Human Error and Secure Systems

Dustin Collins● software engineer● devops enthusiast● meetup organizer● developer advocate at Conjur

95 percent of all security incidents involve human error

IBM Security Services 2014 Cyber Security Intelligence Index report

human error

‘Human error’ blamed for Rogers online security breach

Healthcare breaches need a cure for human errors

Human error causes most data breaches, Ponemon study finds

Human Error Blamed for Most UK Data Breaches

Human error is the root cause of most data breaches

Human error causes alarming rise in data breaches

Human Error: The Largest Information Security Risk To Your Organization

Huge rise in data breaches and it’s all your fault

Data breaches caused mostly by negligence and glitches

“human error”

we can do better

http://amzn.com/B00Q8XCSFI

Old View● Asks who is responsible

for the outcome

● Sees human error as the cause of trouble

● Human error is random, unreliable behaviour

● Human error is an acceptable conclusion of an investigation

two views of “human error”

New View● Asks what is responsible

for the outcome

● Sees human error as a symptom of deeper trouble

● Human error is systematically connected to features of people’s tools, tasks and operating environment

● Human error is only the starting point for further investigation

“

Rather than being the main instigators of an accident, operators tend to be the inheritors of system defects created by poor design, incorrect installation, faulty maintenance and bad management decisions. Their part is usually that of adding the final garnish to a lethal brew whose ingredients have already been long in the cooking.

http://amzn.com/0521314194

When we’re dealing with complex systems, the magnitude of a cause is often not proportionate to the magnitude of its effect

accountability

implementing reliable security requires a solid understanding its operators

know your operators

operations

development security

compliance

user personas

a framework for iteration

warning signs

● security policy is not visible● security is at odds with how work

gets done● developers use a different workflow

than production● documentation featuring warnings● talking processes, not people● audits are time-consuming

references

Sidney Dekker

● “Just Culture” Lecture (video)● A Field Guide to Understanding ‘Human Error’● Just Culture: Balancing Safety and

Accountability

● Human Error - James Reason● The Design of Everyday Things - Dan Norman● Universal Principles of Design - William Lidwell

Thanks!

ANY QUESTIONS?You can find me at

@dustinmm80

dustinrcollins@gmail.com