#15 - September 2020 "On human error…"​

#15 - September 2020 "On human error…"

More posts available on Martin's Log

I was prompted to reflect on human error following a post by John Scott, Head of Security Education at Bank of England. He quoted Professor James Reason from his seminal book “Human Error” published in 1990.

Dr Jim Reason was my tutor at Leicester University in the early 1970s. I never made the most of my time at Uni, or his mentoring. Then, I was a shallow and feckless student of psychology, with no direction in my life. I spent most of my time at the University Air Squadron flying Chipmunk aircraft, and the rest trying to lose my virginity, so inevitably I left with a mediocre degree. I do recall for weeks at Jim’s request logging all the everyday mistakes I made and trying to assign reasons. My input and that from his other students subsequently became part of his famous research into human error.

John, you said you looked forward to “reading the blog post”. Here it is. It’s not an academic treatise, just my thoughts…

The nature of human error

Human error is the basis of just about every accident, security incident and data breach. It’s every cybersecurity practitioner’s basic diet, the fundamental keystone of every transformation project, security awareness campaign and culture change programme. We should understand it better. 

We all want to succeed. None of us want to fail. From the earliest age, even as infants, we all want to please and to receive reward, and we learn to achieve these things by trial and error. Accordingly, people make mistakes.

There are so many variables in everyday life, and our fate is so often determined by luck not skill, by the actions of others and not ourselves. “Luck - success or failure apparently brought by chance rather than through one's own actions.” Synonyms: fortune, fate, destiny, lot. Whilst the physical universe is defined by the laws of physics, life consistently and inconsiderately refuses to adhere to these rules. That same bold or cautious move can save or kill us in equal measure. Simple acts of trust in others can lead both to betrayal and loyalty. Falling in love can result in heartbreak or happiness (sometimes both at once!) We can do the same thing 99 times without anything going wrong, but on the 100th occasion it will rear up and bite us.

Successful people are often just luckier than unsuccessful people; “right time, right place”. But that said, I believe passionately that you make your own luck. As Samuel Goldwyn famously said, “The harder I work, the luckier I get”, and remember Arnold Palmer’s truism, “The more I practice, the luckier I get”.

There are no guarantees where success is concerned. You can sit back and expect the world to deliver success to your doorstep, or you can go out and look for it; the choice is yours, see Dexter’s Principle.

The fear of failure

Failure is one of the biggest fears we all face in our lives, but it is an essential ingredient in the learning and growing process. Human error is part of life. Those who never made a mistake never made anything. Even as we try, we will fail.

In my last blog I describe how my dear old dad always taught me not to be afraid of failure, nor to use this as a reason for not trying. There are others more erudite than him who over the years have put it much better:

·        “Success is not final, failure is not fatal: it is the courage to continue that counts.” Winston Churchill

·        “Only those who dare to fail greatly can ever achieve greatly.” Robert F. Kennedy

·        “Our greatest glory is not in never failing, but in rising every time we fail.” Confucius

·        and my favourite, I love it, my goodness how true is this? “Success is measured by how high you bounce when you hit bottom” George S. Patton


Error management

In 2003, Jim Reason and Alan Hobbs defined a number of principles to manage errors and failure. They are so worth a revisit, here are some of them; I commend them to you at home and at work, for ourselves, our loved ones and our colleagues:

1.      Human error is both universal and inevitable We can try to be perfect, but this will never be. Human fallibility can be contained but it can never be eliminated.

2.      Errors are not intrinsically bad Success and failure are close bedfellows, both essential if we are to learn and evolve. 

3.      Errors are symptoms, not the disease An error simply points to its cause. It’s the cause we must identify if we are to prevent reoccurrence.

4.      The best people can make the worst mistakes To err is indeed completely human. And when those trying the hardest do inevitably screw up, then often the impact of their mistakes will be even greater and more visible than those of lesser mortals like you and me.

5.      Manage the manageable Since human nature is largely unmanageable, we must focus on those things we can control. Hence the importance of technical (including automation, machine learning and AI), procedural, and organisational measures. For example, in an aircraft cockpit the checklist is king and procedures are his courtiers.

