Why is the security industry so full of fail? We spend millions of dollars on firewalls, IPS, IDS, DLP, professional penetration tests and assessments, and vulnerability and compliance tools, and at the end of the day, the weakest link is the user and his or her inability to make the right choices. It's enough to make a security engineer cry.
The one thing you can depend upon in an enterprise is that many of your users, even with training, will still make the wrong choices. They will violate BYOD restrictions, click on links they shouldn't, respond to phishing scams, open documents without thinking, post too much information on Twitter and Facebook, use their pets' names as passwords, etc. But what if this isn't because users hate us or are too stupid? What if all our ignored policies and procedures regarding the best security practices have more to do with our failure to understand modern neuroscience and the human mind's resistance to change?
Humans are wired to be emotional beings. Emotions influence most of our decisions, good and bad. If we fail to understand how this is at the root of user non-compliance, then no matter how much money we spend on expensive hardware and software, we will fail to achieve the goal of good organizational security.