Risk Clusters: Major themes in risk analysis and management
Ridley Tony
Experienced Leader in Risk, Security, Resilience, Safety, and Management Sciences | PhD Candidate, Researcher and Scholar
Any sufficiently detailed consideration of threat/s or harm specific to an organisation or entity will typically result in a clustering of risk themes.
This taxonomy subsequently acts as a framework for analysis, identification of controls and modifiers, and scales of harm that inform the overall risk rating associated with both the threat and the asset at risk.
As a result, it can be helpful to start with a high-level understanding of key risk areas or compare iterative results with a final, considered framework.
A word of caution. The natural clustering of risk should not be confused with 'shopping' for risk items and agendas within each category. That is, creating a table of contents of key risks any one individual, department or organisation thinks they may be exposed to, then simply writing risk entries in each category to create the appearance that risk has been considered, measured and mitigated. This process, while common, is neither risk management nor the hallmark of professionals.
Adapted from:
Smith, C. and Brooks, D. (2012) Security Science: The theory and practice of security, Butterworth-Heinemann, p. 60
If done well (correctly), risk clusters only emerge after detailed consideration of threats, vulnerabilities, controls, protective measures, adaptive agents (friend and foe) and scales of harm.
Determinations around probability and likelihood (and extremely rudimentary risk calculus) are a distant second in the process, supported by research, analysis and evidence, not random values and numbers spontaneously generated in a workshop, phone call or risk register review.
The aforementioned guidance is for relatively simple risks. That is, those that don't involve humans, animals or nature.
Adversarial threat assessments are detailed considerations of the capabilities, intent, resources, expertise, network and objectives of adaptive human actors deliberately seeking to circumvent protective measures, security artefacts and control systems.
In other words, bad actors do just as much planning, research and preparation as good actors, sometimes even more!
As a result, if security risk analysis and clustering does not exhibit evidence of criminology, sociology, psychology, intelligence, research, statistics and scientific methods, the 'risk' is inadequately understood and is more likely a journal entry found repeated in other countries, generic standards and common terms of reference.
In other words, it is yet another generic security risk shopping list non-specific to the environment, organisation, threat and commensurate foreseeable harm.
In short, not a risk assessment at all.
Risk clusters should be comprised of threat clusters (next article).
If not, the inherent risk is the process itself, which is neither fit for purpose nor consistent with security, risk and management sciences, all of which are typified by evidence-based decision making.
Tony Ridley, MSc CSyP MSyl M.ISRM
Security, Risk & Management Sciences
Corporate Reputation Management Speaker, Facilitator and Advisor | Reputation Risk, Stakeholder Management and Crisis Expert | Why? Because Your #Reputation Matters!
2 weeks
My only concern is that this does not show up reputation risk as a meta-risk.
A multi award-winning Strategic Operations, R&D, Innovation, Cost, Procurement & Supply Chain, Product, Fleet, M&A, Risk, Estate, Asset & Facilities Management professional, at K M Group, a multi award-winning business.
2 years
Excellent.