Cybersecurity’s Human Factor: Lessons From the Pentagon

8/17/2019

David M. Upton, Christopher Kirchhoff, James A. (Sandy) Winnefeld Jr.

The vast majority of companies are more exposed to cyberattacks than they have to be. To close the gap in their security, CEOs can take a cue from the U.S. military. Once a vulnerable IT colossus, it is becoming an adroit operator of well-defended networks. Today the military can detect and remedy intrusions within hours, if not minutes. From September 2014 to June 2015 alone, it repelled more than 30 million known malicious attacks at the boundaries of its networks. Of the small number that did get through, fewer than 0.1% compromised systems in any way. Given the sophistication of the military’s cyberadversaries, that record is a significant feat.

hbr.org

David M. Upton is the American Standard Companies Professor of Operations Management at Oxford University’s Saïd Business School.

https://getpocket.com/redirect?url=https%3A%2F%2Fhbr.org%2F2015%2F09%2Fcybersecuritys-human-factor-lessons-from-the-pentagon

One key lesson of the military’s experience is that while technical upgrades are important, minimizing human error is even more crucial. Mistakes by network administrators and users—failures to patch vulnerabilities in legacy systems, misconfigured settings, violations of standard procedures—open the door to the overwhelming majority of successful attacks.

The military’s approach to addressing this dimension of security owes much to Admiral Hyman Rickover, the “Father of the Nuclear Navy.” In its more than 60 years of existence, the nuclear-propulsion program that he helped launch hasn’t suffered a single accident. Rickover focused intensely on the human factor, seeing to it that propulsion-plant operators aboard nuclear-powered vessels were rigorously trained to avoid mistakes and to detect and correct anomalies before they cascaded into serious malfunctions.

The U.S. Department of Defense has been steadily adopting protocols similar to Rickover’s in its fight to thwart attacks on its IT systems. Two of this article’s authors, Sandy Winnefeld and Christopher Kirchhoff, were deeply involved in those efforts. The article’s purpose is to share the department’s approach so that business leaders can apply it in their own organizations.

Like the Defense Department, companies are under constant bombardment from all types of sources: nation-states, criminal syndicates, cybervandals, intruders hired by unscrupulous competitors, disgruntled insiders. Thieves have stolen or compromised the credit-card or personal information of hundreds of millions of customers, including those of Sony, Target, Home Depot, Neiman Marcus, JPMorgan Chase, and Anthem. They’ve managed to steal proprietary information on oil and gas deposits from energy companies at the very moment geological surveys were completed. They’ve wiped negotiation strategies off internal corporate networks in the run-up to major deals, and weapons systems data from defense contractors. And over the past three years intrusions into critical U.S. infrastructure—systems that control operations in the chemical, electrical, water, and transport sectors—have increased 17-fold. It’s little wonder, then, that the U.S. government has made improving cybersecurity in both public and private sectors a national priority. But, as the recent hacking of the federal government’s Office of Personnel Management underscores, it is also a monumental challenge.

The Military’s Cyberjourney

Back in 2009, the Defense Department, like many companies today, was saddled with a vast array of disparate IT systems and security approaches. Each of its three military branches, four uniformed services, and nine unified combatant commands had long functioned as its own profit-and-loss center, with substantial discretion over its IT investments. Altogether, the department comprised 7 million devices operating across 15,000 network enclaves, all run by different system administrators, who configured their parts of the network to different standards. It was not a recipe for security or efficiency.

That year, recognizing both the opportunities of greater coherence and the need to stem the rise in harmful incidents, Robert Gates, then the secretary of defense, created the U.S. Cyber Command. It brought network operations across the entire .mil domain under the authority of one four-star officer. The department simultaneously began to consolidate its sprawling networks, collapsing the 15,000 systems into a single unified architecture called the Joint Information Environment. The work has been painstaking, but soon ships, submarines, satellites, spacecraft, planes, vehicles, weapons systems, and every unit in the military will be linked in a common command-and-control structure encompassing every communications device. What once was a jumble of more than 100,000 network administrators with different chains of command, standards, and protocols is evolving toward a tightly run cadre of elite network defenders.

At the same time, the U.S. Cyber Command has been upgrading the military’s technology. Sophisticated sensors, analytics, and consolidated “security stacks”—suites of equipment that perform a variety of functions, including big data analytics—are giving network administrators greater visibility than ever before. They can now quickly detect anomalies, determine if they pose a threat, and alter the network’s configuration in response.

The U.S. Department of Defense experiences 41M scans, probes, and attacks a month.

The interconnection of formerly separate networks does introduce new risks (say, that malware might spread across systems, or that a vulnerability in one system would allow someone to steal data from another). But these are greatly outweighed by the advantages: central monitoring, standardized defenses, easy updating, and instant reconfiguration in the event of an attack. (Classified networks are disconnected from unclassified networks, of course.)

However, unified architecture and state-of-the-art technology are only part of the answer. In nearly all penetrations on the .mil networks, people have been the weak link. The Islamic State briefly took control of the U.S. Central Command’s Twitter feed in 2015 by exploiting an individual account that had not been updated to dual-factor authentication, a basic measure requiring users to verify their identity by password plus a token number generator or encrypted chip. In 2013 a foreign nation went on a four-month spree inside the U.S. Navy’s unclassified network by exploiting a security flaw in a public-facing website that the navy’s IT experts knew about—but failed to fix. The most serious breach of a classified network occurred in 2008, when, in a violation of protocol, a member of the Central Command at a Middle Eastern base inserted a thumb drive loaded with malware directly into a secure desktop machine.

While the recent intrusions show that security today is by no means perfect, the human and technical performance of the military’s network administrators and users is far stronger by a number of measures than it was in 2009. One benchmark is the results of commands’ cybersecurity inspections, whose numbers have increased from 91 in 2011 to an expected 285 in 2015. Even though the grading criteria have become more stringent, the percentage of commands that received a passing grade—proving themselves “cyber-ready”—has risen from 79% in 2011 to over 96% this year.

Companies need to address the risk of human error too. Hackers penetrated JPMorgan Chase by exploiting a server whose security settings hadn’t been updated to dual-factor authentication. The exfiltration of 80 million personal records from the health insurer Anthem, in December 2014, was almost certainly the result of a “spear phishing” e-mail that compromised the credentials of a number of system administrators. These incidents underscore the fact that errors occur among both IT professionals and the broader workforce. Multiple studies show that the lion’s share of attacks can be prevented simply by patching known vulnerabilities and ensuring that security configurations are correctly set.

The clear lesson here is that people matter as much as, if not more than, technology. (Technology, in fact, can create a false sense of security.) Cyberdefenders need to create “high-reliability organizations”—by building an exceptional culture of high performance that consistently minimizes risk. “We have to get beyond focusing on just the tech piece here,” Admiral Mike Rogers, who oversees the U.S. Cyber Command, has said. “It’s about ethos. It’s about culture. [It’s about] how you man, train, and equip your organization, how you structure it, the operational concepts that you apply.”

The High-Reliability Organization

The concept of a high-reliability organization, or HRO, first emerged in enterprises where the consequences of a single error can be catastrophic. Take airlines, the air-traffic-control system, space flight, nuclear power plants, wildfire fighting, and high-speed rail. Within these highly technical operations, the interaction of systems, subsystems, human operators, and the external environment frequently gives rise to deviations that must be corrected before they become disastrous problems. These organizations are a far cry from continuously improving “lean” factories. Their operators and users don’t have the luxury of learning from their mistakes.

The annual global cost of cybercrime against consumers is $113B.

Safely operating technology that is inherently risky in a dangerous, complex environment takes more than investing in the best engineering and materials. High-reliability organizations possess a deep awareness of their own vulnerabilities, are profoundly committed to proven operational principles and high standards, clearly articulate accountability, and vigilantly probe for sources of failure.

The U.S. Navy’s nuclear-propulsion program is arguably the HRO with the longest track record. Running a nuclear reactor on a submarine deep in the ocean, out of communication with any technical assistance for long periods of time, is no small feat. Admiral Rickover drove a strict culture of excellence into each level of the organization. (So devoted was he to ensuring that only people who could handle such a culture entered the program that, during his 30 years at its helm, he personally interviewed every officer applying to join it—a practice that every one of his successors has continued.)

At the heart of that culture are six interconnected principles, which help the navy weed out and contain the impact of human error.

1. Integrity.

By this we mean a deeply internalized ideal that leads people, without exception, to eliminate “sins of commission” (deliberate departures from protocol) and own up immediately to mistakes. The nuclear navy inculcates it in people from day one, making it clear there are no second chances for lapses. Workers thus are not only unlikely to take shortcuts but also highly likely to notify supervisors of an error right away, so they can be corrected quickly and don’t necessitate lengthy investigations later—after a problem has occurred. Operators of propulsion plants faithfully report every anomaly that rises above a low threshold of seriousness to the program’s central technical headquarters. Commanding officers of vessels are held fully accountable for the health of their programs, including honesty in reporting.

2. Depth of knowledge.

If people thoroughly understand all aspects of a system—including the way it’s engineered, its vulnerabilities, and the procedures required to operate it—they’ll more readily recognize when something is wrong and handle any anomaly more effectively. In the nuclear navy, operators are rigorously trained before they ever put their hands on a real propulsion plant and are closely supervised until they’re proficient. Thereafter, they undergo periodic monitoring, hundreds of hours of additional training, and drills and testing. Ship captains are expected to regularly monitor the training and report on crew proficiency quarterly.

3. Procedural compliance.

On nuclear vessels, workers are required to know—or know where to find—proper operational procedures and to follow them to the letter. They’re also expected to recognize when a situation has eclipsed existing written procedures and new ones are called for.

One of the ways the nuclear navy maximizes compliance is through its extensive system of inspections. For instance, every warship periodically undergoes tough Operational Reactor Safeguards Examinations, which involve written tests, interviews, and observation of day-to-day operations and of responses to simulated emergencies. In addition, an inspector from the Naval Reactors regional office may walk aboard anytime a ship is in port, without advance notice, to observe ongoing power-plant operations and maintenance. The ship’s commanding officer is responsible for any discrepancies the inspector may find.

4. Forceful backup.

When a nuclear-propulsion plant is operating, the sailors who actually control it—even those who are highly experienced—are always closely monitored by senior personnel. Any action that presents a high risk to the system has to be performed by two people, not just one. And every member of the crew—even the most junior person—is empowered to stop a process when a problem arises.

5. A questioning attitude.

This is not easy to cultivate in an organization, especially one with a formal rank structure in which immediate compliance with orders is the norm. However, such a mindset is invaluable: If people are trained to listen to their internal alarm bells, search for the causes, and then take corrective action, the chances that they’ll forestall problems rise dramatically. Operators with questioning attitudes double- and triple-check work, remain alert for anomalies, and are never satisfied with a less-than-thorough answer. Simply asking why the hourly readings on one obscure instrument out of a hundred are changing in an abnormal way or why a network is exhibiting a certain behavior can prevent costly damage to the entire system.

6. Formality in communication.

To minimize the possibility that instructions are given or received incorrectly at critical moments, operators on nuclear vessels communicate in a prescribed manner. Those giving orders or instructions must state them clearly, and the recipients must repeat them back verbatim. Formality also means establishing an atmosphere of appropriate gravity by eliminating the small talk and personal familiarity that can lead to inattention, faulty assumptions, skipped steps, or other errors.

Cybersecurity breaches caused by human mistakes nearly always involve the violation of one or more of these six principles. Here’s a sample of some the Defense Department uncovered during routine testing exercises:

• A polite headquarters staff officer held the door for another officer, who was really an intruder carrying a fake identification card. Once inside, the intruder could have installed malware on the organization’s network. Principles violated: procedural compliance and a questioning attitude.

• A system administrator, surfing the web from his elevated account, which had fewer automatic restrictions, downloaded a popular video clip that was “viral” in more ways than one. Principles violated: integrity and procedural compliance.

• A staff officer clicked on a link in an e-mail promising discounts for online purchases, which was actually an attempt by the testers to plant a phishing back door on her workstation. Principles violated: a questioning attitude, depth of knowledge, and procedural compliance.

• A new network administrator installed an update without reading the implementation guide and with no supervision. As a result, previous security upgrades were “unpatched.” Principles violated: depth of knowledge, procedural compliance, and forceful backup.

• A network help desk reset a connection in an office without investigating why the connection had been deactivated in the first place—even though the reason might have been an automated shutdown to prevent the connection of an unauthorized computer or user. Principles violated: procedural compliance and a questioning attitude.

Creating a High-Reliability IT Organization

To be sure, every organization is different. So leaders need to account for two factors in designing the approach and timetable for turning their companies into cybersecure HROs. One is the type of business and its degree of vulnerability to attack. (Financial services, manufacturing, utilities, and large retail businesses are especially at risk.) Another is the nature of the workforce. A creative workforce made up predominantly of Millennials accustomed to working from home with online-collaboration tools presents a different challenge from sales or manufacturing employees accustomed to structured settings with lots of rules.

It’s easier to create a rule-bound culture for network administrators and cybersecurity personnel than it is for an entire workforce. Yet the latter is certainly possible, even if a company has a huge number of employees and an established culture. Witness the many companies that have successfully changed their cultures and operating approaches to increase quality, safety, and equal opportunity.

Whatever the dynamics of their organizations, leaders can implement a number of measures to embed the six principles in employees’ everyday routines.

Take charge.

A recent survey by Oxford University and the UK’s Centre for the Protection of the National Infrastructure found that concern for cybersecurity was significantly lower among managers inside the C-suite than among managers outside it. Such shortsightedness at the top is a serious problem, given the financial consequences of cyberattacks. In a 2014 study by the Ponemon Institute, the average annualized cost of cybercrime incurred by a benchmark sample of U.S. companies was $12.7 million, a 96% increase in five years. Meanwhile, the time it took to resolve a cyberattack had increased 33%, on average, and the average cost incurred to resolve a single attack totaled more than $1.6 million.

The reality is that if CEOs don’t take cybersecurity threats seriously, their organizations won’t either. You can bet that Gregg Steinhafel, who was ousted from Target in 2014 after cybercriminals stole its customers’ information, wishes he had.

Over the past 3 years, intrusions into critical U.S. infrastructure have increased 17x.

Chief executives know that consolidating their jumble of network systems, as the Defense Department has done, is important. But many are not moving fast enough—undoubtedly because this task can be massive and expensive. In addition to accelerating that effort, they must marshal their entire leadership team—technical and line management, and human resources—to make people, principles, and IT systems work together. Repeatedly emphasizing the importance of security issues is key. And CEOs should resist blanket assurances from CIOs who claim they’re already embracing high-reliability practices and say all that’s needed is an increase in the security budget or the newest security tools.

CEOs should ask themselves and their leadership teams tough questions about whether they’re doing everything possible to build and sustain an HRO culture. Are network administrators making sure that security functions in systems are turned on and up-to-date? How are spot audits on behavior conducted, and what happens if a significant lapse is found? What standardized training programs for the behavioral and technical aspects of cybersecurity are in place, and how frequently are those programs refreshed? Are the most important cybersecurity tasks, including the manipulation of settings that might expose the system, conducted formally, with the right kind of backup? In essence, CEOs must constantly ask what integrity, depth of knowledge, procedural compliance, forceful backup, a questioning attitude, and formality mean in their organizations. Meanwhile, boards of directors, in their oversight role, should ask whether management is adequately taking into account the human dimension of cyberdefense. (And indeed many are beginning to do this.)

Make everyone accountable.

Military commanders are now held responsible for good stewardship of information technology—and so is everyone all the way down the ranks. The Defense Department and the U.S. Cyber Command are establishing a reporting system that allows units to track their security violations and anomalies on a simple scorecard. Before, information about who committed an error and its seriousness was known only to system administrators, if it was tracked at all. Soon senior commanders will be able to monitor units’ performance in near real time, and that performance will be visible to people at much higher levels.

The goal is to make network security as much of an everyday priority for troops as keeping their rifles clean and operational. Every member of an armed service must know and comply with the basic rules of network hygiene, including those meant to prevent users from introducing potentially tainted hardware, downloading unauthorized software, accessing a website that could compromise networks, or falling prey to phishing e-mails. When a rule is broken, and especially if it’s a matter of integrity, commanders are expected to discipline the offender. And if a climate of complacency is found in a unit, the commander will be judged accordingly.

Companies should do likewise. While the same measures aren’t always available to them, all managers—from the CEO on down—should be responsible for ensuring their reports follow cybersafety practices. Managers should understand that they, along with the employees in question, will be held accountable. All members of the organization ought to recognize they are responsible for things they can control. This is not the norm in many companies.

Institute uniform standards and centrally managed training and certification.

The U.S. Cyber Command has developed standards to ensure that anyone operating or using a military network is certified to do so, meets specific criteria, and is retrained at appropriate intervals. Personnel on dedicated teams in charge of defending networks undergo extensive formal training. For these cyberprofessionals the Defense Department is moving toward the model established by the nuclear navy: classroom instruction, self-study, and at the end of the process, a formal graded examination. To build a broad and deep pipeline of defenders, the military academies require all attendees to take cybersecurity courses. Two academies offer a major degree in cyberoperations, and two offer minor degrees. All services now have schools for advanced training and specific career paths for cybersecurity specialists. The military is also incorporating cybersecurity into continuing education programs for all personnel.

Relatively few companies, in contrast, have rigorous cybertraining for the rank and file, and those that do rarely augment it with refresher courses or information sessions as new threats arise. Merely e-mailing employees about new risks doesn’t suffice. Nor does the common practice of requiring all employees to take an annual course that involves spending an hour or two reviewing digital policies, with a short quiz after each module.

Admittedly, more-intensive measures are time-consuming and a distraction from day-to-day business, but they’re imperative for companies of all sizes. They should be as robust as programs to enforce ethics and safety practices, and companies should track attendance. After all, it takes only one untrained person to cause a breach.

Couple formality with forceful backup.

In 2014 the U.S. military created a construct that spelled out in great detail its cyber-command-and-control structure, specifying who is in charge of what and at what level security configurations are managed and changed in response to security events. That clear framework of reporting and responsibilities is supported with an extra safeguard: When security updates on core portions of the Defense Department’s network are made or system administrators access areas where sensitive information is stored, a two-person rule is in effect. Both people must have their eyes on the task and agree that it was performed correctly. This adds an extra degree of reliability and dramatically reduces the risk of lone-wolf insider attacks.
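The two-person rule just described, as an added illustration rather than code from the article or from the Defense Department: a small Python gate that refuses to apply a change to a sensitive setting until a second, distinct, authorised person has looked at it and agreed, and that records every attempt for later spot audits. The setting names, the reviewer directory and the scenario in demo() are constructed.

```python
"""Two-person rule for privileged configuration changes (added example)."""
from dataclasses import dataclass, field

# Constructed: settings treated as "core", i.e. subject to the two-person rule.
SENSITIVE_SETTINGS = {"firewall.default_policy", "auth.mfa_required", "audit.forwarding"}

# Constructed: people allowed to act as the second person on a sensitive change.
AUTHORISED_REVIEWERS = {"admin_a", "admin_b", "admin_c"}


class PolicyViolation(Exception):
    """Raised when an action would bypass the two-person rule."""


@dataclass
class ChangeRequest:
    setting: str
    new_value: str
    requester: str
    verdicts: dict = field(default_factory=dict)   # reviewer -> True (agree) / False (object)
    audit: list = field(default_factory=list)      # plain-text trail for spot audits

    def needs_second_person(self) -> bool:
        return self.setting in SENSITIVE_SETTINGS

    def review(self, reviewer: str, agrees: bool) -> None:
        """Record an independent reviewer's verdict, enforcing separation of duties."""
        if reviewer == self.requester:
            raise PolicyViolation("the requester cannot act as the second person")
        if reviewer not in AUTHORISED_REVIEWERS:
            raise PolicyViolation(f"{reviewer!r} is not an authorised reviewer")
        if reviewer in self.verdicts:
            raise PolicyViolation(f"{reviewer!r} has already recorded a verdict")
        self.verdicts[reviewer] = agrees
        self.audit.append(f"{reviewer} {'agreed' if agrees else 'objected'}: "
                          f"{self.setting} -> {self.new_value}")

    def is_approved(self) -> bool:
        """Approved when no reviewer objected and at least one independent reviewer agreed."""
        if not self.needs_second_person():
            return True
        if any(not v for v in self.verdicts.values()):
            return False  # an objection blocks the change until it is resolved
        return any(self.verdicts.values())


def apply_change(config: dict, req: ChangeRequest) -> bool:
    """Apply req to config only if the two-person rule is satisfied.

    Returns True when the change was applied, False when it is still waiting
    for (or was blocked by) the second person. The config is never touched in
    the latter case, so a lone administrator cannot push a core change alone.
    """
    if not req.is_approved():
        req.audit.append(f"blocked: {req.setting} awaits independent agreement")
        return False
    config[req.setting] = req.new_value
    req.audit.append(f"applied by {req.requester}: {req.setting} = {req.new_value}")
    return True


def demo() -> dict:
    """Walk a constructed scenario through the gate; returns the final config."""
    config = {"auth.mfa_required": "true", "banner.text": "Welcome"}

    # 1. Non-core setting: one person suffices.
    banner = ChangeRequest("banner.text", "Authorised use only", requester="admin_a")
    apply_change(config, banner)

    # 2. Core setting: the requester alone is not enough; config stays unchanged.
    mfa = ChangeRequest("auth.mfa_required", "false", requester="admin_a")
    apply_change(config, mfa)

    # 3. Self-approval is refused outright and noted in the trail.
    try:
        mfa.review("admin_a", agrees=True)
    except PolicyViolation:
        mfa.audit.append("refused: self-approval attempt by admin_a")

    # 4. An independent reviewer objects, so the change remains blocked.
    mfa.review("admin_b", agrees=False)
    apply_change(config, mfa)

    return config
```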

The Department of Defense is consolidating 15,000 networks into a single unified architecture.

There’s no reason companies can’t also do these things. Most large firms have already aggressively pruned their lists of “privileged” system users and created processes for retracting the access rights of contractors leaving a project and employees leaving the firm. Midsize and smaller enterprises should do the same.

One form of backup can be provided by inexpensive, easy-to-install software that either warns employees when they’re transferring or downloading sensitive information or prevents them from doing it and then monitors their actions. Regularly reminding employees that their adherence to security rules is monitored will reinforce a culture of high reliability.

Check up on your defenses.

In June 2015 the U.S. Cyber Command and the Defense Department announced sweeping operational tests for both network administrators and users. The military also is establishing rigorous standards for cybersecurity inspections and tightly coordinating the teams that conduct them.

Companies should follow suit here as well. While many large firms do security audits, they often focus on networks’ vulnerability to external attacks and pay too little attention to employees’ behavior. CEOs should consider investing more in capabilities for testing operational IT practices and expanding the role of the internal audit function to include cybersecurity technology, practices, and culture. (External consultants also may provide this service.)

In addition to scheduled audits, firms should do random spot-checks. These are highly effective at countering the shortcuts and compromises that creep into the workplace—like transferring confidential material to an unsecured laptop to work on it at home, using public cloud services to exchange sensitive information, and sharing passwords with other employees. Such behavior is important to discover—and correct—before it results in a serious problem.

Eliminate fear of honesty and increase the consequences of dishonesty.

Leaders must treat unintentional, occasional errors as opportunities to correct the processes that allowed them to occur. However, they should give no second chances to people who intentionally violate standards and procedures. Edward Snowden was able to access classified information by convincing another civilian employee to enter his password into Snowden’s workstation. It was a major breach of protocol for which the employee was rightfully fired. It made many military leaders realize that an operational culture that stressed integrity, a questioning attitude, forceful backup, and procedural compliance could have created an environment in which Snowden would have been stopped cold. Such a breach of the rules would have been unthinkable in the reactor department of a navy vessel.

At the same time, employees should be encouraged to acknowledge their innocent mistakes. When nuclear-propulsion-plant operators discover a mistake, they’re conditioned to quickly reveal it to their supervisors. Similarly, a network user who inadvertently clicks on a suspicious e-mail or website should be conditioned to report it without fear of censure.

Finally, it should be easy for everyone throughout the organization to ask questions. Propulsion-plant operators are trained to immediately consult a supervisor when they encounter an unfamiliar situation they aren’t sure how to handle. Similarly, by ensuring that all employees can readily obtain help from a hotline or their managers, companies can reduce the temptation to guess or hope that a particular action will be safe.

Yes, we’re calling for a much more formal, regimented approach than many companies now employ. With cyberthreats posing a clear and present danger to individual companies and, by extension, the nation, there is no alternative. Rules and principles are needed to plug the many holes in America’s cyberdefenses.

Couldn’t companies just focus on protecting their crown jewels? No. First, that would mean multiple standards for cybersecurity, which would be difficult to manage and, therefore, hazardous. Second, the crown jewels often are not what you think they are. (One could argue that the leak of embarrassing e-mails was the most damaging aspect of North Korean hackers’ attack on Sony Pictures Entertainment.) Finally, hackers often can gain access to highly sensitive data or systems via a seemingly low-level system, like e-mail. A company needs a common approach to protecting all its data.

Technical Capability, Human Excellence

Over the past decade, network technology has evolved from a simple utility that could be taken for granted to an important yet vulnerable engine of operations, whose security is a top corporate priority. The soaring number of cyberattacks has made that abundantly clear. Technology alone cannot defend a network. Reducing human error is at least as important, if not more. Embracing the principles that an irascible admiral implanted in the nuclear navy more than 60 years ago is the way to do this. Building and nurturing a culture of high reliability will require the personal attention of CEOs and their boards as well as substantial investments in training and oversight. Cybersecurity won’t come cheap. But these investments must be made. The security and viability of companies—as well as the economies of the nations in which they do business—depend on it.