Being human - behaviour that needs to be on board
Being human - behaviour that needs to be on board

On the night of April 14th, 1912, the RMS Titanic scraped an iceberg and sank to the bottom of the ocean in only two hours and 40 minutes resulting in the death of 1,517 people.

Look behind the Titanic disaster and you will find a string of human errors. Look behind a security breach and you are guaranteed to find a similar causal chain.

The disaster makes for a riveting tale. In addition to being one of the worst peacetime maritime disasters in history, the Titanic provides a context for insights into social status, modern consumerism and for the purpose of this article, the consequence of human error. Before continuing with an infosec theme, I feel that I should briefly note that the severity of the Titanic and an Info Sec breach are self-evidently not suitable for comparison.

However, the behaviour associated with both events presents some interesting lessons to be learnt. Human error is far more likely to cause serious incidents (in both the truly tragic and infosec breach varieties) than any technical or structural vulnerabilities. It could even be argued that the latter are simply products of human errors.

In exactly the same way that an exogenous agent (iceberg) caused the Titanic to sink, an exogenous agent (hacker) could cause businesses losses in terms of shareholder value, intellectual property, finance and reputation. However, it must be remembered that people create the threats, vulnerabilities and impacts. We are the key to preventing and responding effectively to incidents.

In a state of panic, people can act more or less on impulse. Examples from the Titanic disaster clearly demonstrate this: lifeboats were launched only partly loaded, some were launched with too many passengers aboard (ironically putting them all in danger) and in one instance, the crew narrowly avoided launching one lifeboat directly on top of another already in the sea!

In the event of an incident, social cohesion is far more likely to disappear, taking with it the ability to react quickly and prevent critical consequences. It is clear that incident response and crises management procedures need to be simple, easy to follow and most importantly in existence.

Key decisions need to have been taken in advance of a crisis and be embedded in procedures, thus removing the need for people to take daunting decisions when under maximum stress (a toxic combination).

Therefore, identifying the source and impact of possible incidents and developing appropriate procedures is crucial. Employees involved in crises management must also practice the procedures to ensure they learn what their role entails and that any problems are ironed out before there is a real crisis (to restate a point – it never hurts to reduce the mental workload when a crises occurs!) It is for this very reason that the military relies on drill and practice to ensure personnel perform their best under stress. Practice prevents panic!

 

The Titanic was designed with safety features that were notably advanced for her time, such as watertight compartments and remotely activated watertight doors. She was also designed according to maritime regulations in force at the time, and surprisingly carried more than the legal minimum of lifeboats.

However, as is well known, there were not enough seats on the lifeboats for everyone aboard. This is effectively a failure to adopt a ‘safety critical' design. Safety critical design is much more comprehensively understood now than it was in 1912, and we would argue that organisations also need to adopt a ‘security critical' design and operational standpoint. By which I mean, the effect of failure modes on security must be considered.

Communication is an essential part of good operational process, and again there exists a great (albeit very tragic) example from the Titanic disaster. Naturally, people must understand how to communicate in the event of an incident. Without a proper communication plan and notification system, key players will not be notified of a critical incident and therefore not engage in effective response mechanisms.

After the Titanic disaster, The International Convention for the Safety of Life at Sea mandated that the firing of red rockets from a ship must be interpreted as a sign that help is required. This removes all possible ambiguity and the need for deliberation before help is given. Arguably this is also an example of regulations failing to keep pace with technology.

Performing lifeboat drills only became law in 1914, after being incorporated into the International Convention for the Safety of Life at Sea. Tragically, a lifeboat drill was due to take place on the same day the Titanic hit an iceberg. This was cancelled last minute by Captain Edward Smith, for reasons that remain unknown to this day.

Prioritising training in order that it's scheduled regularly will produce improvements in behaviour, in both day-to-day an incident response scenarios. It is training for ‘the unusual', the incidents, that requires specific practice.

Put bluntly, people need to know what to do and how to act. Training goes straight to the heart of human behaviour. However, changing people's behaviour such that they behave securely requires more than just courses. People need to practice what they have learned during business as usual hours. Investing in employee training and development entails numerous benefits, such as enhancing company image, increasing job satisfaction and employee's feelings of competency and confidence. From an infosec perspective, training also benefits and protects the business itself.

In the aftermath of the Titanic disaster a raft of regulations were brought into force, such as the first International Convention for the Safety of Life at Sea (SOLAS) and the International Ice Patrol.

This clearly demonstrates that prior to the disaster; the regulatory environment had been too light. However easy it is to say this with the benefit of hindsight, it could be argued that regulations must look to the future and attempt to predict new risks brought about by technological advancements.

Regulatory bodies such as governments and trade bodies must strike a balance between making organisations act in a responsible manner and ensuring that they are able to trade freely and make returns on shareholder investments.

In addition, globalisation brings with it challenges with differences in legal jurisdictions. Arguably, the age of the sea brought with it the first significant globalisation challenge, the rise of jet air travel the second, the Internet the third. Examples from the Titanic disaster abound; US law differed from UK law in many important respects, particularly around the liability of ship owners and operators in the event of a disaster at sea. Interestingly, the sea-faring nations of Europe had more stringent laws that the US at the time of the sinking of the Titanic, where the ship-owner is liable to pay the sums provided by the workmen's compensation acts in those countries. Differences in laws between legal jurisdictions effectively offer companies a ‘choice', but also a risk - work under the least stringent laws and potentially reap greater profit. It is easy to under-regulate on the basis that this ‘will never happen here' … until a disaster occurs.

Titanic is a name that will forever be associated with disaster. Even the name is fairly self-explanatory in conveying how an incident can remain in public consciousness and be examined from multiple angles. Reputation and risk are notoriously inseparable social institutions due to the former being notoriously difficult to measure and intangible. 

Paul Midian is consultancy director at Information Risk Management