Security, Risk, Safety and Resilience Newsletter - Week of 31 Mar 22
Ridley Tony
Experienced Leader in Risk, Security, Resilience, Safety, and Management Sciences | PhD Candidate, Researcher and Scholar
The following is a summary of security, risk, safety and resilience articles, topics and issues ending the week of 31 Mar 22.
Key themes for this week include:
-----------------------------------------------------------
Much is said, and even more relied upon, when it comes to 'situational awareness', yet little is offered or measured when it comes to consistent application or units of analysis.
That is, just what are you being 'aware of' in any given situation, what modifies your view, response or efficacy, and how can you compare your approach to that of others?
In other words, situational awareness is not merely a process of looking around, asking questions, thinking deeply about a problem or reading/researching widely.
Moreover, how you perceive and interpret any given situation will vary from person to person and be further modified by groups, power, authority and privilege.
Overall, situational awareness remains a learned and observable phenomenon, not merely an intuitive 'gut feel' passed from person to person or as part of organisational culture, exposure or demand.
Expressions of #risk, #resilience, and guidance on urgent business actions such as #crisis routinely lack specific organisational contexts or characteristics. That is, risk and resilience are neither neutral nor universal across all types of organisations and typologies, meaning that crisis or any other extraordinary 'call to action' must be planned, considered, and actioned within the context in which the organisation exists. Moreover, threats and crises that impact multiple organisations, industries and geographies must also consider a multitude of organisational constructs, typologies, and characteristics.
Business continuity, security and risk management do not operate in a vacuum.
That is, each aspect of business continuity and security risk management, regardless of technology and automation, operates across complex human endeavours, relationships, culture and interactions.
The resulting cultural web for business continuity creates the paradigm for individuals and organisations, which in turn is inherently unique.
Business continuity, security and risk management practitioners should take heed and caution to map and understand these informal structures and relationships as they remain essential elements for activation of strategy, results and resilience.
"While societies and citizens are powerless to prevent the occurrence of, for example, the seismic, volcanic, and tsunami activity that arises from plate tectonics, there is much they can do to mitigate their #risk and to understand and manage the consequences they could experience should a disaster occur" Paton, D. and Johnston, D. (2017) Disaster Resilience: An integrated approach, 2nd ed, Thomas Books
"Security" remains a term, practice and derived benefit unevenly distributed across various domains.
That is, security means and appears as different things to different audiences dependent upon benefits, costs, roles and priority of support.
Moreover, the individual perception, application and benefit of security provided by many and varied public, private, commercial and corporate actors varies immeasurably and is rarely effectively mapped or measured, let alone held constant.
Furthermore, security varies further across geospatial and temporal scales.
In other words, specific 'security' varies from one geographical place to another and is typically applied at different times for different proactive, defensive or reactive reasons.
For example, military security, national security and community resilience predicated upon securitisation (water, food, societal, crime, violence, equality, etc.) are not the same as public, homeland or corporate security, yet they act collectively to create safety, security and resilience outcomes for individual and collective communities.
"This research begins with the premise that corporate leaders' efforts to manage #security #risks—threats to physical assets, IT infrastructure and personnel—will be more effective when informed by a clear understanding of those risks' societal motivators. Executives and board members recognise that sources of conflict—such as ethnic or religious differences, poverty and income inequality, hunger and resource scarcity—motivate many of the insecurity risks they face, a global survey conducted by The EIU reveals."
Any sufficiently detailed consideration of threat/s or harm specific to an organisation or entity will typically result in a clustering of risk themes.
This taxonomy subsequently acts as a framework for analysis, identification of controls and modifiers, and scales of harm that inform the overall risk rating associated with both the threat and the asset at risk.
As a result, it can be helpful to start with a high-level understanding of key risk areas, or to compare iterative results against a final, considered framework.
"What is Security Risk Management? Security #RiskManagement is our system of identifying future harmful events that may affect the achievement of objectives: assessing them for likelihood and impact; and determining an appropriate response. Any United Nations objective, from global strategic goals to local programme plans, may fail because of various obstacles. In the #security context, obstacles are called threats. All managers must identify threats and evaluate how these threats may affect their objectives. In many of the places where we work, the effect of threats, if not managed, can be fatal to personnel and programmes. #Risk, on the other hand, is the combination of the likelihood of a threat being carried out and the subsequent impact for an organization. The process whereby a manager identifies, evaluates and systematically deals with obstacles to success is risk management. Security measures can either be used to prevent a vulnerability from being exploited or mitigate the impact of an exploitation, or both. One way to think of risk management is that it is the systematic determination and implementation of timely and effective approaches for managing the effects of threats to the organization. #SecurityRiskManagement is merely the management of security-related risks."
Security risk management is not only the science of risk identification, calculation and protection, but also the consideration of adaptive, intelligent and purposeful individuals or groups seeking to circumvent controls and impose loss, harm or damage on assets.
In other words, bad actors, criminals, terrorists and an array of adversaries.
Without adequate and detailed consideration of adversaries, security, and all acts, artefacts and expenditure in the name of 'security', are blunt instruments applied to everyone at all times. That is not contemporary security risk management, nor security as a science.
Therefore, it is not only essential to study, anticipate and protect against specific and broad adversaries; it is also essential to analyse these adversarial actors, their associations and their capabilities in depth.
"Defining Business Continuity Management: Holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities"
"#Cybersecurity threats posed by an organization's employees and contractors are commonly referred to as insider threats. Insiders typically fly under the radar of traditional security defenses, making it difficult to detect and prevent any improper activities. According to government and industry experts, the most common insider threats arise from: 1) accidental leaks, which might originate from a phishing attack or from an employee forwarding a sensitive email to the wrong person; 2) misuse of network access or database privileges, where an employee intentionally circumvents cybersecurity policies or procedures; and 3) data theft, where an employee removes data from an organization with the intent of selling or otherwise inappropriately releasing it."
"Enterprise risk management (ERM) in healthcare promotes a comprehensive framework for making risk management decisions which maximize value protection and creation by managing #risk and uncertainty and their connections to total value."
Tony Ridley, MSc CSyP MSyI M.ISRM
Security, Risk & Management Sciences
BOARD CERTIFIED SECURITY PROFESSIONAL
2 years ago: Tony, you are one of the most resourceful people I have encountered remotely. Your contributions and experience in matters of security are amazing, and the fact that you share freely is wow...
Manager, Technology Resilience, Governance, Risk & Regulatory Compliance
2 years ago: Love your work Tony Ridley, MSc CSyP MSyI M.ISRM