It’s practically a given in the information security world: Users are the weakest link. No matter the security measures an organization deploys, they can all be undone by employees who, knowingly or not, violate IT policies at their desks or while working from home or on mobile devices.

But one security researcher is questioning this assumption from a fresh angle, and in doing so, turning the attention back on the IT professionals up the chain. In her keynote remarks at the Infosecurity North America conference in Boston two weeks ago, Clemson University’s Dr. Kelly Caine argued that the cybersecurity conventional wisdom essentially has it backwards. Previewing her remarks to me, Caine said her key finding is that, “It’s actually executives, managers, system administrators, designers, and coders–rather than users–that are the weak links in information security.”

She buttresses her argument with experience from her role as director of the Humans and Technology Lab at Clemson University, where she leads research in human-centered computing, privacy, usable security, human factors, and human-computer interaction. One of those lessons is that usability is a necessity, and not a luxury or afterthought.

Another key lesson? That from the viewpoint of the end user, everything that IT managers and cyber pros do and say impacts the training and education of users in one way or another. “Every interaction trains users to behave securely or insecurely. There is no middle ground.”

It’s no surprise that employees who are poorly trained, or unsure of what’s expected of them, have been the source of cyber breaches–just look at recent ransomware attacks on healthcare systems and government offices. But are those user failings the cause of the damage done by hackers? According to Caine, they’re just as much the effect of leaders higher up who’ve failed to institute a security culture that takes into account the needs and habits of employees.

What executives and IT managers can do to improve cybersecurity

  • Get to know your users better. What are their good security habits and bad ones? How can you reward the good and reduce the bad?
  • Eliminate outdated or bad advice, such as “change your password often” and “use a mix of special characters in your passwords.” Better to choose a good passphrase, and keep it unless there’s evidence of a problem.
  • Clarify and simplify processes for users. If understanding a privacy statement, or verifying or authenticating a new device, is time-consuming or confusing, research shows users will find less secure ways to move on and get back to work.
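To make the second bullet concrete, here is an added example (not code from the article or from Caine’s lab) that places a legacy “complexity plus 90-day rotation” password policy beside a “long passphrase, not on a deny list, rotate only on evidence of compromise” policy. The deny list, the 15-character minimum, the 90-day window and the sample passwords are all constructed assumptions for illustration; a real deployment would check against a breached-password corpus.

```python
import re

# Constructed deny list standing in for a breached/common-password corpus (assumption).
DENY_LIST = {"password", "123456", "qwerty", "letmein", "welcome1", "iloveyou"}

# Folds common character substitutions so "P@ssw0rd" is recognised as "password".
_FOLD = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a", "!": "i"})


def legacy_check(pw: str) -> list[str]:
    """Legacy complexity rule: 8+ characters drawn from four character classes.
    Returns the list of rule violations (an empty list means the password is accepted)."""
    failures = []
    if len(pw) < 8:
        failures.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", pw):
        failures.append("no uppercase letter")
    if not re.search(r"[a-z]", pw):
        failures.append("no lowercase letter")
    if not re.search(r"[0-9]", pw):
        failures.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        failures.append("no special character")
    return failures


def passphrase_check(pw: str, min_len: int = 15) -> list[str]:
    """Length-and-deny-list rule: a long passphrase is accepted unless it is a
    known-bad password (before or after folding substitutions) or degenerate."""
    failures = []
    if len(pw) < min_len:
        failures.append(f"shorter than {min_len} characters")
    normalized = pw.lower().replace(" ", "")
    folded = normalized.translate(_FOLD)
    if normalized in DENY_LIST or folded in DENY_LIST:
        failures.append("matches a common/breached password")
    if len(set(pw)) < 4:
        failures.append("too few distinct characters")
    return failures


def needs_rotation(last_changed_days_ago: int, evidence_of_compromise: bool,
                   scheduled: bool) -> bool:
    """Calendar rotation (legacy, scheduled=True) forces a change every 90 days;
    evidence-based rotation (scheduled=False) changes the password only when
    there is a concrete indication it was exposed."""
    if scheduled:
        return last_changed_days_ago > 90
    return evidence_of_compromise


def compare(pw: str) -> dict:
    """Run both policies on one password so the difference is visible side by side."""
    return {"legacy": legacy_check(pw), "passphrase": passphrase_check(pw)}


if __name__ == "__main__":
    # Constructed sample passwords: a leet-speak dictionary word that satisfies the
    # legacy rule, a long passphrase that fails it, and a degenerate long string.
    for sample in ("P@ssw0rd", "correct horse battery staple", "aaaaaaaaaaaaaaaa"):
        print(repr(sample), compare(sample))
```

Running the block shows the inversion the bullet describes: “P@ssw0rd” clears every legacy complexity check yet folds straight onto a deny-listed word, while a four-word passphrase is rejected by the legacy rule for lacking an uppercase letter and a digit but passes the passphrase rule. The rotation helper isolates the other half of the advice: under the evidence-based policy a password that is 120 days old and uncompromised is left alone.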