Learning from safety management

It is no secret that my desire for improving cybersecurity within organisations is influenced by approaches taken by other disciplines within industry such as quality management and safety management. Cybersecurity within the commercial sector is a relatively new area compared to these two (although granted, the science of security such as cryptography goes back many centuries). The maturity of cybersecurity practices is still evolving while, on the other hand, safety practice has reached an acceptable level and maintains a stable state. Through the past century, safety science has helped organisations achieve low incident rates within industries such as manufacturing, construction and consumer safety (passengers, fairgrounds etc). However, in my experience, there is not much crossover between quality / safety and cybersecurity within academic research and business practice. Cybersecurity seems to be very immature by comparison. Breaches are a daily occurrence affecting customers and businesses in ways that are not well understood.

In a 2018 article that explores data breach harms (Solove, D.J. and Citron, D.K. (2018) ‘Risk and Anxiety: A Theory of Data-Breach Harms’, Texas law review, 96(4), pp. 737–786.), the authors state:

The number of people affected by data breaches continues to rise as companies collect more and more personal data in inadequately secured data reservoirs. Risk and anxiety are injuries in the here and now. Victims of data breaches have an increased risk of identity theft, fraud, and reputational damage. Once victims learn about breaches, they may be chilled from engaging in activities that depend on good credit, like house- and job-hunting. Data-breach victims might decline to search for a new home or employment since there is an increased chance that lenders or employers will find their credit reports marred by theft. They face an increased chance of being preyed upon by blackmailers, extortionists, and fraudsters promising quick fixes in exchange for data or money. Emotional distress is a crucial aspect of the suffering. Knowing that thieves may be using one’s personal data for criminal ends can produce significant anxiety. Because companies do not have to internalize these negative externalities borne by individuals, the number of data breaches continues to grow.

Data breaches can also be fatal as declared in a an October 2019 paper discussing the implications of data breach remediation on hospital quality (Choi, SJ, Johnson, ME, Lehmann, CU. Data breach remediation efforts and their implications for hospital quality. Health Serv Res. 2019; 54: 971– 980. https://doi.org/10.1111/1475-6773.13203):

Hospital data breaches were associated with higher 30-day AMI mortality rates in the years following the breach […] A 0.23–0.36 percentage point increase in 30-day AMI mortality rate after a breach effectively erases a year’s worth of improvement in the mortality rate.

The evidence supports the argument that data breaches are not only harmful to customers, they are potentially fatal. But too often, the onus on accepting cybersecurity risk is tied inextricably to the financial impact a data breach has on an organisation.

The recent tragedy that unfolded at the site of the sunken Titanic, in which five people were killed when a submersible vehicle imploded in the extreme conditions of the deep sea highlights the dangers of placing profit above safety. It leads me to ask the question of whether businesses that put profit above cybersecurity and exposing their customers to the harm that data breaches have on their customers is ethical?

One of the biggest challenges in cybersecurity is understanding how secure an organisation is. There is no measure of security, as there is no measure of quality or safety. Peter Drucker’s oft-misquoted affirmation that “if you can’t measure it, you can’t improve it” suggests quality, safety and cybersecurity are unmanageable since there is no way to directly measure them. W. Edwards Deming counters in The New Economics that “[i]t is wrong to suppose that if you can’t measure it, you can’t manage it — a costly myth.” In essence, there’s no KPI for quality… or security. The important point here is that organisations must find ways to understand the limitations of their data and work and use information that is available to them to adopt practices that improve quality, safety and security.

Safety management has learned from experience to predict the likelihood of incidents occurring and using information on safety performance to mitigate risk. In cybersecurity, organisations have adopted some practices such as threat modelling and automated security scanning to identify potential weaknesses within their systems and use their outputs as a means to improve security. However, in my experience, output from these activities are not indicative of the exposure of an organisation to cybersecurity risk. So what can cybersecurity learn from safety?

The following is an adaption from an article by Jim Loud on building effective safety management systems (Loud, J., (2021) Plan Do Check Act NOT Plan Do Hope Pray — Building an Effective Safety Management System, [online] available at: https://www.safetystratus.com/blog/plan-do-check-act-not-plan-do-hope-pray-building-an-effective-safety-management-system/ (accessed: 23 July 2023)). These are potential opportunities to learn from safety management although more research would be needed in the realm of cybersecurity. Having said that, these suggestions are a good starting point for improving cybersecurity within an organisation.

Leading indicators are essential to identify and fix potential issues before incidents happen. These include:

1. Frequency and speed of fixing known vulnerabilities
2. Level of patching of vulnerable third-party software
3. Level of cybersecurity training completed within the organisation
4. Ratio of employees proactively engaged in cybersecurity improvement activities
5. Number of suggestions from employees to improve security

I have often seen the use of the DORA metrics as indicators of software delivery performance (Forsgren, N, Humble, J., Kim, G,. (2018) Accelerate, IT Revolution p. 17), which are:

1. Lead time
2. Deployment frequency
3. Mean time to Restore
4. Change Fail Percentage

However, in my opinion, these are not sufficient as leading indicators of cybersecurity risk.

Using feedback loops in real time provides immediate information to the teams developing software applications. The objective of [security] process improvement is to shorten the feedback loops so necessary fixes can be made (Kim, G., et al, (2021), The DevOps Handbook, IT Revolution). Solutions include responsive IDEs that identify potential issues during development and frequent reviews of cybersecurity related problems.

Security teams and leadership should observe how product teams work, and not make assumptions based on previous experience or hearsay. Security teams often impose security standards and practices based on ‘work-as-imagined’. This dogmatic approach leads to friction between security teams and product teams who try to implement methods and tools that are incompatible with the way they work. By observing ‘work-as-done’, and engaging with the product teams, more appropriate practices can be developed and adopted to improve the security of the system.

Use findings from cybersecurity incidents as an opportunity to learn what is happening within the organisation. When the organisation’s secure operations centre (SOC) identifies incidents, the information should be fed back to the relevant product teams and executive leaders as an opportunity to learn from them and make improvements to the system based on these findings. This will allow teams to determine whether new products or features are of greater risk due to unforeseen weaknesses. It will also allow organisations to adapt to the ever-changing threat landscape.

Studying the effects of implementing the above suggestion provides a double-learning loop that will improve the system further. It is important to continually evaluate the techniques used to improve security. In my opinion, ‘best practice’ does not exist — no system is perfect. Seeking ways to improve security should be a common goal across the organisation. Ultimately, organisations that fail to improve security and succumb to a significant data breach are potentially putting their customers’ quality of life at risk. The organisation is likely to survive a data breach, and so will most of its customers. But life-changing events do occur due to the fallout of cybersecurity events and, just as we condemn organisations that risk lives through inadequate safety practices, so we should condemn organisations that risk lives through inadequate cybersecurity practices.