8/17/2019 Cybersecurity’s Human Factor_ Lessons From the Pentagon
David M. Upton, Christopher Kirchhoff, James A. (Sandy) Winnefeld Jr.
Cybersecurity’s Human Factor:
Lessons from the Pentagon
The vast majority of companies are more exposed to cyberattacks than they have to be. To close the gap in their security, CEOs can take a cue from the U.S. military. Once a vulnerable IT colossus, it is becoming an adroit operator of well-defended networks. Today the military can detect and remedy intrusions within hours, if not minutes. From September 2014 to June 2015 alone, it repelled more than 30 million known malicious attacks at the boundaries of its networks. Of the small number that did get through, fewer than 0.1% compromised systems in any way. Given the sophistication of the military’s cyberadversaries, that record is a significant feat.
hbr.org
David M. Upton is the American Standard Companies Professor of Operations Management at Oxford University’s Saïd Business School.
https://getpocket.com/redirect?url=https%3A%2F%2Fhbr.org%2F2015%2F09%2Fcybersecuritys-human-factor-lessons-from-the-pentagon
One key lesson of the military’s experience is that while technical upgrades are important, minimizing human error is even more crucial. Mistakes by network administrators and users—failures to patch vulnerabilities in legacy systems, misconfigured settings, violations of standard procedures—open the door to the overwhelming majority of successful attacks.
The military’s approach to addressing this dimension of security owes much to Admiral Hyman Rickover, the “Father of the Nuclear Navy.” In its more than 60 years of existence, the nuclear-propulsion program that he helped launch hasn’t suffered a single accident. Rickover focused intensely on the human factor, seeing to it that propulsion-plant operators aboard nuclear-powered vessels were rigorously trained to avoid mistakes and to detect and correct anomalies before they cascaded into serious malfunctions.
The U.S. Department of Defense has been steadily adopting protocols similar to Rickover’s in its fight to thwart attacks on its IT systems. Two of this article’s authors, Sandy Winnefeld and Christopher Kirchhoff, were deeply involved in those efforts. The article’s purpose is to share the department’s approach so that business leaders can apply it in their own organizations.
Like the Defense Department, companies are under constant bombardment from all types of sources: nation-states, criminal syndicates, cybervandals, intruders hired by unscrupulous competitors, disgruntled insiders. Thieves have stolen or compromised the credit-card or personal information of hundreds of millions of customers, including those of Sony, Target, Home Depot, Neiman Marcus, JPMorgan Chase, and Anthem. They’ve managed to steal proprietary information on oil and gas deposits from energy companies at the very moment geological surveys were completed. They’ve wiped negotiation strategies off internal corporate networks in the run-up to major deals, and weapons systems data from defense contractors. And over the past three years intrusions into critical U.S. infrastructure—systems that control operations in the chemical, electrical, water, and transport sectors—have increased 17-fold. It’s little wonder, then, that the U.S. government has made improving cybersecurity in both public and private sectors a national priority. But, as the recent hacking of the federal government’s Office of Personnel Management underscores, it is also a monumental challenge.
The Military’s Cyberjourney
Back in 2009, the Defense Department, like many companies today, was saddled with a vast array of disparate IT systems and security approaches. Each of its three military branches, four uniformed services, and nine unified combatant commands had long functioned as its own profit-and-loss center, with substantial discretion over its IT investments. Altogether, the department comprised 7 million devices operating across 15,000 network enclaves, all run by different system administrators, who configured their parts of the network to different standards. It was not a recipe for security or efficiency.
That year, recognizing both the opportunities of greater coherence and the need to stem the rise in harmful incidents, Robert Gates, then the secretary of defense, created the U.S. Cyber Command. It brought network operations across the entire .mil domain under the authority of one four-star officer. The department simultaneously began to consolidate its sprawling networks, collapsing the 15,000 systems into a single unified architecture called the Joint Information Environment. The work has been painstaking, but soon ships, submarines, satellites, spacecraft, planes, vehicles, weapons systems, and every unit in the military will be linked in a common command-and-control structure encompassing every communications device. What once was a jumble of more than 100,000 network administrators with different chains of command, standards, and protocols is evolving toward a tightly run cadre of elite network defenders.
At the same time, the U.S. Cyber Command has been upgrading the military’s technology. Sophisticated sensors, analytics, and consolidated “security stacks”—suites of equipment that perform a variety of functions, including big data analytics—are giving network administrators greater visibility than ever before. They can now quickly detect anomalies, determine if they pose a threat, and alter the network’s configuration in response.
The U.S. Department of Defense experiences 41M scans, probes, and attacks a month.
