This is a shorter post in which I will briefly describe the impact of the human factor on security.
The human factor accounts for more than 75% of security incidents. The vast majority of these incidents happen by accident, because employees are not aware of the consequences of their (seemingly harmless) actions. That is why it is important for everyone to understand the likely threats to the company's assets and to the business as a whole, and how to act properly to reduce the risks those threats carry. Every employee must also be fully aware of his or her own role in protecting the system when handling people, information and assets.
Why are people the weakest link?
If we look at the basic elements of any system, we will see three of them: equipment, environment, and people. Equipment can be tested, duplicated and monitored, and automatic fault detection is possible. The environment can be monitored and additionally protected, backup locations can be used, and incident response (IR) can be automated. Unlike the previous two elements, however, people interact in many different ways, there is a huge diversity and number of participants and, most importantly, their behavior is unpredictable.
What are the human factor categories found in companies?
Lack of awareness
Lack of time to check and test
Rules that are not defined, or are defined badly
Not providing enough resources
Is there a solution to the problem?
It is very difficult, if not impossible, to answer this question. The first thing that matters is that human judgment is itself necessary to solve the problem; it cannot be automated away. Another thing, no less important, is education through different types of specialized and customized training (knowledge and skills). The third thing that must be worked on is discipline and motivation, through precisely defined rules and clearly stated consequences for violating them. The fourth thing is to create procedures that are adequate for the job. Last but not least is ethical hacking (penetration testing), because only in this way can we become aware of existing problems and thus be able to react and reduce or eliminate the possibility of system abuse. I would like to stress that this ethical hacking must include testing the employees (for example through social engineering exercises), not just the hardware and software.