Risk, Security, Safety and Resilience Newsletter - Week of 14 Jan 23
The following is a summary of security, risk, safety and resilience articles, topics and issues ending the week of 14 Jan 23.
Key themes for this week include:
-------------------------------------------
"The purpose of a risk management framework is to assist an organisation integrate risk management into strategic activities, functions and decision-making. The effectiveness of managing risk will subsequently depend on the governance, leadership and commitment of the organisation and support from stakeholders."
- National Recovery and Resilience Agency (2020) National emergency risk assessment guidelines, Australian Disaster Resilience Handbook Collection, 1st ed (updated), Australian Institute for Disaster Resilience, Australian Government
"The #Fraud Tree: Occupational Fraud and Abuse Classification. Conclusions to fraud investigations are supported with evidence that is relevant, reliable and sufficient. Investigators shall be alert to the possibility of conjecture, unsubstantiated opinion and bias of witnesses and others, and shall consider both exculpatory and inculpatory evidence. Professional Ethics makes clear that an investigator's report may conclude on a person's conduct; however, conclusions may not include the investigator's opinion regarding the legal guilt or innocence of any person or party. That determination is made by a judge or jury."
The information, data and knowledge you produce, store, mix, use, distribute and rely upon are very similar to that of chemical compounds, physics and advanced chemistry.
That is, seemingly harmless or inert material may combine to form dangerous compounds, explosive and acidic materials or dangerous, harmful situations.
Your personal and community safety and security are therefore dependent upon understanding how these elements, bits, data or information 'chemicals' function, in addition to enthalpy, entropy, phase transitions and first, second and third-order risks. Just because it's information doesn't make it any less volatile, harmful or dangerous.
Ironically, if information and data were physical, most individuals and organisations would already have rudimentary, widespread regulatory knowledge and practices.
Unfortunately, the same rigour is less evident or universal when it comes to information and the protection, management, storage and 'safety' associated with it.
Data science, analysis and visualisation are critical aspects of my Doctoral research, professional life and applied scientific practice(s), including criminology and risk/security sciences. As a result, I'm constantly learning, experimenting and analysing micro, meso and macro data sets, suites and business systems. Especially those related to safety, security, risk, resilience and business continuity/services. The courses and subscriptions provided by my university are first-class, with abundant resources to support my efforts and learning. This one was fantastic and informative and reinforced the advanced data analytics, modelling and structures I've been building for years.
What was once the exclusive remit of expensive systems or service provider system(s) and subscriptions can now be done by individuals or in-house, using the ever-growing, powerful options provided by Microsoft 365. I recommend these programs and knowledge for any senior, working and technical professionals.
"The Chief Security Officer leads and sets strategic directions for the #security agency. He/She is expected to uphold the professionalism of security personnel, manage the resources required by the security agency, build security awareness and foster collaboration among stakeholders. His duties include overseeing response to incidents, designing contingency plans and developing security plans. "
Security remains a perpetual, unfinished and adaptive practice, poorly represented by divisive, siloed and role-based behaviour(s).
That is, providing security requires holistic consideration of the threats, assets, environments, technology, social factors, organisation/entity and freedom of action or constraints.
Therefore, security cannot be solved by one person, discipline or perspective, because all hazards require all hands, disciplines, perspectives and considerations.
This division and myopic view present gaps and exploitable vulnerabilities, and they play security actors, protectors, representatives and disciplines off against each other... not against the adversary, threat, danger or hazard. As a result, a better approach (read: comprehensive, inclusive and excluding nothing) is the provision of security, not a job title, role, responsibility, budget, audit or other factorial aspect involved in the assessment, design, implementation, delivery and maintenance of a secure or safe environment.
A simple enough premise, it seems overly simplistic, yet it remains the primary Achilles heel and exploitable weakness for human adversaries, criminals, bad actors and organised groups with deliberate, malevolent intent.
In other words, thieves, hackers, bad actors, terrorists and criminals are focused on the prize(s), outcomes, obstacles and means required for success.
