When I give talks about information security, I try to
pull protection strategies from real-world situations in organizations that are
not technology-based. Many instruction methods lean on analogies to enhance
understanding of security principles. To me, analogies are like Canada geese,
which look majestic at first, until you get too close to them. (I mentioned I
would get back to the geese in a previous post.) Instead, I’ll take a
strategy and produce parallel tactics within the information security realm. Part
I of this article will focus on the FAA’s “Cockpit Resource Management”.
On December 28, 1978, United Airlines Flight 173 crashed
after running out of fuel while the crew was troubleshooting a landing gear
indication problem and circling near Portland International Airport[i].
The resulting investigation found that the crew’s “inattention” to
the fuel state, while they dealt with the other issues arising, allowed the plane to run out of fuel.[ii]
As a result of this accident, United Airlines, in coordination with the FAA,
created the “Cockpit Resource Management” training program. The idea behind
this program was to enhance communication and decision making by following
three “decision outcome avenues”:
- Avoid: Pre-plan to prevent possibilities of a crisis.
- Trap: Identify factors to recognize potential problems before a crisis.
- Mitigate: Maintain resources to minimize the negative effect during and after a crisis.
I first learned the “Avoid, Trap,
Mitigate” mantra as a volunteer firefighter[iii]
(circa 1982). In fact, it is used extensively by NIMS (the National Incident Management
System) in almost all areas of emergency management. All firefighter safety
revolves around this concept: firefighters train and do walk-through drills on
major structures to understand where potential problems could be prevented (avoid); live fire training lets us
experience the fire lifecycle first-hand (under semi-controlled conditions)
so we can recognize what stage a fire has reached
when we arrive at a real scene (trap); and fire departments work with local
authorities to maintain proper water
supplies so that any conflagration can be handled efficiently and safely (mitigate).
Later in life, after I had a family and took up coaching
kids’ sports (circa 1998), the coaches’ training included courses in effective
communication and taught the principles of “Avoid, Trap, Mitigate”
as a defensive strategy in sport. In fact,
if you followed ice hockey, you would recognize how the NJ Devils changed the
face of the game in 2000 with their “neutral zone trap”. Many hockey fans
(myself included) felt that this strategy slowed the pace of the game; in
hindsight, that is exactly the purpose of the
strategy.
In the early 2000s, as businesses started focusing
on corporate governance, our consulting business promoted the “Avoid, Trap,
Mitigate” principles in information security. It was our spin on the
“defense-in-depth” best practice: prevent what you can, detect what you could not prevent, and limit the damage of what you did not detect in time. And it works.
Suppose, for example, that your business relies on some intellectual
property (e.g. a secret recipe for pizza).
- What steps can you take to prevent it being stolen? Perhaps you premix the secret ingredients ahead of time so your employees have no knowledge of them. Or maybe you create some misinformation, such as re-labeling the secret ingredient “cilantro” as “parsley”.
- How can you tell if another business has gotten your secret recipe? You may decide to periodically send out employees to purchase and taste the competition’s product. Or perhaps, if the ingredient is rare, you ask your supplier if anyone else has bought large quantities of that ingredient.
- And what happens once the secret is out? Perhaps your reputation keeps a good share of the business. If not, you may need to create a new recipe. (IMHO, litigation at the SMB level would probably bankrupt both companies before anything was accomplished.)
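The same three questions translate directly to a software secret such as an API key. The following script is an added example written for this post, not code from the original; the class, function and log-line names are my own, and the sample log lines and decoy key are constructed. Avoid: callers receive HMAC tags derived from the key but never the key itself (the premixed ingredients). Trap: a decoy credential that no legitimate code path uses is planted, and any appearance of it in the logs is an alert (the “cilantro” labelled “parsley”). Mitigate: on an alert, the real key is rotated so the stolen copy stops working (the new recipe).

```python
import hashlib
import hmac
import re
import secrets


class SecretHolder:
    """Avoid: hand out HMAC tags derived from the key, never the key itself.

    Callers can use the secret (get a valid tag) without being able to
    read it, the software counterpart of premixing the secret ingredients.
    """

    def __init__(self, key: bytes) -> None:
        self._key = key

    def sign(self, message: bytes) -> str:
        return hmac.new(self._key, message, hashlib.sha256).hexdigest()

    def verify(self, message: bytes, tag: str) -> bool:
        # Constant-time comparison so a timing side channel cannot leak the tag.
        return hmac.compare_digest(self.sign(message), tag)

    def rotate(self) -> None:
        """Mitigate: replace the key so any stolen copy stops working."""
        self._key = secrets.token_bytes(32)


# Trap: a decoy credential that no legitimate code path ever presents.
# Constructed value for this example, not a real key of any provider.
DECOY_KEY = "sk_live_DECOY_0000_DO_NOT_USE"


def find_decoy_use(log_lines, decoy=DECOY_KEY):
    """Return the log lines in which the decoy credential appears."""
    pattern = re.compile(re.escape(decoy))
    return [line for line in log_lines if pattern.search(line)]


def avoid_trap_mitigate(holder, log_lines):
    """Run the trap over a batch of log lines and mitigate on a hit.

    Returns (hits, rotated): the offending log lines and whether the real
    key was rotated in response.
    """
    hits = find_decoy_use(log_lines)
    if hits:
        holder.rotate()
    return hits, bool(hits)


# Constructed sample log: two normal requests and one request that presents
# the decoy key, i.e. someone is cooking with the "parsley" we planted.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z api GET /orders auth=tag:3f9a... status=200",
    "2024-05-01T10:00:07Z api GET /menu auth=none status=200",
    "2024-05-01T10:02:13Z api POST /orders "
    "auth=key:sk_live_DECOY_0000_DO_NOT_USE status=401 src=203.0.113.9",
]


if __name__ == "__main__":
    holder = SecretHolder(secrets.token_bytes(32))
    tag = holder.sign(b"order-42")
    hits, rotated = avoid_trap_mitigate(holder, SAMPLE_LOG)
    print(f"{len(hits)} decoy use(s) seen, key rotated: {rotated}")
    # After rotation the old tag no longer verifies, which is the point.
    print("old tag still valid:", holder.verify(b"order-42", tag))
```

The decoy only works as a trap if it is never used on a legitimate path; the first time it shows up in a log there is no benign explanation, so the alert needs no tuning. Rotation is the cheap mitigation here; in a real system you would also invalidate sessions issued under the old key and check where the decoy was obtained from.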
In a small to midsize company, risk management is probably
not your primary focus, so adopting a simple set of three rules allows you to
quickly assess almost any situation with a good degree of success.