Risk, Security, Safety and Resilience Newsletter - Week of 30 November 2024

The following is a summary of articles on security, risk, safety, and resilience, as well as topics and issues, ending on 30 November 2024.

Key themes for this month include:

  1. Risk: Appetite, Quantitative Risk Analysis & Uncertainty
  2. Resilience: Critical Infrastructure, Systems & Assessments
  3. Security: Cybersecurity, Frameworks, Crime Prevention
  4. Safety: Infrastructure, Public & Risk Analysis
  5. Business Continuity: Infrastructure, Horizon Scanning & Analysis

-------------------------------------------

Risk Matrix #5 Fungibility

Read More -->> https://buff.ly/416rhqc

"We want to be able to say how a person comes to be in one rather than another cell of the #riskmatrix and consequently also how a person sometimes moves (or better, is moved, since this is not something we can just decide to do) from one cell to another. But all such responses must be made against a baseline sense of a usual situation, which will already include various features intended to control risk. This is easiest to see for activities like parachute jumping or scuba diving, which in the absence of considerable precaution would simply be methods of committing suicide. Parachute jumpers and scuba divers are not struck with terror at the thought of doing what they go to a lot of expense and trouble to do."

Read More -->> https://buff.ly/416rhqc

Risk Management: Guide for Directors

Read More -->> https://buff.ly/4hshaBL

"#Riskmanagement should be integrated with governance in a single framework for any organisation overseen by a board or other governing body. The board should put in place a structured, continuous process to identify, manage and respond to risk."

Read More -->> https://buff.ly/4hshaBL

Risk Management Handbook: NASA

Read More -->> https://buff.ly/3WTSf1Y

Risk Assessments: Qualitative, Quantitative & Mixed Methods

Read More -->> https://buff.ly/3QaYU43

"No approach works exclusively with statistical techniques or with testimonies. The two kinds of data are not exclusory. The complexity of life in society and the accelerated process of change now require the overcoming of reductionist stances in terms of operation and techniques."

Read More -->> https://buff.ly/3QaYU43

Risk Appetite: Guidance

Read More -->> https://buff.ly/4aTZ8G7

"Risk appetite is not a single, fixed concept. There will be a range of appetites for different risks which need to align and these appetites may well vary over time: the temporal aspect of risk appetite is a key attribute to this whole development."

Read More -->> https://buff.ly/4aTZ8G7

Research onion: Risk, safety, security & resilience analysis

Read More -->> https://buff.ly/3CJAono

"...how you collect your data belongs in the centre of the research ‘onion’, the diagram we use to depict the issues underlying the choice of data collection techniques and analysis procedures in Figure <below>. In coming to this central point you need to explain why you made the choice you did so that others can see that your research should be taken seriously (Crotty 1998). Consequently, there are important outer layers of the onion that you need to understand and explain rather than just peel and throw away!"

Read More -->> https://buff.ly/3CJAono

Quantitative Risk Assessments: Risky Business

Read More -->> https://buff.ly/3CLzabj

"The Alchemy of QRA: ‘If we imagine the future in terms of probabilities, then risks look safe’ (Clarke, 2005, p. 42). Clarke’s warning is that the expression of risks as probabilities, quantified and given the appearance of objectivity, allows risk to be written off as safe, or in the case of cybersecurity: controlled. As a tool to advocate for budget and the acceptance of risk appetite, QRA operates as an enabling device, convincing the organization that approved projects can control against the complex, uncertain and ambiguous world of cybersecurity by following an objectively laid path of risks enumerated as probabilities. While QRA could potentially be viewed by an organization as a collection of expert information in its systems, once the information is gathered from SMEs and transformed into a QRA, the risk in question is legitimized, and any systems expertise communicated is obfuscated by numbers (Clarke, 1999)." (p.41)

Read More -->> https://buff.ly/3CLzabj

Strategic risks: National Assessment

Read More -->> https://buff.ly/40P1MbJ

"The risks identified are varied, can occur over different time horizons and have very different impacts in terms of immediacy, reach and costs. They can also be within varying degrees of national control. Many of the risks may also be interlinked, with the potential for cascade effects or multiple risks occurring concurrently."

Read More -->> https://buff.ly/40P1MbJ

CISO: Chief Information Security Officer

Read More -->> https://buff.ly/4jJ9b57

"Chief Information Security Officers (CISOs) are increasingly finding that the tried-and-true, traditional information security strategies and functions are no longer adequate when dealing with today’s increasingly expanding and dynamic cyber risk environment. Many opinions and publications express a wide range of functions that a CISO organization should be responsible for governing, managing, and performing. How does a CISO make sense of these functions and select the ones that are most applicable for their business mission, vision, and objectives?"

Read More -->> https://buff.ly/4jJ9b57


Security & Resilience - Protective Security Architecture and Framework

Read More -->> https://buff.ly/4hLvgy0

"Clarity on what protective #security is, what it means, how it can be implemented, and how its benefits can be measured, will be helpful to managers, regardless of the sector. This is particularly important for the many organizations that have expended substantial resources on various security measures that have not necessarily been coordinated or informed by the full range of security risk. In an increasingly complex security environment, this document aims to provide clarity in this regard and to provide a basis for better enterprise security outcomes as a result."

Read More -->> https://buff.ly/4hLvgy0

Crisis Communications: Planning Guide

Read More -->> https://buff.ly/42Hp71E

"The STOP planning checklist sets out the key elements of a good crisis comms plan.

