Resilience Debt: Strategic Risk Management Deficits and Compounding Threats

Errors and oversights of the past undermine contemporary resilience pursuits. This deficit in understanding and awareness has created systematic risks in systems, structures, and preparedness, resulting in resilience debt. A debt that incurs compounding interest, amplifying the vulnerabilities and potential for harm and cascading failures. This article explores the origins, current state, and corrective actions required to remediate resilience debt. This article elevates resilience debt as a factor of primary concern for governments, corporates and industries. It offers a starting point for risk, security, safety and resilience practitioners to evaluate, explore and discuss within their organisations for system, service and community resilience.

Introduction

Technical debt remains at the forefront of concerns for executive boards, risk managers, security professionals, and business resilience teams. The accumulated vulnerabilities and gaps in digital systems and supporting infrastructure have manufactured a legacy threat and compounding risk for organisations and industries. These technical threats remain concealed or embedded deep within operational systems or activity. As a by-product, the current technical debt attracts compounding interest, introducing new systemic risks. In other words, unresolved and undetected technical vulnerabilities create even more significant risk(s) over time, compounding potential harm, loss, disruption or damage. Therefore, a resulting 'resilience debt' remains present within systems, organisations, industries and communities, which remains a far less discussed or widely realised threat. This article explores the origins, current state, and future danger of resilience debt, including what may happen if left inadequately addressed.

---------------------------------------------------------------------------------------------------------------

"Systemic?risk?is hard to measure and difficult to prevent without solving information asymmetry. As players continue the digital transformations, there is an impetus to introduce novel, forward-looking methodologies for monitoring and anticipating risk that can be supported by enhance data and analytical capabilities. Keeping regulatory functions in formed in real time will also kickstart resiliency plans and recourse measurement to prevent the scaled impact of a potential?crisis"?

World Economic Forum (2021) Beneath the Surface: Technology-driven Systemic Risks and the Continued Need for Innovation, WEF, p. 16??

---------------------------------------------------------------------------------------------------------------

Resilience Debt - Origins

Within the context of this discussion, active and passive measures define resilience. First, active resilience is a proactive measure specific to deeply considered threats and vulnerabilities. Second, in contrast, passive resilience is preparation to endure and survive foreseeable threats, harm, hazards, bad actors, and uncertainty. Third, as a result, being resilient means you can adapt to new opportunities and threats. Not rigid, reactionary, or devoid of understanding of the dangers or risks. In short, being ready, resourceful, responsive and bouncing forward, rather than back, along with detailed consideration of the threats, hazards and potential harm. The lack of cumulative resilience across these three elements has precipitated incomplete or inadequate resilience, hence the accumulation of a deficit or debt. The following are a few specific examples.?

---------------------------------------------------------------------------------------------------------------

"vulnerable are being ‘politically exposed to disaster in order to become resilient’…”

Duffield, M. (2016) ‘How did we become unprepared? Emergency and resilience in an uncertain world', British Academy Review, 21: 55–58.

---------------------------------------------------------------------------------------------------------------

“Rather than enabling the development of peoples and individuals so that they can aspire to secure themselves from whatever they find threatening and dangerous in worldly living, the liberal discourse of resilience functions to convince peoples and individuals that the dream of lasting security is impossible.?”?

Evans, B. and Reid, J. (2014) Resilient Life: The Art of Living Dangerously. Chichester: John Wiley and Sons.

---------------------------------------------------------------------------------------------------------------

Globalisation promises cheaper, faster, and more efficient supply lines and services. Essential commodities, such as medicine, are no longer produced locally but in large, consolidated international production and distribution hubs. There isn't a unified, effective or consistent means of standardisation, disclosure or control other than through commercial means, notwithstanding the growing complexity and technical nature of services, systems and underlying technology. Complex technology, distributed raw materials networks and mesh-style provider relationships drive and shape supply as a service, with each entity and jurisdiction handling their own risk, security and resilience. As a result, the greater the impact when one factor fails, breaks, or is unreliable. This risk includes complex connectors, such as APIs, shared source coding, and other bridging technologies. These must be resilient and secure by design for current and future threats. However, many services, systems, and connectors were not designed with a specific or detailed threat(s) in mind. Or carefully consideration of the tactics and vulnerabilities that bad actors and opportunists may utilise. These converged at the beginning of the pandemic and have only escalated since. With means and access, these networks, systems and processes became a thieves' paradise. Both victim(s) and perpetrator(s) worked remotely and/or with more significant time on their hands during varied global public healthcare restrictions. Subsequently, what was once considered resilience or high reliability had been proven fragile and considerably riskier than understood.?

