In a wide-ranging speech for the Confederation of British Industry last week, National Cyber Security Centre chief executive Ciaran Martin credited work done by RISCS for several significant aspects of the NCSC’s current thinking.
First and foremost among these is the importance of human factors in designing security policies and controls: “Every solution must survive contact with the user,” Martin said. Users need to be able to do their work effectively while understanding how to do it safely; and leaders at all levels should check that they themselves could follow the security policies their staff are required to follow. Martin called the idea that human beings are the weakest link in cyber security “nonsense”, and said, “It’s a bit like saying the weakest link in a sports team is all the players”.
Among the research Martin cites is From Weakest Link to Security Hero: Transforming Staff Security Behavior (PDF), by Shari Lawrence Pfleeger, Angela Sasse, and Adrian Furnham, which suggests how findings from social psychology about moral values and habit formation can be applied to transforming staff security behaviour. Crucial to this effort, Martin noted, is fitting the task to the people required to accomplish it.
As a result of RISCS work, NCSC changed its password guidance; more recently, recognising the error of its 2003 standard, the US National Institute for Standards and Technology has followed suit.
All of this is now part of the NCSC’s People: the Strongest Link campaign.