Human Factors Accident Classification System (HFACS) for Cybersecurity
HFACS-Cyber is the world’s first application of the US Navy’s HFACS Framework to the cybersecurity domain to reduce incident recurrence.
Human factors refer to the environmental, organisational and work conditions, to include human and individual characteristics, that influence behaviour, which can affect the security of information assets.
The Reason Model of Human Factors
Dr James Reason developed the “cumulative act effect” (or the “Swiss-cheese”) model of incident causation. It takes a systems approach to incident investigations where the human is at the end of a chain of barriers meant to prevent unwanted events. This means that people are not the cause of incidents, but rather a factor in the system as a whole meant to prevent incidents.
Dr Reason established four layers of barriers that are common to most organisations:
- Organisational Influences
- Unsafe Supervision
- Preconditions
- Unsafe Acts
In the Reason model, the layers are hierarchical, where one layer affects the layer after it. Failures in one layer create weaknesses in that layer, which force the next layer to handle a hazard. If no layer prevents a hazard, then a loss, a breach, or an incident occurs. Therefore, the HFACS theory is that when an incident occurs, it is the result of a failure in every control layer, not just what the end-user does, and incident recurrence is a result of systemic weaknesses in these barriers.
Identifying Non-Technical Weaknesses in Your Cybersecurity Controls
Technical tests, like penetration testing and dynamic/static code tests, can identify weaknesses in technical controls. But non-technical weaknesses, like human factors, are more difficult to test and identify. HFACS-Cyber is a framework to assist investigators in identifying these weaknesses by analysing the factors of an incident in context of the people involved.
Using a blame-free, holistic approach to incident investigations, HFACS-Cyber is a framework to identify weaknesses within the entire context of an incident and to discover patterns and systemic problems that contribute to a cybersecurity incident.
HFACS-Cyber Control Layers Infographic
