The Human-Centered Cybersecurity program (formerly Usable Cybersecurity) is part of the Visualization and Usability Group at NIST. It was created in 2008, but we’ve known for quite some time that we needed to rename our program to better represent the broader scope of work we provide for the cybersecurity practitioner and IT professional communities. We made the decision to update the name to Human-Centered Cybersecurity to better reflect our new (but long-time practiced) mission statement, “championing the human in cybersecurity.” With our new name, we hope to highlight that usability still (and always) will be a very important focus for us, but it is just one component within the broader arena of work in which we specialize.
Our multi-disciplinary team conducts research at the intersection of cybersecurity, human factors, cognitive science, and psychology. We seek to better understand and improve people’s interactions with cybersecurity systems, products, and services.
To learn more about our latest projects, watch our latest videos, meet the team, or to view our publications, visit our revamped website https://csrc.nist.gov/projects/human-centered-cybersecurity.
We changed our name to eliminate misconceptions and better reflect the breadth of what we do.
With this name change we aim to squash the misconception that we only address the usability of cybersecurity technologies and processes. When engaging with different audiences around the world as the Usable Cybersecurity program, we ran into some confusion around the types of projects we do and solutions we offer. It was sometimes believed or interpreted that we only conduct usability evaluations to improve user interfaces and websites or that we only focus on usability for “end users.”
Usability refers to how well people can use a system, product, or service to accomplish a goal with effectiveness, efficiency, and satisfaction in a specific context of use. The lack of usability in cybersecurity systems, products, and services can result in people making errors, becoming frustrated, or trying workarounds. After all, security is not most people’s primary task.
Usability was originally and will remain a cornerstone of the program (like our authentication research that informed the usability considerations in NIST Special Publication 800-63). However, our program scope goes beyond that to more broadly consider the human element of cybersecurity: the relationships between individual human, social, organizational, and technological factors and how those relationships ultimately impact people’s experiences with and adoption of cybersecurity. For example, our work uncovering how social influences impact youth cybersecurity and privacy understandings and behaviors resulted in recommendations on how parents can talk to their kids about keeping safe online. Program efforts related to users’ smart home security perceptions helped inform labeling considerations in NIST’s Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products. As a resource for practitioners, we synthesized industry and research evidence to describe and offer suggestions to overcome common user misconceptions and pitfalls.
We also expand the notion of “users” to all stakeholders of cybersecurity, including experts in the field. For example, we have completed projects exploring the work practices, skills, and challenges of cybersecurity advocates and cybersecurity awareness professionals. Our phishing research led to the development of the NIST Phish Scale as a measurement tool to better aid cybersecurity awareness and training staff in contextualizing their phishing simulation click rates. As you can see, all these projects address issues beyond the confines of traditional usability.
We’ve updated our website to improve findability and reflect our recent projects.
One of the goals of our program is to advance cybersecurity adoption and acceptance by getting our research into the hands of those who can take action within federal and non-federal sectors. We strive to help bridge the communication gap that can get in the way of cybersecurity and IT practitioners being informed of the relevant human-based research that could benefit their work and professional education.
To complement our new name, we decided it was the perfect time to revamp our website in hopes that our resources can be more easily found. We optimized the site with searchability in mind, using the proper keywords that will allow NIST’s resources to be more visible on the web. We reorganized our publications and presentations using easy-to-use navigation bars and updated the list of our current research topic areas to provide transparency and encourage collaboration. We will also highlight recent videos, media, and other program announcements on the front page.
We ultimately want to advance cybersecurity by empowering people to be active, informed partners in cybersecurity.
Through our commitment to “champion the human in cybersecurity,” we humbly serve as a voice for people in a technology-dominated field. We seek to encourage and empower individuals to be active participants and have positive experiences with cybersecurity while, at the same time, improving cybersecurity outcomes for individuals and organizations. We want to provide actionable guidance and evidence and help facilitate connections between researchers and practitioners to keep people informed of the latest updates in human-centered cybersecurity. We will continue to advocate and educate stakeholders on ways to overcome common human element challenges while also learning from others’ experiences through engagement with the community at events, social media, podcasts, articles, etc.
We truly appreciate your support, encouragement, and feedback regarding this change. Please feel free to reach out with any questions or comments to human-cybersec [at] nist.gov (human-cybersec[at]nist[dot]gov) (and follow us on @NISTcyber and subscribe to our Cybersecurity Insights blog to stay updated on our future work).