Skill-based errors are a type of human error in which someone who knows how to perform a task correctly nevertheless performs it incorrectly by mistake. This might be due to a lapse in concentration, or a physical mistake such as pressing the wrong button.
Rule-based errors are a type of human error that occurs when rules are applied incorrectly. For example, someone might apply the wrong rule to a situation, misunderstand a rule, or apply a rule that is badly designed and makes the situation worse.
Knowledge-based errors are a type of human error that occurs when someone lacks the knowledge to perform a task correctly. Even someone who has the knowledge to handle routine situations can face unexpected situations in which their best judgement turns out to be wrong.
Violations are a type of human error that occurs when someone knows how to perform a task correctly, but chooses to perform it incorrectly. Violations can be malicious, but they can also be the result of external factors such as time pressure or poor security culture.
Social engineering is a tactic in which a threat actor tricks a victim into sharing information or performing an action.
Human error can also describe an accidental threat actor. When dealing with a security event caused by human error, keep in mind that the access granted to the person making the error sets the level of impact the error can have. For example, an error by a network administrator can have far more impact on an organization than an error by a low-privilege user.
In cybersecurity, security culture is the attitude towards security within an organization and among the members of that organization. Poor security culture can lead to poor security. Everyone in the company needs to respect important security practices.
Even large organizations can have “simple” vulnerabilities within their systems and security practices. For example, using the username “admin” and the password “password” for their admin account.
When data breaches happen, organizations have a duty to respond to them promptly and ethically.
Preventing human error is difficult, and there isn’t any one way to do it. If you want to protect against human error, you need an approach with multiple layers.
Some ways to help prevent human error are:
A Security Control is something that protects the confidentiality, integrity, or availability of an asset.
Antivirus software, a locked door, or even an organization’s security policy all count as security controls. The definition is really broad!
Security controls can be administrative, technical, or physical.
Security controls can serve different purposes in order to achieve their overall goal of protecting an asset.
Preventative controls prevent unauthorized access.
Example: Authentication systems
Deterrent controls deter people from doing things they shouldn’t do.
Example: A sign warning that an area is monitored by cameras
Detective controls identify and record attempts at access.
Example: logging and monitoring tools
Corrective controls attempt to stop an incident that is already happening, and/or stop it from happening again.
Compensating controls restore the function of compromised systems.