Today's heavy use and rapid development of information technology has made organizations more and more dependent on their information systems. As companies and organizations become more dependent on information technology, information security emerges as one of the most important concerns for a company to deal with. This heavy use of information technology has exposed many companies to information security threats. Every company whose business is based on information and communication technology should pay more attention to information security. Securing information and ICT is a critical and complex task that requires attention to both inside and outside threats and attacks. Integrated operations in our oil and gas company are used to monitor the system and to improve decision making and productivity; we also use the computer network for remote operation and communication, and this has become a big challenge for security management. Control, monitoring and communication systems should be secured against any possible threat or attack. Information security incidents can disturb the production process of the company. Any attack on the system can cause failure of the control system, stop communication and interrupt the monitoring process, and can have an impact on the Health, Safety and Environment (HSE) aspects that depend on reliable e-operation.
The performance of the company depends on its information security infrastructure. There are indicators that show growing vulnerabilities and threats. These indicators mean that without proper information security measures the company may lose the performance it has.
Mitigating information security threats and vulnerabilities is still a battle for every company. Good security infrastructure means good productivity for every company. Our company needs to pay more attention to information security in order to perform well in productivity. Safety and efficiency are the first priority of every company.
High reliability organizations
HRO (high reliability organization) is a very effective and efficient management mechanism within the organisation, and it is a security mechanism which gives an early warning of any possible incident in the organization. It is the application of the scientific theory of human behaviour to the planning, organization, deployment, leadership and control of human behaviour in order to improve the safety and reliability of the organization. Speaking about ICT and security in general, the human factor and human behaviour play a very important role in every organisation. A high reliability organization looks at the organization itself from the angle of organizational incidents and security incident management. High reliability organizations, safety management and effective management mechanisms have become an important part of the performance of the organisation. Organizational factors play a very important role in almost all accidents and are a critical part of understanding and preventing them. HRO oversimplifies the problems faced by technicians, engineers and organizations building safety-critical systems and infrastructure, and following some of its recommendations could lead to accidents. High reliability organizations are better at mitigating, preventing and responding to accidents and incidents than other organizational models, and can provide an early alert that signals us to take proper and effective response measures against any incident. When the system is complex, independent failure events and incidents cannot be predicted by the designers and operators of the system. While it is usually impossible to predict all accidents that could occur in complex systems, through analysis of the system hazards we can prevent potential accidents. There are also some ways to mitigate the consequences of incidents which do not require completeness in identifying potential causes.
According to Weick and Sutcliffe (2001) there are three forms of the unexpected: when an event or incident that was expected to happen fails to occur, when an event or incident that was not expected to happen does occur, and when an event or incident that was simply unthought of happens. Weick and Sutcliffe describe how to manage unexpected situations and discuss five principles as factors that organize an employee's mind, and what influence employees have if they take proper action and make the proper kind of decision.
These five principles of High Reliability Organizations are:
Preoccupation with failure
Reluctance to simplify
Sensitivity to operations
Commitment to resilience
Deference to expertise
Preoccupation with failure: High reliability organizations are preoccupied with failures. A failure occurs when something goes wrong. Failures can occur due to two things. First, failure occurs because employees did not pay attention to weak signals of failure, which can later cause major problems for the organization. Second, failure occurs due to strategies applied by the HRO which describe the mistakes that employees don't dare make. According to Weick and , high reliability systems should encourage employees to report errors and incidents and to talk about them in order to learn from them and not make the same errors in the future. Employees are highly sensitive about errors and mistakes, and they are afraid that the weakness will reflect on the organization, so that even for a small mistake they will be excluded from work. As long as there is no wrong, they can report mistakes at an early stage in order to give an early response. In a high reliability organization employees should constantly report errors to enable rapid response and avoid risk. An HRO should:
Make employees pay attention to early alerts of small errors
Encourage them to report the errors
Be worried that it could not catch everything
Try to avoid large errors with catastrophic consequences, but not forget to avoid small errors as well
Look for catastrophic incidents before they start, etc.
An HRO should understand past failures in order to be prepared for future incidents and keep the system from failing.
Reluctance to simplify: A high reliability organization supports simplification of the work process as a way to handle complex work by simplifying it, thus finding a convenient way of ignoring certain aspects and becoming more efficient and reliable. Simplifying work processes makes them easier and more desirable, but simplification has limits that should be taken into consideration, because undesirable situations can occur due to oversimplification. It is necessary to adjust the organization's activities by focusing on a specific problem and finding its solution. When we simplify our work we should always ask ourselves what we are missing due to over-simplification. This is not the KISS (Keep it simple, stupid) theory; we must always stay focused on the key issues and indicators and be prepared to manage the unexpected situation.
