Human error, by Martyn Smith, Senior Security Consultant, Logically Secure Ltd
Oscar Wilde took the view, “Experience is simply the name we give our mistakes.” Although Wilde lived in a time when mistakes had consequences that were rarely as far-reaching as they are in the modern globalised world it is perhaps heartening to know that since humans clearly make mistakes we should therefore be growing in experience.
In one perspective of the world, humans have been making errors almost since the time of their creation. But there is a difference between a mistake and an error; one which even teachers are often prompted to question if my research is anything to go by. However, I am drawn to this particular explanation: “A mistake is a wrong response that, if thought about, you would realize is wrong. An error is a wrong response because you have no knowledge about what the correct response is.
In a nutshell, you make errors because you don’t know any better, and mistakes you make despite the fact that you know better. Pilots in the RAF use the term “switchpigs” to explain situations where the wrong button is pressed or an incorrect switch selection is made despite the operator being perfectly aware of what the correct action should have been. Officially, the RAF uses a term we all probably understand; “Cognitive Failure.” This cognitive failure is what allows the brain to guide our hand to select ‘send’ on our e-mail client when we knew that what we should have done is click ‘save’ whilst we deliberated on the wisdom of sending an e-mail criticising our boss. So if we are to stand by the previous explanation of what constitutes an error, rather than a mistake, we must take it that human error in IT security terms is the result of a lack of knowledge. But a lack of knowledge about what? Not the operation of the IT or how the equipment works surely. I suspect, and many will doubtless agree, the true foundation of human error is the lack of understanding, or knowledge if you prefer, of the implications of their actions.
Sensitive information posted on an internet forum, or documents which should have remained confidential sent out to inappropriate recipients. These are acts carried out by people fully aware of the means of doing so, but often clueless as to the ramifications of their actions. Security education therefore is the means of reducing this human error “attack surface,” providing the users within the organisation the ability to recognise and, importantly, to understand the correct actions to take. Unfortunately, education needs to be focused and have specific aims, and this usually means that its topics are reactive and often prompted by an incident of some sort, since you can’t teach everyone everything. Whilst education may serve to cut the incidence of errors, albeit in specific areas, all this will probably achieve is to change the name of any incorrect or inappropriate act; now it won’t be an error, it will be a mistake. Yet an error or mistake will have exactly the same impact on its victim and the only consolation is that with an error you can now be assured that the perpetrator didn’t know what they were doing! Which is probably no better or worse than accepting that the perpetrator did know what they were doing, but didn’t realise they were doing it. Semantics aside, I’m drawn to the inevitable conclusion that mistakes will never be eradicated, since even the well-educated among us will occasionally “switchpig;” hence the popularity of the modern truism: There is no patch for human stupidity. All we can do is continue to expand our experience and prepare to deal with the consequences.
About the company
Certified Digital Security is exhibiting at stand K50 at Infosecurity Europe 2010, on April 27 to 29, in its new venue Earl’s Court, London. The event provides a free education programme and exhibitors showcasing. For further information visit –
