Corporate Compliance Insights

A Cognitive Risk Framework for the 4th Industrial Revolution

Introducing the Human Element to Risk Management

by James Bone
June 10, 2019
in Risk

As we move into the 4th Industrial Revolution (4IR), risk management is poised to undergo a significant shift. James Bone asks whether traditional risk management is keeping pace. (Hint: it’s not.) What’s really needed is a new approach to thinking about risks.

Framing the problem

Organizations, generally speaking, have one foot firmly planted in the 19th century and the other foot racing toward the future. The World Economic Forum calls this time in history the 4th Industrial Revolution, a $100 trillion opportunity that represents the next generation of connected devices and autonomous systems needed to fuel a new leg of growth. Every revolution creates disruption, and this one will be no exception, including in how risks are managed.

The digital transformation underway is rewriting the rules of engagement.[1] The adoption of digital strategies implies disaggregation of business processes to third-party providers, vendors and data aggregators who collectively increase organizational exposure to failures in security and business continuity.[2] Reliance on third parties and sub-vendors extends the distance between customers and service providers, creating a “boundaryless” security environment. Traditional concepts of resiliency are challenged when what is considered a perimeter is as fluid as the disparate service providers cobbled together to serve different purposes. A single service provider may be robust in isolation but may become fragile during a crisis in connected networks.

Digital transformation is, by design, the act of breaking down boundaries in order to reduce the “friction” of doing business. Automation is enabling speed, efficiency, multilayered products and services all driven by higher computing power at lower prices. Digital Unicorns, evolving as 10- or 20-year “overnight success stories,” give the impression of endless opportunity, as do the capital returns from so many early stage tech firms that continue to drive rapid expansion in diverse digital strategies.

Thus far these risks have been fairly well managed, with notable exceptions. Given this rapid change, it is reasonable to ask whether risk management is keeping pace as well. A simple case study may clarify the point and raise new questions.

In 2016, the US presidential election ushered in a new risk: a massive cognitive hack. Researchers at Dartmouth College’s Thayer School of Engineering developed the theory of cognitive hacking in 2003, although the technique has been around since the beginning of the internet.[3]

Cognitive hacks are designed to change the behavior and perception of the target of the attack. The use of a computer is optional in a cognitive hack. These hacks have been called phishing or social engineering attacks, but those terms don’t fully capture the diversity of methods involved. Cognitive hacks are cheap, effective and used by nation states and amateurs alike. Generally speaking, deception, whether used in defense or in offense on the internet, is the least expensive and most effective way to bypass (or to enhance) security, because humans are the softest target.[4]

In the book “Cognitive Hack,” a chapter entitled “How to Hack an Election” describes how cognitive hacks have been used in political campaigns around the world with great effect.[5] It is not surprising that the technique eventually made its way into American politics. The key point is that deception is a real risk that is growing in sophistication and effectiveness.[6]
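The deception described above usually reaches its human target through a message that looks trustworthy, and one of the cheapest tricks is a sender domain that differs from a trusted one by a swapped character or a look-alike glyph. The script below is an added example (it is not from the article or from the “Cognitive Hack” book) of the narrow technical check a mail gateway can make: it folds common homoglyph substitutions and measures edit distance against a constructed list of trusted domains. It catches the crude, mechanical form of the deception and nothing more, which is the author’s point; the human is still the last control.

```python
"""Look-alike sender-domain check (added example, constructed data).

Flags sender domains that are a small edit or a homoglyph substitution away
from a trusted domain, e.g. "exarnple.com" (r+n for m) or "examp1e.com"
(digit 1 for l). The trusted list and every sample below are hypothetical.
"""

# Hypothetical trusted domains for the organization.
TRUSTED = ["example.com", "corp-payments.com"]

# Common ASCII homoglyph substitutions seen in phishing sender domains.
# Each key is what the attacker types; the value is the letter a reader sees.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w", "cl": "d", "5": "s", "3": "e"}


def normalize(domain: str) -> str:
    """Lower-case, strip a trailing dot and fold homoglyphs to their look-alike."""
    d = domain.lower().strip().rstrip(".")
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(sender_domain: str, trusted=TRUSTED, max_dist: int = 2):
    """Return ("trusted", d), ("lookalike", target) or ("unrelated", None).

    An exact match is trusted. Otherwise the homoglyph-folded sender is
    compared with every trusted domain; a distance of at most `max_dist`
    marks it as a look-alike of the closest trusted domain.
    """
    raw = sender_domain.lower().strip().rstrip(".")
    if raw in (t.lower() for t in trusted):
        return ("trusted", raw)
    norm = normalize(raw)
    best = min(trusted, key=lambda t: edit_distance(norm, t.lower()))
    if edit_distance(norm, best.lower()) <= max_dist:
        return ("lookalike", best)
    return ("unrelated", None)


if __name__ == "__main__":
    # Constructed sample senders, not taken from any real incident.
    for sender in ["example.com", "exarnple.com", "examp1e.com",
                   "corp-payrnents.com", "totally-different.org"]:
        print(f"{sender:25} -> {classify(sender)}")
```

The distance threshold is deliberately small; raising it increases false positives on legitimately similar partner domains, so in practice the verdict feeds a warning banner or a quarantine review rather than an automatic block.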

In researching why information security risks continue to escalate, it became clear that assessing risks in a digital environment requires a radically new way of thinking about risk. The escalation of cyber threats in the face of an onslaught of security spending and resources has been called the Cyber Paradox.[7] We now know the root cause is the human/machine interaction, but sustainable solutions have been elusive.

Here is what we know: digital risks thrive on the diversity of human behavior.

Some behaviors are predictable but evolve over time. Security methods that focus on behavioral analytics and defense have found success but are too reactive to provide assurance. One interesting finding is that a focus on simplicity and good working relationships plays a more effective role than technology solutions. A 2019 study of cyber resilience found that “infrastructure complexity was a net contributor to risks while the human elements of role alignment, collaboration, problem resolution and mature leadership played key roles in building cyber resilience.”[8]

In studying the phenomenon of how the human element contributes to risk, it became clear that risk professionals in the physical sciences were already using these same insights into human behavior and cognition to mitigate risks to personal safety and to enable better human performance.

Diverse industries, such as air travel, automotive, healthcare and smartphones, have benefited from human-element design to improve safety and create sustainable business models. Ironically, the Crime-as-a-Service (CaaS) model may be the best example: organized criminals on the Dark Web work together with the best architects of CaaS products and services, making billions by selling to a growing market of buyers.

In its second Global Cybersecurity Index (GCI), the International Telecommunication Union (ITU) noted that approximately 38% of countries have a cybersecurity strategy and a further 12% are considering one.[9]

The agency said more effort is needed in this critical area, since a national strategy signals that a government treats digital risk as a high priority. “Cybersecurity is an ecosystem where laws, organizations, skills, cooperation and technical implementation need to be in harmony to be most effective,” stated the report, adding that cybersecurity is “becoming more and more relevant in the minds of countries’ decision makers.”

Ironically, social networks in the Dark Web have proven to be more robust than billions in technology spending.

The formation of systemic risks in a broader digital economy will be defined by how well security professionals bridge 19th century vulnerabilities with next century business models. Automation will enable the transition but human behavior will determine the success or failure of the 4th Industrial Revolution.

A broader set of solutions is beyond the scope of this article; it will take a coordinated approach to make real progress.

The common denominator in all organizations is the human element, but we lack a formal approach to assess the transition from 19th century approaches to this new digital environment.[10] Not surprisingly, I am neither the first nor the last to consider the human element in cybersecurity, but I am convinced the solutions are not purely prescriptive in nature given the complexity of human behavior.

The assumption is humans will simply come along as they have so often in the past. Digital transformation will require a more thoughtful and nuanced approach to the human/machine interaction in a boundaryless security environment.

Cognitive hackers from the CIA, NSA and FBI agree that addressing the human element is the most effective approach.[11] A cognitive risk framework is designed to address the human element and enterprise risk management in broader ways than simply changing employee behavior. It is a fundamental shift in thinking about risk management and risk assessment, and it is ideally suited to the digital economy.

Technology is creating profound change in how business is conducted. The fragility in these new relationships is concentrated at the human–machine interaction. Email is just one of dozens of vulnerable endpoints inside and outside of organizations. Advanced analytics will play a critical role in security, but organizational situational awareness will require broader insights.

A recent example is the October 2016 distributed denial of service (DDoS) attack on Dyn, an Internet infrastructure company that provides managed Domain Name System (DNS) service to its customers.[12] A single service provider created unanticipated systemic risk across the East Coast. The attack traffic came from the Mirai botnet of compromised consumer devices, many of which had been taken over using factory-default credentials, another failure at the human/machine boundary.

DNS translates the hostname you type into your browser into the IP address the browser actually connects to.[13][14] A DDoS attack on a DNS provider therefore prevents users from reaching the websites of that provider’s customers even though the sites themselves are still running. Much of the East Coast saw outages as the attack spread. Affected services included Amazon AWS, Twitter, Spotify, GitHub, Etsy, Vox, PayPal, Starbucks, Airbnb, Netflix and Reddit. In an unrelated event in 2013, Level 3 Communications experienced a fiber-optic switch failure that cost millions of cable subscribers their Internet service for a short time. That failure also affected Facebook and Twitter, demonstrating that unexpected consequences must become part of the contingency playbook.

These risks are known, but addressing them requires complex arrangements that take time. These visible bottlenecks in the network offer an opportunity to reduce the fragility of the Internet; however, resilience on the Internet will require trusted partnerships to build robust networks beyond individual relationships.
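The practical first step toward the partnerships described above is knowing where your own organization already depends on a single provider, as Dyn’s customers did. The script below is an added example, not part of the article or of Dyn’s or any vendor’s tooling: given the authoritative nameservers (NS records) for a portfolio of domains, it groups each domain’s nameservers by provider and reports every domain whose resolution would fail if one provider went down. The portfolio, the nameserver hostnames and the provider names are all constructed; in practice the NS data comes from `dig NS <domain>` or a resolver library.

```python
"""DNS provider concentration check (added example, constructed data).

For each domain, derive the set of providers behind its NS records and
flag domains served by exactly one provider. Also compute, per provider,
how many domains would stop resolving if that provider were unreachable.
"""
from collections import defaultdict

# Constructed sample portfolio; domains, nameservers and vendors are hypothetical.
SAMPLE_NS = {
    "shop.example": ["ns1.dnsvendor-a.example", "ns2.dnsvendor-a.example"],
    "api.example":  ["ns1.dnsvendor-a.example", "ns3.dnsvendor-b.example"],
    "blog.example": ["ns-1.dnsvendor-c.example", "ns-2.dnsvendor-c.example",
                     "ns-3.dnsvendor-c.example"],
    "pay.example":  ["ns2.dnsvendor-a.example"],
}


def provider_of(ns_host: str) -> str:
    """Label a nameserver by its registrable domain (last two labels).

    Heuristic only: two-label public suffixes such as co.uk would need a
    public-suffix list, which this example deliberately leaves out.
    """
    labels = ns_host.strip().rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def analyze(ns_map):
    """Return ({domain: sorted provider list}, sorted single-provider domains)."""
    per_domain = {d: sorted({provider_of(h) for h in hosts})
                  for d, hosts in ns_map.items()}
    single = sorted(d for d, providers in per_domain.items() if len(providers) == 1)
    return per_domain, single


def provider_exposure(ns_map):
    """Count domains that depend entirely on each provider (the blast radius)."""
    exposure = defaultdict(int)
    per_domain, _ = analyze(ns_map)
    for providers in per_domain.values():
        if len(providers) == 1:
            exposure[providers[0]] += 1
    return dict(exposure)


if __name__ == "__main__":
    per_domain, single = analyze(SAMPLE_NS)
    for domain, providers in per_domain.items():
        print(f"{domain:14} providers={providers}")
    print("single-provider domains:", single)
    print("blast radius by provider:", provider_exposure(SAMPLE_NS))
```

A domain with nameservers at two providers is only as resilient as its zone-synchronization arrangement (secondary DNS or dual-primary); the check above finds the obvious single points of failure, and the harder contractual work of keeping two providers in step is what the article means by trusted partnerships.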

The collaborative development of the Internet is the best example of complete autonomy, robustness and fragility. The 4th Industrial Revolution will require cooperation on security, risk mitigation, and shared utilities that benefit the next leg of infrastructure.

Unfortunately, systemic risks are already forming that may threaten free trade in technology as nations begin to plan for and impose restrictions to Internet access. A recent Bloomberg article lays bare the global divisions forming regionally as countries rethink an Open Internet amid political and security concerns.[15]

So why do we need a cognitive risk framework?

Cognitive risk management is a multidisciplinary focus on human behavior and the factors that enhance or detract from good outcomes. Existing risk frameworks tend to consider only the downside of human behavior, but human behavior is not one-dimensional and neither are the solutions. Paradoxically, cyber criminals are expert at exploiting trust in a digital environment and use a variety of methods (cognitive hacks) to change behavior in order to circumvent information security controls.

The simple answer is that cognitive risks are pervasive in all organizations but are too often ignored until it is too late, or not understood in the context of organizational performance. Cognitive risks are diverse and range from a toxic work environment, workplace bias and decision bias to strategic and organizational failure.[16][17][18] More recent research is starting to paint a more vivid picture of the role of human error in the workplace, but much of this research is largely ignored in existing risk practice.[19][20][21][22][23] A cognitive risk framework is needed to address the most challenging risk we face: the human mind.

A cognitive risk framework works just like digital transformation by breaking down the organizational boundaries that prevent optimal performance and risk reduction.

Redesigning risk management for the 4th Industrial Revolution!

The Cognitive Risk Framework for Cybersecurity and Enterprise Risk Management is a first attempt at developing a fluid set of pillars and practices that complement COSO ERM, ISO 31000, the NIST frameworks and other risk frameworks, with the human at the center. Each of the five pillars will be explored as a new model for resilience in the era of digital transformation.

It is time to humanize risk management!

A cognitive risk framework has five pillars. Subsequent articles will break down each of the five pillars to demonstrate how each pillar supports the other as the organization develops a more resilient approach to risk management.

The Five Pillars of a Cognitive Risk Framework include:

  • Cognitive Governance
  • Intentional Design
  • Risk Intelligence & Active Defense
  • Cognitive Security/Human Elements
  • Decision Support (situational awareness)

Lastly, as part of the roll out of a cognitive risk framework, I am conducting research at Columbia University’s School of Professional Studies to better understand advances in risk practice beyond existing risk frameworks. My goal, with your help, is to better understand how risk management practice is evolving across as many risk disciplines as possible. Participants in the survey will be given free access to the final report. An executive summary will be published with the findings. Contact me at jb4015@columbia.edu. Emails will be used only for the purpose of distributing the survey and its findings.


[1] https://robllewellyn.com/10-digital-transformation-risks/

[2] https://www.information-age.com/security-risks-in-digital-transformation-123478326/

[3] http://www.ists.dartmouth.edu/library/301.pdf

[4] https://www.csiac.org/journal-article/cyber-deception/

[5] https://www.amazon.com/Cognitive-Hack-Battleground-Cybersecurity-Internal/dp/149874981X

[6] https://www.csiac.org/journal-article/cyber-deception/

[7] https://www.lawfareblog.com/cyber-paradox-every-offensive-weapon-potential-chink-our-defense-and-vice-versa

[8] https://www.ibm.com/downloads/cas/GAVGOVNV

[9] https://news.un.org/en/story/2017/07/560922-half-all-countries-aware-lacking-national-plan-cybersecurity-un-agency-reports

[10] https://www.humanelementsecurity.com/content/Leadership.aspx

[11] http://aapa.files.cms-plus.com/SeminarPresentations/2016Seminars/2016SecurityIT/Lee%20Black.pdf

[12] https://www.wired.com/2016/10/internet-outage-ddos-dns-dyn/

[13] https://public-dns.info/nameserver/us.html

[14] https://en.wikipedia.org/wiki/List_of_managed_DNS_providers

[15] https://www.bloomberg.com/quicktake/how-u-s-china-tech-rivalry-looks-like-a-digital-cold-war?srnd=premium

[16] https://healthprep.com/articles/mental-health/types-workplace-bullies/?utm_source=google

[17] https://www.forbes.com/sites/amyanderson/2013/06/17/coping-in-a-toxic-work-environment/

[18] https://knowledge.wharton.upenn.edu/article/is-your-workplace-tough-or-is-it-toxic/

[19] https://www.robsonforensic.com/articles/human-error-expert-witness-human-factors

[20] https://rampages.us/srivera/2015/05/24/errors-in-human-inquiry/

[21] https://oxfordre.com/communication/view/10.1093/acrefore/9780190228613.001.0001/acrefore-9780190228613-e-283

[22] https://www.jstor.org/stable/1914185?seq=1#page_scan_tab_contents

[23] https://www.behavioraleconomics.com/resources/mini-encyclopedia-of-be/bounded-rationality/


Tags: Automation, cognitive hacks, Cognitive Risk Framework, COSO, Enterprise Risk Management (ERM)
James Bone

James Bone’s career has spanned 29 years of management, financial services and regulatory compliance risk experience with Frito-Lay, Inc., Abbott Labs, Merrill Lynch and Fidelity Investments. James founded Global Compliance Associates, LLC and TheGRCBlueBook in 2009 to consult with global professional services firms, private equity investors, and risk and compliance professionals seeking insights into governance, risk and compliance (“GRC”) leading practices and best-in-class vendors.
James is a frequent speaker at industry conferences and contributing writer for Compliance Week and Corporate Compliance Insights and serves as faculty presenter and independent consultant for several global consulting firms specializing in governance, risk and compliance, IT compliance and the GRC vendor market. James created TheGRCBlueBook.com to provide risk and compliance professionals with transparency into the GRC vendor marketplace by creating a forum for writing reviews on GRC products and sharing success stories on the risk practices that are most effective. James is currently attending Harvard Extension School for a Master of Arts in Management with an emphasis in accounting and finance. James received an honorary PhD in Letters from Drury University in Springfield, Missouri and is a member of the Breech Business School Hall of Fame as well as the Missouri Sports Hall of Fame. Having graduated from the Boston University Graduate School of Education, James received his M.Ed. in Management and Organizational Design in 1997 and a Bachelor of Arts in Business Administration from Drury University in 1980.  

Founded in 2010, CCI is the web’s premier global independent news source for compliance, ethics, risk and information security. 
© 2022 Corporate Compliance Insights