Situational Awareness: An Imperative for a Mature Cybersecurity Model

The Human Factor

The human factor is, simultaneously, an organization’s most valuable asset and its greatest vulnerability. However, it can be developed into its strongest security control. It has been determined that 69% of breaches are the result of human error and, in those instances, a lack of situational awareness has been determined to be the number one cause of that human error. Even the most experienced people can lack situational awareness, especially when performing tasks that have become routine and are perceived as mundane.

Defining Situational Awareness

On the most basic level, situational awareness is about recognizing what is occurring in the environment and the implications of that activity for the present and the future. While this is reasonable and straightforward in a stable and simple situation, it can become a real challenge in the fast paced, complex and constantly changing threat environment of cybersecurity. In cybersecurity, where volatility, uncertainty, chaos and ambiguity are more the rule, situational awareness is especially relevant and is a significantly greater challenge to develop and maintain.

The operating environment of any organization is a passive hostile environment that can rapidly become an aggressive hostile environment relative to cybersecurity. In such a volatile setting, individuals must be able to quickly recognize patterns of behavior that might indicate a threat and act immediately based on the information they have been given.

Increasing Importance of Situational Awareness in WFH Environment

The importance of situational awareness has increased due to the expanded attack surface created by the work from home (WFH) environment that has become the norm. The expanded threat landscape created by WFH has increased the risk of data theft, operational disruption, brand erosion and employee and customer compromise ten-fold. The digital supply chain environment, required for many corporate roles, has added another layer of threats and vulnerabilities that necessitate expanded situational awareness in the organization’s daily operations.

A high level of situational awareness, as part of the organization’s effort to develop a mature cyber model across the full spectrum of the operational environment, ensures that unsafe situations are recognized as critical, are addressed in as close to real time as possible, and the security leader’s intent regarding countermeasures are implemented.

Organizational situation awareness with respect to industry threats, status of the maturity of the organization’s cyber model within the enterprise culture, potential attack surfaces and related vulnerabilities relative to their unique operating environment, and an understanding of current risk to critical assets provides the context for developing individual situational awareness according the role of each person.

Situational Awareness is a Mindset

A mindset is what provides perspective. Every individual has a latticework of mental models they have developed through education, experience and the environment in which they currently operate. Given the percentage of breaches being attributed to a lack of situational awareness, it is fair to say the subject of situational awareness needs much greater understanding and attention.

Tunnel Vision

Humans, in general, lack situational awareness. This deficiency is easily confirmed by observing people walking with their head down, focused on one particular activity, and rarely assessing their surroundings. Such behavior can be attributed to our natural cognitive limitations.

There are two types of responses to a threat once it manifests itself: an immediate emotional response — commonly referred to as fight, flight or surrender — or a planned cognizant response that enables a person to respond with assertiveness, decisiveness and composure. Such a planned response is proactive and is fostered through training, response preparation and the experience obtained through scenario testing and after-action reviews.

If situational awareness is to be improved, the organization must first demonstrate a proactive approach to cybersecurity that involves anticipating cyber events and stressing the importance of each employee being prepared to act within the security leader’s intent on a daily basis.

Three Levels of Situational Awareness

The strategies for improving situational awareness training must prepare the individual regarding the following three levels of situational awareness with the goal to enhance the planned response effectiveness.

The three levels of situational awareness are:

  1. Perception of the situation. Situational awareness starts from the knowledge of the situation in a person’s operational role. At this level, the individual must observe the activity in their environment (i.e. the behavior of those with whom their role requires them to interact) and recognize important details that would serve as an alert to aberrant behavior.

The perception of such behavior is mostly dependent on past experiences and current knowledge of the operational environment. The vigilance necessary to capture this big picture can only be achieved by strengthening the “grit” component of mental toughness.

An individual’s ability to recognize important details varies greatly, but is mostly dependent on past experiences. For this reason, experiences encountered during training scenarios are vital to the improvement of the observation skills required in the rapidly changing threat environment of their unique role. The skill of observation must be continuously cultivated

2. Assessment of the situation. Situational awareness does not just involve taking note of what is happening around us. The second level demands processing that information to understand its meaning. We must assess and interpret the information we have collected to make sense of it. In many cases, we carry out this evaluation instantly and with little effort from the recognition of key patterns.  

But in other cases, especially when the environment changes, we must make a continuous effort to understand the connections between people, places and/or events and apply the new mental models we have added to our latticework.

