John Scott’s Post

SANS Institute Certified Instructor on the Leadership curriculum focussed on human behaviours, security culture, and human error.

Still hear the occasional 'stupid user' comment - especially when referring to someone clicking on an email. I thought this quote was very true, and still relevant 30 years on. “operators tend to be the inheritors of system defects created by poor design, incorrect installation, faulty maintenance and bad management decisions. Their part is usually that of adding the final garnish to a lethal brew whose ingredients have already been long in cooking.” (Human Error, James Reason 1990, p. 173)

Nick Webb

Lead Technical Business Analyst at NTT Data

4y

Human error can never be eradicated, only mitigated against. There is a secondary issue to human error here, Reason was primarily looking at the mistakes humans can make through poor training and design, that of social engineering. Mitnick manipulated people into giving him access to systems, passwords etc. All things being equal, the human will always be the weakest link (and replacing humans with machines is not the full answer as machines are designed and built by humans).

Richard Starnes

Strategic CISO | LinkedIn Top Cybersecurity Voice, NED and Advisory Board Chair - Cyber Resilience Centre for London and School Governor

4y

I really like that quote and his name couldn’t be more appropriate.

Dr Tony O'Brien

Focusing my skills, experiences and enthusiasm into the voluntary and charity sectors

4y

Exactly, which is why it is essential we ensure that Corporate Policies, Procedures, Processes, with supporting controls and compliance mechanisms are agreed and promoted at the highest levels of any organisation.

Zoe Edmeades

Raise awareness | Develop knowledge | Change behaviour | Develop security culture

4y

Great observation, John. 'User error' can be an easy get out for organisations as they avoid recognising that their systems and/or processes are the problem. Reviewing and changing these — and crucially involving the people who work with them — can be costly and complex, but pays off in the resulting minimised risk and improved employee security behaviour.

Bassam Aoude

Senior Security Sales Executive at The Missing Link

4y

The internet and email were never designed with security in mind. Yet, people still wonder why security by design is important...

Michael B.

Leading cynic at Cynic? Moi?

4y

I had several discussions with Jim Reason at Manchester Uni in the late '70s. Always entertaining, always insightful, always thought-provoking.

Paul Spracklen

Lead Systems Engineer (Sustaining)

4y

Solid quote

Andy J.

Cyber & IT Mgmt. | Transformation | Projects | Enterprise Architect | ACA, IT Audit & GRC

4y

I don’t go to my dentist for tax advice and vice versa. You hire people to do a job and use the tools provided with no secondary role as an ‘IT security expert’. So you support them with good controls (access mgmt / auth / limited rights / AV / IM) so that they are supported for when something does happen.

carol brooks

MD Platinum 3P Ltd, Cyber and Organisational Psychologist

4y

Think you’ve brought out the James Reason fan club, John Scott! Made my week! 😃

Eduardo R. Ortiz 🧰

Global Head of Cybersecurity & Technology | Risk Management | Boardroom Certified Qualified Technology Expert (QTE) |

4y

My Masters is in Human Factors and that book was my bible!!! Agree with you 100%
