Behavioural Economics as a tool for enterprise security

Have you ever wondered why on your electricity bill there is a representation of your household’s usage against the average 2, 3 or 4-person household telling you whether you are over or under? How does it make you feel?

The term behavioural economics has been around for maybe two decades. The marketing profession has been using the techniques it describes for even longer to get you to buy their brand. However, the use of behavioural economics as a tool for enterprise security is just emerging.

It is time for security professionals to start using these techniques to help protect organisations and not just to influence people to buy a particular soap, car or follow a sporting code.

What is behavioural economics

Behavioural economics looks at the relationship between the decisions that we make and the psychological and social factors that influence them. A significant amount of study in this area has been on people’s economic decisions, but the tools and techniques that have been tested can be applied in many other contexts.

Daniel Kahneman and his late research partner Amos Tversky are the two research psychologists most associated with behavioural economics. In 2002, Kahneman shared the Swedish Banker’s Prize in Economic Sciences in Memory of Alfred Nobel for this work. Kahneman’s 2011 book “Thinking Fast and Slow” explains many of the concepts in accessible terms. Kahneman and Tversky built on earlier studies that cut down an idea that now sounds quaint, the idea that humans act entirely rationally at the population or large group level. Even so, this idea was at the heart of much classical economic thinking.

You might not think at first that this seems entirely related to enterprise security. However, if you consider that the premise of behavioural economics is that people do not always make decisions that are entirely rational, you’d probably see the connection! In addition, the ideas that small (and sometimes even intangible) incentives and disincentives can be used to guide individual actions on a large scale are also very important. It is this second aspect which is of greatest use to the enterprise security practitioner.

Behaviour is at the heart of enterprise security, because people are every organisation’s greatest asset and often also their greatest risk. At its simplest, the key aim of good enterprise security is ensuring that individuals are encouraged to make the right decisions that benefit their organisation.

Behavioural economics works by assuming that in many cases, people making the ‘wrong’ decision within an organisation do so because they have imperfect information or lack the right incentives or disincentives.

Psychologists have also found that people can often exhibit a strong inclination to conform to social norms. The social norms change with the social groups that we participate in. Essentially, we often do things because our friends, colleagues, or those we admire, do.  Our friends and colleagues provide us with informational social influence or social proof. In plain English, we like to follow our herd and keep up with the Jones’.

Curiously though, we seem to struggle more with changing our minds than coming to a decision in the first place. The idea that when the facts change, people change their minds is a bit tricky for many. Associated with this curious aspect, researchers from Harvard Business School have claimed also that we tend to think we are more moral than we actually are and inhabit an “ethical mirage”.  This can mean there’s a disconnect between how we describe our decisions and how we actually behave. If we accept this somewhat unflattering portrait of human behaviour, it means that we tend to take a position that justifies our actions whatever they were, once we’ve made a decision. And we want more justification to change our minds than we needed to come to it in the first place!

But what if we could get people to make the ‘right’ decision in the first place. Then they wouldn’t have to justify wrong decisions. This is where the research findings of behavioural economics are tested at organisational and national scale.

Behavioural economics concepts are being applied at the public policy level by governments wanting to encourage certain behaviour without going to the expense of legislating compliance. It is expensive to make something illegal. Sometimes it is absolutely necessary e.g. murder, but the society has to create enforcement systems, pay the enforcers, and then who watches the watchers? Some enlightened government agencies are dabbling with the use of behavioural economics to achieve high levels of compliance.

In the UK and latterly also in Australia, the tax authorities have been attempting to use behavioural economics techniques. So called ‘nudge units’ have been set up to coax to get people to do their taxes by using social proof methods.  Informing taxpayers who are late paying that “90% of people pay their taxes on time” increases the rate of taxpayer compliance. This achieves the policy objective of getting timely tax payments, but does it in a way that won’t generate negative headlines. This in turn allows the tax agency to focus on individuals who are intentionally breaking the law, rather than doing so because life got in the way.

Another recent example has been the introduction of the “No Jab, No Pay” policy by the Australian Government where parents do not get all their family tax benefits unless they are willing to vaccinate their children. Rather than making it illegal for children to remain unvaccinated, the government has incentivised parents to vaccinate. This, added to significant social pressure from almost all the medical community, means that Australia’s childhood vaccination rates are generally very high and we see fewer distressing pictures of children with whooping cough around the country.

