Learn from Safety Literature

BSides Berlin · 2022 · 41:07 · 118 views · Published 2023-02 · Watch on YouTube
Style: Talk
About this talk
Drawing parallels between safety engineering and IT security, this talk argues that decades of research into accident prevention and organizational safety culture offer concrete frameworks applicable to security practice. Soos explores concepts like hazard identification, the gap between prescribed and actual work, and organizational risk acceptance, showing how safety literature's systemic approach can help security professionals move beyond checkbox compliance.
Original YouTube description

Safety literature refers to written materials that provide information and guidelines on how to work safely in various industries and environments. This literature includes safety manuals, handbooks, procedures, regulations, and industry standards, and it covers a range of topics including hazard identification, risk assessment, personal protective equipment, and emergency response. The purpose of safety literature is to prevent accidents and injuries by promoting safe work practices and promoting a culture of safety within organizations.

About the speaker: Mate Soos has been working both in industry as an IT security expert, and in research, working on formal methods. In industry, he has worked from low-level chip reverse engineering, staring through the microscope at a microprobed chip, through GPGPU-based cipher reversing, all the way to designing the cloud security of large firms. Within the scope of his research, he has been working on SAT and SMT solving, model counting, and uniform sampling. The two aspects of his work have sometimes coincided, e.g. when breaking the Mifare cipher using a specially-designed SAT solver, or when using SMT solvers to prove correctness of digital contracts. Lately, he's been interested in safety engineering, bringing notions from the extensive safety literature to the IT security world. https://www.msoos.org/
Transcript [en]

Hi, so I'm Mate Soos and I'm going to be talking about what IT security professionals can learn from safety literature. I personally have been doing IT security for about twenty-something years, and nowadays I work as a researcher and also in the Ethereum Foundation. So, what this talk is going to be about. Let me try to make this slide a little bigger so I can see it myself as well. So basically, safety engineering, I think, has a lot to teach us IT security professionals, and I hope that by highlighting some of the commonalities between what safety science has to offer us, we can become sort of better IT security professionals. And this talk is not by any means comprehensive. The safety literature is immense and clearly I cannot squeeze it down into a 30-minute talk, but this is to pique your interest. I'll have plenty of references at the end, and you can have a look at what you're interested in and try to bring some of these ideas into your practice as an IT security engineer.

I would also like to note that clearly, obviously, security is not the same as safety, right? When you're in a mine there's nobody trying to release methane gas on purpose and light it on fire; that's what's happening in the mine. But at the same time, there are miners who will turn off the methane gas detectors because it annoys the hell out of them. There's going to be management who set production targets that cannot possibly be met given the tick-box exercise of safety that they mandate, without any form of inventive idea of trying to meet those safety goals that those tick boxes are supposed to meet. And there's going to be people who have been doing this for a while and feel uncomfortable and leave the mine and just stop working, because they don't feel comfortable doing this. In some sense I think we IT security professionals have all been in this mine, right? We've all seen all these issues in our daily work and feel sort of, hmm, is there something that we can do, that we can learn from these accidents and issues that have happened in safety?

So I also want to talk a little bit about what this is not about. This talk is not going to be about some kind of prescriptive thing that you're supposed to do as a mandatory thing. This is a bunch of ideas that other people have thought about and put quite a lot of effort into, for you to just think about them and see how you can incorporate some of this into your daily practice. You need to find your own way; there's no way that is prescribed to do this. And I think, as IT security professionals, you sort of know this inherently: when you go to a new company that you work at, or a new consultancy gig that you got, you have to understand their context and where they're coming from, and incorporate your knowledge and know-how into their processes so you can help them the best you can. But I think it's important to also realize that a lot of time, effort and money has gone into safety science, and plenty of people unfortunately died, and that eventually resulted in massive amounts of work done to try to understand why, and how we can prevent this from happening again.

