What security practitioners can learn from the United’s failures

united airplane runway
REUTERS/Louis Nastro

The United Airlines incident is now internationally known to the point of actually becoming an international incident, where Asian fliers believe United’s treatment of Dr. Dhao is how they treat all Asians. It is clearly a massive failure of many processes, and when I began to look into the incident, most of the issues that caused the incident to escalate beyond imagine.

Given my belief that organizations should learn from failure, and ideally the failure of others, this is a great opportunity to see if your security program suffers from the same underlying issues as United. It is important to stress that despite United being an airline, and the incident seemingly a customer relations related incident, it was very much a security incident that all professionals should examine.

Relying on outside security teams

While I do not defend United’s business processes that instigated the incident, the most incendiary aspect of the incident, the injuries to Dr. Dhao and him being dragged unconscious off the plane, was the result of actions by police. It was the police who caused Dhao to hit his head, and the same officer dragged his limp body down the aisle.

All of the internet memes and criticism levied on United were primarily the result of the actions of the police, and not United employees. I am usually remiss in criticizing police officers in stressful situations, but from observation, it would appear that the officer could have hurt bystanders in how he wrestled with Dhao. While I can hypothesize about alternatives, the actions were wrong and possibly the result of poor training.

Even more a sign of poor training on the part of the officer was that he dragged Dhao after he was rendered unconscious. As a person who is certified Emergency First Responder, if someone hits their head and is rendered unconscious, you assume a neck injury. Unless there was a life-threatening situation, you stabilize the neck and call for a trained medical professional. The officer’s action could have caused serious injury to Dhao. Despite United having no control over the actions of the police, they are being held responsible for their actions.

Apathetic employees

I’ve personally flown more than 2 million miles across many airlines, and I can say that the worst incidents I’ve experienced on an airplane were almost always when I flew United and Continental. It was generally the result of actions of the flight crew. On one flight for example, when the crew did the obligatory, “It was our pleasure serving you,” a passenger yelled out, “You could have fooled us.”

Apathetic employees become rude and create a hostile environment that can quickly escalate incidents that wouldn’t otherwise escalate. Instead of treating customers who are being erred with compassion, those customers are being unnecessarily antagonized, creating incidents that would never otherwise occur.

Processes that create incidents

The incident in question was initiated by poor business processes. Overbooking, overselling, or whatever excuse United wants to attribute to the incident is a well established aspect of the airline industry that all airlines have to deal with. United’s process for dealing with the issue creates four times the rate of involuntary bumping of passengers than Delta does for example. This is just one of many processes that causes loss for United.

Business processes can either create or decrease loss. When you have consistently inefficient business processes you can expect an increased amount of security incidents and general loss.

Possibly the most consistent criticism of United is its treatment of passengers in a way that makes them feel inferior. In this incident, Dhao was made to feel inferior. There was one report where several United passengers on a flight were moved around like pawns, made to feel inferior, and the plane returned to the gate. So Oscar Muniz, United’s CEO, could take a flight with his family. In another case, a passenger was threatened with jail for not giving up his assigned seat to another customer with higher frequent flier status.

I have to assume that United treats its employees similarly. Whether it is customers or employees who are made to feel inferior, any experienced security professional will tell you that the insider threat increases significantly. Even if the insiders do not do something adverse, they are less likely to attempt to protect assets or report incidents that could result in losses to the organization.

Systematic failures

While it is not politically correct to say this, Dhao instigated the incident. Whether it is morally right or wrong, if a police officer tells you to do something, I recommend that you do it and fight the battle later. However, United has clearly created an environment from the CEO down, that created a proverbial powder keg.

There are systematic failures where processes are inefficient and instigate security-related incidents. Management facilitates a poor employee attitude, which in turn facilitates a poor attitude among customers. While Dhao should have behaved differently, an incident was inevitable.

As a security professional, you need to ask yourself if similar problems are festering in your organization. It might be a difficult question to ask, and you might actually be powerless to impact the underlying issues, but you do need to be aware of the root causes of what will be inevitable incidents that arise from that environment.


Copyright © 2017 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)