Why the security 'threat' and risk rating you have right now is inaccurate, incomplete and a lesson in reductionism (simple complexity)
Tony Ridley
Experienced Leader in Risk, Security, Resilience, Safety, and Management Sciences | PhD Candidate, Researcher and Scholar
The security risk rating and threat analysis you have right now is inaccurate. The question for organisations and industry is ... just how inaccurate?
Your security threat and risk analysis estimates, ratings and assessments are inaccurate right now because you are evaluating, and protecting against, complex, adaptive, networked human actors. Both good and bad.
That is, in the time it takes to make your security assessment and report the relative 'risk', things have changed.
Sometimes considerably, sometimes incrementally. As a result, your estimates, numbers and analysis contain varying degrees of inaccuracy, error and guesswork, and are a summary of numerous factors and phenomena you cannot observe or fully monitor.
Notwithstanding, you remain dependent upon inputs, knowledge, updates and analysis from many other supporting actors, providers, organisations and government(s).
In other words, your security threat and risk assessment is a momentary attempt to summarise highly complex, dynamic and disparate factors (otherwise known as reductionism) into a simple, digestible and informative waypoint for others to make a decision or judgement upon.
This holds for each and every asset, or thing of value, because not all things of value are noted, documented or positioned as an 'asset' within organisations or service continuity planning.
"A ‘one size fits all’ approach is unacceptable. Each asset, each threat, and each potential terrorist attack situation has its own unique characteristics."
(Daniels et al., 2008)
Risk registers and risk ratings fabricated or constructed from similar accounting and mathematical models routinely overlook, or fail to disclose, these limitations and dynamic variables. Reflexive, routine analysis and updates are required. Like it or not.
"Unlike ‘black box’ technologies such as neural networks, the variables and parameters in a Bayesian network are cognitively meaningful and directly interpretable. Unlike traditional rule-based systems, Bayesian networks employ a logically coherent calculus for managing uncertainty and updating conclusions to reflect new evidence. Tractable algorithms exist for calculating and updating the evidential support for hypotheses of interest. Bayesian networks can combine inputs from diverse sources, including expert knowledge, historical data, new observations, and results from models and simulations." (Daniels et al., 2008)
However, it remains a rarity that organisations and governments consider, let alone construct, Bayesian network calculations and the supporting schema.
Not only are the results instructive, they unpack the scales of knowledge, intelligence and expertise that underpin the resulting analysis.
As security threats and risks are non-linear, such a schema is one of the first artefacts I look for, or seek to map, for transparency, consistency and legacy requirements.
The schema also informs triggers, tolerance, intelligence, protection, response and revision.
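As an added illustration of the Bayesian updating that Daniels et al. describe (this is example code written for this page, not code from the article or from their chapter), the following Python builds a small discrete Bayesian network for a single asset and re-rates the hypothesis "attack attempted" as evidence arrives. The variables (intent, capability, opportunity, observed reconnaissance, attack), the network structure, every probability and the rating thresholds are constructed for illustration; they are not drawn from any real assessment. Inference is exact enumeration over the unobserved variables, which is adequate for a handful of nodes.

```python
"""Added example: a small discrete Bayesian network for a security threat
assessment, with exact inference by enumeration and a rating band that is
re-derived each time evidence changes.

Every variable, structure and probability below is constructed for
illustration only; none is taken from the article or from Daniels et al.
"""
from itertools import product

# Each node maps to (parents, table). The table gives P(node = 1 | parents),
# keyed by the tuple of parent values in the listed parent order.
# All variables are binary: 1 = present / observed, 0 = absent / not observed.
NETWORK = {
    # Root beliefs about the adversary and the asset (constructed priors).
    "intent":      ((), {(): 0.20}),
    "capability":  ((), {(): 0.30}),
    "opportunity": ((), {(): 0.50}),
    # Observable indicator: reconnaissance against the asset is far more
    # likely when intent exists, but false positives do occur.
    "recon": (("intent",), {(0,): 0.05, (1,): 0.70}),
    # Hypothesis of interest: an attack is attempted in the assessment period.
    "attack": (("intent", "capability", "opportunity"), {
        (0, 0, 0): 0.005, (0, 0, 1): 0.010, (0, 1, 0): 0.010, (0, 1, 1): 0.020,
        (1, 0, 0): 0.050, (1, 0, 1): 0.150, (1, 1, 0): 0.250, (1, 1, 1): 0.800,
    }),
}


def local_prob(node, value, assignment):
    """P(node = value | the parent values found in `assignment`)."""
    parents, table = NETWORK[node]
    p_true = table[tuple(assignment[p] for p in parents)]
    return p_true if value == 1 else 1.0 - p_true


def joint(assignment):
    """Joint probability of one complete assignment (chain rule over the DAG)."""
    p = 1.0
    for node in NETWORK:
        p *= local_prob(node, assignment[node], assignment)
    return p


def query(node, evidence=None):
    """P(node = 1 | evidence), by summing the joint over every assignment of
    the unobserved variables and normalising by P(evidence)."""
    evidence = dict(evidence or {})
    free = [n for n in NETWORK if n not in evidence]
    numerator = normaliser = 0.0
    for values in product((0, 1), repeat=len(free)):
        assignment = dict(evidence, **dict(zip(free, values)))
        p = joint(assignment)
        normaliser += p
        if assignment[node] == 1:
            numerator += p
    if normaliser == 0.0:
        raise ValueError("evidence has zero probability under the network")
    return numerator / normaliser


def band(p):
    """Map a probability to a rating band. Thresholds are illustrative."""
    if p < 0.10:
        return "Low"
    if p < 0.30:
        return "Medium"
    return "High"


def assess(timeline):
    """Re-rate 'attack' for each (label, evidence) snapshot in `timeline`.
    Returns a list of (label, probability, band)."""
    results = []
    for label, evidence in timeline:
        p = query("attack", evidence)
        results.append((label, p, band(p)))
    return results


# Constructed timeline: the same asset, rated as facts change.
SNAPSHOTS = [
    ("initial rating", {}),
    ("recon observed", {"recon": 1}),
    ("capability confirmed", {"recon": 1, "capability": 1}),
    ("opportunity removed by control", {"recon": 1, "capability": 1, "opportunity": 0}),
]

if __name__ == "__main__":
    for label, p, b in assess(SNAPSHOTS):
        print(f"{label:32s} P(attack) = {p:.3f}  rating = {b}")
```

The point of the walk-through is the one the article makes: the "initial rating" is only valid for the moment it was computed. A single observed indicator moves the same asset from Low to Medium, a confirmed capability moves it to High, and applying a control that removes opportunity brings it back down, all without changing the model, only the evidence. Each parameter in the tables is a stated, reviewable belief, which is what makes the schema auditable in a way a bare number in a risk register is not.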
"Because probabilities are usually estimated from historical data, fault trees are of limited use when dealing with an intelligent, adaptive agent. Nevertheless, fault tree structures can provide insight into important risk factors."
(Daniels et al., 2008)
Fault trees are derived from engineering practice and inform post hoc analysis of relatively fixed events. They do not represent the real world, complex human decision making and trade-offs, or the network effect that one or more decisions have on an individual, organisation or community. This is a common oversight, or undeclared limitation, among fault tree enthusiasts and devotees. Ironically, 'good actor' analysis, and the scales of education, experience, accuracy and qualification behind it, are an essential component of a security risk assessment and of the ongoing security management plan, for digital, physical and converged environments. This is another facet routinely overlooked or undeclared, until there is a trial, accident, negative event or public spectacle.
In sum, security management and risk management are sciences and evolved professions. Security risk management is therefore identifiable by empirical practices, research, education, specific qualifications and consistent, repeatable artefacts and analysis that inform practice, including protection. Not only for human threats, but for all hazards, threats, perils and dangers within an organisation's, asset's or community's environment.
Situational awareness and horizon scanning are the early stages of a threat assessment.
The absence of specific threat assessments and analysis, in any context, is neither routine professional practice nor 'risk management', no matter the elegant maths, author or support associated with such narratives, graphics or numbers. Security, risk, safety and resilience 'theatre' are plagued by such practices and accepted behaviour. Hence, the greatest threats are routinely not those evaluated and prioritised by an organisation, but the real-world change, threats and factors not considered in full by individuals, organisations and government(s).
In short, when the facts change (threats, tactics, capability, intent, resourcing, etc.), you and your organisation need to change, along with the 'protective' security, risk, resilience and safety measures or resourcing required.
Threat ignorance and lack of preparedness are rarely recoverable through insurance. Nor is it the role of government, taxpayers or communities to 'save' the unprepared, ignorant and 'thrifty'. This has been a harsh reminder and lesson for many of late, and will remain a harsh taskmaster for many years to come.
Much like the expression: "fire can be a wonderful servant to heat your home and warm your food, but uncontrolled or unprepared for, it remains a harsh master that will destroy your environment and cause considerable harm, despite reactionary measures and efforts."
Security, Risk, Resilience, Safety & Management Sciences
Reference:
Daniels, D., Linwood, H., Laskey, K., Mahoney, S., Ware, B., & Wright, E. (2008). Terrorism risk management. In O. Pourret, P. Naïm, & B. Marcot (Eds.), Bayesian networks: A practical guide to applications (pp. 239-26). John Wiley & Sons.