Risk, Security, Safety and Resilience Newsletter - Week of 31 October 2024
Ridley Tony
Experienced Leader in Risk, Security, Resilience, Safety, and Management Sciences | PhD Candidate, Researcher and Scholar
The following is a summary of articles on security, risk, safety, and resilience, as well as topics and issues, ending on 31 October 2024.
Key themes for this month include:
-------------------------------------------
Complex Systems: Success & Failure
Read More -->>https://buff.ly/3AWXNAR
#RiskManagement #Resilience "Failure free operations are the result of activities of people who work to keep the system within the boundaries of tolerable performance....system operations are never trouble free, human practitioner adaptations to changing conditions actually create #safety ( and #security ) from moment to moment"
"Safety cannot be purchased or manufactured; it is not a feature that is separate from the other components of the system. This means that safety cannot be manipulated like a feedstock or raw material. The state of safety in any system is always dynamic; continuous systemic change insures that hazard and its management are constantly changing."
Read More -->> https://buff.ly/3AWXNAR
Systems, Systems Thinking & Complex Systems
Read More -->> https://buff.ly/48Qh4R7
"...the lens of ‘systemic risk’, there is a need for data and research evidence that is sufficiently representative of the multiple interdependencies of global threats. "
"...neither data nor research evidence generated at global and national levels are sufficiently able to account for the complexity required in an era of #polycrisis ." (p.1)
"..the polycrisis demands greater use of complexity science and systems thinking. Interdependency of the global threats must be viewed through the lens of systemic risk: risk embedded in wider contexts of systems’ processes, global in nature, highly interconnected with complex, non- linear, causal structures." (p.2)
Read More -->> https://buff.ly/48Qh4R7
Technology Risk Management
Read More -->> https://buff.ly/3O9PncB
"Senior Management: ...approving and implementing technology risk management procedures which are robust and sound, and commensurate with the risk exposure of the capital market entity so that it may assist the capital market entity in achieving security, reliability and resilience of its IT operating environment..."
Read More -->> https://buff.ly/3O9PncB
Risk Analysis: Fundamental Principles
Read More -->>https://buff.ly/4eAW0iX
#RiskManagement "To solve #risk problems, the risk analysis approaches and methods are combined with knowledge from statistics, psychology, social sciences, engineering, medicine and many other disciplines and fields. The problems require multidisciplinary and interdisciplinary activities.
Read More -->>https://buff.ly/4eAW0iX
Technology Debt: Layered Vulnerabilities
Read More -->> https://buff.ly/4fT2omn
"Each layer and channel requires specialist skills, experience, empowerment, resourcing and above all else, a coordinated, structured approach. Because weak or vulnerable representation results in exploitable vulnerabilities that attract threats and create risk(s) that cause physical, digital and mental harm(s).
Read More -->> https://buff.ly/4fT2omn
Cybersecurity: Tendering Guidance
Read More -->> https://buff.ly/4ey1F9s
#Cybersecurity #RiskManagement "The #security requirements provided during procurement should be used to rank the vendor’s solution and be part of the tender evaluation process. This ensures that vendors compete not only on the SuC’s functionality requirements but also on the security aspects. By clearly specifying security design requirements, the procurement avoids un- fairly treating a vendor who priced the adequate cyber-protection solution. Ensuring a level playing field is in the interest of the PTO, who will avoid costly design modifications that always involve litigation measures. The concept of trusted vendors can also be used to build security into the procurement process by creating a list of trusted suppliers that, for example, have:> gone through a cybersecurity certification process.> include test and development tools, facilities and processes.> follow a secure development life cycle.> ensure security integrity through delivery, installation and commissioning phases. Without being overly prescriptive, the contract should clearly state which cybersecurity requirements are mandatory and which are optional. This document will give the Procurement Managers guidance on what should be the minimum mandatory requirements."