3. Decision-making. Situational awareness is not merely a contemplative process but is also focused on the future. Although discerning meaning is focused on analyzing the past, the resulting information looks to the future. In other words, we take note of our environment in order to anticipate its trajectory and act accordingly. We imagine the most likely scenarios to make more effective decisions.

Diagnosing the Situation

That means that situational awareness determines the decisions we make regarding different events in life. It enables an individual to make the most informed decision based on knowledge, experience, training and planning. This is true in any environment but it can be critical relative to the security of digital assets. An example of this universal importance is found in the results of a study carried out at the Baylor College of Medicine in Houston. In this study, it was found that in cases of diagnostic errors by doctors, the lack of one of the components of situational awareness was evident.

The same might be said for an error in the decision and subsequent response by an individual confronted with the need to diagnose an anomaly or the appropriate initial response in a cybersecurity situation.

Conditions

The WFH environment creates a situation in which every individual is an outpost that creates an attack surface for the cybercriminal. In a military context, an outpost is defined as a small military camp or position at some distance from the main force, used especially as a guard against a surprise attack. In the WFH operating environment, the individual should be regarded as both an isolated or remote branch capable of providing an early alert and as a potential vulnerability in the perimeter.

Role-based situational awareness training provides the individual with the ability to identify, process, comprehend and respond to critical elements of information provided or identified regarding the environment in which they are operating.  If taught fully and correctly, the person will maintain the necessary level of awareness the condition warrants. They will act, while performing the duties of their role in the organization’s operating environment and confronted with a potential threat, in the manner desired by the security leader.

Five States of Mind

There are five conditions in a physical threat environment associated with situational awareness. They are:

  1. Tuned out
  2. Relaxed awareness
  3. Focused awareness
  4. High alert
  5. Comatose

There is an analogous state of mind for information security.     

Here we will examine the states of relaxed awareness, focused awareness and high alert in the context of human behavior, relative to information security. They are, potentially, the day-to-day states of the normal operating environment for any role in the organization.  We will explore the comatose state when we examine the importance of considering the situational factor in improving situational awareness.  

If an organization is to successfully navigate the transition between these states of awareness, as the threat environment requires, clear, concise and regular communication will be the critical component.

The color code is a way for the organization to establish, based on the security team’s assessment, the condition in which it is operating at that time.

Tuned Out – Condition White

This is the lowest situational awareness level and is where people are most vulnerable. Because the person believes there is no jeopardy, they have chosen to not actively assess the potential threat indicators related to their role in the operational environment. Essentially, the individual is ‘switched off’ and unaware of what’s occurring around them. This could be due to various reasons that cause them to be stressed or impaired physically or psychologically and, therefore, they’re unprepared to take any action.  

This is a condition the security team must make every effort to avoid through daily status alerts of its perception of the current threat environment and the subsequent level of awareness individuals should be operating.

In this state of awareness, were any behavior indicative of the presence of a threat to occur, the person would be completely unprepared and would be reactive in any response.

Relaxed Awareness – Code Yellow

This quite possibly is the daily level of organizational and individual awareness. The person understands that there is a persistent threat to the organization’s critical digital assets used in the execution of their operational role. This level of awareness causes them to be alert and aware, and, as such they are actively scanning their operational environment for potential threat indicators or anything noteworthy while going about their daily routine.

Focused Awareness – Code Orange

Situational awareness level orange refers to a heightened level of awareness. Ostensibly a behavior was detected that breaks an established baseline.

It is a mindset in which the individual focuses on a specific threat, perhaps due to an alert generated from the security team, and is prepared to take action in accordance with the security leader’s intent.

In today’s WFH environment, the individual would have delegated decision making authority within the established policies and procedures for such a scenario. Acceptable actions for the type of threat identified would have been stressed during scenario training and testing.

Hight Alert Awareness – Code Red

Code red is where action must be taken. Perhaps a breach has been detected and the situation has reached a point where the organization must actively protect what’s important. This is a situation that will involve all of the human emotions (i.e., fear, uncertainty, doubt, tunnel vision) that both cloud and interfere with decision making that results in a diminished “tempo” in taking action. Tempo is critical in this situation because the competitor who acts with the highest tempo will cause the other competitor to adjust to their actions which most often results in victory for that competitor.

Regardless of your state of situational awareness, it’s good practice to think about it according to these levels. They can be vital to ensuring you have the necessary mental and physical preparedness.

