As we move into the 4th Industrial Revolution (4IR), risk management is poised to undergo a significant shift. James Bone asks whether traditional risk management is keeping pace. (Hint: it’s not.) What’s really needed is a new approach to thinking about risks.
Framing the problem
Organizations, generally speaking, have one foot firmly planted in the 19th century and the other foot racing toward the future. The World Economic Forum calls this time in history the 4th Industrial Revolution, a $100 trillion opportunity that represents the next generation of connected devices and autonomous systems needed to fuel a new leg of growth. Every revolution creates disruption, and this one will be no exception, including in how risks are managed.
The digital transformation underway is rewriting the rules of engagement.[1] The adoption of digital strategies implies disaggregation of business processes to third-party providers, vendors and data aggregators who collectively increase organizational exposure to potential failure in security and business continuity.[2] Reliance on third parties and sub-vendors extends the distance between customers and service providers, creating a “boundaryless” security environment. Traditional concepts of resiliency are challenged when what is considered a perimeter is as fluid as the disparate service providers cobbled together to serve different purposes. A single service provider may be robust in isolation but may become fragile during a crisis in connected networks.
Digital transformation is, by design, the act of breaking down boundaries in order to reduce the “friction” of doing business. Automation is enabling speed, efficiency, multilayered products and services all driven by higher computing power at lower prices. Digital Unicorns, evolving as 10- or 20-year “overnight success stories,” give the impression of endless opportunity, as do the capital returns from so many early stage tech firms that continue to drive rapid expansion in diverse digital strategies.
Thus far these risks have been fairly well managed, but with notable exceptions. Given this rapid change, it is reasonable to ask whether risk management is keeping pace as well. A simple case study may clarify the point and raise new questions.
In 2016, the US presidential election ushered in a new risk, a massive cognitive hack. Researchers at Dartmouth University’s Thayer School of Engineering developed the theory of cognitive hacking in 2003, although the technique has been around since the beginning of the internet.[3]
Cognitive hacks are designed to change the behavior and perception of the target of the attack. The use of a computer is optional in a cognitive hack. These hacks have been called phishing or social engineering attacks but these terms don’t fully explain the diversity of methods involved. Cognitive hacks are cheap, effective and used by nation states and amateurs alike. Generally speaking, “deception” in [defense or offense] on the internet is the least expensive and most effective approach to bypass or enhance security because humans are the softest target.[4]
In “Cognitive Hack,” one chapter, entitled “How to Hack an Election,” describes how cognitive hacks have been used in political campaigns around the world with great effect.[5] It is not surprising that it eventually made its way into American politics. The key point is that deception is a real risk that is growing in sophistication and effectiveness.[6]
In researching why information security risks continue to escalate, it became clear that a new framework for assessing risks in a digital environment required a radically new approach to thinking about risks. The escalation of cyber threats in the face of an onslaught of security spending and resources is called the Cyber Paradox.[7] We now know the root cause is the human/machine interaction, but sustainable solutions have been elusive.
Here is what we know: [Digital] risks thrive in diverse human behavior!
Some behaviors are predictable but evolve over time. Security methods that focus on behavioral analytics and defense have found success but are too reactive to provide assurance. One interesting finding noted that a focus on simplicity and good work relations plays a more effective role than technology solutions. In a recent 2019 study of cyber resilience, “infrastructure complexity was a net contributor to risks while the human elements of role alignment, collaboration, problem resolution and mature leadership played key roles in building cyber resilience.”[8]
In studying the phenomenon of how the human element contributes to risk, it became clear that risk professionals in the physical sciences were using these same insights of human behavior and cognition to mitigate risks to personal safety and enable better human performance.
Diverse industries, such as air travel, automotive, healthcare, smart phones and many others, have benefited from human element design to improve safety and create sustainable business models. However, the Crime as a Service (CaaS) model may be the best example of how organized criminals in the Dark Web work together with the best architects of CaaS products and services, making billions selling to a growing market of buyers.