One interesting way that companies are using social proof is in encouraging households to save water and electricity. Increasingly, utility bills show householders where they stand in comparison to their suburb in terms of water or electricity use. The householder can then consider whether they want to moderate their behaviour. Literally to keep up with the Jones’!

Marketing firms use many behavioural economics techniques to encourage us to use particular products. Many of us take advantage of airline frequent flyer programs that give rewards for the flights taken by members. The extremely successful travel website, Tripadvisor awards points to its website users for the travel reviews that they produce. However, Tripadvisor points have absolutely no dollar value. They are valuable only to users in terms of social proof to that community that a member is a well seasoned traveller. You may have realised that the majority of social media operates in a similar way.

Why should enterprise security professionals consider using behavioural economics in their organisation?

It is expensive and time consuming to maintain rules for the increasingly complex environment that organisations operate in. Rules are difficult to write well and often only work in limited circumstances. The more detail, the more exceptions need to be built. Quite often rules also create a culture where individuals only follow the letter, not the spirit of the rules. This can contribute to the creation of a workplace which is not adaptable and where security is blamed for the problems of the organisation.

This can lead to situations where workers sometimes choose to circumvent organisational rules in order to achieve local goals. A worker might shortcut a process to ensure that their team are able to complete it faster. The individual might rationalise this as being good for their company in that the job is completed faster and good for themselves in that they can go home earlier. However, the decision that they have rationally come to might be the ‘wrong’ decision from the perspective of their organisation. The shortcuts that have been introduced may decrease organisational security.

How do organisations change this? By changing the decision-equation the worker takes when he or she makes that decision. This is very much the place of behavioural economics in enterprise security. Organisational messaging which demonstrates the social norms of the organisation from a security perspective are vital. So to are tools and procedures which endeavour where possible to make the secure decision, the easiest one to make.

In many ways the decision is very much linked to the ‘security culture’ of the organisation. The security culture is effectively the customs and practices of the organisation for whom the individual works.

Organisations are increasingly moving to principles and risk based frameworks in many areas including security because they find the sheer complexity of business overwhelming otherwise. This was one of the main drivers for the creation of the Australian Government’s Protective Security Policy Framework. The PSPF tries to get government agencies to focus on their security outcomes, rather than on process.

 

[Brain scan of white matter fibers, brainstem and above. The fibers are color coded by direction: red = left-right, green = anterior-posterior, blue = ascending-descending (RGB=XYZ). The Human Connectome Project, a $40-million endeavor funded by the National Institutes of Health, aims to plot connections within the brain that enables the complex behaviors our brains perform so seamlessly.MANDATORY CREDIT: Courtesy of the Laboratory of Neuro Imaging at UCLA and Martinos Center for Biomedical Imaging at MGH / www.humanconnectomeproject.org] *** []
Brain scan of white matter fibers, brainstem and above.  Laboratory of Neuro Imaging at UCLA and Martinos Center for Biomedical Imaging at MGH / www.humanconnectomeproject.org
Enterprise security professionals should be asking where they can apply these behavioural economics techniques in their organisations. The possibilities are varied and many, but one financial institution has used behavioural economics give nudges to staff regarding personnel security. In one case, to improve their reporting of change of circumstances by giving them a simple message that “most people in our organisation report their change of personal circumstances within four weeks”.

In the government space, there has been debate about whether it is possible to create an ‘information classification market’ which balances the need to classify information appropriately against the costs to organisation of over-classification in terms of long term storage and devaluation of security markings. Such a market could work by incentivising managers to ensure that staff were classifying information as accurately as possible. As always, the trick would be to ensure that the incentives matched the risk profile of the organisation.

Every organisation is different and so are the opportunities for using these techniques to improve your enterprise security.

For more information:

http://www.nobelprize.org/nobel_prizes/economic-sciences/laureates/2002/advanced-economicsciences2002.pdf

http://theconversation.com/the-potential-of-behavioural-economics-beyond-the-nudge-43535

http://www.immunise.health.gov.au/internet/immunise/publishing.nsf/Content/clinical-updates-and-news/$File/Update-No-Jab-No-Pay-Immunisation-Catch-Up-Arrangements(D15-1126865).pdf

www.hbs.edu/faculty/Publication%20Files/08-012.pdf

https://en.wikipedia.org/wiki/Social_proof

 

Security Solutions Magazine 100th EDAn earlier version of this article appeared in the 100th edition of Security Solutions magazine  http://www.securitysolutionsmagazine.biz/

Speaking at the ASIS Asia-Pacific Security Forum

ASIS Asia-Pacific Security Forum

Alex will be speaking at the ASIS Asia-Pacific Security Forum being held in Singapore 7-9 December 2014.

http://www.gratisography.com
Credit:www.gratisography.com

Alex will be talking about:

Resilience in an Information Centric World.

