1CYB1 Class Blog - University of Galway 2023-24

Cognitive load of Cybersecurity on users, and the need for built-in security.

In the current scenario, regular users of IT services are forced to take on the additional cognitive load of staying safe online.

Think regular users/customers of a bank - they now have to exercise an enormous amount of caution to not fall prey to smishing and all other sorts of '-shings'.

Think employees without a tech background. IT and IS systems are part of their daily workflow, but worrying about cybersecurity shouldn't ideally be.

In mature systems/technologies, cars for example, many safety concerns are absorbed and handled in the design and manufacturing itself. Sure, one still has to drive well to be safe, but think about the situation if you had to adjust brake bias between front and rear brakes based on the surface you are driving on. Or if you had to manually modify the hydraulic pressure of the clutch mechanism, or manually enable/disable ABS and airbags each time the car was restarted. Electrical appliances are another example: they are produced with a great degree of safety built in - particularly kitchen appliances, which have to deal with regular exposure to heat and liquids while still being simple enough to be considered consumer appliances. There are also legal regulations and quality standards that must be satisfied for an electrical/electronic appliance to even be allowed to be sold.

It becomes apparent that security cannot be an afterthought in the case of IT systems. Security awareness training is a critical, efficient and frankly more immediate approach towards improving cybersecurity, along with fixing bad processes. But for a more fundamental solution to the problems of cybersecurity, security has to be built into the systems themselves.

As much as possible, security concerns should be abstracted away from the end user and absorbed instead into the system design and engineering processes.

We don't want a situation where the productivity of professionals is lost worrying about cybersecurity - because their organization is bad at ensuring security. E.g. if doctors have to spend cognitive effort worrying about the security of patient data - that's a massive loss of critical value. Instead, the information system being used by a doctor should have adequate security built-in.

Until the secure-by-default approach matures and penetrates systems worldwide, approaches like security awareness training and cybersecurity audits (which can promote/enforce adoption of security frameworks like IMSBI) remain among the best tools to protect and defend information assets.

by Aravind Jose T.