Problem exists between keyboard and chair. IT professionals often announce “PEBKAC” as soon as they realize that the user created their own problem. The cybersecurity community is no different: we also frequently announce that users are our biggest weakness. This is true — some reports indicate that human error accounts for 62% of cybersecurity incidents. Humans need some level of privilege in order to perform functions on their information system, and that privilege can be misused, intentionally or not.

Many IT professionals choose to take comfort in this fact. They get high on their ego, knowing that they are “better users.” I, on the other hand, recommend that all of us, especially security professionals, take this as a sign of our own failure. We should feel guilty every time a user clicks a malicious link in a phishing test. We should feel responsible. Here are my three recommendations on how we should think about user error.

  1. Work with the users, not against them. I hate to say this, but cybersecurity is rarely, if ever, the goal of an organization. Organizations always have another mission, and that mission is what requires them to have cybersecurity. The same is true of IT. You are there to support the users and help them be more secure. It’s primarily your responsibility, even if you need to enlist their help.
  2. Treat user error as the job of the security community. I was once in Puerto Rico, and the doctor asked me if my leg was broken. My response? “That’s what I came here to find out.” We should expect security professionals to behave like doctors: find the problem, fix it, and help us keep it from happening again. You can’t go back in time.
  3. Learn psychology. When I first entered the cybersecurity field, I never would have advocated bringing psychology into the mix. Now I believe it is essential. The user experience must allow users to naturally gravitate towards proper use. If it doesn’t, the engineers are failing, not the user.

Do you agree that the IT community needs to take more ownership in layer 8 vulnerabilities? Comment your opinions below!