When people fail

Human error - the ultimate challenge or an excuse for incorrect reactions

Human errors have always been the main challenge of security. And now more than ever. But perhaps we are not doing things correctly.

I will use the name given in the cartoon from 2006. Dave has been the weakest link in every security system ever implemented, and still we do the same thing: trust Dave. So why do we still trust Dave with the security of our systems, instead of designing our applications, including their security and privacy, so that they do not cause too much harm, damage or loss when Dave does exactly what he does best: failing?

The Daves of the world

The Daves of the world are many, and most of the time they are not given the option to do things manually, as they might prefer, rather than use an application on their mobile, tablet or laptop. When Dave is an employee of an organization, the organization can provide Dave with education, guidelines, support and training to increase his security awareness. But when Dave is just another person on the street, it is not as simple. Some of these Daves are actually very security minded, while others sweat over being forced to use applications on their devices for almost everything. Is it ever fair that organizations require Dave to be a computer expert, fully technically literate and with the security awareness of a security professional? No, it is not fair, but it is still expected.

Whatever the service is, Dave is expected to use it. Whatever the complexity of the service is, Dave is expected to understand how it works. Whatever the security requirements are, Dave is expected to master them at all levels. And when Dave fails to meet the demands, it is his fault, not that the solution was too complicated and too much was expected of Dave.

The focus needs to be changed

It is time to change things around: organizations simply have to expect Dave to fail. He will give away secret authentication information, click on a link in an email that he should not have clicked, open a file of unknown origin, allow someone to piggy-back through the secure entrance, and do whatever else it is that Dave does without thinking. Security measures are in many cases already based on that, but too often we are missing better second and third lines of defense. Then the response looks more like protecting the organization's assets than protecting its reputation and the customers' assets.

We can add a security layer on top of two, three, four or five other security layers. If the most important factor is still Dave not giving away his PIN or password, and everything else relies on that, then we have not increased security as much as we think. The focus has to be moved to recognizing user behavior on the inside, moving away from user-friendliness where it is being misused, redesigning the authentication process so that it no longer has a single point of failure, understanding the difference between acceptable and unacceptable user behavior, and so on.

ISO/IEC 27001 requires organizations to understand customers’ needs

ISO/IEC 27001:2022 states in clause 4.2, with the additions from ISO/IEC 27701:2023 shown inside brackets:

The organization shall determine:

a) interested parties that are relevant to the information security [and privacy] management system;

b) the relevant requirements of these interested parties;

c) which of these requirements will be addressed through the information security [and privacy] management system.

Item b) covers the expectations of the interested parties regarding the security the organization will provide them when they use the organization's systems and applications. How many organizations have asked their customers and external users about these requirements? Not many, because most think they already know what the customer thinks.