The aim of the Security Analogies Project is to help spread the message of information security and its importance in the modern world. By drawing parallels between things people already know or find interesting and the way those things relate to information security, the industry can increase understanding and support across the whole of society. For my part, I find that the world of aviation lends itself to many information security analogies.
One recent tragic event that we can hope to learn from is a May 2014 accident. On that day, a Gulfstream IV-SP corporate jet was destroyed in a takeoff accident at Bedford-Hanscom Field in Massachusetts. All four passengers and three crew members were killed in the accident.
In Bedford and the Normalization of Deviance, professional pilot Ron Rapp writes that the accident report is one of the most disturbing he has ever laid eyes on. What happened? The highly experienced crew attempted to take off with the flight controls locked, roughly the equivalent of trying to drive off with the brakes on. The aircraft ran off the end of the runway and broke apart, and the ensuing fire killed everyone aboard.
While Rapp's analysis is written by a pilot for pilots, much of it is highly relevant to IT and information security professionals, particularly around complacency and human error.
Two of the more devastating findings in the report are that Gulfstream prescribes five checklists which must be run before flight, and that the pilots ran none of them. The cockpit voice recorder and interviews with pilots who had flown with the crew revealed that checklists simply were not used. This was not an anomaly; it was standard operating procedure for them.
Rapp writes that the gust lock was obviously not removed before flight. The gust lock handle is a very big, very visible, bright red lever that sticks up vertically right between the throttles and the flap handle. It is hard to miss a handle protruding six inches above the rest of the center pedestal. But an item being hard to miss is not a guarantee that it will be noticed, and that is precisely why checklists and procedures exist in the first place.
Processes are a method for improvement, but when they are not followed the results can be catastrophic. Bedford shows that it is not enough merely to have processes; they must also be followed.
Information security processes
So what does all this mean for information security? A comprehensive set of information security processes can be of great benefit, and enterprises may want to consider developing a catalog of them. Formalizing information security processes brings benefits that include:
- process improvement and optimization
- easier continuity of operations in the event of staff turnover
- reduced redundancy and duplicated effort
- the ability to audit whether security tasks were actually performed