FEATURE

The Human Factor in Information Security
The Weakest Link or the Most Fatigued?

Jeimy J. Cano M., Ph.D, Ed.D., CFE, CICA
Is an academic and international consultant. He has more than 22 years of experience as an executive, academic and professional in the areas of information security, cybersecurity, digital forensics, digital crime, critical infrastructures and IT auditing.

Humans represent a mystery to be deciphered by security/cybersecurity experts because their behaviors, attitudes, beliefs, rituals and decisions (the general characteristics that define a culture) constitute a little-understood universe for executives and their heads of security. Frequently cited in various international research projects and reports is the fact that people are the weakest links in the security chain.1 Time and again, it is determined that, despite all the technical efforts and security procedures, people are highly likely to expose organizations to vulnerabilities.2

The literature available to date on the human factor in security/cybersecurity often refers to raising awareness, training and education—all subjects associated with the “education” of individuals in an effort to protect information. The hope and assumption are that people will comply with the expectations of the organization with respect to the information assets to which they have access.3

Similarly, studies confirm that despite the education provided and the sanctions established for behaviors that violate the security procedures and processes designed to safeguard information, the vulnerabilities exacerbated by people still materialize, either due to error, omission or deliberate actions that compromise an organization’s sensitive information.4

The inevitability of failure as a natural phenomenon in any human pursuit becomes the context that security and control practices must accept, yet without resigning themselves to it as a fait accompli. Security practitioners know that despite their best efforts, risk scenarios such as unauthorized access, data leaks, unreported change to a text, human error or omissions, among others, will materialize, and that understanding by its nature reveals a schism in business practice where what people actually do is far different from what the organization intends for them to do.5

This implies that organizations should be prepared to understand and comprehend, on one hand, the different meanings that coexist in regard to data protection practices on the basis of their everyday experience and, on the other hand, the levels of resistance and resilience of individuals confronted with the challenge of security/cybersecurity in an increasingly hyper-connected world.

Consequently, the aim herein is to contextualize the present-day challenges inherent in the security/cybersecurity education of humans in organizations. Thus, it is necessary to go beyond the weakest-link-in-the-chain discourse and move into the “reliable and resistant factor of the system” discourse, which eclipses the viewpoints and limitations of individuals through its recognition that people’s behaviors comprise a network of meaning that is fed as much by correct decisions as by lessons learned, forming part of an ongoing process of learning/unlearning about the inevitability of failure.

© 2019 ISACA. All rights reserved. www.isaca.org ISACA JOURNAL VOL 5 1


Distribution of Investment in Security/Cybersecurity

Recent reports tell us that investments in security/cybersecurity generally have to do with purchasing and reinforcing infrastructure through new technologies that fine-tune the available capacities of the organization to identify, contain and repel possible attacks or threats designed to compromise information assets.

This reality has not varied substantially since a 2005 study that indicated that the greatest amount of investment in data security was concentrated in perimeter defense infrastructure, while the smallest amount was in data treatment.6 Subsequent studies based on this 2005 study and using its results show that as investment in the technological periphery grows, vulnerabilities in the area of data treatment are accentuated (figure 1).7, 8 This creates a paradox about where to prioritize and focus efforts to maintain levels of data security within enterprises.

Figure 1—Comparison of Investment and Vulnerabilities in Data Security
[Figure: the layers PERIMETER, NETWORKS, APPLICATIONS and DATA, with two series, Investment (Infosec) and Vulnerabilities (Infosec), compared across them.]

In the current context, in which the perimeter is becoming ever more permeable and the digital density around physical objects is growing in unexpected ways,9 it is necessary to rethink the fundamentals of investment in security and control. It is no longer control of access that makes the difference but rather control of use, meaning that people are all-important as the determining factor in improving the treatment of information via trustworthy and ethical criteria according to their context and the realities of the organization.

In this regard, the education required at present for individuals, rather than exercises or presentations on the procedures necessary for the protection of information (although necessary to learn about and understand the reason for their existence) or playful performances or award ceremonies for exemplary behavior, should teach employees to understand their environment and how their actions may affect both their personal reality and that of the organization. That is, individuals must personally assume responsibility for the risk to which the organization’s digital assets are exposed and how their behavior makes a difference in the creation of the perception of reliability and trust, with the former based on the reality of vulnerability.

Data Security Education: A Challenge of the Appropriation of Difference

Research and practice in general insist that people are the most important element in data security, but this is paradoxically the area with the lowest amount of organizational investment in terms of security/cybersecurity. One possible explanation for this tendency lies in the technical and operational priorities of organizations with regard to maintaining current infrastructure, renewing licenses and updating technical tools, all of which occupy much of the attention of heads of security and engender the ideal of trustworthiness that executives have of security and control.