---------------------------------------------------------------------------------------------------------------

"The barriers put in place to reduce the spread of COVID-19 effectively represent an experiment in deglobalization, and may mark a turning point in this direction for the longer term, if companies decide to reduce their dependence on fragmented international supply chains and seek to produce goods closer to home.?"?

Wakefield, A. (2021).?Security and Crime: Converging Perspectives on a Complex World. SAGE.

---------------------------------------------------------------------------------------------------------------

Many bad actors are often' smarter', faster, syndicated and global, better resourced, informed, adaptive, and less constrained by rules, laws and compliance. In other words, human threats are increasingly outperforming human protectors and their solutions. This asymmetry is most prominent in those that don't maintain observations or understanding of bad actors. More so among those that are too slow to respond, prepare or protect—further compounded by information asymmetry and security decay. Threats, risks and vulnerabilities have been changing at differing rates and speeds. Many protectors, defenders and organisations fail to keep pace with tactics, design, responses or knowledge to remain secure, resilient or less at risk. In short, two decades of sub-optimal decisions, focus and preparation during seemingly limited disruption or overt threats have had unintended consequences. Primarily, resilience debt is typically accompanied by compounding interest and dependent complexities. But what does this look like in practice?

---------------------------------------------------------------------------------------------------------------

“Today's governments remain overly focused on old problems and are inadequately structured for the complex risks of today, which are varied, global, complex and catastrophic* as exemplified by the COVID-19 pandemic~.”?

*Centre for the Study of Existential Risk (2019) Managing Global Catastrophic Risks: Part 1: Understand. Cambridge: CSER.?

~Wakefield, A. (2021).?Security and Crime: Converging Perspectives on a Complex World. SAGE.

---------------------------------------------------------------------------------------------------------------

Digital personas, automation, system linkage, growing information creation and data storage have grown exponentially in recent times. As a result, much disparate technology, moving parts, relationships, trials, and human actors have been introduced to systems, industries and organisations. Commensurate investment in protection, personnel, processes or standards has been lacking. They are undermining community and commercial resilience objectives. Furthermore, most senior executives have been less technologically savvy, digital investment prioritised, or technical risks represented. Thus, sowing the seeds for future disruption, vulnerability, exploitation and failure. Hastening the catch-up culture of late and revealing the accurate scale of resilience debt.?

---------------------------------------------------------------------------------------------------------------

"The concept of security goes beyond military considerations; it embraces all aspects of the society including economic, political and social dimensions of individual, family, and community, local and national life. The security of a nation must be construed in terms of the security of the individual citizen to live in peace with access?to basic necessities of life while fully participating in the affairs of his/her society in freedom and enjoying all fundamental human rights.?"?

Africa Leadership Forum (1991) The Kampala Document: Towards a Conference on Security, Stability, Development and Cooperation in Africa. Kampala: Africa Leadership Forum.

---------------------------------------------------------------------------------------------------------------

Resilience Debt - Current State

The reality of exposure to known and adaptive, changing threats has supplanted the veneer of protection. This includes technology, supply lines, regulation, infrastructure, human resilience and community preparedness factors. When exposed to emergent threats, duress or cascading failures, many seemingly robust or resilient organisations, industries, and systems have been found to be brittle, fragile or in advanced states of decay. While some remain 'cautiously optimistic', reluctant to acknowledge prevailing and realised resilience deficits, the gap between what is needed and current conditions of vulnerability remains considerable with industries, services and systems failing businesses and communities with alarming frequency. Hence, resilience debt remains a bonafide catastrophe, maturing at different rates and scales within locations and systems. They are often concealed behind unsubstantiated claims, assurance, controls and quasi-scientific methods and reporting. In short, vulnerable inner workings are concealed in seemingly hardened exteriors.?

---------------------------------------------------------------------------------------------------------------

"Levee Syndrome: A condition in which the presence of safety (security) measures decrease risk awareness and leads to a lack of preparation and a liberal attitude towards the hazard (threat)."

Paton, D. and Johnston, D. (2006) Disaster Resilience: An Integrated Approach, Charles C Thomas Publishing, p. 111??

