Considering human errors as threats may seem a little insensitive, yet as statistics from various organisations show, they are still a very common cause of IT incidents.
‘Human error’ is defined as any human behaviour that does not fall under correct usage and may involuntarily result in various damages. Voluntary acts committed with malicious intent are not considered errors.
Drawing up an exhaustive list of human errors would be impossible. It is, however, possible to identify some distinctive criteria by which human error can be categorised.
The first category, negligence, covers actions carried out by people who understand the rules but fail to apply them. Negligence can therefore be considered a voluntary act, although it is rarely fraudulent in intent.
The second category includes all errors committed unknowingly. Many errors are committed ‘in good faith’, without the user realising that they are acting irresponsibly or breaking a rule, and without them realising the consequences of their actions.
Human errors are unintentional threats that exploit different vulnerabilities, such as negligence, lack of awareness and lack of training.
Negligence covers all acts committed carelessly. It is very difficult to combat, except by making employees accountable and applying sanctions.
A person’s lack of awareness is a major vulnerability: the person does not realise that an error has been committed, so the error can be neither detected nor corrected.
A person’s lack of training and security awareness is a vulnerability that is easily exploited by social engineering, a particularly dangerous threat.
Gilb’s Law of ‘unreliability’, attributed to the American mathematician Gilb, states that ‘Any system which depends on human reliability is unreliable.’
There are multiple ways to combat human error. However, the focus should be on limiting the impact of human error rather than on the illusion that it can ever be avoided entirely. The primary countermeasures are as follows:
Increased awareness is an easy way to noticeably reduce risk.
Most people mean well; if they are aware of the importance of their daily actions and of the value of the data they process, they will treat it with due diligence.
The best way to avoid the incorrect handling of data and software is to train the users on how to use the software and devices.
It is vital to introduce procedures covering all important security-related aspects (access, backups, etc.). Compliance with these procedures must be checked periodically, and non-compliance should result in sanctions. These procedures are generally part of the security policy.
In order to avoid data entry errors in critical software (e.g. electronic payment), it is a good idea to set up a duplicate data entry or a double validation system.
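The following is an added illustration of the two controls just mentioned; it is not code from the original article. Duplicate data entry catches a typo by requiring the operator to enter the critical fields twice and comparing the two entries, while double validation (the four-eyes principle) requires a second, different person to approve before the payment can be executed. The class and function names, the user names and the sample IBAN are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, Optional


class ValidationError(Exception):
    """Raised when a control (double entry or four-eyes approval) is not satisfied."""


@dataclass(frozen=True)
class Payment:
    beneficiary_iban: str
    amount_cents: int


def normalise_iban(iban: str) -> str:
    # Spacing and letter case vary between two honest entries of the same IBAN;
    # strip that noise so only real differences (digits, letters) cause a mismatch.
    return "".join(iban.split()).upper()


def make_payment(iban: str, amount_cents: int) -> Payment:
    if amount_cents <= 0:
        raise ValidationError("amount must be positive")
    return Payment(normalise_iban(iban), amount_cents)


def double_entry(first: Payment, second: Payment) -> Payment:
    """Duplicate data entry: the operator enters the payment twice.

    A slip in either entry (transposed digits, wrong amount) makes the two
    entries differ, so the error is caught before the payment goes any further.
    """
    if first != second:
        raise ValidationError("the two entries differ; re-enter the payment")
    return first


@dataclass
class PendingPayment:
    payment: Payment
    entered_by: str
    approved_by: Optional[str] = None

    def approve(self, approver: str) -> None:
        """Double validation (four-eyes): a second, different person must approve."""
        if self.approved_by is not None:
            raise ValidationError("payment already approved")
        if approver == self.entered_by:
            raise ValidationError(
                "approver must be a different person from the one who entered the payment"
            )
        self.approved_by = approver

    @property
    def executable(self) -> bool:
        # Only an approved payment may be released to the payment system.
        return self.approved_by is not None


def submit(first: Payment, second: Payment, operator: str) -> PendingPayment:
    """Apply double entry, then park the payment until a second person approves it."""
    return PendingPayment(double_entry(first, second), entered_by=operator)


def rejects(action: Callable[..., object], *args: object) -> bool:
    """True if the action is refused by one of the controls (used for checks below)."""
    try:
        action(*args)
    except ValidationError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: operator "alice" enters the same payment twice, with
    # different spacing; "bob" approves it. A mistyped amount is refused.
    pending = submit(
        make_payment("LU28 0019 4006 4475 0000", 12345),
        make_payment("lu280019400644750000", 12345),
        operator="alice",
    )
    print("self-approval rejected:", rejects(pending.approve, "alice"))
    pending.approve("bob")
    print("executable after second approval:", pending.executable)
    print(
        "typo caught by double entry:",
        rejects(double_entry, make_payment("LU28...", 12345), make_payment("LU28...", 12354)),
    )
```

The normalisation step is a deliberate design choice: without it, harmless differences in spacing would reject honest entries and train operators to treat the control as noise, which defeats its purpose. The separation between `entered_by` and `approved_by` is what turns a single person's slip into something a second pair of eyes can catch.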
As errors cannot be avoided entirely, it is important to learn from their consequences. Only a targeted analysis of the mistakes made and their causes can prevent them from being repeated in the future.
To minimise human error, it is advisable to limit access to software and data only to those persons who really need to use them (see: access management and authentication).