In this counterintuitive scenario, a series of everyday practices is implemented at organizations with the hope that individuals will acquire a set of behaviors that corresponds to the expectations the organization has around safeguarding its digital assets.

The first practice is training. Training is a meeting called to provide information on the organization’s processes and practices concerning data protection. The guidance received should tell people what the relationship is, how to handle the information the organization possesses and what is expected of them in terms of the level of access they have, with the attendant consequences of any acts that go against specific instructions. These types of activities are generally offered to employees as part of the onboarding processes when they are hired by organizations and are followed up by periodic actions to remind them to bear this in mind in their day-to-day practice.10

The second practice is frequently referred to as raising awareness. This type of activity seeks to use concrete actions and experiences to train people in the procedures and access controls in such a way that they can develop practical skills and knowledge of how such controls make the idea of control a reality. These types of exercises are done directly in the work area to contextualize control actions in people’s everyday tasks and to recognize how it is possible to ensure that the specific business processes around the handling of data are adhered to by everyone.11

The third practice is not often mentioned and deals with something more interior to people: appropriation.12 This practice does not seek to inform or train the employee, but rather to construct a transcendent meaning and mission for the protection of information. The construction of a series of learnings and unlearnings makes it possible to act according to ethical, responsible principles that go beyond control of access (an exterior measure) to factor in control of use (an interior measure). This type of approach seeks to connect individuals with their responsibility for the results of their decisions and actions in relation to data security; that is, the recognition and acquisition of a personal differentiation of why and to what end employees should protect the organization’s digital information.

Of the three practices mentioned, the first two have been used (and continue to be used in organizations) to try to change people’s behavior and train them to conform to the expected treatment of information. In these endeavors, individuals experience security fatigue, a weariness of the insistence on the subject, generally embodied by a sense of resignation, loss of control, minimization of risk and evasion of decision-making.13 These, as manifested in the domain of material resistance,14 are demonstrated by:

• The presence of internal irregularities or discontinuities (i.e., regulatory changes, administrative changes, staff movement, bad business results)

• Irregularities originating in the practice of the business itself (i.e., updating of responsibilities, changes in the way tasks are done, adjustments due to the incorporation of information systems and technologies, cases of corruption)

• Changes in business geometry (in the model of value creation) and the operational environment or emerging threats

These can lead to individuals’ rejection of security and control questions, which are generally based on specific terms of practice associated with international standards rather than the language of business, thus creating a greater distance between business areas and security professionals.

Figure 2 shows that despite an insistence on coexistence and practice as a basic exercise in security/cybersecurity education, a new distinction cannot be made that makes sense to people involved in data protection. People create distinctions that they adopt as their own and which go beyond their prior knowledge both when efforts are concentrated on the creation of meaning based on their learning or unlearning and when it is possible to surprise them and suspend the exercise of reality15 in relation to security matters.

One book posits a process of investigation that aims at “action to improve” through social learning.16 That is, understanding the problematic situation of security challenges, remembering actions previously carried out, designing new intentional activities based on a model of understanding current reality, using the proposed model to ask questions of and challenge the reality and, ultimately, obtaining different answers with two features:

• Desirable, based on the model constructed

• Feasible, which is associated with the history, culture and personal dynamics of the persons taking part

Figure 2—Security/Cybersecurity “Education” in Organizations
[Figure: three levels of security/cybersecurity education: Being (Appropriation/learning/sense), Doing (Awareness raising/training/practice) and Coexisting (Fulfilling tasks/training/acting).]

In this way, when a space for learning and discovering data security is created—not to follow an established script, but rather to understand the “why” of things—a learning window is created where mistakes are not something to be punished.17 Instead, they represent an opportunity to consolidate a lesson learned or, better yet, to express freely, openly and authentically those blind spots that the organization is unaware of due to the very nature of its dynamics.

Molding Human Behavior in Security/Cybersecurity

Strengthening people’s education in security/cybersecurity inside organizations represents an important step in consolidating a concrete distinction in the protection of data assets. It also creates a scenario for the emergence of that which the organization requires and desires in order to tackle the challenges of reliability and trust that customers demand in an ever more hyper-connected environment.

Recent research has established that at least five elements (figure 3) are required to mold people’s behavior in relation to security and control:18

• Preparation

• Responsibility

• Management

• Social elements

• Regulation (this last element is not included in the original model)

In this context, the term “mold” should be understood as configuring a personal vision of the assets in a systematic way so that the elements of coexisting, doing and being are composed around an overarching mission that the organization has managed to connect to each of the participants in a transparent, authentic way.

Preparation implies developing competency in the secure management of information,19 which makes it possible to establish levels of perfection and mastery in the protection of data. It also guides people toward an understanding of practices and how to implement them consistently in the real world of business and to recognize their autonomous, concrete responsibilities, knowing that both the organization and they themselves can have a psychologically safe environment in which to act when things do not work out as planned.


