Research frequently attributes around 95% of security incidents to some degree of human error. Human error is not only the most significant factor in security failures; it is also a leading factor in aviation incidents and medical errors. Chief Information Security Officers and Information Security Risk Managers can benefit from studying how those fields handle the human factor and applying the same lessons to security.
Human Error Defined
Before we can talk about overcoming human error, we first need to define it. Human error is a circumstance where planned actions, behaviors, or decisions reduce quality, safety, or security. The following are a few examples of human error related to information security:
- System misconfiguration
- Use of default username/passwords
- Use of easy-to-guess passwords
- Poor management of patches
- Disclosing information via the incorrect email address
- Sharing passwords
- Connecting personal mobile devices to the organization’s network
- Opening an unsafe attachment or clicking an unsafe URL
- Leaving a computer unattended
Human-factor engineers in the aviation industry note that serious incidents are rarely the result of a single human error; they arise when several events line up. An incident occurs when a series of seemingly minor events happens at once or in quick succession. The parallel with information security is clear: breaches are usually the product of several security weaknesses or a combination of errors rather than one mistake.
Tips for Tackling Human Error
When it comes to securing information, organizations employ a variety of strategies, most of them derived from the discipline of human factors engineering. Some well-known examples:
- Eliminate the opportunity for mistakes. For example, use automated safeguards such as identity and access management, automatic screen locks, cryptography, network access rules, and password managers, so that the secure behavior does not depend on anyone remembering to do it.
- Use preventative strategies that support people in completing tasks correctly, such as awareness campaigns, checklists and procedures, training and retraining, and, where necessary, disciplinary measures or the threat of litigation.
- Mitigate the consequences of errors with detection measures that let you correct a situation before it becomes critical, such as internal controls, system monitoring, audits, and breach detection solutions.
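As an added example (not code from the original article or from Securiteam), here is a small pre-deployment gate in Python that turns several items from the first list above into the "eliminate" and "mitigate" strategies: it refuses a deployment whose configuration contains default or easy-to-guess credentials or unsafe settings, so the mistake cannot reach production, and its findings double as a detection record for later analysis. The configuration text, the default-credential pairs, the common-password list and the thresholds are constructed for this illustration; a real gate would use a published default-credential list and a breached-password corpus.

```python
"""Added example: a pre-deployment configuration gate that blocks
common human errors (default credentials, weak passwords, unsafe
settings) before they reach production. All sample data is constructed."""
import configparser
import math
from collections import Counter

# Constructed stand-in for a vendor default-credential list.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("root", "toor"), ("root", "root"),
}
# Constructed stand-in for a breached/common-password corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "Password1"}
MIN_PASSWORD_LENGTH = 12          # assumed policy threshold
MIN_PASSWORD_ENTROPY_BITS = 40.0  # assumed policy threshold

# Constructed sample config with several deliberate mistakes.
BAD_CONFIG = """
[service]
debug = true
tls = off

[auth]
username = admin
password = admin

[db]
username = app
password = Password1
"""

# Constructed sample config that should pass the gate.
GOOD_CONFIG = """
[service]
debug = false
tls = on

[auth]
username = deploy-bot
password = v7Q!mz2#Lk9p$Ws4Rt
"""


def shannon_entropy_bits(text):
    """Total Shannon entropy (bits) estimated from the character distribution."""
    if not text:
        return 0.0
    n = len(text)
    per_char = -sum((c / n) * math.log2(c / n) for c in Counter(text).values())
    return per_char * n


def check_password(section, username, password):
    """Return a list of findings for one credential pair (empty if acceptable)."""
    findings = []
    if (username, password) in DEFAULT_CREDENTIALS:
        findings.append(f"{section}: default credentials '{username}/{password}'")
    if password in COMMON_PASSWORDS:
        findings.append(f"{section}: password appears in common-password list")
    if len(password) < MIN_PASSWORD_LENGTH:
        findings.append(f"{section}: password shorter than {MIN_PASSWORD_LENGTH} characters")
    if shannon_entropy_bits(password) < MIN_PASSWORD_ENTROPY_BITS:
        findings.append(f"{section}: password entropy below {MIN_PASSWORD_ENTROPY_BITS:.0f} bits")
    return findings


def check_settings(cfg):
    """Flag unsafe service settings; missing keys fall back to the safe value."""
    findings = []
    if cfg.getboolean("service", "debug", fallback=False):
        findings.append("service: debug mode enabled")
    if not cfg.getboolean("service", "tls", fallback=True):
        findings.append("service: TLS disabled")
    return findings


def audit_config(text):
    """Parse an INI-style config and return every finding across all sections."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    findings = check_settings(cfg)
    for section in cfg.sections():
        if cfg.has_option(section, "password"):
            user = cfg.get(section, "username", fallback="")
            findings.extend(check_password(section, user, cfg.get(section, "password")))
    return findings


def deployment_allowed(text):
    """The gate: deployment proceeds only when the audit finds nothing."""
    return not audit_config(text)


if __name__ == "__main__":
    import sys
    problems = audit_config(BAD_CONFIG)
    for problem in problems:
        print("BLOCKED:", problem)
    sys.exit(1 if problems else 0)
```

Run in a deployment pipeline, a non-zero exit stops the rollout; the printed findings are what an investigator later reviews, which is the detection half of the strategy.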
Develop Helpful Programs
The healthcare and aviation industries take a more holistic approach to error prevention: rather than focusing on the individual, they change the organization’s conditions, the environment as a whole, and the systems that people use. The same strategies can benefit the information security industry.
Crew resource management (CRM) is a training program created to teach airline crews how to manage and act during an incident. CRM training includes:
- Situational awareness
- Decision making
The use of CRM in aviation and healthcare has proven to decrease errors significantly.
Applying this method to information security means recognizing that people are your primary link in a crisis. Security incidents are bound to happen, and staff need to be able to recognize and deal with them.
Take the time to rehearse potential scenarios with your team, imagine other risks, and prepare them for possible incidents. If a data breach does occur, staff will then be able to make the best use of their equipment, their procedures, and each other.
Data from aviation incident reporting systems have been used effectively to redesign aircraft and air traffic control systems and to train pilots and airport staff.
Information security specialists likewise need to analyze security incidents as well as near misses. Without this analysis, there is no way to uncover recurring errors. An investigation should examine the people involved, the workplace, the team, the organization, third parties, and the information and communications technology systems. The important questions are why and how it happened, not who did it.
It is well established that poor environmental conditions, poor system and process design, fatigue, workload, and distraction all affect the number of errors. Changing working conditions requires leadership. Security officers, data protection officers, crisis managers, and others can help, but any significant change toward a resilient, secure organization depends on leadership commitment.
Errors are what make us human and therefore cannot be prevented entirely. However, the strategies described here can keep the damage to a minimum. The successful reduction of error in aviation, and the progress of medical error studies, give us some hope. If you want more help overcoming human error by leveraging technology, contact Securiteam.