By Philip Sasser
Introduction
In this article I would like to discuss the fact that careless and uneducated computer users are a leading cause of breaches in information security. Simple controls and informing end users could greatly reduce the financial losses experienced by businesses and home users.
Discussion
In the past few years the number of viruses and worms on the internet has increased tremendously. Credit card fraud, identity theft, information breaches, and social engineering are occurring more and more every year. As information systems and computers continue to become more and more complex, the number of human errors increases.
Information security has primarily been thought of as securing hardware and software. But recently statistics have shown that 80% of information breaches are caused by human factors such as inadequate information assurance knowledge, improper training, and failure to follow security procedures (Bean). These frequently overlooked threats often lead to costly financial losses for companies and even private computer users. Many companies and organizations tend to focus primarily on technological controls while ignoring that human error can just as easily lead to breaches of information security. Technical solutions are a direct and very important approach to controlling security but these solutions don't account for ignorance or omission of the people that use the systems. While the administrators and technicians discuss security issues and concerns, these conversations do not educate the end users.
While studying Information and Computer Technologies in college, I worked with the student computer support center, performing tasks such as removing malicious software or troubleshooting network issues. After working there for several weeks I began to realize that most computer users don't even care about their security. They just want the computer to work and when a virus gets to the point of corrupting their operating system and rendering it inoperable they finally seek help only to return several weeks or even days later with the same problem. This attitude creates havoc for network administrators and encourages people that make viruses.
According to a survey conducted by AOL, there is a gap between users' perceptions and the prevalence of actual threats on the internet. This causes many home computer users to ignore typical security precautions such as anti-virus and firewall software, which threatens sensitive personal and financial information (Roberts).
Not only do private computer users deal with these problems but businesses and corporations lose millions of dollars due to security breaches and most of these are linked back to a human error that there was no technical defense in place to prevent. Regardless of all the money spent for physical and software security measures most organizations are still vulnerable to some of the most basic security risks. In order to prevent these risks from happening we must first recognize the different types of human error and inform the users of the possible risks and how to avoid them.
Human Factors
Human errors can be made in several different ways.
- Carelessness
- Lack of computer knowledge
- Technical errors
Carelessness can be linked to many different causes of security breaches. Such as when a user writes his or her password on a sticky note and leaves it on the keyboard, when a browser warns of a potentially harmful website and the user continues anyway without reading, or when an employee fails to follow proper security policies or procedures. In a survey conducted by Help Net Security, employee carelessness is rated as number 4 for the top 10 information security threats of 2010 their survey stated the following:
Careless and untrained insiders will continue to be a very serious threat to organizations in 2010. Insiders can be broken down into three categories: careless & untrained employees, employees that are duped or fall prey to social engineering type attacks, and malicious employees. Protecting a network and critical and sensitive data is done very differently for each type. Policies, procedures, training and a little technology can make a world of difference in reducing an organization's risk to careless insiders (Top 10 Information Security Threats for 2010).
Another factor contributing to user error is lack of common computer knowledge. Many computer users today only know the very basics of using a computer such as, writing documents, sending emails, and checking the weather online. These users don't even know that they are supposed to have anti-virus software installed or how or why to install updates. These users are the main target of malicious software programmers. This type of user omission can even lead to a computer being compromised and used to host the malicious software to other unprotected computers.
Not only do uneducated computer users cause errors but sometime even the programmers make mistakes in their code that can be exploited by hackers. These errors made by programmers are usually used by hackers to gain control of the affected application. These errors are usually found and patched, but again what about that user that doesn't know to install security patches?
Application
There are many different ways that uneducated and irresponsible computer users may cause breaches of information, but what are some strategies that we could use to encourage end users to follow proper procedures to ensure data confidentiality and integrity? What are some ways we can inform and encourage people to learn more about security?
A past study conducted by the Computing Technology Industry Association (CompTIA) has shown that when a company trains one in every four IT employees in information assurance fundamentals, it is 20 percent less likely to encounter a security breach (Bean). This study shows that if a company spends a little more money on training employees it could save money in the long run. Companies can also keep their employees up to date and more involved with current security concerns.
As for the personal computer users there needs to be drastic measures taken to better inform and mold users into security aware computer users. This should be the responsibility of the maker of the operating systems. They could possibly implement a "wizard" type process that will first question the user for current security knowledge. Once the user's level of knowledge is known, certain safeguards could be put into place. A simple training tool could also be implemented to spread user awareness.
If simple steps are taken to inform and educate end users, it could lead to a more secure internet for every one. The human factors of information security should be a very important concern for all IT systems and viewed as equivalent to technical concerns.
Sources
Bean, Martin. "Human Error at the Center of IT Security Breaches." 04 February 2008. newhorizons.com. 01 April 2010 .
Human Factors in Information Security. 22 February 2010. 04 April 2010 .
Increase User Awareness to Bolster Security. 13 May 2005. 11 April 2010 .
Roberts, Paul. AOL survey finds home user ingnorant to online threats. 27 October 2004. 04 April 2010 .
Top 10 Information Security Threats for 2010. 14 January 2010. 04 April 2010 .
0 comments:
Post a Comment