
Standards Spotlight

Views of Real-World Impact

ANSI shines a spotlight on Standards in action as they support safety, efficiency and well-being in interesting aspects of everyday life.


Be Cyber Smart: Avoid Six Common Pitfalls in Your Cybersecurity Strategy

3/27/2023

Cybersecurity awareness should be a top priority to avoid becoming a target for cybercriminals, but when it comes to cyber surveillance and protection, people are often the weakest link. New research from the National Institute of Standards and Technology (NIST) highlights six misconceptions that security specialists have about lay users of information technology, which can increase an organization’s risk of cybersecurity breaches.

The NIST findings, published in the paper “Users Are Not Stupid: Six Cyber Security Pitfalls Overturned,” are intended to help the security and user communities become allies in mitigating cyber risks. NIST computer scientist Julie Haney, author of the paper, explains: “We need an attitude shift in cybersecurity. We’re talking to users in a language they don’t really understand, burdening them and belittling them, but still expecting them to be stellar security practitioners. That approach doesn’t set them up for success. Instead of seeing people as obstructionists, we need to empower them and recognize them as partners in cybersecurity.”

Haney’s research addresses the issue of neglecting the human element, and details six pitfalls that security professionals fall into, with suggested solutions:

  • Assuming users are clueless. Haney notes that a potential solution involves building positive relationships with users while empowering them to be active, capable partners in cybersecurity.

  • Not tailoring communications to the audience. Using layperson terms instead of IT jargon and presenting messages in different formats may make a positive impact on a user audience and their willingness to participate.

  • Unintentionally creating insider threats due to poor usability. When piloting new security solutions, security professionals can test the approach first with a small group of users to reveal potential confusion.

  • Having too much security. Restricted access to websites and other essential tools can hinder productivity and cause delays in workloads, among other issues. NIST notes that creating a risk assessment using a risk management framework can help determine what level of cybersecurity best fits a given environment.

  • Depending on punitive measures or negative messaging to get users to comply. Instead of sending aggressive messaging for incomplete training or breaches, security professionals can opt for positive incentives for employees who respond to threats appropriately, and this strategy can improve attitudes toward security.

  • Not considering user-centered measures of effectiveness. To see if strategies are working, security teams can use surveys, focus groups, or other direct interactions with users to assess the root cause of problems and improve their solutions.

In addition to enhancing cyber strategies with NIST’s tips, organizations can rely on various standards developed by ANSI members to support cyber safety in various environments and sectors:

Recent revisions to information security, cybersecurity, and privacy protection standards include an update to an American National Standard (ANS) developed by the InterNational Committee for Information Technology Standards (INCITS). INCITS/ISO/IEC 27001, Information Security Management Systems – Requirements, specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of the organization. This document also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.

Another recent ANS revision, INCITS/ISO/IEC 27002, Information Security Controls, provides a reference set of generic information security controls including implementation guidance. The document was designed to be used by organizations a) within the context of an information security management system (ISMS) based on ISO/IEC 27001; b) for implementing information security controls based on internationally recognized best practices; and c) for developing organization-specific information security management guidelines.

An ANS published by CSA Group, CSA/ANSI T200-2022, Evaluation of software development and cybersecurity programs, supports effective executive business decisions that establish a comprehensive maturity model approach to cybersecurity. The standard describes a methodology for assessing the product software and cybersecurity control maturity of an organization. This ANS is applicable to all IoT and related products/solutions.

Assessing interconnected systems and their software vulnerabilities is critical in the healthcare realm. The UL Standards & Engagement standard UL 2900-1 Ed. 1-2017, Standard for Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements, covers evaluations and tests of network-connectable devices as they relate to vulnerabilities, malware, and software weaknesses.
