Sage Journals: Discover world-class research

Abstract

Human error is a leading cause of cybersecurity breaches, yet inconsistent reporting due to a lack of structured frameworks hinders mitigation. Analysis of five major 2024 cybersecurity reports (Verizon DBIR, IBM, ENISA, Microsoft, Global CISO Survey) reveals how human error is characterized and quantified. Significant inconsistencies, gaps, and ambiguities are identified in classifying “human error” across these sources. Current industry reporting lacks a standardized taxonomy, hampering comparison and effective mitigation strategy development. Drawing on established frameworks (e.g., HFACS, Swiss Cheese Model), integrating a formal human factors classification system into reporting is proposed to improve clarity and actionability. The need for an integrated systemic framework is underscored, calling for industry adoption of standardized human error classification to enable more effective cybersecurity strategies.

Keywords

Human error analysis Cybersecurity Human-Computer Interaction

Get full access to this article

View all access options for this article.

References

Accenture. (2023). State of cybersecurity resilience 2023. Accenture. Retrieved from https://www.accenture.com/content/dam/accenture/final/accenturecom/document/AccentureStateCybersecurity.pdf#zoom=40

Cisco. (2024). Cisco cybersecurity readiness index 2024: Underprepared and overconfident companies tackle an evolving landscape. Cisco Systems. Retrieved from https://newsroom.cisco.com/c/r/newsroom/en/us/a/y2024/m03/cybersecurity-readiness-index-2024.html

European Union Agency for Cybersecurity (ENISA). (2024). ENISA threat landscape 2024: July 2023 to June 2024. ENISA. Retrieved from https://www.enisa.europa.eu/sites/default/files/202411/ENISA%20Threat%20Landscape%202024_0.pdf

IBM. (2024). Cost of a data breach report 2024. IBM Security. Retrieved from https://www.ibm.com/downloads/documents/usen/107a02e94948f4ec

Khaw

T. Y.

Amran

Teoh

A. P.

(2024). Building a thematic framework of cybersecurity: A systematic literature review approach. Journal of Systems and Information Technology, 26(2), 234–256. https://doi.org/10.1108/jsit-07-2023-0132

Microsoft. (2024). Microsoft Digital Defense Report 2024: The foundations and new frontiers of cybersecurity. Microsoft Corporation. Retrieved from https://www.microsoft.com/en-us/security/security-insider/threat-landscape/microsoft-digital-defense-report-2024

Nobles

(2022). Investigating cloud computing misconfiguration errors using the human factors analysis and classification system. Science Bulletin, 27(1), 59–66. https://doi.org/10.2478/bsaft-2022-0007

Nobles

Burrell

(2024). Exploring the variability of human factors definitions in cybersecurity literature. MWAIS 2024 Proceedings, Peoria, IL, USA. https://aisel.aisnet.org/mwais2024/28

Oltramari

Henshel

D. S.

Cains

Hoffman

(2015). Towards a human factors ontology for cyber security. Semantic Technologies for Intelligence, Defense, and Security. https://api.semanticscholar.org/CorpusID:18074878

10.

Pollini

Callari

T. C.

Tedeschi

Ruscio

Save

Chiarugi

Guerri

(2022). Leveraging human factors in cybersecurity: An integrated methodological approach. Cognition Technology & Work, 24(2), 371–390. https://doi.org/10.1007/s10111-021-00683-y

11.

Pollock

(2017). Reducing human error in cyber security using the human factors analysis classification system (HFACS). 2017 KSU Conference on Cybersecurity Education, Research and Practice, Kennesaw, GA, USA. https://digitalcommons.kennesaw.edu/ccerp/2017/research/2

12.

Proofpoint. (2024). 2024 Voice of the CISO: Global insights into CISO challenges, expectations and priorities. Proofpoint. Retrieved from https://www.proofpoint.com/sites/default/files/white-papers/pfpt-us-wp-voice-of-the-CISO-report.pdf

13.

Rahman

Rohan

Pal

Kanthamanon

(2021). Human factors in cybersecurity: A scoping review. The 12th International Conference on Advances in Information Technology, Bangkok, Thailand, 1–11. https://doi.org/10.1145/3468784.3468789

14.

Reason

(Ed.). (1990). Human Error (1st ed.). Cambridge University Press.

15.

Reason

(1995). Understanding adverse events: Human factors. Quality & Safety in Health Care, 4(2), 80–89. https://doi.org/10.1136/qshc.4.2.80

16.

Reason

(2000). Human error: Models and management. British Medical Journal, 320(7237), 768–770. https://doi.org/10.1136/bmj.320.7237.768

17.

Rohan

Papasratorn

Chutimaskul

Hautamäki

Funilkul

Pal

(2023). Enhancing cybersecurity resilience: A comprehensive analysis of human factors and security practices aligned with the NIST cybersecurity framework. Proceedings of the 13th International Conference on Advances in Information Technology, Bangkok, Thailand, 1–16. https://doi.org/10.1145/3628454.3629472

18.

Shappell

S. A.

Wiegmann

D. A.

(2000). The human factors analysis and classification system—HFACS (No. DOT/FAA/AM00/7). Federal Aviation Administration. https://commons.erau.edu/publication/737/

19.

Tessian. (2022). Psychology of Human Error 2022. Tessian. Retrieved from https://f.hubspotusercontent20.net/hubfs/1670277/%5BCollateral%5D%20TessianResearchReports/%5BTessian%20Research%5D%20Psychology%20of%20Human%20Error%202022.pdf

20.

Vaczi

TothLaufer

Szadeczky

(2020). Fuzzybased cybersecurity risk analysis of the human factor from the perspective of classified information leakage. 2020 IEEE 18th International Symposium on Intelligent Systems and Informatics (SISY), Subotica, Serbia, 000113–000118. https://doi.org/10.1109/SISY50555.2020.9217053

21.

Verizon. (2024). 2024 Data Breach Investigations Report. Verizon. Retrieved from https://www.verizon.com/business/resources/reports/2024dbirdatabreachinvestigationsreport.pdf

22.

Zimmermann

Schöni

Schaltegger

Ambuehl

Knieps

Ebert

(2024). Human-centered cybersecurity revisited: From enemies to partners. Communications of the ACM, 67, 72–81. https://doi.org/10.1145/36656655