"Human Error" in Cyber Security - It's not what you think!
Mike Ouwerkerk
DON'T CLICK ON THAT! | Cyber Awareness & Culture | Live Training for Results
It's a constant message in cyber security - companies are being breached, and they blame "human error" for about 90% of those breaches. The core question is, where exactly is the human error? Is it the staff member that was tricked, or does responsibility lie somewhere else?
I'm going to dissect this with 4 scenarios:
1. I own a courier company, I employ a new driver, and I just stick them behind the wheel.
? In cyber security this is equivalent to letting someone operate a computer without any awareness training. Good luck, you have no idea what they will click on, what information they will give out etc.
2. I employ a new driver, but I check that they have a current drivers license.
? For me that's equivalent to a compliance program of cyber security awareness. i.e. "tick a box, they've got the minimum".
3. Now what if I send them on a defensive driving course?
? For me that's equivalent to using engaging cyber security awareness training.
4. Now I realise that the person being the best driver they can be will reap rewards for my business. They crash far less, and that saves downtime, insurance, repair costs, reputation. So I run a constant refresher program. We talk about current road rules, new road rules, have a slogan, do standup chats about near misses and how we handled it, and regular assessments on knowledge. It's all done in a fun and engaging way.
? For me that's equivalent to cyber security cultural change. i.e. embedding awareness into the culture of the organisation so people are constantly suspicous and thinking about scams.
So what's human error?
As an employer doing number 3 or 4, you won't have many issues. Sure there will be the occasional hiccup, but not enough to worry about (fingers crossed!).
But if you're doing number 1 and 2, you'll be getting mistakes by the driver, potentially lots of them, and you may call that human error. But who employed them? Who failed to see assess how competent they were? Who failed to provide them with skills and knowledge they needed to do the job? Who failed to continue to nurture them, and keep them at the top of their game.
So this is my definition of human error in cyber security:
Expecting to get the best out of your people without helping them to be at their best
Let me know if you agree or disagree!
Cyber & Fiber Broker, Veteran Entrepreneurship Advocate, SEAL, Clemson MBA
4 年I love this analogy One of our clients maintains a fleet of repair trucks across the country, and they track driver performance metrics on all the vehicles They know who their risky drivers are and pro-active with defensive driving training when needed They were not doing this for online behavior when we met Now they know who is more likely to engage in risky online behavior and compassionately guide them to plain English short, form awareness “edu-tainment” And everyone gets unannounced phishing emails in their inbox on a semi-routine basis You can’t know what you don’t measure
Security Architect | Consultant | Cybersecurity and Risk
4 年(2) done the compliance exercise 'oh look we have the min' (3) being we're actually looking to mature based on the compliance check of (2) not being enough. Statement of human error (or victim blaming) should bounce straight back on the compliance check and then likely find items of immaturity - like you have stated such as (3) having not been done. However from a media perspective that doesn't seem to be realised and the focus seems to always be on the human error victimisation as it makes better news?
Managing Director at SURA Technology Risks
4 年Totally agree.
??Security Analyst @ AFCA | Azure ?? & Defender 365 XDR Infosec Ninja In ????
4 年Train more than the rail networks.
Country Manager - Australia
4 年Agreed. Edward Deming, giant of TQM, would always highlight that management is responsible for the system, which in most cases is responsible for quality/errors