
Foolproofing the Human Factor in Cybersecurity

While many people still believe humans are the weakest link in cybersecurity, preventing their slip-ups is not only possible but necessary.

Social engineering, convenience, lack of knowledge and skills, unconscious behaviors… the list of factors that might influence humans to make mistakes in cybersecurity goes on and on. It’s no joke: simple errors committed by regular business users, IT team members, and mid-level managers account for up to 50% of all data loss incidents.

But are people to blame? The topic is certainly controversial.

We interviewed expert speakers from the Global Cyber Conference, and they gave us a hint: the human factor may have less to do with mistakes made by individuals and more to do with inadequate security cultures within companies.

As we will see throughout this article, the best way to prevent human errors is to understand how people operate in the workplace and to address the areas that malicious actors set out to exploit.

It starts with awareness

People have always played a pivotal role in cybersecurity. Precisely because of that, Stéphane Duguin, Chief Executive Officer at CyberPeace Institute, prefers not to frame people as the problem, as this may focus blame on those least able to remedy the issues.

“When the cybersecurity incident is linked to an internal error, it is important to understand why,” he says. “Is it a lack of a strong cybersecurity culture, lack of training, or lack of investment by the organization in monitoring and updating systems?”

The truth is that, more than a matter of individual responsibility, addressing the cyber-human factor is an essential part of an organization’s overall approach to putting in place a robust cybersecurity framework.

“When the organization is subjected to cyberattacks from external threat actors, it is important not to blame the victims of the attack, to recognize that this is criminal behavior, and ensure accountability that remedial measures are taken,” says Duguin.

It is vital for employers to realize that, by understanding the different types of cyber-attacks and the most common ways they exploit human traits, organizations can better prepare their workforce to identify potential threats, both by forewarning staff and by implementing security protocols.

Assume breach and defense in depth

Tom Hoffman, CISO at the Department of Security Canton Zurich, believes that we underestimate the role of organizational design in cybersecurity breaches.

“Security incidents occur due to many distinct factors,” he says. “Was it because someone clicked a link? Maybe. But links are meant to be clicked.”

According to Hoffman, the paradigm of the assumed breach and the concept of defense in depth are still incredibly helpful and effective when thinking about setting up secure infrastructure for your company.

If, for example, we already expect that human mistakes will happen, we can layer multiple security measures to protect an organization’s assets. That way, even if one line of defense is compromised, the additional layers act as a backup so that threats are still stopped along the way.

Such strategies certainly evolve as an organization progresses through the different stages of a security awareness maturity model, but it is vital that the human factor is not overlooked.

“Organizational stress, lack of resources, budget cuts… are enormous stress factors that inevitably lead to risky behavior and workarounds,” says Hoffman. “If we continue to neglect them, we are doomed to fail repeatedly.”

Is it time to exclude the human factor?

But even if mistakes can never be completely prevented, some suggest that we should go as far as possible in excluding the human factor itself.

Iskro Mollov, Group CISO, Vice President Security, Business Continuity and Crisis Management at GEA Group, reminds us of a method that is often used in process improvement: The “poka-yoke” (or “mistake-proofing”) approach.

Because of its intended simplicity and repeatability, it builds habits over time. For example:

  • ATMs in Germany do not issue the money until the card has been removed
  • Telephone plugs cannot be plugged in upside down
  • A car with a manual gearbox will not start until the clutch pedal is pressed (the brake pedal, in an automatic car)

According to Mollov, we need more “poka-yoke” in the information and cybersecurity domain. “Passwordless log-in, face recognition, and multi-factor authentication are good examples of that,” he says. “Your credentials cannot be easily phished and by mistake revealed.”

While this type of process-improvement thinking will not solve every problem of security interactions on its own, when combined with the other strategies mentioned in this article it can become a powerful tool for preventing human mistakes from ever becoming too damaging to an organization.

Join the discussion

If you are interested in further insights about preventing human errors in cybersecurity, and you would like to connect personally with the security experts featured in this article, we invite you to join the Global Cyber Conference.
Follow these links to check the conference agenda and the full speaker lineup.