6.      Everyone needs to account for and acknowledge their errors Mistakes are made at every level in an organisation, so failure needs to be attributed fairly. Don’t pass the buck, and certainly not downwards towards the ones least able to defend themselves. Indeed, the higher up an organisation an individual is, the more dangerous and impactful can be his or her errors. 

We must never give up, and the best we can ever hope to achieve is to reduce and/or contain human error. That’s why security awareness and education is a process, not an event.


Those unforgiveable errors

There is no single best way to avoid human error, prevention is a smorgasbord of countermeasures. Human failings of all types occur at every level within organisations of widely differing cultures for different reasons, and all require different management techniques. Error management is a continuous process that must look at reform of the system as a whole - responding to individual errors is like playing whack-a-mole, a route leading only to failure and exhaustion. 

But then there are the frustrating and unforgiveable errors that keep occurring and that we really don’t need to make. They are the common ones, the simple ones, the repeated ones, the easily-avoided ones that happen all the time because we’re just careless, or lazy, or stubborn. There lies the real challenge; to change our behaviours routinely so that we don’t share passwords, drink and drive, forget anniversaries, lose our keys, practice unsafe sex, leave the iron switched on. How difficult can it be to understand the proper use’s of the apostrophe! These are the errors that don’t need to happen, but they can prove just as fatal as the bigger ones. Heartbreakingly, they can be avoided by our just being careful, and I find them difficult to forgive in myself or others.

Accidents (see Air Crash Investigation, a great programme!) rarely happen because of a single failure. Most often they are caused by the aggregation of many simple errors. Jim Reason refers to the holes in Dutch cheese lining up together. I’ve always said, “In life you’re rarely eaten by an alligator, usually you’re nibbled to death by a thousand chickens.”

No alt text provided for this image


Responding to failure

Good managers understand that failures will happen, that they and their staff will make mistakes. How we respond makes a huge difference in both how those errors are managed and resolved, and how we and our teams learn. I never mind mistakes in others, except where they are easily preventable - where they’ve been caused by simple carelessness or laziness, and then doubly so when those mistakes are repeated. There is very little excuse for making the same mistake more than once, and none for errors that could have been avoided just by taking care and checking. My motto is never to make mistakes you don’t need to.

I have always tried to lead by example, by acknowledging my errors to those around me when I’ve gone wrong and accepting responsibility. Oh boy, and how I’ve failed! Smith is either flying high above the clouds, or crashing ignominiously into the hills. There’s nothing in between for me. Read about the con that nearly did for me or the day I nearly started World War 3 as classic examples, but here’s another...

It was winter early in 1977 and Flying Officer Smith was the Station Security Officer at RAF Lyneham in Wiltshire. I was totally unprepared for this or any other responsible, public-facing role in the real or any other world. Straight out of initial training, this was my very first tour. I was supposedly “in charge” of a dozen highly experienced RAF Police, including some with trained police dogs, and the small fire section. My weary but not unfriendly flight sergeant’s main task was to keep me out of trouble whilst I found my feet as an officer.

We were on Taceval; “Tactical Evaluation - a NATO-wide programme that evaluated and assessed the military combat readiness and capabilities of tactical air forces on behalf of the Supreme Allied Commander Europe (SACEUR))”. It was the middle of my second night on duty, I’d been working for more than 24 hours in the Station Operations Centre (SOC), where again I was supposedly “in charge” of the hundreds of guards sparsely deployed around the many miles of station perimeter to defend the airfield and its aircraft. By this stage of the practice war, the enemy Red Forces (in those days it was supposed to be the Russians, oh how wonderfully simple life was back then) had invaded and laid waste most of the UK mainland, captured Swindon, and were fast advancing on us from the direction of Wootton Bassett. The airfield was under air attack. Skirmishes had broken out at several places towards the end of the main runway as enemy ground forces approached. The situation wasn’t improved by the referees (“Directing Staff”) nominating many Blue Forces (our) guards and their commanders as casualties, and telephone cables becoming nominally severed by exercise explosions and exercise enemy bombardment. I was left blind to the situation on the ground.

I was exhausted, hungry and scared. I had very little grasp on the situation before things had begun to get this desperate, so now I hadn’t the faintest clue about what was going on or what to do to. The phone on my desk rang constantly, I had others in the SOC shouting instructions at me, I just prayed for the Russians to get a move on so that we could surrender and my nightmare would end. 

