"Human Error" in Cyber Security - It's not what you think!

It's a constant message in cyber security - companies are being breached, and they blame "human error" for about 90% of those breaches. The core question is, where exactly is the human error? Is it the staff member that was tricked, or does responsibility lie somewhere else?

I'm going to dissect this with 4 scenarios:

1. I own a courier company, I employ a new driver, and I just stick them behind the wheel.

In cyber security this is equivalent to letting someone operate a computer without any awareness training. Good luck, you have no idea what they will click on, what information they will give out etc.

2. I employ a new driver, but I check that they have a current driver's licence.

For me that's equivalent to a compliance program of cyber security awareness. i.e. "tick a box, they've got the minimum".

3. Now what if I send them on a defensive driving course?

For me that's equivalent to using engaging cyber security awareness training.

4. Now I realise that the person being the best driver they can be will reap rewards for my business. They crash far less, and that saves downtime, insurance, repair costs, reputation. So I run a constant refresher program. We talk about current road rules, new road rules, have a slogan, do standup chats about near misses and how we handled it, and regular assessments on knowledge. It's all done in a fun and engaging way.

For me that's equivalent to cyber security cultural change. i.e. embedding awareness into the culture of the organisation so people are constantly suspicious and thinking about scams.

So what's human error?

As an employer doing number 3 or 4, you won't have many issues. Sure there will be the occasional hiccup, but not enough to worry about (fingers crossed!).

But if you're doing number 1 and 2, you'll be getting mistakes by the driver, potentially lots of them, and you may call that human error. But who employed them? Who failed to assess how competent they were? Who failed to provide them with the skills and knowledge they needed to do the job? Who failed to continue to nurture them, and keep them at the top of their game?

So this is my definition of human error in cyber security:

Expecting to get the best out of your people without helping them to be at their best

Let me know if you agree or disagree!

Jack Sterling

Cyber & Fiber Broker, Veteran Entrepreneurship Advocate, SEAL, Clemson MBA

4 years

I love this analogy. One of our clients maintains a fleet of repair trucks across the country, and they track driver performance metrics on all the vehicles. They know who their risky drivers are and are pro-active with defensive driving training when needed. They were not doing this for online behavior when we met. Now they know who is more likely to engage in risky online behavior and compassionately guide them to plain English, short-form awareness "edu-tainment". And everyone gets unannounced phishing emails in their inbox on a semi-routine basis. You can't know what you don't measure.

James Meikle

Security Architect | Consultant | Cybersecurity and Risk

4 years

(2) done the compliance exercise 'oh look we have the min'; (3) being we're actually looking to mature based on the compliance check of (2) not being enough. Statement of human error (or victim blaming) should bounce straight back on the compliance check and then likely find items of immaturity - like you have stated, such as (3) having not been done. However, from a media perspective that doesn't seem to be realised and the focus seems to always be on the human error victimisation as it makes better news?

Paul Brown

Managing Director at SURA Technology Risks

4 years

Totally agree.

Robert G

Security Analyst @ AFCA | Azure & Defender 365 XDR Infosec Ninja

4 years

Train more than the rail networks.

Max Broodryk

Country Manager - Australia

4 years

Agreed. Edward Deming, giant of TQM, would always highlight that management is responsible for the system, which in most cases is responsible for quality/errors.


More articles by Mike Ouwerkerk

  • How to get staff to watch awareness videos
  • Compliance Does Not Equal Security
  • 10 Hard Truths About Cyber Security Awareness
  • How do we spot deep fakes? Don't bother!
  • Conversations with a Romance Scammer
  • Cyber Security Cultural Change for SMEs
  • Toot Toot Here Comes the Deep Fake Pain Train
  • The Benefits of Cyber Crime
  • It's All About the Lightbulb Moments
  • My nomination for "10 Best Security companies in Asia 2019 (Asia Edition)"