COI Report – Part IV Page 143 of 425

incident is only recognised and treated as such after the damage has been done. These are clearly misguided, and are in fact the direct inverse of their proper order.

432. At this point, one might think of looking to relevant policies and frameworks in place, such as the IR-SOP and SIRF, to identify ambiguities or deficiencies therein in order to better explain Ernest’s misconceptions. While there are certainly aspects of these documents that can and should be improved, and the Committee will make its recommendations on these in Part VII below, one must not lose sight of the fact that the treatment of cybersecurity issues and incidents by staff and middle management is very much shaped by organisational culture.[29] A sense of this can be gleaned from the evidence of Hann Kwang, Ernest’s reporting officer (emphasis added):

    In my view, when a security incident is reported, this is not a trivial matter, and it activates a whole team, including the Cluster ISO, GCIO and senior management. Everyone will have to attend to the security incident. If a security incident is declared when it turns out there is no security incident, this may look bad on the person who made the declaration.

433. The Committee observes the alignment between this comment from Hann Kwang, and Ernest’s emphasis on confirming security incidents and prioritising complaints over all other matters. The evidence suggests that the reluctance to escalate the matter may have come from a belief that it would not reflect well in the eyes of the organisation if the matter turned out to be a false alarm. The Committee also notes parenthetically that there is a logical difficulty with looking to the text of the IR-SOP and SIRF to account for Ernest’s misconceptions, since his own evidence is that he was “not very familiar with the contents” of the SIRF, and that he was familiar with the IR-SOP “but not in great detail”.