Read More -->> https://buff.ly/4ey1F9s
Resilience: Critical Infrastructure
Read More -->>https://buff.ly/40QkWzJ
#Resilience "Today’s risk landscape is characterized by increasing complexity, interconnectedness, fast-paced changes and the importance of systemic risks, which, among others, affect critical infrastructures (CI). New instruments have to be developed and implemented to deal with the challenges and to benefit from the opportunities in this new environment. Resilience- driven strategies are suggested and developed as a potential way forward. Resilience is generally defined as a system’s ability to respond to unexpected events that can potentially lead to significant disruptions in functionality. The concept describes a state of dynamic stability of systems to deal with the sudden impact of adverse events, and to restore as quickly as possible ability to function and capacity to act. "
Read More -->>https://buff.ly/40QkWzJ
Travel Risk Management: Youth & School Trips
Read More -->> https://buff.ly/3US537W
#TravelRiskManagement "Trip risk management requires that organizations anticipate and assess the potential for hazardous events, develop risk treatments and communicate anticipated risk exposures to those involved in trips. Advising and providing trip participants and leadership teams with adequate medical, emergency response guidance, security and information security precautions, including challenges to travel logistics, can significantly mitigate the impact of disruptive events."
Read More -->> https://buff.ly/3US537W
Risk: Glossary of Terms
Read More -->> https://buff.ly/3UXRgg3
#RiskManagement "The target audience for the glossary is all individuals who have an interest in risk analysis, ranging from risk analysis professionals and practitioners, to researchers, to students, to decision makers, to bureaucrats, to regulators, and to curious lay people who would like to get simple and practical explanations of key concepts in the field of risk analysis."
Read More -->> https://buff.ly/3UXRgg3
Lessons Management: Best Practice Guidance
Read More -->> https://buff.ly/4hOHjvl
#RiskManagement #Security #Crisis "The aim of this guidance is to inform, encourage, and equip senior leaders, central government departments, agencies, arms-length bodies, and wider #resilience professionals in the effective management of lessons."
"Analysis helps to ensure the right lessons are identified, and that any onward actions to resolve issues are not misinformed or misguided. It encourages a transition from subjective, assumed and/or unvalidated learning, towards increasingly clear, comprehensive, credible lessons identified. "
Read More -->> https://buff.ly/4hOHjvl
Risk Analysis: Core Subjects
Read More -->>https://buff.ly/3OfPGm9
#RiskManagement "Risk analysis as a field is built on two main knowledge-generating pillars (analogous to statistics): A. Risk knowledge related to an activity in the real world(interpreted in a wide sense to include, for example, also natural phenomena), for example the use of a medical drug, the design of a bridge or the analysis of climate change.B. Knowledge on concepts, theories, frameworks, approaches, principles, methods and models to understand, assess, characterize, communicate, manage and govern risk."
Read More -->>https://buff.ly/3OfPGm9
Risk Perspectives: Classification
Read More -->> https://buff.ly/4eF4ANs
"#Risk and how it is perceived is unevenly distributed across communities, professions and disciplines. Moreover, risk is not only socially constructed but also socially influenced, including amplification.
As a result, a broad classification of what risk means to various stakeholders is required as a basic foundational understanding.
In other words, if you don't have a sense or view of how risk may vary across individuals and groups, you really don't have an adequate understanding of risk within organisations or society.
Read More -->> https://buff.ly/4eF4ANs
Assessing Security Maturity
Read More -->> https://buff.ly/3UXD6vv
#Security #RiskManagement "The following tables provide guidance for agencies to assess their own security capability and maturity against the core and supporting requirements of the SAPSF (Protective Security Framework). This guidance can be used to assist agencies in establishing their maturity targets for their security plan and for completing their annual security attestation"
Read More -->> mhttps://buff.ly/3UXD6vv
Exercising: Best Practice Guide
Read More -->> https://buff.ly/3YRtHXA
#CrisisManagement #Security #RiskManagement "The purpose of the Exercising Best Practice Guidance is to provide a practical guide for individuals and teams who plan, prepare and deliver exercises in a civil contingency #resilience setting. It is designed as a ‘hands on’ reference source for practitioners, and is not therefore intended to deliver an academic examination of the subject. "
Read More -->> https://buff.ly/3YRtHXA
Physical Security
Read More -->> https://buff.ly/3ObRCfm
"Implement physical security measures that minimise the risk of harm or compromise to people, information and physical assets " "'Agencies have a responsibility to ensure their people, information, and assets (resources) are protected from harm, including compromise. This policy ensures agencies take the necessary steps to minimise physical security risks to an agency’s resources, while also ensuring agencies incorporate protective security requirements into the planning, selection, design, and modification of their facilities."