In exasperation, I grabbed the phone. “Fuck off, leave me alone” I shouted, and slammed it down. Several heads turned to look in my direction. It rang again, I picked it up again, but before I could say anything a voice said “This is the Station Commander. Who is this speaking?” A sharper knife in the drawer might have answered Micky Mouse, but not me. “Flying Officer Smith, sir. Station Security Officer.” It then dawned on me to whom I’d just spoken so sharply. “See me in my office at 9am, Smith,” he said, and the phone went dead. 

The blood drained from me, my stomach lurched and I felt physically sick. The exercise ended in due course, it was unclear to me whether we’d won or lost but by then I had no interest in anything except my impending doom. I returned to my married quarter for a shower and to change into my number one uniform. Sleep was never going to happen until I’d faced the music.

At 9am I duly reported to the station commander’s outer office. His PA, a fierce sergeant who’d clearly already eaten the juicy parts of a junior officer for his breakfast, instructed me to sit. “The Group Captain will see you when he’s ready”, he said. “Wait there.” Exhausted and beaten, I did as I was told.

I sat. For hours. I was ignored completely by the station commander as he arrived. The sergeant proved not unfriendly in the end and brought me tea and biscuits from time to time; at midday he stood me down for my lunch, I was to be back by 1pm. I was.

I sat. The afternoon looked set to be a repeat of the morning but then the sergeant said the station commander would see me. I marched into his office, hat on my head, saluted smartly and stood to attention. He looked up from his desk and said quietly, “Fuck off, leave me alone” before returning to his papers. I saluted again, spun on the spot and marched out. The sergeant looked up at me and winked. “Lesson learned, sir?”

Thirty years later I told this story whilst giving an after-dinner speech at a Rotary Club dinner in Market Harborough. Someone in the audience asked me what that lesson had been, I replied that there were indeed several, and all ones I’d never forgotten. The value of courtesy, the need for calmness under pressure, the importance of recognising when you’re out of your depth and asking for help (and equally in my defence when not to throw someone into the deep end before they can swim), and more. But, I said, what had stuck with me most was the humorous, subtle, and ultimately kindly way in which my error was brought home to me and my punishment served. I said I believed that “how you respond to your own mistakes illustrates your character, but that how you respond to others’ mistakes defines it”. In that moment, I said, that station commander had earned this young officer’s total and everlasting respect and loyalty, and that I’d often wished that I could explain to him, all these years later, about how much I’d grown from the way he’d handled my indiscretion and how his example had taught me so much about dealing with human error. It was quite a good ending to my speech, I felt, and I got a healthy round of applause.

Afterwards in the bar an elderly man, small and stooped with wispy grey hair, approached me. “I’m Group Captain Amos”, he said. “It’s lovely to meet you again after all these years. Thank you for your kind words, I’d forgotten all about that. I’m so pleased it’s all worked out for you.” It was him! We shook hands, he smiled and left. One of the heroes of my life…

Peter Baird

Information Security Consultant and Programme Manager

4y

Air Crash Investigation should be part of the mandatory training for all risk and security professionals. So often there’s a chain of “unlikely” events that leave the pilot (our colleagues) in an impossible situation.

I loved this article and there are elements in there that I fully intend to take forwards into life. The TACEVAL section in particular resonates with me and I have seen similar types of situations handled extremely well, and extremely badly. Thank you for your openness and honesty.

Like
Reply
David Prendergast

Senior Manager with Deloitte Risk Advisory Cyber Team

4y

Great story - thanks for taking the time to write it 👏

Like
Reply
Tarquin Folliss OBE

Vice Chairman, SASIG Events

4y

Lovely story, Martin. In leadership EQ is at least as important as IQ. It is all to easy to forget our own transgressions when viewing others.

🔅Tim Rawlins

Director and Senior Adviser at NCC Group Plc Improving your Rumsfeld Score by reducing your unknown unknowns

4y

An excellent blog Martin Smith MBE FSyI. The lessons we learn we must pass on to increase the total sum of knowledge and stories are by far the best way to do so. We salute Group Captain Amos and will remember your well learnt lesson :) TimR.

Like
Reply

To view or add a comment, sign in

Insights from the community

Others also viewed

Explore topics