
We should talk about "human error"

  • Andrew Lucas
  • Jul 18, 2023
  • 4 min read

Blaming security failures on "human error" is easy and seductive. We believe a "new view" can help improve information security within organisations.



As a company director, Chief Information Security Officer (CISO), or anyone else who is given responsibility for keeping a company's information and systems protected from attack, it can be difficult to find the best solutions for your security needs. When it comes to understanding how to protect your data and systems, there is no one-size-fits-all solution.


Moreover, when it comes to information security, the human element has historically been overlooked. We are often quick to invest in the latest cyber-security solutions and technologies. Important tools though these can be in the fight against hackers and other malicious actors, in too many cases we don't take enough time to step back and examine the system as a whole, and the interactions between our technologies, our processes and our people.


Worse still, when we do, the finger often gets pointed at "human error". The focus falls on individuals failing to update software regularly, or on users clicking on malicious links or opening suspicious attachments in emails. We highlight errors such as staff leaving laptops unattended, or allowing contractors or even members of the public unauthorised access to sensitive systems.


In 2014, IBM's Security Services Cyber Security Intelligence Index began to put some dimensions to the issue:

"What is fascinating—and disheartening—is that over 95 percent of all incidents investigated recognize “human error” as a contributing factor."

95%!!!!

More recent data, drawn from IBM's 2022 Cost of a Data Breach Report, puts human error as the cause of a more modest 21% of breaches.


But let's not take too much comfort from that. The difference is perhaps not as stark as it might initially seem. Note the distinction between a "contributing factor" (the 2014 figure) and a "cause" (the 2022 figure), and note also the part individuals may play (by, for example, clicking phishing links) in ransomware incidents and within the chain of vulnerabilities that make up a supply chain attack, even where the breach is ultimately categorised under another cause.


All these can lead to serious breaches of data security and have disastrous consequences for your business.


Life could be so much simpler if ...

So that's it? My business would be so much simpler and safer if it didn't have to interact with, and draw upon the work of, all those humans...?


Certainly we can develop a better understanding of how humans interact with technology and how they are likely to make mistakes while using it. That understanding helps identify the conditions that could lead people to make mistakes within an organisation's infrastructure, and allows organisations to take steps to reduce the likelihood of errors occurring in the first place.


To better understand the risks and benefits of different approaches, we must first become familiar with three key theories: Control Theory, Systems Theory, and Resilience Engineering.


Control Theory

Control theory looks at ways of maintaining control over a system even when variables are changing constantly. It focuses on identifying points where intervention can change behavior within the system and suggests ways in which organisations can use feedback loops and other methods to control their infrastructure more effectively. This theory is especially useful for organisations that need to ensure that their systems remain secure while still responding quickly to changes in their environment.


Systems Theory

Systems theory examines how different elements within a system interact with each other and how changes within one element will affect the entire system. It helps organisations identify potential weaknesses in their infrastructure before those weaknesses become vulnerabilities that could be exploited by attackers. It also provides insight into strategies for preventing attacks from succeeding by making sure that any changes made are designed not just for short-term fixes but for long-term security as well.


Resilience Engineering

This approach - developed by Erik Hollnagel, David D. Woods and Nancy Leveson - takes the view that there is no such thing as "human error", only failures of the system to adjust to emergent challenges. Using Resilience Engineering concepts in our approach to information security allows us to build on control and systems theories and take a more holistic view, focusing on prevention rather than on reaction after an attack has already occurred. By taking into account both human factors and system dynamics, resilience engineering seeks to build systems that are resistant to attack by designing them with failure in mind: anticipating what might go wrong before it does, so that if something does go wrong there is a plan in place for dealing with it quickly and efficiently, without causing too much disruption or damage.


This is very much central to the approach that NaturallySecure.Net takes in its work and in the services and technologies we offer to our customers. But we can and do draw on the other approaches when appropriate, to provide insight into information security and the ways in which your company's data and systems can be better protected from malicious actors. Each approach has its own advantages and disadvantages, and each can be applied in different situations and at different phases of improving security maturity, so it is important that we consider all of them before deciding which is right for your organisation's needs.


It is certainly important to remember that humans are just one piece of a much larger, interacting and complex puzzle. To stay ahead of malicious actors, organisations must take an integrated approach to their cyber-security efforts, combining robust technical controls with strong policies and procedures, as well as behavioural change initiatives designed to reduce risk and strengthen resilience.


Not only should we not be talking about human error. We should be focusing on the critical role humans always play in responding to novel attacks. It's time we put the human at the heart of our information security.





Registered Address: 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ

Company Registration Number: 14301374

© 2023 by NaturallySecure.Net Limited
