Human Error and Implications in Information Security
Technologists, engineers, and future-focused organizations tout automation as the answer to consistency, reliability, and quality. Automation takes basic tasks out of human hands, freeing up human resources to focus on research, strategy, and planning. Even more, automated systems and services can work tirelessly around the clock. ITOps, DevOps, and SecOps leaders and architects are incredibly excited about leveraging automation to deploy and scale applications and platforms, reliably, rapidly, and securely due to the lower risk of human error.
If automation minimizes errors, then why do mistakes still happen?
Human error is when a planned action, decision, or behavior degrades (or has the potential to degrade) quality, safety, or security. Human error is inevitable, and we all know it. Mistakes can also be costly to your organization and, in some situations, even deadly. But if moving to an automated system means minimizing errors, then why do mistakes still happen? Because humans and robots have to work side by side, and automation can never eliminate human error. We are fallible creatures, and one of the most significant sources of human error when dealing with technology is simply a misunderstanding. When we want to automate a process, programming is required.
Organizations apply various strategies to ensure automated information security, with many of these based on lessons learned from human behaviors. It starts with eliminating tasks that allow end-users to make mistakes. For example, you can use automated processes and technologies, including encryption, password management, identity, access management, network access rules, and time-based device locks. To mitigate the consequences, organizations build mitigation strategies to ensure that reactive mechanisms are in place and correct course before events lead to an incident or outage.
Examples of these strategies include audits, internal controls, breach detection solutions, and network and system monitoring with analysis. Applying these methods to information security is essential to recognize that humans are still crucial in a crisis. Security incidents are inevitable, and personnel should be trained to recognize and contain them. Rehearsing possible incident scenarios with your team and taking the time to envision other risks will help your team prepare for possible scenarios.
In the event of an incident, it will still be the human that is required
Organizations use preventive and strategic approaches to strengthen human involvement by improving situational awareness, creating procedural checklists, ongoing training with learning validation and certification. In the event of a prolonged data breach or incident, it will still be the human that is required and must be prepared to use remediation processes, systems, and tools for assessment and recovery. Information security professionals must always analyze data and train for security incidents and outages regardless of how much automation is in place.
Even with automation, there will be errors. The deployment chain will always involve humans. Because of that, system configuration, patch management, even changing default usernames and passwords will continue to be impacted by humans. Another source of human error when working with automated systems is maintenance. Automation can dramatically reduce the risk of human error, but it cannot eliminate it. Services and scripts can’t fall asleep with their fingers on the keyboard, but they can cause errors if they aren’t programmed or appropriately maintained.
The critical question is not who made the error, but how and why the incident occurred
The research needs to include security breaches and outages where automation was a factor to learn from these incidents. It’s essential to understand the people involved, teams, workplaces, organizations, third parties, and information and communications systems. The critical question is not who made the error, but how and why the incident occurred, and documented to and include in any information security risk assessments.
Finally, leadership is essential to changing the work environment. Local “champions” (e.g., security officers, auditors, data protection officers, compliance officers, crisis management officers) can motivate others. However, making a significant difference in a secure and resilient organization will require technology investment, direction, and support from leaders who demonstrate a commitment to information security.
Security and IT operations teams receive a wide variety of incidents that require immediate attention, many that are repetitive and addressed with automation. With Delinea’s Secret Server’s If/Then Event pipelines, trigger events can initiate a series of automated response actions. For example, if a privileged credential’s heartbeat fails, indicating the password was changed directly outside the Secret Server vault a triggered action can automatically rotate the password and bring control back into Secret Server.