Threat actors DO NOT CARE about your org chart, budget allocation/cost code, job title, department, agency, pedigree or where you went to school.
The bad actors benefit from division, poor communication, duplication, inefficiency, rivalry, confusion and other organisational separations.
"The next decade will be characterized by environmental and societal crises, driven by underlying geopolitical and economic trends. “Cost- of-living crisis” is ranked as the most severe global risk over the next two years, peaking in the short term. “Biodiversity loss and ecosystem collapse” is viewed as one of the fastest deteriorating global risks over the next decade, and all six environmental risks feature in the top 10 risks over the next 10 years. Nine risks are featured in the top 10 rankings over both the short and the long term, including “Geoeconomic confrontation” and “Erosion of social cohesion and societal polarisation”, alongside two new entrants to the top rankings: “Widespread cybercrime and cyber insecurity” and “Large-scale involuntary migration”. "
It is naive to think you 'aren't valuable' to criminals, thieves, curious digital nomads and active cyber foragers, no matter your physical location, wealth, status and age.
It is naive to think there are incalculable, infallible, and 24/7 digital walls, barriers, complex security and 'protection' between you, harm, loss, disruption, destruction or exploitation.
But it may not be you, specifically, that they are hunting or seeking to leverage, but rather your community, locale, country or demographic(s).
Moreover, a single adversary prefers to hunt the pack, like a predatory African mammal such as a lion. But instead of hunting a pack for a single meal (usually the slowest, weakest or least attentive), contemporary, syndicated, capable and persistent digital threats want to consume the entire herd... or multiple herds at once.
Forget physical apex predators; the modern digital adversary, both human-centric (corporeal) and automated (AI, ML, Bots, etc.), continues to be an adaptive, agile and intelligent danger the world and human history have never experienced.
Traditional or conventional criminals, bad actors and terrorists are limited in time, space and effort to harm and attack victims. Even wars are constrained to specific territories, adversaries and munitions. Digital actors, by contrast, can achieve mass casualties with the click of a mouse or by hitting enter on their devices. You, your business, your community, your data, your life, your information, your money, your health and your future are all worthy rewards in one form or another to one or more digital predators. Remember, of course, that the digital predator may be a child, elderly, a person with a disability, infirm or gravely ill (and invisible to you, or on the other side of the world), but they remain a deadly and effective predator nonetheless.
This defies conventional reasoning or thinking about who may or may not be a threat or cause you harm.
"#Risk mitigation entails a methodical approach for evaluating, prioritising and implementing appropriate risk-reduction controls. A combination of technical, procedural, operational and functional controls would provide a rigorous mode of reducing risks. Physical access control systems of office entrances, visitor management procedures at the building’s entrance, deployment of guards at branches are examples of such controls."
"Much ado about nothing" is not only a famous Shakespearean play and stage production, but is commonly representative of many beliefs, practices and performances in safety, security, risk and resilience. That is, much is said and done in the name of professional practice, standards and the industry of each and all of these disciplines, but a considerable portion of 'controls', countermeasures, tactics and strategies are nothing more than unsubstantiated, ad-hoc and random personal opinions, long-outdated legacy conduct, 'group think', ecological fallacies (taking one set of beliefs, practices and data and applying it elsewhere, assuming the same results) and folklore.
"Security theater is the practice of taking security measures that are considered to provide the feeling of improved security while doing little or nothing to achieve it."
By definition, security theater provides no security benefits (using monetary costs or not), or the benefits are so minimal it is not worth the cost.[3] Security theater typically involves restricting or modifying aspects of people's behavior or surroundings in very visible and highly specific ways,[3] which could involve potential restrictions of personal liberty and privacy, ranging from negligible (confiscating water bottles where bottled water can later be purchased) to significant (prolonged screening of individuals to the point of harassment).[4]
"The purpose of this guidebook is to raise awareness of homeowners, developers, architects, and town planners on the concepts and principles of #Crime Prevention Through Environmental Design (CPTED). CPTED seeks to enhance the safety of developments and minimise the opportunities for crime to be committed. This guidebook presents information, illustrations and suggestions on how this can be done through the application of CPTED."
