Risk Analysis: A Framework for Socio-Technical Risk Consideration within Enterprise Security Risk Management (System Resilience)
Ridley Tony
Experienced Leader in Risk, Security, Resilience, Safety, and Management Sciences | PhD Candidate, Researcher and Scholar
Risk analysis is a judgement-laden exercise. Concepts of, fears about and aversion to 'risk' are, in addition, socially, organisationally and communally constructed and prioritised.
That is, try as we may, there are always varying degrees of human bias, subjective representation and curated elements distributed inconsistently and invisibly across the risk consideration, risk evaluation and risk analysis process.
This further distorts safety, security and resilience considerations.
As a result, most risk assessments are not transferable from one environment, user, context, audience or organisation to another, especially where the group, organisational considerations and societal influences behind them are neither provided nor declared.
In other words, a risk assessment is a moment in time, specific to the group or individual conducting the analysis, situated within a complex socio-technical organisational construct.
In order to compare findings or results, the organisational context and framing must also be evaluated, declared and unpacked.
This holds despite the seeming eagerness and willingness of individuals, groups and organisations to pounce upon any and all freshly minted 'risk assessments' and re-purpose the findings and opinions as if they were specific to their own environment, industry, operational context or business setting.
Not surprisingly, this socio-technical setting, analysis and framing is the most commonly omitted or ill-considered aspect of the majority of risk assessments and their supporting analyses.
This is especially so where spatiotemporal variance is present or inevitable. That is, time and location influence all risk settings, including the analysis itself, and even more so safety, security and resilience.
Therefore, a basic means of comparison is required, particularly where humans, technology and machines interact or interface.
"There is considerable evidence from organizational psychology and management science that organizational factors (e.g., safety culture and climate, leadership style, leader priorities, reward practices) are strongly related to safety, injuries, and accidents, however these organizational factors have not been fully incorporated into complex technological risk models."
(Pence et al., 2014)
This matters because, in order to manage risk, one must first understand and analyse it. Remember, however, that risk is specific to a defined threat, exposure, vulnerability and the current active or passive management factors. Put another way, risk values and perspectives come after the threat analysis and vulnerability assessment, not before.
"...the risk assessment is a tool to inform decision-makers about risk."
(Aven & Thekdi, 2022)
An organisation, or any reasonably sized enterprise, is a living beast.
That is, humans, behaviour, choices, decisions, trade-offs and day-to-day activity vary across the organisational setting and the enterprise as a whole.
There are habits, traits, states, cultures and sub-cultures distributed and represented throughout, each changing, adapting and interacting hour by hour across various mediums through both weak and strong ties. Consideration of risk, safety, security and resilience should therefore be predicated on, and informed by, the overall and 'child' structures within the organisation that construct, remediate, embrace, reject and attenuate threats, risk, safety, security and resilience, whether visible or otherwise.
"Socio-Technical Risk Analysis (SoTeRiA) has foundations in Social-Technical Systems (STS) theory and Probabilistic Risk Assessment (PRA), and further can be used with big data analytics. STS theory emerges from an 'eclectic empiricism' that addresses the interactions of people and technology in the workplace as well as the differences between complex living systems and complex mechanical systems with respect to their failure mechanisms."
(Pence et al., 2014)
"...[to] model systemic accidents, it is necessary to go beyond the causal chains – we must describe system performance as a whole, where the steps and stages on the way to an accident are seen as parts of a whole rather than as distinct events."
(Aven & Thekdi, 2022)
Whether using a simple 'step through' linear risk analysis model or a more complex ethnographic, Bayesian Network or similar approach, organisational context and setting remain essential, especially if the risk analysis findings are to be used over time, across an industry or as a collective summation for a related or shared community.
Moreover, consumers, users and management or board members should always seek out or confirm this organisational context in all risk analysis narratives, ratings and findings.
If it is absent, the provenance and efficacy of the findings should be questioned, and the chosen model justified, before any major decision or investment is pursued.
In sum, a risk analysis by itself is incomplete. The organisational setting and socio-technical landscape in which it was created, viewed and endorsed should also be considered and documented in full.
This is especially so if the 'risk analysis' process is to be used over extended timelines or relied upon by an enterprise or industry. If it is not, direct comparisons and relevance will be distorted in ways that are not clear to end users and decision makers at any level.
In short, risk analysis includes consideration of the organisation and the various socio-technical factors relevant to the enterprise and the overall 'risk' environment, because the organisation and the human interface with technology remain integral to understanding and evaluating that 'risk environment'.
This is particularly true from a safety and security perspective, as threats remain specific to organisational assets, functions and revenue-producing activity. All measures of resilience flow from these fundamentals, which cannot be forced.
That is, without active organisational or enterprise risk analysis and mitigation, resilience can be neither assured nor assumed.
Risk, Security, Safety, Resilience & Management Sciences
Reference:
Aven, T., & Thekdi, S. (2022). Risk Science: An Introduction. Routledge, pp. 101-102.
Pence, J., Mohaghegh, Z., Kee, E., Yilmaz, F., Grantom, R., & Johnson, D. (2014, June). Toward monitoring organizational safety indicators by integrating probabilistic risk assessment, socio-technical systems theory, and big data analytics. In 12th International Probabilistic Safety Assessment and Management Conference (PSAM).