Building 网络安全 Resilience With the Power of Habit

作者: Fouad毛拉, CISM, CASP+, CISSP
发表日期: 2024年1月9日

It has become increasingly clear that the technology, 系统, 网络安全专业人员使用的政策和协议的强度取决于使用它们的人的习惯. 在数字时代, cybersecurity is paramount for every organization, yet building a strong cybersecurity culture remains a challenge. 这一挑战不仅仅是掌握最新的技术或实现最强大的协议. It is also about influencing human behavior, mastering change management and fostering the right habits.

A significant part of this challenge lies in the human factor. As many as 88% of cloud breaches are due to human error.1 这包括配置错误、未能实现最小特权原则2 以及被忽视的软件更新. 这些漏洞, often overlooked in the face of complex technical solutions, present a significant risk to the security posture of an organization.


A solution to this conundrum emerged from an unlikely source: 原子的习惯3 by James Clear, a widely popular book published in 2018.

Clear的原则和理念, advocating for small yet consistent changes, should resonate deeply with cyberprofessionals. 这些原则, while not originally intended for use in the cybersecurity realm, 是否可以创造性地应用于为弹性网络安全文化构建一个强大的框架. Clear's principles can be adapted to the cultivation of cybersecurity habits.

Laying the Foundation: Micro-Changes As a First Step

从Clear的书中得出的最初原则是从小处开始的概念.4 Given the myriad complexities and technicalities of cybersecurity, it can often be an intimidating subject for many employees. 而不是实现扫描, large-scale changes that could potentially lead to confusion or resistance, teams should be steered toward adopting simple, 可管理的网络安全实践.

这段旅程可以从基础开始,例如,云访问权限的管理. 这包括定期审查谁有权访问哪些信息或资源以及为什么访问, 当员工改变角色或离开组织时撤销访问权限, and implementing the principle of least privilege, 其中,用户被授予执行其工作所需的最低级别的访问权限. 这些细微的变化, 当持续应用时, can become the building blocks of an enterprise’s cybersecurity framework.

The cumulative effect of such microchanges can be surprising. 随着时间的推移, 这些变化可以显著增强澳门赌场官方下载的整体安全态势, 证明小习惯可以大大提高网络安全弹性.


Clear的习惯叠加原理为采用新做法提供了一种新颖的方法. When new cybersecurity habits are integrated with established routines, teams are more inclined to adopt and maintain them. 例如, 鼓励员工在每天早上检查收件箱时查看并报告任何可疑的电子邮件,可以成为日常工作的固有组成部分, thereby gradually enhancing organizational security.


在网络安全领域, 人们很容易执着于结果, such as the number of incidents prevented or the absence of breaches. 然而,更有效的方法是关注过程而不是结果. This perspective requires a transition from a reactive stance, wherein the team is constantly responding to cybersecurity incidents, 积极主动的态度, 其中,团队始终致力于维护和增强网络安全态势.5

This transition represents more than a shift in actions. It marks a profound transformation in the collective mindset. 结果是, the team will start to perceive cybersecurity not as a finite goal, but as a continuous journey demanding persistent effort and vigilance.

为了支持这种转变, 组织应该考虑实施定期培训课程,以确保团队了解最新的威胁和最佳实践. 积极主动的学习和发展态度是培养持续改进文化的有力催化剂. The ripple effect of this transformation can be profound, leading to a significant enhancement in a team's approach to cybersecurity.

Incentivizing 网络安全: The Power of Attractiveness

在Clear的工作中,一个突出的原则是让新习惯变得有吸引力. This poses an interesting challenge in the context of cybersecurity, a field often perceived as complex and tedious. How can the adoption of cybersecurity habits be made more appealing?

One solution lies in the power of gamification whenever possible. By turning cybersecurity practices into engaging challenges or competitions, 这些习惯变得更有吸引力. 这种方法将网络安全从一项可怕的义务转变为一项刺激参与和学习的有吸引力的活动.

Simplicity in Adoption: Facilitating Ease of Use

Clear哲学的一个基本原则是习惯养成的便利性. 与这个原则一致, 重点应放在尽可能简化网络安全实践上. 这可能包括提供用户友好的工具、明确的指导方针和简单的程序. 例如, 引入密码管理器可以显著缓解与密码相关的问题. 这种简单性不仅促进了安全实践的采用,还鼓励员工及时报告安全事件, thereby enhancing responsiveness to potential threats.

Reinforcement Through Satisfaction: The Power of Immediate Feedback

Clear强调了养成令人满意的习惯以确保其长寿的重要性. 根据这一原则,优先考虑即时反馈和强化可能是有益的. Whether it is through verbal praise or more formal recognition, such as an employee-of-the-month distinction, 手势可以在激励团队和肯定他们的努力方面发挥关键作用.

Continuous Improvement: The Importance of Regular Reviews

另一个宝贵的教训强调了定期审查和调整的重要性. 尽管由于工作量大,这一课在日常实践中往往被忽略, it is essential to integrate it into cybersecurity routines. 定期的反馈会议和数据分析有助于确定优势和劣势, paving the way for the refinement of strategies for enhanced effectiveness. 这种不断演变的循环是在动态的网络安全环境中保持弹性的基石.

Fostering a Supportive Environment: The Shift Toward Collective Responsibility

最后,也是最关键的原则是创造一个支持性的环境. 培育开放合作的文化强调网络安全是一项共同的责任. 这种转变可能是深远的, 用集体所有制的意识和每个人的投入都是有价值的理解来取代对指责的恐惧.


将Clear的原则融入网络安全文化是一段转型之旅. 微小的变化, 当持续应用时, 能否创造一种自觉的文化, 负责任的, 并具备处理网络安全事件的能力. 如果有什么值得借鉴的, 建立一个强大的网络安全文化不是关于规则和协议,而是关于习惯. As 原子的习惯 习惯从小处开始,但却能带来有意义的改变. As the landscape of cybersecurity continues to evolve, 习惯的力量及其对组织的潜在影响保持不变. 考虑如何在组织内应用这些原则对于加强网络安全弹性是非常宝贵的.


是云安全架构师吗, 网络安全首席顾问和数字领导者,在信息和软件行业拥有超过15年的经验. He has worked closely with global enterprises, playing a crucial role in ensuring their security and resilience. Mulla指导了许多澳门赌场官方下载管理和保护他们的关键信息. 他的见解使组织能够识别和理解网络安全风险, 支持战略业务决策, especially pertaining to critical infrastructure projects. Additionally, Mulla served as a technical reviewer of the book 多云管理指南 and has been a speaker at several leading cybersecurity conferences.