So I just want to start with something called "down and in" versus "up and out". And I'm going to start with a scenario that I think we're sort of familiar with, or let's hope we can all try to be familiar with. Let's say there's an attacker that got into your company with some kind of phishing attack, and they pivoted around in your infrastructure, and this was noticed because somebody was just looking around their AWS account, let's say, and they saw something suspicious that didn't feel right. And then they notified the people they knew best, which was the administrative team: hey, something is off, is this your account? And the admin team was like, oh wait a second, this is definitely not okay, and they shut down this attacker in their tracks. And there's no real leak of information that actually happened that you would need to report. Okay, so this is a scenario that I think we can all agree can happen in a large enterprise.

Let's look at sort of the classical interpretation that you would have within an enterprise. Well, the user clicked the bad email, right? So therefore the user needs to be trained; I think we've all heard this explanation. We lack preventative measures against pivoting, right? Let's add the preventative measures that we lacked, so that the attacker could pivot around the infrastructure. We lack detective measures, because clearly the SOC didn't see this happening; somebody else did. So let's add these detective measures that were somehow missing, because when the system was conceived, security wasn't even asked whether they have any requirements that would need to be part of the requirements analysis that they did for the system when they built it, right? And the sysadmin team had manually fixed the stuff, right? So they had to go in and manually fix it; there were clearly no reactive measures, so we were lacking reactive controls. So this is kind of a classical explanation that you'd see in almost all IT security places that I've worked at. They go through this kind of interpretation and, like, that's what happened, this is the thing, right? And in the safety literature this would be called "down and in", and I'll talk a little bit about what I mean by "up and out".

So there are two ends of this sort of instrument. There's the sharp end: the people who are actually writing the code, the systems that are at the end of what happened, right? So the user who clicked the email, that's clearly a sharp end; there's this admin team that reacted; and there is the system that was compromised. These are all very close to the action that happened. We all understand that these are intimately close to what actually took place in this scenario that I just described. But there's also the blunt end, and I think very often we forget the blunt end and forget to ask questions about it. If you have a look at some of the safety literature, they'll talk about the blunt end basically non-stop, and if you start talking about the sharp end they just look at you like, have you lost your mind? Because it will not be interesting to them, because they understand that if you fix what's on the right-hand side, the stuff on the left will not only be fixed, but all the other issues will also be fixed.

So what is on the blunt end? Well, this is what they call the distal cause, so the things that are further away from the direct thing that actually happened. And this is the lack of priority for the detective measures, right? Because there's 50 people, let's say, in your organization, this is a large organization, like, what the hell are you doing? They were really doing something else, right? Because they weren't just sitting at their desk and twiddling their thumbs, so they must have done something else, and they must know that detective measures are important. So what else was important? And more importantly, if the other thing was more important, then who made the decision, and why was that decision made? And you shouldn't try to blame this person who made this decision, but we should all sit down together and decide how we are making decisions about priorities. Because you haven't actually thought about the way that you make that decision, if you arrived incorrectly, in a way, because you clearly arrived at something that wasn't what you really wanted. So maybe the people who make these kinds of decisions need to do that differently, and it could be various other ways, but maybe there's something to be done there.

Now let's say that there's this system that was built without the involvement of IT security. They built this system and they somehow forgot to talk to IT security about the requirements during the requirements analysis phase, so the preventative measures were never included. Why, right? Like, why was that? Why did this happen? Why was IT security never informed? And I don't mean going there with a baton and hitting them on the head; you should be actually curious about why they were just completely unaware that we exist. Actually, do they know we exist? Do they know our emails? Do they know that for every new system that they're building that is anything major, they probably should be including these kinds of things? And if they don't, then maybe that says something about your communication methods towards the enterprise itself, because you're part of this enterprise and you haven't communicated that you exist. Let's see that there, huh? Well, anyway. Let's hope the... oh, it comes back, that's good.