The International Telecommunication Union (ITU) published its second Global Cybersecurity Index (GCI), which noted that approximately 38% of countries have a cybersecurity strategy and 12% of countries are considering a strategy for cybersecurity.[9]
The agency said more effort is needed in this critical area, particularly since it conveys that governments consider digital risks high priority. “Cybersecurity is an ecosystem where laws, organizations, skills, cooperation and technical implementation need to be in harmony to be most effective,” stated the report, adding that cybersecurity is “becoming more and more relevant in the minds of countries’ decision makers.”
Ironically, social networks in the Dark Web have proven to be more robust than billions in technology spending.
The formation of systemic risks in a broader digital economy will be defined by how well security professionals bridge 19th century vulnerabilities with next century business models. Automation will enable the transition but human behavior will determine the success or failure of the 4th Industrial Revolution.
A broader set of solutions is beyond the scope of this article; it will take a coordinated approach to make real progress.
The common denominator in all organizations is the human element, but we lack a formal approach to assess the transition from 19th century approaches to this new digital environment.[10] Not surprisingly, I am neither the first nor the last to consider the human element in cybersecurity, but I am convinced the solutions are not purely prescriptive in nature given the complexity of human behavior.
The assumption is humans will simply come along as they have so often in the past. Digital transformation will require a more thoughtful and nuanced approach to the human/machine interaction in a boundaryless security environment.
Cognitive hackers from the CIA, NSA & FBI agree that addressing the human element is the most effective approach.[11] A cognitive risk framework is designed to address the human element and enterprise risk management in broader ways than changing employee behavior. A cognitive risk framework is a fundamental shift in thinking about risk management and risk assessment and is ideally suited for the digital economy.
Technology is creating profound change in how business is conducted. The fragility in these new relationships is concentrated at the human/machine interaction. Email is just one of dozens of iterations of vulnerable endpoints inside and outside of organizations. Advanced analytics will play a critical role in security, but organizational situational awareness will require broader insights.
Recent examples include the 2017 distributed denial of service (DDoS) attack on Dyn, an Internet infrastructure company that provides Domain Name System (DNS) service to its customers.[12] A single service provider created unanticipated systemic risks across the East Coast.
DNS translates the domain name you type into your browser into the IP address of the site you are trying to reach.[13][14] A DDoS attack on a DNS provider prevents access to websites. Much of the East Coast was in a panic as the attack slowly spread. This is what happened to Amazon AWS, Twitter, Spotify, GitHub, Etsy, Vox, PayPal, Starbucks, Airbnb, Netflix and Reddit. In an unrelated event in 2013, Level 3 Communications experienced a fiber optic switch failure that resulted in millions of cable subscribers losing Internet service for a short time. The switch failure also impacted Facebook and Twitter, demonstrating how unexpected consequences must become part of the contingency playbook.
These risks are known but require complex arrangements that take time. These visible examples of bottlenecks in the network offer an opportunity to reduce fragility in the Internet; however, resilience on the Internet will require trusted partnerships to build robust networks beyond individual relationships.
The collaborative development of the Internet is the best example of complete autonomy, robustness and fragility. The 4th Industrial Revolution will require cooperation on security, risk mitigation, and shared utilities that benefit the next leg of infrastructure.
Unfortunately, systemic risks are already forming that may threaten free trade in technology as nations begin to plan for and impose restrictions to Internet access. A recent Bloomberg article lays bare the global divisions forming regionally as countries rethink an Open Internet amid political and security concerns.[15]
So why do we need a cognitive risk framework?
Cognitive risk management is a multidisciplinary focus on human behavior and the factors that enhance or detract from good outcomes. Existing risk frameworks tend to consider the downside of human behavior, but human behavior is not one-dimensional and neither are the solutions. Paradoxically, cyber criminals are expert at exploiting trust in a digital environment and use a variety of methods [cognitive hacks] to change behavior in order to circumvent information security controls.
