The Role of Human Error in Cybersecurity Breaches

Making mistakes is a core part of the human experience – it is how we grow and learn. Yet, human error in cybersecurity is far too often overlooked.

According to a study by IBM, human error is the main cause of 95% of cybersecurity breaches. In other words, if human error was somehow eliminated entirely, 19 out of 20 cybersecurity breaches may not have taken place at all!

Types of human error in cybersecurity

While the opportunities for human error in cybersecurity are almost infinite, they can broadly be categorized into two different types: skill-based and decision-based errors. The difference between these two essentially comes down to whether or not the person had the required knowledge to perform the correct action.

Skill-based errors:- Skill-based human error in cybersecurity consists of slips and lapses: small mistakes that occur when performing familiar tasks and activities. In these scenarios, the end-user knows what the correct course of action is, but fails to do so due to a temporary lapse, mistake, or negligence. This might happen because the employee is tired, not paying attention, is distracted, or otherwise has a brief lapse of memory.

Decision-based errors:- Decision-based errors are when a user makes a faulty decision. There can be a number of different factors that play into this: often it includes the user not having the necessary level of knowledge, not having enough information about the specific circumstance, or not even realizing that they are making a decision through their inaction.

What factors cause a human error in cybersecurity?

There are a large variety of factors that play into human error, but most of them boil down to these three: opportunity, environment, and lack of awareness.

Opportunity:- Human error can only occur where there is the opportunity for it to do so. That may seem obvious, but the point is that the more opportunities there are for something to go wrong, the higher the chance that a mistake will be made at some point.

Environment:- There are many environmental factors that can make a human error in cybersecurity more likely to occur. The physical environment of a workplace can significantly contribute to the number of errors that occur. While any construction site worker will be able to tell you that errors are more common on boiling hot or freezing cold days – these considerations also apply to offices.

While having the right office temperature is an important consideration, privacy, noise-level, and posture are all things that can contribute to a more mistake-prone environment. Culture also plays an important role in environmental considerations. Often end-users will know the right course of action, but fail to carry it out because there is an easier way to do things or they simply don’t think it is important. Having a culture where security is always pushed to the background will lead to errors becoming more and more commonplace.

Lack of awareness:- Much of human error in cybersecurity results from end-users simply not knowing what the right course of action is in the first place. For example, users that aren’t aware of the risk of phishing are far more likely to fall for phishing attempts, and someone not knowing the risks of public Wi-Fi networks will quickly have their credentials harvested. A lack of knowledge is almost never the fault of the user – but should be addressed by the organization in order to ensure their end-users have the knowledge and skills they require to keep themselves and the business secure.

Address lack of knowledge with training

While reducing the opportunities for error is essential, you must also approach the causes of error from a human angle. Educating your employees on security basics and best practices allows them to make better decisions, and enables them to keep security on their mind and seek further guidance when they’re not sure what the consequences of a certain action are.

Train employees on all core security topics: as human error in cybersecurity can manifest in a huge variety of different ways, it is essential that you train employees to a basic level on any security topics that they may encounter in their day-to-day work activities. The use of email, the internet, and social media, as well as phishing and malware training, are just some of the topics that training should cover.

Training has to be engaging and relevant: your employees have limited attention spans, and you need to ensure that their training isn’t just going to make them fall asleep. Interactive training courses that use image and video content are far more effective than hour-long PowerPoint sessions. Training should also not come in yearly sessions which your employees will forget a week later, but recur regularly throughout their work-life in a brief and easily digestible format.

For more information visit uSecure