Okay. We can also talk the same way about the phishing email, right? We can say that this phishing email was likely observed by other employees. Why didn't they notify us? Do we actually have a good rapport with people? Are they afraid to send us this email? I have seen organizations where people are actually afraid to report security incidents, because then the security personnel come down on them and then it's a huge pain for them, and they're like, oh, let's just keep it internal, let's not talk to IT security. But if that's happening, then maybe your attitude towards what's happening around you is the problem, and you can try to fix that. And I think you all understand that if we get that thing right, this thing about the user clicking the wrong email is going to be almost a secondary question. Of course it's interesting, we do want to understand that, but the thing is, you start here and you end up there. The problem is that people start here and end here.

Okay, so the next thing is: who do we blame? And of course, if you blame the thing that's at the sharp end, what will you get? Well, you will get trainings, right? You will get some detective systems, and you'll get some preventative measures, and that's more or less what probably happens right now in most enterprises. So notice that it's always easy to blame the things at the sharp end, because they're obviously connected to what just happened; they were obviously there, like, the person obviously clicked the email. But it's not that obvious to think about: okay, but who else got this email, and why didn't they actually notify us? That's a more complicated question to both ask and to answer.

Okay, so instead, what other things can you do? Well, as I just explained, you can try to understand why security was not involved. Or you can try to say, well, there was something really interesting that happened here, actually, that we sort of forgot halfway through this scenario discussion, because somebody actually did something that clearly was not their job role; it was not part of their policy or guideline or ways of working or whatever. They noticed something that was not right. So there was some kind of positive slack in the system, there was some kind of positive control in the system that actually helped you get out of this sticky situation. And if you think about it, the sysadmin team, that's not their role, it's not the thing that they normally do, but they actually did do the right thing, right? So again, there was some kind of positive slack in the system that worked in your favour to get rid of this problem. And actually, if you have a look at all the things on the left-hand side, it's all the negative slack. It's all the things where you look at the thing and you found the hole, you found something that was missing; that's called the negative slack. You found something that was just not there, even though you really hoped it was going to be there. But on the right-hand side, if you have a look at the things that actually did go right, it was things that were positive slack in the system. Things that, you know, you never trained the sysadmin team to do this, you never trained this person to look around for things that didn't go wrong, that wasn't the kind of stuff that they were expecting, yet they did the right thing. This kind of scenario is something that is actually in my mind, but it's more an amalgam of other things I've seen and I have read about, and it's quite classical that the things that do go right are actually the positive slack in your system, and they are the ones that will save your ass, and not the holes that you've been plugging all day long.

Okay, so this is this kind of positive slack and negative slack in the system. So when you have this, you see the things that are missing, the holes that you want to plug on the left-hand side; that's kind of what is missing and what are the things that I need to fix because it's broken. And all you're looking at are the things that are broken, instead of looking at the things that did go right and actually are kind of interesting and that you could do better. For example, you can try to do wargaming with the sysadmin team: clearly they are quite capable of doing the thing that you wanted them to do, so maybe you can train them to do it better, maybe they can be part of the team, and together we can try to make this enterprise more secure. And this person who noticed something unusual: maybe you can try to recruit this person into the IT security team, maybe they could be the IT security champion within that department, and help that department be part of your... sort of project the knowledge and know-how that you have into the department, so that you can make sure that next time they build something they won't be missing the preventative measures.

