We are not the only industry with this problem. Hospitals and Airlines have the same issue. Although this article focuses on the approach hospitals use to combat human error mistakes, the airline industry has also made creative changes to dealing with this issue.
Here is just the first page of twelve of a Boeing 737 checklist designed by Michael Swannick:
- What is your plan this year, now, to reduce human errors?
- An example of an industry that suffers worse human error pain than you do.
- How to apply creativity in the midst of complexity.
- A tool to reduce human error.
I am going to give you a thought experiment to reduce errors in your IT Security program which cause up to 50 – 95% of breaches. If you want to skip to the bottom please do but if you want more context continue reading.
We are not the only industry with a human error problem. Hospitals have had this issue for a long time. We can’t ignore it though. Humans in our companies are causing the problem most of the time. This is humbling.
The complexity shared by IT is not special to IT. There are other industries which have this problem of trying to handle and execute in a complex environment while reducing human errors too. Hospitals are what come to mind for me.
Let’s tackle human errors and IT Security breaches.
Here are some questions I want you to ask yourself:
- What % of IT Breaches are due to Human Error?
- Where are ALL of the human error weaknesses in your current IT Security program?
- What is your plan to reduce human error? Specific and actionable steps?
- Do you have a lot of shiny new security toys?
- What can we learn from one creative surgeon and his solution to human error?
- What tool can you use to reduce human error in IT?
I think everyone knows that human errors caused by surgeons and medical staff and related complexities and challenges of being in a hospital with other sick people is a problem. This is nothing new. I put stats in this article just to make a point and not to belabor the obvious. The challenges of medicine are extreme and I would posit that IT security is equally damaging from a ‘scale’ point of view, although from a loss of life perspective the two are not equal. However, from the perspective of lost identities and disruption of human life and business there is no doubt that IT Security breaches are a front runner.
200,000-400,000 people Die Each Year in Hospitals Due to Human Error.
The numbers are mind – numbing.
Study after study documents this.
Top 10 Causes of Death
John James has produced landmark research in this area.
By combining the findings and extrapolating across 34 million hospitalizations in 2007, James concluded that preventable errors contribute to the deaths of 210,000 hospital patients annually.
That is the baseline. The actual number more than doubles, James reasoned, because the trigger tool doesn’t catch errors in which treatment should have been provided but wasn’t, because it’s known that medical records are missing some evidence of harm, and because diagnostic errors aren’t captured.
An estimate of 440,000 deaths from care in hospitals “is roughly one-sixth of all deaths that occur in the United States each year,” James wrote in his study. He also cited other research that has shown hospital reporting systems and peer-review capture only a fraction of patient harm or negligent care.
According to a new study, just out from the prestigious Journal of Patient Safety, four times as many people die from preventable medical errors than we thought, as many as 440,000 a year, according to a Forbes article.
Studies show hundreds of thousands of people die every year in the U.S. due to hospital errors, although it’s not clear how many of those cases involve drug mix-ups like this one. A report published in the Journal of Patient Safety last year says the number of deaths due to preventable hospital errors ranges from 210,000 to 400,000 people each year, according to 5News Online.
IT Security breaches are caused by human error? 95% are caused by humans.
According to Tech Republic, “A recently released report from computing giant IBM attributes some 95% of IT security breaches to human error and that over 75% of attacks are targeted at just five industries, proving when it comes to security, people are the real problem.”
All humans make mistakes. One of the most intriguing findings from IBM’s “2014 Cyber Security Intelligence Index” is that 95 percent of all security incidents involve human error. Many of these are successful security attacks from external attackers who prey on human weakness in order to lure insiders within organizations to unwittingly provide them with access to sensitive information.
Resources for the Role of Human Error in Successful Security Attacks:
Creativity in the Midst of Complexity
Let’s use creative thinking to solve this problem.
A CIO, CISOs and those CIOs acting as CISOs can suffer from binary and linear thinking. I think that this can hurt you because you are looking for math equations to solve problems versus finding solutions to problems that are blended, non-linear, or need more creativity. No human brain is simply 100% left brain or 100% right brain, but the point is that technology tends to attract left brainers as a ‘general’ rule.
In Michael Michalko’s book Creative Thinkering, on pages 90 and 216
One way to shift our perceptual position. Shifting our perceptual position will shift how we view things. Michael writes, “one way to do this is to look at the subject from someone else’s perspective.”
Michael invented this Thought Experiment to reduce infections in a hospital (located on page 88 of his book). You can use it to reduce human errors in your IT Department. You can pretend that you are looking at the problem from the perspective of other professions.
A hospital is filled with hazards to your health, including myriad infections, missed diagnoses, dosage mistakes and other complications that arise from human error. And in a hospital, human error seems all but inevitable. How can any one individual, or even any one team of individuals, keep all the tasks straight and anticipate all eventualities 100 percent of the time?
Imagine you’ve been hired by a hospital to come up with ideas to minimize errors. Assume the role of any of the following:
- Airline pilot
- Prison warden
- Middle School principal
- Football coach
How did you do?
Michalko tells a story of Dr. Peter Pronovost, a critical care specialist at the Johns Hopkins medical center in Baltimore who took the perspective of an airline pilot. He borrowed the concept of the checklist that pilots go through before they take off. In an experiment, Dr. Pronovost used the checklist strategy to attack just one common problem in the intensive care unit: infections in patients with central intravenous lines. The checklist listed the obvious steps that should be taken but were often forgotten.
The checklist was given to nurses in the intensive care unit, and, with the support of the hospital administrators, Pronovost asked the nurses to check off each item when a doctor inserted a central line – and to call out and doctor who cut corners. If doctors didn’t follow every step, the nurses had permission from the administration to intervene. The nurses were strict, the doctors toed the line, and within one year the central-line infection rate in the Johns Hopkins intensive care unit had dropped from 11 percent to zero.
Supporting reference to the article above:
Page 90 Dr. Peter Pronovost, a critical care specialist. The story about Dr. Peter Pronovost’s experiement is derived from the Robin Marantz Henig, “A Hospital How-To Guide That Mother Would Love,” New York Times, December 23, 2009,
In my experience, those CIOs and CISOs who have asked my teams to help them with IT Security breach forensics activities, the problems are caused because of IT just not paying attention to details and breakdowns within the big areas that all the research reports have identified: patching, passwords, spyware, content inspection, outbound controls, etc.
The cause – in my opinion is overwhelming. Would a checklist work for you and your staff? Maybe there are other ideas….try the experiment.
A Tool To Reduce Human Error
I think that a tool like the CIO Scoreboard can assist in reducing human errors because it identifies weaknesses beyond the shiny toys and breaks the weaknesses into manageable steps and graphically represents the data visually.
If you can see that you have great shiny toys but bad or weak policy, education, or outbound traffic flow inspection then you can shift your strategy.
I think you have to have a 10 second rule. You need to be able to tell your human error weaknesses within 10 seconds across all security domains. It is that important.
The tool that I would like to recommend for you is the CIO Scoreboard to do this. You can find links to it here with a couple of explainer videos that will help you learn about the functions of it. The product does a lot more than what I have explained here, but I wanted to highlight one application of it.
Bill Murphy is a world renowned IT Security Expert. You can find him online through LinkedIn and Twitter. Subscribe to weekly podcast updates and information about upcoming CIO Mastermind discussions.