Understanding the Root Cause of Cybersecurity Incidents Through DuPont’s Dirty Dozen Framework

Abstract

Cybersecurity incidents, such as data breaches, pose a significant threat to organisations. Shockingly, 95% of these incidents occur due to human errors. Despite organisations making substantial efforts to reduce the likelihood of such occurrences through technological and non-technological means, the frequency of these incidents has been increasing. Previously, organisations relied on technology as the primary barrier to minimise cybersecurity incidents and achieve their objectives. Although research indicates that humans are the weakest link in an organisation's efforts to combat cybersecurity incidents, organisations still consider technology as the key to improving security defences. Therefore, the researchers suggest improving human interventions should precede technological means to overcome the problem. They propose that existing information security plans should consider human factors in cybersecurity risk management. Prioritising an understanding of human factors in managing information security can help organisations identify the relationships between various dimensions of human errors and cybersecurity incidents. To achieve this, the paper suggests solving the human factor problem in cybersecurity incidents by explaining how DuPont's Dirty Dozen framework, commonly used in aviation, can help understand why cybersecurity incidents and accidents occur. The framework lists twelve human behaviours that can be used to understand the relationships between various dimensions of human errors and cybersecurity incidents. By understanding these relationships, organisations can improve their cybersecurity strategies by anticipating, mitigating, and resolving issues more effectively and efficiently.