Okay, so we're just going to jump topics a little bit here. I think it's also important to recognize that security can be looked at, at least, as a hierarchical control system. Like a normal control system, where you have this kind of control: you want to heat, I don't know, 100 litres of water, and you put some heating into it, and then you measure the temperature, and eventually it gets too hot and you turn off the heating, and then it gets too cold and you turn on the heating again. So this is a typical control loop that you would have when you try to heat up water. Now, IT security does have a certain thing like that; you can look at IT security from this perspective and say, well, there's of course the public, who are unhappy about certain things, and they're going to pressure the lawmakers to make laws. So the lawmakers are going to make laws, and then the regulators are going to try to enforce these laws on the company, and the company is then going to try to enforce that through their managerial control, right? And then the managerial control is eventually trying to push this control through, often to you, the IT security professional, who will write policies and guidelines and ways of working and all that sort of stuff, and eventually the person who's writing the code at the sharp end will try to keep in mind that the things that they need to write need to meet all those obligations that are up in the hierarchy. And then there's this reporting line that goes all the way back up, where we're going to monitor the people who are writing the code, and we're going to write some risk reports and compliance reports, and then the management will be happy about it, and then the company reports that back to the regulators, and the regulator is going to report back to the government about how we managed to implement the laws that have been set by the public. This is this kind of loop. The question is not whether this exists; I think you all understand that this exists, and if you ever had the chance to talk with a regulator, you know that this exists. But I think it's also something to think about: where you are on this chart, really. Where are you within this? Because you are somewhere in this control loop, and it might be an interesting thing to think about where you are and where you want to be. And often a person who is, let's say, an IT security professional will be in multiple places within this loop. You're also of course part of the public, so you can influence public opinion, and some people, CISOs for example, you might say have more say in pushing public opinion in some direction than others. But you're also writing code, and you're also frontline personnel in some ways, right? You're also doing things that get executed and could potentially even be online and affect the overall security of the system directly. And of course you have indirect control in other ways, right? You write risk reports, and those get propagated up and then eventually might even reach the regulator, and then of course the regulator through the government. So it's just interesting to think about, and something to keep in mind, that this is one way of looking at security: as a control loop.

Okay, so I just want to talk about something that I think is quite interesting, and you might see some similarities. So how does frontline work get adapted in the centralized mode of safety? The centralized mode of safety is something that I'm sure you have seen; it's basically the centralized mode of security. We all write policies and guidelines and stuff, and we just beat people on the head so that they would meet those guidelines, right? So what happens? Well, there's going to be these guidelines and plans and notes and requirements that these people should be doing as part of their work. This is the plan that we set forth for these people to do. And then what happens is that these people actually need to get some work done, and clearly the policies and the guidelines and whatever were never consulted with them, so they need to smooth over some of the rough edges. They will try to do what's called fluency; within the safety literature this is called fluency, which is an activity that smooths over these kinds of contradictions: they're supposed to meet these policy requirements, but clearly they also have some work to do, and the work to do doesn't quite seem to fit with what is set forth in the policy. So they try to smooth it over, and if you look at it from the outside it sort of looks smooth, like they seem to have figured it out. And what happens is that when they keep on smoothing over these kinds of contradictory requirements, they're going to start discounting the kind of stuff that they smoothed over. What they'll say is like, yes, we kind of know that it's not exactly according to policy, but it's kind of not too far away. And this kind of discounting will bubble up to management as well, and they're sort of aware of this, but it's like, not very far. And then what happens is that people will get into what they call double binds, which is to say that they have committed to some kind of work item that they need to get done, but they also must have committed to all the policies when they signed up to work for you, right? So there's this document they signed that they'll meet all the policies and guidelines, and somehow they realize that these are actually quite contradictory and they'll smash into each other, and you can't just pick one because it will immediately invalidate the other, etc. And now what happens is two options. One of them is what's called role retreat within the safety literature, and I'm sure you have seen this, when people say, well, I'm just following policy, and basically they don't get any work done, because they follow policy and obviously the policy means that they cannot get the work done. I have seen this in machine learning, for example: they say, well, GDPR says I can't possibly use this data because we haven't actually asked the users for all the required consent, so I'm just going to sit here and twiddle my fingers, and this is going to be great, because you're asking me something that I cannot do and therefore I'm just going to... I was called in to this work to do this role, so this is my role and I'm just going to work the role. It's kind of interesting; I'm sure you've seen this.

