User error is an expected business problem

When I read the article that human error was the source of most breaches and data loss in 2014, it was not a surprise. Pick any study of computer-related crime and data breaches from the last few years and you will find that humans are the primary attack vector for most significant breaches, and that criminals deliberately set out to induce human error. To prevent that error, you first have to understand what causes humans to make errors.

Humans are not, for the most part, stupid. Human error causes problems in just about every field. Think about aviation: pilot error is the source of many accidents. Factory injuries are almost always caused by human error. The computer field is not alone in suffering significant damage from human error. For some reason, though, the information technology field refuses to acknowledge that sufficient effort should be put into reducing it.


In aviation-related errors, people die. In response, there have been extensive studies of what prevents errors. Surprisingly, they found that making pilots work through a very simplistic checklist, one that at face value appears to be an insult to their intelligence but ensures they complete basic preflight procedures, is what prevents errors. Factory injuries are commonplace and cost companies hundreds of millions of dollars annually. In response, there are many studies and millions of dollars invested in preventing future accidents.

What do we do in the IT field? We call the users stupid. Despite millions of dollars in losses, there are not millions of dollars invested in research to figure out how to prevent the errors. Companies make employees watch videos, with little examination of whether those videos are effective, and claim they are taking action to prevent future errors.

As I addressed previously, when other fields look to reduce human error, they first look at which aspects of the environment cause the error. For example, in factories, safety experts first examine the layout of the plant as a possible cause. They paint lines on floors to mark walkways that keep people from walking into equipment. They add warning signs. Many such measures are taken. By proactively changing the physical environment, human error is reduced by 90%. Can the IT profession claim to make the same efforts?

Then there is the remaining 10% of human errors. Studies show that those errors result from lack of knowledge, carelessness, inattentiveness, or outright ignoring advice. This is where awareness programs come in. However, much like the other business disciplines, you cannot rely on videos and a simulated phishing attack to account for all possible human errors.

If someone lacks knowledge, you need to provide it in the formats that most effectively impart that knowledge. That is not as simple as showing people a video and testing their short-term memory. You need to ensure that they integrate that knowledge into their behaviors, which is the actual goal of a real awareness program.

Carelessness and inattentiveness are more difficult to address. They imply that users know what to do, and would do it if they were thinking clearly, but are simply not paying attention to what they are doing. In this case, you have to create constant reminders so that they attend more frequently to the task at hand. Likewise, you can increase the motivational component of taking the proper actions; in other words, highlight the importance of what they are doing. For example, a normal person will clearly be more attentive to holding a baby securely in their arms than to holding a sponge. They feel a greater sense of responsibility for the baby, and are naturally more attentive.

Then there is addressing people who ignore advice. For example, in the IT world this might include people who reuse their personal password for business accounts. This was apparently the root exploit by which the North Korean hackers obtained administrator access to the Sony network. Addressing this requires an increase in motivation.

Good awareness has three components: knowledge of what the problem is, the solution to the problem, and motivation to enact the solution. Of the three, motivation is where most awareness efforts fail. All too frequently, awareness professionals and the programs they create act as if knowledge of the problem is its own motivation. That is rarely the case. Most people know what to do, but more than enough people simply fail to choose to do the right thing. And I want to be clear that while some users choose to purposefully flout the rules, for the most part users are just not given enough information to choose the proper security actions over doing what is easiest.

I have made it a point to implement awareness programs that take into account improving the user environment to reduce the opportunity for them to commit errors. Those programs are then supplemented with constant metrics collection and constant research to improve the awareness programs. However, as an awareness professional, I realize that awareness is a business problem and it needs to be treated as such.


Airline accidents, workplace injuries, accounting errors, etc. are all considered business problems with large costs attached. As such, companies invest substantially in studying why human errors occur and in reducing the likelihood of future errors. Besides the personal projects I have been involved with, I have never seen a similar process enacted elsewhere. I see companies hit with phishing, and then do phishing simulations, which don't improve the environment that allowed phishing to succeed and generally don't address the root problem. However, there are many other issues to address as well.

The fundamental issue is that IT-related user errors are now causing millions of dollars of damage, yet we do not see a comparable scope of effort to reduce those errors. We see security programs begrudgingly buy subscriptions for videos or acquire phishing services, with the appearance that this is the appropriate business response.

I want to be clear that I am not downplaying the potential of CBT and phishing services as part of a good awareness program. However, these efforts are clearly not preceded by a good proactive study of why the errors occurred in the first place and of the best methods to address the reasons for those errors.

Until CISOs and the IT community as a whole recognize that user error is an expected part of the business process, and that these errors are costly and deserve the respect that human error gets in every other discipline associated with the business, security awareness programs will have massive failures and user error will continue to be costly. IT professionals seem to believe that user error is unique to our community, and that just telling users not to do something will work. That doesn't work in any other discipline. Until CSOs, CISOs and other executives realize this, and promote the issue to their management, losses associated with user error will only continue to increase. It is time to accept this fact.

Stories by Ira Winkler