Security, Risk, Safety and Resilience Newsletter - Week of 24 Feb 22
Ridley Tony
Experienced Leader in Risk, Security, Resilience, Safety, and Management Sciences | PhD Candidate, Researcher and Scholar
The following is a summary of security, risk, safety and resilience articles, topics and issues ending the week of 24 Feb 22.
Key themes for this week include:
-------------------------------------
Forced, rapid and new changes within organisations, industries and economies have created a new 'target rich environment' for both traditional threats and new predators such as criminals, cyber hackers, terrorists and syndicated/organised bad actors.
That is, what was once considered 'safe', 'secure' and even 'protected' has fundamentally changed during, and as a result of, the pandemic and the impact it has had on organisations, supply chains, industry and individuals.
In practical terms, think about how many more people have, and continue to, work remotely or from home.
As a result, this shift alone has expanded the 'surface area' of organisations exponentially.
"Enterprise risk management (ERM) takes a broad perspective on identifying the risks that could cause an organization to fail to meet its strategies and objectives. Once risks are identified, the next issue is to determine the root causes or what drives the risks. A suggested approach is described and followed by a discussion of several qualitative and quantitative procedures for assessing risks."
"Risk means: "effect of uncertainty on objectives". "Uncertainty" is not about how things will happen, but is more about our state of knowledge. It is more about our "lack of knowledge" about how things will turn out. Events will happen, we just don't know which, how and when. Uncertainty is our ignorance. Uncertainty is "the state, even partial, of deficiency of information related to understanding or knowledge of an event, its consequence or likelihood." If we replace this meaning of uncertainty in the definition of risk, we come up with: #Risk = the effect of ignorance on objectives."
All too often, security risk management documentation within organisations is constructed in the opposite manner to that in which it is needed.
That is, systematic, administrative and wordy narratives around what security is, how it works and what will happen in the event of x, y or z all have their place, but they are of very low value in an emergency, crisis or critical security event.
Clear, concise, easy to access and fast to implement 'actions on' rule the day during crisis and prevent and protect to a greater degree than lengthy corporate or government documentation.
"Schools serve as the setting for some of the most critical and poignant experiences in one's life, helping students establish a foundation for future educational and career aspirations, develop lifelong social and emotional skills, and forge critical connections with their peers and mentors. Alongside this noble mission, school communities must also increasingly contend with an evolving and unique set of threats, hazards, and #security challenges, including violence and crime-related incidents. Schools often face these threats with limited resources and experts, and the specificities and nature of risks can vary dramatically based on a school's geographic setting and campus characteristics. Every day, our kindergarten through grade 12 (K-12) schools must balance safety, teaching and learning, school operations and culture, and the surrounding community, creating a complex environment and set of priorities."
Forecasts abound when it comes to security, risk and resilience. That is, there seems to be a new universal safety, security, risk or resilience forecast every day or so.
However, have you noticed the lack of a universal process and measurement, the vastly differing inputs, and the lack of disclosure on methods, prior accuracy and author bias, competencies or qualifications?
In other words, not all forecasts are created equal, nor should they be consumed or relied upon equally either.
Moreover, for any reasonable, professional forecast -- regardless of the domain, such as safety, security, risk or resilience -- the forecast itself, its methods and its findings are all measurable, whether for accuracy, completeness, context or errors.
"Risk communication is the term of art used for situations when people need good information to make sound choices. It is distinguished from public affairs (or public relations) communication by its commitment to accuracy and its avoidance of spin. Having been spun adds insult to injury for people who have been hurt because they were inadequately informed. Risk communications must deal with the benefits that #risk decisions can produce (e.g., profits from investments, better health from medical procedures), as well as the risks — making the term something of a misnomer, although less clumsy than a more inclusive one."
"The three main components of the #Cybersecurity Framework are the Core, the Framework Implementation Tiers (Tiers), and the Profile. These terms are frequently used in this Framework guidance document and defined below.
1) The Core is a set of "cybersecurity activities, desired outcomes, and applicable Informative References that are common across critical infrastructure sectors." The Core comprises four elements: Functions, Categories, Subcategories, and Informative References.
2) Tiers describe an organization's approach to "cybersecurity #risk and the processes in place to manage that risk," ranging from Tier 1 (Partial) to Tier 4 (Adaptive). Each Tier demonstrates an increasing degree of rigor and sophistication of cybersecurity risk management and integration with overall organizational needs.
3) Profiles align the Framework core elements with business requirements, risk tolerance, and organizational resources. The Profile can be used to identify opportunities for improving cybersecurity posture by comparing a Current Profile to a Target Profile. Profiles provide a roadmap to reduce cybersecurity risk consistent with business practices."
Precautionary principles and risk mitigation strategies are routinely treated as being in conflict, or traded off as a binary choice between one and the other.
In practice, risk management practices and beliefs are likely a mix of both concepts, represented or considered in varying degrees.
Therefore, the question of which factor (precautionary or risk analysis) is in play should remain top of mind for practitioners, management and governing boards.
While not immediately intuitive, the segmentation between beliefs, science and other evidentiary factors routinely triggers the process and ultimately leads to one of many, diverse outcomes.
"The objective of this emergency action plan template is to help organizations prepare their personnel for active shooter scenarios. This template documents basic information recommended for an effective emergency action plan. Organizations are encouraged to consider their unique circumstances and/or structure to ensure a more comprehensive plan. It applies to permanent employees, temporary employees, contractors, and visitors associated with this organization."
"Attacks on organizations in critical infrastructure sectors have increased dramatically, from less than 10 in 2013 to almost 400 in 2020 — a 3,900% change. Attacks targeting process integrity can result in lethal impact by undermining the physical process while hiding changes from plant operators. Governments across the world are now realizing their national critical infrastructure has been an undeclared battlefield for decades. They are mandating more security controls for the cyber-physical systems (CPS) that underpin mission-critical efforts, and increasing their national security efforts to counter attacks on critical infrastructure. The traditional network-centric, point solution security tools originally deployed in critical infrastructure operations are no longer adequate to account for the speed and complexity of the emerging threat environment."
Tony Ridley, MSc CSyP MSyI M.ISRM
Safety, Security, Risk & Resilience Sciences