Security Risk Management: Architecture, Connections, Protection, Threats and Resilience within Systems

Security risk management across physical and digital domains shares common architecture but protects differing assets in varying ways.

However, entities, relationships, functions and roles should not only be clear but mapped to demonstrate the complex, distributed network requirements of security risk management to protect one or more assets.

In other words, physical and digital security risk management requires planning and clear understanding of who/what does what at any given time, along with the process for governance, accountability and performance management.

Risk should therefore be considered within the context of both the security system/s and threats (internal and external).

Not surprisingly, popular risk management tools and practices fail to adequately consider, evaluate and validate each of these dynamic, protean factors, resulting in superficial perspectives and understanding of threat, harm and risk within complex systems comprising both digital and physical security mechanisms.

"...security metrics that can quantify the overall risk in an enterprise system are essential in making sensible decisions in security management."
-(Singhal and Singapogu, 2012)

A single enterprise may have one or more such security risk management architectures, especially if digital assets or value such as information, knowledge or data are in both static and mobile states.

Perspectives of risk must be revisited and validated for each specific, new or emergent threat.

Quality of protection, services, security objectives, business goals, hardware/software and the security/resilience of all these connections and relationships must also be evaluated in full.

That is, assessments are mandatory, not discretionary. Moreover, risk calculations lacking specific, detailed assessments are not risk calculations at all.

It is also worth noting that, unlike conventional, tangible assets, the value and utility of digital assets may also amplify and modify overall asset worth.

In other words, data, information and the knowledge picture they create, while intangible, are infinitely more valuable than generic titles and classifiers of 'data', requiring considerable investment in and design of commensurate security risk management practices and architecture to protect said high-value assets.

Professionals can assess the quality and efficacy of security risk management claims by the architecture, evidence and measurement of the system and all its parts, digital and physical.

"Good models provide a rationale for measurements and these data models can be updated and calibrated as new data becomes available."
-(Singhal and Singapogu, 2012)

Executive leadership and boards should start to do the same thing for the same reason.

In sum, security risk management across digital and physical domains requires considerable planning, evidence of existence and assessments of efficacy on a routine basis.

Network architecture serves as a valuable start point but requires supporting, detailed security risk analysis at each connection and junction before individual or collective assertions around resilience, protection and prevention can be substantiated.

As a result, risk is determined based not only on the asset/s, threats, vulnerabilities and the system status but also that of the evaluation process/es which attest to protection, prevention, detection and response throughout.

Remember that protection and resilience are fleeting in both the physical and digital world: everything can change within seconds with the introduction or appearance of a novel, unanticipated, complex or adaptive threat targeting you and your assets.

Tony Ridley, MSc CSyP MSyI M.ISRM

Security, Risk & Management Sciences

Reference:

Singhal, A. and Singapogu, S. (2012). Security ontologies for modeling enterprise level risk assessment. In Proceedings of the 2012 Annual Computer Security Applications Conference, Orlando, FL, USA (pp. 3-7).
