best be adapted to it. The goal is therefore that people no longer have to adapt to various mechanisms; instead, mechanisms are adapted to people and their tasks. The focus thus shifts from correcting human errors and behaviour to supporting people and their tasks. The objective is both increased productivity and improved security, and as a side effect attitudes towards security become more positive.
Software developers and usable security (advanced)
Poor usability in security also affects technically skilled employees, such as software developers and system administrators. Their workload increases and errors become more frequent if tools are not usable. This may also be reflected in the final product as bugs and security problems. Software developers often face deadline pressures, and security education may be entirely lacking. The result is insecure software, which ultimately becomes a problem for all users.
Studies have shown that security thinking does not automatically form part of software development. It has also been observed that computing students and software developers focus on the primary task and treat security as secondary. When they were asked in a test situation to develop a program that stores passwords, no student and only a few developers included any security features. Security was only considered when explicitly requested. There is also a risk of using outdated security mechanisms or making errors when using them; in the experiment just mentioned, students used the mechanisms better than developers when asked to do so. A major problem in producing secure software is that cryptographic libraries and interfaces are difficult to use. Recently, attention has been paid to their usability, because developers' errors pose significant risks to the final product.
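The password-storage task used in the study above is a convenient place to make the difference concrete. The following Python is an added example written for this section; it is not code from the course material or from the study it cites. It places the two patterns the text describes, storing the password with no security features and using an outdated mechanism (a fast, unsalted hash), beside a salted, deliberately slow key derivation done with only the standard library. The in-memory record layout, the usernames and passwords, and the PBKDF2 iteration count are assumptions made for the demonstration; a real application chooses its own parameters and keeps the records in a database.

```python
import hashlib
import hmac
import os

# All stores below are plain dicts constructed for the demonstration (username -> record).

# Pattern 1: the primary task done with no security thought at all.
def store_plaintext(store: dict, username: str, password: str) -> None:
    store[username] = password

def check_plaintext(store: dict, username: str, password: str) -> bool:
    return store.get(username) == password

# Pattern 2: an outdated mechanism. MD5 is fast and unsalted, so two users with the
# same password get the same record, and the digest can be attacked offline at speed.
def store_unsalted_md5(store: dict, username: str, password: str) -> None:
    store[username] = hashlib.md5(password.encode("utf-8")).hexdigest()

def check_unsalted_md5(store: dict, username: str, password: str) -> bool:
    return store.get(username) == hashlib.md5(password.encode("utf-8")).hexdigest()

# Pattern 3: a salted, slow derivation. The iteration count is an assumed demo value;
# it is stored with the record so it can be raised later without invalidating old entries.
PBKDF2_ITERATIONS = 600_000  # assumption for this example
SALT_BYTES = 16

def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)

def store_pbkdf2(store: dict, username: str, password: str) -> None:
    salt = os.urandom(SALT_BYTES)  # fresh random salt per user
    store[username] = {
        "salt": salt.hex(),
        "hash": _derive(password, salt, PBKDF2_ITERATIONS).hex(),
        "iterations": PBKDF2_ITERATIONS,
    }

def check_pbkdf2(store: dict, username: str, password: str) -> bool:
    record = store.get(username)
    if record is None:
        return False
    candidate = _derive(password, bytes.fromhex(record["salt"]), record["iterations"])
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))

# Helper that shows the salt's effect: do two users sharing a password get identical records?
def same_password_same_record(store_fn) -> bool:
    store: dict = {}
    store_fn(store, "alice", "correct horse battery")
    store_fn(store, "bob", "correct horse battery")
    return store["alice"] == store["bob"]

if __name__ == "__main__":
    users: dict = {}
    store_pbkdf2(users, "alice", "correct horse battery")
    print("correct password accepted:", check_pbkdf2(users, "alice", "correct horse battery"))
    print("wrong password rejected:", not check_pbkdf2(users, "alice", "wrong"))
    print("unsalted md5 repeats for equal passwords:", same_password_same_record(store_unsalted_md5))
    print("salted pbkdf2 repeats for equal passwords:", same_password_same_record(store_pbkdf2))
```

The point of the third pattern is not that the code is longer but that the decisions the text says developers skip (a per-user salt, a slow derivation, a constant-time comparison, and parameters stored so they can be upgraded) are all visible in one place; a library that hides these choices behind a single well-named call is what the usability research on cryptographic interfaces is asking for.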
From a security perspective, attention should also be paid to the fact that developers and users do not necessarily understand each other. Developers often fail to consider how significant usability is for the end user’s productivity or security. It has therefore been recommended that developers be given opportunities to try the end user’s tasks using the software being developed. In this way, they could concretely understand the impact of usability and security shortcomings, and this would be reflected in software development.