How Big is the Human Error Element when it comes to Cyber Risk – Time to do a FAIR?

30 Oct

According to a recent report released by Verizon, 17% of data breaches originated from social engineering, mostly emails. The report uncovers that 17% of the breaches are a result of human error, such as employees sending sensitive emails to the incorrect recipients. This report is making industry professionals wonder just how big the human element is when it comes to cyber risks and what can be done about it.

If you ask a company what percentage of their risk is owed to human error, they probably won’t know how to answer that. That’s because over time, most of the attention, when it comes to cyber risk, has been given to the more obvious concerns such as misdirected emails and phishing, instead of what can happen along the attack chain. Not knowing where to start can lead to the stats being a little inaccurate.

Assessing the Human Element

If you really want to assess how big the human element is in cyber risk in an organisation, there is a simple 2-step analysis process to follow.

The two elements that can be used for such an analysis are:

  • Frequency – How likely is it that an employee will become victim to phishing or accidentally forward sensitive information a second or third time?
  • Impact – How likely is it that such a negligent act of an employee will result in data breach or disruption and what could this potentially cost the business.

The FAIR Method of Analysis

Using the Standard Factory Analysis of Information Risk (FAIR) model, one can determine probability and cost of incidents. FAIR is a digital system that allows one to use critical thinking in identifying risks and measuring them. Such a system allows for greater insight into frequency and impact.

Being able to gather valuable data in this manner means that results can be translated accurately and potential outcomes predicted.

Benefits of the FAIR method of analysis:

  • The risk from data breaches can be thoroughly considered.
  • Multiple assets at risk can be carefully identified.
  • Security teams can get a better concept of the frequency of such risks and if similar risks will present in the future, and what impact they will have.

This can be done by considering the following in each of the two analysis factors:


  • How often are emails containing sensitive information sent?
  • Just how often do employees send emails to the incorrect person or attach the wrong information?
  • Is the email content being sent encrypted?


  • How much does it cost for experts and customer relations to rectify the email problem?
  • What it may cost if legal action is taken against the company or if you have to offer some form of compensation for the mishap.

The FAIR analysis system can use the solid data gathered to generate a whole host of potential outcomes. Often, using this method can uncover the possible dangers of overlooking seemingly low-impact events.

With the results provided by FAIR, you can tweak the impact of different factors and rerun the analysis to see what outcomes there are with alternative controls in place. FAIR makes it possible to assess the human element easily and more accurately.

By effectively assessing just how big the human element is in your cyber risk, you can cut back on occurrences that cause losses for your business. While you cannot change human nature, you can identify risks better and implement strategies to safeguard against potential catastrophic fallout.

Comments are closed.