Vulnerability: Threat & System Risk Analysis Informing Scales of Resilience, Risk, Harm and Readiness

Tony Ridley, MSc CSyP MSyI M.ISRM


Vulnerability is routinely an inadequately considered or evaluated facet of risk analysis, security risk management, business continuity and resilience.

That is, detailed, systematic and transparent scales for evaluating individual and cumulative threat factors are rarely in place; what exists remains opaque and superficial, resulting in non-specific or generic scales of vulnerability and undermining the best intentions of any risk management strategy.

In other words, risk ratings and values remain invalid and unreliable unless both threat and vulnerability are considered in detail and updated as new information, behaviours and asset exposure change.

A dynamic, contextual and scalable approach to considering vulnerability is required. Risk science academics and researchers have recently emphasised this requirement and analysed the inherent weaknesses of contemporary risk management approaches, especially in the face of novel, emergent and systemic risk(s).

"...a single vulnerability classification process can evaluate vulnerabilities for a collection of similar behaving risk events, thereby promoting overall efficiencies in the risk management process."

(Thekdi & Aven, 2021)

Remember that 'good' vulnerability analysis is only effective if conducted in concert with an equally detailed and systematic analysis of the threat. That is, both threat and vulnerability are required for risk estimates, calculations and forecasts to be informed and remain even remotely accurate. Moreover, vulnerability specificity remains one of the defining factors of 'better' risk management practice(s), while an absence of detailed vulnerability consideration remains characteristic of 'poor' risk management practices and the associated wastage.

"...this transition from an event-specific vulnerability classification system to a collection-of-event-specific system better allows decision-makers to gauge risk based on features of consequences, uncertainty and knowledge, instead of relying on information about unknown or surprising events that cannot be adequately foreseen."

(Thekdi & Aven, 2021)

Vulnerability, much like risk, is an accumulation of numerous factors. Each factor must be documented, evaluated and considered both in isolation and collectively. Variance, controls, management and improvements must also be reviewed and analysed in time cycles relevant to the threat, environment and potential for harm. That is, if the threat and vulnerability vary, so too must risk management practices and prioritisation.

NOTE: before asserting or espousing "our most vulnerable", transparent, empirical and repeatable vulnerability assessments must be present. In other words, it is simply not good enough to champion 'the vulnerable' without evidence, analysis and rigour. Otherwise, the 'strength of knowledge' (general and specific) sits at the lower end of the scale, amplifying uncertainty and the non-specificity of risk.

"Decision-makers can benefit from studying why a particular system exhibits some level of vulnerability, which can influence near-term decisions."

(Thekdi & Aven, 2021)

In sum, vulnerability remains an essential, contextual aspect of all risk analysis practices and the risk management practices that result from them. Therefore, as with threat analysis, vulnerability risk ratings and scales must contain specific, transparent and measurable criteria (quantitative and qualitative).

This includes exposure to specific threat(s). Variance in threat and/or vulnerability should therefore result in commensurate risk, resilience and service continuity measures.

While the majority of security risk management practitioners and professionals remain intimately aware of such requirements, general enterprise risk management practices and frameworks continue to pay lip-service to vulnerability factor analysis.

This is most evident in cybersecurity narratives, failures and omissions.

In short, and in very broad terms, risk is the result of exposure and vulnerability to specific threat(s) within a specific setting, dependent on the controls and management intervention(s) in place.

Without understanding and measuring vulnerability, resilience and continuity cannot be assured and wastage is all but inevitable.

Tony Ridley

Risk, Security, Resilience, Safety & Management Sciences

Reference:

Thekdi, S. A., & Aven, T. (2021). A risk science approach to vulnerability classification. Risk Analysis, 41(8), 1289-1303.