---------------------------------------------------------------------------------------------------------------

In the same way that organic or engineering structures decay or decline from within, so too have many digital systems, organisations, services and industries. The appearance of performance and scalable efficiency has obfuscated complex, distributed and often networked weaknesses and vulnerabilities. Routinely papered over or inadequately, incorrectly described as safety, security, resilient or robust. Even worse are assurances made in the absence or understanding of specific threats, hazards, perils and dangers. This reality is most prominent or likely where there is a lack of objective analysis, inspections or resources specifically trained and capable of scrutinising or certifying an array of complex business systems, decisions, behaviours and infrastructure. These skills and experience remain highly specialised and remain scarce. However, this skill, expertise and qualifications should not be confused with or verified by audit functions or practices. However, there remains an abundance of reports, statements, declarations and assurances that systems, communities and organisations are resilient. Most have been found wanting, invalid or unsubstantiated. As a result, many business processes and organisations are currently based on rotting structures and internally decaying physical and digital strategies. But what does this look like in practice??

---------------------------------------------------------------------------------------------------------------

Type I??– errors occur when we believe that there is a genuine effect in our population, when in fact there isn’t *. (rejection of a true hypothesis – Producer's risk/sins of omission)^

Type II – errors occur when we believe that there is no effect in the population when, in reality, there is*. (acceptance of a false hypothesis – Consumer risk/sins of commission)^

Type III – errors that arise from faulty specification of the problem, leading to real solutions to what turn out to be the wrong solutions to real problems^

*Field, A. (2018) Discovering Statistics Using IBM SPSS Statistics, 5th ed, Sage, p. 82

^ Royal Society (1992) Risk: Analysis, Perception and Management, Report of the Royal Society, London, pp.139-140

---------------------------------------------------------------------------------------------------------------

Ever-growing business operations, connections and technology have necessitated enabling technology. The speed of innovation and specialisation has resulted in many organisations employing and maintaining a unique, disparate suite of software and hardware. A secondary market was needed, connecting systems, data and people. As a result, APIs, custom code, specialised scripts, workarounds and mediation solutions have exploded, and quick, cheap and easily obtainable industrial and operational control units. Most of which are connected to networks and the internet, built or installed for expediency, not security or resilience into perpetuity. This invisible network of connections now runs critical infrastructure, financial systems, government services and everyday life. All require reinforcement, maintenance, critical review or outright replacement. Many of these are rotting from within or likely to fracture if stressed further, inclusive of Human systems, supply and redundancies. Many of these connectors, bridges and temporary solutions present a cornucopia of opportunity and exploitation to digital foragers, bad actors and criminal groups. While many of these factors may also be considered technical debt, they collectively present profound resilience debt issues. Especially when it comes to vulnerability detection and zero-day threats, once celebrated with solutions distributed at speed across users, providers and industries.

---------------------------------------------------------------------------------------------------------------

“…service is difficult to frame with any confidence for floods or similar hazards that occur on average once in 100 years or more, and institutional memory tends to be destroyed by frequent reorganisation, any reassurance that such standards or service give must be largely illusionary and may even worsen the capacity to cope satisfactorily when unexpectedly severe hazards do strike (as resilienists would argue)^”

^ Royal Society (1992) Risk: Analysis, Perception and Management, Report of the Royal Society, London, pp.170

---------------------------------------------------------------------------------------------------------------

In contrast, there is now a deep web and black market economy trading in these known, guaranteed and sometimes immense 'open doors' which permit all manner of access by state and non-state actors. This resilience debt remains an invisible network of minor to gargantuan-sized ticking time bombs. However, the underlying vulnerability is one of knowledge and awareness.?

---------------------------------------------------------------------------------------------------------------

“There are, of course, global risks that require global solutions, but for the most part we would do better to avoid impressionistic analysis that talks of ‘society as a whole’ or ‘world risk society’ and aim for greater specificity”

Garland, D. (2003) ‘The Rise of Risk’, in Ericson, R. and Doyle, A. (eds) Risk and Morality, University of Toronto Press, p.77

---------------------------------------------------------------------------------------------------------------

When was the last time you received or read the technical and operations manual for a piece of software, technology, system, or incremental upgrade? When was the last time you mapped all these gradual changes and updates to your network and related systems, code, APIs, privacy, security or data? Patches, updates, fixes, upgrades and new features continue to invisibly rain down on individuals and organisations faster and faster with each passing week. Most people are unaware of the individual changes, let alone the mounting complexity and systemic risk these variable changes make to a network, system, or operating practice. Both knowledge and awareness compound overall resilience debt. This includes departments and individuals representing or being charged with managing risk, security, resilience and continuity. Especially for those who land the role without education or qualifications, not specific to risk, security, resilience or continuity. Short-course, second-career and management generalists. This gap has fostered even more resilience debt within government, corporates and communities. Collectively, these issues cast a profound shadow of resilience debt for tomorrow and into the future.??

