Crisis Management and the Error of the Third Kind: The Dangers of Solving the Wrong Problems Precisely

One of the most important but least known errors is the Error of the Third Kind, or E3 for short. E3 is the “error associated with solving the wrong problems precisely.” Indeed, what good does it do to get precise answers to the wrong problems? Not only is it a monumental waste of time and resources, but worst of all, by reaffirming false beliefs, it keeps one going down the “wrong path”. 

Given its importance, it’s disconcerting to say the least that E3 is rarely taught, if at all. Except for those that I’ve taught, I can’t name any other program in which the subject is broached. This is not to say that there are no discussions whatsoever of the various errors associated with problem solving, but that E3 is conspicuously absent.

In terms of Crisis Management (CM), E3 is especially important. The most prevalent error is preparing for a few highly select crises, separately and in isolation from one another, thereby not preparing for the full range of crises to which all organizations and institutions are now subject. It’s fundamentally due to not accepting the fact that no crisis ever happens in isolation. Every crisis is the end result of an out-of-control chain reaction of previous crises. Furthermore, unless one is prepared, the current crisis is capable of setting off a new chain reaction of other crises that are even more out-of-control.

Fundamentally, E3 is part of Denial. More often than not, it takes the form, “The worst will not happen to us so that there’s no need to think about it, let alone spend valuable time and resources on it.”

The following is the general set of crises with which the field began. Since the world is constantly adding new ones, the original list was notably lacking in Public Health crises:

  • Product recalls
  • Product / service tampering
  • Employee sabotage
  • Fires, explosions, chemical spills
  • Environmental disasters
  • Significant drop in revenues
  • Natural disasters
  • Loss of confidential/sensitive information
  • Major lawsuits 
  • Terrorist attacks 
  • Damage to corporate reputation

The Myers-Briggs Personality Typology Inventory (MBPTI) is especially helpful in gaining further insight into the nature of E3s. Essentially, E3 results from mistaking one’s preferred style of formulating and solving problems as the only acceptable way. 

Four of the MBPTI Types are particularly relevant: Sensing Thinking (ST for short), Intuitive Thinking (NT), Intuitive Feeling (NF), and finally Sensing Feeling (SF).

STs instinctively approach every situation by automatically breaking it down into its “key essential components,” and then by using impersonal modes of analysis (Logic, Statistics, etc.), to reach specific, detailed conclusions regarding the particular situation or issue at hand. In brief, something is a problem for STs if and only if it’s a technical problem in the narrowest sense such that not only does it have one and only one “right formulation,” but “one and only one right answer” as well.

NTs instinctively approach every situation by looking at the Big Picture, and thereby by considering as many different alternatives as possible. In short, something is a problem if and only if it’s an integral part of a whole System of problems.  

NFs also look at the Big Picture, but it’s not an impersonal one. Something is a problem if and only if it’s part of a whole body of personal problems that directly affect the lives and well-being of the entire communities in which people live and work.

SFs are concerned primarily with their immediate families and close friends. Everything else is too abstract and impersonal. Thus, something is a problem if and only if it directly affects the lives of the small group of people that matter most to them. 

In short, STs focus on specific technical problems separately and in isolation from one another. In sharp contrast, NTs not only focus on multiple perspectives and different versions of the “same problem,” but they pay special attention to the interconnections between problems. NFs also focus on multiple perspectives, but they are highly personal and social. They are concerned with the emotional health and well-being of entire communities. Finally, SFs focus on the emotional health and well-being of their immediate families and close friends.

With regard to CM, the primary tool of STs is Risk Assessment. That is, they rank various threats in terms of their likelihoods of occurrence and their consequences. Those that are high both in their likelihoods, and especially in their negative consequences, are given primary, if not sole, attention. Those that are low are not given any. In other words, a clear threshold is established below which threats are ignored. The problem—Error—is that those threats like 9/11 and January 6 which are regarded as low in their likelihoods of occurrence are extremely high in their negative consequences. Indeed, the crises we ignore are the ones most likely to come back and do the most damage.
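The threshold error described above can be made concrete with a small risk register. The following is an added example, not code from the original post: the threats, likelihoods and consequence scores are constructed sample values, and the function names (`threshold_ranking`, `consequence_aware_ranking`, `ignored_catastrophes`) are assumptions for illustration. It shows how a fixed likelihood threshold silently discards rare-but-catastrophic threats, and how ranking consequence first keeps them on the list.

```python
"""Risk-register ranking and the Error of the Third Kind (added example).

All register entries below are constructed sample data for illustration;
they are not figures from the original post.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: float   # estimated annual probability, 0.0 .. 1.0
    consequence: float  # impact on a 1 .. 10 scale (10 = catastrophic)


# Constructed sample register: three "ordinary" threats and two that are
# rare but devastating (hypothetical values).
REGISTER = [
    Threat("product recall", 0.30, 4),
    Threat("loss of confidential information", 0.20, 7),
    Threat("minor fire", 0.10, 3),
    Threat("terrorist attack on a facility", 0.01, 10),
    Threat("pandemic disrupting all operations", 0.02, 9),
]


def expected_loss(t: Threat) -> float:
    """Classic Risk Assessment score: likelihood multiplied by consequence."""
    return t.likelihood * t.consequence


def threshold_ranking(register, min_likelihood=0.05):
    """The ST-style approach the post describes: discard every threat whose
    likelihood falls below a fixed threshold, then rank what is left by
    expected loss. Anything below the threshold receives no attention."""
    kept = [t for t in register if t.likelihood >= min_likelihood]
    kept.sort(key=expected_loss, reverse=True)
    return [t.name for t in kept]


def consequence_aware_ranking(register, catastrophic=8):
    """Alternative: never drop a threat whose consequence is catastrophic.
    Catastrophic threats are ranked first (by expected loss among
    themselves), the rest follow by expected loss, so rare-but-devastating
    events stay visible to the planners."""
    ranked = sorted(
        register,
        key=lambda t: (t.consequence >= catastrophic, expected_loss(t)),
        reverse=True,
    )
    return [t.name for t in ranked]


def ignored_catastrophes(register, min_likelihood=0.05, catastrophic=8):
    """The E3 in one list: catastrophic threats that the threshold rule
    throws away because their likelihood looks too small to matter."""
    kept = set(threshold_ranking(register, min_likelihood))
    return [t.name for t in register
            if t.name not in kept and t.consequence >= catastrophic]


if __name__ == "__main__":
    print("Threshold ranking (threats below 5% likelihood ignored):")
    for name in threshold_ranking(REGISTER):
        print("  ", name)
    print("Catastrophic threats the threshold silently discarded:")
    for name in ignored_catastrophes(REGISTER):
        print("  ", name)
    print("Consequence-aware ranking:")
    for name in consequence_aware_ranking(REGISTER):
        print("  ", name)
```

Running it shows the threshold list containing only the three ordinary threats, with both catastrophic entries reported as discarded; the consequence-aware ranking places those two at the top. The point is not the particular numbers but that the choice of ranking rule, made before any analysis begins, decides which crises an organization will ever prepare for.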

It seems therefore that NTs and NFs are best positioned to avoid E3s altogether. And NTs do indeed avoid those E3s that focus narrowly on one or two crises at best. NFs avoid them as well, and are especially attuned to those that affect communities as a whole. Nonetheless, both are still subject to E3s in that they are often weak on dealing with the specific technical and personal details that are integral parts of all crises.

The moral is that all of the Types working together are needed to minimize E3s, and thus to prepare broadly for the full range of crises to which we are all increasingly subject. Anything less is the height of social irresponsibility.


Tearing Down the Walls: The Interdisciplinary Nature of Crisis Management

The late great distinguished Social Systems Thinker par excellence, Russell L. Ackoff said it best of all: “Nature is not organized in the same way that universities are.”

The fact that universities put Engineering and Physics in one part of their campuses and Psychology and Sociology, not to mention the Humanities, in other parts does not mean that they are separate in any way when it comes to the actual nature of the problems with which we are faced.

What’s sad is that fields that have the utmost bearing on one another generally operate as if they have nothing to do with each other.

I am constantly amazed that those who generally work on High Reliability Organizations or HROs not only fail to see the connections with Crisis Management (CM), but put it down. To be perfectly honest, those who work in CM often put down other fields as well.

HROs arose from studying those organizations, such as aircraft carriers and nuclear power plants, that cannot afford to have accidents of any kind, especially catastrophic ones. To its credit, the culture of HROs constantly stresses the need to be on continual alert for the precursors of accidents that can lead to unmitigated disasters, so that they can do everything possible to prevent them. The focus is primarily on the safe operation of known technologies. Unfortunately, it’s not equipped to handle newer technologies.

One would think that HROs—certainly those who study them—would give serious consideration to the array of crises that can lead to disasters. But no. The study of HROs and CM are generally regarded as two separate fields, a position with which I’m in the strongest possible disagreement. In my view, both have enormous contributions to make to one another. Even stronger, they’re fundamentally inseparable. The difficulty is that both essentially started independently of one another. As a result, they developed different followings both in and out of academia.

As one of the principal founders of the field of CM, I have to accept my share of the blame. Even though I tried to incorporate as many disciplines as I could, I should have reached out to even more.

The time is way beyond where we can continue to divide up the world into separate disciplines and professions. The world doesn’t work this way anymore, if it ever truly did.

Inter- and transdisciplinary thinking is far from a luxury. It’s absolutely essential if we are to survive.


Internal Assassin Teams: The Best Protection for Crises

While there are no sure-fire methods that will guarantee that one is prepared for any and all crises, Internal Assassin Teams are among the best of all of the known alternatives. At the same time, it’s also one of the hardest things to do emotionally, for it requires thinking of as many ways as possible in which one’s organization, institution, and society could be attacked by the worst of all imaginable means.

Years ago, in hopes of learning what drug companies were doing to protect themselves from Product Tampering, the major threat that perpetually hung over the entire industry, I visited a major pharmaceutical company. I asked the person who agreed to talk with me what they were doing to combat it. Given the 1982 poisonings of Tylenol capsules, which was the single event most responsible for starting the entire field of Crisis Management (CM), Product Tampering had only become even more important. 

Without hesitating at all, he said, “We’ve formed several Internal Assassin Teams.” To which I blurted out, “You did what?!”

(As an important aside, the teams varied according to the educational level of their members. Thus, some had members with no more than a high school education, while others had those with PhDs.)

“Yeah, one day we held up a bottle of one of our pain killers, and we looked at the cap as the front door of a house, and the sides as the walls. We then asked ourselves the hard question, ‘How could a burglar break in, remain undetected for as long as possible, and cause the most damage?’ We quickly learned that there were no sure-fire ways to keep a determined burglar out so that tamper-proof bottles were completely out of the question. The best we could come up with is tamper-evident seals so that if a bottle was compromised, a consumer would be alerted immediately.”

In the many years since, I’ve been able to use the Internal Assassin Team exercise with a very few organizations. Most do not want to go through an exercise that forces them to contemplate the worst that not only can, but most likely will, happen to them. In a nutshell, very few organizations can undertake such exercises. They certainly cannot do it entirely by themselves. They need the considerable help of outsiders who are not afraid to ask the most uncomfortable of questions. They also need them to take the heat for putting them through an emotionally trying exercise.

Can you imagine what might have happened if Facebook had used an Internal Assassin Team exercise prior to or soon after the launch of its “product”? Hopefully, it would have picked up on, and taken appropriate corrective action with regard to, its being used as a major vehicle for Cyberbullying, not to mention the spread of the worst conspiracy theories and dis- and misinformation.

The point is that the abuses, misuses, and unintended consequences of technology need to be viewed as different, distinct forms of Product Tampering. The category has been broadened by the nature and scope of technology itself. Indeed, the most onerous case is genetic modification. The worries are all too real that it can be used by nefarious actors to create half-human-like monsters. The body itself is thereby the “ultimate product that is ripe for tampering.”

Given the direct interference in our elections by foreign governments, the “body” is no less than the whole of society, the veritable “Body Politic!”

In brief, while Product Tampering is not the only kind of crisis for which one needs to be prepared, it’s one of the most universal. It applies to every organization, institution, and aspect of society.

In fact, with little modification, all of the other types of crises can be viewed as different, distinct types of Product Tampering. Thus, Ethical Breaches can be viewed as tampering with the Ethical and Moral foundations of an organization, institution, etc. 

In this regard, all of the various forms and types of crises can be reinterpreted as different ways of causing deliberate harm by altering the attributes of the environment, organizations, institutions, and whole societies. 

  • Product recalls/defective products 
  • Product/service tampering  
  • Employee sabotage/nefarious actors 
  • Fires/explosions/chemical spills
  • Environmental disasters/climate change 
  • Significant drop in revenues/financial 
  • Natural Hazards
  • Loss of confidential/sensitive information/privacy
  • Terrorism
  • Pandemics

In this way, Product Tampering is indeed the most universal type. And, while not perfect, Internal Assassin Teams are the best defense of which we know. 

Pogo’s words have never been more apt, “We’ve met the enemy, and he is us!” The only defense we have is Thinking the Unthinkable, and then doing everything we can to counteract it before someone does it to us!


The Key Role of Personality in Crisis Management

The Myers-Briggs Personality Framework, which is encapsulated in the Myers Briggs Typology Indicator or MBTI, is crucial to the understanding of Crisis Management (CM).

Before I begin, I need to acknowledge that the MBTI is not without substantial controversy. Its validity has been questioned repeatedly. In spite of this, its record is no less than any other personality framework in accounting for human behavior. Indeed, my colleagues and I have used it successfully for years in helping organizations cope better with the complex problems facing them.

The MBTI is based on the pioneering work of the Swiss Psychologist/Psychoanalyst Carl Jung. As a highly educated person of his time, Jung was well versed in European History, Literature, and Philosophy, to mention only a few of the many subjects in which he was knowledgeable. No matter what the particular subject matter with which he was familiar, Jung observed the same fundamental differences again and again with regard to how people approached their work. 

Two dimensions of the MBTI are key: (1) what people regard and thus take in as Information, and (2) the process they bring to bear to make decisions with regard to the Information that they have recognized as such. 

The first dimension is bounded by Sensing or S on the one end and Intuiting or N on the other. N is used for Intuiting because the letter I is already used for Introversion.

Sensing Types automatically prefer to break any and all situations down into their “essential components.” As such, they are Reductionists through and through. To be accepted as valid, things need to fit in standardized, well-recognized categories according to separate disciplines.

In sharp contrast, Intuitive Types are basically attuned to see the Big Picture and thus to make connections between things that on their surface are totally unrelated. 

The second dimension is bounded by Thinking or T at the one end and Feeling or F at the other.

Thinking Types automatically use impersonal modes of analysis such as Logic and Statistics in reaching important decisions. 

In sharp contrast, Feeling Types use their “personal likes and dislikes” in making important decisions. Although it’s especially sensitive to the emotional states of others, Feeling itself is not necessarily “emotional” for all of the Types can be highly emotional in defending their ways of perceiving and reacting to the world.

Combining the two dimensions in all possible ways results in the four basic Personality Types: (1) Sensing-Thinking or ST; (2) Intuitive-Thinking or NT; (3) Intuitive-Feeling or NF; and (4) Sensing-Feeling or SF.

STs are guided primarily in breaking things apart into their “essential components” and analyzing them separately in terms of standardized methods to reach well-validated conclusions. In this regard, Mathematics is the unequivocal standard. Starting from Primitive Truths whose veracity can’t be doubted, and using the accepted procedures of mathematical operations, one proves general theorems whose Truth is supposedly not in question.

NTs are not only guided by the Big Picture, but by using the broadest possible ways of looking at the world, in perpetual search for multiple and even conflicting Truths about any situation. In doing so, they are not ruled by what is acceptable given today’s knowledge, but in formulating new creative breakthroughs and insights. As such, they are not interested in theorems per se but in Wonder and Enlightenment. 

NFs are also guided by the Big Picture, but it’s not an impersonal one. Instead, they are concerned with improving the “General State of Humankind” as a whole.

Finally, SFs are concerned with the intimate details of their families and close personal friends. Humankind is too abstract a concept for them to take seriously.

While all of the Types are critical with regard to CM, NT and NF play leading roles. 

Given that no crisis is ever a single, well-defined, and isolated crisis, NT is critical. In brief, every crisis is part of a whole interrelated system of crises. Every crisis either sets off a chain reaction of other crises or it’s the result of previous ones. In reality, both happen at the same time, thus creating vicious feedback loops. In this way, the various Types of crises constantly reinforce one another and thus make it harder to cope.

NF plays an equally critical role. First of all, it’s needed to convince the members of an organization and its Stakeholders that they need a comprehensive program in CM. To do this, one needs to consider how the basic fears and anxieties of people regarding the crises they dread the most can be addressed, if not overcome. In this regard, Organizational Psychologists who are able to conduct realistic simulations that will give people a sense of the emotions they will feel in the heat of an actual crisis play a crucial role. 

ST plays an important role in ensuring that the innumerable details that crisis plans entail are carried out correctly and in time. It’s also needed to monitor the effectiveness of crisis plans and procedures.

Finally, SF is needed as well. One-on-one personal interviews on how individuals are coping are an absolute necessity. Led by trained facilitators, small groups are needed to provide serious and ongoing support to one another.

In sum, all of the Types need to play an integrated role in planning for and coping with crises. None of them can go it alone.


Digging Deeper: Crisis Management, A Special Form of Inquiry

Given that so much is riding on it, Crisis Management (CM) expressly calls for a special in-depth examination in terms of an Inquiring System, or IS. Basically, an IS is a systematic way of producing knowledge with respect to an important matter. Specifically, what ensures that an organization—let alone an entire society—will be adequately prepared for the worst possible crises that are increasingly likely in today’s complex and turbulent world?

The main features of an IS are as follows. 

Every IS starts with a preferred set of Inputs which it regards as the “basic Facts or elementary Truths of a situation.” The Inputs are thereby the essential starting points of Inquiry. An IS then Operates on the Inputs in such a way as to produce a set of Outputs which are regarded as the “deeper and more wide-ranging Truths of a problematic situation.” In many cases, the Outputs are the set of Actions one is strongly advised to take in order to cope more fully with the situation at hand. Lastly, the Guarantor is by far the most critical part of an IS. Its fundamental function is “to guarantee” that, starting with the “correct Inputs” and Operating on them in the “correct ways,” one will ultimately arrive at The Truth. In essence, the Guarantor ensures the validity of the End Results of an Inquiry.

With regard to CM, two ISs are operating in tandem. The first is the general IS that pertains to CM universally. The second is the specific IS that pertains to the crisis preparations of a specific organization.

The general IS is as follows. The Inputs are not only the full array of the basic Types of crises that are possible, but the basic facts associated with them. Namely, what is the frequency with which the various Types have occurred in a specified time, how and why they’ve occurred, and what are the forms they’ve assumed in various organizations and industries?

The Operator is the full set of actions that an organization needs to take Before, During, and After a crisis. To reiterate, the basic actions that need to be undertaken Before are these. One is the explicit consideration of how each of the known Types of crises can happen to an organization. Namely, what are the forms that they can assume such that they pose a serious threat? Another is what the organization can do to set up an appropriate series of mechanisms such that they will pick up the inevitable Early Warning Signals that generally precede all crises. In particular, what needs to be done to ensure that the bearers of bad news will be rewarded and “not killed”? Just as important, Crisis Management Teams (CMTs) that will meet regularly to assess the status of an organization’s crisis preparations need to be fashioned.

Since I’ve written about it in previous blogs, I will not detail the actions that need to be undertaken During a crisis. In brief, the CMT needs to meet as soon as possible to assess the full nature of a crisis, and especially what it needs to do to ensure the safety of its Stakeholders.

The basic task of After is to ensure that the correct lessons are learned so that the organization is better prepared for the next crisis.

The Output is the honest assessment of the true Crisis Preparedness of an organization, and what remains to be done to make it better prepared. 

Once again, the Guarantor is the most important component of all. Generally, it’s the underlying Culture of an organization. Namely, what does the organization truly value? Profits before people and safety? Are its actions in sync or out of sync with what it espouses? Does it require fundamental changes to be a Proactive Crisis Prepared organization? Is it prepared to undertake them? 

Fundamentally, the Guarantor is what has been learned from the best Proactive Crisis Prepared organizations.

In short, this is the general IS that pertains to CM universally. With regard to a particular organization, it’s its enactment of the general IS. Namely, it’s its track record with respect to its preparations and handling of previous crises. In particular, the Operator is an honest Audit of the Crisis Potential of an organization. The Output is the series of actions that need to be undertaken to help ensure that it’s Crisis Prepared.

In sum, the actions of organizations need to match the complexity of today’s world. In short, every organization is nothing less than a complex, messy system. It must therefore be treated as such. It’s the only true Guarantor that we have in coping with a world that grows more complex with every passing day.  


Crisis Audits: The Lifeblood of the Socially Responsible Organization

Crisis Audits are the foundation of the Socially Responsible Organization. They are fundamental in assessing the crisis potential of organizations. They are thereby the foundation upon which the Crisis Management (CM) plans and preparations of an organization are built.

Because they are so critical, they cannot be conducted by the members of an organization themselves. As a general rule, people only see the crises that are directly associated with their immediate jobs and positions, if they are able to see even them. Thus, even though one starts an audit by asking the open-ended question, “What is a crisis for your organization?”, the answers one gets are largely dependent on where one is, and what one does, in an organization. For this reason, it’s not advisable to give the respondents a general list of the different kinds of crises where they can then check off all those that they think apply to their organization. Instead, one wants to see what comes to their minds without being prompted.

After they have responded to what they believe is a crisis for their organization, follow-up questions probe for how well prepared they are to handle it.

It’s advisable to interview as many members of an organization as possible to get as accurate a picture as one can of the full range of crises to which they feel they are susceptible. This not only includes the top officers of an organization but those as far down as possible. The responses between them couldn’t be more different.

After having assured the respondents that everything they say will be treated in the strictest confidence, and that no names whatsoever will be attributed to anything that is said, those at the bottom are much more likely to be forthcoming about the potential for employee sabotage. They are also likely to be more forthcoming about sexual harassment, especially women respondents. They are equally likely to be sensitive to threats, real and imagined, between fellow workers, especially those directed upwards to their superiors. Unless they have strict assurances that they will not be punished for reporting their suspicions, let alone their direct observations, they will not report anything for fear of retaliation, either physical and/or the loss of their jobs. One of the best ways of assuring them that they will not be punished is anonymous tip lines. But this means that someone in the upper hierarchy—the most appropriate being the head of Human Relations (HR)—has given them their full support.

As a general rule, the heads of HR are concerned about the general morale and well-being of employees. They are also concerned about those who are most vulnerable to outside pressures that would cause them to engage in acts of internal sabotage. They worry constantly about disgruntled workers. 

The heads of Information Technology (IT) are primarily concerned about the general security of the organization’s proprietary information. They worry constantly about hackers. But most of all, they worry about potential alliances between insiders who know the system’s inner workings and outsiders who can link up with them and thereby do the most damage by exploiting its vulnerabilities.

The heads of Security are concerned primarily with the physical protection of an organization. How secure is the organization to persons gaining unauthorized entry?

The Chief Financial Officers (CFOs) are primarily interested in the financial health and well-being of the organization. How well are their stocks doing in markets around the world? Is the organization vulnerable to hostile takeovers? How well are they protected from insider-trading?

The Chief Legal Officers are concerned primarily about lawsuits, especially those without merit. In short, how do they protect their organizations against legal liability?

Finally, the Chief Executive Officers (CEOs) are concerned about the general reputation of the organization. They are equally concerned about unfair competition. And they are concerned about the loss of proprietary information that can pose major threats to their organizations as a whole. In this regard, they are especially concerned about the threats posed by foreign competition, particularly lower wage jobs. They are also focused on anything that can disrupt long-term strategic goals and objectives.

The one thing that emerges time and again from such audits is how virtually no one sees the full range of crises to which they are susceptible and thus prepares for them as a whole. Because no one sees the complete picture, they don’t see the interconnections between the various Types of crises, especially how any one of them can set off any of the others. Just as bad is the fact that the preparations for each of the crises that the various parties do acknowledge are at best fragmented and incomplete.

If this weren’t serious enough, it’s made worse by the fact that organizations are facing a whole new series of threats for which they are largely unprepared, if they’ve even given them any thought. Thus, few give serious thought to the unintended consequences of their products and services, manufacturing processes, technologies, and so forth. Likewise, few are prepared for how others will abuse and misuse their products and services for nefarious purposes. In addition, little if any thought is given to dis- and misinformation and how it could affect them. Virtually none is given to what happens if they themselves are the sources of dis- and misinformation.

By far, the biggest factor is the Culture of an organization. Does it truly value CM and thereby give it the importance it requires? Are the organization’s reward systems in sync with CM? Are the bearers of bad news rewarded or “killed”?

Is the organization even aware of how national and international crises such as Domestic Terrorism and Pandemics could affect them?

Without a doubt, the biggest and most difficult job of a Crisis Auditor is presenting the full picture of the crises that can affect an organization in such a way so as not to scare off the top executives who for one reason or another decided to do a Crisis Audit in the first place–the most prominent reason being that they’ve had a recent “near death experience.” Somehow or another, someone in authority has gotten the “light” that they need to assess their full vulnerabilities. 

In the end, one is playing a highly dangerous and tricky game. Is there time enough to allow people slowly to come to grips with the realities with which they are faced, while betting that the worst doesn’t happen to them in the interim?


Cybersecurity Crisis Management: What Can Go Wrong and How to Get It Right

by Natalia Smalyuk and Ian I. Mitroff

SolarWinds, the Colonial Pipeline, Canada Post. Hardly a week goes by without a massive hack hitting the headlines. The new pandemic of attacks, with threat actors targeting critical sectors, from public service to infrastructure to healthcare and the COVID-19 vaccine supply chain, not only looks like, but increasingly is, an actual cyber war. What’s changed the battlefield? What does it mean for organizations and their ability to protect themselves from such attacks and the crises they unleash? We asked this of crisis and security experts across industries to understand better what can go wrong and how to get it right. What emerged were nine common mistakes that organizations need to correct if they are to keep themselves safe and secure.

Not investing in cyber defense

According to the Cisco Security Outcomes Study: Endpoint Edition, over 40 per cent of organizations report having had a major security incident in the last two years. In the vast number of breaches, current protections were inadequate.

When a disastrous hack compromised thousands of organizations across the globe through a malicious code snuck into SolarWinds’ network-management software updates, the New York Times characterized SolarWinds as a “ripe target” for the assault due to its “dubious security precautions.” The company was criticized for its weak protections for passwords and for not having a Chief Information Security Officer. 

While organizations lag behind in their cyber defenses, the intruders are continually upping their game by exploiting system vulnerabilities. According to the 2021 IBM X-Force® Threat Intelligence Index, ransomware is the top threat, comprising 23 percent of all attacks. Traditional defenses, such as strong passwords, two-factor authentication, antivirus software and firewalls, are no longer enough. The shift to remote work brought on by the pandemic opened new doors for cyber criminals, as large numbers of employees began accessing tremendous amounts of data on a plethora of devices and cloud applications. The anticipated post-pandemic transition to hybrid workplaces will, no doubt, create new gaps. Heading into 2022, organizations should re-think the entire continuum of prevention, detection and mitigation to boost their resilience to cyberattacks.

Not having a cyber Crisis Management plan

According to the Gartner report, only 37 per cent of organizations have a response plan for cyber incidents. Relying on existing business continuity plans to weather security breaches is a common mistake. In brief, hacks are a fundamentally different kind of “animal” than fires or floods. Outside of IT, the technicalities are poorly understood by other groups, not to mention the general public. Substantial unknowns make it difficult to communicate regarding a breach because investigating the scale, impacts, and root causes may take days or even months. Human factors, such as the risk of exposing personal information and the role of malicious actors, coupled with privacy acts, complex notification procedures, and public disclosure protocols in different jurisdictions, make it particularly challenging. “Borders have disappeared when it comes to data, but not the privacy laws that govern it,” says Brent Arnold, a cybersecurity leader at the law firm Gowling WLG. Finally, hackers may well sneak into the very channels that enable crisis communication. Maersk, a victim of the NotPetya ransomware attack, left its stakeholders in the dark when its systems went down.

All of this requires new crisis plans and thinking that deal specifically with cyber events, starting with an audit of a company’s risk profile and its vulnerabilities to various kinds of attacks. Potential crises can then be classified based on the level of threat they pose to an organization and its stakeholders. Special attention needs to be paid to what can be done to bolster prevention, detection, and response plans for each of the key types of crises. Unfortunately, those crises that are classified as low threats often have an uncanny way of doing great damage. They are ignored at our peril.

Not updating a cyber Crisis Management plan

A list of the different types of cyber crises is never complete. New types and subtypes are constantly emerging. For example, ransomware attackers adopted big game hunting and double extortion tactics, combining data encryption with threats to leak sensitive data on public sites. X-Force discovered intruders who were using targeted spear phishing campaigns against manufacturing businesses and NGOs involved in the vaccine supply chain for COVID-19. To stay ahead of their adversaries, organizations constantly need to monitor trends and to update their cyber crisis plans on a regular basis – ideally, every quarter, at the very least twice a year. 

Unfortunately, far too many consider such exercises a waste of time and money. If a threat scenario has not materialized recently, they deem it not worth the investment of resources. The problem with this “logic” is that it leaves an organization especially vulnerable to cyber crises and their disastrous costs. Preventing a breach – or mitigating it effectively – is far cheaper than dealing with a full-blown catastrophe. According to IBM, the global average cost of a data breach in 2020 was $3.86 million, with the healthcare sector having the highest industry cost, at $7.13 million.

Not thinking about crises systematically

Organizations tend to view cyber readiness as an issue for IT only. As a result, they don’t look at all of the factors that can lead to a breach, let alone those that can result from it. Indeed, it’s left primarily to engineers to create a secure cyber architecture. But true resilience requires true interdisciplinary cooperation. For this reason, Mitroff has argued that every serious crisis is a “wicked mess” – a phenomenon described by the eminent social systems scientist Russell Ackoff as a system of highly interactive problems. In a “wicked mess,” seemingly unrelated or improbable events collide to create an even bigger mess. The right solutions may seem obvious in hindsight, but in real time, organizations struggle to cope as best they can. For example, when the COVID-19 pandemic hit, many organizations had lax policies for remote work. Again, in hindsight, it’s easy to say that they should have prioritized cyber security.

Wicked messes require that they be viewed from multiple perspectives. The problem is that it takes a lot of collaboration to do so. Traditionally, organizations include the heads of IT, security, operations, finance, human resources, legal and public relations in their crisis teams. Some add their CEOs, board members, and government affairs experts. However, core teams also need to build relationships with their key partners, who need to be brought in Before, During, and After crises. These include experts in cyber defense, threat intelligence, digital forensics, cyber insurance and legal services. Lines of communication with third parties and suppliers are highly recommended as well.

Not thinking about the continuum of “Before,” “During” and “After” cyber events

In many ways, crises are comparable to icebergs. To be sure, the crisis is “visible” when it “hits the fan.” But most of the time, crises lie beneath the surface. Unfortunately, stakeholders don’t just see the tip of the iceberg alone. They see the disastrous chain reactions that result from the initial crises. For example, a malware attack on a supplier impacted 44 of Canada Post’s biggest corporate customers, and potentially up to one million Canadians. 

The best way to address the Before phase of Crisis Management is by having explicit conversations with third parties about their cyber practices and adding joint crisis planning to contracts. (In brief, the Before phase includes all the things that need to be done before a crisis occurs to make an organization better prepared to handle it when it does occur, and even better, to help prevent it.)

The lessons that need to be learned after each breach need to serve as the basis for updated crisis plans. However, without an effective investigation, the causes of an incident cannot be understood, and therefore security breaches will continue to blindside an organization. This is where the After phase of Crisis Management morphs into the Before and During phases. Both are integral parts of Proactive Crisis Management. It also consists of learning from what happened in other organizations and contexts. For example, when the U.S. health insurer Anthem disclosed that hackers had potentially stolen the records containing the highly personal information of 80 million customers, the lesson for organizations across industries was that encryption was essential in order to protect sensitive data. 

Not acting on early warning signals

Unfortunately, cyberattacks now happen frequently, often lasting over extended periods of time. While delays in detection make them difficult to manage and communicate, once again, stakeholders press for immediate answers. How bad is it? What took you so long to report the breach? Why did it happen in the first place? When Target’s payment and card readers were infected in 2013, critics speculated that the retailer either didn’t know how to use its FireEye malware detection data or neglected to report the breach.

To add insult to injury, organizations often learn they have been compromised from outside sources – customers, partners, journalists, social media, authorities, or attackers themselves. Home Depot wasn’t aware that its payment systems had been breached until it was notified by banks and law enforcement. Looking proactively for red flags, such as bad actors, irregular behaviors, unplanned updates, and unauthorized configuration changes, goes a long way in early detection and the mitigation of potential attacks. That’s why the design and deployment of effective warning systems is a critical part of Before. 

Not conducting a deep assumptional analysis 

The history of technology shows time and time again that innovators don’t consider all the uses, misuses, and abuses of their creations, let alone their unintended consequences. The default assumption is that consumers are responsible and reasonably intelligent. They will not exploit technology for nefarious purposes. Facebook’s proclaimed mission is to give people the power to build community and bring the world closer together. Sadly, Facebook’s platform also served as a prime vehicle for cyberbullying, spreading disinformation, hate speech, and fake news.

To uncover an organization’s weaknesses and inherent flaws, leaders need to surface and challenge the critical assumptions that underlie important decisions and plans.

One of the best ways of doing this is by assigning red teams – or “hackers for hire” – to poke holes in an organization’s cyber architecture and thus to understand how it can be exploited by criminals. Mitroff recommends going even further by digging down into the assumptions of cyber adversaries by means of what are known as “internal assassin teams.” For example, it’s known that ransomware attackers, such as Sodinokibi, went after law firms in 2020. If law firms thought like “assassins,” they could hopefully have anticipated such threats. Namely, “They’ll pay ransoms because they don’t want us to leak the secrets of their high-profile clients.” Law firms could thereby have counter-attacked by encrypting sensitive data.

Not stress-testing crisis plans

Those who’ve been through major crises often use the same words to describe their experience as soldiers who’ve been thrown into battle. How many times have we heard that “being in a crisis is tantamount to being in a war”? Sophisticated hacker attacks are, indeed, a new battleground, and one for which we shouldn’t send soldiers without giving them basic training. “Battle readiness” is built through regular drills. Without them, crisis plans provide little more than a false sense of security. Regular decision exercises and scenario simulations test cyber defenses to pinpoint gaps and build coping strategies that are essential to persevering under extreme stress. Case studies train participants to think outside rigid rules when dealing with the evolving patterns of risk and the messy realities of crises.

Cyber awareness and crisis training should not stop with the formation of Crisis Management Teams. In fact, the biggest security risk in organizations is the errors or misbehaviors of ordinary employees. Confidential documents can easily be sent to the wrong parties. Key employees can lose their laptops, open phishing emails, or let outsiders use their log-ins. While these cannot be eliminated entirely, they can be mitigated by means of enterprise-wide cyber security training and “how-not-to” war stories. 

Misjudging reputational risk

Crisis communicators run into many “what-if” dilemmas where they are damned if they do and damned if they don’t. Investigations can take months, if not years, but stakeholders want answers now. What, if anything, can the organization tell them and when? What if, by breaking bad news, it sets off a perceptual crisis of its own making? FireEye was praised for admitting its SolarWinds breach in a blog post detailing the incident and the company’s response, but others targeted in the same attack chose to wait and see.

Going silent and acting as if nothing happened is an all-too-common mistake. The Deloitte hack was first made public by the Guardian rather than by the company itself. Observers speculated that the delay in communication may have led a whistleblower to contact the newspaper. While it’s only natural for companies to feel that they need to confirm the facts and solve problems before disclosing them to the world, stakeholders favor those organizations that take full responsibility, communicate early, and show empathy. Uber failed to report a security incident and was forced to pay $148 million to settle claims over the alleged cover-up of a 2016 data breach where hackers stole personal information of 25 million customers and drivers in the U.S.

As the saying goes, the best defense is offense. Cyber-resilient organizations act, not react. To win an invisible war, they study their adversaries, anticipate their moves, and attack – and thus expose – their own vulnerabilities before hackers do.

____________

Ian I. Mitroff is credited as one of the founders of the modern field of Crisis Management. He has a BS, MS and PhD in Engineering and the Philosophy of Social Systems Science from the University of California, Berkeley. He is Professor Emeritus from the Marshall School of Business and the Annenberg School of Communication at the University of Southern California. Currently, Mitroff is a Senior Research Affiliate in the Center for Catastrophic Risk Management, UC Berkeley, which brings together Crisis Management leaders from diverse industries to exchange their learnings and best practices. He has published over 40 books. 

Natalia Smalyuk, MBA, MA, is an award-winning communications strategist with a focus on crisis and reputation management. With a passion for helping people and organizations fulfil their missions and live their dreams, Smalyuk believes there’s no such thing as “business as usual.” Known for her ability to dig into the issues from a 30,000-feet-view right to the core to unpack insights and paths to value creation, she quickly zeroes in on the real problem. And the real story. Her firm NBAU Consulting offers crisis leadership consulting and training to guide organizations through adversity and build resilience.


A Pandemic of Ignorance and Obfuscation: Why We Repeatedly Fail to Heed the Serious Warning Signs of Major Crises

By Ian I Mitroff and John Radke
Center for Catastrophic Risk Management, UC Berkeley

A front-page article in the Monday, March 30, 2020 edition of The New York Times is nothing less than devastating: The “Fail-Safe System that the Chinese set up to warn them of major pandemics failed miserably because it was blocked by local Party Officials.”[i] Chinese doctors in Wuhan who saw the first signs of the Coronavirus were prevented by local government officials from passing critical information on to Beijing because they feared that top officials didn’t want to “hear bad news.” Thus, in order to save their jobs, they not only failed to protect their own country, but the entire world. There’s no better example of the messengers of bad news shooting themselves!

We are no less guilty of not wanting to hear bad news. As early as 2017, Dr. Anthony Fauci was warning of the serious possibility of a major Pandemic and thus of the need to make substantial preparations to weather the worst. Indeed, Infectious Disease Experts have in fact sounded similar alarms for years. Even though they were brought repeatedly to the attention of President Trump, he deliberately ignored the warnings time and again. After all, in his “tremendous mind,” the Virus was nothing more serious than the flu. And, wasn’t the stock market more important, certainly to his reelection? The delays in responding put us in the dire position of reacting to the crisis, making it virtually impossible to get out in front and take control.

If the Early Warning Signals that precede all crises are picked up and acted upon in a timely manner, then many crises can be prevented before they happen, the best possible form of Crisis Management. Unfortunately, more often than not, the Signals are blocked because people don’t want to hear bad news, let alone take action. The crucial point is that to pick up on the impending signals of a crisis, one has to acknowledge the serious possibility of it in the first place.

Since its founding in 2005 after Hurricane Katrina, as members of the Center for Catastrophic Risk Management at the University of California Berkeley, we have sat through scores of presentations by representatives of virtually every industry, organization, academic discipline, and profession. As a general rule, they are prepared for a very limited, narrow set of crises. For example, since they experience major fires and explosions all the time, one does not have to prod the members of the Oil and Gas Industry to prepare for them. But the same is generally not the case when it comes to other types of crises.

Mitroff recalls vividly the time he was working with a major Oil Company and was doing his best to get them to prepare for a broad array of crises. When it came to the category of Product Tampering, they automatically excluded it as a major possibility because, in their words, “We’re not in the business of manufacturing or selling consumer goods and products.” When Mitroff pointed out that the mini-marts which carried food and a host of other items were a prominent part of their gas stations, then and only then did the proverbial light go on. They were not only subject to Product Tampering, but to all of the known and unknown types of crises.

As one of the principal founders of the modern field of Crisis Management, Mitroff and his colleagues have been studying and consulting with major organizations for nearly 40 years regarding their crisis plans and preparations.

And as one of the longtime analysts in Geographic Information Science, Radke has pioneered its use in modeling major wild fires and flood events throughout the state of California and elsewhere. GIS is a critical tool in determining the location and spread of wild fires and therefore how best to mitigate and deploy resources when they occur.

As a result of our work, we’ve been able to see what the best, Proactive, Crisis Prepared Organizations do before, during, and after major crises. In brief, they embrace five core principles:

  1. Everything is connected to everything else, so think and act systemically.
  2. The crises that one believes are the most unlikely to occur are precisely those that need special attention.
  3. Without becoming mired in hopelessness and despair, constantly think and prepare for the worst.
  4. Reward, and most of all, do not punish, the bearers of bad news.
  5. Every crisis is a special opportunity to learn what to do better in advance of the next ones that are guaranteed to occur.

First and foremost, no single crisis ever occurs in isolation. Every crisis is connected to a multitude of others in a myriad of ways. Unless one is prepared for multiple crises, every crisis sets off an uncontrolled chain reaction of even worse ones.

The Coronavirus is one of the most dreadful illustrations of the principle. Primarily, the Virus is of course an unruly Global Pandemic. At the same time, it has spawned not only a major Financial Crisis but a serious Credibility Crisis. With his constant falsehoods, outright lies, and ill-advised actions in cutting back the budgets of the nation’s chief Public Health Agencies, the President bears major blame for the crisis spiraling out of control. Both the President’s and the government’s actions and inactions have seriously hampered our ability to be prepared and respond appropriately. Refusing to accept help from the World Health Organization only increased our inability to test hundreds of thousands who were potentially infected, thus furthering the spread of the virus. By not taking quick and decisive action—indeed, once again, punishing those who sounded the first signals of the deadly virus—the credibility of China has been seriously damaged as well. Trust in Governments worldwide, which is always precarious, has plummeted. It’s been further weakened by Social Isolation and the closing down of virtually all public spaces, further exacerbating the Economic Crisis.

To the best of our knowledge, no one simulated and thus warned of the multiple intersecting crises that are the essence of the Virus.

While not perfect, the best organizations actively prepare for a whole slate of crises, such as Product Defects in the case of flawed face masks. We’ve already mentioned major Financial and PR, or Credibility, Crises. Since it is humans, not Nature, who make the critical decisions about where to build houses and other structures and to what standards and codes, Natural Disasters are better thought of as Natural Hazards. In other words, they become Disasters due to the actions and/or inactions of humans. In this regard, the homeless are especially vulnerable, as are older people with preexisting conditions. Technology plays a major role, especially with regard to the potential spread of Dis- and Misinformation, leading back again to who and what one can Trust. These do not exhaust the full range of possible types, but they are sufficient to illustrate the main point that it is never enough to plan for one and only one type of crisis.

The end result is that Worst-Case Scenarios are the very foundation of Crisis Prepared Organizations. To reiterate, Public Health Officials have known for years that we were due for a Major Pandemic. Where, when, and how, and what form it would take, were of course problematic, but its occurrence was considered to be just a matter of time.

We know of two organizations that show unequivocally that it is possible to make thinking about the worst an integral part of their everyday operations. One uses in-house Internal Assassin Teams to attack and thereby find weaknesses in their products and manufacturing processes. The other uses a Chaos Team to do the same. In each case, they assume that they are in a perfect position to attack their products and processes because “they know more than anyone else about them.” In short, they are supremely Proactive.

In sum, Crisis Preparedness does not happen by itself. It has to be part of a deliberate organizational strategy to Think the Unthinkable and to do everything in one’s power to thwart it before it happens.

If any good comes out of this terrible tragedy, we hope fervently that it will be a renewed understanding of the extreme importance of Proactive Crisis Management. No organization or society can prosper, let alone survive, without it.


This essay is adapted in part from Techlash: The Future of the Socially Responsible Tech Organization, Springer, New York, 2020.

[i] Steven Lee Myers, “China Had a Fail-Safe Way to Track Contagions. Officials Failed to Use It,” The New York Times, Monday, March 30, 2020, pp. A1, A10-11.



Proactive Crisis Management: Learning from the Best

As one of the principal founders of the modern field of Crisis Management, my colleagues and I have been studying and consulting with major organizations for nearly 40 years regarding their crisis plans and preparations. We’ve been privileged to see what the best, Proactive, Crisis Prepared Organizations do before, during, and after major crises.

They embrace five core principles: 1. Everything is connected to everything else so think and act systemically. 2. The crises that one believes are the most unlikely to occur are precisely those that need special attention. 3. Without becoming mired in hopelessness and despair, constantly think and prepare for the worst. 4. Reward, don’t punish the bearers of bad news. 5. Every crisis is a special opportunity to learn what to do better in advance of the next ones that are guaranteed to occur.

First and foremost, they have learned that no single crisis ever occurs in isolation. Every crisis is connected to every other. Unless one is prepared, every crisis is capable of setting off an uncontrolled chain reaction of even worse ones.

The Coronavirus is one of the most dreadful imaginable. Principally, it’s of course an unruly Global Pandemic. At the same time, it has spawned not only a major Financial Crisis but a serious Credibility Crisis. With his constant falsehoods, outright lies, and his ill-advised actions in cutting back the budgets of the nation’s chief Public Health Agencies, the President bears major blame for the crisis spiraling out of control. Both the President’s actions and inactions have seriously hampered our ability to be prepared and respond appropriately. Refusing to accept help from the World Health Organization only increased our inability to test hundreds of thousands who were potentially infected, thus furthering the spread of the virus. By not taking quick and decisive action—indeed, punishing those who sounded the first signals of the deadly virus—the credibility of China has been seriously damaged as well. Trust in Governments worldwide, which is always precarious, has plummeted. It’s been further weakened by Social Isolation and the closing down of virtually all public spaces, further exacerbating the Economic Crisis.

While not perfect, the best organizations actively prepare for a whole host of crises, such as Product Defects in the case of flawed face masks, especially where they are intentionally altered by Nefarious Actors who are out to cause as much harm as possible. I’ve already mentioned major Financial and PR, or Credibility, Crises. Since it’s humans, not Mother Nature, who make the critical decisions about where to build houses and other structures and to what standards and codes, Natural Disasters are better thought of as Natural Hazards. In other words, they become Disasters due to the actions and/or inactions of humans. In this regard, the homeless are especially vulnerable, as are older people with preexisting conditions. Technology plays a major role, especially in the potential spread of Dis- and Misinformation, leading back again to who and what one can Trust. These do not exhaust the full range of possible types, but they are sufficient to illustrate the main point that it’s never enough to plan for one and only one type of crisis.

The end result is that Worst-Case Scenarios are the very foundation of Crisis Prepared Organizations. For instance, Public Health Officials have known for years that we were due for a Major Pandemic. Where, when, and how, and what form it would take, were of course problematic, but its occurrence was considered to be just a matter of time.

I’m often asked, “But how much should we spend on Crisis Planning, and will it hurt our ‘bottom line’?” The best organizations spend around 1 to 2% of their annual operating budget on Crisis Preparedness. As much as this is, it’s trivial compared to the costs of major crises. Indeed, the best Crisis Prepared Organizations are substantially more profitable—some by 6 to 12%—than those that just react without any prior preparations. Being Proactive allows one to address potential problems long before they turn into major crises.

I know of two organizations that show unequivocally that it’s possible to make thinking about the worst that can happen an integral part of their everyday operations. One uses in-house Internal Assassin Teams to attack and thereby find weaknesses in their products and manufacturing processes. The other uses a Chaos Team to do the same. In each case, they assume that they are in a perfect position to attack their products and processes because “they know more than anyone else about them.” In short, they are supremely Proactive.

In sum, Crisis Preparedness doesn’t happen by itself. It has to be part of a deliberate organizational strategy to Think the Unthinkable and to do everything in one’s power to thwart it before it happens.


This essay is adapted from Techlash: The Future of the Socially Responsible Tech Organization, Springer, New York, 2020, in press.


Corona Virus: A Prime Example Of A Wicked Mess

As one of the principal founders of the modern field of Crisis Management and a lifelong practitioner of Systems Thinking, I’ve been studying and researching large-scale systems crises for nearly 40 years. The Coronavirus is one of the worst crises in every sense. Unfortunately, except for the palpable connection between the virus and the financial markets, all of the other important connections have not been given the serious attention they demand. Worst of all, they have not been considered as a whole given that they interact in strange and unpredictable ways.

One of the worst aspects of the crisis is that whereas the pandemic is a full-blown crisis to doctors, it’s a “hoax” to conservative talk-show hosts. Unfortunately, denial and obfuscation are major parts of nearly all crises.

A constellation of factors are part and parcel of the pandemic. First and foremost is the failure of the authoritarian government of China to curb the practice of selling the infected meat of animals in close proximity to humans, thus making the deadly virus all-too-likely. The Chinese government also failed to acknowledge the existence of the virus and thus did not act swiftly to contain it, thereby resurfacing underlying xenophobic fears. And, we have created a financial system that is easily disrupted. In addition, the U.S. economy is largely service-based, so that it’s especially at risk if large numbers of people stop going out to shop, attend public gatherings, etc. We have a Public Health system that has been seriously hampered by a President who is woefully ignorant of science, and who has repeatedly lied so that when he needed to be believed, he had no credibility. Add to this a long, drawn-out, nasty contest among the Democrats as to who is best positioned to replace a President who is not only completely unfit for the job, but exhibits daily growing signs of serious mental disturbance, which only adds to the crisis. And of course, vulnerable populations and the closing of schools only add to widespread fear.

In short, we’re dealing with nothing less than a Wicked Mess.

The late distinguished Social Systems Thinker Russell L. Ackoff appropriated the word Mess to stand for a whole system of problems that were so interconnected that one couldn’t take any single problem out of the Mess and attempt to analyze and treat it on its own without doing irreparable damage both to the problem and to the entire Mess. In short, the interconnections between the problems that constituted a Mess were as important as the so-called “individual problems.” In fact, the notion of “self-standing, independent problems” was an outdated and harmful figure of speech. It does not represent in any way the reality with which we are struggling to deal.

The notion of “Wicked Problems” for which none of the academic disciplines or professions has the final say in defining the problem, let alone in how to treat it, only adds to the Mess.

The result is that all of the problems of modern societies are Wicked Messes. For instance, Homelessness is a host of interrelated problems. Thus, Income Inequality, Drug Addiction, Mental Illness, a Poor Housing Market, and Low Paying Jobs are all integral parts of the “Homelessness Mess.” If this wasn’t complicated enough, all Wicked Messes are parts of one another. Given that the homeless are especially vulnerable to the virus, Homelessness and the Global Pandemic are heavily interconnected.

Unlike simple exercises, which unfortunately constitute the bulk of traditional education, Wicked Messes do not have single, exact solutions, let alone stable ones. We only cope with them as best we can. Thus far, our coping mechanisms have been less than adequate, indeed almost criminal.

Yes, we need to attack each of the major factors as vigorously as we can. But even more, we desperately need leaders who understand that we are dealing with a Wicked Mess so that we can cope with it as it really is.

Sadly, no one to my knowledge has exerted the kind of leadership that is required to deal with Wicked Messes. If we learn anything from the Coronavirus, my hope is that we will learn how to cope better with the next Wicked Messes.