The interconnection of formerly separate networks does introduce new risks (say, that malware might spread across systems, or that a vulnerability in one system would allow someone to steal data from another). But these are greatly outweighed by the advantages: central monitoring, standardized defenses, easy updating, and instant reconfiguration in the event of an attack. (Classified networks are disconnected from unclassified networks, of course.)
However, unified architecture and state-of-the-art technology are only part of the answer. In nearly all penetrations on the .mil network, people have been the weak link. The Islamic State briefly took control of the U.S. Central Command’s Twitter feed in 2015 by exploiting an individual account that had not been updated to dual-factor authentication, a basic measure requiring users to verify their identity by password plus a token number generator or encrypted chip. In 2013 a foreign nation went on a four-month spree inside the U.S. Navy’s unclassified network by exploiting a security flaw in a public-facing website that the navy’s IT experts knew about—but failed to fix. The most serious breach of a classified network occurred in 2008, when, in a violation of protocol, a member of the Central Command at a Middle Eastern base inserted a thumb drive loaded with malware directly into a secure desktop machine.
While the recent intrusions show that security today is by no means perfect, the human and technical performance of the military’s network administrators and users is far stronger by a number of measures than it was in 2009. One benchmark is the results of commands’ cybersecurity inspections, whose number have increased from 91 in 2011 to an expected 285 in 2015. Even though the grading criteria have become more stringent, the percentage of commands that received a passing grade—proving themselves “cyber-ready”—has risen from 79% in 2011 to over 96% this year.
Companies need to address the risk of human error too. Hackers penetrated JPMorgan Chase by exploiting a server whose security settings hadn’t been updated to dual-factor authentication. The exfiltration of 80 million personal records from the health insurer Anthem, in December 2014, was almost certainly the result of a “spear phishing” e-mail that compromised the credentials of a number of system administrators. These incidents underscore the fact that errors occur among both IT professionals and the broader workforce. Multiple studies show that the lion’s share of attacks can be prevented simply by patching known vulnerabilities and ensuring that security configurations are correctly set.
The clear lesson here is that people matter as much as, if not more than, technology. (Technology, in fact, can create a false sense of security.) Cyberdefenders need to create “high-reliability organizations”—building an exceptional culture of high performance that consistently minimizes risk. “We have to get beyond focusing on just the tech piece here,” Admiral Mike Rogers, who oversees the U.S. Cyber Command, has said. “It’s about ethos. It’s about culture. [It’s about] how you man, train, and equip your organization, how you structure it, the operational concepts that you apply.”
The High-Reliability Organization
The concept of a high-reliability organization, or HRO, first emerged in enterprises where the consequences of a single error can be catastrophic. Take airlines, the air-traffic-control system, space flight, nuclear power plants, wildfire fighting, and high-speed rail. Within these highly technical operations, the interactions of systems, subsystems, human operators, and the external environment frequently give rise to deviations that must be corrected before they become disastrous problems. These organizations are a far cry from continuously improving “lean” factories. Their operators and users don’t have the luxury of learning from their mistakes.
The annual global cost of cybercrime against consumers is $113 billion.
Safely operating technology that is inherently risky in a dangerous, complex environment takes more than investing in the best engineering and materials. High-reliability organizations possess a deep awareness of their own vulnerabilities, are profoundly committed to proven operational principles and high standards, clearly articulate accountability, and vigilantly probe for sources of failure.
The U.S. Navy’s nuclear-propulsion program is arguably the HRO with the longest track record. Running a nuclear reactor on a submarine deep in the ocean, out of communication with any technical assistance for long periods of time, is no small feat. Admiral Rickover drove a strict culture of excellence into each level of the organization. (So devoted was he to ensuring that only people who could handle such a culture entered the program that, during his 30 years at its helm, he personally interviewed every officer applying to join it—a practice that every one of his successors has continued.)
At the heart of that culture are six interconnected principles, which help the navy weed out and contain the impact of human error.
1. Integrity.
By this we mean a deeply internalized ideal that leads people, without exception, to eliminate “sins of commission” (deliberate departures from protocol) and own up immediately to mistakes. The nuclear navy inculcates it in people from day one, making it clear there are no second chances for lapses. Workers thus are not only unlikely to take shortcuts but also highly likely to notify supervisors of an error right away, so they can be corrected quickly and don’t necessitate lengthy investigations later—after a problem has occurred. Operators of propulsion plants faithfully report every anomaly that rises above a low threshold of seriousness to the program’s central technical headquarters. Commanding officers of vessels are held fully accountable for the health of their programs, including honesty in reporting.
