One of the most common threat actors isn’t some shadowy hacker group, but the potential to make mistakes that lies in every one of us! Even though these mistakes aren’t intentionally malicious, they still represent an (abstract) threat actor that should be considered when designing systems. Human error doesn’t have any specific targets or objectives - it can strike anytime and anywhere that humans are involved, “attacking” through unpredictable means and with unpredictable results.
Protecting against human error means designing processes and systems so that it is impossible (or at least very difficult) for mistakes to have a serious impact. Murphy’s Law captures why: if it’s possible to do something incorrectly, someone will do it incorrectly. Human error has caused data breaches, civil engineering disasters, airplane crashes, industrial accidents, and much, much more.
Human error can be both external and internal, and it includes any action that a human can take. As a threat actor, it has whatever access has been granted to the human making the error, but very little sophistication. For example, multi-step mistakes are less likely than very simple errors. Human error has no specific targets and no “negative” motivation, since the humans making the errors are often trying NOT to make errors!