Human-centred security: a paradigm shift towards greater IT security

According to PwC, 89 per cent of German companies have been affected by cyberattacks over the past three years, despite the fact that investment in IT security is on the rise in this country. Why aren’t these efforts paying off? One key reason is that traditional security strategies neglect human-computer interaction. Human-centred security addresses precisely this issue and puts people at the heart of the process.

Mistakes happen because systems encourage them

CIOs and CISOs are transitioning to zero-trust architectures and introducing new encryption technologies and AI-powered tools. When security incidents do occur, the blame is often hastily placed on the user. Security awareness training is mandated and sanctions imposed. Yet the fault often lies with the system itself: a poor user experience.

When security requirements trigger endless clicking marathons and disrupt value-adding workflows, it is no wonder that employees develop workarounds. This cannot be resolved with more training either. What is more effective against the rising number of successful attacks? At Comma Soft, we are convinced that IT systems designed to make secure behaviour the path of least resistance are the answer. This is precisely the aim of human-centred security.

What is human-centred security?

Human-centred security (HCS) is an approach that considers IT security from a human perspective. It scrutinises the design of digital solutions and processes – and adapts them to human psychology. An intuitive user experience minimises uncertainty, effort and overwhelm, and increases the effectiveness of security measures.

HCS is not an alternative to technical approaches such as Zero Trust, but rather a way of amplifying their impact: by making newly introduced control points – for example, for multi-factor authentication or access requests – user-friendly, companies minimise friction and thus the risk of workarounds. This also contributes significantly to compliance.

In addition to intuitive UX, however, HCS also involves a positive culture of error: only when employees do not have to fear losing face will they react quickly in the event of an incident, inform the relevant departments and not attempt to cover up their own mistakes. Security consequences are mitigated more effectively and insights can be incorporated into the continuous improvement of cybersecurity.

Does your cybersecurity strategy take the user experience into account?

Let’s discuss your security challenges and work together to build systems that people can get behind. Only then can new security technologies have the greatest possible impact.

“Anyone who wants to build resilient systems today must align technology, psychology and strategy.”

Pascal Mohr, Associate IT-Security Consultant

Practical examples: Achieving greater cyber security through the right system design

HCS calls for a rethink of cybersecurity strategy. The measures themselves need not be expensive or complex. In many cases, minor adjustments to security concepts are sufficient to significantly strengthen the security setup from a user experience perspective. Here are three examples from our consulting practice:

  • Passwords: Instead of relying on complicated passwords and annoying password update policies, companies can switch to Windows Hello, passkeys or shared single sign-on solutions such as Entra ID as part of a human-centred security approach. This not only eliminates the risk of password lists being left in plain sight and security-compromising policy workarounds, but also makes logging in much more convenient for employees.
  • Email security: Simply raising awareness of new phishing methods through theoretical training is no longer enough. The methods and attack vectors change far too quickly. It is more effective to configure email programmes so that suspicious messages are clearly flagged and can be reported quickly and easily with a single click. The key is that security alerts are displayed at the moment the decision is made.
  • Security updates: Users often delay security updates because they interrupt their workflow. An HCS-oriented architecture schedules updates based on usage, clearly communicates their duration and purpose, and minimises disruptions. This increases the patch rate without requiring additional monitoring effort and without hindering productivity.
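The third example, usage-aware update scheduling, is simple enough to show in code. The following is an added illustration, not code from Comma Soft or from any patch-management product; the usage profile, the function names and the quiet-hour threshold are all assumptions. It picks the quietest window within a deferral deadline, so that a user is rarely interrupted, but the deadline also guarantees the update is never postponed indefinitely (the plan is marked "forced" when no quiet slot exists), and it produces the plain-language notice of duration and purpose that the bullet calls for.

```python
from dataclasses import dataclass

# Constructed sample: average active minutes per hour of day for one workstation,
# as might be aggregated from recent session activity. Hypothetical data.
SAMPLE_USAGE = {h: 0 for h in range(24)}
SAMPLE_USAGE.update({8: 30, 9: 55, 10: 58, 11: 50, 12: 20, 13: 48,
                     14: 57, 15: 55, 16: 45, 17: 25, 18: 5})


@dataclass
class UpdatePlan:
    start_hour: int            # hour of day at which the update begins
    duration_hours: int        # expected length of the maintenance window
    expected_active_minutes: int  # usage we expect to collide with
    forced: bool               # True if no quiet slot existed before the deadline


def choose_update_window(usage, now_hour, duration_hours, max_defer_hours,
                         quiet_minutes_per_hour=10):
    """Choose the quietest window of `duration_hours` consecutive hours that
    starts within the next `max_defer_hours` hours (assumed deadline).

    `usage` maps hour-of-day (0-23) to average active minutes in that hour.
    If every candidate window is busier than the quiet threshold, the least
    busy one is still returned and flagged as forced: the deadline is the
    mechanism that keeps the patch rate high even for always-busy devices.
    """
    best_start, best_cost = None, None
    for offset in range(max_defer_hours + 1):
        start = (now_hour + offset) % 24
        cost = sum(usage.get((start + i) % 24, 0) for i in range(duration_hours))
        # Strict '<' keeps the earliest of equally quiet windows, so the
        # update is applied as soon as it can be done without disruption.
        if best_cost is None or cost < best_cost:
            best_start, best_cost = start, cost
    forced = best_cost > quiet_minutes_per_hour * duration_hours
    return UpdatePlan(best_start, duration_hours, best_cost, forced)


def describe_plan(plan, purpose):
    """Return the user-facing notice: when, how long, and why."""
    when = f"{plan.start_hour:02d}:00"
    length = "about 1 hour" if plan.duration_hours == 1 else f"about {plan.duration_hours} hours"
    note = f"A security update ({purpose}) is scheduled for {when} and takes {length}."
    if plan.forced:
        note += " No quiet period was found before the deadline, so it will run during working hours."
    return note


if __name__ == "__main__":
    plan = choose_update_window(SAMPLE_USAGE, now_hour=14, duration_hours=1, max_defer_hours=8)
    print(describe_plan(plan, "fixes a browser vulnerability"))
    rushed = choose_update_window(SAMPLE_USAGE, now_hour=14, duration_hours=1, max_defer_hours=2)
    print(describe_plan(rushed, "fixes a browser vulnerability"))
```

With the sample profile, an update requested at 14:00 with an eight-hour deadline lands at 19:00 when the device is idle; with only a two-hour deadline the scheduler still commits to a slot (16:00) but flags it as forced, which is the signal an administrator would want to see in reporting rather than silently missing the deadline.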

Three benefits of human-centred security

A shift towards a human-centred cybersecurity strategy is not just some feel-good measure plucked from a ‘New Work’ handbook. It is the logical consequence of the increasingly questionable track record of the traditional technology-driven defensive approach. Companies that switch to HCS benefit from:

1. Improved IT security

Simple processes, clear guidelines and user-friendly security mechanisms reduce the risk of human error without the need to set up additional, costly layers of control. Those who fail to take UX into account will quickly spend thousands of euros on innovative cybersecurity solutions without actually improving protection.

2. Higher employee satisfaction

Cumbersome security requirements create friction, frustration and resistance. HCS delivers intuitive solutions that integrate seamlessly into employees’ workflows. At the same time, this shift in attitude leads to greater acceptance of necessary security requirements, more personal responsibility and better collaboration with IT: “It’s not the users’ fault; the system is poorly designed.”

3. Stronger compliance

Regulations such as ISO 27001:2022 or NIS2 require effective security measures. Effectiveness only arises where requirements are understood and actually implemented. Human-centred security promotes secure behaviour and creates a culture in which incidents are reported at an early stage. It lowers the threshold for reporting suspected incidents and breaches, and makes IT security a constructive and collaborative topic. Better UX is therefore not merely a design issue, but a compliance factor.

Evidence-based transformation: how to achieve human-centred security

The rising costs of cyberattacks speak for themselves: successful IT security strategies must look beyond technology. At Comma Soft, we therefore take a holistic consulting approach that is centred on HCS-based approaches to IT security. We combine deep-tech expertise with organisational psychology measures.

  • Reducing technological friction: We start by analysing your security architecture for unnecessary complexity. Where is security holding the business back? Where is shadow IT emerging? We replace these obstacles with resilient, user-friendly technologies.
  • Initiating cultural change: We then establish processes based on trust. Employees move from being potential security risks to becoming the central line of defence.
  • Measuring results: We assess the new security measures in terms of their acceptance and actual use in day-to-day work. After all, cybersecurity is not a matter of gut feeling.