Codecademy Logo

Human Error

Social Engineering

Social engineering is a tactic in which a threat actor tricks a victim into sharing information or performing an action.

Security Culture

In Cybersecurity, Security Culture is the attitude towards security within an organization, and the members of that organization. Poor security culture can lead to poor security. Everyone in the company needs to respect important security practices.

Even large organizations can have “simple” vulnerabilities within their systems and security practices. For example, using the username admin and the password password for their admin account.

If breaches happen, organizations have a duty to respond promptly and ethically to those data breaches.

Preventing Human Error

Preventing human error is difficult, and there isn’t any one way to do it. If you want to protect against human error, you need an approach with multiple layers.

Some ways to help prevent human error are:

  • Employee education
  • Building a strong security culture
  • Implementing security controls
  • Designing systems with human error in mind

What Are Security Controls?

A Security Control is something that protects the confidentiality, integrity, or availability of an asset.

Antivirus software, a locked door, or even an organization’s security policy all count as security controls. The definition is really broad!

Types Of Security Control

Security controls can be administrative, technical, or physical.

  • Administrative security controls are things like an organization’s security policy.
  • Technical security controls are things like hardware or software on computers.
  • Physical security controls are physical objects such as a lock or fire extinguisher.
An image showing examples of Administrative, Technical, and Physical controls. An administrative control would be a policy, a technical control could be an error message, and a physical control might be a locked door.

Roles Of Security Controls

Security controls can serve different purposes, in order to achieve their overall goal of protecting an asset.

  • Preventative controls prevent unauthorized access.

Example: Authentication systems

  • Deterrent controls deter people from doing things they shouldn’t do.

Example: A sign warning that an area is monitored by cameras

  • Detective controls identify and record attempts at access.

Example: logging and monitoring tools

  • Corrective controls attempt to stop an incident that is already happening, and/or stop it from happening again.
  • Compensating controls restore the function of compromised systems.

Skill-Based Errors

Skill-based errors are a type of human error, where someone who knows how to perform a task correctly, but performs it incorrectly by mistake. This might be due to a lapse in concentration, or a physical mistake such as pressing the wrong button.

Rule-Based Errors

Rule-based errors are a type of human error that occurs when rules are applied incorrectly. For example, someone might apply the wrong rule to a situation, misunderstand a rule, or apply a rule that is badly designed and makes the situation worse.

Knowledge-Based Errors

Knowledge-based errors are a type of human error which occurs when someone lacks the knowledge to perform a task correctly. Even if someone has the knowledge to handle routine situations, sometimes unexpected situations occur, where our best judgement turns out to be wrong.


Violations are a type of human error that occurs when someone knows how to perform a task correctly, but chooses to perform it incorrectly. Violations can be malicious, but they can also be the result of external factors such as time pressure or poor security culture.

Human Error

Human error can refer to a threat actor that is accidental. When experiencing a security event caused by human error, it’s important to keep in mind that whatever access has been granted to the human making the error is the level of impact the error may cause. For example, a network administrator will have much more impact to an organization compared to a low-privilege user.

Learn More on Codecademy