Cybersecurity awareness should be a top priority for any organization that wants to avoid becoming a target for cybercriminals, yet when it comes to monitoring and protecting systems, people are often described as the weakest link. New research from the National Institute of Standards and Technology (NIST) highlights six misconceptions that security specialists hold about lay users of information technology, misconceptions that can increase an organization’s risk of a cybersecurity breach.
The NIST findings, published in the paper “Users Are Not Stupid: Six Cyber Security Pitfalls Overturned,” are intended to help the security and user communities become allies in mitigating cyber risks. NIST computer scientist Julie Haney, author of the paper, explains: “We need an attitude shift in cybersecurity. We’re talking to users in a language they don’t really understand, burdening them and belittling them, but still expecting them to be stellar security practitioners. That approach doesn’t set them up for success. Instead of seeing people as obstructionists, we need to empower them and recognize them as partners in cybersecurity.”
Haney’s research addresses the neglect of the human element in security and details six pitfalls that security professionals fall into, each with suggested solutions:
In addition to enhancing their cyber strategies with NIST’s tips, organizations can draw on a range of standards developed by ANSI members to support cyber safety across different environments and sectors:
Recent revisions to information security, cybersecurity, and privacy protection standards include an update to an American National Standard (ANS) developed by the InterNational Committee for Information Technology Standards (INCITS). INCITS/ISO/IEC 27001, Information Security Management Systems – Requirements, specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of the organization. This document also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.
Another recent ANS revision, INCITS/ISO/IEC 27002, Information Security Controls, provides a reference set of generic information security controls together with implementation guidance. The document is designed to be used by organizations a) within the context of an information security management system (ISMS) based on ISO/IEC 27001; b) for implementing information security controls based on internationally recognized best practices; and c) for developing organization-specific information security management guidelines.
An ANS published by CSA Group, CSA/ANSI T200-2022, Evaluation of software development and cybersecurity programs, supports executive business decisions by establishing a comprehensive maturity-model approach to cybersecurity. The standard describes a methodology for assessing the maturity of an organization’s product software and cybersecurity controls. This ANS is applicable to all IoT and related products and solutions.
Assessing interconnected systems and their software vulnerabilities is especially critical in the healthcare realm. The UL Standards & Engagement standard UL 2900-1 Ed. 1-2017, Standard for Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements, covers the evaluation and testing of network-connectable devices for vulnerabilities, malware, and software weaknesses.