COMP.SEC.100, 5. Human Factors
5.3 Human error
Human errors are often predictable and can be traced back to a wide range of underlying issues in the organisation and its working conditions that go unnoticed or remain unaddressed. For example, when an employee accidentally clicks a malicious link, several preceding failures may have occurred, such as deficiencies in the organisation’s information security, in employee training, or in overly time-pressured tasks. When a user makes an error, the organisation should investigate what enabled it to happen. This improves security more effectively than, for example, blaming the user.
In organisations, information systems are usually not designed to be secure and usable from the outset. Systems often consist of multiple other systems (system-of-systems, SoS). In the worst case, the systems do not integrate well and some may be very old. In such situations, there is a significant risk of hidden issues that can lead to user errors and security risks.
Users strive to be as efficient as possible in their work. This leads to performing tasks according to established routines. In new situations that resemble previous ones, users may act in exactly the same way as before. An attacker can exploit this, for example by imitating familiar websites and embedding malicious links into realistic-looking security warnings. A busy employee may not distinguish the message from a genuine one, as they are focused on performing their actual work task.
Factors that predispose users to making errors include:
- fatigue, inexperience, and a risk-taking attitude
- limitations of memory and, conversely, ingrained habits and assumptions about the situation
- task-related factors such as time pressure, high workload, and multiple simultaneous tasks, but also task monotony and boredom
- uncertainty about the user’s role, responsibilities, and rules
- constant interruptions, poor tools, and inadequate instructions
- situations where practices and rules change
The last four items in the list are factors related to the organisation and its working conditions. When errors or “near miss” situations occur, the organisation has an opportunity to identify possible sources of error and to improve conditions. Processes in the organisation should ensure that deviations or “near misses” are reported to a responsible person. When the information reaches the right party, the organisation gains an intelligence advantage over the attacker (cf. “CTI” in a later module) and can improve its security measures.