Elementary Threat · BSI IT-Grundschutz

G 0.31 — Incorrect Use or Administration of Devices and Systems

Reading time: 4 min · Reviewed by: Cenedril Editorial
Frameworks: BSI IT-Grundschutz · ISO 27001 · ISO 27002

During ongoing operations, an administrator executes a storage management command and mixes up the production and test systems. Within seconds, all production data at a site is deleted. The last complete backup is from the previous day — an entire working day of customer data and transactions is irretrievably lost.

Incorrect use or administration (G 0.31) is among the most common causes of security incidents — and the number of unreported cases is high, because many errors are covered up or not classified as security-relevant.

What’s behind it?

Every system is only as secure as the people who operate it. Operator errors occur when authorised users or administrators unknowingly ignore, circumvent or misapply security measures. The causes range from lack of training through time pressure to ergonomically poorly designed user interfaces.

Typical sources of error

  • Faulty administration — Misconfigured firewalls, overly generous permissions, incorrect DNS entries, accidental deletion of data or systems.
  • Circumvention of security measures — Users disable screen locks because they are perceived as annoying, or forward emails to private addresses to work “more flexibly”.
  • Accidental data disclosure — Confidential documents are sent to wrong recipients, access rights on file shares set too broadly, cloud storage accidentally made public.
  • Physical operator errors — Tripping over unprotected cables rips out connecting lines. Spilled drinks cause short circuits.
  • Wrong password handling — Passwords on sticky notes on the monitor, sharing credentials with colleagues, using identical passwords for different systems.

Impact

Incorrect operation can violate all three protection goals simultaneously. Confidentiality is compromised when access rights are set wrongly. Integrity suffers when data is accidentally changed or deleted. Availability collapses when a faulty configuration command takes a service offline. The consequences can match those of a targeted attack.

Practical examples

Misconfigured firewall rule. An administrator adds a firewall rule to open a new service. Because of a typo in the subnet mask, the entire internal network range is accidentally opened to access from the internet. The error goes unnoticed for a week until an automated vulnerability scan flags it.
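The scan in this scenario only catches the error after a week of exposure. As an added illustration (not code from the original page), the check below shows the same kind of test applied before deployment: it parses a constructed, hypothetical ruleset in a simple "action proto src/mask dst/mask port" form, where the third rule carries the mask typo from the scenario (255.0.0.0 instead of 255.255.255.0), and flags every internet-facing allow rule whose destination lies outside a published service range or spans more addresses than a fixed limit. The rule syntax, the published range 203.0.113.0/24 and the 256-address limit are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample ruleset (not from the page). Assumed format:
# "<action> <proto> <src/mask> <dst/mask> <port>". The third rule carries the
# typo from the scenario: mask 255.0.0.0 instead of 255.255.255.0.
SAMPLE_RULES = """\
allow tcp 0.0.0.0/0          203.0.113.10/255.255.255.255 443
allow tcp 10.0.0.0/255.0.0.0 10.20.30.0/255.255.255.0     22
allow tcp 0.0.0.0/0          10.20.30.0/255.0.0.0         8443
"""

# Assumed policy (hypothetical): rules reachable from the internet may only
# target the published service range, and never more than 256 addresses.
PUBLISHED_SERVICE_NETS = [ipaddress.ip_network("203.0.113.0/24")]
MAX_EXPOSED_ADDRESSES = 256
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    line: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: int


def parse_rules(text):
    """Parse the assumed rule format. strict=False keeps a network whose
    host bits are set, which is exactly what a mistyped mask produces:
    10.20.30.0 with 255.0.0.0 silently becomes 10.0.0.0/8 instead of an error."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        action, proto, src, dst, port = fields
        rules.append(Rule(n, action, proto,
                          ipaddress.ip_network(src, strict=False),
                          ipaddress.ip_network(dst, strict=False),
                          int(port)))
    return rules


def is_internet_source(net):
    """A source not wholly inside RFC 1918 space is treated as the internet:
    0.0.0.0/0 counts, a range inside 10.0.0.0/8 does not."""
    return not any(net.subnet_of(p) for p in RFC1918)


def lint(text):
    """Return (line, message) findings for internet-facing allow rules that
    reach outside the published range or expose too many addresses."""
    findings = []
    for r in parse_rules(text):
        if r.action != "allow" or not is_internet_source(r.src):
            continue
        if not any(r.dst.subnet_of(p) for p in PUBLISHED_SERVICE_NETS):
            findings.append((r.line, f"destination {r.dst} is outside the "
                                     f"published service range"))
        if r.dst.num_addresses > MAX_EXPOSED_ADDRESSES:
            findings.append((r.line, f"destination {r.dst} spans "
                                     f"{r.dst.num_addresses} addresses; "
                                     f"check the mask"))
    return findings


if __name__ == "__main__":
    for line, msg in lint(SAMPLE_RULES):
        print(f"rule {line}: {msg}")
```

Run against the sample, the first rule passes (one published host), the second is skipped because its source is internal, and the third produces two findings on line 3: the destination collapsed to 10.0.0.0/8, which is outside the published range and exposes 16,777,216 addresses. A check like this belongs in the change pipeline (before the rule reaches the firewall), where it blocks the commit rather than reporting a week later.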

Accidentally public cloud storage. A project group stores confidential project documents in a cloud folder. When setting up the share link, an employee accidentally selects “Anyone with the link” instead of the intended restricted share. Search engines index the folder, and the documents become publicly discoverable.

Cable damage through trip hazard. In an office, the network cable of a critical workstation is laid unprotected across the floor. An employee trips over it, the plug is ripped out of the wall socket and the network panel is damaged. The entire floor loses network connectivity for several hours until a technician repairs the panel.

Relevant controls

The following ISO 27001 controls mitigate this threat. (You’ll find the complete list of 44 mapped controls below in the section ‘ISO 27001 Controls Covering This Threat’.)

Prevention:

Detection:

Response:

BSI IT-Grundschutz

The BSI IT-Grundschutz Compendium links G 0.31 to the following modules:

  • ORP.3 (Awareness and training) — Requirements for the qualification of users and administrators.
  • OPS.1.1.2 (Proper IT administration) — Documented procedures and four-eyes principle for critical tasks.
  • OPS.1.2.4 (Telework) — Specific risks in remote work and mobile administration.
  • SYS.1.1 (General server) — Requirements for secure administration of server systems.

Sources

ISO 27001 Controls Covering This Threat

  • A.5.1 Policies for information security
  • A.5.4 Management responsibilities
  • A.5.9 Inventory of information and other associated assets
  • A.5.10 Acceptable use of information and other associated assets
  • A.5.14 Information transfer
  • A.5.15 Access control
  • A.5.16 Identity management
  • A.5.17 Authentication information
  • A.5.18 Access rights
  • A.5.23 Information security for use of cloud services
  • A.5.24 Information security incident management planning and preparation
  • A.5.25 Assessment and decision on information security events
  • A.5.28 Collection of evidence
  • A.5.29 Information security during disruption
  • A.5.32 Intellectual property rights
  • A.5.34 Privacy and protection of PII
  • A.6.2 Terms and conditions of employment
  • A.6.3 Information security awareness, education and training
  • A.6.7 Remote working
  • A.6.8 Information security event reporting
  • A.7.9 Security of assets off-premises
  • A.7.14 Secure disposal or re-use of equipment
  • A.8.1 User endpoint devices
  • A.8.2 Privileged access rights
  • A.8.3 Information access restriction
  • A.8.4 Access to source code
  • A.8.5 Secure authentication
  • A.8.7 Protection against malware
  • A.8.9 Configuration management
  • A.8.10 Information deletion
  • A.8.12 Data leakage prevention
  • A.8.15 Logging
  • A.8.16 Monitoring activities
  • A.8.18 Use of privileged utility programs
  • A.8.19 Installation of software on operational systems
  • A.8.20 Networks security
  • A.8.21 Security of network services
  • A.8.22 Segregation of networks
  • A.8.24 Use of cryptography
  • A.8.25 Secure development life cycle
  • A.8.26 Application security requirements
  • A.8.27 Secure system architecture and engineering principles
  • A.8.28 Secure coding
  • A.8.31 Separation of development, test and production environments

Frequently asked questions

What distinguishes incorrect use from unauthorised use?

In incorrect use (G 0.31), an authorised person acts wrongly, whether out of ignorance, carelessness or lack of training. In unauthorised use (G 0.30), someone without authorisation gains access. The distinction matters in practice because the countermeasures differ: training and process design for G 0.31, access control for G 0.30.

Why is incorrect administration especially dangerous?

Administrators work with the highest permissions. A single wrong command can paralyse entire networks, irretrievably delete data or disable security mechanisms. Without a four-eyes principle or a change management process, nothing stands between the mistake and its execution.

How can operator errors be effectively reduced?

Three levels work together: first, well-documented, comprehensible procedures; second, regular training that addresses common mistakes; third, technical safeguards such as confirmation dialogs for critical actions, rollback capabilities and automated configuration checks.
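The third level, technical safeguards, is the one that would have stopped the storage-command scenario at the top of this page, and it combines naturally with the four-eyes principle from OPS.1.1.2. As an added example (not code from the original page), the gate below decides whether a storage-management command may run: the target's environment is looked up in an inventory instead of trusted from the operator's memory, destructive commands default to a dry run, and on a production target the operator must retype the target name exactly and a second, different person must approve. The inventory, the list of destructive commands and the policy itself are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Constructed inventory (not from the page): the environment each storage
# target belongs to. In practice this comes from the asset inventory.
INVENTORY = {
    "stor-prod-01": "production",
    "stor-test-01": "test",
}

# Assumed list (hypothetical) of irreversible storage-management commands.
DESTRUCTIVE = {"volume delete", "pool destroy", "snapshot purge"}


@dataclass
class Decision:
    allowed: bool
    reason: str
    audit: dict = field(default_factory=dict)


def authorize(operator, command, target, typed_target=None, approver=None,
              dry_run=True):
    """Decide whether a storage-management command may run against target.

    Assumed policy for the example: a target not in the inventory is refused
    outright; destructive commands run as a dry run unless the operator opts
    out; on production the operator must retype the target name exactly and
    a second, different person must approve (four-eyes principle). Every
    decision carries an audit record so that it can be logged either way.
    """
    env = INVENTORY.get(target)
    audit = {"operator": operator, "command": command, "target": target,
             "env": env, "approver": approver, "dry_run": dry_run}
    if env is None:
        return Decision(False, f"unknown target {target!r}; refusing to guess",
                        audit)
    if command not in DESTRUCTIVE:
        return Decision(True, "non-destructive command", audit)
    if dry_run:
        return Decision(True, "dry run: no changes applied", audit)
    if env == "production":
        if typed_target != target:
            return Decision(False, "production target must be retyped exactly",
                            audit)
        if not approver or approver == operator:
            return Decision(False, "four-eyes: a second, different approver "
                                   "is required", audit)
    return Decision(True, "authorized", audit)


if __name__ == "__main__":
    # The opening scenario: the operator believes they are on the test system.
    d = authorize("alice", "volume delete", "stor-prod-01",
                  typed_target="stor-test-01", dry_run=False)
    print(d.allowed, d.reason)
```

In the opening scenario the operator retypes the name of the system they believe they are on; because it does not match the real production target, the delete is refused before anything happens. Retyping the target name rather than clicking "OK" is deliberate: a confirmation dialog that can be dismissed by reflex adds no friction at the moment it matters, whereas typing the hostname forces the operator to look at it.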