Human error, negligence or intent are not the same
When something goes wrong in security, the explanation shows up almost on its own. It was human error. The phrase is reassuring because it closes the case before opening it. It also hides a problem, because it gathers under one label situations that barely resemble each other. The person who clicks in a hurry at the end of a long day, the one who reuses a password because nobody offered anything better, and the one who copies a database the week before resigning share a word and little else. According to the Verizon Data Breach Investigations Report, the human element remains present in a large share of the breaches analyzed each year. That figure tends to be read as a verdict against people. Reading it that way is, precisely, the first error, and that one is ours.
What do we mean by “human error”?
Human error is the gap between what a person meant to do and what actually happened. Defined with that precision, it leaves out much of what we usually put inside it. The psychology of error has worked on this distinction for decades. In Human Error (1990), James Reason distinguished unintentional failures, the slips and mistakes of someone trying to get it right, from violations, the deliberate deviations from a known rule. They are different mechanisms, with different causes, and so they require different responses.
The practical problem is that the “human error” label erases that boundary. It lumps together the person who slipped without noticing, the one who took a conscious shortcut, and the one who acted to cause harm. When the diagnosis is that coarse, so is the treatment. And a coarse treatment tends to fail with all three at once. Worse, it hides the organization behind the person. If everything ends up being “human error,” the environment that made that error likely never gets reviewed.
How do error, negligence and intent differ?
It helps to separate three phenomena that everyday conversation confuses.
Error happens when the person wanted to do the right thing and failed anyway. Attention was fragmented, analytical capacity drained, a bias did the rest. There was no decision to skip any rule. Human risk starts there, before the click, in the conditions under which someone decides in front of the screen.
Negligence appears when the person knew the rule and chose the path of least resistance. There is rarely malice. There is almost always an organization that set security to compete against the task that person has to deliver today. Reusing a password, postponing an update or sharing an access “just this once” are shortcuts the environment makes reasonable.
Intent is another matter. Here the person seeks to cause harm or gain an advantage. Sabotage, fraud, data theft before an exit. It is a minority of cases, but it exists, and no awareness campaign corrects it.
Lined up, the difference is quick to see:
- Error: wanted to get it right and failed. Typical causes: limited attention, cognitive load, bias, time pressure.
- Negligence: knew the rule and took a shortcut. Typical causes: friction, environmental incentives, habits, cumbersome processes.
- Intent: acted to gain an advantage or cause harm. Typical causes: personal motivation, opportunity, absent controls.
A single fact can fall into any of the three categories depending on context. Sharing a password with a colleague is an error by someone who did not know it was forbidden, negligence by someone who knew and preferred to skip the hassle, or the first move of a fraud. The observable action is identical in all three cases. What changes is the intent and the conditions around it. A record that logs only “shared password” loses that information right when it matters most, and leaves whoever investigates with a data point that distinguishes nothing. That is the difference between a dashboard that accuses and one that explains.
What intervention fits each type?
Distinguishing serves a very concrete purpose. Each type is reduced with a different tool, and using the wrong one wastes the effort.
Error is addressed by redesigning the decision environment. If someone fails because their attention was elsewhere, repeating the rule changes nothing. What changes is lowering cognitive load, adding a signal at the right moment and turning each failure into a short lesson. Nudges and educational moments act on this type, not on the other two. That phishing is not a knowledge problem is exactly this. The person knows, and still fails, because knowledge does not govern the decision under pressure.
Negligence requires reducing the friction of doing the right thing and sustaining accountability without punishment. If a unique password is impossible to remember, a password manager does more than ten reminders. If the shortcut is the fast lane, the safe lane has to become the most comfortable one too.
Punishment as an intervention pushes people to hide the error instead of reporting it, and an organization that never hears about its incidents loses its best source of improvement. To reduce negligence, it helps to review which shortcuts it rewards without realizing, because the unsafe behavior is almost always the fastest one.
Intent goes beyond the awareness program, and it is worth saying so plainly. Against someone determined to do harm, what protects you are technical controls, access management and the ability to detect anomalous behavior in time. That is where monitoring, the behavioral signals your SIEM does not see on its own and incident response come in. Asking a course to stop an insider loads onto awareness a weight that is not its own. Detecting a mass file download or an off-hours access in time is not the job of a campaign, but of correlating what people do with what the systems record.
Is distinguishing a form of respect?
Yes, and it is the part most often overlooked. Naming what happened well means treating the person for what they did and not for the worst available reading. Mistaking someone overloaded for a saboteur is unfair and also ineffective. The response the first one deserves does not work for the second. Respect, in this field, is precision before kindness.
That precision also helps whoever runs the program. A dashboard reporting “500 human errors” says nothing actionable. One that separates failures by attention, shortcuts by friction and deliberate conduct points to three different plans of work, with different owners. Distinguishing also protects the awareness function itself. When it is blamed for everything, including what it cannot solve, it ends up judged by failures that were never its own, and the very tool that does reduce errors and negligence gets abandoned.
The awareness programs we design at SMARTFENSE start from this distinction, because content built for error does not do the job of a simulation that measures real behavior. The “human error” label comforts whoever uses it and does not help whoever receives it. Starting to name what happened well is where the serious work begins.
Leave a Reply