Study: Human Error Causes Most Security Breaches

A new survey from the Computing Technology Industry Association indicates that human error, rather than
technology, is at the root of most information technology security breaches.

The survey, entitled “Committing to Security: A CompTIA Analysis of IT Security and the Workforce,” says that
more training and certification are needed if IT workers, their companies and government agencies are to be better
equipped to handle violations of computer security.

The survey found that human error played a role in more than 63 percent of IT security breaches. Of those
questioned, only 8 percent said that security problems were the result of technological failures.

CompTIA is a trade association that offers technology certifications, so it’s no surprise that it was quick to point
out that the study’s findings point to the need for improved security training and certification of IT
workers.

“We define a security breach as one that caused real harm, resulted in confidential information taken, or
interrupted business,” says Mike Wendy, policy counsel for CompTIA.

“We are seeing very little of the IT budget being spent on security and an even smaller subset being dedicated to
resources on IT security training, certification and awareness,” Wendy said.

NFO Prognostics conducted the survey for CompTIA during the fourth quarter of 2002, questioning 638
information technology workers in both the private and public sectors.

The survey found that thirty-one percent of the IT workers were aware of between one and three major security
breaches in the past six months. Another four percent said between four and nine security breaches had
happened over the same period of time, and another three percent said they had ten or more security breaches
in the past six months.

The survey also found that twenty-two percent said none of their IT workers had recently received technology
security training. The survey went on to say that 69 percent have had fewer than 25 percent of their tech staffs
trained to protect against security breaches, while only 11 percent said all of their IT workers have had proper
security training.

The survey also found that ninety-six percent of the respondents thought it would be a good idea for their IT
staffs to receive more security training. Seventy-three percent of the IT workers surveyed said they would
recommend comprehensive security certifications.

Wendy added that CompTIA provides certification tests for IT workers, which normally cost $249 per test, and has
resellers, such as A+, Prometric and New Horizons, sell directly to corporate IT departments and government IT
workers. He said CompTIA has sold over 775,000 IT security certification tests over the past ten years.