How Do I Let Go of 'Human Error' as an Explanation for Incidents?

Successfully learning from incidents requires a deeper and more expansive perspective of them.

The term "human error" represents the misguided narrative that human action was the "root cause" of an incident. Reality is never that simple; security incidents never occur because of a sole factor. Incidents are more symphonic than a single note, consisting of multiple factors interacting together in dynamic ways.

Successfully learning from incidents requires a deeper and more expansive perspective of them. A human making a mistake is your starting point for investigation, not the conclusion.

Be curious about the humans interacting with your systems. If an employee downloads and runs a malicious file, explore why. What were their priorities at that moment? Was there a tight deadline? Did they feel pressure to multi-task and divide their attention? How is their job performance measured?

These questions start untangling incident context to uncover all the factors at play – and not just technological ones. Financial goals, compensation structures, key performance indicators, cultural priorities, and other economic or social elements can directly and powerfully influence human behavior away from safe choices. For instance, incentivizing employees to work faster and produce more output can be a critical vulnerability that reduces the organization's resilience to attack.

Appreciating how real humans make real choices allows us to design security procedures, tools, and policies that are grounded in reality rather than futilely following textbook and tradition. Security is rarely the top priority in user workflows. The fundamental question you must ask is therefore: what are users' top priorities and how can we ensure those can be achieved as safely as possible?

Security teams should research and document users' competing goals and pressures, starting with situations where mistakes can spiral into incidents. This helps you discern why a human in a given situation might make suboptimal security decisions and enables a promising, practical path towards implementing interventions that can successfully encourage more secure behavior.