ThinkCyber reviewed data from the Information Commissioner’s Office (ICO) and the 2023 Data Breach Investigations Report (DBIR). Both point to the same conclusion: we need new ways to influence behaviour if we are to reduce the most common causes of incidents.
Understanding the Human Factor in Data Incidents
The prevalence of the “Miscellaneous Errors” pattern in healthcare, as highlighted in the Verizon DBIR 2023, shows how much human factors shape data security outcomes.
It’s important to understand that not all incidents occur because people are “unaware” or lack skills or knowledge. It’s far more likely that they occur because people are tired, not concentrating, under pressure, and trying to do their job. So they make mistakes.
Miscellaneous Errors include misdelivery, misconfiguration and publishing errors, but it is the ease of sending an email to the wrong recipient that stands out as the significant concern for data security. In 2023:
ICO technical data breach data revealed that misaddressed emails were the second most common cause of reported data breaches, particularly in the health sector.
The DBIR reported: “Misdelivery accounts for 43% of breach-related errors in our dataset”.
The Ineffectiveness of Traditional Security Awareness
The traditional approach to security awareness, while well-intentioned, often falls short of changing behaviour. It is time-consuming and easily forgotten, and it does nothing to address incidents caused by habit or heuristic decision-making, especially under pressure or in the face of sophisticated phishing attempts.
Behavioural science theory highlights that, to really influence behaviour and mitigate these risks, interventions need to occur in the context where mistakes are made and tricks are attempted: nudges, prompts or warnings delivered at the critical moment.
Context-aware interventions can nudge people on their own devices, guiding them towards the secure action precisely when they are most at risk, for example when sending an email or adding an attachment.
Embracing a New Approach
Faced with threats ranging from ransomware to simple email misdelivery, any of which can cause an impactful data breach, we are compelled to think harder about how we tackle “the human factor”. But:
is traditional lengthy, mandatory awareness training simply a waste of valuable staff time when judged by its measurable behavioural impact?
how do we even demonstrate that impact, in order to meet the Data Security Standard – Staff Training 3.1.3 Evaluation requirements?
In light of these challenges, we invite you to join our upcoming webinar, where we will explore these issues through the lens of learning and behavioural science. We will look at why traditional approaches may be ineffective, what behavioural science theory suggests we should do instead, and how to apply this thinking to your own security campaigns.
Together, we will explore approaches to drive measurable risk reduction.