A simple answer to why is that cognitive risks are pervasive in all organizations but too often are ignored until too late or not understood in the context of organizational performance. Cognitive risks are diverse and range from a toxic work environment, workplace bias and decision bias to strategic and organizational failure.[16][17][18] More recent research is starting to paint a more vivid picture of the role of human error in the workplace, but much of this research is largely ignored in existing risk practice.[19][20][21][22][23] A cognitive risk framework is needed to address the most challenging risk we face: the human mind!
A cognitive risk framework works just like digital transformation by breaking down the organizational boundaries that prevent optimal performance and risk reduction.
Redesigning risk management for the 4th Industrial Revolution!
The Cognitive Risk Framework for Cybersecurity and Enterprise Risk Management is a first attempt at developing a fluid set of pillars and practices to complement COSO ERM, ISO 31000, NIST and other risk frameworks with the human at the center. Each of the 5 Pillars will be explored as a new model for resilience in the era of digital transformation.
It is time to humanize risk management!
A cognitive risk framework has five pillars. Subsequent articles will break down each of the five pillars to demonstrate how each pillar supports the other as the organization develops a more resilient approach to risk management.
The Five Pillars of a Cognitive Risk Framework include:
- Cognitive Governance
- Intentional Design
- Risk Intelligence & Active Defense
- Cognitive Security/Human Elements
- Decision Support (situational awareness)
Lastly, as part of the rollout of a cognitive risk framework, I am conducting research at Columbia University’s School of Professional Studies to better understand advances in risk practice beyond existing risk frameworks. My goal, with your help, is to better understand how risk management practice is evolving across as many risk disciplines as possible. Participants in the survey will be given free access to the final report. An executive summary will be published with the findings. Contact me at jb4015@columbia.edu. Emails will be used only for the purpose of distributing the survey and its findings.
[1] https://robllewellyn.com/10-digital-transformation-risks/
[2] https://www.information-age.com/security-risks-in-digital-transformation-123478326/
[3] http://www.ists.dartmouth.edu/library/301.pdf
[4] https://www.csiac.org/journal-article/cyber-deception/
[5] https://www.amazon.com/Cognitive-Hack-Battleground-Cybersecurity-Internal/dp/149874981X
[6] https://www.csiac.org/journal-article/cyber-deception/
[7] https://www.lawfareblog.com/cyber-paradox-every-offensive-weapon-potential-chink-our-defense-and-vice-versa
[8] https://www.ibm.com/downloads/cas/GAVGOVNV
[9] https://news.un.org/en/story/2017/07/560922-half-all-countries-aware-lacking-national-plan-cybersecurity-un-agency-reports
[10] https://www.humanelementsecurity.com/content/Leadership.aspx
[11] http://aapa.files.cms-plus.com/SeminarPresentations/2016Seminars/2016SecurityIT/Lee%20Black.pdf
[12] https://www.wired.com/2016/10/internet-outage-ddos-dns-dyn/
[13] https://public-dns.info/nameserver/us.html
[14] https://en.wikipedia.org/wiki/List_of_managed_DNS_providers
[15] https://www.bloomberg.com/quicktake/how-u-s-china-tech-rivalry-looks-like-a-digital-cold-war?srnd=premium
[16] https://healthprep.com/articles/mental-health/types-workplace-bullies/?utm_source=google
[17] https://www.forbes.com/sites/amyanderson/2013/06/17/coping-in-a-toxic-work-environment/
[18] https://knowledge.wharton.upenn.edu/article/is-your-workplace-tough-or-is-it-toxic/
[19] https://www.robsonforensic.com/articles/human-error-expert-witness-human-factors
[20] https://rampages.us/srivera/2015/05/24/errors-in-human-inquiry/
[21] https://oxfordre.com/communication/view/10.1093/acrefore/9780190228613.001.0001/acrefore-9780190228613-e-283
[22] https://www.jstor.org/stable/1914185?seq=1#page_scan_tab_contents
[23] https://www.behavioraleconomics.com/resources/mini-encyclopedia-of-be/bounded-rationality/