“Ultimately, I think empathy is the cornerstone of design,”
Ilse Crawford, studioilse
The security challenges of complexity, alert fatigue, knowledge gaps, resource scarcity, and staff burn-out aren’t new. When you consider them alongside the staggering investments that we’ve made in security, it doesn’t seem right. Check the record and you’ll see that over the past 8 years ( 2011-2019 ) spending on cybersecurity has more than doubled, but in that time the FBI reports that damage from cybercrime has increased by more than six times.
This imbalance and the appearance of utter futility starts with a lack of empathy.
Empathy over Technology
Prolific security sage Chris Roberts recently opined that “Cyber cannot fix the humans,” capturing the issue in a nutshell. We see that 25 years ago, new technologies delivered the Internet and, with it, a new and open way to interact with others. We thought that other new technologies would provide us with the tools to protect ourselves. We didn’t understand that the vulnerabilities and risk from the Internet would be caused by the ways that we wanted to share, not by the technologies that we deployed. Humans, not our technology, created the modern interconnected environment that makes us so open to attack.
As a result, while every year sees more companies creating more products to address more threats, it’s never enough. Improved security can’t come from the deployment of more technology, training, or people.
Progress can only come with empathy for the humans who continue to make decisions that jeopardize their companies and careers.
[Related Reading: Why Humans Are the Weakest Link in Cybersecurity]
Three Steps to Empathy
The path to empathy is much less traveled in security than in other markets. In retail, media, or manufacturing, new investments follow an understanding of specific customer motivations. How much can they afford to spend? What do they want to watch? What new feature are they excited about? These businesses start by understanding their customers. In contrast, security vendors start with the external factors—the threats—believing that everybody has the same priority; to protect themselves. Not true.
Users click on things, vulnerabilities go unpatched, and weak passwords predominate. Empathy forces us to acknowledge that clicking, patch latency, and passwords of “123456” exist for a reason. It may seem like heresy to suggest that there isn’t universal acceptance of the need for better email hygiene, prompt patching, or MFA, but that is only because we don’t understand the countervailing priorities. Here’s a way to look for them:
1. Document what people do instead of what they should be doing
Be as specific as you can on their actions but stay broad on the areas. Insecure behaviors are seldom specific to a single activity and understanding a wider set of bad habits can help you to understand the underlying causes.
2. Understand the context for their decision
Look for functions that are most often performed or implemented in an insecure way. This can point to a lack of security understanding. Look for shortcuts that are consistently taken that can point to time pressure or unmanageable complexity.
3. Set aside your bias for security
Security people understand the need for security, and this makes it natural to assume that users are making some kind of conscious trade-off when they decide to behave insecurely. It’s just not true. The prevalence, seriousness, or even existence, of a major potential impact is lost on many or most. Empathy helps to partition problems into categories of root causes.
Impactful Empathy
The greatest gap in cybersecurity isn’t technology, or even headcount. Whether you are a vendor, consultant, or overtaxed internal resource, this empathy is going to meaningfully change your planning. User awareness training will be helpful, but probably not enough if your team is forced to regularly authenticate to multiple systems, or to act on frequent incoming messages from customers or partners. Adding more features to an existing security product is unlikely to move the needle when a majority of security products, and security product features, are never accessed by buyers.
Our industry continues to try to shame people and organizations into behaving differently. We use loaded words like relative, maturity, and best practices, to draw a line of reasonableness, even though the underlying environments can be as different as surviving in the Arctic versus surviving in the Sahara. Shame is a terrible motivator, and it has historically driven surrender, concealment, and denial.
Empathy drives aspiration. By understanding our audiences and our customers, we better understand how to inspire and enable them.
