## 1: assuming users are stupid

- they're not
- stop being a dick about it
- think about how we can empower users
- try to understand the root cause of why people are struggling before thinking about how to support them better
- practice empathy
- practice is a good word. It takes effort and will

## 2: Not tailoring communications to the audience

- your 'everyday professional language' is everyone else's 'incomprehensible jargon'
- be aware of that context, and particularly your audience's capabilities
- do the hard work to make it simple: translating what you're saying into simple, clear language is more work and also completely worth it

![[Pasted image 20240831115508.png]]

- start with user needs
- use a variety of formats (although [learning styles is a somewhat rejected hypothesis](https://www.swansea.ac.uk/press-office/news-events/news/2021/01/new-review-says-ineffective-learning-styles-theory-persists-in-education-around-the-world-.php))
- reach out for support from people who do this for a living

## 3: Creating [[insider|insider threats]] because your security is not usable

- lol
- if you implement auto-locking screens after n minutes, users will probably come up with ways to prevent that happening, particularly if they're at their desk and they know - better than you - that there's little risk being introduced
- so carry out actual user research!
- the lower the maturity and ability, the clearer the instructions have to be
- remove burden where possible: stop asking users to do more, and think about where it can be automated

## 4: There is just Too Much security

- every rule has to interact with the existing system and may interact with one, many, or all existing rules
- this is a recipe for complexity
- complex systems do not react in the way you expect
- people are part of this system, making the whole thing _even more_ complex
- one size does not fit all, and a risk-based approach is probably more sensible
- make sure your tools are interoperable
- they should have clearly documented APIs, and you should have someone on your team who can at least write Python scripts to glue it all together
- consider carefully how every new rule will impact the system
- I don't actually agree with this, because I think the consequences are too complex to figure out

## 5: it's not all about the punishment

- yeah, I said what I said

>[!quote] \[...] cybersecurity professionals may hold unrealistic expectations that users will _always_ make good decisions and then punish them when they do not

- collaboration will get you further
- honey catches more flies than vinegar

## 6: not using user-centric measures of effectiveness

- 'users completing security training' is not a measure of effectiveness
- so figure out what the actual measure is, measure it, and go straight to the source to find out what the issue is