232 Handbook of SCADA/Control Systems Security
that leads to improvement in the organization’s overall performance, posi-
tive reinforcement (recognition and awards) may be considered and lessons
learned applied more broadly in the organization.
• Where the line unit meets its requirements but does not exceed them or
apply any innovative practices, then that compliance should be applauded
as a matter of fact but not necessarily rewarded.
• Where the line unit fails to meet its requirements, but does so because of the
impact on other critical processes or systems and can express this clearly in
risk management terms (this is accountability in play), then the functional
authority and line management should determine how to change the require