The siege in a chocolate shop in Sydney’s CBD ended early this morning AEST. Three people died, including one purported to be the gunman Haron Monis.
There will necessarily be intense scrutiny on the forces used to resolve a violent event. However, it is important to remember that they do not happen in isolation.
The factors that lead us to these events are always complex and often have geo-political, sociological and psychological underpinnings. In this case, the gunman, was a convicted criminal and seems to have latched on to the idea of violent jihad to justify his own failings.
This is the time for cool heads. It is far more effective and efficient to invest in efforts which counter radicalism before it descends into violence. To that end, we should remember the quiet work of those who enfranchise the disenfranchised and seek to strengthen social cohesion.
It is these people, who make our way of life so great.
Governments at all levels must lead in these efforts. Politicians must remember, whatever their political colour, that radicalism is a complex societal issue, not a sound bite. Else we descend into barbarism.
As a society, we must remember that the work of all members of the civil society needs to be focussed on countering radicalism.
This event received so much coverage precisely because it is uncommon in Australia
Just remember that the reason this event received so much coverage in the media is precisely because it is so rare. And of course, it was across the road from the HQ of one of the big Australian TV channels.
Yet, at the same time across the world, six people died, one was wounded, and the gunman escaped in a shooting in Philadelphia. In that case, it seems that the gunman is a mentally disturbed ex soldier.
Yet, although it was reported, multiple shootings are depressingly common in the US. They are even more common in parts of Africa, and often the reports don’t even make it beyond the local news.
It all comes back to risk and societal resilience, because when citizens are allowed to panic, governments start using extreme measures in our names. Professionalism in risk and security is about understanding the difference between perception and reality and taking an evidence based approach to dealing with the issues.
A culture of entitlement is corrosive in a government agency or any organisation
I’ve just come across a USA government document which is both fun to read and educational. Its called the Encyclopedia of ethical failure 2013, its published by the US Defense department. The dry title doesn’t do this piece justice, I think the title should be “A culture of entitlement in an organisation is corrosive”.
A culture of entitlement is corrosive just like acid
The reason that you should be reading it is that it is a series of sometimes funny and tragic stories about how employees forget that the employee/employer relationship is a two-way street. Maybe it is also about how employers forget that their staff are human. They sometimes do dumb things and forget about the consequences of their actions.
Steven Dubner from Freakanomics interviewed the current and past editors Steve Epstein and Jeff Green. Interestingly they said that it was difficult to find common characteristics (M/F, race, religiosity, seniority) between the people who did these things. Green and Epstein suggested that they all didn’t think about the consequences of their actions properly. The other thing to notice is that security people, intelligence officers and lawyers commit these crimes too.
Maybe as a collection these are cases of a man or woman failing to identify the full consequences of their actions. I could put it in risk terms, individual failure to realise initial risk and downstream consequences when the they get caught.
The other observation that is interesting is that some people are cheap to bribe. Some of these people lost their careers and potential earnings of millions of dollars over a lifetime for hundreds of dollars in cash or kind. This is an sign that the perpetrators haven’t thought about personal risk and/or their decision-making is visceral. It makes me wonder whether one possible mitigation against fraud is teaching employees decision-making to improve the way that they weigh up alternatives. Maybe the SWOT analysis is the best preventative tool against fraud!
Because the document was written by the US Defense department, it has a military flavour, but the examples run the gamut of the US Federal public service. Here are some of my favourite excerpts. I’m sure you’ll get a laugh out of these and some food for thought. Maybe some of these are familiar in your organisation…..
FBI Undercover Parties
According to an FBI report, upon the retirement of a senior FBI official, FBI personnel from around the country journeyed to Washington to attend the official’s retirement party. Many out-of-town G-men traveled on official orders and public expense. According to their travel orders, the purpose of the trip was to attend an ethics conference! According to the news report, only five people actually attended the ethics forum.
“But, Judge, I didn’t get anything!”
