Abstract
It is well recognized that individuals within organizations represent a significant threat to information security as they are both common targets of external attackers and can be sources of malicious behavior themselves. Notwithstanding these facts, one additional aspect of human influence in the security domain is largely overlooked: the role of unintentional human error. Such lack of emphasis is surprising given relatively recent reports that highlight error’s central role in being the root cause for numerous security breaches. Unfortunately, efforts that recognize human error’s influence suffer from not employing a commonly accepted error framework and lexicon. We thus take this opportunity to review what the data show regarding error-based breaches across various types of organizations and create a nomenclature and taxonomy rooted in the rich history of safety research that can be applied to the information security domain. Our efforts represent a significant step in an effort to classify, monitor, and compare the myriad aspects of human error in information security in the hopes that more effective security education, training, and awareness (SETA) programs can be devised. Further, we believe our efforts underscore the importance of revisiting the daily demands placed on organizational insiders in the workplace.
Notes
1. Most information security reports focus on breaches of confidentiality rather than integrity and availability; thus, we have focused our efforts on these types of attacks in this section.
2. While beyond the scope of this paper to provide a tutorial on writing learning or training objectives, most experts in these fields agree that these objectives must at least declare an expectation of observable participant/learner behavior that demonstrates measurable change under a given condition (often time framed) [cf. Mayer 38].
References
Reason, J.: Human Error. Cambridge University Press, Cambridge (1990)
Goldberg, M.: 10 of the biggest data breaches over the last decade (2019). https://www.bankrate.com/finance/banking/us-data-breaches-1.aspx#slide=1. Accessed 30 Jan 2020
Bissell, K., LaSalle, R., Dal Cin, P.: The Cost of Cybercrime: Ninth Annual Cost of Cybercrime Study. Accenture (2019)
Im, G.P., Baskerville, R.L.: A longitudinal study of information system threat categories: the enduring problem of human error. Database Adv. Inf. Syst. 36(4), 68–79 (2005)
Verizon: Data Breach Investigations Report (2019)
Baskerville, R.: A taxonomy for analyzing hazards to information systems. In: Katsikas, S.K., Gritzalis, D. (eds.) SEC 1996. IAICT, pp. 167–176. Springer, Boston, MA (1996). https://doi.org/10.1007/978-1-5041-2919-0_14
Reilly, R.B.: 95% of successful security attacks are the result of human error (2014). https://venturebeat.com/2014/06/19/95-of-successful-security-attacks-are-the-result-of-human-error/. Accessed 30 Jan 2020
Targett, E.: Revealed: human error, not hackers, to blame for vast majority of data breaches (2018). https://www.cbronline.com/news/kroll-foi-ico. Accessed 30 Jan 2020
Metinko, C.: Cybersecurity training sees flood of M&A (2018). https://www.forbes.com/sites/mergermarket/2018/08/17/cybersecurity-training-sees-flood-of-ma/#5d8e709d2266. Accessed 30 Jan 2020
Statista: Spending on cybersecurity in the United States from 2010 to 2018 (2019). https://www.statista.com/statistics/615450/cybersecurity-spending-in-the-us/. Accessed 30 Jan 2020
Carpenter, P.: Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors. Wiley, Indianapolis (2019)
Cram, W.A., D’Arcy, J., Proudfoot, J.G.: Seeing the forest and the trees: a meta-analysis of the antecedents to information security policy compliance. MIS Q. 43(2), 525–554 (2019)
von Solms, B., von Solms, R.: Cybersecurity and information security–what goes where? Inf. Comput. Secur. 26(1), 2–9 (2018)
Conrad, E., Misenar, S., Feldman, J.: CISSP Study Guide, 2nd edn. Syngress, Waltham (2012)
Debenedetti, G.: The email headache that won’t go away (2016). https://www.politico.com/story/2016/07/hillary-clinton-email-fbi-fallout-225113. Accessed 30 Jan 2020
Symantec Security Response: W32.Duqu: the precursor to the next Stuxnet (2011). https://www.symantec.com/connect/w32_duqu_precursor_next_stuxnet. Accessed 30 Jan 2020
Graff, G.M.: How a dorm room minecraft scam brought down the Internet (2017). https://www.wired.com/story/mirai-botnet-minecraft-scam-brought-down-the-internet/. Accessed 30 Jan 2020
Spadafora, A.: 90 percent of data breaches are caused by human error (2019). https://www.techradar.com/news/90-percent-of-data-breaches-are-caused-by-human-error. Accessed 30 Jan 2020
IBM: X-Force Threat Intelligence Index (2019)
Targett, E.: Personal Communication with M. Canham (2020)
California Department of Justice: California Data Breach Report, 2012–2015 (2016)
Chubb: Chubb cyber index: providing data driven insight on cyber threat trends (2020). https://chubbcyberindex.com/#/incident-growth. Accessed 30 Jan 2020
Willison, R., Warkentin, M.: Beyond deterrence: an expanded view of employee computer abuse. MIS Q. 37(1), 1–20 (2013)
