I take umbrage with headlines like this. It wasn't the employee's fault for the data breach at Ascension, a healthcare giant with over 140 hospitals across the United States. It was Ascension's leadership that failed to implement adequate cybersecurity defenses that resulted in the breach of 5.6 million patients' data.
Zack Whittaker (zackwhittaker@mastodon.social)'s status on Monday, 30-Dec-2024 22:18:47 JST
Bob Lord 🔐 :donor: (boblord@infosec.exchange)'s status on Tuesday, 31-Dec-2024 01:43:32 JST
@zackwhittaker
Human error describes the proximate cause of an incident, not the root cause.
Human error is a symptom, not the cause, of failure.
Human error is a social judgment, not an objective conclusion.
Human error is the start of the investigation, not the conclusion.
Human error can reveal systemic design flaws in the system that fail to account for human use.
Human error as a conclusion will lead to myopic and insufficient remedies like “user education”.
Human error is a label that shifts responsibility from system designers to system users who will inevitably fail.

Systems that fail because of an innocent mistake by a human are designed that way. They are brittle by design.
If you are curious as to why we should be intolerant of the label “human error” when talking about security incidents, please see Behind Human Error by David Woods and friends.