"Physical assets are tangible items that are valuable to the agency and require protection to ensure their operability and accessibility, while preventing unauthorised access, use or removal. "
Read More -->> https://buff.ly/3ObRCfm
Enterprise Information Security
Read More -->> https://buff.ly/4fxUdMI
"Information security and cybersecurity are often used interchangeably, but they do have some distinct differences. Information security is the practice of protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. It involves protecting the confidentiality, integrity, and availability of data and systems, and it is concerned with protecting against a wide range of threats such as natural disasters, human error, and intentional attacks .
Cybersecurity, on the other hand, specifically focuses on protecting against digital threats such as malware, ransomware, phishing attacks, and hacking. It involves the use of technologies, processes, and policies to secure networks, devices, and data from these threats. While cybersecurity is a subset of information security, it tends to be more focused on the digital aspects of information protection.
In summary, information security is a broad term that covers the protection of all types of information and systems, while cybersecurity specifically focuses on the protection of computer systems and networks from digital threats. "
Read More -->> https://buff.ly/4fxUdMI
Risk, Uncertainty & Ambiguity: Formal Definitions
Read More --> https://buff.ly/3CtPoFJ
#RiskManagement "...techniques based on probability theory are quite simply inapplicable to many of the most important decisions over the regulation of technological #risk . In these contexts at least (in the words of the celebrated probability theorist, de Finetti), “probability does not exist”. (p.54)
"...a ‘Bayesian’ extension of the probabilistic paradigm exchanges the positivistic hubris and restrictive applicability of the frequentist approach for enormous sensitivity to contingent and subjective framing assumptions. Under a Bayesian approach to risk assessment, narrowly divergent (but equally reasonable) inputs may yield radically different results. " (p.55)
Read More --> https://buff.ly/3CtPoFJ
Safety Crimes: Corporate/Workplace Manslaughter
Read More -->>https://buff.ly/3YSENLR
#Safety #Security #RiskManagement "... rigorously enforced law of corporate manslaughter may give rise to a risk-averse corporate culture. Rather than experimenting, companies may decide to choose ‘safe’ options. If so, <location> businesses may and themselves falling behind more entrepreneurial competitors operating in less prescriptive states, to their disadvantage and that of the reputation of <local> industry generally."Gobert, J. (2008) ‘The Corporate Manslaughter and Corporate Homicide Act 2007 – Thirteen years in the making but was it worth the wait?’ Modern Law Review 71(3) pp. 413-433
Read More-->>https://buff.ly/3YSENLR
Complex Systems
Read More -->> https://buff.ly/3CHXbzx
#Resilience hashtag#RiskManagement "Organizational focus on human error. The reactions to failure are: blame & train, sanctions, new , and regulations rules technology. These interventions increase complexity and introduce new forms of failure."
"Accident / incident investigation normally stops with human error by practitioners as the ‘cause’ of the event. "
"Practitioners work at the sharp end of the blunt end system. The of the system generates resources, constraints and conflicts that shape the world of technical work and produce latent failures. "
Read More -->> https://buff.ly/3CHXbzx
Cyber Assessment Framework
Read More -->>https://buff.ly/3Z848D0
"The Cyber Assessment Framework (CAF) provides a systematic and comprehensive approach to assessing the extent to which cyber risks to essential function(s) are being managed by the organisation responsible. CAF-based assessments can be carried out either by the responsible organisation itself (self-assessment) or by an independent external entity, possibly a regulator / cyber oversight body or a suitably qualified organisation acting on behalf of a regulator, such as an NCSC assured commercial service provider. "
Read More-->https://buff.ly/3Z848D0
Security Industry & Education Distribution
Read More -->>https://buff.ly/3ALPLe3
"#Security (and #Risk Management) have a problem. Not just the growing complexity, capability and persistency of threats, hazards, dangers, perils and bad actors (criminals, internal threats, opportunists, issue motivated groups, adversaries, etc) but that of consistency of qualification(s) and majority representation (power distribution curve/fat tail/kurtosis) across disciplines, industry and skill sets.
That is, both security and risk lack a universal, consistent definition.
Read More -->>https://buff.ly/3ALPLe3
-------------------------------------------
Certified
5 天前Good script, Thank you Tony
??LinkedIn Top Voice QHSE Consultant & Trainer @ Kuwait Oil Tanker Company | CSP, CRSP, NEBOSH, CSM, STS
5 天前Very helpful