
The Real Reason the Human is the Weakest Link

Computers and mobile devices store, process, and transfer highly valuable information. As a result, your organization most likely invests a great deal of resources to protect them. Protect the end point and you protect the information. Humans also store, process, and transfer information. Employees are in many ways another operating system -- the HumanOS. Yet if you compare how much organizations invest in securing people with how much they invest in securing computers and mobile devices, you would be stunned at the difference. Let's take a look. Organizations typically invest in the following to protect an end device:

  • Anti-Virus Software
  • Patching Infrastructure
  • VPN Solution
  • Host-Based Prevention System
  • Two-Factor Authentication
  • Vulnerability Scanning
  • End-point Encryption
  • Log Monitoring

Go down that list and add up the cost for each computer. Then add support contracts, help desk phone calls, and how many FTE (Full-Time Employees) it takes to maintain all of this technology. You probably end up spending $100 a device, $200 a device, or perhaps even more. Now, go through the exact same process and determine how much you are investing in securing your employees. How much per person? Hear those crickets chirping? Your organization is most likely spending 10x to 20x the time and resources securing technology as it does securing the HumanOS. If determining the dollar amount for each computer becomes too complex for you or your organization, try a simpler metric. Count how many people you have on your information security team. Now, out of all of those people, how many focus on securing technology, and how many on securing the HumanOS? You will probably end up with a very similar ratio, something like 10-1 or 20-1. And organizations still wonder why the human is the weakest link.

Technology is important, and we must continue to protect it. However, at some point you hit diminishing returns. We have to begin investing in securing the HumanOS as well, or bad guys will continue to bypass all of our controls and simply target the human end point.

[Image: computers vs. humans]

BIO: Lance Spitzner is the training director of the SANS Securing The Human program. His job and passion is helping organizations around the world build high-impact awareness programs. To learn more or download free resources, visit the Securing The Human website.


I do see where you're getting with the fact companies invest more into technology than employees, particularly in protection. But what do we need to be protected from? We protect computers from hackers because their information can be stolen. Hackers can't get into our heads (at least not yet). Computer viruses harm computers just like a normal one does to humans, but many companies provide health insurance for such a purpose.

Computers are less capable than people, which is why they need to be cared for so much. They don't know when to turn on and off, who to trust and who not to, what lines of code are malicious or not. They just take orders blindly, with the only restrictions being the ones programmed by an administrator.

Computers are designed to work with humans. People often perform their jobs with a computer. If the computer is broken or compromised, we work less efficiently or not at all. Yes, we have become dependent on computers. But they are not better than humans.

Humans can think for themselves. We can make judgement calls. We don't need to be babied, and when we are, most people complain and feel smothered. When people require more from an employer, they quit or go on strike. Unions were formed to force employers to provide better benefits or working conditions. Perhaps when AI reaches a level of being human-like, computers can also be self-sufficient and require less protection.