The Attributer’s Blog – Accountable

It is exactly a year since The Attributer last visited this attribute. Then the issue was with the Board of Disney and its decisions over cyber security. A group of shareholders were unhappy with the Board position and the company was heading for a clash at the forthcoming annual stockholders meeting. This time we are dealing with the ongoing story of Boeing. Whilst the entertainment industry and the aviation industry are both multi-billion-dollar businesses, no-one ever got killed watching a movie, unless they were on a flight at the time. In the case of Boeing more than 340 people were killed in two crashes involving the ill-fated but hugely popular 737 Max airplane.

Let’s once again look at the definition of ‘accountable’:

Accountable: required or expected to justify actions or decisions; responsible, liable, answerable, chargeable, to blame for failures. Examples: “Ministers are accountable to Parliament.” “The government was held accountable for the food shortage.”

Boeing has a complicated statement of its vision and mission, covering multiple points of view (https://www.boeing.com/principles/vision.page). Interestingly, one of the points is about safety, as you would expect:

“Safety: We value human life and well-being above all else and take action accordingly. We are personally accountable for our own safety and collectively responsible for the safety of our teammates and workplaces, our products and services, and the customers who depend on them. When it comes to safety, there are no competing priorities.”

That’s fairly clear, but the Board obviously failed to take account of its own vision statement. After much talking about the crashes as an ‘unfortunate sequence of events’, eventually Dennis Muilenburg, the Chief Executive of Boeing, has had to resign. To suggest that such accidents are nothing more than ‘bad luck’ is an outdated and offensive message. The Attributer has written about a safety engineering methodology called STPA, systems theoretic process analysis (see a previous article entitled SAFE). This new approach to safety engineering is the work of Professor Nancy Leveson and her team at the MIT department of Aeronautics and Astronautics. The so-called ‘swiss cheese’ model in which the holes in cheese slices line up accidentally from time to time is not part of this modern approach. David Calhoun, Mr. Muilenburg’s successor, take note.

There are many parallels between STPA and SABSA, one of which is the essential presence of governance and accountability. Both frameworks deal with systems engineering. Both make huge reference to the need for good governance at every level of the system, including the high-level corporate system that produces the lower-level systems. Whilst the 737 Max is a system, it is only a sub-system of the larger system: the Boeing Corporation. And Boeing is only a sub-system of the entire aviation industry.

The key to the safe and secure operation of any system is therefore embedded in the way it is engineered, and systems engineering demands governance at every level and accountability of the human players who hold responsibility for governing the systems. One of the essential first steps in engineering a system is to state the purpose of the system. What is it meant to do? According to most industry commentators, Boeing has clearly attempted to put profit before safety, violating its own vision statement. The Board saw the purpose of the system as being to make profits. They neglected to take account of the purpose also being to protect the safety of passengers and to maintain the confidence of the flying public at large.

Every organisation writes and publishes vision and mission statements, but if they don’t actually use them as guiding principles for how they do business then it’s all smoke and mirrors – merely window dressing in a world greedy for profit. If good systems engineering principles are applied, then those mission statements mean something. If not, then the words are empty. Both SABSA and STPA are clear about governance and accountability. If you follow and apply these frameworks, then you will not go far wrong in the world.

The Attributer

2 thoughts on “The Attributer’s Blog – Accountable”

Accountability is precisely where tremendous failings occur and that is why I believe that is where SABSA should be speaking to the problems that we are witnessing today. None of us exist in a perfect laboratory where order is predetermined and therefore we can’t possibly separate the various kinds of accountability from the failure of information and mission objectivity.

There is a common thread in the many mistakes and failures leading up to the COVID-19 pandemic and I believe that the application of the systems approach used in SABSA can and should be within Biosurveillance and Pandemic Response.

Security is a multifaceted concept and information security extends much further into organizational theory than many of us have been willing to recognize. Just as I spoke to this problem in Ireland in 2014 and for the same reasons that I am saying these things today, the organizations that society depends upon are failing our society in large part because they can’t possibly respond to the volume and throughput of data, information and knowledge being taken in. Let me be more precise…the very structure of organizations that we build security into are incapable of utilizing the technical solutions being provided.

The way in which we choose to construct organizations hasn’t fundamentally changed in thousands of years but nearly everything else has. If SABSA is to be a continuing part of the evolution of technology implementation then it has to be a part of restructuring organizations to be able to effectively, efficiently and appropriately use the content being delivered.

If we are to fairly look at the problem that we are contributing to we must acknowledge that information security has been used to isolate organizations, not protect content. One cannot do the one thing without the other and by definition, systems are always bigger than we choose to specify.

In Ireland I spoke to the need to engineer security to promote the efficiency and effectiveness of organizations by way of inclusive and not just exclusive distribution of content.

Nowhere today is there a more important need to apply open systems architecture to information systems than in public health and biosurveillance.

Roy…

Roy – thank you so much for your long and considered commentary. This is exactly the type of community contribution that we are seeking to promote. In your response you take us from the original case study (Boeing) into another, now more topical area, the global management of the COVID-19 virus, Bio-Surveillance and Pandemic Response. It just exemplifies the broad applicability of SABSA as a framework for risk management. No matter what the risk domain is, SABSA has a role to play in the analysis of the issues and synthesis of the solutions.