Figure 3—Aspects That Shape Information Security Behavior
[Figure: the five aspects that mold behavior, each directed at the organization’s information assets.]

Aspect that molds behavior   Expressed through
Preparation                  Sensitization, competencies and training
Responsibility               Follow-up, monitoring and control
Management                   Policies, practices and procedures
Social elements              Beliefs, customs and habits
Regulation                   Internal, national and international

Individual responsibility based on the personal distinctions constructed by each participant must be assisted by the recommended practice of the standards for follow-up, monitoring and alerting in such a way that both the execution of the activities in the processes and the decisions that people make occur within a framework of verification. This framework is designed not to assign blame, but rather to limit the effects on customers, which can then be translated into lessons learned and potential new scenarios of possible fatigue of the current security distinction.

Management is the practice of seeking to increase the certainty and repeatability of the organization’s security and control activities. It is the traditional exercise relating to the quality cycle—planning, doing, verifying and acting—that seeks to homogenize the organization’s intended effects in order to avoid surprises. Although these are activities that constitute the minimum requirement for greater trust, they do not solve the equation of the inevitability of failure. In short, it is the least that can be done.

Social elements have to do with each individual’s reality. Recognizing people’s beliefs, customs, rituals and habits with regard to the treatment of data represents a valuable resource for fine-tuning and strengthening the competencies required for data protection. To understand the social fabric in which people’s behaviors manifest themselves is to discover the fine lines of the imaginaries that individuals create and end up acting on in diverse situations.

Regulation is the normative element: the demand of third parties to ensure the compliance function. People in charge of compliance at organizations are responsible for, among other things, developing the culture, anticipating risk, ensuring operation and consultation, and implementing best practices. These activities are designed to observe the guidelines laid down by supervisors in different sectors to enable the organization to project an image of imperfect trustworthiness20 that tells its different interest groups it is capable of taking on the responsibility of protecting its information assets and the interest groups themselves.

These five components act in harmony and are based on three evolutionary cycles:

• Regulation—Which safeguards today

• Adaptation—Which focuses on tomorrow and renews the present21

• Memory and learning—Which challenges previous knowledge, compares present results and establishes the basis for the formulation of a change in people’s behavior


This means overcoming an individual vision of a person’s actions to establish a system of relationships constructed according to an individual’s view of a community, where one’s responsibilities are governed according to an understanding and recognition of others’ vulnerabilities.22

Conclusion

Analyzing the human factor in data security is not a task that involves the disciplined viewpoint of a profession or a particular reading of a presently available standard. It is instead an exercise that demands moving beyond a mechanistic, limited vision and attempting to configure a homogeneous understanding of people organized around basic norms who say and know how security and control are done.

Finding new answers to the challenge of data security behaviors demands moving beyond what is currently known about raising awareness and compliance, two distinctions that have imposed themselves on security discourse, which frequently ends up exhausting people’s practices and causing discomfort to collaborators across areas with its talk of risk and the threat of undesired events.

Strengthening people’s practices and behaviors means recognizing where vulnerabilities occur and what the most critical attack vectors are, and developing safe data management practices that connect with people’s realities and with the essence and sense of protection of an organization’s information assets. It is an effort that seeks to understand the inevitability of failure as a reality and to take advantage of each of the lessons learned in order to reinvent the distinctions of information security that people make and motivate them to look beyond current procedures and standards.

Transforming people’s behavior toward data security depends on connecting three evolutionary cycles that make the present function in accordance with established practice; make the future an exercise in construction and collective practice that visualizes challenging, potential and plausible scenarios that prepare the organization for emerging threats and risk; and make learning (or unlearning) the very essence of the way in which reality is dismantled to disconnect what now exists, to incorporate the novelty of what is coming and to reconnect the dots in ways that are completely diverse and novel.

Consequently, the human factor in security/cybersecurity must cease to be dead emotional weight that security and control executives carry but do not know what to do with, instead becoming strategic leverage in their programs for the protection of digital and informational assets that are in a constant process of development. Thus, the human factor becomes a “reliable and resistant factor” in the organization’s security/cybersecurity system, something that demands an emerging vision by security/cybersecurity professionals of themselves as new educators who, paraphrasing John Ruskin, say, “Do not teach something to someone who doesn’t know, but rather transform them into something that didn’t exist.”23

