Reducing Human Factors in IT Security

InfoSecurity Europe : 09 March, 2010  (Special Report)
Martyn Smith of Logically Secure contemplates the difference between errors and mistakes and believes that better end user education can reduce the number of errors that expose security vulnerabilities
Oscar Wilde took the view, "Experience is simply the name we give our mistakes." Although Wilde lived in a time when mistakes had consequences that were rarely as far-reaching as they are in the modern globalised world, it is perhaps heartening to know that, since humans clearly make mistakes, we should therefore be growing in experience. In one perspective of the world, humans have been making errors almost since the time of their creation. But there is a difference between a mistake and an error, one which even teachers are often prompted to question if my research is anything to go by. However, I am drawn to this particular explanation: "A mistake is a wrong response that, if thought about, you would realize is wrong. An error is a wrong response because you have no knowledge about what the correct response is."

In a nutshell, you make errors because you don't know any better, and mistakes you make despite the fact that you know better. Pilots in the RAF use the term "switchpigs" to describe situations where the wrong button is pressed or an incorrect switch selection is made despite the operator being perfectly aware of what the correct action should have been. Officially, the RAF uses a term we all probably understand: "Cognitive Failure." This cognitive failure is what allows the brain to guide our hand to select 'send' on our e-mail client when we knew that what we should have done is click 'save' whilst we deliberated on the wisdom of sending an e-mail criticising our boss. So if we are to stand by the previous explanation of what constitutes an error, rather than a mistake, we must take it that human error in IT security terms is the result of a lack of knowledge. But a lack of knowledge about what? Surely not the operation of the IT or how the equipment works. I suspect, and many will doubtless agree, that the true foundation of human error is the lack of understanding, or knowledge if you prefer, of the implications of one's actions.

Sensitive information is posted on an internet forum, or documents which should have remained confidential are sent out to inappropriate recipients. These are acts carried out by people fully aware of the means of doing so, but often clueless as to the ramifications of their actions. Security education is therefore the means of reducing this human error "attack surface," giving the users within the organisation the ability to recognise and, importantly, to understand the correct actions to take. Unfortunately, education needs to be focused and have specific aims, and this usually means that its topics are reactive and often prompted by an incident of some sort, since you can't teach everyone everything. Whilst education may serve to cut the incidence of errors, albeit in specific areas, all this will probably achieve is to change the name of any incorrect or inappropriate act: now it won't be an error, it will be a mistake. Yet an error or mistake will have exactly the same impact on its victim, and the only consolation is that with an error you can now be assured that the perpetrator didn't know what they were doing! Which is probably no better or worse than accepting that the perpetrator did know what they were doing, but didn't realise they were doing it. Semantics aside, I'm drawn to the inevitable conclusion that mistakes will never be eradicated, since even the well-educated among us will occasionally "switchpig"; hence the popularity of the modern truism: there is no patch for human stupidity. All we can do is continue to expand our experience and prepare to deal with the consequences.

Certified Digital Security is exhibiting at stand K50 at Infosecurity Europe 2010, the No. 1 industry event in Europe, held on 27th - 29th April in its new venue, Earl's Court, London. The event provides an unrivalled free education programme, with exhibitors showcasing new and emerging technologies and offering practical and professional expertise.