Situational Awareness Training Considerations

The art of awareness training provides the organization with the tools to shift the line of focus and enough practice to make organizational and delegated decision-making automatic and intuitive. Scenario-based training, per the second principle of the Marine Corps “Doctrine of Maneuver Warfare,” provides excellent conditioning exercises to establish the security leader’s intent and train delegates on their responses in support of that intent. Such training enables instinctive actions or reactions based on their environment and understanding of the current level of situational awareness.

Operating environments are constantly changing, with varying degrees of complexity, risks and threats. People can, and will, develop habits of response to stressful situations based on how they are trained and prepared through practice.

While formal training is an important employee development strategy, informal training through practice is just as, if not more, important and dynamic.

Three Factors in Escalation

There are three basic factors that affect the escalation or de-escalation of a pending or developing risk episode:

  1. Human Factor – This factor involves the mental, physical and emotional status of the primary and secondary persons involved in the encounter.

Several of the nine principles of human nature should be considered in regard to situational awareness training. One of those principles is “humans are not good at multi-tasking” and, when required to multi-task, a condition known as “unintentional blindness” can be the result. A study conducted at the University of Massachusetts is representative of this principle. The study revealed that when we walk and text at the same time, we miss 48.3% of the visual cues that come our way.

The performance of daily tasks associated with a person’s role will cause them to remain focused on those prioritized tasks and fail to recognize cyber threats that exist on the peripheral of their attention span. If one doesn’t expect a threat from the human/environmental/ situational factors, the degree of recognizing and responding to a threat is diminished, and the position of disadvantage and potential consequences is increased.

This same principle applies when an individual is forced to deal with a particularly stressful situation such as a cyber threat. In a situation involving stress, people are susceptible to a very striking phenomenon: their perception is restricted to focus on the danger.  We develop tunnel vision which can negatively affect a person’s perception of the broader situation. Our critical thinking is reduced and we make impulsive decisions that may not be the most appropriate.

Because humans possess cognitive limitations, when we are mentally focused on something, we lose a sense of our surroundings. This principle combined with the lack in ability to multi-task perhaps explains many of the failures in situational awareness related to cybersecurity.

Humans are also creatures of habit. In general, humans follow simple, reproducible patterns and are reluctant to change them. Much of this reluctance can be attributed to our being finite creatures with a limited number of dimensions in behavior. Humans rarely act in isolation but, prefer to interact with the environment that surrounds us. Consequently, the organization must create an environment of a mature cyber model within its enterprise culture.

Cybercriminals view habitual areas, within the corporation, as places of opportunity and perform reconnaissance of individual and corporate social network environments to identify areas where those opportunities present themselves.

