Risk, Security, Safety and Resilience Newsletter - Week of 15 Dec 22
Risk, Security, Safety and Resilience Newsletter - Week of 15 Dec 22. Tony Ridley, MSc CSyP MSyI

The following is a summary of security, risk, safety and resilience articles, topics and issues ending the week of 15 Dec 22.

Key themes for this week include:

  1. Risk: Standards, Frameworks & Methods
  2. Resilience: Findings, Options & Approaches
  3. Security: Corporate, Commercial, Private & Public
  4. Business Continuity: Disruptions, Complexity & Systems Thinking

---------------------------

Safety, Security & Risk Strategies: Disconnects & varying concepts for differing actors at various organisational levels

Not only do the various layers of the same organisation conceive and implement safety, security, risk or resilience differently, but they also hold varying beliefs and practices about how to control visible strategic failures such as 'accidents', mistakes, errors and fiascos.

That is, while regulators may insist upon greater risk constraints, frontline actors remain dependent upon experience, education, knowledge and psychological factors to identify, mitigate and control a wide variety of actions, factors and probabilities.

This variance only compounds with each additional layer: teams, management and executive leadership.

Read More...

How do you make distinctions between accidents and threats?

The ISO 31000 Standard on Risk Management

"The #coso framework on #EnterpriseRiskManagement (mostly internal #control and #auditing) sees #riskmanagement primarily as a #compliance activity. #ISO31000 sees risk management as a strategic process for making #risk-adjusted decisions."

Read More...

A comprehensive view of origins, interactions and conflicts

"A system that relies for its robustness largely on the assumption that the mechanism is unknown to an attacker, as opposed to relying on the particular key to a particular message being unknown to an attacker, is a weak system" - Adams, A (2014). 'Security Ethics: Principled Decision Making in Hard Cases' in Gill, M. (ed) The Handbook of Security, 2nd edn, Basingstoke: Palgrave. p. 970

Cryptographic considerations in digital and physical security
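Adams's point above is Kerckhoffs's principle. As an added illustration (not part of the original newsletter or of the chapter cited), the following Python script contrasts the two designs: a substitution cipher whose only secret is its table, and a keystream cipher built from HMAC-SHA256 whose mechanism is entirely public and whose only secret is the key. The table, key, nonces and messages are all constructed for the example. It also shows the caveat a practitioner wants alongside the principle: the keyed design only holds while nonces are never reused.

```python
"""Kerckhoffs's principle, demonstrated: a cipher whose only secret is its
mechanism versus one whose only secret is the key. Added example; the
substitution table, key, nonces and messages are all constructed here."""
import hashlib
import hmac
import os
import string

# --- "Secret mechanism": a fixed substitution table the designer hoped to keep hidden. ---
# Constructed, arbitrary permutation of A-Z (assumption: the scheme has no key at all).
_SECRET_TABLE = str.maketrans(string.ascii_uppercase, "QWERTYUIOPASDFGHJKLZXCVBNM")


def obscure_encrypt(plaintext: str) -> str:
    """Encrypt with the hidden table. Security rests entirely on the table staying secret."""
    return plaintext.upper().translate(_SECRET_TABLE)


def recover_mapping(known_plaintext: str, known_ciphertext: str) -> dict:
    """Attacker: one known plaintext/ciphertext pair exposes every letter mapping it uses."""
    return {c: p for p, c in zip(known_plaintext.upper(), known_ciphertext) if p.isalpha()}


def attack_obscure(mapping: dict, ciphertext: str) -> str:
    """Attacker: decrypt a later message using only the recovered mapping ('?' where unknown)."""
    return "".join(mapping.get(c, "?") if c.isalpha() else c for c in ciphertext)


# --- "Secret key": a published keystream construction, HMAC-SHA256 as a PRF over (nonce, counter). ---
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def keyed_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Everything here is public except `key`; `nonce` must be unique per message.
    XOR with the keystream, so the same call also decrypts."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


def attack_keyed(known_plaintext: bytes, known_ciphertext: bytes, target_ciphertext: bytes) -> bytes:
    """Attacker: knows the full algorithm and one plaintext/ciphertext pair. XORing them
    yields that message's keystream; applying it to another ciphertext only recovers
    plaintext if the nonce (and therefore the keystream) was reused."""
    ks = bytes(p ^ c for p, c in zip(known_plaintext, known_ciphertext))
    return bytes(c ^ k for c, k in zip(target_ciphertext, ks))


def demo() -> dict:
    # Obscure scheme: attacker sees one pair covering the whole alphabet, then reads everything.
    pangram = "THE QUICK BROWN FOX JUMPS OVER THE LAZY DOG"
    mapping = recover_mapping(pangram, obscure_encrypt(pangram))
    broken = attack_obscure(mapping, obscure_encrypt("ATTACK AT DAWN"))

    # Keyed scheme with a fresh nonce per message: the known pair does not help.
    key = os.urandom(32)
    c1 = keyed_encrypt(key, b"nonce-0001", b"MEETING MOVED TO NOON")
    c2 = keyed_encrypt(key, b"nonce-0002", b"ATTACK AT DAWN")
    fresh = attack_keyed(b"MEETING MOVED TO NOON", c1, c2)

    # Same scheme with the nonce reused: the keystream repeats and the secret key is wasted.
    c3 = keyed_encrypt(key, b"nonce-0001", b"ATTACK AT DAWN")
    reused = attack_keyed(b"MEETING MOVED TO NOON", c1, c3)
    return {"obscure": broken, "fresh_nonce": fresh, "reused_nonce": reused}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Run it and the "obscure" and "reused_nonce" results both read ATTACK AT DAWN, while "fresh_nonce" is noise: the published mechanism plus a fresh nonce leaves the attacker with nothing but the key to go after, which is exactly where Adams says the strength should sit.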

Risk, Safety, Security & Resilience: Concealed, complex and dynamic systems, structures and culture/s

Consideration of systems, structures, networks and mental models within the context of risk, safety, security and resilience routinely remains a superficial affair.

That is, what is most visible, tangible, recent or collectively agreed upon drives thinking or perceived understanding of the cause or origins of risk, harm, loss and damage.

In other words, when an event occurs and the cause seems obvious and collectively agreed upon, there is little desire or apparent commitment to examine the underlying issues any further. In short: it's obvious, look no further!

Like the proverbial iceberg, events, patterns and trends represent the mere tip of a very big issue, inclusive of complex networks, human decisions, power, group influence, community/culturally accepted action and inaction, along with structures that serve all these factors inconsistently and irregularly.

It is what lurks below the surface that creates outcomes; it is often of most concern, least likely to be considered or resolved, and has most assuredly changed since the last event or since it was last thought about in any reasonable depth.

Read More...

Is your risk register a representation of the 'above surface' threats, or does it 'deep dive'?

Information Security Manual: Dec 22

"The purpose of the #cybersecurity principles within the ISM is to provide strategic guidance on how an organisation can protect their systems and #data from cyber threats. These cyber security principles are grouped into four key activities: govern, protect, detect and respond. An organisation should be able to demonstrate that the cyber security principles are being adhered to within their organisation. The purpose of the cyber security guidelines within the ISM is to provide practical guidance on how an organisation can protect their systems and data from cyber threats. These cyber security guidelines cover governance, #physicalsecurity, personnel #security, and information and communications technology security topics. An organisation should consider the cyber security guidelines that are relevant to each of the systems they operate. "

Read More...

As threat changes and adapts, so too does the manual

"Though statistics of cause of death are relatively easily recorded, they are inadequate as a measure of harm to individuals, their families and society. Fatality accident rates may provide a better indication of #risks incurred by an individual while pursuing a particular activity, be it rock climbing, travelling by air or living adjoining a nuclear power plant". - The Royal Society (1992). Risk: Analysis, Perception and Management, Report of the Royal Society Study Group, p.83

Qualitative or quantitative.... or mixed methods?

Risk Perception: Variable, subjective and inconsistent responses to threat, harm, peril, danger and 'risk'

Personal and collective response to seemingly obvious 'risk' is neither consistent nor guaranteed.

That is, even communication, open knowledge and declaration of risk over varying times and scales routinely fail to predict or assure individual, community, government or organisational response to danger, threat, peril or hazards.

In other words, even when told of a risk, there are numerous modifiers and variables that influence and distort action at a singular or collective level.

"experience of a natural hazard and trust or lack of trust in authorities and experts are the primary factors that shape individual risk perception of natural hazards in often complex causal arrangements with many intervening factors." (Wachinger et al., 2013)

Risk perception remains a highly complex, variable phenomenon, inconsistently experienced and acted upon across cultures, communities, ages, genders and experience. As a result, action in the wake of an event, or on the revelation of a risk, should never be assumed nor reasonably expected to be consistent or linear.

Read More...

What does your decision chain or process look like? Is it documented?

"When I use the general term #risk savvy I refer not just to risk literacy, but also more broadly to situations where not all #risks are known and calculable. Risk savvy is not the same as risk aversion. Without taking risks, innovation would end, as would fun, and courage would belong to the past. Nor does risk savvy mean turning into a reckless daredevil or BASE jumper, denying the possibility of landing on one’s nose. Without a beneficial degree of caution, humans would have ceased to exist long ago.

You might think, why bother if there are experts to consult? But it isn’t that simple. Bitter experience teaches that expert advice may be a dangerous thing. Many doctors, financial advisers, and other risk experts themselves misunderstand risks or are unable to communicate them in an understandable way. Worse, quite a few have conflicts of interest or are so afraid of litigation that they recommend actions to clients they would never recommend to their own families. You have no choice but to think for yourself.

I’d like to invite you into the world of #uncertainty and risk, beginning with weather reports and a very humble hazard, getting soaked." - Gigerenzer, G. (2014). Risk savvy: How to make good decisions. Penguin. p.12

Risk Savvy. How to make good decisions
Are you risk savvy or risk myopic?

"...if the danger itself is not immediately confrontational, then if the individual is to avoid being harmed, they need to receive some other warning" - Waring, A. & Glendon, I. (1998). Managing Risk: Critical Issues for Survival and Success into the 21st Century, South-Western Cengage Learning, p.159

Risk cognition and awareness is the first step of all risk related practices

Business Continuity: Potential threats leading to delay, disruption, crisis and disaster scenarios

Consideration and investigation of threats that may affect a business or operations is often limited by time, resources, expertise and experience.

Moreover, the shortlist of threats is routinely carried over from year to year or practitioner to practitioner with limited, legitimate risk analysis or supporting evidence, before leaping into controls development, risk ratings and crisis or continuity planning.

That is, the list of potential threats is more likely a mental accounting or 'top of mind' exercise than a detailed, informed and analytical approach to environmental, operational or organisational threats, actors, hazards or harm.

Read More...

First, second or third order threats?

Risk Appetite Frameworks

"The global financial #crisis revealed that, as a result of the chase for growth in the years immediately prior to the crisis, many large banks took far too much #risk, in aggregate. Careful analysis has shown that much of their risk-taking was either substantially underestimated and/or misunderstood, or the subject of insufficient attention and control. And in some extreme cases, risk-taking was even unconscious."

Read More...

What does your appetite for risk look like? Has it changed?

"While manufacturers might not pay sufficient attention to these issues, offenders do and exploit the vulnerabilities in the products for personal gain. " - Johnson, S., Blythe, J., Kim, E. & Sombatruang, N. (2022) Crime and the Consumer Internet of Things, in Gill, M. (ed) The Handbook of Security, 3rd ed, Palgrave Macmillan, p.706

The same applies to cybersecurity, actually, even more so

Security & Risk: Highly variable, contextual and acceptable levels across industry and facilities

Threats, protection and security are applied and tolerated differently across industries, locations and cultures. As a result, risk, whether inherent or residual, is also relative.

That is, security levels before and after intervention are highly variable, meaning that 'high', 'medium' and 'low' levels of vulnerability, risk or security are highly contextual and routinely incompatible between facilities within the same sector, or even the same geography, because of varied threats, expectations and utility provided to the community.

In other words, what you think and measure your security level to be at any given time is not the same as at another site, location or facility, because how security is applied is not the same, nor is the threat, resulting in varying levels of risk even within the same industry.

Read More...

Where does the security and safety of your facility sit within the context of those nearby, statewide and nationally?

Enterprise Risk Management and the Requirements of ISO 31000

"This guide provides a structured approach to implementing #riskmanagement on an enterprise- wide basis that is compatible with both #COSO #ERM and #ISO31000. However, the guide places more emphasis on ISO 31000 because it is an international standard and many organisations have international operations. At the same time as publishing ISO 31000, ISO also produced Guide 73 ‘Risk management – Vocabulary – Guidelines for use in standards’. "

Read More...

What a mess. Mixing made-up frameworks with generic international 'standards'

"With the increasing likelihood of having to experience events that exceed our capacity to effectively treat #risk, a different type of #leadership is needed." - National Recovery and Resilience Agency (2021) Systemic Disaster Risk, Australian Disaster Resilience Handbook Collection, 1st ed, Australian Institute for Disaster Resilience, Australian Government

Written practices are one thing. How things happen in the real world or day-to-day is a vastly different matter

Security Risk Assessment: Systematic, Logical and Evidentiary Practices with Supporting Analysis or Documentation

The application and outcomes or benefits associated with 'security' do not exist in a vacuum, nor should security tactics, mitigation or controls be applied in the absence of specific, considered and realistic threats.

In other words, security management is not the arbitrary deployment, purchase or management of security widgets, tech, people, processes or practices.

Evidence, analysis, assessments and risk measurement are mandated.

Pursuit of hypothetical 'Boogey men', unrealistic threat actors and the idea that evil, criminals and terrorists are concealed or lurking around every corner diminishes the practice of legitimate security and results in considerable wastage, fear and unnecessary social anxiety.

Read More...

Checks, balances, confirmation or more an 'artistic' approach?

The Risk Management Process

"The #riskmanagement process described in AS/NZS #ISO31000: 2009 Risk Management – Principles and Guidelines is one way of achieving a structured approach to the management of risk. Consistently implemented, it allows #risks to be identified, analysed, evaluated and managed in a uniform and focused manner.

ISO 31000 recommends that risk management be based on three core elements: 1) a set of principles that describes the essential attributes of good risk management; 2) a risk management framework that provides a structure for risk management; and 3) a risk management process that prescribes a tailored, structured approach to understanding, communicating and managing risk in practice. "

Read More...

A contemporary government approach... citing a 13-year-old 'standard'

"#Criticalinfrastructure operators cannot prevent intentional attacks from happening, but they can do much to strengthen the #resilience of their infrastructures, and they can equip them with measures and procedures for automated defense." - Keupp, M. (2020) The Security of Critical Infrastructures: Risk, Resilience and Defense, Springer. p.12

You can't 'mature' a constantly evolving threat landscape and security response demand

Business Continuity Risks: Interruptions, Triggers, Signals and Cascading Threats

Caution should remain a constant state within business continuity, disruption and interruption plans.

In particular, where risk, security or resilience are either informing factors or dependencies for continuity of service.

The reason for this caution is that risk, security and resilience are neither independent variables nor are they static/fixed.

This means that elements of security, risk or resilience could be in varying states of change, decay or subject to information asymmetry, presenting a fleeting, false and potentially fatal assumption of business continuity resilience.

Read More...

Risks appear, impact and influence in varying ways across any enterprise

Risk Culture: Resources for Practitioners

"...embedding #riskmanagement into an organisation to the extent that it reliably makes a difference is still a difficult task. Those seeking to do so inevitably come up against the ultimate challenge: people. Human beings, acting as individuals and interacting in groups, are the ‘wetware’ in the system - not necessarily behaving in the logical, predictable and controllable way that we would like them to. Every individual brings to the job a unique perception of #risk. Every group and organisation has its own approach to risk - its #riskculture - that may or may not be helpful in successful management of risk. The risk culture will influence the mechanisms and techniques that the organisation employs to manage risk but is also in turn influenced by them."

Read More...

Risk culture, cancer or germs?

"Embrace #uncertainty: The changing #risk context involves greater uncertainty and challenges to goals and objectives. Recognise there will be many different perspectives to be negotiated. Use inclusive governance and systems thinking to help. Do not be overwhelmed or wait for certainty before taking action." - National Recovery and Resilience Agency (2021) Systemic Disaster Risk, Australian Disaster Resilience Handbook Collection, 1st ed, Australian Institute for Disaster Resilience, Australian Government, p. xi

Look around, things are not nearly as resilient as promised

Culture eats strategy for breakfast... along with risk perception and seemingly objective analysis of threats, hazards and harm

Individual, group and community orientation have immeasurable influence on views, perspectives and consideration of matters related to risk.

Especially pre-management factors such as threat, hazards and harm.

That is, your own personal ideology, that of the group or the community/organisation in which you evaluate 'risk' influences, distorts and frames not only your thinking but the way you approach risk.

This includes risk awareness, risk identification, risk analysis and risk assessment, all of which influence the management of risk in many and varied ways.

Read More...

Strategy is written, culture is lived. Guess which one influences risk, compliance and security the most?

Leadership in Risk Management

"Reflecting this new prioritization of #risk, executives at major companies and leading thinkers on #riskmanagement emphasize the board’s and the C-suite’s pivotal role in providing continued leadership and direction. “It’s important that the C-suite be talking as much about risk management as it does about profit, growth, and customers because they are interdependent. The point is that you can’t optimize profit if you do not manage—leverage or mitigate—exposures as appropriate,”

Read More...

The accountants, management generalists and insurance providers provide some leadership advice in the sociological practice of risk

"The lesson that emerges from a review of the development of #Safety, #Security, #Health & #Environment (SSHE) law is that SSHE is plagued by an externality problem where persons who put people or the environment at risk through their business activities do not automatically pay the full cost of their actions"

- Tooma, M. (2019) Safety, Security, Health and Environment Law, 3rd ed, The Federation Press, p. 198

There is no standard threat, bad actor or criminal...so rethink your use of 'standards' in security risk management and crime prevention

Opinions, Thoughts & Content: Expert Contributions vs. Amateur Fodder

Expert opinion and content, much like in nature, is most recognisable and reliable due to its deep, substantial and diverse roots which form the basis of knowledge, thinking and views.

Conversely, amateur, ad hoc, lay and anecdotal narratives are typically superficial, lack depth, are not anchored in verifiable or repeatable findings and routinely lack citations or acknowledged influencing perspectives.

In nature, mature, substantial trees are hard to push over due to their roots and the traction they have with reality.

Paradoxically, it is also exceptionally difficult to move or displace 'conventional wisdoms', deep-seated bias, and entrenched organisational/academic norms.

Read More...

Are you consuming professional and proven advice... or more like the stuff you find on Twitter, magazines and Google searches?

Risk Management: Year in Risk 2022

Read More...

Expert summary and advice...after the fact

"Most #risk models are based on a 350-year-old mathematical object, first developed for gamblers. Unfortunately it gives the wrong answers." - Orrell, D. (2017) Economyths: 11 Ways Economics Gets it Wrong. Icon Books.p.86

As soon as you have more than one person in the risk evaluation process, you have diversity and a group

Security & Risk Assessments: Error Amplification Due to Bias and Noise

No assessment of risk, including security, is either value or judgement free.

That is, analysis of any situation by humans invariably contains degrees of 'noise' and bias that influence the focus, analysis and final risk determinations in positive and negative ways.

This variance is rarely adequately disclosed, or even considered, in most security risk assessments.

In other words, a security or risk assessment that yields significantly variable outcomes when conducted by different people is more akin to an alchemical or artistic process than a professional procedure informed by research, statistics and structured knowledge or analysis.

The question for most consumers of, and dependents on, security and/or risk assessments is: 'what is the overall error?'

Read More...

What is your model or metric for measurement and impact for noise or error?

Cyber Primer: Cyber Security in Detail

"Access by people to cyberspace is possible via many means, although most often through desktop computers, laptops, tablets and mobile phones. Connectivity may be achieved via wireless connections, for example, Wi-Fi or third, fourth and fifth generation mobile communications networks, or physical cables of copper and optic fibre. Cyberspace is created by and dependent on physical assets – power sources, computers, cables, network infrastructure, data centres – as well as the people who operate and manage them. Some of the ‘fabric’ of cyberspace is created automatically by computers without human intervention. "

Read More...

The A to Z summary of cyber threats, risks and actors

"Management and other business employees are slow to realise the change to a more educated, intelligent and technical #security profession. However, this change has been gradually taking place over the last several decades. The security profession has become more complex and requires far more skilled security professionals, not only in security-related functions but also in various other disciplines of the business world" - Kovacich, G. and Halibozek, E. (2006) Security Metrics Management: How to Manage the Costs of an Assets Protection Program. Butterworth-Heinemann.p.4.

An ecological fallacy is taking data and context from one environment and assuming it is relevant in another... like security

Security Spending: When the money follows your intention, focus and priorities...not the threat or scales of harm

Security and risk management spending are inherently susceptible to prioritisation based on the last known, visible or experienced failure, loss, breach or drama. That is, security budgeting is routinely distributed left or right of the last 'boom'.

In other words, if security ideology is distilled into a simple binary, there are those that invest pre-incident, prioritising avoidance, mitigation, prevention and protection. Meanwhile, there are those that are compelled, motivated, shamed or restrained in security expenditure until an event, loss, failure or disruption, focusing on response, recovery, insurance or other after-the-fact initiatives.

Notwithstanding, there may also be those distributed unevenly along this continuum, but somewhere within all organisations, communities, governments or cultures is a dominant or subordinate sense of security as either a cost or profit centre.

"It is likely that some organisations will always view security as a cost-centre rather than a profit centre. "
(Talbot and Jakeman, 2008)

Read More...

What drives security investment where you are? Protection, prevention or drama, breach and crisis?

Risk Management Framework: Process Map

"The #riskmanagementframework (RMF) is a living, comprehensive process that requires an appropriate amount of due diligence to be effective.  #Enterpriseriskmanagement  involves a multitiered approach connecting strategic goals with the daily operations of information systems. "

Read More...

A step through guide to implementation of risk within an energy/critical infrastructure setting

"...#risk is largely a socially constructed phenomenon whose cognition is culturally mediated. Culture, a sociological concept, is one such aspect of risk for which technical #riskanalysis is inappropriate" - Waring, A. and Glendon, I. (1998) Managing Risk: Critical Issues for Survival and Success into the 21st Century, South-Western Cengage Learning, p.82

We don't all share the same views, let alone perceptions

Master of What? 8 'Security' Master's Degrees Compared

Matters of 'security' are not all created or conceived equal, nor are the advanced academic programs that inform security within communities, companies or government.

In other words, 'security' remains a catch-all phrase meaning many things to many audiences, practitioners and organisations.

This lack of clarity, or outright confusion, is often transferred to courses, accreditation and advanced academic programs.

That is, the uninformed and professionals alike make the flawed assumption that all security courses teach and demand the same knowledge and verification. Untrue.

To demonstrate the distinctions, lining up 8 contemporary security courses at Master's level reveals considerable differences, especially across the science, arts, military and business domains.

Read More...

Do an inventory. You may find many 'security' actors are more generalists than specialists

"...there are benefits from considering how people, communities and business play complementary roles in #riskmanagement, particularly with regard to their roles in facilitating effective, comprehensive recovering following disaster" - Paton, D. and McClure, J. (2017). Business Continuity in Disaster Contexts, in Paton, D. and Johnston, D. (eds) Disaster Resilience: An integrated approach, 2nd ed, Thomas Books, pp. 79-93

What is your forecast? Evidence, numbers?

Risk Cognition: Highly variable inputs, stimuli, choices and resulting outcomes among both professional and amateur risk management groups

Risk is neither consistently understood nor perceived from person-to-person, let alone across cultures, industries or vocations.

That is, risk cognition (the mental action or process of acquiring knowledge and understanding through thought, experience and the senses) remains highly variable, subject to change and influenced by numerous internal and external stimuli.

Moreover, how information is received, which leads to knowledge, fundamentally shapes and creates risk in the minds of individuals and in the culture of organisations.

As a result, the process remains inherently unique unless consistent structure and discipline are applied to risk cognition, long before assessment or management even make an appearance.

Read More...

How your brain processes risk is routinely more important than how you document or communicate risk

"The most important first input is a defined #project. In order to fully understand and assess #projectrisks we must ensure a mutual understanding of the project under evaluation. Fundamental information about a project includes a clear statement of need. To focus on #risks and uncertainties our project will face, we must know the project in context, scope, schedule, and estimate. Information is commensurate with the level of project development at the time of #riskanalysis. Progressive elaboration should not be confused with scope creep." Washington State Department of Transportation (2018) Project Risk Management Guide, page 2-1 

Projects - agile, waterfall, Voodoo or some other made up practice?

"All #security #risks are composed of three distinct components. They are threat, vulnerability, and impact. Threat is a product of the intentions and capabilities of those whose actions have the potential to cause #harm." - Martin, P. (2019) The Rules of Security: Staying Safe in a Risky World, Oxford University Press

The market will stay wrong longer than you will remain solvent... the same is true for yesterday's security

"A defining feature of existential #risk is that there are no second chances—a single existential catastrophe would be our permanent undoing." - UNDP. (2022). Human Development Report 2021/2022. Uncertain Times, Unsettled Lives: Shaping our Future in a Transforming World, United Nations, p.58

What you see or think is the security, safety, resilience or risk issue, is only a mere fraction of the problem

---------------------------

Tony Ridley, MSc CSyP FSyI SRMCP

Risk, Security, Safety, Resilience & Management Sciences


OKE OLUSOLA

Transmission Engineer

2y

This will help me a whole lot
