This article posits a dynamic approach to security for critical infrastructure (CI). It adheres to recent science, pushing the edges of how we think about security.
Critical infrastructures are ‘complex systems’. The human threats to CI fall into two broad categories. Exogenous [outside the system] threats include acts of terror and other criminal attacks by predators. Endogenous [inside the system] threats include technical vulnerabilities arising from human error, occupational fraud, internal theft, corruption, workplace sabotage and workplace violence.
These two broad areas can be interrelated, as is the case with corruption.
About Complex Systems
“All complex systems, whether they are biological ecosystems like the human body, natural ecosystems like a rain forest, social ecosystems like an open-air market, or socio-technical ecosystems like the global financial system or the Internet, are deeply interlinked. Individual units within these ecosystems are interdependent, each doing its part and relying on the other units to do their part as well. This is neither rare nor difficult, and complex ecosystems abound.”
Bruce Schneier, Liars and Outliers (2012)
Transformative Security Practice
“Transformative security practice” (TSP) is new language for defining the transformation of security into ‘learning cultures’ (Ref: Senge, Peter. The Fifth Discipline: The art and practice of the learning organization. 1994).
A security learning culture is generative. It is a shift of mindset from ‘business as usual’ to one of wonder, discovery and continuous improvement. It is a new way to think about how organizations perceive and practice security. It is adaptive, putting technology in the hands of the right people, doing the right things, at the right time.
TSP challenges security to move beyond the limitations of reductionist (cause and effect) solutions. It accepts and embraces the chaos that comes with humanity. It applies ‘systems thinking’ to explore the inter-relatedness between parts in the organization, and how changes to these parts influence the whole.
With TSP, we learn how to motivate employees to play a vital role in security, as primary over technology. We recognize the influence and impact of beliefs, mental models, heuristic bias (mental shortcuts) and affect (emotions) on security.
A Generative Approach to Security
Security is dealing with new realities including acts of terror, transnational enterprise crime, and a post-industrial age uncertainty that is increasing stress and anxiety in the workforce, as predicted in 1970 (Toffler, A., Future Shock).
TSP takes a behavioral and prevention science approach to security. It factors in both the feelings of security and the reality of security (Schneier: Psychology of Security). TSP applies science from multiple disciplines including psychology, neuroscience, social physics, behavioral economics and evolutionary biology, to mention a few.
Finally, there are three specific attributes identified for bringing about enduring change:
- new skills and capabilities
- new awareness and sensibilities, and
- new attitudes and beliefs.
TSP promotes deep cycle learning. It encourages lateral thinking to resolve security problems. It centers around Senge’s five disciplines for creating a security learning culture: i) personal mastery, ii) mental models, iii) shared vision, iv) team learning, and v) systems thinking, delivered in practitioner-based, problem-solving ways.