An offshore safety inspector found much of the Government’s equipment to be in need of repairs to meet safety standards. He then referred the business to his brother-in-law’s repair shop. The rig operators smelled a rat and called the FBI. They discovered that, in return for each referral, the brother-in-law was treating the inspector to an evening with a lady of dubious morals.
The case was brought to trial. In his defense, the inspector claimed that he had not received a “thing of value” in return for the referral. The judge didn’t buy it – and neither did his wife.
Courting Trouble
A former official of the U.S. Tax Court, Fred Fernando Timbol Jr., was sentenced to 18 months in prison and three years of supervised release in connection with a bribery conspiracy.
Timbol was a facilities services officer in the Facilities Management Section of the U.S. Tax Court. Timbol was responsible for assisting in the award of contracts to contractors who provided maintenance, construction, and other related service to the Court. Timbol admitted to soliciting and accepting over $12,000 from a government contractor in exchange for rigging the award of at least six inflated contracts. As part of a plea agreement and by order of the court, Timbol also agreed to pay restitution of $24,143.
DVD Bootleggers MIA During Government Work Hours
A Federal employee used his Government computer to make illegal copies of commercial DVDs in violation of copyright laws. He and another employee also used their Government computers and duty time to watch the movies. The other employee took lunches lasting up to three hours in order to watch the DVDs and take naps. Initially the employees’ supervisors signed off on this behavior, even assigning extra work to others to make up for the employees’ time wasted napping and movie watching. The employee who copied the DVDs received a written reprimand. The supervisor received an oral admonishment for failing to address the misconduct, and another employee received a Letter of Counseling for knowingly accepting a pirated DVD. In a similar case, a civilian employee working for the U.S. Army in Germany was involved in selling pirated DVDs. He used the profits from his illegal operation to buy vacation homes and luxury cars and to pay for frequent European ski vacations. He devoted some of his duty time to the marketing and selling of the bootleg videos, including taking payments while on the job. Even though the employee had left Federal service by the time the accusations against him were substantiated, administrative action was taken to bar him from US Army Europe installations.
This next one is interesting because of the recent Asiana crash
FAA Employee Sentenced for Bribery
A former employee of the Federal Aviation Administration (FAA) was convicted of bribery. In carrying out his primary responsibility of reviewing and processing applications for FAA-issued pilot certificates, the employee accepted bribes of $2,000 and an all-expense paid trip to Korea in exchange for preferential treatment of applications for Korean pilots from the flight school, Wings Over America.
The employee was sentenced to pay a $2,000 fine and serve four months in prison, followed by three years probation for violating 18 U.S.C. 201(b)(2). Bribery occurs when a public official seeks or accepts anything of value in return for being influenced in the performance of an official act.
government Lawyer in Tucson Illegally Possesses Sheep Skull and Horns
The Assistant U.S. Attorney (AUSA) prosecuted an individual for illegally killing a bighorn sheep on an Indian Reservation. As a result of the prosecution, the hunter forfeited the bighorn sheep and trophy (skull and horns), valued at approximately $5,000, to the Arizona Game and Fish Department. Pursuant to a request from the AUSA, the Arizona Game and Fish Department entered into an agreement with the AUSA allowing him to publicly display the skull and horns in his office, but requiring their return upon request. However, after leaving employment with the U.S. Attorney’s office, the AUSA took the skull and horns with him and treated them as his personal property. When the former AUSA was questioned a year later about his possession of the skull and horns, he claimed that an unspecified Indian had sent the skull and horns to him in appreciation for his work on the prosecution of the hunter. Investigation showed that such a gift would have been contrary to tribal practices and no member of the tribe could be found who knew anything about the alleged gift.
CIA Employee Drives Overseas Auto Scheme
As a U.S. Federal employee residing in Egypt, the CIA agent discovered that he could purchase an imported vehicle in Egypt without having to pay the normal 150% excise tax. This fact had created a black market in which Egyptian car brokers would pay U.S. employees to register luxury cars in their names in order to allow the dealers to evade import taxes. Investigators found that while in Cairo, Egypt, the employee had agreed to accept $25,000 in exchange for changing the status of his personally-owned vehicle with the Egyptian Ministry of Foreign Affairs, which would allow him to participate in the scheme
———————–
So there’s some of the highlights from my perspective. You can download the full document here (163 pages). You’ll find that it references most vices! What do you think about the alternative title – “A culture of entitlement in an organisation is corrosive”?
