Human Error and Information Security

Stephen DeAngelis

May 24, 2006

I’m a big believer in rule set automation as a way of reducing human errors when it comes to performing routine processes and audits. But the recent lapse by an employee of the Veterans Administration reminds us that not all processes can be automated. The poor judgment or criminal behavior of humans must be a constant factor in our calculations. According to today’s Washington Post (“Veterans Angered by File Scandal,” by Christoper Lee):

As many as 26.5 million veterans were put at risk of identity theft May 3 when an intruder stole an electronic data file from the Aspen Hill home of a VA data analyst, who was not authorized to remove the data from his office. The electronic file contained names, birth dates and Social Security numbers of veterans discharged since 1975, as well as veterans who were discharged earlier and filed for VA benefits.

Salt was poured into that wound when it was later revealed that personal data about spouses and children might also have been compromised. This was not an inadvertent loss of information. It involved a robbery, yes, but a deliberate decision was made to remove the information from a secure environment, which put the data at risk in the first place. Instead of being arrested, tried, and jailed (or even fired), the VA put the offending employee on administrative leave. Not exactly the kind of action that will deter further breeches. While we would like to believe that such breaches are rare, the San Diego Super Computing Center reports that 60% of all breaches are inside jobs. The compromise of the VA data is another example of how technology has outpaced regulations. Laws aimed at protecting against identity theft are long overdue.

Although there may not have been criminal intent on the part of the VA employee in this case, there are criminals looking for access to personal information. üThe absurd rise in “phishing” email attests loudly to that fact. A Consumer Board Survey released in June 2005 reported that ID theft has become such a concern that 41% of customers purchased less on line during the past twelve months than they had in the previous year. Two of the best known past breaches of security involved ChoicePoint and CardSystems. The breach at ChoicePoint cost the company $11.4 million and it saw its stock drop $6/share. CardSystems exposed 40 million customer accounts and as a result faced financial ruin when Visa and American Express dropped its services.

ü

According to the Federal Trade Commission, most often (i.e., 54% of the time), criminally obtained information is used to commit credit card fraud. About a quarter of the time (26%), identity theft is fraudulently used to obtain communications services. The remaining criminal uses of ID theft involve bank fraud (16%) or the obtaining of fraudulent loans (11%). You notice that adds up to more than 100%. That is because ID theft is sometimes used to do all of those things — there is some overlap. Anyone who has tried to untangle the knot that criminals who have stolen their identities have tied around their finances understands that it can be a Gordian Knot-like effort that takes years.

ID theft, of course, is not the only kind of criminal activity that can affect databases. A poll conducted last year by Pew Internet & American Life Project and Elon University indicated that two-thirds of security experts “believe that the U.S. will suffer a ‘devastating’ cyberattack within 10 years. No doubt all this calls for a new kind of resilience — both personal and organizational.