And then the other one, and this is more often the case, at least in IT; this is typically what happens, what's called covert work systems. And we have all been here, I have seen this many, many times. Basically what happens is work is done so that the thing that they actually do on a daily basis is basically hidden from you, because if you see it you're going to throw your head into the nearest trash bin; you're not going to be happy about it. So what happens is that they're going to start building systems to get the work done, but this is going to be insanely insecure, like, insanely insecure, and they're going to hide it from you. And this is the difference between work-as-done and work-as-imagined. Because if you ask the IT security professionals, they'll tell you all these are the policies and these are the things that everybody's doing, and then you go down to the trenches, and you're actually hitting the mine wall, and you're like, what is going on here? Like, entire systems of work are there that you have no idea about. And this is not like, oh, it's an accident or something; this is a continuation of all the things that are here. It's not an accident that this happened; this is what's going to happen unless you do something about it. This is just the result of this centralized mode of control.

All right, so what are you, the IT security professional, doing within this centralized mode of control? Well, this is of course from safety, so this is where safety and security overlap so crazily. It's very interesting once you start reading this literature; by the way, there's lots of accidents that happen there, so I think we can all relate to that. So we support the task-based identification of hazards, right? We do risk analysis, we all do this; there's threat modeling, if we want to call it that. So high-level risk assessment, like, hey, do we meet GDPR? And the other one, the task-based one, is like, hey, does this team do things that would violate GDPR? We develop controls for tasks and processes, right? We all know this: we write the risk sheet, we set a list of requirements that they need to meet, because clearly they missed the detective control and the preventative control and the reactive control, so we're just going to add all those controls in. We monitor proactively, blah blah; obviously we're going to have a look at detective measures and we're going to do incident management. Provide safety and incident compliance reporting, right, to upper management and to the regulator, so we write these reports, the management is going to look at it, they're going to change priorities, etc. Support line management decision making, right, so we help them make the decisions to change the way they do things so that there's going to be lower risk. There's some parts here, this "promote authority to stop work", that's not something that we normally do. And we develop and promote safety culture and improvement programs; so we all know this, like, say, security champion programs, and what Six Sigma calls... you get these belts, you get a black belt if you're really good, and then white belt is the very start, like, everybody has this. And then this is kind of the top-down thing, right? So we're going to write some nice presentations and we're going to do some monthly meetings where all these security professionals are going to tell all these stupid people how they should be doing their work. And this is very top-down, like, we're going to show you how security really is.

So what can we do instead? That's the real question, because these are all kind of known; you have seen most of these, probably. If you have spent maybe a few years in this space, you'll notice that this has happened to you, personally. Well, what we can do: we can try to explore everyday work. We can try to sit next to the engineers, I mean the frontline workers, the people who are actually writing the code, like, what the hell are they doing? Maybe you could just understand; let's start there, not a bad place to start, I'd say. You can try to support the practices that they are actually doing; try to understand what they're doing and understand the goal conflicts that they have to deal with every day, like smoothing and discounting and building these covert systems, and try to understand why they are doing this. Is there something that I can do to help them do this better, in a way that is actually secure? Because the only other option is you try to beat them, and then somebody else will come, because they're leaving, and they'll build their own covert systems, and now you're back to the same place, except it's a year later. Oh no, I'm still good. Okay, oh, that went off. Right.

You can try to facilitate information flow between the frontline workers and upper management; try to actually bridge the gap, and try to explain to upper management: okay, but clearly you're asking them to do this and this at the same time, and they cannot possibly; there's no way for this to actually work, so we have to do something else. And it's not an easy thing, neither to communicate that nor to find ways to fix that, which is obviously the next thing: to generate operational scenarios that could actually work, and try to find not a middle ground but a way to make this all work, such that we meet the regulatory requirements that we have, and we all feel like this is something that the shareholders, let's say, would be comfortable with. And I think the hardest part within this, in my perspective at least, is to facilitate sacrifice judgments. So when you're there, obviously some of the things will not be met, and now you'll have to figure out what are the things that you think would be best not to meet, because something is not going to get met. And it's kind of difficult; people are not comfortable with saying, oh yeah, we can't do that. But you can't do that, that's the point. And now you need to figure out which are the ones that we're going to let go, and you have to have upper management sign off on that, basically, or guide them towards the solution that actually makes sense. And now, okay, the last one is sort of in contrast to this kind of top-down security champion stuff: instead of going there and telling these people how security is supposed to be done, you let them tell you how they think security is being done, and guide them through this process of trying to do it better.