  1. Environmental Factor – This factor involves familiarity and the condition of the immediate physical environment, material items introduced into the environment and the scope of jurisdiction and control upon the environment. Environmental factors can be considered “conditions”[i] that, in many instances, are beyond an organization’s control.
    1. Friction – This is the force that resists all action and makes what should be simple difficult and what is difficult appear impossible. Friction can be mental, as in indecision, regarding change to operational procedures needed to improve security. It can be self-induced as the result of a lack of a clearly defined goal, lack of coordination, unclear or complicated plans, complicated communication systems, or vaguely defined command structures. Regardless of the source of the friction, the impact on the human element involved can lead to unfavorable emotional behavior resulting with an insider compromise.
    2. Uncertainty – All actions, in any type of conflict, take place in an atmosphere of uncertainty known as the “Fog of War.” It can take the form of unknowns about the enemy (i.e. potential capability and intent), as well as the friendly situation to include the organization’s capability. Knowledge gained through experience increase awareness which most often translates to being better prepared and, as a result, more confident. Greater confidence, combined with better preparation, effective and timely communications and training reduces fear and uncertainty.
    3. Fluidity – This is the competitive rhythm of merging events with the attacker and defender simultaneously trying to influence and exploit the tempo and continuous flow of events in order to achieve their purpose.
    4. Disorder – In an environment that includes friction, uncertainty, and fluidity, disorder that leads to chaos cannot be completely eliminated and must be anticipated. This disorder will lead to emotionally charged decisions and a failure to improvise and adapt if the data user has not been prepared and has not experienced situations that simulate such an environment.
  2. Situational Factor – This factor involves the stress levels associated with the circumstances presented. Neil Patel, marketing expert and entrepreneur, is quoted in Forbes Magazine as saying, “Emotion influences the entire milieu of the decision-making process.” The mindset and subsequent emotions related to that mindset are significant situational factors that must be continuously monitored and addressed. These four emotional responses are situational factors that are necessary for the organization to address, in a training program, as they will potentially affect each individual and, ultimately, the ability of the team to function during a crisis situation.
    1. Denial – This emotion is frequently connected to the organizational attitude of “It won’t happen to me.” In such a culture, it is mentally natural for an emotional response of “this can’t be happening” when it does happen. This emotion can be a major contributor to inadvertent mistakes that result in successful infiltration.This is a fitting place to further discuss the comatose state of situational awareness. The emotion most associated with this state of, or lack thereof, awareness is denial. Insufficient training is often the cause of the comatose state.The person literally freezes, their brain ceases to process information and they simply cannot react to the reality of the situation. The comatose state is a perfect description of the panic zone which is often the location an organization finds itself in because it has consistently operated in the comfort zone and refrained from deliberate practice to improve. Likewise, as an individual executes the “mundane, repetitive” tasks of their role, the human tendency to become careless, apathetic or negligent may lead to a comatose state of awareness.
    2. Primal Reactions – Emotions such as anger and fear are normal in situations where the outcome is failure. Training and testing must be designed where the result is failure in order to provide a learning experience to learn how to better control these emotions and limit their effect.
    3. Tunnel Vision – The natural response to training and preparation is to continue to use what is perceived to have worked previously and not consider different and opposing views. This emotion is often connected to the human factor and the principles of human nature discussed in that section. Developing a willingness to “think out of the box” must be encouraged. The philosophy of “if everybody is thinking alike, then somebody isn’t thinking”[ii] has value in overcoming Tunnel Vision. The most effective solution to address this factor is the development of a culture that encourages a growth mindset.
    4. Decision Fatigue – This is a product of an active disruption requiring each individual to be guarded in their behavior and continuously questioning if they are making the right decision when responding to an inquiry or instruction.From a daily situational awareness perspective, this emotion can be the product of an insufficient level of mental toughness and the grit to persevere in what may be perceived as a tedious and unrewarding role. It is a human tendency to become careless, apathetic and negligent which leads to complacency and diminished vigilance.

All of these factors are assessable, flexible and can be manipulated to some degree in preparation for, or in response to, threat risk. Training, experience and practice towards addressing these factors increases the chances of ultimately achieving the desired outcome of mitigating the risk of a cyber threat.

Critical Thinking

Continuous vigilance of threats related to the day-to-day performance of an individual’s role in the organization requires critical thinking.  The challenges of working in the rapidly changing and complex threat environment requires the ability to reason well in highly precise contexts as well as ambiguous and uncertain contexts, in order to analyze situations, evaluate decisions regarding action to be taken and respond as required.  Applying these skills in a speedy, effective, logical and organized manner requires focus, resourcefulness, foresight and responsiveness. 

We generally view critical thinking as making judgments based on the systematic analysis of evidence of some problem or topic, rather than relying on impulses, opinions and emotions. It is about trying to reduce errors and illogical reasoning. Most organizations concentrate on the systematic analysis approach to critical thinking because it is easier to catch errors than to notice when insights got missed. The caution, in regards to this approach, is we need to provide greater focus on inconsistencies and should review our arguments and beliefs and assumptions to try to maintain internal consistency. Otherwise we can fool ourselves and draw invalid conclusions. We need to be careful not to put so many restrictions on reasoning and inferences that we inhibit creativity. 

A more recent development regarding critical thinking involves thinking clearly about what is going on around us, and not uncritically accepting what people tell us is happening. It’s about thinking for ourselves, asking ourselves, “is this explanation plausible?” In the cybersecurity environment, this element of critical thinking is strategic to the individual making “in the moment” creative decisions while complying with the security leader’s intent. Instead of blindly accepting the interpretations of others the individual can be alert to weak signals that others aren’t noticing. In their role, they can be sensitive to events that were supposed to happen but didn’t. They can be more mindful within their unique operating environment.

The procedural mindset of procedures and checklists, used in so many organizations, remains important but, the critical thinking necessary to improve situational awareness requires a shift in mindset, from the procedural mindset to an investigative mindset. Procedures are necessary, but they aren’t sufficient. The employee needs to learn the procedures but shouldn’t get trapped by them. They also must learn to better observe the activity, both expected and unexpected, in their operational environment.

Decision-Making

Never tell people how to do things. Tell them what to do, and they will surprise you with their ingenuity.”