---------------------------------------------------------------------------------------------------------------

“Misperceptions differ from ignorance insofar as people often hold them with a high degree of certainty…and consider themselves to be well informed. In practice, rather than a neat delineation, there is a spectrum of false belief from ignorance to delusion”

Duffy, B. (2019) The perils of perception: why we’re wrong about nearly everything, Atlantic Books, p. 9

---------------------------------------------------------------------------------------------------------------

Resilience Debt - Tomorrow's Mounting Threat(s)

The future has always been uncertain and filled with alternate, negative outcomes. Those most adaptive to change, agile and aware of threat(s) have prevailed in nature and business. However, due to the concealed, growing levels of resilience debt, individuals, organisations, and industries have little grounds to be 'cautiously optimistic, or even assured of the accuracy of forecasting that fails to consider the implications of resilience debt in depth. The failure to identify and analyse resilience and debt is a failure in the management of threats, harm, vulnerability and, ultimately, risk. Therefore, when many of these threats materialise, communities, organisations, and individuals will be reduced to a more primal need, that of survival. Because the first demands of resilience, active and passive, have passed. Fortune favours the prepared.?

---------------------------------------------------------------------------------------------------------------

“Quantitative risk assessments do not offer a unique rationality that pinpoints a single right course of action, but rather probabilities that require moral assessment for action”

Ericson, R. and Doyle, A. (2003) Risk and Morality, University of Toronto Press, p.7

---------------------------------------------------------------------------------------------------------------

Those already aware of this deficit and are addressing resilience debt are well along the path of exerting influence in their future. However, the degree and granularity in which everyone else addresses resilience debt are as yet unknown, measured, or foreseeable—ensuring greater risk for all. And legacy cost efficiency thinking of the past, sunk cost fallacies, loss aversion, greater competition and the cost of remediation will impede the resolution of the growing deficit and the accompanying compounding interest. In other words, factors that created the debt continue to influence and inhibit repair and recovery, even for those that can afford such an overhead at this time. The result will probably be that of total or partial organisational, industry and even governmental collapse. They will likely precipitate cascading and overwhelming cumulative risk for specific geographies, services and structures. Confronting, at the very least, but a necessary call to action to address current and future threats.?

---------------------------------------------------------------------------------------------------------------

“The typical manager, short of time, is all too willing in many cases to accept the advice of experts or adopt “industry standards” with limited questioning.”

Elliot, E., Swartz, E. and Herbane, B. (2010) Business Continuity: A crisis management approach, 2nd ed, Routledge, p.183

---------------------------------------------------------------------------------------------------------------

Resilience Debt - Strategy, Tactics, and Recommended Course of Action

As is the case with receiving all types of confronting news or information about bad health, poor condition or life-threatening choices, now is the time to take stock. But don't be rash. From a strategic perspective, a better understanding of the problem is the first step. Context, threat, vulnerability and tactical choices will flow from here. More importantly, cessation of all current beliefs, practices or behaviours contributes to or creates further resilience debt. Awareness drives both change and transformation. Active resilience is the first step.?

---------------------------------------------------------------------------------------------------------------

“Organizations that adopt risk management system as a rational ritual that provides the company with a false feeling of safety and thereby raises their overall risk level*”

Lalond, C. and Boiral, O. (2012) Managing risk through ISO 31000: A critical analysis, Risk Management, 14(4), pp. 272-300

---------------------------------------------------------------------------------------------------------------

Don't create another list or register. Analyse the issue and inform plausible choices. Then make a plan, adjusting and modifying it as more information, results or discoveries are made. Be practical, succinct and ruthless. Your business, livelihood and economic prosperity likely depend upon it. Above all else, don't chase magic formulas, more 'heroic' software or other panaceas that claim to save the day. In part, this is what created resilience debt in the first instance. In other words, plan, do, check act (PDCA) relevant to your needs, vulnerability and objectives. Sounds simple, but the task will be frustrated by bias, resistance, discovery, misinformation, complexity and prioritisation. Again, the same factors manufactured resilience debt. Commitment to change alone won't break old habits and thinking. A 'do over' is likely required. Passive resilience is built on informed choice and risk-informed decision-making. These factors remain extant in reducing resilience debt and mitigating the compounding interest or risk escalation.?