The best indicators of the future are the events of the past, yet the past is not an absolute indicator or future events. Outlier events are becoming more common and threatening the existence of organisations – Is enterprise risk management to be thrown out?

The vast majority of organisations that have ever existed are not around today. Of the top 25 companies on the US Fortune 500 in 1961, only six remained there in 2011.

The few that survive broadly did so for two reasons, which Alex Webling, Treasurer of the Australasian Council of Security Professionals will discuss with examples at ASIS Asia Pacific 2014 in Singapore.

I think we all understand that small businesses come and go, but this lesson is true for large organisations as well.Research carried out on fortune 500 companies in the USA showed that the average rate of turnover of large organisations is accelerating.  The turnover has reduced from around 35 years in 1965 to around 15 years in 1995.

Alex has talked about this topic before and will be expanding on his observations and research with conference participants about how they might assist their organisational longevity.

We hope to see you in Singapore.

The website for the conference is here and you can register here

 

 

Climate sustainability and resilience

Resilience for organisations is bound to their adaptability to climate change both in the short and long term.

A review of US public companies shows a number of climate related risks and costs. Their ability to adapt and become resilient to climate change is starting to affect their finances.

The document reveals that USA S&P 500 companies are seeing climate change related risks increase in urgency, likelihood and frequency, with many describing significant impacts already affecting their business operations, according to a new report from CDP, which collects environmental performance information on behalf of investors.

company

Threats include damage to facilities, reduced product demand, lost productivity and necessitated write-offs. The impact of these threats being realised comes with costs that can reach millions of dollars.

Importantly, the proximity of the threat is quite near. 45% of the risks S&P 500 companies face from extreme weather and climate changes are current, or expected to fall within the next one-to-five years, up from 26% just three years ago. 50% of these risks range from “more likely than not” to “virtually certain”. This is up from 34% three years ago.

Around 60 companies describe the current and potential future risks and their associated costs in the research, which highlights excerpts from the companies’ disclosures to their investors between 2011 and 2013. Ironically, even NewCorp made the following contribution to the report.

“Climate projection models make it difficult to know exactly how business might be impacted by episodic weather events. However, it is clear from past severe weather events that some of News Corporation’s businesses are susceptible to such extreme weather.”(p6)

The media release accompanying the report asserts that

Dealing with climate change is now a cost of doing business

Making investments in climate change related resilience planning both in their own operations and in the supply chain has become crucial for all corporations to manage this increasing risk.

Resilience Outcomes has the skills and expertise to help your organisation develop its organisational resilience strategy to take into account how it will adapt to the changing environment. contact us via the form below or at [email protected] to discuss your needs.

Download the full report here

CDP is an international, not-for-profit organisation providing the only global system for companies and cities to measure, disclose, manage and share vital environmental information. We work with market forces to motivate companies to disclose their impacts on the environment and natural resources and take action to reduce them

 

Organisational resilience – biological approaches

A biological approach to organisational resilience

By a lapsed microbiologist
 “Organisational resilience is only achievable through adaptability”
Wattle flower
Flowers are just an adaptation of normal leaf on plants, a combination of genes normally responsible for forming new shoots.   Photo by AWebling 2013
Too many leaders start believing their own press and thinking that they are able to predict the future. Whilst it is absolutely true that the best indicators of the future are the events of the past. It is also true that the past is not an absolute indicator of future events because our view of the past is limited by our record of it. Some events are so rare that they are not recorded, yet they may have extreme consequences if they occur. So if we cannot predict the future with certainty, how is longevity possible for organisations?  The answer is resilience, and at the core of resilience is adaptability.

The lesson from biology is that adaptation to the environment that has allowed organisms to survive and thrive. However large and seemingly terrible[1] an organism is, if it is not adapted to its environment it will become extinct. The vast majority of species that have ever existed are not around today.

The same is true for organisations.

The vast majority of organisations that have ever existed are not around today

In simple terms the story is the same for each failed organisation. They were unable to adapt to the business environment before they ran out of resources. Those that survive a crisis are able to do so for two reasons

1               They have the resources, capital personnel leadership etc to manage themselves out of a crisis once it hits emerging weaker but alive; or

2               They are prepared to adapt if a crisis arises and have developed a broad set of principles which will work with minimal change in most eventualities. These companies still suffer from the crisis at first, but emerge stronger in the longer term.

