You CAN Stop Stupid. Ira Winkler
When the Challenger space shuttle exploded, the explanation given to the public was that O-rings, cold weather, and a variety of other factors were the combined cause. However, internal investigations also revealed that there was a culture that was driven to take potentially excessive risk to stay on schedule. (See “Missed Warnings: The Fatal Flaws Which Doomed Challenger,” Space Safety Magazine, www.spacesafetymagazine.com/space-disasters/challenger-disaster/missed-warnings-fatal-flaws-doomed-challenger/.) Despite many warnings about safety concerns relevant to the Challenger launch, NASA executives chose to downplay the warnings and continued with the launch. Even if the Challenger explosion was due to a mechanical failure, it was clearly a UIL because someone made the conscious decision to ignore warnings and proceed despite the risks.
While it shouldn't take a crippling of the entire space program to initiate culture fixes, NASA subsequently issued engineers challenge cards that they could place on the table in the middle of discussions and demand that their concerns be heard.
In perhaps one of the most iconic cases of culture-based UIL, in 2017, the U.S. Navy destroyer USS Fitzgerald crashed into a large freighter, resulting in severe damage and 7 deaths. Another destroyer, the USS John S. McCain, crashed into another large ship 9 weeks later, resulting in massive damage and 10 deaths. Investigations determined that there were major failures in leadership and communications on the individual vessels. (See “Worse Than You Thought: Inside the Secret Fitzgerald Probe the Navy Doesn't Want You to Read,” Navy Times, www.navytimes.com/news/your-navy/2019/01/14/worse-than-you-thought-inside-the-secret-fitzgerald-probe-the-navy-doesnt-want-you-to-read/.) Essentially, the investigators determined that there was a culture on the ship that created those failures. Further studies found that the problems resulting in these collisions were due to a culture that created systematic failings throughout the 7th Fleet, creating poorly trained sailors, failing equipment, and other failures. (See “Years of Warning, Then Death and Disaster,” ProPublica, features.propublica.org/navy-accidents/us-navy-crashes-japan-cause-mccain/.)
In the cybersecurity world, there are many massive failings due to cultural causes. The Equifax hack demonstrated systematic failures that went beyond a straight failing of technologies. (See “Data Protection: Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach,” U.S. Government Accountability Office, www.warren.senate.gov/imo/media/doc/2018.09.06%20GAO%20Equifax%20report.pdf.) The technological failures would not have occurred without a management infrastructure that allowed them to take place. Some people claimed the Equifax CISO was made a scapegoat and fired, but it is clear that there were management failings.
There is a wide spectrum to the forms that culture-based UIL can take, from small behaviors to widespread negligence. Strong cultures tend to be consistently strong, although they may have some isolated shortcomings to address. Likewise, when you have a weak culture with regard to control of loss, you will find the culture to be consistently weak. Even so, culture is not static. It evolves and changes. If you let culture change organically on its own, you will more likely increase loss. If you take an active role in understanding and influencing culture by determining the desired user behaviors, taking steps to architect those behaviors, establishing open channels of communication for feedback, initiating and improving training, and so on, you can improve your culture and reduce UIL.
Chapter 9, “Security Culture Defined,” explores culture further.
Physical Losses
Physical losses are generally straightforward to categorize. If a user leaves a computer behind on an airplane, it is technically a physical loss. An automobile accident can be considered a physical loss. If a user is somehow responsible for creating a fire, or at least ignoring conditions that would lead to a fire, the resulting damages can be considered a physical UIL.
While there may be some overlap with culture, the USS Fitzgerald is arguably a physical UIL, at least with regard to the resulting damage. We categorize losses in order to determine how the potential loss might be mitigated in any applicable category. Even if the U.S. Navy culture was perfect, it is possible that the freighter could have still steered toward the USS Fitzgerald. No matter what the cause of the accident was, deaths resulted from the actual collision, and it would be legitimate to ask if the construction of the ship could be improved to stand up to future collisions.
We can dissect the 9/11 terrorist attacks to determine many categories of UIL, but there was clearly a successful countermeasure that saved lives. Specifically, prior to the attacks, the Pentagon was renovated to include blast resistant walls and glass. (See “September 11, 2001,” U.S. Department of Defense Pentagon Tours Office, pentagontours.osd.mil/Tours/september11.jsp.) Those renovations were credited with saving lives when an airplane flew directly into the side of the building. Although there were still deaths, the trauma was greatly contained.
The Pentagon renovations were specifically designed to prevent hostile attacks, but they also prepared for other forms of physical damage. Similarly, other building construction often takes into account fire and earthquake protection.
People often think of planning for physical loss in terms of their own immediate organization, but it extends beyond that. If a cloud computer center isn't adequately air-conditioned, the servers can be damaged, affecting an organization's data. To prevent that type of loss, the organization needs to consider not only their own immediate physical assets but those of users in partner organizations as well.
Huge, dramatic losses get a lot of attention, but seemingly small losses accumulate quickly and can be even more damaging. This is what we refer to as “death by 1,000 cuts.” With death by 1,000 cuts, small, inconsequential losses can add up to significant losses. International grocery chains operate on a tiny profit margin. Their meat, produce, deli, and dairy products are highly perishable and have a limited shelf life. Those are physical assets, and any increase in their loss can drastically damage the company's profit. To safeguard that product against loss, many factors need to be considered such as proper training of employees on stock rotation and inventory control, regular maintenance of refrigeration units, and partnering with vendors that will provide the freshest, most reliable product possible.
If an organization has a fleet of delivery trucks, those trucks age. If you don't regularly change the oil, you replace expensive engine parts more quickly. If you don't occasionally balance and rotate the tires, they wear unevenly, and you buy expensive truck tires more often. When equipment wears out and needs to be replaced, that is still a physical loss, and it can be planned for and minimized.
Also consider that people exist physically and thus are themselves physical resources. If an organization has a high turnover rate, they enter into a constant cycle of acquiring and training new employees. Even if employee retention isn't a problem, it is important to maintain the condition of your people just as you do any other physical resource. For example, one study found that 98 percent of medical residents made a medical error in large part because of the lack of sleep incurred by their required and strenuous schedules (see journalofethics.ama-assn.org/article/after-apology-coping-and-recovery-after-errors/2011-09). Organizations that use trucks or airplanes perform oil changes, tire inflation, and other routine maintenance on their vehicles to keep them working efficiently as physical components in the system. Similarly, regularly addressing the processes, culture, and training maintains an organization's physical users to maximize their efficiency and effectiveness, thereby reducing loss.
To properly mitigate a physical loss, you need to consider what physically exists and how to best safeguard it. Often, this needs to be done in conjunction with addressing other categories that contribute to loss as well, such as training, processes,