You may have heard recently about the efforts being promoted by the USA and Australia amongst others to promote trusted online identities. There are also significant efforts in the private sector to develop online trust systems.
Trust will be the currency of the new economy as it was in the mediaeval village. During the late 19th and early 20th Century, formal identity credentials gradually replaced more informal systems of identifying people that we interacted with. Increasing population and technology drove this change. It was simply impossible to know everybody that you might deal with and so societies began to rely on commonly used credentials such as drivers’ licences to prove identity and ‘place’ in society. Of course, drivers’ licences don’t say much if anything about reputation. But if you think about high value financial transactions you establish your identity and then you give a mechanism to pay for the transaction. Although in most cases it wouldn’t matter who you are, it gives the vendor some comfort that the name on your driver’s licence is the same as on your credit card and makes it just that bit more difficult to commit fraud on the vendor if the credit card isn’t legit. However this isn’t the case with interbank lending. Most of this is done on a trust basis within the ‘club’ of banks and it is only at a later time that the financials are tallied up for the day.
You can’t trust who or what is on the other end of the keyboard just because of what they say
What is a trusted ID?
Most simply, trusted online identity systems are the online equivalent of a physical credential such as a drivers’ licence used to give evidence of identity online. They can (but don’t have to) also be the basis for online reputation. They may also say something about the rights of the credential holder, such as that they are a resident in a particular country.
Which countries are developing trusted identity systems
The program in the USA is called NSTIC – National Strategy for Trusted Identities in Cyberspace. In Australia, the Prime Ministers’ department has been investigating the possibility of a trusted identity system as part of its work on a cyber policy paper which was due to be released ‘early in 2012’. At the same time, Australia has undertaken a number of processes of service delivery reform, government 2.0 and e-health. All without necessarily solving the problem of identifying whom they are dealing with online. The USA has gone beyond the planning stage and announced that it will move forward on development. As I mentioned recently. NIST has announced grants for pilot projects in NSTIC.
Some countries have already implemented online identity systems simply by migrating their physical identity cards online and allowing these to be used as trusted online systems. A number of Asian countries including Malaysia, Hong Kong and Singapore have proportions of their online services available through such means. Estonia probably leads the world in online service delivery with around 90% of the population having access to an online ID card and around 98% of banking transactions being via the Internet. More information at the Estonia EU website. While NSTIC was issued by the USA government, it calls for the private sector to lead the development of an Identity Ecosystem that can replace passwords, allow people to prove online that they are who they claim to be, and enhance privacy. A tall order which runs the risk of creating an oligopoly of identity systems driven by corporate interests and not one which suits users. It may be a signal of things to come that Citibank and Paypal have recently been accepted to lead development of the NSTIC. There are also a number of private sector initiatives which come at the issue from a different perspective. Beyond Paypal, Google Wallet and the recently announced Apple Passbook are interesting initiatives which give some of the attributes of a trusted identity.
Why might we want one?
As more services go online from both government and business and more people want to use them there will be an increased demand for a way of proving who you are online without having to repeat the process separately with each service provider. In some ways this is already happening when we use PayPal to buy products not only on eBay, where it originated but also on Wiggle.co.uk and many others. The problem is that different services need different levels of trust between the vendor and the purchaser. Thinking about a transaction in terms of risk… The majority of private sector transactions online carry equal risk for both the vendor and customer. In that the customer risks that he or she won’t get a product or service from the transaction and the vendor risks that they won’t get the cash. Here online escrow services such as Transpact, or PayPal can help.
