HROs in Information Security
Since my first encounter with the HRO research literature as a student, I have been struck by how much this body of work has to offer information security.
I've observed many companies that behave, from a security perspective, less like organizations committed to surviving in the midst of complexity and existential danger, and more like ones that are complacent and even confident that they are unlikely to ever really get hurt. Even organizations that take security seriously are often plagued by the very deficiencies that HROs have evolved to avoid.
I have been using elements of HRO research in my security work for a long time. Adapting and applying the behavioral lessons of HROs to security programs is a more straightforward project than full-blown cultural transformation. But until recently, I have always used the lessons of HROs in a piecemeal fashion and not as a fully developed model in its own right, one that would be prescriptive and measurable in the context of a security program. My interest and research into people-centric security changed that. As I formulated a model of security culture that could lead to long-term change, I recognized the need for a complementary transformational model. Basing that model on HROs was the natural choice.