By my reckoning, 99% of companies that manage to survive a crisis are in the first category. In most cases, those companies are then consigned to a slow death (My Space anyone?). Sometimes however, the first crisis weakens them, but they then become more resilient and bounce back to ride future crises.

This is an era of organisational accelerated extinction

What is more, the ‘extinction rate’ for companies is becoming faster as society and technology changes more rapidly.

I think we all understand that small businesses come and go, but this lesson is true for large organisations as well. Of the top 25 companies on the US Fortune 500 in 1961, only six remained there in 2011.

Research carried out on fortune 500 companies in the USA shows[2] that the average rate of turnover of large organisations is accelerating.  The turnover has reduced from around 35 years in 1965 to around 15 years in 1995.

If you think about how much the world has changed since 1995 when Facebook barely existed and Google just did search, you might agree with the idea that organisations that want to stick around need to adapt with the changing environment.

So give me the recipe!

Bad news, there isn’t a hard recipe for a resilient organisation, just like there isn’t one for a successful company, but they all seem to share some common attributes such as agility and the ability to recover quickly from an event and an awareness of their changing environment and the willingness to evolve with it amongst others. This is difficult for a number of reasons.

1               increasing connectedness – interdependencies leading to increasing brittleness of society/organisations  – just in time process management – risks, in rare instances, may become highly correlated even if they have shown independence in the past

2               increasing speed of communication forces speedier decision making

3               increasing complexity compounds the effect of any variability in data and therefore the uncertainty for decision makers

4               biology –  Organisations operate with an optimism bias[3]. Almost all humans are more optimistic about their future than statistically possible. We plan for a future which is better than it is and do not recognise the chances of outlier events correct. Additionally, we plan using (somewhat biased) rational thought, but respond to crises with our emotions.

5               Organisational Inertia. The willingness to change organisational culture to adapt to a change in the environment.

Something about organisational culture and resilience

When discussing culture, resilience is more an organisational strategic management strategy, and less a security protocol. In this sense, Resilience is the ‘why’ to Change Management’s ‘how’. But both are focused on organisational culture.

Organisations, particularly large organisations, all have their own way of doing things. Organisational culture is built up because individuals within the organisation find reward in undertaking tasks in a certain way. This is the same whether we are talking about security culture or indeed financial practice. Organisational culture goes bad when the reward structure in the organisation encourages people to do things that are immoral or illegal.

Larger organisations have more inertia and so take longer to move from good to bad culture and vice versa. Generally most organisations that are larger than about 150[4] staff have a mix of cultures.

The more successful an organisation has been in the past, the more difficult (inertia) it will be to make change and so it becomes susceptible to abrupt failure. Miller coined the term ‘Icarus Paradox‘ to describe the effect and wrote a book by the same name. Icarus was the fictional Greek character who with his son made wings made from feathers and wax, but died when he flew too close to the sun and the wax melted, causing the feathers to fall out of the wings.

Maybe the Kodak company is the best example of this. An organisation that had been very successful for more than 100 years (1880 -2007), Kodak failed to make the transition to digital and to transition from film as fast as its competitors. The irony is that it was Kodak researchers who in the 1970s invented the first digital camera thus sewing the seeds for the company’s doom forty years later.

Where does my organisation start on the path

So what is the answer, how do we make sure that our organisations adapt faster than the environment that is changing more rapidly every time we look around? The only way is to begin to adapt to the changing environment before crises arise. This requires making decisions with less than 100% certainty and taking risk. The alternative is to attempt to change after a crisis arises, which historically carries higher risk for organisations.

It is a combination of many things –

  • developing an organisational culture which recognises these attributes which is supported and facilitated from the top of the organisation;
  • partnering with other organisations to increase their knowledge and reach when an event comes; and
  • Lastly engaging in the debate and learning about best practices

Are there two sorts of resilience?

But is resilience just one set of behaviours or a number.  When we think of resilient organisations and communities, our minds tend to go to the brave community / people / organisation that rose up after a high consequence event and overcame adversity. These people and organisations persist in the face of natural and manmade threats. Numerous examples include New York after the September 2001 events; Brisbane after the floods in 2011; and the Asian Tsunami in 2004.

