With my Symphony Ventures hat on, I recently wrote a guest post for NICE, an innovative Israeli-based software automation vendor. The article had to be edited down a little to fit in with their format, so here’s the full version for you.
Data breaches reached a new high this month with the news that the US Government’s Office of Personnel Management had been hacked not once but twice, putting the lives of many public employees, and especially the spies, at serious risk. Not only has the breach released the private details of individuals that were requested as part of the security vetting process (so opening them up to coercion and blackmail), but it also makes it possible, by a process of elimination, to identify which of the employees are pretending to be boring government officials and are therefore actually spies.
Data breaches have also been responsible for the high-profile resignation of a number of CEOs, including Gregg Steinhafel at Target (which exposed information on 40 million of its customers) and Amy Pascal at Sony Pictures following the theft of digital content and the release of personal emails.
No-one can be certain about the cause of some of these breaches, and we are certainly not suggesting any level of incompetence, but it was interesting to read of a recent report from CompTIA which found that human error accounts for 52 per cent of the root cause of security breaches. The two biggest sources of human error were ‘failure to follow general policies and procedures’ (42 per cent) and ‘general carelessness’ (42 per cent).
To many, this will sound surprising and a little bit scary. But if one looks at it in more detail, the opportunities for any number of data breaches, even in a relatively straightforward and common process, are clearly exposed. This is exactly what a team of researchers did in their paper ‘How significant is human error as a cause of privacy breaches? An empirical study and a framework for error management’ (Divakaran Liginlal, Inkook Sim, Lara Khansa).
Firstly, they took some useful definitions of errors from ‘Human Error’ (Reason J. New York, NY: Cambridge University Press) which categorised these into ‘slips’ and ‘mistakes’. “Slips describe the incorrect execution of a correct action sequence and mistakes refer to correct execution of an incorrect action sequence. Mistakes represent the situation where a person makes a wrong decision but executes it correctly. The term ‘mistake’ can be interpreted as the result of an intentional act involving faulty conceptual knowledge, incomplete knowledge, or incorrect action specification.”
They then related this to a process that many people will be familiar with, applying for a loan from a bank: “The first step in loan processing involves the collection of personal information. In most cases, the loan officer interrogates the customer and runs a background check to acquire supporting information. An example of a mistake that could plausibly occur during this information collection activity is that of an overzealous loan officer attempting to acquire more private information than what is allowed in the company’s task manual. On the other hand, a slip might occur when the loan officer is distracted during data entry. Also, a slip or mistake may plausibly occur when, due to the exigencies of the work situation, the loan officer designates the task of entering the customer’s [Personally Identifiable Information] (PII) to a subordinate with a lesser skill set. During the information processing activity, the collected information is stored in a database and transferred internally or externally in raw, aggregated, or summarised form. Such information may be erroneously disclosed in a variety of ways during storage or transmission. For instance, the loan officer may discuss details of the loan application with the loan approval department in an open hall where the conversation is overheard by other people. Or, when notifying a customer of the acceptance status, the mailing clerk may use a wrong mailing address and reveal sensitive personal information to the wrong recipient. In the information dissemination stage, de-identified information about a customer may be disclosed to third parties for secondary use such as for market research. However, it is quite possible that the marketing department commits an error either by forgetting to de-identify or by failing to apply effective de-identification techniques.”
When looked at in that level of detail, it’s clear that there are considerable opportunities for human error to enter that process and cause a data breach.
So why have humans in the loop at all?
Technology exists today that can replicate the majority of the tasks required to process that loan application. Using a combination of Robotic Process Automation (RPA) and Artificial Intelligence (AI), the software solution is able to carry out the process exactly according to the proper procedure, without distraction, over-zealousness, under-skilling or any discussion in open forums. In other words, by taking the humans out of the process, the opportunities for ‘slips’ and ‘mistakes’ are reduced to almost zero, both in the decision-making stage (through defining the process to the right level of detail in the first place and supporting that with cognitive learning capability) and the execution stage (through the application of robotic process automation).
This applies to any process that is rules-based, repetitive and has system interactions. RPA, once trained, will carry out the task again and again in exactly the same way, logging every step as it does it. AI can provide support for decision-making when the task falls outside the standard rules (such as when a value threshold has been reached), or interpretation of the information if the inputs are unstructured (such as a customer email).
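To make the loan example concrete, here is an added example (not from the original article or from any RPA product) of the same three stages run by rule: collection limited to the fields the task manual allows, escalation above a value threshold, and removal of direct identifiers before dissemination, with every step written to a hash-chained log so that later edits are detectable. The field names, threshold and hash-chain design are assumptions made for illustration.

```python
import hashlib
import json

# Assumed policy values standing in for the company's task manual.
ALLOWED_FIELDS = {"name", "address", "income", "loan_amount"}
PII_FIELDS = {"name", "address"}      # direct identifiers only (simplification)
ESCALATION_THRESHOLD = 50_000
# Constructed sample application; "religion" is over-collected data.
SAMPLE = {"name": "A. Sample", "address": "1 Example St",
          "income": 40000, "loan_amount": 75000, "religion": "x"}

def _digest(step, detail, prev):
    body = json.dumps({"step": step, "detail": detail, "prev": prev}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def append_audit(log, step, detail):
    """Append an entry whose hash covers the previous entry's hash."""
    prev = log[-1]["hash"] if log else "0" * 64
    log.append({"step": step, "detail": detail, "prev": prev,
                "hash": _digest(step, detail, prev)})

def verify_audit(log):
    """Return False if any entry was altered, removed or reordered."""
    prev = "0" * 64
    for e in log:
        if e["prev"] != prev or e["hash"] != _digest(e["step"], e["detail"], prev):
            return False
        prev = e["hash"]
    return True

def process_application(raw, log):
    # Collection: keep only permitted fields; log field names, never values.
    extra = sorted(set(raw) - ALLOWED_FIELDS)
    record = {k: v for k, v in raw.items() if k in ALLOWED_FIELDS}
    append_audit(log, "collect", {"dropped_fields": extra})
    # Decision: anything over the threshold goes to a reviewer, not the robot.
    route = "escalate" if record["loan_amount"] > ESCALATION_THRESHOLD else "auto"
    append_audit(log, "route", {"route": route})
    # Dissemination: strip direct identifiers before secondary use.
    shared = {k: v for k, v in record.items() if k not in PII_FIELDS}
    append_audit(log, "disseminate", {"fields": sorted(shared)})
    return route, shared
```

Dropping the name and address removes only direct identifiers; whether the remaining fields can still single out a customer is a separate question that the de-identification step of a real process has to answer.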
Automation technologies are already benefiting forward-thinking organisations through delivering significant cost savings, but the ability to provide high levels of security through error-free and auditable processes may save a CEO or two their jobs.