10 April 2009

Safety Awareness and Security Awareness

In my post Safety Hazards and Security Threats I discussed how safety hazards and security threats have many similarities. A new safety awareness presentation about the sinking of the MV Herald of Free Enterprise in 1987 provides a further analogy.

The MV Herald of Free Enterprise roll-on/roll-off (ro-ro) ferry was built in 1980 to operate on the short Dover (England) to Calais (France) route, but was moved to the much longer Dover to Zeebrugge (Belgium) Channel crossing. It capsized, killing 193 passengers and crew, after water entered through the bow doors, which had not been closed prior to departure.

The safety training material outlines lessons to be learned:

  • lack of procedures
  • lack of steady team structures and responsibility
  • reduced staff resources
  • inability to identify changed hazards
  • poor change management practices
  • reliance on a single layer of protection
  • creeping changes moved beyond design specification
  • insufficient monitoring
  • poorly designed controls
  • failure to implement controls
  • insufficient time to react to incident.

These points could equally have been written about a catastrophic network breach. Clearly most web servers don't have a direct impact on human life, unlike public transport, where safety risk analysis considers human lives to be valued at millions of pounds each. However, an organisation may not survive a significant data breach, and we can all learn lessons from other events such as this.

There can be a tendency to treat security as a "technical" issue, and specifically as an "IT issue". Most of the above lessons to be learned are not of the technical type. Focus on what will make a difference.

Further reading is available in "The MV Herald of Free Enterprise: Report of Court No. 8074", Department of Transport, Her Majesty's Stationery Office, ISBN 0 11 550828 7.

Posted on: 10 April 2009 at 10:42 hrs

© 2009-2012 clerkendweller.com