General George S. Patton

In the already dynamic and rapidly changing environment of cybersecurity, the shift in the operating environment imposed by COVID-19 has increased the importance of situational awareness with respect to decision-making. To some extent, this environment will continue to be employed by most organizations. Remote users will be faced with making decisions they previously would have deferred to on-hand leadership. The principle of decentralized decision-making is a tool to be considered in the effort to ensure the decision-making of a remote user aligns with the security leader’s intent.  Every individual has the need to feel competent at what they do and it is a source of internal motivation. There is no better way to satisfy that need than to demonstrate confidence in their decision-making capability by giving them authority to make decisions in critical situations.

In any dynamic and rapidly changing environment such as cybersecurity, success is often the result of immediate action. Decentralized decision-making relies heavily on an understanding of the security leader’s intent and enables those closest to the action to take advantage of on-the-spot information, not immediately available to their superiors, and allows them to exercise initiative. The organization or individual capable of making and implementing decisions consistently faster than their adversary gains a tremendous, and often decisive, advantage.

It is the responsibility of the organization’s security team to ensure that individual roles are aware of the threats relative to the daily performance of their duties. Within that individual’s unique operating environment, decisions properly made in accordance with the security leader’s intent, mitigate the occurrence of accidents, service disruptions and loss of productivity.

In the case of cybersecurity action plans, the trust necessary to reinforce this principle is built during the regular tabletop exercises, testing of the incident response plan and the continuous oversight of the daily execution of the plan.

By delegating the authority to make these decisions and tailoring communications with the aim of arming frontline personnel with the bigger picture into which their actions fit, they will vigilantly supervise the directives of the action plan.

Balancing Risk and Reward

Distributed authority is, by nature, chaotic and has the potential to add increased chaos to the dynamic and uncertain situation that surrounds a cybersecurity attack. This chaos can result in a higher prevalence of mistakes, especially when an overzealous subordinate fails to act in concert with the security leader’s intent. When executing on this principle, the risk-reward trade-off must be accounted for in the action plan. The situations in which such a decision, by an individual, disproportionately determines the outcome of a large-scale competitive encounter also carries considerable risks.

There are three variables that require attention to detail if this principle is to be used successfully.

  1. Trust and open communications must include a clear understanding of the security leader’s vision. Trust is earned through the leader’s daily supervision and presence. As a result, communication channels and processes are developed that enable the free flow of communication during the period of stress. The leader is then able to ensure that his intent is being achieved without suppressing the individual’s initiative.
  2. The degree to which the subordinate has authority to make decisions will vary by individual. In best case scenarios, the subordinate has been delegated the full authority to respond in a manner that results in sufficient speed to allow the organization to avoid missing opportunities. By not having to request permission and wait for orders from a higher authority, opportunities will be seized and the level of potential compromise minimized.
  3. The security leader’s intent, while originating from the top, is actually a mutual agreement. The agreement includes the leader’s vision integrated with the actions of the subordinates. Both pieces must be honored by each party and the subordinate must not fear the leader’s wrath if he must seek help to avoid a potential disaster.

These variables ensure frontline decisions can be made confidently and can mean the difference between experiencing a breach requiring notification to the regulatory board governing that organization’s industry or stopping the infiltration before such action is required.  

Decision making thus becomes a time-competitive process, and timeliness of decisions becomes essential to generating tempo.”

Warfighting by A. M. Gray

Tempo

Tempo is relative speed in time. War is a series of moves and countermoves in which the tempo of execution is important. The competitor who is able to respond faster than the opponent can identify opportunities and make decisions that force the opponent into a constant state of reaction. The constant state of reaction results in breaking the opponent’s will to continue the attack and causes a move to another target.

In most instances today, the typical organization is not operating at a tempo sufficient to impede an adversary. The threat actor’s tempo continues to increase and the rapid increase in malware variants designed to exploit vulnerabilities of existing infrastructure, new technology and persistent human error or negligence are outpacing an organization’s ability to act at a tempo that exceeds that of the cyber adversary.

Four-Step Process of Tempo

Air Force Colonel John Boyd first introduced the mental process of tempo in his lecture, “The Patterns of Conflict.” He identified the four-step mental process of: observation, orientation, decision and action.

He theorized that each party to a conflict first observes the situation. Based on that observation, the information gained is used to form a mental image of the unfolding circumstances of the situation. In the context of situational awareness and cybersecurity, an individual must be able to assess what is going on in their operational environment. How that person assesses these things varies greatly, and is mostly dependent on past experiences. This explains why situational awareness is something that must be continuously cultivated.