So this is sort of just a question towards you: what do you want to be like? Do you want to be setters of requirements, or do you want to be providers of capability? This is actually by Nancy Leveson; she does a really good job. There was a workshop on this STAMP thing this summer, and basically the question is: are you writing un-contextualized policy documents that no one knows exist in the organization, and then holding employees accountable to those requirements, set with poor understanding of operational context? In other words, are you writing policy documents where you have no idea how they're going to get executed and how the work actually gets done day to day? And I have seen documents that had no relation to how work was getting done, like, zero. And the worst part about it is that the IT security professionals themselves discount things; they know, they're like, oh yeah, we know, but it's not such a big deal. So they start acting exactly like frontline personnel, in a way, and they sort of understand that there are these covert systems, and it's kind of insane, almost. So I think the real question is: maybe we should try to be providers of capability, like this positive slack, and improving this positive slack that is in the system, rather than trying to set these requirements and basically try to plug every single hole you see.

Okay, so this is, I think, by Dekker; no, actually it's Hollnagel again. It is quite nice. So they have this idea of Safety-I and Safety-II. At this point I think you all understand at least where I'm coming from, and you should be quite clear where this is going. So Safety-I is: you learn from errors, right? You see the errors and you only count the errors, not the successes; never count the successes, only the errors, that's a very important aspect of this system. Safety is defined by absence: you look for holes and you plug the holes. It's a reactive approach: whenever there's a problem you fix it; there's no problem, you don't fix it. Understanding what goes wrong: all you're interested in is what went wrong, that's the question that every single incident report that you read answers. It's something to think about, actually. Existing causation models, right? So this is maybe not that interesting for us, but usually what happens is that they look at the accident, and there's a lot of literature on this and it's very interesting, but I'm not going to waste your time too much. Basically the idea is that you go forward only, and you say, okay, this is where they were and this is where they went and eventually went wrong, and you never understand: okay, but if they did something else, they might have just gone wrong as well. This is a classical mistake people make in this kind of system. Anyway. And avoidance of errors: you try to avoid all errors because all error is bad, instead of trying to learn from errors. And you reduce losses, right? That's the whole point.

And then Safety-II is this kind of: you learn from successes, you try to understand what went right, and what are the things that we can do even better, so that the things that went right will go even better. Safety defined by presence: the presence of positive capability, the presence of the things that are there to make sure that if things go wrong we'll be able to recover, we'll be there to fix it. A proactive approach. Understanding what goes right instead of what goes wrong, instead of looking for holes. Repeating what went right and creating new processes that are based on

the things that we have identified as success okay so I don't know if I have too much time maybe a little [Music] um that's good okay well then we'll have a discussion it's gonna be fine um yes ah always fun um so drift into failure so this that we all know this I think we have all heard about is the Challenger accident is a very classical one on this one uh where you know there was this theme and they they they always kind of wrong but you know it's kind of good we're gonna run with it we're gonna launch this this chapel and it like it went well so okay maybe it's fine then let's launch it

again and again and like and then you start off the margin uh it just gets get eroded and eroded in order to your margin of of safety gets eroded and eventually things blow up into your face right this is kind of we all we have heard about this I think and So within the I.T security space the way this works is that there's the system X and you know it's been running for a long number of years and therefore system X must be safe right it's been running for a long time it's good and but notice that the risk gets evaluated by people it's not even if it's a system that eventually you know calculates the