2. Depth of knowledge.
If people thoroughly understand all aspects of a system—including the way it’s engineered, its vulnerabilities, and the procedures required to operate it—they’ll more readily recognize when something is wrong and handle any anomaly more effectively. In the nuclear navy, operators are rigorously trained before they ever put their hands on a real propulsion plant and are closely supervised until they’re proficient. Thereafter, they undergo periodic monitoring, hundreds of hours of additional training, and drills and testing. Ship captains are expected to regularly monitor the training and report on crew proficiency quarterly.
3. Procedural compliance.
On nuclear vessels, workers are required to know—or know where to find—proper operational procedures and to follow them to the letter. They’re also expected to recognize when a situation has eclipsed existing written procedures and new ones are called for.
One of the ways the nuclear navy maximizes compliance is through its extensive system of inspections. For instance, every warship periodically undergoes tough Operational Reactor Safeguards Examinations, which involve written tests, interviews, and observations of day-to-day operations and of responses to simulated emergencies. In addition, an inspector from the Naval Reactors regional office may walk aboard anytime a ship is in port, without advance notice, to observe ongoing power-plant operations and maintenance. The ship’s commanding officer is responsible for any discrepancies the inspector may find.
4. Forceful backup.
When a nuclear-propulsion plant is operating, the sailors who actually control it—even those who are highly experienced—are always closely monitored by senior personnel. Any action that presents a high risk to the system has to be performed by two people, not just one. And every member of the crew—even the most junior person—is empowered to stop a process when a problem arises.
5. A questioning attitude.
This is not easy to cultivate in an organization, especially one with a formal rank structure in which immediate compliance with orders is the norm. However, such a mindset is invaluable: If people are trained to listen to their internal alarm bells, search for the causes, and then take corrective action, the chances that they’ll forestall problems rise dramatically. Operators with questioning attitudes double- and triple-check work, remain alert for anomalies, and are never satisfied with a less-than-thorough answer. Simply asking why the hourly readings on one obscure instrument out of a hundred are changing in an abnormal way or why a network is exhibiting a certain behavior can prevent costly damage to the entire system.
6. Formality in communication.
To minimize the possibility that instructions are given or received incorrectly at critical moments, operators on nuclear vessels communicate in a prescribed manner. Those giving orders or instructions must state them clearly, and the recipients must repeat them back verbatim. Formality also means establishing an atmosphere of appropriate gravity by eliminating the small talk and personal familiarity that can lead to inattention, faulty assumptions, skipped steps, or other errors.
Cybersecurity breaches caused by human mistakes nearly always involve the violation of one or more of these six principles. Here’s a sample of some the Defense Department uncovered during routine testing exercises:
A polite headquarters staff officer held the door for another officer, who was really an intruder carrying a fake identification card. Once inside, the intruder could have installed malware on the organization’s network. Principles violated: procedural compliance and a questioning attitude.
A system administrator, surfing the web from his elevated account, which had fewer automatic restrictions, downloaded a popular video clip that was “viral” in more ways than one. Principles violated: integrity and procedural compliance.
A staff officer clicked on a link in an e-mail promising discounts for online purchases, which was actually an attempt by the testers to plant a phishing back door on her workstation. Principles violated: a questioning attitude, depth of knowledge, and procedural compliance.
A new network administrator installed an update without reading the implementation guide and with no supervision. As a result, previous security upgrades were “unpatched.” Principles violated: depth of knowledge, procedural compliance, and forceful backup.
A network help desk reset a connection in an office without investigating why the connection had been deactivated in the first place—even though the reason might have been an automated shutdown to prevent the connection of an unauthorized computer or user. Principles violated: procedural compliance and a questioning attitude.
Creating a High-Reliability IT Organization
To be sure, every organization is different. So leaders need to account for two factors in designing the approach and timetable for turning their companies into cybersecure HROs. One is the type of business and its degree of vulnerability to attack. (Financial services, manufacturing, utilities, and large retail businesses are especially at risk.) Another is the nature of the workforce. A creative workforce made up predominantly of Millennials accustomed to working from home with online-collaboration tools presents a different challenge from sales or manufacturing employees accustomed to structured settings with lots of rules.
It’s easier to create a rule-bound culture for network administrators and cybersecurity personnel than it is for an entire workforce. Yet the latter is certainly possible, even if a company has a huge number of employees and an established culture. Witness the many companies that have successfully changed their cultures and operating approaches to increase quality, safety, and equal opportunity.
Whatever the dynamics of their organizations, leaders can implement a number of measures to embed the six principles in employees’ everyday routines.
Take charge.