However there is another set of actions, which are more difficult in many ways to achieve. This is the capacity to mitigate the high consequence, low likelihood events or the creeping disaster before a crisis is experienced. The US behaved admirably in responding to the 9/11 terrorist disaster after it had occurred, but as the 9/11 Commission Report notes, terrorists had attempted on numerous occasions to bring down the World Trade Center and come quite close to succeeding.

Last Thoughts

Life becomes resilient in that it is replicated wildly so that many copies exist, so that if some number fail, life can continue. Individual creatures carry DNA, which is all that needs to be replicated. Those creatures compete with each other and the environment to become more and more efficient. An individual creature may or may not be resilient, but the DNA is almost immortal.

How an organisation achieves this is the challenge that every management team needs to address if they want to achieve longevity.

If you wish to discuss any of the issues in this whitepaper, please contact us



[1] noting that the word dinosaur is directly translated as terrible lizard

[2] http://www.kauffman.org/uploadedFiles/fortune_500_turnover.pdf

[4] Dunbar number

Information Declassification – A way for governments to save money and improve their information security

In the digital world it is very easy to create data, very difficult to get rid of it

Like us all, government agencies are creating huge amounts of information. Lots of it is classified either to protect privacy or for national security. This is what should happen, classification is an important aspect of information security.

What is data classification?

It is the process of assigning a business impact level to a piece of data or a system. This then governs how many resources are directly devoted to their protection. By classifying documents and systems an organisation makes risk managed decisions on how information is protected.

Graphic by Mark Smiciklas
Graphic by Mark Smiciklas, Flickr.com/photos/intersectionconsulting

Digital data wants to be free and it is expensive to ensure confidentiality if you also want to maintain data integrity and availability.

However over-classification of information can be as bad for an organisation as under classification. This is particularly true of large government organisations.

In addition, Government agencies tend to be risk averse places anyway – which on balance is a good thing!

So how could governments shift the classification balance, improve security and improve efficiency in agencies?

The problem is that the person who classifies data or systems does not have to pay for the cost of their actions in classifying. In fact, the individual avoids personal risk if a  piece of data is over-classified. However their agency has to wear the added expense.

Gentle readers, we have a problem of incentive imbalance!

Suppose it costs $100 to store a Secret document for its lifetime and $10 to store an everyday unclassified document. If governments placed a nominal value on document creation relative to the whole of life costs, it might be possible to stem the tide of increasing amounts of classified data.

If under this scheme a government employee wishes to create a secret classified document, they would need to find $100 in their budget to do so. In this case the employee might consider producing an unclassified document or one that was slightly classified. I argue that this market based approach to declassification would have far more effect than more rules.

A plan for implementation

So how might the plan be implemented in the tight fiscal environment that government agencies currently face, even though it is likely to save money long term?

  1. Survey government agencies to see how many classified pieces of data they produce each year by type. eg, there might be 500 top secret data pieces and 1000 secret.
  2. Assign a dollar value to each document according to the level of protection it receives. This bit would require a bit of research or possibly a pilot scheme.
  3. Based on the previous year’s classified information output, each agency is given a declassification budget. It might be considered that as this task was one that the agency should have been doing previously, that there is no requirement for central funding.
  4. Require each agency to report the numbers of classified data produced.
  5. Agencies that produced too many classified documents would need to pay the treasury a fine equivalent to the cost of storing the extra documents in archives.
  6. Agencies that produced fewer pieces of data than the previous year would receive a windfall.

That’s it in a nutshell. As governments produce more data, they will need to store it. Balancing the incentives to overclassify and underclassify data will help ensure that information is properly protected.

I’d love to hear your ideas, please make a comment

Alex

 

 

Cybersecurity – keep your head

The Australian Attorney-General’s Department released the 2012 Cyber Crime and Security Survey on 18 February. Reading the press that accompanied it eg Cyber criminals struck one in five top Australian businesses, and similar surveys in past years, you might be forgiven for thinking that we are on the precipice of a cyber armageddon!

There is no denying that the threat, vulnerability and consequence of cyber attack to organisations is increasing steeply.
Luckily all is not lost, organisations can minimise their attack surface significantly. How, by taking a holistic approach to their information security which blends appropriate physical, personnel and IT security mitigations.  This, with a well thought out response and recovery plan can produce layered security and lead to a resilient organisation able to sail the ‘cyber seas’ with confidence.

In the IT space, doing the basics well can protect against all but the most sophisticated attacks
In the IT space, doing the basics well can protect against all but the most sophisticated attacks

The survey in question was conducted on behalf of the Australian Computer Emergency Response Team (CERT.au), part of the Attorney-General’s Department. CERT’s 450 client organisations were sent the survey and 255 responded. Whilst the survey numbers are small and therefore become statistically unreliable very quickly, the clients of CERT.au are vital to Australia.  Generally CERT.au client organisations are part of Australia’s critical infrastructure. They include utilities, telecommunications providers, financial institutions and also mining companies.

That said, there are some interesting figures.

  • 22% of respondents (around 55) said that they knew that they had had a cyber incident in the last 12 months. Of more concern were that 9% of respondents reported that they “didn’t know”.
  • 50% of respondents (ie 127) said considered that they had been subjected to targeted attacks.

The most common reported cyber incident was ‘loss of a notebook / mobile device’ ; followed by virus infection;  trojan/rootkit; unauthorised access; theft /breach of confidential information; and denial of service attack. This seems odd, I find it difficult to reconcile loss of a laptop with hackers sitting in bunkers outside Shanghai and target key espionage targets.  The concerning question is whether respondent companies are only seeing the easy to spot attacks ie missing laptop, computer not working because of virus etc and not the more sophisticated level, ie stealth attack that exfiltrates data to foreign lands.

The survey authors also reiterate an oft made point about the ‘trusted insider’ that

“Many companies spend the majority of their IT security budget on protection from external attacks. But the figures above serve as a reminder that internal controls and measures are also important, to ensure that internal risks are also managed”.
This is a relic of the perimeter approach to information security, the us and them approach. It doesn’t work anymore because the network has no discernible boundary in the modern interconnected organisation.

Delving further into the report it is interesting to look at contributing factors to attacks. The relevant table is replicated here. Almost all of the contributing factors can be wholly mitigated, with the possible exception of “attractiveness of your organisation to attack” and arguably “Sophisticated attacker skill which defeated counter-measures in place”.

Source www.cert.gov.au  – Cyber Crime and Security Survey Report 2012

In any case, we sometimes forget that the spectrum of resilience involves prevention preparation, response and recovery. Organisations need to be agile, they need to work hard to prevent and prepare for loss or compromise of sensitive information, but accept that it is not possible to repel every attack. For this reason, resources need to be allocated to response and recovery.

Another important point is about the vital role of computer emergency response teams (CERTs). CERTs, are like the white blood cells in our bodies, they share information which help their clients protect themselves.
The other way to think about it is that the bad guys take advantage of the information superhighway by sharing information at the speed of light about vulnerabilities in different systems and new attack techniques, so why shouldn’t the good guys? I’ve written about this previously.  The problem is always, that the bad guys have an advantage. As the IRA said after the Brighton bombings in 1984 which almost wiped out the then UK Prime Minister Margaret Thatcher….

“Today we were unlucky, but remember we only have to be lucky once”

So do the hackers.

Alex

Back To Top

Cyber security focus in the oil and gas sector to increase significantly

Energy companies will need to significantly increase their focus on cyber security in the next three to five years if they wish to keep ahead of the increasing risks to their business from direct cyber attack and malware.

Oil and Gas 32 by Michael Dance http://www.flickr.com/photos/gpmarsh/page4/

The Oil and Gas sector will need to invest around $1.87 Bn USD into upgrading its SCADA* and general corporate systems to defend against direct cyber attack and malware, according to technology intelligence company, ABI research.

There have been several attacks targeted at oil and gas firms in the last two years, including:

  • Night Dragon in 2011. Originating from China according to McAfee. The attacks were a mixture of social engineering and unsophisticated hacks with the aim of gaining access to corporate forecasts and market intelligence from petrochemical firms. Most alarming was the assertion by McAfee that it had been undetected for up to four years.
  • Shamoon targeted Saudi Aramco in 2012, taking out up to 30,000 workstations. This attack has been linked to (and disputed by) Iranian interests.

The examples given are or attacks on energy companies’ corporate systems. The fear is that issue motivated groups or nation states might now choose to attack poorly protected SCADA systems owned by oil and gas companies.  The ability to do this has been demonstrated in the wild with Stuxnet, but not on energy installations.

 

What are the key security issues surrounding SCADA systems?