- Strategy: Clear objectives rooted in audience insights

- Tactics: Set out key actions for the first hour, day, and week of a crisis

- Organisation: Build key relationships, clear sign-off processes, and assign roles

- People: Support your team with the right training"

Read More -->> https://buff.ly/42Hp71E

Uncertainty: Risk Analysis

Read More -->> https://buff.ly/4jMO41N

"This report reviews #uncertainty and uncertainty analysis methods in risk assessment, with a specific focus on issues related to import risk assessment. The report is motivated by the availability of qualitative and quantitative methods for import risk assessment. It examines how the challenges posed by uncertainty influence choices between these two approaches. The project’s terms of reference are to summarise and categorise the different sources of uncertainty in risk assessment problems, and review the practicality and applicability of a range of treatment methods. The report is intended for scientists and managers involved in, or contemplating the use of, qualitative or quantitative risk assessment. Whilst the report focusses on import risk assessment, readers from other application domains will find that much of the information and analysis presented here is relevant to them."

Read More -->> https://buff.ly/4jMO41N


Enterprise Risk Oversight: Global View

Read More -->> https://buff.ly/436w1xN

"Uncertainties abound that can introduce highly complex risks that can interconnect to create significant, and sometimes catastrophic, events to manage. This report confirms that this view is global with no region of the world immune to that reality. Risks are increasing in volume and complexity, suggesting that risks can appear suddenly and blindside all kinds of organisations, regardless of geography. Unanticipated risk events are leading to significant operational surprises."

Read More -->> https://buff.ly/436w1xN

Auditing: Cybersecurity Risk Assessment for Critical Information Infrastructure

Read More -->> https://buff.ly/3QbZYVa

"With rapid advancement in technology, shifting cyber threat landscape and increased digitalisation, organisations may be exposing themselves to greater #cybersecurity #risks that may potentially have an adverse impact to their organisation and business objectives. Thus, it is imperative for organisations to manage these cybersecurity risks effectively. Cybersecurity risk assessment (referred to as “risk assessment”) is an integral part of an organisation’s enterprise risk management process.

By conducting a risk assessment, organisations would be able to:

- Identify “what could go wrong” events that are often a result of malicious acts by threat actors and could lead to undesired business consequences.

- Determine the levels of cybersecurity risk that they are exposed to. A good understanding of the risk levels would allow an organisation to dedicate adequate action and resources to treat risks of the highest priority.

- Create a risk-aware culture within the organisation. Risk assessment is an iterative process that involves engaging employees to think about technology risks and how they align to business objectives."

Read More -->> https://buff.ly/3QbZYVa


The Risk Matrix

Read More -->> https://buff.ly/42IzbaH

"...the costs of avoiding one risk include the costs of accepting some other risk"

Read More -->> https://buff.ly/42IzbaH

Critical Infrastructure Annual Risk Review

Read More -->> https://buff.ly/3EwqMx1

"Owners and operators of critical infrastructure need to maintain clear visibility of the extent of risks they face, including from cyber, personnel and physical threats, and from supply chain hazards and natural disasters. This review was designed to reach a diverse audience across all levels of enterprise, government, and the broader community."

Read More -->> https://buff.ly/3EwqMx1


Risk-Based Internal Audit

Read More -->> https://buff.ly/4jQhCLJ

"...risk-based internal #audit is being viewed by the management as an important tool to assess the management of the risks that are barriers to the objectives and success of the organization. Risk-based internal audit involves the assessment of the risks' maturity level, expressing opinion on adequacy of the policies and processes established by the management to manage the risks. Risk-based internal audit mainly reports on the risk management that includes identification, evaluation, control and monitoring of the risk. A risk-based internal audit mainly focuses on the objectives rather than looking at the controls and transactions. This demands that the internal auditor have the skills to provide a broad level of assurance to the management."

Read More -->> https://buff.ly/4jQhCLJ


Uncertainty Analysis: Risk Assessments

Read More -->> https://buff.ly/3CDG96d

"The Futures Toolkit takes you through 12 different Futures thinking tools, with advice on how to implement them. It also pulls these together into a number of pathways to meet specific objectives. The toolkit is intended to be accessible to people who have little or no experience using these tools, as well as a useful reference for those who are more experienced and a guide for those commissioning Futures projects."

Read More -->> https://buff.ly/3CDG96d

Analytical Risk Management

Read More -->> https://buff.ly/42Uo2U2

"...it should be stressed that risk assessment methods as a means to identifying countermeasure options are not beneficial if they are presented as excessively detailed, overly quantitative, or if they are not integrated into the management decision-making process. It is the intent of this guide to encourage users to select and apply analytical tools that are appropriate for their tasks and in the context of their customer’s decision-making system. Excessive formalization that tends to over-complicate the risk management process should be avoided." (p.1)

Read More -->> https://buff.ly/42Uo2U2


CPTED: Crime prevention through environmental design

Read More -->> https://buff.ly/42MveBG

Read More -->> https://buff.ly/42MveBG


Horizon Scanning: Emerging Risks

Read More -->> https://buff.ly/4hzzU2r

"Horizon scanning can be a good technique for people to look at complexity, challenge assumptions and review multiple ways that events could unfurl, in order to increase the resilience and reliability of their organisations. It is not about trying to predict the future but rather to review options so that evidence-based decisions can be made. There are many definitions of horizon scanning, for instance:

- An organised and formal process of gathering, analysing and disseminating value-added information to support decision-making

- A systematic examination of information to identify potential threats, risks, emerging issues, and opportunities allowing for better preparedness and the incorporation of mitigation and exploitation into the policy-making process

- Exploration of what the future might look like to understand uncertainties better and to analyse whether the organisation is adequately prepared for potential opportunities and threats"

Read More -->> https://buff.ly/4hzzU2r


-------------------------------------------

Tony Ridley, MSc CSyP FSyI SRMCP

Risk, Safety, Security, Resilience & Management Sciences