Endnotes

1 “Chain” is defined here as the sequence of connected links that enables a system to function. Its strength is defined in terms of the connection that is least strong.
2 Dreyer, P.; T. Jones; K. Klima; J. Oberholtzer; A. Strong; J. Welburn; Z. Winkelman; “Estimating the Global Cost of Cyber Risk: Methodology and Examples,” Rand Corporation, 2018, https://www.rand.org/pubs/research_reports/RR2299.html
3 Alhogail, A.; A. Mirza; “Information Security Culture: A Definition and a Literature Review,” World Congress on Computer Applications and Information Systems, Hammamet, Tunisia, 17–19 January 2014


4 Bada, M.; M. A. Sasse; J. R. C. Nurse; “Cyber Security Awareness Campaigns: Why Do They Fail to Change Behaviour?” International Conference on Cyber Security for Sustainable Society, 2015, https://arxiv.org/abs/1901.02672
5 Fuenmayor, R.; H. López-Garay; “The Scene for Interpretive Systemology,” Systems Practice, vol. 4, iss. 5, 1991, https://doi.org/10.1007/BF01104459
6 Kuper, P.; “The State of Security,” IEEE Security & Privacy, September/October 2015, https://doi.org/10.1109/MSP.2005.134
7 Cano, J.; “Administrando la Inseguridad Informática,” Revista Hakin 9, vol. 23, iss. 4, 2007, https://es.slideshare.net/heynan/hakin9-inseguridad
8 Kuper, P.; “The State of Security,” IEEE Security & Privacy, vol. 3, iss. 5, September-October 2005, p. 51-53
9 Sieber, S.; J. Zamora; “The Cybersecurity Challenge in a High Digital Density World,” European Business Review, 18 November 2018, https://www.europeanbusinessreview.com/the-cybersecurity-challenge-in-a-high-digital-density-world/
10 Wilson, M.; J. Hash; Building an Information Technology Security Awareness and Training Program, National Institute of Standards and Technology Special Publication (SP) 800-50, USA, 2003, https://csrc.nist.gov/publications/detail/sp/800-50/final
11 Ibid.
12 Alnatheer, M.; Understanding and Measuring Information Security Culture in Developing Countries: Case of Saudi Arabia, Queensland University of Technology, Australia, 2012, https://eprints.qut.edu.au/64070/
13 Stanton, B.; M. F. Theofanos; S. S. Prettyman; S. Furman; “Security Fatigue,” IT Professional, vol. 18, iss. 5, 2016, http://doi.org/10.1109/mitp.2016.84
14 Ingemecanica, “Mechanical Resistance to Fatigue: Tutorial No. 217,” https://ingemecanica.com/tutorialsemanal/tutorialn217.html
15 Reyes, A.; R. Zarama; “The Process of Embodying: A Re-Construction of the Process of Learning,” Cybernetics & Human Knowing, vol. 5, iss. 3, 1998, https://www.researchgate.net/publication/233613109_The_process_of_embodying_distinctions_a_re-construction_of_the_process_of_learning
16 Checkland, P.; J. Poulter; Learning for Action: A Short Definitive Account of Soft Systems Methodology and Its Use for Practitioners, Teachers, and Students, John Wiley & Sons, England, 2006
17 Schoemaker, P.; Brilliant Mistakes: Finding Success on the Far Side of Failure, Wharton Digital Press, USA, 2011
18 Ahmad, Z.; T. Ong; T. Liew; M. Norhashim; “Security Monitoring and Information Security Assurance Behaviour Among Employees: An Empirical Analysis,” Information & Computer Security, 12 June 2019, https://doi.org/10.1108/ICS-10-2017-0073
19 Cano, J.; “Gestión Segura de la Información: Competencia Genérica Clave en una Sociedad de la Información y el Conocimiento,” Memorias Congreso Internacional de Educación, Tecnología y Ciencia, CIETyC, vol. 3, iss. 1, 2015, https://www.researchgate.net/publication/334602391_Gestion_segura_de_la_informacion_Competencia_generica_clave_en_una_sociedad_de_la_informacion_y_el_conocimiento
20 Cano, J.; “Riesgo y Seguridad: Un Continuo de Confianza Imperfecta,” Actas IX Congreso Iberoamericano de Seguridad de la Información, Universidad de Buenos Aires, Spain, 2017, https://www.researchgate.net/publication/321197873_Riesgo_y_seguridad_Un_continuo_de_confianza_imperfecta
21 Espejo, R.; A. Reyes; Sistemas Organizacionales: El Manejo de la Complejidad con Modelo del Sistema Viable, Ediciones Uniandes—Universidad de Ibagué, Colombia, 2016
22 Brown, B.; El Poder de Ser Vulnerable: ¿Qué Te Atreverías a Hacer Si el Miedo No Te Paralizara? Ediciones Urano, Spain, 2016
23 Ruskin, J.; “Quotable Quote,” Goodreads, https://www.goodreads.com/quotes/287586-education-does-not-mean-teaching-people-what-they-do-not