  • The general observation that SCADA systems are built for throughput, and security is bolted on as an afterthought, rather than being built in at the design stage.
  • An overemphasis on security through obscurity, with the belief that the use of specialised protocols and proprietary hardware provides more than cursory protection against cyber-attack. Better to assume the enemy knows or will know the system.
  • Over-reliance on physical security to provide protection
  • An assumption that the SCADA system can be kept unattached to the Internet and therefore will be secure.

A bit of background.

SCADA systems have been around since the mainframe era. However, these systems were based on proprietary hardware and software and they weren’t connected to open systems. The main threat to these systems was the ‘trusted insider’, such as when a disgruntled contractor, Vitek Boden used his knowledge and some ‘acquired’ proprietary hardware to cause sewage to overflow in a plant in Maroochy Shire, Queensland.

In the 1990’s, SCADA systems began to be built using the same technology as the Internet (TCP/IP) and early this century, companies began to connect these systems to the Internet.  In 2010, Stuxnet apparently caused centrifuges to spin out of control and self-destruct in nuclear processing plants at Natanz in Iran. Attribution is difficult, but the finger is alternately pointed at Israel and the USA (or both).

 What next?

Organisations, particularly in the oil and gas industry need to change their approach to cybersecurity and take a holistic and strategic view. This starts at the board level and requires a cultural change. This does not necessarily mean buying the latest machine that goes ‘ping’. It does mean thinking about how to integrate security at the core of the business, just like finance and HR.

 ———-

More info from ABI research

SCADA – Supervisory Control and Data Acquisition

Claude Shannon‘s maxim  “The enemy knows the system.”

Photo: Matthew Dance, used under creative commons – http://www.flickr.com/photos/gpmarsh/page4/ 

Visualising organisational resilience

Resilience

I’ve been trying to summarise organisational resilience into a form that can be visualised for some of the people who I’m working with. The key has been to summarise the thinking on resilience as succinctly as possible.

Apart from the diagram you can see, the text below attempts to give concise answers to the following questions

  1. What is it (Resilience)?
  2. Why should my organisation care about resilience?
  3. Why is detailed planning not working anymore (if it ever did)?
  4. What’s the recipe for resilience?
  5. How does an organisation develop these characteristics?
  6. Resilience before and after (a crisis)
  7. How does nature do resilience?

 

Resilience in a mindmap

Visualising resilience is itself an exercise in complexity

The diagram should be A3, so You can download a pdf version here resilience in a mindmap PDF

Let me take you on a journey …

What is it?

Resilience is about the ability to adapt for the future and to survive. Whether that is for an organisation, country or an individual.
What seems sometimes forgotten is that the adaptation is best done before a crisis!
And here Resilience is more an organisational strategic management strategy, and not a security protocol. In this sense, Resilience is the ‘why’ to Change Management’s ‘how’

Why should my organisation care about resilience?

Research shows that the average rate of turnover of large organisations is accelerating. from around 35 years in 1965 to around 15 years in 1995. Organisations that want to stick around need to adapt with the changing environment.

Organisations know that they need to change to survive, but today’s urgency overrides the vague need to do something about a long term problem.  For this reason, crises can be the  catalyst for change.

Resilience is about dealing with organisational inertia, because the environment will change. The more successful an organisation has been in the past, the more difficult it will be to make change and so it becomes susceptible to abrupt failure. Miller coined the term ‘Icarus Paradox‘ to describe the effect and wrote a book by the same name. Icarus was the fictional Greek character who with his son made wings made from feathers and wax, but died when he flew too close to the sun and the wax melted, causing the feathers to fall out of the wings.

It is possible that Eastman Kodak is the best example of this trait. An organisation that was very successful between 1880 and 2007, Kodak failed to make the transition to digital and to move out of film fast enough.

Why is detailed planning not working?

Simply put, the world is too complex and the outliers becoming more common

  1. increasing connectedness – interdependencies leading to increasing brittleness of society/organisations  – just in time process management – risks, in rare instances, may become highly correlated even if they have shown independence in the past
  2.  speed of communication forces speedier decisionmaking
  3. increasing complexity compounds the effect of any variability in data and therefore the uncertainty for decisionmakers
  4. biology –  we build systems with an optimism bias. Almost all humans are more optimistic about their future than statistically possible. We plan for a future which is better than it is and do not recognise the chances of outlier events correct. Additionally, we plan using (somewhat biased) rational thought, but respond to crises with our emotions.

So if

  • we can’t predict the outlier events and
  • this makes most strategy less useful– especially that which is written and gathers dust without being lived ,

maybe we can be more resilient when we run into the outliers. What Taleb calls the Black Swans in the book of the same name.

