1. Conduct stakeholder analysis
CISOs should first ask themselves why users are not behaving securely. A variety of factors play a role here: for example, users may not be aware of the threat, may not see the benefits of secure behavior, or may perceive security measures as hindering their work. There may also be a conflict with the users' own goals, or they may be under time pressure. Often the resources are simply lacking (for example, regulations require secure data exchange with suppliers and customers, but employees are not provided with a platform for such exchange), or there may be a lack of role models in the environment.
Before implementing security measures, it is important to identify and balance conflicting goals and priorities among the various stakeholder groups (IT department, technical departments, management, administration, production staff). This can be done, for example, through stakeholder analysis, a method from business informatics used to ascertain the preferences of all stakeholders involved. The more security managers know about the realities of work and the goals of the different departments, the better they can tailor security measures accordingly, leading to greater acceptance and ultimately to successful implementation.
2. Design security guidelines with the user in mind
Insecure behavior is often blamed on users, when the problem frequently lies in the measure itself. IT security research tends to focus on individual user behavior, for example on whether secure behavior depends on personality traits. The question of how well security measures actually fit the reality of work, that is, how likely they are to be accepted in everyday practice, is neglected.

