When I read the article that human error was the source of most breaches and data loss in 2014, it was not a surprise. You can pick any study about computer-related crimes and data breaches in the last few years and you will find that humans are the primary attack vector for most significant breaches, and the criminals intend to initiate human error. In order to prevent this error, you have to understand what causes humans to make errors.
For the most part, humans are not generally stupid. Human error is the cause of problems in just about any field. Think about aviation. Pilot error is the source of many problems. Factory injuries are almost always caused by human error. The computer field is not alone in significant damages caused by human errors. For some reason though, the information technology field refuses to acknowledge that there should be sufficient efforts put into reducing human error.
[ ALSO ON CSO: Human Error Causes Most Serious Data Loss ]
In aviation-related errors, people die. In response, there are extensive studies as to what can prevent errors. Surprisingly, they found that making pilots go through a very simplistic checklist, that at face value appears to be an insult to their intelligence, that has them ensure they go through basic preflight procedures. Factory injuries are commonplace and cost companies hundreds of millions of dollars annually. In response there are many studies and millions of dollars invested in preventing future accidents.
What do we do in the IT field? We call the users stupid. Despite millions of dollars in losses, there are not millions of dollars invested in research to figure out how to prevent the errors. Companies make employees watch videos, with little examination of the effectiveness of such videos, and claim they are taking action to prevent future errors.
As I addressed previously, when other fields look to reduce human error, they first look to what aspects of the environment cause the error. For example, in factories safety experts first look to the layout of factories that may be the cause. They paint lines on floors to function as walkways that prevent people from walking into equipment. They add warning signs. There are many things that are done. By proactively changing the physical environment, human error is reduced by 90%. Can the IT profession state that they make the same efforts?
Then there is the remaining 10% of the human errors. Studies show that those errors result from lack of knowledge, carelessness, inattentiveness, or just outright ignoring advice. This is where awareness programs come in. However much like the other business disciplines, you cannot rely on videos and a simulated phishing attack to account for all possible human errors.
If someone has a lack of knowledge, you need to provide them the knowledge in the formats that most effectively impart that knowledge. That is not as simple as showing people a video and testing them on their short-term memory. You need to ensure that they integrate that knowledge into their behaviors, which is the actual goal of a real awareness program.
As far as carelessness and inattentiveness go, that is more difficult to address. It implies that users know what to do, and would do it if they were thinking clearly, but they just aren’t paying attention to what they are doing. In this case, you have to create constant reminders so they are paying more frequent attention to the task at hand. Likewise, you can increase the motivational component of doing the proper actions. In other words, highlight the importance of what they are doing. For example, a normal person will clearly be more attentive to holding a baby securely in their arms than they might be to holding a sponge. They have a greater sense of responsibility with the baby, and are naturally more attentive.
Then there is addressing people who ignore advice. For example in the IT world this might include people who reuse their personal password for business accounts. This was apparently the root exploit for how the North Korean hackers obtained administrator access to the Sony network. To do this there must be an increase in motivation.
Good awareness has three components: knowledge of what the problem is, the solution to the problem, and motivation to enact the solution. Of the three components, the motivation is where most awareness efforts fail. All too frequently, awareness professionals and the programs they create act like knowledge of the problem is its own motivation. That is rarely the case. The fact is that most people know what to do, but there are more than enough people who just fail to choose to do the right things. And I want to be clear that while there are some users who choose to purposefully flaunt the rules, for the most part, most users are just not provided enough information to choose to take the proper security actions over doing what is easiest to do.
I have made it a point to implement awareness programs that take into account improving the user environment to reduce the opportunity for them to commit errors. Those programs are then supplemented with constant metrics collection and constant research to improve the awareness programs. However, as an awareness professional, I realize that awareness is a business problem and it needs to be treated as such.
[ ALSO ON CSO: The things end users do that drive security teams crazy ]
Airline accidents, workplace injuries, accounting errors, etc. are all considered business problems with large costs associated with them. As such, companies make substantial investments in studying why human errors occur and make large investments to reduce the likelihood of future errors. Besides the personal projects I have been involved with, I have never seen a similar process enacted elsewhere. I see companies hit with phishing, and then do phishing simulations, which don’t improve the environment that allowed phishing to be successful, and generally don’t address the root problem. However, there are so many other issues to address as well.
The fundamental issue is that we see IT related user errors that are now causing millions of dollars of damage. In return, we do not see a similar scope of effort to reduce those errors. We see security programs begrudgingly buy subscriptions for videos or acquire phishing services with the appearance that this is the appropriate business response.
I want to be clear that I am not downplaying the potential of CBT and phishing services as a part of a good awareness program. However, these efforts are clearly not first performing a good proactive study into why the errors occurred in the first place and what are the best methods to address the reason for those errors.
Until CISOs and the IT community as a whole recognizes that user error is an expected part of the business process, and that these errors are costly and deserve the respect that human error gets in every other discipline associated with the business, security awareness programs will have massive failures and user error will continue to be costly. IT professionals seem to believe that user error is unique to our community, and just telling users not to do something will work. That doesn’t work in any other discipline. Until CSOs, CISOs and other executives realize this, and promote this issue to their management, losses associated with user error will only continue to increase. It is time to accept this fact.
Ira Winkler, CISSP can be contacted at www.securementem.com.