Taleb’s book is available from Book Depository and is well worth the read, even if he can’t help repeating himself and dropping hints about fabulous wealth.

What’s the recipe for resilience?

Bad news, there isn’t a hard recipe for a resilient organisation, just like there isn’t one for a successful company, but they all seem to share some common attributes such as:

  • Agility and the ability to recover quickly from an event and,
  • an awareness of their changing environment and the willingness to evolve with it amongst others.

How does an organisation develop these characteristics?

It is a combination of many things –

  • developing an organisational culture which recognises these attributes which is supported and facilitated from the top of the organisation;
  • partnering with other organisations to increase their knowledge and reach when an event comes; and
  • Lastly engaging in the debate and learning about best practices

 Resilience before and after (a crisis)

But is resilience just one set of behaviours or a number.  When we think of resilient organisations and communities, our minds tend to go to the brave community / people / organisation that rose up after a high consequence event and overcame adversity. These people and organisations persist in the face of natural and manmade threats. Numerous examples include New York after the September 2001 events; Brisbane after the floods in 2011; and the Asian Tsunami in 2004.

However there is another set of actions which are more difficult in many ways to achieve. This is the capacity to mitigate the high consequence, low likelihood events or the creeping disaster before a crisis is experienced. The US behaved admirably in responding to the 9/11 terrorist disaster after it had occurred, but as the 9/11 Commission Report notes, terrorists had attempted on numerous occasions to bring down the World Trade Center and come quite close to succeeding.

In this thought may be one of the best argument for blue sky research. Serendipity – wondering through the universe with your eyes open to observe what’s happening around you, rather than head down and focussed only on one task – is this the secret to innovation?

How does nature do resilience ?

Life becomes resilient in that it is replicated wildly so that many copies exist, so that if some number fail, life can continue. Individual creatures carry DNA, which is all that needs to be replicated. Those creatures compete with each other and the environment to become more and more efficient. An individual creature may or may not be resilient, but the DNA is almost immortal.

How an organisation achieves this is the challenge that every management team needs to address. Over the next posts I will expand more

😉

back to top

“It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is most adaptable to change”

The quote above has been often misattributed to Charles Darwin. But according to the Darwin project, it is actually a quote from Leon Megginson* in the 1960s paraphrasing Darwin in a management journal.

Now that I have done my bit to put that meme to bed, it is worth considering whether there is value in the concept or whether it is a dangerous oversimplification. And the answer is…

.. It depends!

You didn’t really think there was a black or white answer to this. The facts, such as we have, are that there are very few companies around today which are in the same form. Indeed, Mark Perry’s in his excellent economics blog Carpe Diem presents a chilling picture comparing the US fortune 500 from 1955 and 2011.

Of the 500 companies on the list in 1955, fewer than one in seven are still on the list in 2012! Only 57 years later. I say only 57 years, because it is less than the lifespan of an average western person.

So what happened to the rest, the other 6 in 7? They have either gone bankrupt, been privatised, merged, or their fortunes have gone south to the point that they are under the Fortune 500.

The parallels between evolution and raw capitalism are hard to resist. Indeed, although this may be a bridge too far, there may even be a parallel between evolutionary eras such as the Cambrian Explosion and the current communications technology fuelled business environment. As such, the life expectancy of companies seems to be getting less as the speed of global communications increases.  Steve Jobs is quoted in Forbes Magazine suggesting “why decline happens” at great companies: “The company does a great job, innovates and becomes a monopoly or close to it in some field, and then the quality of the product becomes less important. The company starts valuing the great salesman, because they’re the ones who can move the needle on revenues.” So salesmen are put in charge, and product engineers and designers feel demoted: Their efforts are no longer at the white-hot center of the company’s daily life. They “turn off.”

Maybe another way to say this is that all organisations must have purpose, whether that is a government agency or a company. The widgets (for want of a better description) might be policy or law in the case of a government agency; cars in the case of a car company; or services in the case of a services organisation. If the organisation maintains its focus on why it exists, then it can maybe adapt and survive beyond the average – however, this is hard work and most will end up like trilobites, ubiquitous one day, fossils the next.

Alex

Trilobite fossil – Photo by kevinzim – http://www.flickr.com/photos/[email protected]/43243889/

*Megginson, L. C. (1964). “Key to Competition is Management.” Petroleum Management, 36(1): 91-95.