When I read the article that human error was the source of most breaches and data loss in 2014, it was not a surprise. Pick any study of computer-related crime and data breaches from the last few years and you will find that humans are the primary attack vector in most significant breaches, and that criminals deliberately set out to induce human error. To prevent that error, you have to understand what causes humans to make errors.
For the most part, humans are not stupid. Human error causes problems in just about every field. Think about aviation: pilot error is the source of many incidents. Factory injuries are almost always caused by human error. The computer field is not alone in suffering significant damage from human error. For some reason, though, the information technology field refuses to acknowledge that sufficient effort should be put into reducing it.
In aviation, errors kill people. In response, there are extensive studies of what can prevent them. Surprisingly, researchers found that making pilots work through a very simple checklist, one that at face value appears to insult their intelligence, to ensure they complete basic preflight procedures prevents errors. Factory injuries are commonplace and cost companies hundreds of millions of dollars annually. In response, many studies are conducted and millions of dollars are invested in preventing future accidents.
What do we do in the IT field? We call the users stupid. Despite millions of dollars in losses, there are no millions of dollars invested in research to figure out how to prevent the errors. Companies make employees watch videos, with little examination of whether the videos are effective, and claim they are taking action to prevent future errors.
As I addressed previously, when other fields look to reduce human error, they first look at which aspects of the environment cause the error. In factories, for example, safety experts first look at the layout of the factory itself as a possible cause. They paint lines on floors to mark walkways that keep people from walking into equipment. They add warning signs. Many such measures are taken. By proactively changing the physical environment, human error is reduced by 90 percent. Can the IT profession say it makes the same effort?
Then there is the remaining 10 percent of human errors. Studies show that those errors result from lack of knowledge, carelessness, inattentiveness, or outright ignoring advice. This is where awareness programs come in. However, much like in the other business disciplines, you cannot rely on videos and a simulated phishing attack to account for all possible human errors.