Chapter 12. Keep People at the Center of Your Work

Camille Stewart

People are at the center of information security challenges. I’m sure you’ve heard “people are the weakest link in security” multiple times. That thinking is counterproductive. Most cyberattacks rely on social engineering or exploiting human psychology to gain access to buildings, systems, or data. And one of the most important tools in preventing cyberattacks is encouraging user adoption of proper cyber hygiene and security tools. This makes clear that the actions of people are at the core of the challenges and the solutions, which is why understanding the user and meeting them where they are is foundational to better security outcomes. A traditional technology-centered approach limits you to making decisions based on the threat rather than also contemplating how behavior changes the attack and the response.

The central question no matter your role in information security is, “Why do people behave the way they do?” Identity, lived experience, culture, community, societal norms, and a number of other factors all play into how an individual or institution behaves, i.e., how they use technology, perceive risk, and adopt security and privacy mitigations. Technology is used within a society by people who introduce personal perspective and inevitably bias of all kinds into its creation, adoption, implementation, and ...

Get 97 Things Every Information Security Professional Should Know now with the O’Reilly learning platform.