Human Limitations

What constitutes a human limitation? A limitation is none other than a constraint in human cognition, attention, or memory that affects security decision making. It is one of many human factors.

⚠️ Constraints in human cognition & behavior

  • ➡️ Lack of Awareness: not all users understand cybersecurity risks or best practices.

  • ➡️ Trust: some users assume emails, websites, or requests are legitimate without verification first.

  • ➡️ Poor Risk Perception: underestimating the likelihood of an attack or the impact on the organization.

  • ➡️ Cognitive Overload: too many rules, alerts, or tasks at once often cause mistakes.

  • ➡️ Memory Limitations: users may forget passwords, updates, or security steps.

  • ‼️ Complacency ‼️: “It won’t happen to me/us.”


⚠️ Organizational & Cultural Limitations

  • 🧰 Weak Security Culture: this comes from the c-suite, stakeholders, and board members. If the culture is poor at the top of an organization, it trickles down from there to your employees. Cybersecurity is a shared responsibility and must have strategic governance.

  • 🧰 Lack of Accountability: what are the consequences for employees and/or vendors who engage in risky behavior?

  • 🧰 Poor Leadership: if the c-suite, stakeholders, and/or board members do not take secure behavior as a priority, do not expect employees to do the same. Employees model the culture from the top of an organization.


⚠️ Motivation & Attitude Issues

  • 💰 Convenience Over Security: allowing users to reuse passwords (choosing easy shortcuts).

  • 💰 Resistance to Change: if I had a dollar for every time I heard “but we have always done it that way,” I would be a billionaire and then some. Resistance to change shows up as avoiding new security tools or procedures.

  • 💰 Security Fatigue: feeling overwhelmed by constant security requirements.

  • 💰 Intentional Policy Violations: bypassing controls to meet deadlines. This is not only employees, but management too. This is why policy must be governed at the top of the organization: not by management itself, but by the c-suite, board of directors, and/or stakeholders of an organization.


⚠️ Communication & Process Failures

When in doubt, communicate with everyone in the organization. Do not fear or hesitate to reach out to your c-suite, stakeholders, and/or board members. This is not common practice for many organizations, and most employees will not go this route. However, if a manager is hesitant to report mistakes due to fear of blame, the consequences will impact the organization through delayed responses.

  • 🚨 Unclear Incident Reporting: users do not know how or when to report issues.

  • 🚨 Delayed Response: hesitation to report mistakes due to fear of blame.

  • 🚨 Poor Onboarding/Off-boarding: security steps missed during role changes.

Do any of these limitations look familiar in your organization? How can you improve your cybersecurity posture to reduce the impact of human limitations? Remember, effective cybersecurity requires user-centered design, continuous education, leadership support, and realistic security policies!

Check for guidance in June’s newsletter.
