US military can teach CEOs about cybersecurity and building a high-reliability organisation


OXFORD, United Kingdom, Aug. 20, 2015 (GLOBE NEWSWIRE) -- via PRWEB - An article published in the Harvard Business Review, Cybersecurity's Human Factor: Lessons from the Pentagon, by James A. Winnefeld Jr., Christopher Kirchhoff, and David Upton of Saïd Business School, University of Oxford, identifies the six principles at the heart of the US military's success in stopping attacks on its systems and quickly containing the few intrusions that occur

Saïd Business School, University of Oxford

  • Most successful cyber-attacks are down to human error not inadequate technology – cyber-security is a leadership issue
  • Shortsightedness in the C-suite is a serious problem: CEOs need to take charge and create high-reliability organisations
  • To do so, they should embrace the core principles practised by the US military that consistently minimise risk and successfully repel more than 30 million cyber-attacks a year

As organisations worldwide continue to fall victim to cyber-attacks made possible by the mistakes of their own network administrators and users, a new report shows how CEOs can take a cue from the US military and create high-reliability organisations (HROs) that consistently guard against cybercrime.

An article published in the Harvard Business Review, Cybersecurity's Human Factor: Lessons from the Pentagon, by James A. Winnefeld Jr., Christopher Kirchhoff, and David Upton, identifies the six principles at the heart of the US military's success in stopping attacks on its systems and quickly containing the few intrusions that occur. Crucially, the authors also indicate how the principles can be put into practice in other types of organisations.

'A recent survey by Oxford University and the UK's Centre for the Protection of the National Infrastructure found that concern for cybersecurity was significantly lower among managers inside the C-suite than among managers outside it. Such shortsightedness at the top is a serious problem,' said David Upton, American Standard Companies Professor of Operations Management at Saïd Business School, University of Oxford. 'The reality is that if CEOs don't take cybersecurity threats seriously, their organisations won't either … They must marshal their entire leadership team--technical and line management, and human resources--to make people, principles, and IT systems work together.'

The core principles that have enabled the US military successfully to fend off more than 30 million known malicious attacks work together to create a culture that leads people, without exception, to eliminate 'sins of commission' (deliberate departures from protocol) and own up immediately to mistakes. They understand all aspects of the system, and know and follow all operational procedures to the letter, which means that they listen and respond to their own internal alarm bells, helping them to forestall potential problems.

The authors acknowledge that inculcating these principles into an organisation with a formal command structure such as the military may be easier than in a looser, more democratic organisation. However, they have identified measures that leaders in any organisation can take to embed these principles in employees' everyday routines.

1. Take charge. CEOs should ask themselves and their leadership teams tough questions about whether they're doing everything possible to build and sustain an HRO culture. Meanwhile, boards of directors, in their oversight role, should ask whether management is adequately taking into account the human dimension of cyberdefense.

2. Make everyone accountable. All managers--from the CEO down--should be responsible for ensuring their reports follow cybersafety practices. Managers should understand that they, along with the employees in question, will be held accountable. All members of the organisation ought to recognise they are responsible for things they can control.

3. Institute uniform standards and centrally managed training and certification. Merely e-mailing employees about new risks is not enough. Nor is an annual course on digital policies, with a short quiz after each module. Cybersecurity training should be as robust as programmes to enforce ethics and safety practices, and companies should track attendance. After all, it takes only one untrained person to cause a breach.

4. Couple formality with forceful backup. Be clear about who is in charge of what, and what users are and are not allowed to do. Regularly reminding employees that their adherence to security rules is monitored will reinforce a culture of high reliability.

5. Check up on your defenses. CEOs should invest more in capabilities for testing operational IT practices and expand the role of the internal audit function to include cybersecurity technology, practices, and culture. Scheduled audits should be complemented by random spot-checks to counter the shortcuts and compromises that creep into the workplace.

6. Eliminate fear of honesty and increase the consequences of dishonesty. Leaders must treat unintentional, occasional errors as opportunities to correct the processes that allowed them to occur.
However, they should give no second chances to people who intentionally violate standards and procedures.

The Harvard Business Review article can be found here:

For more information, or to speak David Upton, please contact the press office:

Jonaid Jilani, Press Officer, Saïd Business School
Tel: +44 (0)1865 614678, Mob: +44 (0)7860 259996
Email: jonaid.jilani(at)sbs(dot)ox(dot)ac(dot)uk or pressoffice(at)sbs(dot)ox(dot)ac(dot)uk

Kate Richards, Press Officer, Saïd Business School
Tel: +44 (0)1865 288879, Mob: +44 (0)7711 000521
Email: kate.richards(at)sbs(dot)ox(dot)ac(dot)uk

Notes to editors

About Saïd Business School

Saïd Business School at the University of Oxford blends the best of new and old. We are a vibrant and innovative business school, but yet deeply embedded in an 800 year old world-class university. We create programmes and ideas that have global impact. We educate people for successful business careers, and as a community seek to tackle world-scale problems. We deliver cutting-edge programmes and ground-breaking research that transform individuals, organisations, business practice, and society. We seek to be a world-class business school community, embedded in a world-class University, tackling world-scale problems.

In the Financial Times European Business School ranking (Dec 2014) Saïd is ranked 10th. It is ranked 10th worldwide in the FT's combined ranking of Executive Education programmes (May 2015) and 22nd in the world in the FT ranking of MBA programmes (Jan 2015). The MBA is ranked 7th in Businessweek's full time MBA ranking outside the USA (Nov 2014) and is ranked 5th among the top non-US Business Schools by Forbes magazine (Sep 2013). The Executive MBA is ranked 21st worldwide in the FT's ranking of EMBAs (Oct 2014). The Oxford MSc in Financial Economics is ranked 14th in the world in the FT ranking of Masters in Finance programmes (Jun 2015). In the UK university league tables it is ranked first of all UK universities for undergraduate business and management in The Guardian (Jun 2015) and has ranked first in ten of the last eleven years in The Times (Sept 2014). For more information, see

This article was originally distributed on PRWeb. For the original version including any supplementary images or video, visit


Contact Data