A recent survey by Oxford University and the UK’s Centre for the Protection of the National Infrastructure found that concern for cybersecurity was significantly lower among managers inside the C-suite than among managers outside it. Such shortsightedness at the top is a serious problem, given the financial consequences of cyberattacks. In a 2014 study by the Ponemon Institute, the average annualized cost of cybercrime incurred by a benchmark sample of U.S. companies was $12.7 million, a 96% increase in five years. Meanwhile, the time it took to resolve a cyberattack had increased 33%, on average, and the average cost incurred to resolve a single attack totaled more than $1.6 million.
The reality is that if CEOs don’t take cybersecurity threats seriously, their organizations won’t either. You can bet that Gregg Steinhafel, who was ousted from Target in 2014 after cybercriminals stole its customers’ information, wishes he had.
Over the past 3 years, intrusions into critical U.S. infrastructure have increased 17x.
Chief executives know that consolidating their jumble of network systems, as the Defense Department has done, is important. But many are not moving fast enough—undoubtedly because this task can be massive and expensive. In addition to accelerating that effort, they must marshal their entire leadership team—technical and line management, and human resources—to make people, principles, and IT systems work together. Repeatedly emphasizing the importance of security issues is key. And CEOs should resist blanket assurances from CIOs who claim they’re already embracing high-reliability practices and say all that’s needed is an increase in the security budget or the newest security tools.
CEOs should ask themselves and their leadership teams tough questions about whether they’re doing everything possible to build and sustain an HRO culture. Are network administrators making sure that security functions in systems are turned on and up-to-date? How are spot audits on behavior conducted, and what happens if a significant lapse is found? What standardized training programs for the behavioral and technical aspects of cybersecurity are in place, and how frequently are those programs refreshed? Are the most important cybersecurity tasks, including the manipulation of settings that might expose the system, conducted formally, with the right kind of backup? In essence, CEOs must constantly ask what integrity, depth of knowledge, procedural compliance, forceful backup, a questioning attitude, and formality mean in their organizations. Meanwhile, boards of directors, in their oversight role, should ask whether management is adequately taking into account the human dimension of cyberdefense. (And indeed many are beginning to do this.)
Make everyone accountable.
Military commanders are now held responsible for good stewardship of information technology—and so is everyone all the way down the ranks. The Defense Department and the U.S. Cyber Command are establishing a reporting system that allows units to track their security violations and anomalies on a simple scorecard. Before, information about who committed an error and its seriousness was known only to system administrators, if it was tracked at all. Soon senior commanders will be able to monitor units’ performance in near real time, and that performance will be visible to people at much higher levels.
The goal is to make network security as much of an everyday priority for troops as keeping their rifles clean and operational. Every member of an armed service must know and comply with the basic rules of network hygiene, including those meant to prevent users from introducing potentially tainted hardware, downloading unauthorized software, accessing a website that could compromise networks, or falling prey to phishing e-mails. When a rule is broken, and especially if it’s a matter of integrity, commanders are expected to discipline the offender. And if a climate of complacency is found in a unit, the commander will be judged accordingly.
Companies should do likewise. While the same measures aren’t always available to them, all managers—from the CEO on down—should be responsible for ensuring their reports follow cybersafety practices. Managers should understand that they, along with the employees in question, will be held accountable. All members of the organization ought to recognize they are responsible for things they can control. This is not the norm in many companies.
Institute uniform standards and centrally managed training and certification.
The U.S. Cyber Command has developed standards to ensure that anyone operating or using a military network is certified to do so, meets specific criteria, and is retrained at appropriate intervals. Personnel on dedicated teams in charge of defending networks undergo extensive formal training. For these cyberprofessionals the Defense Department is moving toward the model established by the nuclear navy: classroom instruction, self-study, and at the end of the process, a formal graded examination. To build a broad and deep pipeline of defenders, the military academies require all attendees to take cybersecurity courses. Two academies offer a major degree in cyberoperations, and two offer minor degrees. All services now have schools for advanced training and specific career paths for cybersecurity specialists. The military is also incorporating cybersecurity into continuing education programs for all personnel.
Relatively few companies, in contrast, have rigorous cybertraining for the rank and file, and those that do rarely augment it with refresher courses or information sessions as new threats arise. Merely e-mailing employees about new risks doesn’t suffice. Nor does the common practice of requiring all employees to take an annual course that involves spending an hour or two reviewing digital policies, with a short quiz after each module.
Admittedly, more-intensive measures are time-consuming and a distraction from day-to-day business, but they’re imperative for companies of all sizes. They should be as robust as programs to enforce ethics and safety practices, and companies should track attendance. After all, it takes only one untrained person to cause a breach.