Opinion-based philosophies, practices and ideologies remain persistent factors across risk, security, safety and resilience.
That is, specific perspectives, views, strategies, controls, methodologies and preferences that aren't clearly identifiable or traceable to a specific body of knowledge, source or authoritative content.
This includes a number of 'club' references, standards (that reference themselves or other standards, i.e., a standard that is a summary of a bunch of other standards), training materials, books, industry guidance, 'influencers' and self-titled thought leaders.
These normative practices and behavioural traits are extremely concerning for many specialist roles, professions and disciplines, but perhaps none more so than safety, security, risk, resilience and the collective 'enterprise' application of all these disciplines.
This is because knowledge ages, decays, dates or is simply superseded by community, social and technological advances.
This is the norm, and intent, of science and professional practice. That is, we get better, wiser and more informed with each discovery, addition and update. However, when personal beliefs and unsubstantiated, uncited and poorly recorded content, views and ideology dominate the practice, updates, corrections and improvements are not only extremely difficult to dislodge but downright impossible to alter.
"A successful #risk management program helps an organization consider the full range of risks it faces. Risk management also examines the relationship between risks and the cascading impact they could have on an organization's strategic goals."
For many, international security remains constrained to guns, guards, gates, widgets, tools, subscriptions, services and the economy of security 'things'. That is, security is primarily an undefined, arbitrary and universal label for things done by security actors in the name of protection and physical or cyber defence from one or more threat actors, criminals or dangerous situations.
However, security continues to evolve and is increasingly scrutinised and researched by a variety of scientific fields, such as psychology, criminology, sociology, economics, risk sciences and security science.
As a result, security within a contemporary, international, organisational and societal context is a complex concept, practice and dynamic state being constructed, formed, sustained and managed by many stakeholders from differing perspectives and interests.
These collective realities and findings lead to a revision of past security definitions and positions, leading to an updated or 'new' view of security at personal, domestic and international levels.
"Writers often fail to offer any definition of security. And if one is offered, it is rarely accompanied by a discussion of reasons for preferring one definition rather than others."
-Forbes-Mewett, 2018:304
"Organizations are also cautioned that risk assessments are often not precise instruments of measurement and reflect: (i) the limitations of the specific assessment methodologies, tools, and techniques employed; (ii) the subjectivity, quality, and trustworthiness of the data used; (iii) the interpretation of assessment results; and (iv) the skills and expertise of those individuals or groups conducting the assessments.
Since cost, timeliness, and ease of use are a few of the many important factors in the application of risk assessments, organizations should attempt to reduce the level of effort for risk assessments by sharing risk-related information, whenever possible."
Knowledge, information and facts are formed, created and manufactured at ever-increasing speed and scale all around the world.
Now we have AI and ML contributing to, complementing and replacing human creation of intelligence, information, knowledge and thinking.
So, creating a form of Turing test, I applied the concept to the subject matter and body of knowledge associated with risk, threat, hazards, danger, harm, peril, safety, security and the management practices associated with each or collectively.
Here are the results:
"These pillars are constructed to comprehensively evaluate the world's largest and most digitally forward economies in their progress toward preparing against, responding to, and recovering from cybersecurity threats. It measures how well these institutions have adopted technology and digital practices to be resilient against cyberattacks, and how well governments and policy frameworks promote cybersecure digital transactions."
What do you mean when you say 'resilience'? What do others mean when they say resilience? What does the government mean when it says resilience? What does a doctor mean when they say resilience? What does your company, industry or business plan mean when it mentions or declares 'resilience'?
Not only are there many different interpretations, meanings and definitions of resilience, but the concept also varies and changes across individuals, communities and professional groups.
To demonstrate the point, along with highlighting the many vulnerabilities and dangers of search engines, AI and the like, I asked ChatGPT what it thought resilience meant and the top 50 responses. Here are some of the results.
