Risk, Security, Safety and Resilience Newsletter - Week of 27 Oct 22
Ridley Tony
Experienced Leader in Risk, Security, Resilience, Safety, and Management Sciences | PhD Candidate, Researcher and Scholar
The following is a summary of security, risk, safety and resilience articles, topics and issues ending the week of 27 Oct 22.
Key themes for this week include:
----------------------------------------------------------
Any sufficiently detailed consideration of threat/s or harm specific to an organisation or entity will typically result in a clustering of risk themes.
This taxonomy subsequently acts as a framework for analysis, the identification of controls and modifiers, and the scales of harm that inform the overall risk rating associated with both the threat and the asset at risk.
As a result, it can be helpful to start with a high-level understanding of key risk areas or compare iterative results with a final, considered framework.
"The job of Data Protection Officer (“DPO” in this guide) has become essential since the entry into application of the European General Data Protection Regulation (GDPR) on 25 May 2018. This regulation, which harmonises formerly national obligations at the European level, concerns organisations in all their activities: human resources management, prospecting, relations with customers or users, etc. From now on, the processing of personal data is a fundamental component of most business lines."
An organisational approach: defence-in-depth, layered security practices and universal security tactics for all likely and unknown threats.
"The rising number of cyber attacks in the financial sector poses a threat to financial stability and makes cyber #risk a key concern for policy makers. This paper presents the results of a survey among members of the Global Cyber #Resilience Group on cyber risk and its challenges for central banks. The survey reveals that central banks have notably increased their #cybersecurity-related investments since 2020, giving technical security control and resiliency priority. Central banks see phishing and social engineering as the most common methods of attack, and the potential losses from a systemically relevant cyber attack are deemed to be large, especially if the target is a big tech providing critical cloud infrastructures. Generally, respondents judge the preparedness of the financial sector for cyber attacks to be inadequate. While central banks in most emerging market economies provide a framework for the collection of information on cyber attacks on financial institutions, less than half of those in advanced economies do. Cooperation among public authorities, especially in the international context, could improve central banks’ ability to respond to cyber attacks."
Security risk management is not only the science of risk identification, calculation and protection but also the consideration of adaptive, intelligent and purposeful individuals/groups seeking to circumvent controls and impose loss, harm or damage on assets.
In other words, bad actors, criminals, terrorists and an array of adversaries.
Without adequate and detailed consideration of adversaries, security and all acts, artefacts and expenditure in the name of 'security' are blunt instruments applied to everyone at all times. That is not contemporary security risk management nor security as a science.
Therefore, it is not only essential to study, anticipate and protect against specific and broad adversaries, it is also essential to analyse these adversarial actors, associations and capabilities in depth.
"In order to adopt a #risk-based approach to managing health emergencies and mitigating risk, countries first need to identify hazards and assess their level of #risk within the country. The results from a #riskassessment allows proper planning and prioritization of efforts to better prevent, mitigate, detect early, prepare for, be operationally ready for, respond to, and recover from a #health emergency or disaster.
The Strategic Tool for Assessing Risks (STAR) offers a comprehensive, easy-to-use toolkit and approach to enable national and subnational governments to rapidly conduct a strategic and evidence-based assessment of public health risks for planning and prioritization of health emergency preparedness and disaster #riskmanagement activities."
Critical infrastructure, #cybersecurity, #risk, #security and #resilience have become hot topics in recent months. Earlier in the year, I put together a summary analysis, key considerations, and threat/#riskmanagement overview. Thank you to those that commented, benefited and discussed the findings. Glad to see a few researchers have found it and utilised my analysis and research too. Thank you kindly.
"What is #fraud? In the broadest sense, the term fraud encompasses actions that are meant to deceive for financial or personal gain. It’s any intentional or deliberate act to deprive another of property or money by guile, deception or other unfair means. Occupational fraud is fraud committed by people who work for, or do business with, an organization. This specific form of fraud represents a real and large #risk to any organization that employs individuals."
Prevention of crime remains an implied and specified objective of security risk management.
That is, security should delay, deter, prevent or stop crime from happening, and respond to and capture those that commit it when it does occur.
However, so much of 'security' is little more than habits, routine, norms and templated 'group-think' applied over and over, in the hope or chance of preventing all manner of crime.
In other words, poor security is just 'done', without consideration, analysis or context to the threat, vulnerability, exposure and foreseeable or plausible crime(s) that may/may not be perpetrated against individuals, organisations, governments or communities.
"Increasingly over the last decade, humanitarian actors have borrowed #riskmanagement approaches from the private sector that have helped them identify the inherent #risks to their work. Humanitarian actors have similarly copied ways for framing their response to those risks, deploying response strategies for transferring, avoiding and reducing risk and accepting or (less frequently) sharing identified risks. This in turn allows the humanitarian actor to evaluate whether the risk that is left – what is described as residual risk – is of a level that they can tolerate and hence accept, allowing them to proceed with their work."
Doctor of Public Safety. 1st year of doctoral research, study, analysis and assessments completed. GPA 6.0 (distinction). Exploring transnational #safety, #security and #riskmanagement. Includes criminology, #resilience, risk sciences, security sciences, safety sciences, culture, organisational behaviour and #businesstravel. Thoroughly enjoying the Charles Sturt University experience, staff, program and resources. Covered thus far: Critical Issues in Research (160hrs+) and Comprehensive Literature Review (160hrs+). Hats off and huge respect to those that have come before me and those considering similar pursuits.
"#Cybersecurity is one of the top issues on the minds of management and boards in nearly every company in the world — large and small, public and private. Managing this business issue is especially challenging because even an organization with a highly mature cybersecurity #riskmanagement program still has a residual risk that a material cybersecurity breach could occur and not be detected in a timely manner.
Organizations and their stakeholders need timely, useful information about organizations’ cybersecurity risk management efforts. Corporate directors and senior management have begun requesting reports on the effectiveness of their cybersecurity risk management programs from independent third-party assessors."
"From a corporate perspective, it is suggested that the ISO principles provide little value to the #securityriskmanagement process. These principles are ideal outcomes and if taken without critique, lead only to the failure of #riskmanagement. Reverse these risk management principles and one highlights the limitations of risk management. For example, decision making becomes a predetermined outcome through #risk gaming. Risk management becomes an administration burden driven by process rather than adding value. The ISO 31000 process is cut and pasted for a corporate activity that is either under-engineered or over-engineered, far from tailored." - Cubbage, C. J., & Brooks, D. J. (2012). Corporate security in the Asia-Pacific region: Crisis, crime, fraud, and misconduct. CRC Press, p.57
Risk is rarely neutral, meaning that people, communities and society influence just how minimal or great a risk issue is to them, their lives and their immediate surroundings.
As a result, small risks can be perceived as significantly greater than the reality or scale of harm, due to the fear, uncertainty, emotion, awareness or media coverage afforded any one issue that may or may not represent a threat or harm to individuals or groups.
Shark attacks and cigarette smoking are perfect examples.
So too are terrorist attacks and heart disease.
When was the last time you saw a media report or concerning political statement around the risk of tobacco smoking?
Yet, nearly every single shark encounter with humans is headline news around the world.
"If it bleeds, it leads" - news editor mantra
"Difficult enough to manage on their own, the combination of increased velocity and increased complexity is especially problematic. Crises that now have multiple layers to unwind are occurring with little to no advanced warning, forcing #risk professionals to accelerate the assessment and response process."
A more specific threat model, in this instance MITRE ATT&CK, expands upon the basic kill chain framework. Exit by stealth is a significant addition and concern, as no residual evidence of exploitation may be identified either immediately or over time. This is a key component of espionage, as opposed to damage.
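The practitioner's caveat to "exit by stealth" is that removing evidence usually leaves evidence of its own. The following is an added example, not code from the newsletter or its author: a small detector that flags two such traces in a stream of forwarded events, the Windows events that record a log being cleared (Security event 1102, System event 104, which ATT&CK files under Indicator Removal, T1070.001) and breaks in per-host record numbering, which indicate records were dropped or deleted. The line format and the sample log are constructed for illustration and are not real Windows event log output.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Windows event IDs that record the removal of evidence itself.
# 1102: "The audit log was cleared" (Security log); 104: System log cleared.
LOG_CLEARED_EVENT_IDS = {1102, 104}


@dataclass(frozen=True)
class Event:
    record_no: int   # sequence number assigned by the log source
    event_id: int
    host: str
    message: str


def parse_line(line: str) -> Event:
    """Parse one line of the constructed 'record_no event_id host message' format."""
    record_no, event_id, host, message = line.split(" ", 3)
    return Event(int(record_no), int(event_id), host, message)


def parse_log(text: str) -> List[Event]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_log_clearing(events: List[Event]) -> List[Event]:
    """Return the events that show a log was cleared (the trace the clearing leaves)."""
    return [e for e in events if e.event_id in LOG_CLEARED_EVENT_IDS]


def find_record_gaps(events: List[Event]) -> List[Tuple[int, int]]:
    """Return (last_seen, next_seen) pairs where a host's record numbers are not
    contiguous. In a stream that should be gap-free, a jump means records went
    missing between the source and the collector."""
    gaps: List[Tuple[int, int]] = []
    last_by_host: Dict[str, int] = {}
    for e in events:
        prev = last_by_host.get(e.host)
        if prev is not None and e.record_no != prev + 1:
            gaps.append((prev, e.record_no))
        last_by_host[e.host] = e.record_no
    return gaps


# Constructed sample: HOST01 clears its audit log; HOST02 loses records 2003-2009.
SAMPLE_LOG = """\
1001 4624 HOST01 An account was successfully logged on
1002 4688 HOST01 A new process has been created
1003 4688 HOST01 A new process has been created
1004 1102 HOST01 The audit log was cleared
1005 4624 HOST01 An account was successfully logged on
2001 4688 HOST02 A new process has been created
2002 4688 HOST02 A new process has been created
2010 4624 HOST02 An account was successfully logged on
"""


def analyse(text: str = SAMPLE_LOG) -> dict:
    """Run both checks and return the record numbers worth a closer look."""
    events = parse_log(text)
    return {
        "cleared": [e.record_no for e in find_log_clearing(events)],
        "gaps": find_record_gaps(events),
    }


if __name__ == "__main__":
    print(analyse())
```

Neither check proves an intrusion on its own; a scheduled log rotation or a collector outage produces the same traces. The point is that an adversary who wants to leave no residual evidence must also suppress these signals, which is why forwarding events to a collector the host cannot alter is the usual control.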
"Organizations and their information systems face increasing #risks and uncertainties from a wide variety of sources, including computer-based fraud, espionage, sabotage or cyberattacks. The present paper intends to provide a series of actions, procedures, and considerations that any organization must contemplate when dealing with a cyber-attack. Certain sources of damage such as intrusion attacks or denial of services are becoming more common, ambitious and sophisticated over time. Absolute #security does not exist. That is why organizations must adopt methods and strategies that allow them to prioritize those risks that, due to their probability of occurrence and level of impact, represent a greater potential harm to the business. When preparing to deal with probable cyber-attacks, the key is understanding the logical flow of actions that could be performed during the attack, incorporate best practices, assess the levels of risk faced by the organization and proactively design a handbook to react during these scenarios."
The documented and spoken definition of security is neither static nor consistent, confounding even the best attempts of professionals to consistently speak about the same thing when discussing or directing security matters, including where safety may mean the same, if not a similar, thing.
What hope do lay people and the general public have?
Despite the seemingly obvious definition of security, definitions, context and scope remain constant calibration points prior to progress or application in the name of security-related action/s.
#risk cognition, risk perception, risk analysis, risk assessment, cognitive biases, threat analysis, risk management and security risk management lessons, guidance and research.
"If you want to teach yourself to get a better grasp on #uncertainty and #risk, you have to recognize two very different types of learning: intellectual and experiential. (p.2) The goal of this book is to help you make better judgments involving #uncertainty and #risk, both when you have the leisure to deliberate and, more importantly, when you don’t. (p.4)" - Savage, S. (2009) The Flaw of Averages: Why we underestimate risk in the face of uncertainty, Wiley & Sons.
Security decisions and trade-offs are not only highly threat and risk influenced, but also mediated and curated as information and exposure cascades or escalates within an organisational setting or operational environment.
That is, routine and non-routine security measures change daily in light of new knowledge or awareness of specific threats.
However, how 'security' or 'safety' is then managed or implemented, remains in the hands of individuals and management alike, being filtered through layers of decisions, hierarchy and proximity/awareness of the specified or identified threat(s).
"This introductory module and the four thematic modules feature a selection of case studies illustrating how key #security-related principles – including internationally endorsed recommendations – have been operationalized by Governments, private-sector entities, operators of vulnerable sites and civil society organizations. The modules also summarize the content of several tools (e.g., manuals, handbooks, compendiums) which provide guidance on policies and operational actions to reduce the vulnerability of the sites and increase their #resilience."
There will forever be at least two significant factors influencing #securityriskmanagement that are neither completely measurable nor totally visible. That is, no one person or organisation will totally know from whom (individuals, groups, communities, etc) they are at #risk, nor will they know precisely what means those adversaries may use; therefore complete and accurate measurement of protective measures will remain unattainable.
In other words, you don't always know who your adversary is, nor do you know if all your #security products and services adequately mitigate said #risk.
A lack of breach, harm, incident or event is not a measure of either.
As a result, organisations, communities and management routinely consider security a grudge cost, even up to the point where there has been a major loss, harm, damage and/or injury.
Purely because the threat remains invisible and you can't know if your security measures have been, and will be, effective into perpetuity.
"...in times characterized by pervasive disagreements over the nature and importance of #risks, establishing a workable consensus is not merely a matter of educating the public about expert knowledge. (p.11) ...The growing realization that public perceptions of #risk involve numerous factors other than those that experts would take into account has dramatically transformed debates over the role that public and expert views about #risk should play in societal decision-making. One emerging point of resolution in these debates is that input from the public is valued for its contribution to ‘social rationality’, which encompasses matters of preference, culture, values and ethics." (p.11) - Bammer, G., & Smithson, M. (Eds.). (2012). Uncertainty and risk: multidisciplinary perspectives. Routledge, p.xvi
Business continuity, security and risk management do not operate in a vacuum.
That is, each aspect of business continuity and security risk management, regardless of technology and automation, operate across complex human endeavours, relationships, culture and interactions.
The resulting cultural web for business continuity creates the paradigm for individuals and organisations, which in turn is inherently unique.
Business continuity, security and risk management practitioners should take heed and caution to map and understand these informal structures and relationships as they remain essential elements for activation of strategy, results and resilience.
"#Criticalinfrastructure acts as the life support system of our everyday existence. Our societies are sustained by a highly complex and sophisticated network of infrastructure systems. Our citizens expect and rely upon functioning institutions and services for their health, safety, security and economic well-being.
This life support system has become more efficient and productive due to technological advances, the interchanges of globalisation, and the demands of an increasingly urban population. The advent of life 3.0 - the overlapping of the digital and physical world - allowed us to monitor and even control infrastructure from anywhere in the world.
However, with heavy reliance and real-time connectivity comes vulnerability to threats. The interdependence of our infrastructure through sectors and industries, between cyber and physical areas, and across national boundaries, means that the consequences of an attack could be far reaching."
Perception is critical. Perceptions matter. Perceptions count. Perceptions lead us in all manner of directions, beliefs and perspectives, because perceptions are neither fully predictable nor consistent across individuals and cultures.
As a result, perception attenuates, distorts and amplifies select and cumulative aspects of risk, safety, security and resilience in real life, throughout analysis and in documented narratives.
In other words, a variety of disparate lenses filter the world and ultimately our perceptions, which in turn vary across time, context and circumstances.
This varies again across people, cultures, demographics and archetypes/stereotypes, particularly where 'first impressions' capture very few data points and little objective evidence, and are made during busy, 'on the run' contexts.
"Organized #crime is usually thought of as being committed by highly organized, professional criminals operating at domestic levels. The current researchers are now suggesting that organized crime consists of a much larger number of small, criminal enterprises, often transitory in nature, that develop to exploit opportunities for illegal profit. This new picture of organized crime is reinforced by the results of research on transnational crime such as money laundering, trafficking in women and stolen cars, and counterfeiting of currency and high-value products. Consistent with routine activity theory, these new forms of organized crime have emerged in response to new opportunities for criminal profit resulting from increased globalization and technological development. Globalization has led to increased migration, legal and illegal, which in turn has increased the opportunities for transnational crimes."
- Natarajan, M (ed) (2019) International and Transnational Crime and Justice, Cambridge University Press. Kindle Edition. p.161
Deriving better practices and lessons learnt from any and all public health, safety, security, risk and crisis events requires comprehensive analysis and ethnographic consideration of all representative findings, views, practices and affected parties.
As with most sciences, this process should be public, structured and contributed to by qualified, trained and experienced professionals. Otherwise, public slinging matches between power, influence, politics and concealed preferences ensue.
More importantly, the understanding and application of security risk management in public and private settings can be enhanced by analysing and reviewing case studies, research and the informing body of knowledge, by technical and scientific means.
Therefore, public inquiry and public documentation provide an excellent opportunity to unpack complex health, governance, security sciences, risk management, sociological and ethnographic influences.
In other words, lessons can be learned, and processes studied, to prevent similar instances and maintain high standards / better practices.
Despite the relatively niche subject matter and expertise, I'm both flattered and over the moon that practitioners, professionals and academics are reading my extensive research and thoughts on matters relating to international #travel and potential #safety, #security and #risk(s), including #terrorism and #crime. Thank you.
"... opportunity reduction needs to be focused, systemic and tailored to the nature of the #crime problem in question" - Sutton, A., Cherney, A. & White, R. (eds) (2014). Crime Prevention: Principles, Perspectives and Practices, 2nd ed, Cambridge, p.65
Despite persistent public opinion and constant blurred or overlapping lines between public and private security, there remains a significant difference between private security education, qualification, roles, responsibilities and application when compared to that of policing within a public security environment.
There will forever be tension, disputes and misunderstanding(s) between those that seek to govern or regulate and those that are 'busy playing the game' or entities and industries trying to make money.
Particularly where either side has little to no experience in the other's role or responsibility(ies).
These divides are particularly acute and even more pronounced in matters of security, safety or risk.
In other words, if you are a junior or senior regulator/governance individual, with little to no actual experience in the day-to-day running of operations, business, administration, contracts, projects, technology and the endless, growing bureaucratic demands of running a profitable, sustainable business, you will never know all the formal and informal rules and requirements of 'the game', often viewing even the most basic 'play' (read: business) as reckless, dangerous and requiring even more control, regulation and 'frameworks'. Like a hovering parent.
Risk, Security, Safety & Resilience are dependent upon learning. Learning in advance. Learning on-the-go and learning after events, disaster, crisis and occurrences.
That is, throughout the entire safety, security, risk and resilience vocation, practice and phenomena, there are demands, opportunities and requirements to learn.
But, how do we learn? More importantly, how do we learn during live events?
Learning is often non-structured and non-linear, and presents differently to different people, in differing ways and at different times.
In other words, cognitive models of learning inform all professions, but threats, vulnerabilities, danger, hazards and 'risk' arise and occur at varying times and places.
"Salus Journal is an independent and peer-reviewed online open access journal. It engages in serious and scholarly exploration of contemporary challenges, and aims to advance knowledge, inform or innovate practice, and improve responses to issues related to:
1) national?#security,
2) #crime and control,
3) #emergencymanagement, and
4) justice studies."
Security (and Risk Management) have a problem. Not just the growing complexity, capability and persistence of threats, hazards, dangers, perils and bad actors (criminals, internal threats, opportunists, issue motivated groups, adversaries, etc) but that of consistency of qualification(s) and majority representation (power distribution curve/fat tail/kurtosis) across disciplines, industry and skill sets.
That is, both security and risk lack a universal, consistent definition.
It could mean anything and everything; therefore anyone can work in 'security' or 'risk' if vague enough, unregulated or accepted based purely on stories, titles and past 'deeds'.
Furthermore, the education, knowledge and qualifications that feed into both security and risk are scattered, unstructured and tainted/confused by a growing cohort of 'certifications', accreditations, post nominals and other 'participation rewards', ranging from online forms and a few hours of instruction to structured national education programs, university degrees and advanced (Masters/Doctoral) programs.
----------------------------------------------------------
Risk, Security, Safety, Resilience & Management Sciences
The focus on risk categorization, resilience demands, and critical infrastructure aligns with the current challenges organizations face.
The inclusion of tools like the Strategic Toolkit for Assessing Risks reflects the commitment to evidence-based approaches in managing health emergencies. This newsletter is a valuable resource for staying informed about the latest developments in the field.
Entrepreneurial Leader & Cybersecurity Strategist
11 months
The articles on risk clusters, operational security, cyber risk in central banking, and a new generation of adversaries provide practical perspectives for risk management professionals.
Owner at Arcuri Group
2 years
Excellent and very educational. Thanks Tony Ridley, MSc CSyP MSyI M.ISRM!