Couple formality with forceful backup.
In 2014 the U.S. military created a construct that spelled out in great detail its cyber-command-and-control structure, specifying who is in charge of what and at what level security configurations are managed and changed in response to security events. That clear framework of reporting and responsibilities is supported with an extra safeguard: When security updates on core portions of the Defense Department’s network are made or system administrators access areas where sensitive information is stored, a two-person rule is in effect. Both people must have their eyes on the task and agree that it was performed correctly. This adds an extra degree of reliability and dramatically reduces the risk of lone-wolf insider attacks.
The Department of Defense is consolidating 15,000 networks into a single unified architecture.
There’s no reason companies can’t also do these things. Most large firms have already aggressively pruned their lists of “privileged” system users and created processes for retracting the access rights of contractors leaving a project and employees leaving the firm. Midsize and smaller enterprises should do the same.
One form of backup can be provided by inexpensive, easy-to-install software that either warns employees when they’re transferring or downloading sensitive information or prevents them from doing it and then monitors their actions. Regularly reminding employees that their adherence to security rules is monitored will reinforce a culture of high reliability.
Check up on your defenses.
In June 2015 the U.S. Cyber Command and the Defense Department announced sweeping operational tests for both network administrators and users. The military also is establishing rigorous standards for cybersecurity inspections and tightly coordinating the teams that conduct them.
Companies should follow suit here as well. While many large firms do security audits, they often focus on networks’ vulnerability to external attacks and pay too little attention to employees’ behavior. CEOs should consider investing more in capabilities for testing operational IT practices and expanding the role of the internal audit function to include cybersecurity technology, practices, and culture. (External consultants also may provide this service.)
In addition to scheduled audits, firms should do random spot-checks. These are highly effective at countering the shortcuts and compromises that creep into the workplace—like transferring confidential material to an unsecured laptop to work on it at home, using public cloud services to exchange sensitive information, and sharing passwords with other employees. Such behavior is important to discover—and correct—before it results in a serious problem.
Eliminate fear of honesty and increase the consequences of dishonesty.
Leaders must treat unintentional, occasional errors as opportunities to correct the processes that allowed them to occur. However, they should give no second chances to people who intentionally violate standards and procedures. Edward Snowden was able to access classified information by convincing another civilian employee to enter his password into Snowden’s workstation. It was a major breach of protocol for which the employee was rightfully fired. It made many military leaders realize that an operational culture that stressed integrity, a questioning attitude, forceful backup, and procedural compliance could have created an environment in which Snowden would have been stopped cold. Such a breach of the rules would have been unthinkable in the reactor department of a navy vessel.
At the same time, employees should be encouraged to acknowledge their innocent mistakes. When nuclear-propulsion-plant operators discover a mistake, they’re conditioned to quickly reveal it to their supervisors. Similarly, a network user who inadvertently clicks on a suspicious e-mail or website should be conditioned to report it without fear of censure.
Finally, it should be easy for everyone throughout the organization to ask questions. Propulsion-plant operators are trained to immediately consult a supervisor when they encounter an unfamiliar situation they aren’t sure how to handle. Similarly, by ensuring that all employees can readily obtain help from a hotline or their managers, companies can reduce the temptation to guess or hope that a particular action will be safe.
Yes, we’re calling for a much more formal, regimented approach than many companies now employ. With cyberthreats posing a clear and present danger to individual companies and, by extension, the nation, there is no alternative. Rules and principles are needed to plug the many holes in America’s cyberdefenses.
Couldn’t companies just focus on protecting their crown jewels? No. First, that would mean multiple standards for cybersecurity, which would be difficult to manage and, therefore, hazardous. Second, the crown jewels often are not what you think they are. (One could argue that the leak of embarrassing e-mails was the most damaging aspect of North Korean hackers’ attack on Sony Pictures Entertainment.) Finally, hackers often can gain access to
highly sensitive data or systems via a seemingly low-level system, like e-mail. A company needs a common approach to protecting all its data.
Technical Capability, Human Excellence
Over the past decade, network technology has evolved from a simple utility that could be taken for granted to an important yet vulnerable engine of operations, whose security is a top corporate priority. The soaring number of cyberattacks has made that abundantly clear. Technology alone cannot defend a network. Reducing human error is at least as important, if not more. Embracing the principles that an irascible admiral implanted in the nuclear navy more than 60 years ago is the way to do this.
Building and nurturing a culture of high reliability will require the personal attention of CEOs and their boards as well as substantial investments in training and oversight. Cybersecurity won’t come cheap. But these investments must be made. The security and viability of companies—as well as the economies of the nations in which they do business—depend on it.