Risk, Security, Safety and Resilience Newsletter - Week of 06 Oct 22
Ridley Tony
Experienced Leader in Risk, Security, Resilience, Safety, and Management Sciences | PhD Candidate, Researcher and Scholar
The following is a summary of security, risk, safety and resilience articles, topics and issues ending the week of 06 Oct 22.
Key themes for this week include:
----------------------------------------------------------
Determination of risk(s) should be the product of exposure to specific threats, hazards, dangers and perils in specific contexts, dependent upon unique vulnerabilities and in consideration of modifying or mitigating practices. It should also rest on a detailed analysis and provisional understanding of threat factors, actors and their capability or influence.
That is, very little is a 'risk' until one considers relevance, context, exposure, capability, resilience and the efficacy of management interventions.
Any 'risk' narrative that fails to produce, document or consider these phases and variances remains questionable at best, inadequate at worst. This is especially so when considering 'all-hazards' and security threats.
It applies particularly to human actors, for they are concealed, intelligent, dynamic and deliberately seeking to circumvent any and all 'controls', protection and preventative measures planned or put in place, digital and physical alike.
"#Riskmanagement in the modern world relies on two forms of thinking. #Risk as feelings refers to our instinctive and intuitive reactions to danger. #Risk as analysis brings logic, reason, quantification, and deliberation to bear on hazard management. Compared with analysis, reliance on feelings tends to be a quicker, easier, and more efficient way to navigate in a complex, uncertain, and dangerous world. Hence, it is essential to rational behavior. Yet it sometimes misleads us. In such circumstances we need to ensure that reason and analysis also are employed." - Slovic, P., & Slovic, S. (2015). Numbers and nerves: Information, emotion, and meaning in a world of data. Oregon State University Press, p.27
Past history and capability alone do not determine relevance or specific #risk to anyone or any particular organisation(s). Intent, desire, focus, motivation or reason must be present. Few threats act without reason or purpose (don't discount them entirely; they do exist and present a threat from time to time, dependent on environmental and sociological factors).
That is, given skill, capability and demonstrable desire, is the intent focused on you, your assets, your sector, your industry, your business, your location or your 'value'?
More importantly, what factors are conceivable, identifiable or likely to contribute to the overall transient or persistent threat?
"The study of ignorance has attracted growing attention across the natural and social sciences where a wide range of scholars explore the social life and political issues involved in the distribution and strategic use of not knowing. This handbook reflects the interdisciplinary field of ignorance studies by drawing contributions from economics, sociology, history, philosophy, cultural studies, anthropology, feminist studies, and related fields to serve as a path-breaking guide to the political, legal and social uses of ignorance in social and political life." - Gross, M. & McGoey, L. (2022) Routledge International Handbook of Ignorance Studies, 2nd ed, Routledge
"Good cyber hygiene and #security – not insurance – are the first line of defence. These come from best-practice technology, specialist staff and widespread training. However, despite an increasing cyber spend by government and business, government entities are a long way off baseline standards of #cybersecurity, while many businesses are also behind in their #resilience against rapidly shifting #risks."
"A fifth point is to underline the need for more research generally, and for more evaluations of which measures work, in what combinations and in what contexts. Clearly in #security there is a need for interventions that can help to eliminate #crime or reduce its incidence and impact, but increasingly there is a need for them to take account of their carbon footprint too (see chapter by Skudder et al in this Handbook). As this Handbook shows, and the final section in particular, security measures are often impactful and these need to be better understood and better publicised, and likewise where measures fail knowing why is crucial to progress." - Gill, M. (2022) Introducing the Handbook of Security, in Gill, M. (ed) The Handbook of Security, 3rd ed, Palgrave Macmillan, p.3
Success leaves clues. So too do bad actors, threats and the security risk management factors one must protect against and prepare for. Intelligence, research, knowledge, awareness and analysis inform and guide the future.
Incident logs alone are insufficient. Accumulating only known or detected events results in bias and myopia. Human actors and threats change, evolve, get smarter, acquire new resources and learn new 'tricks'.
Security and information decay undermine even the best and most effective protective and defensive security plans of today.
In other words, what you protect against today is largely based upon your understanding and knowledge of the past, not what the threat is 'really' like now, what was once effective, nor what your adversary, threat or human actor(s) may do tomorrow.
"Repeated cyber intrusions into organizations of all types demonstrate the need for improved #cybersecurity. Cyber threats continue to grow, and they represent one of the most serious operational #risks facing modern organizations. National #security and economic vitality depend on the reliable functioning of #criticalinfrastructure and the sustained operation of organizations of all types in the face of such threats. The Cybersecurity Capability Maturity Model can help organizations of all sectors, types, and sizes to evaluate and make improvements to their #cybersecurity programs and strengthen their #operationalresilience."
"Risk Assessment: #Riskassessment analysis is a rational and orderly approach, as well as a comprehensive solution, to problem identification and probability determination. It is also a method for estimating the expected loss from the occurrence of an adverse event. The key word here is "estimating" because #risk analysis will never be precise methodology; remember, we are discussing probabilities. Nevertheless, the answer to most, if not all, questions regarding one's #security exposures can be determined by a detailed risk assessment analysis." - Broder, J. (2012) Risk Analysis and the Security Survey, 4th ed, Butterworth Heinemann, p.4
Threat and 'risk' ratings may produce remarkably 'similar' numerical results if distilled to a pure numerical representation. However, that does not translate into disparate asset classes sharing 'similar' risks, vulnerabilities or harm. The reasoning '1 or 2 points apart, so they carry the same, or similar, overall risk' is far from correct. The underlying factors, variables and scales of harm, identification and warning triggers vary greatly, no matter how close the two numbers are to each other or to some 'tolerable' value.
"The general process for recording Open Source Intelligence (OSINT) artifacts follows an orderly and organized set of phases or sections. There are several reasons for this. The first reason is training. By standardizing the process, new analyst training becomes easy, as well as having their training measured against the standard. The second reason for standardization is for the normalization of the categorical placement of the data within a database.
Moreover, this type of standard categorization places the data into containers that form the basis for variable organization used during the application of higher-order analysis. Lastly, by standardizing the process, we can perform process reviews, make adjustments, and apply various management maturity models that place the process in a repetitive cycle of continuous improvement."
"Many financial institutions (and their boards) have historically had a compliance orientation as far as top-down #riskmanagement is concerned. Their aim was to satisfy regulators and stay within the letter of the law. ERM is moving financial institutions away from this mind-set. It is leading to the risk management function having a strategic orientation and being value enhancing. A company that manages #risk effectively has a competitive advantage over another company that does not do so." - Hull, J. (2018) Risk Management and Financial Institutions, 5th ed, Wiley, p.604
You say 'risk', I say 'risk'. The probability that we are both talking about the same thing now, yesterday or at some time in the future remains very remote. Now extrapolate that across a group, profession, community and country.
In short, 'risk' does not mean what you think it means, and it doesn't mean what the person you are speaking with right now thinks it means.
"Risk" is contextual, the product of culture and societal influences, in addition to being routinely personally or professionally constructed (modified, debated and updated), and it is never static in application or usage over time or across groups.
So, which risk definition do you use? Moreover, for those who express or explore derivatives such as risk perception, risk culture, risk frameworks, risk management, organisational risk, operational risk, enterprise risk, security risk or safety risk: what do they mean?
It remains highly improbable (and, in practice, confirmed) that they are speaking about or referencing the same thing.
This further distorts the narratives, comprehension and daily discourse associated with, about or representative of 'risk'.
"Public servants ought to ensure that whatever facts are presented in the media are accurate, but can generally be expected to remain silent when countervailing facts are omitted. It is improper—a breach of the Code of Conduct—to seek to do otherwise in public, and there is an 'understandable reluctance of public servants to #risk penalties (including jail) for revealing how advice has been manipulated...there are #risks in the system to APS policy advising and implementation at an operational level." - MacDermott, K. (2008). What happened to frank and fearless? The impact of the new public management on the Australian Public Service, The Australian National University E Press, p.37 & 49
"No thief, however skillful, can rob one of knowledge, and that is why knowledge is the best and safest treasure to acquire." - L. Frank Baum, The Lost Princess of Oz
Just as the capability and efficacy of any #securityriskmanagement plan or protective #security strategy should be documented and evaluated in full, so too should that of the adversary, threat and human actor(s).
In other words, whoever may seek to harm or disrupt an organisation's activities and/or diminish the utility of an organisation's assets and functions must be quantified and qualified, at the very least.
This applies in equal measure to terrorists, fraudsters, hackers and angry customers as it does to intimate partners (a prominent perpetrator of workplace violence), criminals and any other internal or external threats, whether international, domestic or local.
While far more complex and evidentiary processes and methods exist, the construct referred to here offers a simple, scalable and evidence-based approach.
"#Cybersecurity is the art of protecting networks, devices, and data from unlawful access or criminal use, and providing confidentiality, integrity, and availability of information. Much of your personal information is stored either on your computer, smartphone, or tablet. Knowing how to protect your information is important, not just for individuals but for organizations, as well. Every time you use the internet, you face choices related to your #security. Your security and the security of the nation depends on making responsible online decisions. Making the internet safe and secure requires all of us to take responsibility for our own cybersecurity behavior."
"A Profession is a disciplined group of individuals who adhere to ethical standards and who hold themselves out as, and are accepted by the public as possessing special knowledge and skills in a widely recognised body of learning derived from research, education and training at a high level, and who are prepared to apply this knowledge and exercise these skills in the interest of others." https://lnkd.in/gQKxqcJz
"The era of market triumphalism has come to an end. The financial #crisis did more than cast doubt on the ability of markets to allocate #risk efficiently.... The most fateful change that unfolded during the past three decades was not an increase in greed. It was the expansion of markets and market values, into spheres of life where they don't belong". - Sandel, M. J. (2012). What money can't buy: the moral limits of markets. Macmillan, p.7
"In order to achieve the necessary amount of cost-effective #security, the security expert who has come to understand the technology (or the "techie" who has gained an understanding of #security) now has to understand the business. In addition, it is now necessary for the management of the business to understand and have some faith in the security process." - Kovacich, G. L., & Halibozek, E. P. (2005). Security Metrics Management: How to Manage the Costs of an Assets Protection Program. Butterworth-Heinemann, p.xxvi
Security, like colour, presents along a spectrum of representations, options, variations, combinations, choices, preferences and favourites. That is, when it comes to security or colour, there are considerably more options than just one, and the choice is rarely binary or permanent.
In other words, security could be cyber, protective, national, information, risk management, corporate, physical, sciences or private, just to name a few.
It therefore remains confusing, if not dangerous, that some individuals and organisations choose to paint in just one colour or in shades of grey.
Put simply, security is more than just cyber or physical.
"Today's threats are a result of hybrid attacks targeting both physical and cyber assets. The adoption and integration of Internet of Things (IoT) and Industrial Internet of Things (IIoT) devices have led to an increasingly interconnected mesh of cyber-physical systems (CPS), which expands the attack surface and blurs the once clear functions of #cybersecurity and physical #security. Meanwhile, efforts to build cyber #resilience and accelerate the adoption of advanced technologies can also introduce or exacerbate #security #risks in this evolving threat landscape."
"The #risk manager shares the scientist's intention to be rational, which sets them both apart from the fatalist and the fanatic. But this shared desire for rationality does not necessarily lead the #risk manager and the scientist to the same conclusions from the same set of facts, for their assumptions and motives are often quite different. The scientist uses fact and logic to describe the world more accurately. The risk manager uses fact and logic, to the extent that it is practical, to determine what he ought to do to advance his interests." - Borge, D. (2002). The book of risk. John Wiley & Sons, p.8
"Understand that numbers are insufficient, but they are necessary. To be the raw material for decisions, they need to be well enough thought out that you know what they mean. We have to be careful with what we claim to be measuring, and we have to make sure that our readers have some understanding of what we are measuring in their behalf. Numbers can mislead if they are not understood. Numbers are much like #security in that they are a means rather than an end. Numbers exhibit vulnerabilities like computer systems in that whether misuse is intentional or inadvertent matters little if misuse is at hand. Numbers, like a surgeon's scalpel, can harm or heal, but we need them" - Jaquith, A. (2007). Security metrics: replacing fear, uncertainty, and doubt. Pearson Education, p.xvi
"Cyber was meant to be the big new business class for insurers. But stuck at just $10bn, it has yet to live up to its promise. Time to stop, rewind and focus on getting to grips with this uniquely dynamic #risk."
Security, risk management, intelligence and crime prevention are not mystical arts practised in secret or behind closed doors. Each of these disciplines and professions has considerable private and public consequences, with variable scales of harm, primarily where harm, loss, disruption, crime and threat are concentrated in place, time or industry.
More importantly, the understanding and application of security risk management in public and private settings can be enhanced by analysing and reviewing case studies, research and the informing body of knowledge.
Therefore, public inquiry and public documentation provide an excellent opportunity to unpack complex criminological, security sciences, risk management, sociological and ethnographic influences.
In other words, lessons can be learned, and processes studied to prevent similar instances and maintain high standards / better practices.
"This procedure outlines how to identify critical business functions and how to develop #businesscontinuity plans."
"History shows that most improvements in #security come in response to terrible events, not as a way of preventing them. Good security is intelligent and proportionate to the #risks. It is a practical discipline concerned with safeguarding lives, property, information, wealth, reputations, and societal wellbeing. But what constitutes good security and how is it achieved? Deciding what is needed, and then making it happen, is not easy. The threats to our security are complex and rapidly evolving, as criminals, hackers, terrorists, malicious insiders, and hostile foreign states continually find new ways of staying one step ahead of us—their potential victims. At the same time, we are continually creating new vulnerabilities as we adopt new technologies and new ways of working. Furthermore, the practical application of security is often distorted by vested interests and conflicting agendas.
Those who do not understand the fundamentals of #security open themselves and those around them to avoidable dangers, needless anxieties, and unnecessary costs. Inadequate #security may leave them exposed to intolerable #risks, while the wrong kind of #security is expensive, intrusive, and ineffective." - Martin, P. (2019). The rules of security: staying safe in a risky world. Oxford University Press, p.6
"A key to estimating what a theorized breach might cost is to analyze business systems that are dependent on technology in comparison with #cyberrisk events. A prerequisite to a systematic approach to determine breach impact is a business systems inventory. This allows a determination of how systems may be used to achieve the goals of a potential cyber attacker and allows a comprehensive list of possible cyber #risk events to be constructed. With such a list, both individual and patterns of events can be analyzed in order to understand what actual change would befall people, processes, and technology and, from there, estimate the potential impact of that situation. This information should prompt the selection of units of measure for loss estimation and then a breach cost estimate may be determined" - Rohmeyer, P., & Bayuk, J. L. (2019). Financial cybersecurity risk management: Leadership perspectives and guidance for systems and institutions. Apress, p.53-54
Without permission or consent, one or more bad actors can now pretend to be an entire country. That is, they possess the full personal details and digital identity information needed to create a fake, virtual version of 10 million people.
The scale and gravity of this reality is not only unprecedented, but vastly 'different' from a simple loss of data and the inconvenience of replacing or updating information.
"The data that an enterprise collects about its data subjects have the potential to reveal a great amount of personal information. In an age when 2.5 quintillion bytes of data are created daily and digital trust is becoming paramount, enterprises that demonstrate they protect data and preserve user privacy can gain a considerable competitive advantage. This paper reports on the state of enterprise privacy."
"Organisations are socio-technical systems, and to manage them effectively for continuity, all elements must be considered (p.3)... 'service continuity' might be a more appropriate term than 'business continuity'" - Elliott, D., Swartz, E., & Herbane, B. (2010). Business continuity management: A crisis management approach. Routledge, p.4
#securityriskmanagement "These are just several examples of convergence frameworks and is not intended to be all inclusive or suggest one framework versus another. There are many other approaches, and organizations should be encouraged to seek out the best approach for their organization. Here, the goal is to demonstrate, as the research has indicated, that convergence is defined, developed, and implemented in many forms but based upon the common set of principles of communication, coordination, and collaboration." - Darnell, D., Uchid, C., Swatt, M. & Anderson, K. (2022). Security Convergence and Business Continuity: Reflecting on the Pandemic Experience, ASIS Foundation, p.9
"#Security #RiskManagement Body of Knowledge (SRMBOK) is a repository of knowledge in the form of a book (both hard copy or electronic) that provides an overview of those areas of #SecurityRiskManagement that are generally recognised as better practice. The identification of better practice has been a key element in developing SRMBOK. It is built on several hundred years experience of the authors and co-authors, two years of research and development and peer review workshops in four major cities before finally being subjected to peer review by independent subject matter experts prior to publication." - Talbot, J. & Jakeman, M. (2009). Security Risk Management Body of Knowledge (SRMBOK), Risk Management Institution of Australasia Limited, p.16
"Many #safety professionals who have done a course or workshop in the past think that this is sufficient for the remainder of their professional career" - Bush, C. (2016). Safety Myth 101, Mind the Risk, p.15
Casinos, Organised Crime, Money Laundering, Security Threats, Intelligence Failures & Risk Management Disasters reads like a movie title or a spy thriller novel. However, despite the headline-grabbing title, the matters and findings are real-life issues that resulted in considerable harm, and the title is an accurate summary of events.
As introduced in part 1 of this 2-part series, public inquiries and public documents afford an opportunity for learning, analysis and discussion. Therefore, this article in particular unpacks the security, risk, resilience, safety and management sciences associated with the events, findings and contributing factors.
---------------------------------
Risk, Security, Safety, Resilience & Management Sciences