October 30–31, 2016: Training
October 31–November 2, 2016: Tutorials & Conference
New York, NY

Security FORCE: A model for highly reliable security behaviors and cultures

Lance Hayden (ePatientFinder)
1:15pm–1:55pm Tuesday, 11/01/2016
The human element
Location: Grand Ballroom West Level: Non-technical
Average rating: ***..
(3.75, 4 ratings)

What you'll learn

  • Learn empirically verified characteristics that make an organization less susceptible to failure and more resilient when failures do occur


Why do some organizations experience severe failures while others avoid them? It’s a key question for every enterprise, but one that’s increasingly important for information security. In recent years, an ever-expanding list of data breaches and security compromises has triggered a wave of soul searching on the part of the security industry and the enterprises it serves. Optimists put their faith in standards, regulations, and compliance. Pessimists say there’s no defense, and eventually everyone gets owned. Neither position enjoys an abundance of empirical analysis, so how does an organization build an effective security strategy against future challenges? Is it simply a matter of bad luck or something more?

Fortunately, there is a body of empirical research that offers valuable insights into the challenges information security faces. For several decades, organizational behavior researchers have explored why some organizations succeed in avoiding catastrophes even in environments that would seem to make them more prone to both everyday as well as severe failures. These high-reliability organizations (HROs) thrive in dangerous and uncertain environments through a culture that emphasizes failure, operations, resilience, complexity, and expertise and include enterprises as diverse as nuclear power plants, aircraft carriers, and intensive care units. Across these diverse organizations, HRO researchers have identified several key characteristics that support high reliability in uncertain and even hostile environments: preoccupation with failure, reluctance to simplify, sensitivity to operations, commitment to resilience, and deference to expertise.

Lance Hayden introduces Security FORCE, a model adapted from research on HROs with a focus on developing highly reliable security cultures that are “future ready.” The FORCE model is a combination of identifiable security program focus areas and defined metrics for evaluating each FORCE characteristic. You’ll learn the background and development of the HRO research literature, the application of HRO research to cybersecurity, and how to use the FORCE model and metrics to evaluate and improve your own security programs.

Photo of Lance Hayden

Lance Hayden


Lance Hayden is the chief privacy officer for ePatientFinder, responsible for the security and privacy of mission-critical enterprise information assets. A leading expert on security culture, strategy, and performance with over 25 years’ experience in information security, Lance focuses on helping organizations better leverage their human capital in support of information security goals and objectives. Over the course of his career, he has worked with companies and teams around the world to measure their security culture, identify sources of behavioral and cultural risk, and develop highly reliable security programs capable of both anticipating and responding to today’s security challenges—as well as tomorrow’s. Lance is the author of People-Centric Security and IT Security Metrics and a regular contributor to industry events and publications. Lance lives in Austin, where he teaches courses on security and privacy at the University of Texas School of Information.

Comments on this page are now closed.


11/22/2016 11:19am EST

Great session! Any chance you might make your slides available?