The Primary Goal of Cybersecurity Is Security

There is a perception, particularly among cybersecurity professionals, that people desire cybersecurity for its own sake. Once users feel safe, they say, all will be well! We must keep working until the users and systems are secure. Or at least feel secure. This goal sounds correct to many people, but it is misguided.

In reality, cybersecurity is not the primary goal; the goal of cybersecurity is to maximize and support what the user is trying to accomplish. People and organizations have goals that can be enabled and protected by security, but the primary tasks matter most. Users want to buy things online and share photos with their friends. Hospitals want to treat medical issues. Gamers want to play games. Elves want to make cookies. The users’ primary goals are things like entertainment, healthcare, and sharing cat videos online. Security supports pursuing these goals by protecting the user and the activity against adversity and loss.

One reason that people ignore or circumvent their security is that it interferes with their primary goals. This is why people disable the antivirus software when the computer is running slowly and they simply want to play a game. When developers and engineers prioritize security at the expense of a primary goal, it often backfires and causes people to disable or work around that protection.

Consider automatic software updates. Because software is complex, created by fallible humans, and often built poorly, there is a need for continual bug fixes (and feature updates). At one time, users had to proactively check if updates were available and install them manually. Because that wasn’t a priority for most people, users did not check or install updates. Vendors, including Microsoft, Apple, and Google, determined that systems were safer when the software automatically installed updates without user intervention, and users were (mostly) absolved of the effort. That also had the unintended effect of making some users think all of their software was self-updating, so they stopped checking everything else—oops!

To avoid the myth that security is the primary goal, cybersecurity professionals must better understand their users and context. Observe them doing their primary tasks in their natural environment. Then, as you consider cybersecurity measures, carefully consider the impact on users. Will it disrupt them every time they log in or browse the web? Is the cost worth the pain or inconvenience? In 2019, researchers examined the relationship between data breach remediation and hospital care quality. Because cybersecurity is often increased after a data breach, was there an increase, they wondered, in the time from a patient arriving in the emergency department to receiving an electrocardiogram (EKG)? The data showed an increase of 0.5 to 2.7 additional minutes in the three years following the breach, suggesting that cybersecurity might have slowed the ability to access health records, and to order, review, and execute the EKG.[23] The longer the wait, the higher the mortality rate.

The takeaway is not to focus on maximizing security. We should focus on optimizing the protection of users’ primary goals with an appropriate amount of security.