
2.   Chapter 2. Understanding the information security behaviour of end-users

2.3   Understanding the behaviour of humans and end-users

2.3.2   Human error

“Errare humanum est”. To err is human. Error is a universal characteristic of human behaviour.

When an individual executes a behaviour, two possibilities exist: either the behaviour is completed successfully or there is failure. In any system where human behaviour is crucial to successful operation, it becomes vital to understand failure so that its probability and impact can be mitigated.

Reason (1990) presented the GEMS (Generic Error-Modelling System) taxonomy for the classification of human error. In GEMS, human error is defined as “a generic term to encompass all those occasions in which a planned sequence of mental or physical activities fails to achieve its intended outcome, and when these failures cannot be attributed to some chance agency”.

Reason (1990) proposed three major error types: skills-based slips and lapses, rule-based mistakes and knowledge-based mistakes. These error types are shown in Figure 2.1.

Slips and lapses occur at the skill-based level of execution of routine and familiar actions. Slips arise from failures of attention, while lapses arise from failures of memory. In both cases, the action (or lack of action) is unintended and leads to unintended results.

Mistakes are rule-based or knowledge-based and occur in the execution of problem-solving actions. These are intended actions that lead to unintended results. Rule-based mistakes arise from the misapplication of good rules or the application of bad rules. Knowledge-based mistakes arise from the lack of knowledge.

In the context of information security policies and controls in an organization, slips, lapses and mistakes occur when end-users interact with the policies and controls. A slip occurs when an end-user misses encrypting an email containing confidential information. A lapse occurs when an end-user forgets a password. A rule-based mistake occurs when an end-user creates a simple password when the policy demanded a strong password. A knowledge-based mistake occurs when the end-user does not know how to create a strong password.

[Figure 2.1: Human Errors (adapted from GEMS). The figure divides human error into slips/lapses (unintended actions), rule-based mistakes (intended actions) and knowledge-based mistakes (intended actions), all leading to unintended consequences.]

Slips, lapses and mistakes are inadvertent actions that have unintended consequences. But individuals often engage in more deliberate acts that have the potential for unintended consequences. Such actions are called violations. Whittingham (2004) defines a violation as “an intended action that has taken place in breach of a set of rules, whether or not these rules be written down, are implicit within the action, or have been developed as part of custom and practice”. Whittingham (2004) further states that a violation meets two conditions: the individual has prior knowledge of the rule being violated, and the individual violates the rule wilfully. In such a situation, the individual does not necessarily have any malicious intent, and the violation may even be well-intended and meant to get the job done. Often, organizations reward successful violations by labelling them initiatives (Hudson, Verschuur, Parker & Lawton, 2000; Santiago, 2007). According to Hudson et al. (2000), there are five types of violations, namely unintentional, routine, situational, optimizing and exceptional violations.

Unintentional violations are similar to errors. Routine violations are deviations that are practised so regularly that they have become common practice. Such violations become the accepted way of doing the work. Situational violations result from the factors present in the environment or workspace of the individual. Optimizing violations are related to job characteristics such as monotonous work or overly restrictive rules. Exceptional violations occur only in very unusual circumstances such as emergencies.

In the context of information security policies and controls in an organization, end-users often engage in acts that violate security policies and controls. These violations are deliberate in the sense defined above, but they are typically not malicious and are not intended to harm the organization. For example, sharing a password with a colleague is a violation, but it is intended to get the job done.

This practice of sharing passwords may be accepted as regular practice amongst colleagues and so becomes a routine violation. Furthermore, even though the password policy forbids password sharing, password sharing may be seen as a positive act whereas resistance to password sharing may be seen as reflecting an unhealthy sense of distrust and paranoia.

Human errors and violations can be viewed in two ways: the person approach and the system approach (Reason, 2000). The approach depends on whether the focus of the analysis is on the human or on the system. In the words of Rasmussen (1997), “the stop rule applied to identify ‘root causes’ depends on the aim of the analyst (to understand behaviour, to punish, or to improve system safety)”. Consequently, the approach determines the philosophy of error management.

The person approach focuses on the errors and violations of people at the sharp end of operations. In this approach, the stop rule treats the human as the root cause of the failure and blames the individual for aberrant mental processes such as carelessness, negligence, poor motivation, etc. Consequently, countermeasures for mitigating failures are directed at reducing unwanted variability in human behaviour through education, rewards and penalties. Because the person approach blames individuals for all failures, it is unable to learn from those failures, and it therefore impedes the development of safer systems.

The system approach looks beyond the people at the sharp end of operations and focuses on the blunt end. This approach treats people as inherently fallible and requires that defences be built to avert or mitigate failures. Errors and violations are seen as consequences rather than the cause of failure; that is, they originate not only from human nature but also from other organizational and systemic factors. Consequently, countermeasures for mitigating failures are directed at building sufficient defences into the system, and human variability is seen as a valuable resource.

Dekker (2002) identifies the ‘old view’ and the ‘new view’ of human error. These views closely match the person and system approaches of Reason (2000). In the ‘old view’, systems are inherently safe, failure is a result of human error and progress on safety can be made by protecting systems from unreliable humans. In the ‘new view’, safety is not inherent in systems, human error arises from factors within the system and progress on safety can only be made by understanding and influencing the connections between people, tools, tasks and the operating environment.

In the ‘new view’ or the system approach to human error, failure occurs when unsafe acts or active failures combine with underlying latent conditions. This is the “Swiss cheese model of system accidents” (Reason, 2000). The active failures are committed by people at the sharp end of the operation. The latent conditions are the ‘resident pathogens’ within the system that arise from decisions made by other people such as designers, developers, top-level managers, etc.

In the context of information security policies and controls in an organization, it is known that end-users undertake two kinds of unsafe acts – either they are unable to cope with the information security task, or they deliberately do not comply. End-users are the people at the sharp end of the operation and their unsafe acts are the active failures. The decisions made while formulating the information security policies and controls, while creating the work processes and procedures, while creating the IT systems, while rewarding performance etc. are the latent conditions.

According to the traditional view of information security, which matches the old view of human error or the person approach, the failure to undertake or complete the information security task is blamed on the end-user. This approach prevents the analysis from going deeper into understanding the underlying causes of end-user behaviour, and as a consequence, information security management keeps repeating its faulty decision-making with regard to information security policies and controls. The cycle of faulty decision-making by management, unsafe acts by end-users and blaming end-users for failures completes a vicious circle.

Information security, as a discipline, needs to evolve its conception of the role of end-users in failures related to information security policies and controls in an organization. Information security must adopt the new view, or the system approach, towards unsafe acts by end-users. In the new view, end-users can be held responsible for only a few unsafe acts; most other unsafe acts can be traced back to earlier decisions in the lifetime of information security policies and controls in the organization. Analysis according to this approach uncovers the latent conditions behind the unsafe acts. This understanding is used to improve decision-making by management. Thus, a virtuous circle is created between decision-making that is responsive to end-user needs, improved compliance by end-users and a deeper understanding of end-user needs gained through a deeper analysis of failures.
