Avoiding the cybersecurity blame game

Cyber risk management has many components. Those who do it well will conduct comprehensive risk assessments, enact well-documented and well-communicated processes and controls, and fully implement monitoring and review requirements.

Processes and controls typically comprise policies, which will include detailed explanations of the acceptable use of company technology. There will usually be examples of the types of activity that are specifically not allowed – such as using someone else’s login credentials or sharing your own. To make this “stick”, there will almost certainly be training – some on “the basics” and on specific systems, but also other related matters – perhaps the requirements of data protection legislation, for example.

Yet despite all these precautions, people will still make mistakes. No level of controls, processes or training can overcome the reality that humans are fallible. The precautions can only reduce the probability – or, as we might think of it, the frequency. Why is this?

One reason mistakes happen is that the processes and controls themselves are inadequate. For example, it is all too easy for even a moderately…