Sensitivity to operations: High reliability organizations are sensitive to operations and pay close attention to them. Paying attention to sensitive operations means that we are responsive to the reality inside our system. Being sensitive to operations means being aware of what is happening with the system. Recognizing and understanding an event or incident as something that has happened before should make us more concerned than comforted. The similarities between the present incident and the past could hide deeper differences that could be fatal for the system. Being sensitive to operations is about detecting these small differences.
Every small change in the operation deserves attention
We should continuously make adjustments to the system in order to prevent small errors in the present before they become fatal errors
We must notice any anomalies in the system and isolate them before they become catastrophic accidents, etc.
Commitment to resilience: Organizations not only try to avoid faults, they also try to prevent and forecast unexpected situations. Their existence depends on avoiding, detecting, preventing and forecasting the unexpected. Therefore, when a fault or an unexpected situation occurs they need to be prepared and to know how to respond to it. To be resilient means to be mindful that unexpected situations that have already occurred must be corrected before they worsen and cause more serious harm. A system is resilient if it experiences some failures but still avoids catastrophic failure. An organization's reliability depends on how well it is prepared to respond to unexpected or unpredictable situations. According to Weick and Sutcliffe resilience has three components:
Absorb strain and preserve function despite adversity
Maintain the ability to return to service from untoward events
Learn and grow from previous episodes
Deference to expertise: Leaders in HROs must accept insights and recommendations, and respond to insight from lower-level people and employees who have knowledge about the situation. The people who know exactly what happened in an unexpected situation and how processes really work need to be listened to, and their insight accepted, even if they have less organizational prestige. People who have important information about errors, faults, threats and failures, and who know about safety and quality, must have the opportunity to express their ideas and concerns about the situation, regardless of their position in the organization. Therefore, these experts from lower management who hold the exclusive knowledge about the situation need to be empowered to make quick and accurate important decisions. Decisions should be made by people who have the right knowledge for the problem, not by people who cannot guarantee a solution to the problem.
Small wins strategy
As we described in the background section, information security is becoming a major concern for every organization. According to Weick and Sutcliffe, for a reliable, secure, safe, resilient and mindful organization we need to implement the five principles: preoccupation with failure, reluctance to simplify, sensitivity to operations, commitment to resilience and deference to expertise. A high reliability system is a very effective and efficient management and security mechanism whose primary goal is to protect the organisation against threats and incidents. One of the most important parts of every organization and of HRO theory is controlling people's behaviour. People play a very important part, so the main focus of this theory is on people. The first principle describes incidents, errors, faults, etc., which can be mistakes of the employees, but which employees do not report because they are afraid that they will be fired. HRO encourages people to report every error or incident even if the incidents are caused by employees. In information security, organisations have established incident reporting systems to encourage their employees to report incidents. As we can see, HRO can improve security by making people aware that they should report every incident that occurs. The principles of simplification and sensitivity to operations describe how to simplify the work process and be sensitive to operations. Simplification is an important factor; although oversimplification can cause problems, simplification makes it much easier to find the solution. A simplified computer security infrastructure is important to have because it is easier to control, and for any incident it is easier to find the solution. HRO supports simplification of the work. Sensitivity to operations is very important in information security. Being sensitive to security incidents means being aware of what is happening in the system.
In case of a security incident it is important to recognise the incident and to be sensitive, because this will make us more concerned and make us look at and learn more from the incident in order to be prepared in the future. Sensitivity means being concerned about and prepared for every incident, and being more concerned if a similar incident happens again, because either there is a weakness in the system that allowed the same incident to occur, or there is a hidden deeper difference between the present incident and the past one that could be fatal for the system. The last principle is deference to expertise, which describes how important it is to accept the insight and expertise of lower-level staff. People who have knowledge and experience, in our case of security incidents and information security in general, need to have the attention of higher management. A good example of this principle is the case of working hard and working smart. If the security group of an organisation asks for more investment in security, the management should take it seriously into consideration, because as we know working hard is better-before-worse behaviour, and working smart is worse-before-better behaviour. In the case of working hard, performance will first improve but later it will start to decay, leading to an undesired behaviour which is a bad resilient state. In the case of working smart, performance will first deteriorate, but later it will lead to a desired behaviour. This is an example from the lectures in IMT4651. What I want to show with this example is that top management should listen to and accept the insight of people in low management who hold the exclusive knowledge of the problem or situation. This is the requirement of the last principle of HRO.
My conclusion for HRO principles as security improvement is that it is very important for every organisation to implement high reliability practices, because the main goal of these principles is people's behaviour, and by some authors people are often referred to as the weakest link in information security, but people are the most important factor and play a very important role in effective information security.