risk somehow it's like some risk sheet or some automated system is the people who actually enter the information into the system and people are usually working in a group and there is the group reinforces each other so you can sort of get down into some mechanism of toads that just carries you and more interestingly the people the the people who are decision makers get are actually part of this group or at least are strongly influenced by this group right and how is this group made up actually because what happens is that in a large organization people come and leave and some people when they build the system they knew that they were like the margin

was was tight right but the thing is that they like okay they kept on eroding it a little bit because they're like oh there seems to be more more leeway here and then what happens is that these people leave and the newcomers they come in the new hires come in and they're like oh this is the norm uh this is the norm we can try to erode we can try to like you know this might have too much margin of error let me uh you know let's squeeze it a little bit and so what happens is that as people come in into the organization they'll they'll they'll be indoctrinated basically into this kind of risk that

you're sort of living with we're sort of accepted this risk somehow um right and uh have you noticed that when you have a new hire and you tell them about the things that you're like the risks that you're running with they're like really surprised they're like are you sure and that's kind of this effect when they're like oh they haven't been indoctrinated into your view of of of the risk right because what happens is that you have done all the discounting already you have like you have you have all these like oh yeah it's kind of bad I know but like have you thought about XYZ so you yourself have done this discounting and you sort

of lived into this world and you have this effectively group thing already going on within the I.T security space and I'm not talking about the the the the other Frontline Personnel in this sense you are the fortnite personnel right so accepting risk this is more like a bit of a side note but in in safety there is it's a it's an interesting thing about accepting risks because people can die and how can you accept that I accept that you die you know like I can't possibly accept that right it's like there's no way that I can accept you dying right but uh in 1960 somehow we sort of like we we forget about this because

have you thought about a risk to whom actually do you have like a column about the risk to whom in your risk sheets like is it like first party victim like the employee who's like computer got a malware and clearly this like attacker so everything they were doing I mean they might have been doing some personal things on their laptop right they might have been writing personal emails to their other colleagues and chatting and whatnot like they're a victim in this scenario right have you thought about before okay the second party victim is the customer right the second part is the the person who sort of signed up to your company to to do their their their their things but

but they clearly did not sign up for their data to be leaked and then there's the third party victim who had no idea right they they're like the the the let's say that the the direct messages that people send on Twitter will now suddenly be available to everyone and I might have talked about someone who never used Twitter right and now this person is a third-party victim who who is victimized but like and who accepted the risk while some manager accepted the risk right they clearly didn't accept the risk right so it's a kind of an interesting thought to think about of course when somebody dies it's a bit different because like you know an airplane fall on your house

then you're like clearly didn't accept that risk uh and some manager did by the way but but but in this case you know um you know it's not as obvious but still there is risk to people that never accepted that risk and somebody accepts that risk even though I'm not sure they have the authority to do so see something to think about as as you work as I.T Security Professionals because you will also be part of this risk acceptance process right you will be there and you will be part of the people who actually help that person accept that risk okay they're more like an ethical sort of question to think about okay so I'm just going to talk quickly

about this thing called the high reliability organizations this is kind of a this used to be a very trendy at one point and now it's very trendy again um it's kind of trending Healthcare but it's been well known in in oil and gas and Mining and it's kind of high-risk organizations like or Aerospace space Etc and so Wikipedia says I'm going to read it because it's actually not that bad so high Willow about the organization is an organization that's exceeded in avoiding catastrophes in an environments where normal accidents can be expected due to risk factors and complexity right so what do hros do and I think you will this is not like now that you have to listen to me for like

