Assessing the Effect of Human Error Factors to CBE Information Security
Date
2020-01-01
Publisher
Addis Ababa University
Abstract
Humans are known as the weakest link in the information security chain. Organizations often face information security incidents as a result of human error, mostly because they tend to emphasise and invest in technical security controls rather than the human factor. However, organizations have begun to show interest in improving their security with regard to the human element, that is, their employees. In recognition of this fact, many attempts have been made, including incident response and employee training. There are at least two categories of practices for securing the human factor. The first is a retrospective approach, which involves reviewing previous incidents and determining the root cause of each incident in terms of human error. The second is a prospective approach, which assigns quantitative probabilities to identify high-risk sections. The latter is used to implement solutions that mitigate high-risk tasks, and few researchers have studied this area. Evaluation of the current state is the first step towards improving the approach.
The purpose of this research is to identify the factors causing human errors within CBE regarding information security. This is followed by a literature review of human errors in information security. The paper also discusses the role of human factors and how the information security research community has recognised the increasingly crucial role of human behaviour in many security failures.
The research was conducted as a case study within a public financial sector organization, CBE. In the case study, HEART, a Human Reliability Analysis (HRA) method, was applied to selected divisions of the bank.
To maintain validity, a pilot test of the checklist questions for the semi-structured interview was carried out with selected respondents before data collection began. The feedback was used to update the contents. The study involved 45 interviewees out of 63 potential interviewees from different roles, including branch operations officers, system administrators, IT officers, finance officers and managers, and quality and process officers. After assessing the current state of the bank concerning human-factor information security, the most unreliable tasks in the bank were in human resources, finances and branch offices. Divisions with relatively high human involvement showed significant error probability. Accordingly, human resources is predicted to be the most probable office for human error, with a probability of failure of 0.058. Inadequate system information confirmation/feedback contributes the most among the error factors, at 40.91% within the human resources division. In general, operator inexperience, highly repetitive tasks and delayed or unclear system confirmation are projected to be the top causes or factors for human error in the bank. This is mainly attributable to the lack of attention given by higher managers to the soft factors that impact any employee activity. In order to minimize the effects that take advantage of those factors, the researcher gives recommendations for improvement areas based on an exhaustive literature review and practiced HEART remedial/preventive measures. The research targets stakeholders: individuals who are in charge of securing the assets of their organizations and institutions. Among the top error-producing factors, prolonged and repetitive activities, inexperienced persons performing tasks at the bank and inadequate system feedback showed a high probability of errors.
Keywords
Human Error, Human Error Assessment and Reduction Technique, Human Reliability Analysis (HRA), Human Based Information Security