Orientation helps to turn information into knowledge and knowledge, not information, is the real predictor of making good decisions. In this step, you measure your ability to understand what the assessments resulting from your observation mean. This is particularly important because it allows you to coordinate your perceptions of what is going on around you with how you want to react to them.

The whole reason for developing situational awareness is to enable you, as much as possible, to be in control of the environment. Otherwise, you’ll end up using all of your brain power looking, scanning your environment and never being able to process any of that information. The real reason most people make bad decisions is that they often fail to place the information into its proper context. Orientation emphasizes the context in which events occur and facilitates decisions and actions.

On the basis of the orientation, options are considered and a decision is made regarding the selection of the best course of action for this specific OODA Loop cycle.

Turning Observation into Habit

As observation and orientation skills become more of a habitual behavior, the ability to foresee potential threats improves. The combination of foresight with the improved abilities developed in the orientation step (most notably knowing how to analyze new knowledge gained with the execution of successive loops) increases the understanding of your evolving environment. With this increased understanding, you are able to respond to change in the environment and continually put yourself, and the people you are with, in the best position possible for achieving the security leader’s intent.

Once the result of the action is observed, you start over because the action taken created a new situation that begins the process anew.

When you’re doing OODA loops right, accuracy and speed improve together; they don’t trade off.

Boyd argued that the party that consistently completes the cycle faster gains an advantage that increases with each cycle. His enemy’s reactions become increasingly slower by comparison and, therefore, less effective until his will to continue is broken.

An essential task of leadership is to create – mainly through leading by example – an organization that continuously improves in the execution of the OODA loop and strengthens the organization’s security posture in the process.

In cybersecurity warfare, this process has great merit. If the orientation and decision steps are integrated with threat intelligence, the subsequent action should provide an advantage to the defender relative to the risk-reward trade-off resulting from a bold decision.

Continuous oversight plays an important role in tempo. The principle of tempo is only effective if leadership is regularly visible and stressing the importance of enterprise security as envisioned in the action plan. By leading from the front and pushing decision-making to lower levels, the tempo of a response will increase. Decentralized decision-making eliminates excessive debate, and the maneuver warfare practitioner is able to seize the initiative.

In seizing the initiative, a superior state of preparedness for the countermove and a position of relative advantage are assured, resulting in an enhanced ability to predict and prepare for the adversary’s next move.

Improving Observation Skills

Situational awareness training prioritizes attention focus upon the various threat risks potentially encountered. Subsequently, recognition of and response to risk gravitates towards a desired trained result.

Situational awareness training strategies should be diverse, dynamic and practical. Consideration should be extended towards tapping into resources that possess both direct and tangent relationships with the training audience. This enhances training effectiveness and encourages a shared notion that what is everybody’s business – security – is everybody’s responsibility.

A goal of training must be improving the cognitive ability of employees relative to security. Deliberate practice is an invaluable tool for improving cognitive abilities and the performance in decision making.

Deliberate Practice

In order to improve situational awareness, both the individual’s and the organization’s collective cognitive abilities must be improved. That improvement is subject to the organization no longer being content to operate in its comfort zone but instead consistently operating in the learning zone where deliberate practice targeting improved performance is exercised.

Deliberate practice is the prefect venue for the simulation of the environment of disorder that often leads to emotionally charged and unsound decisions due to a lack of preparation and experience.

Incremental Effort and Improvement is the Way Forward

No degree of technological development or scientific calculation will overcome the human dimension. Situational awareness has always been a keystone to organizational readiness. Much like a soldier, the focus of the discipline is on equipping the person with the situational awareness needed to limit the mistakes that are certain to occur.  

As cybercriminals continue to become more sophisticated and the threat perimeter expands, situational awareness has become even more critical to a cyber defense equipped to make rapid decisions in a growing environment of chaos and uncertainty!

Improving situational awareness requires commitment to the effort and that effort can sometimes appear daunting. However, what is more daunting is the effort, expense and reputational damage associated with the public disclosure of a breach caused by the failure to detect anomalous behavior that might have been detected early by improved situational awareness.


[i] In The Art of War by Sun Tzu, one of the five elements of the framework is “Conditions”: things that will always

exist in the operational environment but cannot be controlled by either force. Such is the case of the four Human and Environmental factors. However, as with any “Condition,” the relationship to that which cannot be controlled can be adjusted such that favorable opportunities become available.

[ii] General George S. Patton

Read more: