Risk, Security, Safety and Resilience Newsletter - Week of 15 Apr 23

Of the 178 articles, quotes, resources, research and visuals viewed nearly 124,000 times, clicked 25,490 times, liked 1,347 times and reposted 90 times, here are 10 of the top-rated ones. Included are a number of other articles and posts that are the most popular (2,000+ views) during 1-15 Apr 23.

Members & Subscribers get more at: https://www.patreon.com/riskmanagement

-----------------------

The following is a summary of security, risk, safety and resilience articles, topics and issues ending the week of 14 Apr 23.

Key themes for this week include:

  1. Risk: Matrices, Threats & Strategic
  2. Resilience: Awareness, Knowledge & Systems
  3. Security: Fraud, Risks & Cyber
  4. Business Continuity: Shock, Complexity & Disruptions

-------------------------------------------

Managing Risks in the Workplace

Manage #risks in the workplace. "The ‘person conducting a business or undertaking’ (PCBU), who is usually the employer, must manage risks to health and safety by eliminating risks as much as is reasonably practicable."

Read More...

Managing Risks in the Workplace
All hazard risk management includes the work environment and context too

Threat Clusters: Major themes in security risk analysis and management

Effective security risk assessments are only derived from detailed and specific evaluation of threats under specific conditions in specific circumstances. That is, detailed knowledge and evaluation not only of the identified or potential threat actor/s, but also their intentions, motivations, capabilities, tactics and resources.

Broad statements of security threats that lack this detailed consideration are not security risk evaluations; they are typically mere boilerplate derived from countless 'security' fodder and pulp publications, applied as a punitive and restrictive process upon businesses, humans and communities.

In other words, you can't merely read about a 'security threat' on the other side of the world and then impose protection and security investment in the local context on the premise of potential relevance at your location at some time in the future.

That is fantasy, not security science.

It is also the underpinning, flawed practice in much of the 'security theatre' we all observe every day.

That is, 'security habits' that have become globally accepted and normative, and that almost always mandate that you have 'security' wherever you are through these theatrical practices in the name of security.

Any sufficiently detailed consideration of threat/s or harm specific to an organisation or entity will typically result in a clustering of threat themes. Much the same way it does with risk themes.

Read More...

Threat Clusters: Major themes in security risk analysis and management
Have you considered one or more?


What's Wrong with Risk Matrices?

"In the terminology of multicriteria decision making, the discrete categorization of consequences and probabilities inherent in risk matrices can produce non-compensatory decision rules that do not reflect the risk trade-off preferences of real decision makers and stakeholders.

So, resuming, risk matrices do not necessarily support good (e.g., better-than-random) risk management decisions and effective allocations of limited management attention and resources.

Research is needed to better characterize conditions under which they are most likely to be helpful or harmful in risk management decision making and that develops methods for designing them to maximize potential decision benefits and limit potential harm from using them."

Read More...

What's Wrong with Risk Matrices?
...just to name a few
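As an added illustration of the critique quoted above (my own example, not code from the cited paper or this newsletter), the script below uses an assumed 5x5 matrix with constructed band edges and three constructed risks: the matrix ranks risk X above risk Y although Y's expected loss is roughly nine times larger, and it places X and Z in the same cell despite a 24-fold difference in expected loss. A random-pairs check gives a crude measure of how often the matrix ordering agrees with expected loss at all.

```python
"""Added example (not from the quoted paper or the newsletter): a discrete
likelihood x consequence matrix can order two risks the opposite way to
their expected loss, and cannot separate risks sharing one cell.
Band edges and risk values are constructed for illustration."""
import itertools
import random

# Assumed 5x5 matrix band edges (constructed, not taken from any standard).
LIKELIHOOD_EDGES = (0.05, 0.2, 0.5, 0.8)      # annual probability
CONSEQUENCE_EDGES = (1e4, 1e5, 1e6, 1e7)      # loss per event

# Constructed risks: name -> (annual probability, loss if it occurs)
CONSTRUCTED_RISKS = {
    "X": (0.20, 100_000),   # bottom edge of likelihood band 3 and loss band 3
    "Y": (0.19, 999_999),   # just below likelihood band 3, top of loss band 3
    "Z": (0.49, 999_000),   # top of likelihood band 3 and loss band 3
}


def band(value, edges):
    """1-based band index: one plus the number of edges the value reaches."""
    return 1 + sum(value >= edge for edge in edges)


def matrix_score(probability, loss):
    """Conventional cell score: likelihood band x consequence band (1..25)."""
    return band(probability, LIKELIHOOD_EDGES) * band(loss, CONSEQUENCE_EDGES)


def expected_loss(probability, loss):
    """Continuous quantity the matrix is meant to approximate."""
    return probability * loss


def rank_inversions(risks):
    """Pairs (a, b) where the matrix scores a strictly above b although a's
    expected loss is strictly lower: the non-compensatory failure."""
    out = []
    for a, b in itertools.combinations(risks, 2):
        sa, sb = matrix_score(*risks[a]), matrix_score(*risks[b])
        ea, eb = expected_loss(*risks[a]), expected_loss(*risks[b])
        if sa > sb and ea < eb:
            out.append((a, b))
        elif sb > sa and eb < ea:
            out.append((b, a))
    return out


def matrix_ties(risks):
    """Pairs the matrix cannot distinguish (same cell score), returned with
    the ratio of their expected losses (larger over smaller, 1 decimal)."""
    out = []
    for a, b in itertools.combinations(risks, 2):
        if matrix_score(*risks[a]) == matrix_score(*risks[b]):
            ea, eb = expected_loss(*risks[a]), expected_loss(*risks[b])
            out.append((a, b, round(max(ea, eb) / min(ea, eb), 1)))
    return out


def agreement_rate(n_pairs, seed=1):
    """Crude 'better-than-random' check: fraction of random risk pairs whose
    matrix ordering matches their expected-loss ordering (ties skipped)."""
    rng = random.Random(seed)
    agreed = compared = 0
    for _ in range(n_pairs):
        p1, p2 = rng.uniform(0.001, 1.0), rng.uniform(0.001, 1.0)
        l1, l2 = 10 ** rng.uniform(3, 8), 10 ** rng.uniform(3, 8)
        s1, s2 = matrix_score(p1, l1), matrix_score(p2, l2)
        if s1 == s2:
            continue
        compared += 1
        agreed += (s1 > s2) == (expected_loss(p1, l1) > expected_loss(p2, l2))
    return agreed / compared if compared else float("nan")


if __name__ == "__main__":
    for name, (p, loss) in CONSTRUCTED_RISKS.items():
        print(name, "score", matrix_score(p, loss), "EL", expected_loss(p, loss))
    print("inversions:", rank_inversions(CONSTRUCTED_RISKS))
    print("indistinguishable:", matrix_ties(CONSTRUCTED_RISKS))
    print("agreement with expected loss:", agreement_rate(5000))
```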


Risk Management: Protective Security

Protective security. ISO 23234:2021: "...the common word "safety" and the term "protective security" are used to distinguish between methods of combating undesirable unintentional incidents or accidents (safety) and combating undesirable intentional actions (protective security)." Link

Risk Management: Protective Security
For those that actually consider malevolent, adroit and adaptive human threats

Pre-Risk Management: Everything before things are tagged as 'risk'

Again, it is remarkable (shocking) how many 'risk' entries have little to no supporting assessment or analysis documentation outside of a calendar meeting event or summarised minutes of meeting.

A growing legion of individuals, departments and providers continue to manufacture 'pulp' risk content for registers, spreadsheets and debate, much of which provides little to no supporting evidence, methodological rigour or reliable/verifiable data informing said risk status.

With all these dynamic and disparate factors... how is it that your management list of risks is so static and routinely scheduled for update?

So here is a simple test.

Retrieve your current 'risk' register, spreadsheet, dashboard or whatever it is you are using and compare it to all the content, evidence, analysis, assessments and empirical findings you have that informed this final product.

Should you discover a dearth of supporting data, evidence and other empirically defensible materials informing your risk list/s, it is time to add 'management of risk' to your risk spreadsheet, register or dashboard. You have likely manufactured yet another corporate, theatrical process, like the ever-increasing and vague nomenclature associated with risk (resilience, 3 lines of defence, risk enablement and other organisational language) that asserts results without evidence or methodological rigour.

Read More...

Pre-Risk Management: Everything before things are tagged as 'risk'
For those that think they can measure anything, including risk, in 10 seconds or less

System Development Life Cycle

"System Development Life Cycle: Although Change Management (CM) is not traditionally regarded as a security function, it must be addressed in the system development life cycle (SDLC) because of its serious #security implications. CM is just one component of an information system’s security posture. It falls under the operational controls of an information system and is interrelated with numerous other security disciplines such as project management, risk management, security certification and accreditation, and security awareness training.

CM should be addressed throughout the entire life cycle of any given project or task. As mentioned earlier, it is nearly impossible to carry out a systems development or management project with success in the absence of a sound and effective CM process. In the SDLC, the planning of the CM process falls in Phases 2 and 3; the primary implementation of the CM process is performed during Phase 4, the Operations/Maintenance phase. SDLC and its associated key tasks are depicted in Figure 14-1."

Read More...

System Development Life Cycle
If you haven't mapped and unpacked the system... you don't know the risk and your security is likely inadequate as a result

Cybersecurity: Supply Chain Analysis

"Understand why your organisation should care about supply chain cyber security. Unless you understand what needs to be protected and why, it can be very hard to establish any meaningful control over your supply chain. In this step you will determine:

Why might someone be interested in attacking your supply chain?

Who are behind supply chain attacks, and what are their motives?

What are the potential cyber threats that could cause harm to your organisation?

What vulnerabilities could be exploited within your supply chain via a cyber attack?

What is the impact on your organisation if these vulnerabilities are exploited?

Once this is understood in the context of your organisation, it becomes a lot easier to talk about and build a case for senior buy-in and investment to promote change around supply chain cyber security within the organisation."

Read More...

Cybersecurity: Supply Chain Analysis
Chains or networked mesh?

Fraud: Complexities in Corporate Security & Risk Management Beyond Financial and Accounting Boundaries

#Fraud, from a criminological, corporate security and risk management perspective, is far more than financial improprieties or transgressions identifiable in an accounts or transactions record.

Moreover, fraud remains concealed in multiple variable layers of errors, omissions, inefficiencies, oversights, poor systems, management lag, visibility and human failings.

Notwithstanding, fraud is not exclusively limited to customers, criminals, entry-level opportunistic and other stereotypical actors.

Entire departments, organisations and industries may exhibit one or more fraudulent traits on occasion or systemically.

However, it is also worth remembering that fraud is not proven by individuals or accusations. It is proven by the courts, which in turn distorts the definition, realities, practicalities and data associated with what might still prevail under a very big umbrella term such as fraud.

Read more...

Fraud: Complexities in Corporate Security & Risk Management Beyond Financial and Accounting Boundaries
Including the criminological factors, influences and perspectives


Crisis Management

From digital and cyber crisis simulation to operational, security, risk and resilience preparedness. After completing another highly complex, technical, challenging, exhausting, yet highly rewarding project, culminating in a 5-hour #crisis management and leadership simulation and validation exercise with multi-layered role players, full client representation, strategic injects and fast-paced, challenging tactical decision-making and capacity building, this phase of the knowledge transfer process is complete.

The large national entity is better prepared for today and tomorrow. Always great to participate in such strategic, fun and rewarding projects with fellow professionals and risk scientists. Link

Crisis Management
Another one delivered and a few more on the way

Cybersecurity: Information Technology & Operational Technology

"Organizations are all too slowly realizing that hacker attacks can disrupt production operations, seriously affecting productivity and requiring hours or even days to recover. Adversaries can use various extortion methods to steal sensitive business information, leading to data breaches, property loss, and violations that weaken customer trust and harm brand value. In response to Industry 4.0 becoming a critical aspect of corporate competitiveness, management and cybersecurity leaders should prioritize OT network protection at the top of their cybersecurity strategy. The dangers of insufficient cybersecurity are at the door, and organizations are due for a very rude awakening. First, they need to learn that ICS/OT requires a different set of security solutions, skills, processes, and methods than IT. They need to build specific cyber defenses to manage OT/ICS security risks in order to protect our critical infrastructure and industries for the future."

Read More...

Cybersecurity: Information Technology & Operational Technology
Increasingly, the 'gap' between IT and OT is not a gap at all, just another silo

What does security risk management look like?

The essential elements of corporate, commercial or private sector security risk management are often visible only to those who understand the required anatomy, or only become visible during the autopsy of failure.

In other words, security risk management exclusions, omissions and inadequacies are glaringly obvious to experienced professionals.

This discovery/disclosure routinely becomes the focus of failure in the wake of bad happenings, catastrophic failures, crises and other public enquiries.

The architecture for adequate and comprehensive security risk management is not measured by policies, procedures, departments or reports.

It is evident from the construction, function and routine activities of many elements and the manufacture and distribution of information and knowledge that informs risk and security choices, including adversarial assessments and scales of harm.

Read More...

What does security risk management look like?
What is the anatomy of your security risk management?

Risk: Definition

“... Through the process of risk management, leaders must consider risk to <the organisation's> interests from adversaries using cyberspace to their advantage and from our own efforts to employ the global nature of cyberspace to achieve objectives in military, intelligence, and business operations...”

“... For operational plans development, the combination of threats, vulnerabilities, and impacts must be evaluated in order to identify important trends and decide where effort should be applied to eliminate or reduce threat capabilities; eliminate or reduce vulnerabilities; and assess, coordinate, and deconflict all cyberspace operations...”

“... Leaders at all levels are accountable for ensuring readiness and security to the same degree as in any other domain...”

- NIST SP 800-30 Rev. 1: Guide for Conducting Risk Assessments https://buff.ly/40ZmJj0

Risk: Definition
Negating all those 'risk' assessments with a dearth of specific threats and analysis


Critical Infrastructure: Thinking about safety, risk, security and resilience in modern societies

Critical infrastructure is not only increasingly complex and networked, but remains ultra-reliant on other infrastructure. That is, even a rudimentary unpacking of critical infrastructure and systems of state/national significance demonstrates the highly dependent and interdependent relationships not only between infrastructure elements, but also between infrastructure and society.

In other words, one or more don't work without the other.

It didn't take a pandemic to discover this; it merely took a pandemic to remind everyone that a few labels, superficial acknowledgements and hastily implemented legislation cannot undo or negate what has been occurring over many decades.

Notwithstanding the increased digital, cyber, communications and technology links between human and physical structures.

I constructed the below network and relationship diagram as a thought exercise for a client and professional cohort of security, risk and resilience practitioners. While the overlay remains a high level or first order view, it adequately demonstrates the complexity and connectivity.

Pull on but one of these threads... and the result is a single, expanding and cascading sequence of delays, disruptions and lack of utility or resilience.

Read More...

Critical Infrastructure: Thinking about safety, risk, security and resilience in modern societies
Critical to who, when and why? What about the collective sum of smaller, hidden connections?

Cybersecurity for SMEs

"Contrary to the common perception that cyber-attacks occur only against large organizations, all organizations can be similarly attacked, no matter what their size. Criminals often target SMEs for various reasons, such as that they offer a good value to risk ratio and, as many SMEs provide services to larger organizations, they can enable criminals to attack those larger organizations through their supply chain.

Despite the measures an organization can implement to proactively protect itself against cyber related risks, there is no guarantee that it will not experience a cybersecurity related incident. Therefore, an SME should develop plans and capabilities to recover as quickly as possible and maintain business continuity after a cyber-related disruption."

Read More...

Cybersecurity for SMEs
In other words, 90% of the world's commerce

The Commonwealth Cybercrime Journal

"Unsurprisingly, however, this upsurge (digital technology, cybercrime, etc) has been accompanied by an exponential rise in cybersecurity attacks and cybercrime. It is estimated that cybercrime will cost the global economy US$10.5 trillion by 2025, following reports of a 13 per cent increase in ransomware attacks worldwide between 2021 and 2022 – an increase greater than that during the five preceding years. This is most likely an underestimate, as many countries do not have adequate cybersecurity and cybercrime reporting frameworks.

All countries are scrambling to play catchup with cybercriminals and ensure that the internet stays free, open, and inclusive – key ideals adopted by Commonwealth Heads of Government in their 2018 Commonwealth Cybercrime Declaration.

One of the critical impediments to realising these ideals, and to ensuring the safe, secure, effective and efficient use of both new digital technologies and cyberspace more generally, is the paucity of policy-influencing literature. The Commonwealth Cybercrime Journal (CCJ), published by the Commonwealth Secretariat and fully peer-reviewed, intends to address this."

Read More...

The Commonwealth Cybercrime Journal
More for those that use evidence-based security risk management and criminological practices

Confidentiality, Integrity & Availability: Data & Information Security

"#Security Control Selection: An agency must meet the minimum security requirements in FIPS 199 by selecting the appropriate security controls and assurance requirements as described in NIST SP 800-53. The process of selecting the appropriate security controls and assurance requirements for agency information systems to achieve adequate security is a multifaceted, risk-based activity involving management and operational personnel within the agency. Security categorization of federal information and information systems, as required by FIPS 199, is the first step in the risk management process. Subsequent to the security categorization process, an agency must select an appropriate set of security controls for their information systems that satisfy the minimum security requirements set forth in FIPS 200. The selected set of security controls must be one of three security control baselines from NIST SP 800-53 (see Table 8-2) that are associated with the designated impact levels of the agency information systems as determined during the security categorization process."

Read More...

Confidentiality, Integrity & Availability: Data & Information Security
The definition from one of the most cited sources, often lacking this citation too

Mnemonics: Security & Risk: From OODA Loops to CPTED

Brief summations of complex, related topics can be extremely helpful for professionals and laypeople alike. However, abbreviated chatter in lieu of full sentences and disclosure can be polarising and exclusionary.

Security and risk management demonstrate these traits on a daily basis.

Some are helpful, some are not.

Some are dangerously outdated or inappropriate for the complexity of the issue/s at hand.

Some mnemonics and abbreviated speech are incorrect repurposings of original (sometimes outdated) ideas for contemporary times; others are just attempts by an author or cohort to be immortalised as an original, revolutionary solution and legacy for all time.

This brief presentation lines up a select few security, risk, management and project mnemonics.

Read More...

Mnemonics: Security & Risk: From OODA Loops to CPTED
DRABCDE... or danger response, airway, breathing, circulation, etc?


Future Crimes: Digital & Cyber Threat Landscape

"The growing complexity of computer software has direct implications for our global safety and security, particularly as the physical objects upon which we depend—things like cars, airplanes, bridges, tunnels, and implantable medical devices—transform themselves into computer code. Physical things are increasingly becoming information technologies." p.64

"The relentless pace of these changes and the ever-expanding presence of technology in our lives have been catalyzed through an axiom of technology known as Moore’s law. ...the number of transistors per square inch on an integrated circuit would double every year into the future. This principle, later revised to a doubling every eighteen months to two years, is referred to as Moore’s law and is now commonly applied more broadly to the power and capabilities of all circuit-based technologies." p.58

"...computing power is growing exponentially, and our ability to understand the global information grid and map its vast interconnections is waning." p.60

"In the criminal days of yore, crime was a simple affair. Any would-be criminal need only buy a knife or gun, hide in a dark alley, and then leap out at an approaching victim and demand, “Give me your money.” Apart from the unsavory morality issue, robbery was a great entrepreneurial business model that had survived for millennia. "

"Fortunately, however, technology provided an answer for would-be criminals on how to surmount the scalability issues their illicit businesses faced, and the solution came from an unlikely place: the locomotive. Of course when trains were invented, nobody ever envisioned that they might become subjected to train robberies. Criminals, however, foresaw the opportunity and lost no time in taking advantage of the new technology. Now, rather than robbing one person at a time, thanks to the locomotive, armed gunmen could rob two hundred or three hundred people simultaneously, thereby vastly expanding their business opportunities and their profits." - Goodman, M. (2015). Future crimes: Inside the digital underground and the battle for our connected world. Random House. p.61

Read More...

Future Crimes: Digital & Cyber Threat Landscape
The warnings were clear and the threat only grows and gets smarter with each passing day, now augmented by AI

Strategic Risk

"Recent unprecedented global events have spawned the term ‘perma-crisis’. Risk managers are ideally placed to engage with management on mitigation strategies. Take your place at the table."

Read More...

Strategic Risk
Strategic to whom? Ignored by whom for it to now be an issue?

Security: An umbrella term and all things related

Security remains a catch-all expression for many things, people, feelings, actions and terms. With so many taking refuge under this umbrella term, how do you know what is really security... or not?

Even in everyday conversation, security is routinely used. Job security, portfolio security, national security, home security, cyber security and many other quasi-security expressions such as community safety, crime prevention, etc.

The only constant among these expressions is that security is rarely defined and routinely assumed as meaning the same thing from context to context, person to person and culture to culture.

Read More...

Security: An umbrella term and all things related
What definition(s) do you use?

Critical Infrastructure Risks: Financial Sector

"Understanding sector-specific risks: This table outlines a select example of identified threat and hazard vectors that impact Financial Services and Markets Sector assets. When identifying risk in a critical infrastructure, each threat or hazard vector should be considered alongside the areas of an entity's operation it may potentially impact to allow for a more impact-led determination of plausible risk scenarios to assess."

Read More...

Critical Infrastructure Risks: Financial Sector
And this is just the finance industry

Safety and/or Security: Business Travel, Tourism, Mobility & Cross Border Risk

After nearly three long years of the COVID-19 pandemic, the world seems desperate to travel, in addition to the tourism and travel industrial complex desperate for open borders and uninhibited travel across state lines, around the country and all forms of international travel.

However, from a safety, security and risk perspective, travel has fundamentally changed, and the signs of concern were there long before a pandemic closed borders and restricted people movement at all levels.

This presentation is a summary of a broader article written for an academic textbook focused on post-pandemic travel safety, security, terrorism and risk management.

Read More...

Safety and/or Security: Business Travel, Tourism, Mobility & Cross Border Risk
What unit(s) of analysis do you apply to threat, risk, safety, security and 'travel'?

Ridley Tony

Risk, Safety, Security, Resilience & Management Sciences (Applied)

Ken Lawlis, P. Log., PMP, MCPM, CSM, GRCP, GRCA, ITIL

Risk, Project, and Supply Chain/Logistics Management Professional - broad experience in several domains

1 year

An impressive collection of interesting material. Thanks #TomRidley.

Hugo H. Guerrero

LATAM Regional Safety & Security Risks

1 year

"Want of foresight, unwillingness to act when action would be simple and effective, lack of clear thinking, confusion of counsel until the emergency comes, until self-preservation strikes its jarring gong — these are the features which constitute the endless repetition of history." (Winston Churchill) Thanks for sharing Tony.

CHESTER SWANSON SR.

Realtor Associate @ Next Trend Realty LLC | HAR REALTOR, IRS Tax Preparer

1 year

Thanks for sharing.