---------------------------------------------------------------------------------------------------------------

“The root of the last financial crisis: the sophistication of mathematical risk models obscured the question of how, exactly, risks were being measured, and whether those measurements were something you’d really want to bet your global banking system on. “

Harford, T. (2020). How to make the world add up: Ten rules for thing differently about numbers. The Bridge Street Press. p.69

---------------------------------------------------------------------------------------------------------------

Summary

Resilience is comprised of at least three essential factors. First, active resilience, which encompasses detailed consideration of threats and hazards, informs proactive measures for protection, response and reconstitution. Second, passive resilience, which prepares and reinforces critical functions, systems, connections, and relationships derived from risk-informed analysis and awareness. Third, agile and adaptive response focused on bouncing forward, not back. Collectively, these three elements create cumulative resilience, reducing cumulative and systemic risk. However, complex, fast-moving, invisible and networked technologies, including technical debt, have concealed much of what we could classify as resilience debt. Constant duress, persistent active threats and single points of failure may fracture weak points and precipitate cascading risks. A call to action is needed, and this article stimulates the conversation and needs to remediate past and present vulnerabilities.?

---------------------------------------------------------------------------------------------------------------

“Probability is only one among several fundamental types of incompleteness, including also ambiguity and vagueness (or fuzziness).“

Royal Society (1992). Risk: Analysis, Perception and Management, Report of the Royal Society, London, pp.97?

---------------------------------------------------------------------------------------------------------------

Conclusion

Deeper, technical, collective analysis is required. Identification and remediation of resilience debt require informed input from multiple disparate experts at various levels of government and industry. The solution is transparency, collaboration and communication. While resilience debt has become an inherent threat, sustainable mitigation will require better risk analysis, reporting and management across digital and socio-technical environments. New, secure-by-design, and zero-trust procedures and practices will need to be endorsed where legacy systems can't be secured or assured. Enterprise security risk management will guide and inform this process, which requires greater inclusion at the board, executive and strategic levels to prevent the repeat of past shortfalls and siloed culture and behaviour. This includes converged security practices across cyber and physical realms, all the while informed by risk, safety and resilience sciences. Again, survival will favour the informed, prepared, most adaptive, and agile to change. Communities, lives and livelihoods will depend on paying down resilience debt and eliminating further compounding interest or debts faster than threats, hazards and critical disruptions manifest.

---------------------------------------------------------------------------------------------------------------

“The most risky aspects of an organisation may lie not in physical hazards but in the self-reinforcing behaviour associated with power relations and culture in the organisation“

Waring, A. & Glendon, I. (1998) Managing Risk: Critical Issues for survival and success into the 21st Century. South-Western Cengage Learning. p.24

---------------------------------------------------------------------------------------------------------------

Ridley Tony

Risk, Resilience, Safety, Security and Management Sciences

Bibliography?

Aradau, C. (2014). “The Promise of Security: Resilience, Surprise and Epistemic Politics.” Resilience, International Policies, Practices and Discourses 2 (2).pp. 73–87?

Aven, T. & Thekdil, S. (2022 ). Risk Science: An Introduction, Routledge?

Bergstrom, J. and Dekker, S. (2019). The 2010s and Onward: Resilience Engineering, in Dekker, S. (ed) Foundations of Safety Science; A century of understanding accidents and disasters. pp. 391-429?

Bjornsdottir, S., Jensson, P., de Boer, R. & Thorsteienson, S. (2022). The Importance of Risk Management: What is missing in the ISO Standards? , Risk Analysis, 42(4), 103095, DOI 10.1111/risa.13803???

Centre for the Study of Existential Risk (2019) Managing Global Catastrophic Risks: Part 1: Understand. Cambridge: CSER.???

CIO (2022) . IT Leaders take on pandemic tech debt. Available at: https://www.cio.com/article/350328/it-leaders-take-on-pandemic-tech-debt.html?

Critical Infrastructure Centre (2020) Protecting your critical infrastructure asset from foreign involvement risk, Critical Infrastructure Centre, Australian Government?

