The Swiss Cheese Model: Human Error Puts Holes in IT Security

Reduce vulnerabilities to security breaches and data loss by shoring up a common weakness: human error.

Research continues to show that human error is a significant contributor to data breaches. The Ponemon Institute’s 2017 Cost of Data Breach Study reports that the root cause of 28 percent of data breaches could be traced back to things people did — or didn’t — do. Many businesses and enterprises are taking a layered approach to security, including launching awareness campaigns, training employees in best practices, hiring skilled IT professionals, and putting a firewall, intrusion detection and other security solutions in place. But, apparently, a little more than one-fourth of the time, something goes wrong.

The Explanation via the Swiss Cheese Model

The Swiss Cheese Model can help you understand why a well-thought-out, layered system of defenses can fail if humans are involved. The model was originally presented in the 1990 paper “The contribution of latent human failures to the breakdown of complex systems” by University of Manchester professor James T. Reason. The model, explained in a What’s the Point article, compares layered defenses — whether intended to prevent a data breach, an accident, or an error — to a stack of Swiss cheese slices. Often, the defenses work, stopping a hacker or the accident. But sometimes the holes line up, creating an unobstructed path for an attack or an accident. Reason recognized that in any system in which humans are involved, failure is possible — humans make mistakes. And since you can’t “change the human condition, change the condition under which humans work.”

Perforated Slices of Attack Defenses

So businesses put policies and solutions in place to compensate for human fallibility. Unfortunately, however, due to that same fallibility, they aren’t always used. Firewalls are disabled, security patches are ignored, data isn’t encrypted, and passwords are still set at “12345678.” There’s also a problem of not considering all possible contingencies and having plans in place to deal with them, like how to locate or remotely wipe a lost or stolen device.

Even the most conscientious people can fall prey, however. Perpetrators of social engineering attacks, whether they realize it or not, are experts in the Swiss Cheese Model. They understand that if they can’t get past technology solutions implemented to protect a network and data, they have a sporting chance at getting past a person. Spear phishing, which targets specific organizations or individuals to try to get them to reveal passwords or personal information, has evolved to the point where the attack can include investigating social media accounts or other sources to find personal information that can make the fraudulent message seem authentic. Regardless of corporate security policies and hours of training, employees may still give up information.

Filling the Holes

Software developers have the power to fill some of the security gaps related to the fact that imperfect people are using your applications. Consider whether you can incorporate any of these measures into your products to help save people from themselves:

  • The Verizon 2018 Data Breach Investigations Report advises, “Automate anything you can as this reduces the human error associated with many breaches we see.”
  • The Verizon report also states, “Conduct routine scans to discover misconfigurations before an adversary does.”
  • Encrypt. If hackers can’t decrypt data, they can’t use it — or sell it.
  • Validate. Consider two-factor authentication, blockchain technology, or other solutions or processes to confirm that the person logging in is who they say they are.
  • Facilitate. Whatever measures you incorporate into your solutions, ensure they will take little effort on the part of the user. Another thing about human nature: If something is too hard, we won’t do it.
  • Address Industry-Specific Concerns. The Swiss Cheese Model is used in specific industries to identify the gaps behind errors other than data security failures, for example patient safety errors in the healthcare industry. Understand the challenges your industry faces when it comes to human error and address them, if possible, with the solutions you design.
  • And, Yes, Train. People get complacent with time and attack vectors change. As a software developer, you may have little direct contact with end users, but you may be able to include messages that alert users to risky behaviors or remind them of best practices they learned in training.

If You Can Solve This Problem…

Human error has always plagued us, and minimizing its risk will have definite value to your clients and prospects. How can the solutions you develop minimize the risk of human error — and maximize opportunities for your business?

Datacap Systems