35 minutes I think you probably are sort of familiar with some of the things that are going to reset here so they're going to be preoccupation with failure right not success remember uh so pre-consuming failure you know process failures are dressed immediately and completely it's still interesting to link to think about some of these things that that they do here and they do manage to um avoid failure quite often there's something to be learned from hros I think reluctance to simplify complex problems get complex Solutions when was the last time you had like a really complex problem and somebody came up with a really simple solution and it did not work it just did not work

um sensitivity operations so this is more closer to what this basically safety two this kind of I would say guided mode of of of of security or safety where every voice matters so that is to say you actually are interested what the people are doing on the ground and try to understand what they're up to um next one is uh commitment to resilience so basically you uh commitment to resilience so basically recovery recovery is Swift point being that that um you uh you try to have this kind of positive slack in your system so that you can recover from potentially dangerous uh situations quite quickly and finally the reference to expertise so instead of here key it's the deaf the

experts who are actually you know guiding this organization towards a more safe uh scenario the HR was actually kind of interesting and there's quite a lot of literature in it and I mean it's part of Wikipedia so it's like not as like at the edge of knowledge you know it's kind of well known you can read quite a lot about them okay so this is by Decker's talk at the devops summit a few years ago um Becker is one of this kind of well-known people within the space Sydney Decker I'll have a list of references um so here's this thing called Safety currently and safety differently um he's kind of preoccupied with this idea of safety differently and again

this is nothing new to you right now so you know the this in safety currently there's people are the problem you need to control them right you know we need to tell them what to do and you have to count your successes by the absence of the negative right yeah and you count all your successes by you know all the holes that you didn't find and if differently is when you when the people are the solution like the the the the the the um the person who was looking around and found this in the attacker accidentally while sort of snooping around their own AWS account or actually the solution or the the the the assistant admin team

that you know recognize the gravity of the situation and immediately deleted the accounts you know even before the stock was like you know woke up from their dream basically right and you're supposed to be there to ask them what they need so that you can help them get the work done in a way that is secure or safe in the space and you are supposed to count the positive capacities in the system rather than you know like looking for the positive the negative slack you're looking for the positive slack in the system I think I'm going to end here so you can actually um have questions towards me um I want to talk a little bit about the

references here so there's this guy called Mario Platt who uh who who tries to bring a lot of these things together I think and his thing doing really interesting work I find uh you can find him everywhere he's got a very nice blog as well um sitting that code is like he's got a few books here uh drift into failure is something that I think sounds good but more interestingly I would say the the field guide to understanding human error is much much better and it will just it will make fun of all this crap about the the the uh the the down and in and we'll we'll tell you about how to do the up

and out how to how to look for distal causes the things that actually really did go wrong in a way that you can try to fix and so that the the proximal codes will not even be kind of interesting and then there are some others I mean there's Diane woggins the Challenger launch decision so that's about this group thing that I I mentioned um she's actually a sociologist and more interestingly actually most of the people are not technical here which is also Mario plot talks quite a lot about this um that you need to bring in a multi-disciplinary team to do YT security if all you have is IIT Security Professionals with techies basically you you might be able to do better if

you try to bring in others because uh a lot of the things that I talked about actually are more on the social side of things rather than the technical side of things I didn't talk about exercise actually the xss would be the the the proximal course you still need to understand that right you still need to understand how the damn thing went wrong but the thing is that to fix it you don't only need to know the technology you actually need to go up higher and understand what were the the influences that led to that thing going wrong right so Diane Rogan is a is a sociologist and so is Rasmussen and a bunch of others

anyway they're very kind of cool it's been around since a while since 1978 is one of the classics the original sort of this man-made disasters where it's like hey basically everybody at that point everybody beyond the technology and the front line worker like oh they did the wrong thing they pushed the wrong button I mean there's this very classical I don't know if I have the picture somewhere maybe I do have the picture no I don't have the picture where uh where there's like they used to crash the planes from coming back from the uh from from bombing can Paints in the second world war and it's like the the button for taking the flaps down and putting

the the the the the gear down were like the same freaking button next to each other and then like and they blame the pilots like Non-Stop and they're like like those like every and they've been like flying for 16 hours you know I mean of course they're gonna push the wrong button and they just died I mean a lot of people died anyway so this is the uh this is the end I hope you have some questions thank you

[ feedback ]