Duffield, M. (2016) ‘How did we become unprepared? Emergency and resilience in an uncertain world', British Academy Review, 21: 55–58.?

Duffy, B. (2019) The perils of perception: why we’re wrong about nearly everything, Atlantic Books?

Elliot, E., Swartz, E. and Herbane, B. (2010) Business Continuity: A crisis management approach, 2nd ed, Routledge?

Evans, B. and Reid, J. (2014) Resilient Life: The Art of Living Dangerously. Chichester: John Wiley and Sons.?

Fj?der, C. (2014). “The nation-state, national security and resilience in the age of globalization.” Resilience 2 (2).pp.114– 129.?

Florin, M. and Trump, B. (2018) Resilience in the Context of Systemic Risks: Perspectives from IRGC's Guidelines for the Governance of Systemic Risks. Domains of resilience for complex interconnected systems.,?

Garland, D. (2003) ‘The Rise of Risk’, in Ericson, R. and Doyle, A. (eds) Risk and Morality, University of Toronto Press?

Gigerenzer, G. (2002). Calculated Risks: How to know when numbers deceive you, Simon & Schuster,?

Hayden, E. (2020) Critical Infrastructure Risk Assessment: The definitive threat identification and threat reduction handbook, Rothstein Publishing?

Interagency Security Committee (2015) Best Practices for Planning and Managing Physical Security Resources: An Interagency Security Committee Guide, US Government?

Kekovic, Z. and Ninkovic, V. (2020). Towards a conceptualisation of resilience in security studies, Institute for Political Studies: Faculty of Security Studies, University of Belgrade.pp.153-173?

Keupp, M. (2020) The Security of Critical Infrastructures: Risk, Resilience and Defense, Springer?

Lalond, C. and Boiral, O. (2012) Managing risk through ISO 31000: A critical analysis, Risk Management, 14(4), pp. 272-300?

Leveson, N. (2020). Safety III: A systems approach to safety and resilience, MIT Engineering Systems Lab, Aeronautics and Astronautics Department, MIT.???

Manners-Bell, J. (2014) Supply Chain Risk: Understanding emerging threats to global supply chains. Kogan Page, page 12?

Martin, P. (2019) The Rules of Security: Staying Safe in a Risky World, Oxford University Press?

Paton, D. and Johnston, D. (2006) Disaster Resilience: An Integrated Approach, Charles C Thomas Publishing?

Petersen, A. and Wilkinson, I. (2008). Health, Risk and Vulnerability: An Introduction,? Routledge, pp. 1-15?

Power, M. (2003). Risk Management and the Responsible Organisation’, in Ericson, R. and Doyle, A. (eds) Risk and Morality, University of Toronto Press?

Powers, K. and Burns, J. (2020). ‘The FBI, Cybersecurity, and American Campuses: Academia, government, and industry as allies in cybersecurity effectiveness”, in Gearson, L. (ed) The Routledge International Handbook of Universities, Security and Intelligence Studies. Routledge, pp. 92- 107?

Ridley, G. (2017) ‘Resilience and National Security’, in Dover, R., Dylan, H. and Goodman, S. (eds) The Palgrave Handbook of Security, Risk and Intelligence, Palgrave Macmillan. pp. 79-98?

Savage, S. and Markowitz, H. (2009). The flaw of averages: Why we underestimate risk in the face of uncertainty. John Wiley & Sons.?

Site Toolset (2022) What is technology debt? Available at:

https://sitetoolset.com/blog/2020/04/28/what-is-technology-debt/??

Smith, C. and Brooks, D. (2013) Security Science: The Theory and Practice of Security, Elsevier?

Strategic Risk (2022). Supply Chains at “critical junction”, Q2 2022, July 2022, p.4?

StrategicRisk (2022) June Issue, AIRMIC 2022, www.strategic-risk-global.com, p.11?

Talbot, J. and Jakeman, M. (2008). Security Risk Management Body of Knowledge (srmbok), Risk Management Institution of Australasia Limited?

The Royal Society (1992) Risk Analysis, Perception & Management. Report of the Royal Society Study Group?

Wakefield, A. (2021). Security and Crime: Converging Perspectives on a Complex World. SAGE.?

Waring, A. & Glendon, I. (1998) Managing Risk: Critical Issues for survival and success into the 21st Century. South-Western Cengage Learning?

World Economic Forum (2021) Beneath the Surface: Technology-driven Systemic Risks and the Continued Need for Innovation, WEF