January 25, 2025
Article written by:
Jordan Emanuelson
Regulatory IT Supervision Specialist & Examiner

Ensuring the Confidentiality, Integrity, and Availability (CIA) of data is fundamental to business continuity. These pillars of security must be deeply embedded into every facet of systems and software applications to support good governance and operational resilience. However, despite technological advancements, human error remains a critical risk factor, often leading to security breaches that could jeopardize sensitive business information.
Understanding the Human Element in Security
Security incidents frequently stem from human errors linked to factors such as employee deviance, compliance challenges, ineffective decision-making, and stress management. In the intricate relationship between humans and technology, systems must be designed to empower users rather than constrain them. Security should be an enabler of business processes, not a hindrance.
From a systems engineering perspective, secure systems are socio-technical ecosystems where behavioral science insights must be leveraged to ensure users are not the weakest link. A comprehensive understanding of user behavior, expectations, and trust in technology-mediated interactions is crucial to designing effective protective measures.
Key Perspectives on Security Design
Security must be integrated seamlessly across three critical perspectives: Product, Process, and Panorama.
1. Product Perspective
Users trust systems to safeguard data while facilitating primary business functions. Security controls, including policies and mechanisms, should align with stakeholder needs, encompassing considerations of mental workload, behavioral impact, and cost-effectiveness.
2. Process Perspective
Security should not be an afterthought; it must be an intrinsic part of the design, development, and implementation lifecycle. Treating security as an ‘add-on’ introduces vulnerabilities and increases operational risks. Embedding security early in the software development lifecycle (SDLC) through secure-by-design principles ensures that protective measures evolve with system complexity.
3. Panorama Perspective
Security exists within a broader organizational context where users may seek shortcuts if security controls impede their workflow. A well-designed system must balance usability and security, ensuring that users understand the implications of their actions. Effective security mechanisms should be intuitive, necessary, and transparent to promote adherence without sacrificing productivity.
Addressing Human Error: Mitigation Strategies
To mitigate the risks associated with human errors, organizations must adopt a proactive approach that encompasses:
- Comprehensive Data Classification and Role-Based Access Controls (RBAC):
  - Ensuring data is only accessible by authorized personnel to perform specific tasks.
  - Regular audits to assess access privileges and detect anomalies.
- User Training and Awareness Programs:
  - Bridging knowledge gaps through regular training on cybersecurity best practices.
  - Reinforcing policies to promote secure behaviors and reduce ignorance-based errors.
- Policy Enforcement and Governance:
  - Establishing clear, enforceable security policies that align with business objectives.
  - Holding both IT and management accountable for compliance and security vigilance.
- Incident Response Preparedness:
  - Developing incident response strategies that address human-related security lapses.
  - Conducting regular simulations to assess and improve response effectiveness.
The Case for Removing High-Risk Functionalities
It is imperative to assess functionalities such as those through which information flows from the software application or online platform to external parties, since they may inadvertently expose confidential information to unauthorized entities. Eliminating or redesigning such high-risk features based on comprehensive risk assessments can significantly mitigate potential breaches.
Furthermore, identifying and addressing additional vulnerabilities related to human error through systematic reviews of security controls and workflows is crucial. Organizations must continuously evaluate whether security mechanisms align with the principle of least privilege and data protection regulations.
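As an added illustration of the two controls discussed above (data classification with role-based access, and a recurring audit that checks assignments against least privilege and flags external-sharing rights over confidential data), here is a small model in Python. It is example code written for this page, not a tool from the author or any product; the roles, permissions, classification labels, users and assets are constructed for the example.

```python
"""Added example: a minimal RBAC model with data classification labels,
an access check, and a least-privilege audit.  All roles, users and assets
below are constructed for illustration (hypothetical names)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Classification levels ordered from least to most sensitive (assumed labels).
CLASSIFICATION_RANK: Dict[str, int] = {"public": 0, "internal": 1, "confidential": 2}


@dataclass(frozen=True)
class Role:
    name: str
    permissions: Set[str]       # actions the role may perform
    max_classification: str     # highest classification the role may touch


@dataclass
class Asset:
    name: str
    classification: str


@dataclass
class User:
    name: str
    roles: Set[str]
    task_needs: Set[str]        # actions the person's job actually requires


# Hypothetical role catalogue.  "share_external" is the kind of high-risk
# functionality the article says should be assessed or removed.
ROLES: Dict[str, Role] = {
    "viewer":  Role("viewer",  {"read"}, "internal"),
    "analyst": Role("analyst", {"read", "export"}, "confidential"),
    "admin":   Role("admin",   {"read", "export", "share_external", "grant"}, "confidential"),
}


def effective_permissions(user: User) -> Set[str]:
    """Union of the permissions granted by all of the user's roles."""
    perms: Set[str] = set()
    for r in user.roles:
        perms |= ROLES[r].permissions
    return perms


def max_clearance(user: User) -> int:
    """Highest classification rank any of the user's roles allows (-1 if no roles)."""
    return max((CLASSIFICATION_RANK[ROLES[r].max_classification] for r in user.roles), default=-1)


def is_allowed(user: User, action: str, asset: Asset) -> bool:
    """Deny by default: allow only when a role grants the action AND the user's
    clearance covers the asset's classification."""
    if action not in effective_permissions(user):
        return False
    return max_clearance(user) >= CLASSIFICATION_RANK[asset.classification]


def audit_least_privilege(users: List[User]) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs for the periodic access review:
    - permissions granted beyond what the user's tasks need;
    - the ability to share confidential data with external parties."""
    findings: List[Tuple[str, str]] = []
    for u in users:
        excess = effective_permissions(u) - u.task_needs
        for p in sorted(excess):
            findings.append((u.name, f"excess permission: {p}"))
        if ("share_external" in effective_permissions(u)
                and max_clearance(u) >= CLASSIFICATION_RANK["confidential"]):
            findings.append((u.name, "can share confidential data externally"))
    return findings


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    alice = User("alice", {"viewer"}, {"read"})
    bob = User("bob", {"admin"}, {"read", "export"})
    memo = Asset("memo", "internal")
    report = Asset("report", "confidential")
    print(is_allowed(alice, "read", memo), is_allowed(alice, "read", report))
    for who, finding in audit_least_privilege([alice, bob]):
        print(f"{who}: {finding}")
```

The audit compares what a user can do with what the user's role in the business requires, which is the practical form the article's "regular audits to assess access privileges" takes; the separate finding for external sharing of confidential data is what makes the review actionable for the high-risk functionalities discussed above.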
Root Causes of Human Error in Security Breaches
Research indicates that human error is the main cause of cybersecurity incidents, and it commonly originates from the following factors:
- Diverse Attitudes: Resistance or indifference toward security measures.
- Lack of Knowledge and Skills: Insufficient training and awareness.
- Moods and Feelings: Fatigue, stress, or overconfidence leading to risky behaviors.
Acknowledging these elements and addressing them proactively through human-centered security strategies and training ensures that employees become active participants in safeguarding business-critical assets.
Table 1, compiled from the sources I researched, presents the following themes that emerged:
- factors influencing human errors;
- impact of the human errors;
- vulnerability mitigation strategies.
Employee ignorance and ineffective decision-making typically cause the related technical errors and policy-based errors.

Conclusion
Human error will always be an inherent challenge in cybersecurity. However, by designing systems that prioritize usability, implementing robust security controls, and fostering a culture of security awareness, businesses can effectively reduce their exposure to threats. The focus should always remain on aligning security with business goals to ensure continuity, compliance, and resilience in the face of evolving threats. Lastly, to align security with the software applications that users operate, organizations must become proficient in software testing, and in particular software security testing.
I recommend that all Information Technology and Risk professionals look at the CTQB courses and inquire about them; they focus on the foundation needed to test your critical applications' development requirements, their security requirements and their business continuity requirements. For more information, please visit https://www.curacaotestevents.org/