Norman, D.: The Design of Everyday Things, Revised and Expanded edn. Basic Books, New York (2013)
Perrow, C.: Normal Accidents: Living with High Risk Technologies, Updated edn. Princeton University Press, Princeton (2011)
Rasmussen, J.: Skills, rules, and knowledge; signals, signs, and symbols, and other distinctions in human performance models. IEEE Trans. Syst. Man Cybern. SMC-13(3), 257–266 (1983)
SKYbrary: Human error types (2016). https://www.skybrary.aero/index.php/Human_Error_Types. Accessed 30 Jan 2020
Rader, E., Munasinghe, A.: “Wait, do I know this person?” Understanding misdirected Email. In: Proceedings of the 2019 CHI Conference on Human Factors in Computing Systems, Glasgow, Scotland (2019)
Posey, C., et al.: Bridging the divide: a qualitative comparison of information security thought patterns between information security professionals and ordinary organizational insiders. Inf. Manag. 51(5), 551–567 (2014)
Chubb: Chubb Cyber Library (2020). https://chubbcyberindex.com/#/cyber-library. Accessed 30 Jan 2020
Robinson, S.L., Bennett, R.J.: A typology of deviant workplace behaviors: a multidimensional scaling study. Acad. Manag. J. 38(2), 555–572 (1995)
Silic, M., Back, A.: Shadow IT–a view from behind the curtain. Comput. Secur. 45, 274–283 (2014)
Posey, C., Canham, M.: A computational social science approach to examine the duality between productivity and cybersecurity policy compliance within organizations. In: International Conference on Social Computing, Behavioral-Cultural Modeling & Prediction and Behavior Representation in Modeling and Simulation (SBP-BRiMS), Washington D.C. (2018)
Wilson, M., Hash, J.: SP 800-50: Building an Information Technology Security Awareness and Training Program. NIST, Gaithersburg (2003)
Aldawood, H., Skinner, G.: Educating and raising awareness on cyber security social engineering: a literature review. In: 2018 IEEE International Conference on Teaching, Assessment, and Learning for Engineering (TALE), Wollongong, NSW, Australia. IEEE (2018)
Bulgurcu, B., Cavusoglu, H., Benbasat, I.: Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Q. 34(3), 523–548 (2010)
Cannon, H.M., Feinstein, A.H.: Bloom beyond Bloom: Using the revised taxonomy to develop experiential learning strategies. In: Developments in Business Simulation and Experiential Learning: Proceedings of the Annual ABSEL Conference, Orlando, FL (2005)
Mayer, R.E.: Applying the Science of Learning. Pearson/Allyn & Bacon, Boston (2011)
Burns, A., et al.: Intentions to comply versus intentions to protect: a VIE theory approach to understanding the influence of insiders’ awareness of organizational SETA efforts. Decis. Sci. 49(6), 1187–1228 (2018)
Kennedy, D.: Writing and Using Learning Outcomes: A Practical Guide. University College Cork (2006)
Kerr, S.: On the folly of rewarding A, while hoping for B. Acad. Manag. J. 18(4), 769–783 (1975)
MITRE: Common vulnerabilities and exposures (2020). https://cve.mitre.org/. Accessed 30 Jan 2020
Weick, K.E., Sutcliffe, K.M.: Managing the unexpected: sustained performance in a complex world. Wiley, Hoboken (2015)
Weick, K.E.: Organizational culture as a source of high reliability. Calif. Manag. Rev. 29(2), 112–127 (1987)
Roberts, K.H.: Some characteristics of one type of high reliability organization. Org. Sci. 1(2), 160–176 (1990)
Field, T.: Insider threat: ‘you can’t stop stupid’ (2010). https://www.bankinfosecurity.com/insider-threat-you-cant-stop-stupid-a-2789. Accessed 30 Jan 2020
Matyszczyk, C.: IT and security professionals think normal people are just the worst (2019). https://www.zdnet.com/article/it-professionals-think-normal-people-are-stupid/. Accessed 31 Jan 2020
Kraemer, S., Carayon, P., Clem, J.: Human and organizational factors in computer and information security: pathways to vulnerabilities. Comput. Secur. 28(7), 509–520 (2009)
Safa, N.S., Von Solms, R., Furnell, S.: Information security policy compliance model in organizations. Comput. Secur. 56, 70–82 (2016)
Adams, A., Sasse, M.A.: Users are not the enemy. Commun. ACM 42(12), 40–46 (1999)
Norman, D.A.: The way I see it when security gets in the way. Interactions 16(6), 60–63 (2009)
Acknowledgement
This research was in part sponsored by the U.S. Army CCDC Soldier Center and was accomplished under Cooperative Agreement Number W911NF-15-2-0100. The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of U.S. Army CCDC Soldier Center or the U.S. Government.
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Canham, M., Posey, C., Bockelman, P.S. (2020). Confronting Information Security’s Elephant, the Unintentional Insider Threat. In: Schmorrow, D., Fidopiastis, C. (eds) Augmented Cognition. Human Cognition and Behavior. HCII 2020. Lecture Notes in Computer Science(), vol 12197. Springer, Cham. https://doi.org/10.1007/978-3-030-50439-7_22
DOI: https://doi.org/10.1007/978-3-030-50439-7_22
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-50438-0
Online ISBN: 978-3-030-50439-7
eBook Packages: Computer Science (R0)