You can't blame a machine, computer or technology if it behaves poorly, makes things up or hides information from you, but you can blame humans and hold them accountable, including for their invention(s). The same goes for managers, directors, boards and businesses. If you wouldn't accept a child's homework, response or results because it was the pure work product of a search engine... why is AI or any other enabling device or system any different? This is particularly apparent and concerning in areas and disciplines such as risk, intelligence, safety, security and resilience, as demonstrated here.
"The intent for the <building #security guide> is not to assume or recommend that maximum protection is required as a standard but suggests design considerations and ways of preparing the infrastructure for later implementation of higher levels of protection. If project constraints prohibit the full implementation of the relevant guidelines, it is up to the project developer or user of this guide to decide on the extent to which the various protective elements will be implemented, based on the location of the potential threats and subsequent analysis."
"Corporate #governance refers to the system by which companies are directed and managed. This involves a set of relationships between a company‘s board, management, employees, shareholders and other stakeholders. This also provides the structure through which the company achieves its objectives and provides accountability to stakeholders. Good corporate governance therefore is an effectual balance of promoting the long-term success of the company, and providing accountability and control systems which are symmetric with the risks involved."
With a cautious, gradual return to business travel, I'm so proud and humbled that so many researchers, analysts, academics, businesses and professionals are benefiting from my Master of Science (MSc) dissertation, focusing exclusively on business travel risk management. 600 reads is huge in my view. Thank you kindly.
My Doctoral Degree and research follow on from this foundational research, exploring and analysing multivariate threat vectors and better travel risk management practices for international business travellers at all levels. I look forward to sharing more in 2023.
Thesis: What are the main private security risk management factors in transnational mobility (business travel)?
"Five principal components must be considered when developing a #security system (Figure 5-1): Policies, Plans, and Procedures; Security Operations and Intelligence; Physical Barriers; Electronic Security Systems and Equipment; and Cyber Security. Failure to address all components may create a weakness in the overall system that a trained aggressor can identify and exploit. A thorough planning process is recommended to integrate all five components of an effective security system, creating layers of security to eliminate weaknesses and limit vulnerabilities in accordance with the operation requirements of a protected facility. An overview of each component is provided below."
"All organizations are subject to #fraudrisks. It is impossible to eliminate all #fraud in all organizations. However, implementation of the principles in this guide will maximize the likelihood that fraud will be prevented or detected in a timely manner and will create a strong fraud deterrence effect."
1) Defining Security Risk Management. 2) Conducting Risk Assessments. 3) Developing Security Strategies. 4) Creating a Security Plan. 5) Developing Contingency Plans. 6) Managing Security Incidents. 7) Ensuring Digital Security. 8) Managing People. 9) Contracting Private Security Providers. 10) Security Risk Management Essentials Test.
"In this 3-hour assessment-based certificate program, you will learn how to implement security risk management processes, roles, and procedures that are critical to aid and development organizations. Based on global security best practices, this program enables you to better analyze the context you are working in, assess security risks, develop security strategies and contingency plans, and manage incidents to safely deliver programs to people and communities affected by crisis."
"Effective crisis management is not just about responding to ongoing crises, but also about scanning for risks in order to avoid the conditions giving rise to crisis in the first place. Unstable information environments may reduce the efficacy of these procedures by making it difficult to identify emerging threats. Technologically-enabled disinformation campaigns might also be used to intentionally distract decision-makers from developing risks." - Seger, E. (2023) Exploring Epistemic Security: Expert Insight, International Security Journal, Issue 46, Dec 22, pp. 88-90
---------------------------------------------
Risk, Safety, Security, Resilience & Management Sciences
Realtor Associate @ Next Trend Realty LLC | HAR REALTOR, IRS Tax Preparer
Thanks for Posting.
The very best articles I read from Tony Ridley, MSc CSyP MSyI are of very high impact and full of knowledge for security, risk, safety... professionals. Very much glad to be an associate/Network.