The Restorative Cyber Culture
What organizations dealing with cyber incidents can learn from the aviation industry
The aviation industry is a prime example of learning from mistakes and making an entire industry more resilient. Anyone who has seen the ‘Air Crash Investigation’ TV series knows that no stone is left unturned to determine the root cause of an air crash. Key to the resilience of the aviation industry is its restorative culture.
Theodorus Niemeijer, Jelle Niemantsverdriet & Jurgen Schot - 26 October 2017
Air crashes are fortunately not a common occurrence. However, when they do occur, the impact is usually very high, resulting in many injuries and fatalities. For every air crash that occurs, independent authorities (such as the National Transportation Safety Board (NTSB) and the Dutch Onderzoeksraad voor Veiligheid (OVV)) launch a forensic investigation to determine the cause of the crash. There is an inherent benefit for the aviation industry in finding the cause of the crash and sharing it with all airlines, aircraft manufacturers, airports and other relevant stakeholders. If there are too many incidents, passengers will be less likely to fly and will switch to other forms of transportation where possible.
A fundamental element in this industry is the belief that the cause of an incident cannot be attributed to a single individual or organization. Therefore, the forensic investigation is not aimed at finding the ‘person’ responsible for the crash, but at establishing the actual cause of the incident and ensuring that it cannot happen again anywhere within the industry. An inadequately designed process or procedure is usually considered the underlying cause of human error or technical failure.
The aviation industry is a prime example of a restorative culture. A restorative culture is aimed at developing ways of living and working together in a community based on common agreements and values that support healthy relationships. By having a restorative culture, the aviation industry boosts resilience by learning and improving from mistakes.
The Restorative Cyber Culture?
Our daily lives are becoming more and more dependent on the availability and integrity of supporting IT services. Cyber incidents can have a large impact on these IT services, on the associated businesses and in some cases even on people’s lives. An example is the disruption of health services in the UK by the WannaCry outbreak in 2017. After such incidents, discussions immediately start in the media about how organizations could have let this happen and why. Individuals with unclear motives – sometimes trying to achieve personal fame and glory – investigate these incidents and come up with solutions. National cyber agencies usually also play a role in monitoring cyber incidents and informing organizations. However, they have neither the mandate nor the focus to provide independent (inter)national forensic investigations of cyber incidents that benefit the cyber industry as a whole.
At this moment, the cyber culture cannot be described as restorative.
Cultivating a Restorative Cyber Culture
The way the aviation industry looks at aircraft safety is the way the cyber industry should look at IT security. The cyber industry should make the transition from blaming and shaming to sharing and caring, benefiting the entire cyber industry. Learning and improving from cyber incidents will increase the confidence of organizations and individuals in IT and cyber in general. This requires a culture change, and as we all know, this is not easily achieved. Representatives of the cyber industry should support this transition towards a more open environment in which mistakes are learned from and make the industry more resilient. Institutions – existing or yet to be founded – should be assigned the task of (forensic) investigation of cyber incidents and of sharing information in a structured way.
Fortunately, there are also small – but promising – signs of change. In the IT development discipline, the Agile methodology is being adopted more and more widely. Part of this Agile methodology is the ‘blameless post-mortem’ session. In these sessions, IT experts discuss the causes of errors or incidents, looking for ways to learn and improve, without blaming individual persons. This Agile practice should be embraced by the cyber industry in order to stay relevant and on top of newly emerging threats. Could this planted seed be the first step towards cultural change within IT and its related cyber field of work?
Want to know more about Resilience & Crisis Management? Please contact Theodorus Niemeijer via +31 (0)88 288 19 78.