CASES.LU


Human error

In brief

Considering human errors as threats may seem a little insensitive, yet, as statistics from various organisations show, they remain a very common cause of IT incidents.

“Human error” is defined as any human behaviour that does not fall under correct usage and may involuntarily result in various damages.

Types of error

This definition excludes deliberate acts: voluntary acts committed with malicious intent are not considered errors.

Drawing up an exhaustive list of human errors would be impossible. It is, however, possible to identify some distinctive criteria that can be used to categorise human error.

Errors through negligence

Actions carried out by people who understand the rules, but fail to apply them fall under this heading. Negligence can therefore be considered a voluntary act. However, negligence is rarely intended to be fraudulent.

Examples:

Errors through incompetence

This category includes all errors committed unknowingly. A number of errors may be committed “in good faith”, without the user having realised they were acting irresponsibly or breaking a rule, and without them realising the consequences of their actions.

Examples:

  • “social engineering” (see point on this topic),
  • incorrect use of an IT tool,
  • deletion of data.

How does it work?

Human errors are unintentional threats that exploit different vulnerabilities, such as:

Idleness and lack of conscientiousness

This category covers acts committed through negligence; they are very difficult to combat other than by making employees accountable and applying sanctions.

Lack of training or security awareness

A person’s lack of awareness is a major vulnerability: someone who is unaware of the risk will also be unaware of the error they have committed, so the error cannot be detected and corrected by that person.

A person’s lack of training and security awareness is a vulnerability that can easily be exploited through the highly dangerous threat of social engineering.

How can we protect ourselves?

The American mathematician Gilb’s Law of “unreliability” states that “Any system which depends on human reliability is unreliable.”

There are multiple ways to combat human error. However, it is recommended that you focus on limiting the impact of human error and not get caught up in the idea that we will ever be able to avoid human error entirely. The primary countermeasures are as follows:

Awareness

Increased awareness is an easy way to noticeably reduce risk.

Most people mean well and if they are aware of the importance of their daily actions, as well as the value of the data processed, they will make sure they treat it with due diligence.

Training

The best way to avoid the incorrect handling of data and software is to train the users on how to use the software and devices.

Implementation and control of procedures

It is vital to introduce procedures covering all important security-related aspects (access, backups, etc.). Compliance with these procedures must be checked periodically, and non-compliance should result in sanctions. These procedures are generally part of the security policy.

Double validation

In order to avoid data entry errors in critical software (e.g. electronic payment), it is a good idea to set up a duplicate data entry or double validation system.

Error management and follow-up

As errors can’t be avoided entirely, it is important to learn from their consequences so they don’t happen again. Only a targeted analysis of the mistakes made and of what caused them can prevent them from being repeated in the future.

Centralised administration

To minimise human error, it is advisable to limit access to software and data to those persons who really need it, through access management and authentication.
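The double validation, error follow-up and access limitation countermeasures above can be combined in one small control. The following is an added example written for this page, not code from CASES.LU: a critical payment entry is only accepted once a second, different authorised user has re-entered identical data; any rejection (unauthorised user, same user twice, mismatching fields) is written to an audit log so the mistake can be analysed afterwards. The user names, the authorised group and the sample payment values are all constructed for illustration.

```python
"""Added example, not code from CASES.LU: a minimal "double validation"
(four-eyes) control for a critical data entry such as an electronic payment.

Two different authorised users must enter the same values independently.
A mismatch, a second entry by the same person, or an entry by someone
outside the authorised group is rejected and written to an audit log so
the error can be analysed afterwards. All user names, the authorised
group and the sample payment data are constructed for illustration.
"""
from dataclasses import dataclass, field
from decimal import Decimal

# Constructed access list: only these users may enter payments
# (centralised access management, limited to those who need it).
AUTHORISED_ENTERERS = {"alice", "bob"}


@dataclass(frozen=True)
class PaymentEntry:
    iban: str
    amount: Decimal
    reference: str


@dataclass
class DoubleValidation:
    """Keeps first entries pending until a second, independent entry matches."""
    audit_log: list = field(default_factory=list)
    pending: dict = field(default_factory=dict)  # entry_id -> (user, PaymentEntry)

    def first_entry(self, entry_id: str, user: str, entry: PaymentEntry) -> bool:
        """Record the first entry; returns False if the user is not authorised."""
        if user not in AUTHORISED_ENTERERS:
            self.audit_log.append(f"{entry_id}: REJECTED first entry by unauthorised user {user}")
            return False
        self.pending[entry_id] = (user, entry)
        self.audit_log.append(f"{entry_id}: first entry recorded by {user}")
        return True

    def second_entry(self, entry_id: str, user: str, entry: PaymentEntry) -> bool:
        """Validate only if a *different* authorised user re-entered identical data."""
        if entry_id not in self.pending:
            self.audit_log.append(f"{entry_id}: REJECTED second entry, nothing pending")
            return False
        if user not in AUTHORISED_ENTERERS:
            self.audit_log.append(f"{entry_id}: REJECTED second entry by unauthorised user {user}")
            return False
        first_user, first = self.pending[entry_id]
        if user == first_user:
            # The same person re-typing their own entry would simply repeat a typo.
            self.audit_log.append(f"{entry_id}: REJECTED second entry by the same user {user}")
            return False  # entry stays pending for another validator
        if entry != first:
            # Record which fields differ so the mistake can be analysed later.
            diffs = [f for f in ("iban", "amount", "reference")
                     if getattr(entry, f) != getattr(first, f)]
            self.audit_log.append(
                f"{entry_id}: REJECTED mismatch on {', '.join(diffs)} "
                f"between {first_user} and {user}")
            del self.pending[entry_id]  # both must start over
            return False
        del self.pending[entry_id]
        self.audit_log.append(f"{entry_id}: VALIDATED by {first_user} and {user}")
        return True


def demo() -> DoubleValidation:
    """Run a few constructed scenarios and return the validator with its audit log."""
    dv = DoubleValidation()
    payment = PaymentEntry("LU000000000000000000", Decimal("1250.00"), "Invoice 4711")
    typo = PaymentEntry("LU000000000000000000", Decimal("12500.00"), "Invoice 4711")

    dv.first_entry("p1", "alice", payment)
    dv.second_entry("p1", "bob", payment)      # validated
    dv.first_entry("p2", "mallory", payment)   # rejected: not authorised
    dv.first_entry("p3", "alice", payment)
    dv.second_entry("p3", "alice", payment)    # rejected: same user
    dv.first_entry("p4", "alice", payment)
    dv.second_entry("p4", "bob", typo)         # rejected: amount differs
    return dv


if __name__ == "__main__":
    for line in demo().audit_log:
        print(line)
```

Keeping the audit log separate from the accept/reject decision is deliberate: the log is what the "error management and follow-up" step works from, since it shows which field was mistyped and by whom, while the decision itself stays a simple yes/no that the payment software can act on.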