Where this doesn’t work well is where there complexity to the transaction. The banking or government services sector are key areas where this is the case. Here the vendor must know their customer. One area might be analysing whether a customer can pay for a service on credit. Another is in applying for a passport, you need to prove that you are a citizen and pay a fee. However, the intrinsic value of the passport is far greater than the face value, as shown by the black market price. The result to the government if it issues the passport to the wrong person is not the value of the nominal fee, but closer to the black market value of the passport.
As a result, we are at an impasse online, in order for more ‘high trust’ services to go online the community has to have more trust that people are who they say they are.
Who might need a trusted identity?
If you take the Estonian example, 90% of the population. Most of us carry around some form of identity on our persons that we can present if required. In some countries, it’s the law that a citizen must carry their identity card around with them. In Australia and Canada and other countries, it’s a bit more relaxed. In the end the question will be whether a trusted id is used by customers and required by vendors. This will be influenced by whether there are alternative ways of conveying trust between people and institutions which are independent of the concept of identity in the traditional sense of the word
Next time:
What are the security and safety implications of a trusted identity and a discussion of about social footprint and whether this may overtake government efforts
A legislative approach that defines as ‘sensitive’ any biometric measurement shows a lack of common sense and understanding of the science.
A better approach would be to protect those aspects of sensitive personal information (eg sexuality, political opinion, racial / ethnic origin) collected by any means, making legislation independent of technology.
An interesting paper was published in the most recent International Journal of Biometrics. Finnish scientists have developed a biometric measure using saccade eye movements. Saccade eye movements are the involuntary eye movements when both eyes move quickly in one direction. Using a video camera to record movement, this biometric measure can be highly correlated to an individual.
What is important is that there are large numbers of these life (bio) measurements (metrics) being discovered as scientists look more closely at human physiology and behaviour.
The use of biometric identification technologies sees biometric information (eg eye movement) converted into a series of digits (a hash), which can be statistically compared against another series of digits that have been previously collected during the enrolment of an individual to use a system (eg building access control). A biometric ‘match’ is a comparison of the number derived from the collection of a biometric during enrolment with the number that is elicited during verification. In the real world, these ‘numbers’ are nearly always slightly different. The challenge is to make a system able to allow an individual to get a match when he/she seeks verification and to ensure that the bad guy is repelled.
Generally speaking, biometric identity systems are not primarily designed to determine information that might be used to elicit sensitive personal information. Nor is it practical to reverse-engineer the biometric because of the intentional use of one-way mathematical functions and the degradation of data quantity collected. This means that one person would be hard pressed to elicit any information that might be used to discriminate against another with access to this series of digits.
The word ‘biometric’ seems to send shivers down the spines of some privacy advocates. I suggest it is because most, if not all, are not scientists but lawyers. But these biometric systems are just the current technology. Many critics of biometrics forget that like any tool, it depends on how it is used. The old saying that fire is a ‘good servant, but a bad master’ is equally true of biometrics.
What seems lacking in common sense is that legislation in several countries (including in Australia) puts up a barrier for the use of biometrics for purposes that protect the privacy and safety of people and organisations.
The information that a biometric collects is not necessarily sensitive information –I don’t really care if you know how often I blink. In fact, a photo of me is more likely to give you information about me that I am sensitive about.
The danger with this approach is that people focus on the technology being ‘bad’ and not on the fact that it is the sensitive information which is potentially harmful. Biometrics can be privacy enhancing, particularly as they can add additional layers to securing claims about identity and be used to protect individuals and organisations from becoming victims of identity fraud.
Disaggregating biometrics from ‘sensitive information’ and considering technology on the basis of what (sensitive information – gender, medical information, religious affiliation etc) it collects about an individual would more appropriately provides a course of protecting personal information. This of course would avoid stifling the practical application of technology.
I’ve been trying to summarise organisational resilience into a form that can be visualised for some of the people who I’m working with. The key has been to summarise the thinking on resilience as succinctly as possible.
Apart from the diagram you can see, the text below attempts to give concise answers to the following questions
Resilience is about the ability to adapt for the future and to survive. Whether that is for an organisation, country or an individual.
What seems sometimes forgotten is that the adaptation is best done before a crisis!
