Cybersecurity In-Depth: Getting answers to questions about IT security threats and best practices from trusted cybersecurity professionals and industry experts.

How Do I Let Go of 'Human Error' as an Explanation for Incidents?

Successfully learning from incidents requires a deeper and more expansive perspective of them.

Kelly Shortridge, Senior Principal at Fastly

July 27, 2021


The term "human error" represents the misguided narrative that human action was the "root cause" of an incident. Reality is never that simple; security incidents never occur because of a sole factor. Incidents are more symphonic than a single note, consisting of multiple factors interacting together in dynamic ways.

Successfully learning from incidents requires a deeper and more expansive perspective of them. A human making a mistake is your starting point for investigation, not the conclusion.

Be curious about the humans interacting with your systems. If an employee downloads and runs a malicious file, explore why. What were their priorities at that moment? Was there a tight deadline? Did they feel pressure to multi-task and divide their attention? How is their job performance measured?

These questions start untangling incident context to uncover all the factors at play – and not just technological ones. Financial goals, compensation structures, key performance indicators, cultural priorities, and other economic or social elements can directly and powerfully influence human behavior away from safe choices. For instance, incentivizing employees to work faster and produce more output can be a critical vulnerability that reduces the organization's resilience to attack.

Appreciating how real humans make real choices allows us to design security procedures, tools, and policies that are grounded in reality rather than futilely following textbook and tradition. Security is rarely the top priority in user workflows. The fundamental question you must ask is therefore: what are users' top priorities and how can we ensure those can be achieved as safely as possible?

Security teams should research and document users' competing goals and pressures, starting with situations where mistakes can spiral into incidents. This helps you discern why a human in a given situation might make suboptimal security decisions and enables a promising, practical path towards implementing interventions that can successfully encourage more secure behavior.

About the Author(s)

Kelly Shortridge

Senior Principal at Fastly

Kelly Shortridge is a Senior Principal at Fastly in Product Technology. Kelly is co-author of Security Chaos Engineering (O'Reilly Media) and is best known for their work applying behavioral economics, resilience, and DevOps principles to information security. Kelly has been a successful enterprise product leader as well as a startup founder (with an exit to CrowdStrike) and investment banker. Kelly frequently advises Fortune 500s, investors, startups, and federal agencies and has spoken at major technology conferences internationally, including Black Hat USA, O'Reilly Velocity Conference, and RSA Conference.
