خطاهای انسانی و تخلفات در کامپیوتر و امنیت اطلاعات: نقطه نظر مدیران شبکه و متخصصان امنیت

This paper describes human errors and violations of end users and network administration in computer and information security. This information is summarized in a conceptual framework for examining the human and organizational factors contributing to computer and information security. This framework includes human error taxonomies to describe the work conditions that contribute adversely to computer and information security, i.e. to security vulnerabilities and breaches. The issue of human error and violation in computer and information security was explored through a series of 16 interviews with network administrators and security specialists. The interviews were audio taped, transcribed, and analyzed by coding specific themes in a node structure. The result is an expanded framework that classifies types of human error and identifies specific human and organizational factors that contribute to computer and information security. Network administrators tended to view errors created by end users as more intentional than unintentional, while errors created by network administrators as more unintentional than intentional. Organizational factors, such as communication, security culture, policy, and organizational structure, were the most frequently cited factors associated with computer and information security.

The National Research Council Computer Science and Telecommunications Board (2002) has distinguished between accidental and deliberate causes of poor computer and information security (CIS): “Accidental causes are natural (e.g., a lightening surge that destroys a power supply in a network that causes part of the network to fail) or human but non-deliberate (e.g., an accidental programming error that causes a computer to crash under certain circumstances, or the unintended cutting of a communications cable during excavation). Accidental causes figure prominently in many aspects of trustworthiness beside security, such as safety or reliability. Deliberate causes are the result of conscious human choice.” (National Research Council Computer Science and Telecommunications Board, 2002, pp. 3–4). In the CIS literature, deliberate causes are referred as ‘attacks’. Attackers, those who seek to cause damage deliberately, may be able to exploit an error accidentally introduced into the system. In this paper, we will refer to accidental causes, as described in the National Research Council Computer Science and Telecommunications Board (2002), as human error. Deliberate causes will refer to the concept of violations: deliberate actions that deviate from processes. The concept of violations is two-fold: (1) violations of malicious intent (e.g., insider threats, hackers, terrorists) and (2) violations of a non-malicious nature, the deliberate actions that deviate from CIS processes that may or may not result in decreased CIS performance. In this context, human errors and violations do not assign blame to the individual. Rather, it is important to examine the different elements of the system that can lead to human errors and violations, such as faulty equipment, poor management practices or unclear procedures ( Reason, 1997). Previous studies demonstrate the ever-present risks in computer and information system security, and the importance of the accidental and deliberate causes, or threats, that exist within these security systems. Causes of deliberate attacks have been described as resulting from poor management or operational practices, rather than human error (Computer Science and Telecommunications Board-National Research Council, 2002). However, this is not necessarily true. For example, in the fall of 2000, Western Union was victim to an attack that was attributed to human error rather than a design flaw. A hacker electronically entered one of Western Union's computer servers without permission and stole about 15,700 customer credit card numbers. The incident occurred after the system was taken down for regular maintenance, and a file containing the credit card information had inadvertently been left unprotected when the system was returned to operation (Stokes, 2000). In addition, Whitman's (2003) study found that the IS directors, managers, and supervisors ranked technical software failures or errors and acts of human error failure (for a combined total of 2231 responses) higher than deliberate software attacks (2178 responses). Whitman's (2003) findings support recognition of human error and failure as a significant area for consideration in the field of CIS. In addition, examining accidental causes may allow an organization to identify weaknesses in its systems or processes that may be deliberately exploited. The field of human factors has developed models and concepts for understanding and characterizing varying types and levels of human error, which have been used successfully in various industries to analyze causes of accidents (Reason, 1997). These taxonomies not only explore the cognitive mechanisms involved in human error (Rasmussen et al., 1994), but also emphasize the role of organizational and management factors in the creation of error-prone conditions (Reason, 1997). We propose that taxonomies and models of human error can be used to identify and characterize vulnerabilities of computer and information systems. This paper examines the “accidental” causes (i.e. human errors) and “deliberate” causes (i.e. violations) in CIS. We examine how models of human error and macroergonomics can be used to understand accidental causes errors. We also argue that knowledge generated from the understanding of accidental causes can help build better defense mechanisms against deliberate attacks. Using data collected from interviews with network administrators and computer security specialists, we identify the human and organizational elements contributing to CIS. This study encompasses two objectives: (1) Identify human errors, violations, and associated mechanisms that contribute to vulnerabilities and breaches in CIS systems. (2) Characterize the human and organizational elements associated with human errors and violations in CIS systems.

This study provided linkages between human error in CIS and work system causes. The literature has acknowledged there is a distinction between the accidental and deliberate causes of human error in CIS (Computer Science and Telecommunications Board-National Research Council, 2002; Dutta and McCrohan, 2002; Whitman, 2003). Our study provided insight into the different types of human error that occur and the saliency of work system elements that conspire to facilitate the occurrence of human error in the security context. Organizational elements were emphasized the most by network administrators and security specialists and this may be an area of future inquisition for workplace interventions. Network administrators and security specialists may use this framework to build better security practices and procedures for their networks. Future research in this area would include a taxonomy that described work system fixes for more specified categories of security breaches, with relative weighting of each element. Understanding the types of errors occurring on their networks and the contribution of work system elements to those errors allows for better defenses against attacks.