Mitigating the Human Factor in Cybersecurity
Kirk J. Turner
Department of Cybersecurity, Old Dominion University
CYSE 200T: Cybersecurity, Technology, and Society
Professor Lida Hagh
November 8, 2024
The Role of CISO
A chief information security officer (CISO) is tasked with incorporating security technologies, creating safety programs, and managing risk in order to protect the data an organization stores. The role of CISO is becoming more firmly established in most companies as cyber threats become increasingly mainstream (Watts). Because the CISO is responsible for building an effective security infrastructure within the business, the duty of allocating funds to particular areas of security also falls on them. As the CISO, I would have trouble deciding whether to invest more funds in employee training or in additional cybersecurity technology. I would aim to keep these two investments as even as possible, since both are extremely important to an organization; however, I feel that I would allocate somewhat more money toward training.
Outcomes of Increased Cybersecurity Technology
Incorporating stronger cybersecurity technology into a business should be a goal of every CISO, as it further strengthens the defense of confidential information. It is therefore important, as a CISO, to conduct regular cybersecurity risk assessments to identify the aspects of digital security in which the business is lacking. A strong cybersecurity department helps raise efficiency and productivity, as systems are protected from viruses and other cyber incidents. Furthermore, a strong and secure network builds trust among employees and customers because they grow more confident that their data is protected (Washington State University). Along with incorporating cybersecurity technology into a company, it is also vital to ensure that all hardware and software systems are kept up to date so that they function properly and cannot be exploited by an outside threat.
Outcomes of Increased Training Programs
In the cybersecurity field, there is something known as the human factor. This refers to the human element that works alongside and controls the technologies within a cybersecurity department. Humans are prone to making mistakes in everything they do, and a cybersecurity-related error can often be fatal for an organization. Such errors can result in confidential data breaches, financial loss, and a besmirched company name (Hamayun). On the bright side, routine employee training is a good method of mitigating the human factor in cybersecurity. Having employees participate in at least monthly training to refresh them on healthy cyber practices is something every business should incorporate nowadays. Additionally, one exercise a CISO could conduct to test employees is sending out simulated phishing or scam emails; employees who fail this test would be subject to additional training exercises or harsher penalties. To lower the risks associated with human error, frequent training should be a key aspect of any cybersecurity-related occupation.
Allocation of Limited Funds
In my role as CISO, safeguarding my company's networks and information assets is my top priority. Therefore, analyzing and weighing the different aspects of cybersecurity technology and employee training is important for deciding what is better for my organization to invest in. While both could be considered cornerstones of the cybersecurity field, I would argue that routine training provides stronger defenses for a company's data. As I previously mentioned, the human factor in cybersecurity can be a major threat in every organization, so I find it more critical to ensure that all employees are aware of the proper practices and procedures that come with working in cyberspace. By keeping my employees up to date on the right practices to use in the cybersecurity field, I am mitigating many unforeseen risks that result from the human element working with technology.
In conclusion, both increased cybersecurity technology and employee training produce positive outcomes for a business, yet I believe more funds should be allocated toward employee training rather than additional technology. Increased cybersecurity technology can allow a security team to address cyber incidents more quickly; however, if even one employee does not follow proper security measures, all of the advanced cybersecurity technologies could be bypassed or corrupted by a threat actor. The human factor is a real risk that every organization faces, which is why I believe mitigation efforts such as frequent and thorough employee training are among the most vital things a company's CISO should invest in.
References
Hamayun, M. (2023, November 20). The human factor of cyber security. Check Point Blog. https://blog.checkpoint.com/security/the-human-factor-of-cyber-security/
Washington State University. (2024, October 1). Strengthen your cyber defenses: Cybersecurity Awareness Month. https://hrs.wsu.edu/strengthen-your-cyber-defenses-cybersecurity-awareness-month/
Watts, S. (2024, July 24). The CISO role: What does a chief information security officer do? Splunk. https://www.splunk.com/en_us/blog/learn/chief-information-security-officer-ciso-role.html