And here Resilience is more an organisational strategic management strategy, and not a security protocol. In this sense, Resilience is the ‘why’ to Change Management’s ‘how’
Why should my organisation care about resilience?
Research shows that the average rate of turnover of large organisations is accelerating. from around 35 years in 1965 to around 15 years in 1995. Organisations that want to stick around need to adapt with the changing environment.
Organisations know that they need to change to survive, but today’s urgency overrides the vague need to do something about a long term problem. For this reason, crises can be the catalyst for change.
Resilience is about dealing with organisational inertia, because the environment will change. The more successful an organisation has been in the past, the more difficult it will be to make change and so it becomes susceptible to abrupt failure. Miller coined the term ‘Icarus Paradox‘ to describe the effect and wrote a book by the same name. Icarus was the fictional Greek character who with his son made wings made from feathers and wax, but died when he flew too close to the sun and the wax melted, causing the feathers to fall out of the wings.
It is possible that Eastman Kodak is the best example of this trait. An organisation that was very successful between 1880 and 2007, Kodak failed to make the transition to digital and to move out of film fast enough.
Why is detailed planning not working?
Simply put, the world is too complex and the outliers becoming more common
increasing connectedness – interdependencies leading to increasing brittleness of society/organisations – just in time process management – risks, in rare instances, may become highly correlated even if they have shown independence in the past
speed of communication forces speedier decisionmaking
increasing complexity compounds the effect of any variability in data and therefore the uncertainty for decisionmakers
biology – we build systems with an optimism bias. Almost all humans are more optimistic about their future than statistically possible. We plan for a future which is better than it is and do not recognise the chances of outlier events correct. Additionally, we plan using (somewhat biased) rational thought, but respond to crises with our emotions.
So if
we can’t predict the outlier events and
this makes most strategy less useful– especially that which is written and gathers dust without being lived ,
maybe we can be more resilient when we run into the outliers. What Taleb calls the Black Swans in the book of the same name.
Taleb’s book is available from Book Depository and is well worth the read, even if he can’t help repeating himself and dropping hints about fabulous wealth.
What’s the recipe for resilience?
Bad news, there isn’t a hard recipe for a resilient organisation, just like there isn’t one for a successful company, but they all seem to share some common attributes such as:
Agility and the ability to recover quickly from an event and,
an awareness of their changing environment and the willingness to evolve with it amongst others.
How does an organisation develop these characteristics?
It is a combination of many things –
developing an organisational culture which recognises these attributes which is supported and facilitated from the top of the organisation;
partnering with other organisations to increase their knowledge and reach when an event comes; and
Lastly engaging in the debate and learning about best practices
Resilience before and after (a crisis)
But is resilience just one set of behaviours or a number. When we think of resilient organisations and communities, our minds tend to go to the brave community / people / organisation that rose up after a high consequence event and overcame adversity. These people and organisations persist in the face of natural and manmade threats. Numerous examples include New York after the September 2001 events; Brisbane after the floods in 2011; and the Asian Tsunami in 2004.
However there is another set of actions which are more difficult in many ways to achieve. This is the capacity to mitigate the high consequence, low likelihood events or the creeping disaster before a crisis is experienced. The US behaved admirably in responding to the 9/11 terrorist disaster after it had occurred, but as the 9/11 Commission Report notes, terrorists had attempted on numerous occasions to bring down the World Trade Center and come quite close to succeeding.
In this thought may be one of the best argument for blue sky research. Serendipity – wondering through the universe with your eyes open to observe what’s happening around you, rather than head down and focussed only on one task – is this the secret to innovation?
How does nature do resilience ?
Life becomes resilient in that it is replicated wildly so that many copies exist, so that if some number fail, life can continue. Individual creatures carry DNA, which is all that needs to be replicated. Those creatures compete with each other and the environment to become more and more efficient. An individual creature may or may not be resilient, but the DNA is almost immortal.
How an organisation achieves this is the challenge that every management team needs to address. Over the next posts I will expand more
