Risk, Security, Safety and Resilience Newsletter - Week of 20 Oct 22
The following is a summary of security, risk, safety and resilience articles, topics and issues ending the week of 20 Oct 22.
Key themes for this week include:
----------------------------------------------------------
Confidence, arguments and beliefs in matters relating to 'risk' are routinely the product of some attempt to objectively calculate the number, value or rating of one or more risks.
That is, the understanding and gravity of risk are formed by adding, multiplying or plotting at least two factors, which in turn inform risk.
Great decisions, choices and investments are then predicated upon these 'risk values', often the sum of drawing lines of probability and consequence on a chart or graph.
In other words, very simple models and statements routinely seek to summarise and explain risk, uncertainty, harm, happenstance, preparation and naturally or frequently occurring phenomena.
"#Security incident information management involves collecting, recording, analysing and using information to maintain staff #security and access to beneficiaries. Good security information management finds the right balance between these benefits and the administrative costs of the system."
"Probability theory was invented to help rich aristocrats win more money with their gambling. When Pascal combined probability theory with zero and with infinity, he found God. (p.97) Yet dividing by zero destroys the fabric of mathematics and the framework of logic—and threatens to undermine the very basis of science. (p.199)" - Seife, C. (2000). Zero: The biography of a dangerous idea. Penguin.
"Like any effective #cybersecurity strategy, investigating the board perspective must start by assessing the threat landscape. Just under two-thirds of board members believe that their organization is at #risk of a material cyber attack. This figure drops to 23% for those who believe the #risk is very likely. These figures suggest a boardroom that is at least somewhat aware of the risk posed by today’s sophisticated cyber criminals.
But we see a worrying disconnect when we compare these results with our 2022 Voice of the CISO Report (VOTC). Asked the same question earlier this year, just under half of CISOs felt they were likely to experience a material cyber attack within the next year, and 14% rated the risk as very likely. This disconnect held true around the world, with boards in many countries out of step with their corresponding CISOs."
"The word 'risk' derives from the early Italian risicare, which means 'to dare'. In this sense, #risk is a choice rather than a fate. The actions we dare to take, which depend on how free we are to make choices, are what the story of #risk is all about. And that story helps define what it means to be a human being" - Bernstein, P. (1996). Against the gods: The remarkable story of risk. New York: John Wiley & Sons, p.8
"#Cybersecurity #risks are a constantly evolving threat to an organisation’s ability to achieve its objectives and deliver its core functions. #Security failings in today’s information-driven economy can result in significant long term expense to the affected organisations and substantially damage consumer trust and brand reputation. Sensitive customer information, intellectual property, and even the control of key machinery are increasingly at risk from cyber attack. The targeting of electronic assets has the potential to make a material impact on the entire organisation and possibly its partners.
The topic of cyber security needs to move from being in the domain of the IT professional to that of the Executive and Board, where its consideration and mitigation can be commensurate with the risk posed. The traditional approach to thinking about cyber security in terms of building bigger walls (firewalls and anti-virus software) - while still necessary - is no longer sufficient. A holistic approach to cyber security risk management – across the organisation, its network, supply chains and the larger ecosystem – is required.
This document provides key questions to guide leadership discussions about cyber #securityriskmanagement for your organisation. They are intended to be non-prescriptive, as organisational context will vary."
It remains a dangerously narrow, if not foolish, notion to consider cybercrime as confined to purely cyber and 'space' domains, without any physical security involvement or relationships.
That is, all cybersecurity issues have elements (often very significant elements) of physical and conventional security concern.
This includes the events leading up to, and resulting in, criminal acts.
Compared with similar historical crimes such as identity theft, fraud, extortion and burglary, it may seem on the surface that it is all now the same thing, just carried out through a computer or network connection.
As with all things of the day, there is an element of truth to this, but it is not the entire truth.
"#Cybersecurity #RiskManagement Framework (Objective 1): To provide closer linkage and communication between the risk management processes and activities at the C-suite or governance level of the organization and the individuals, processes, and activities at the system and operational level of the organization."
Security risk management is implemented through a series of negotiated trade-offs and prioritisations, modelled around foreseeable adversarial threats and specified protective measures.
Agreed security countermeasures and treatments are based on models of operational security derived from a balanced equation.
In other words, security is the outcome of many opinions, choices and prioritisations, resulting in an agreed balance of priorities and supporting protection.
The critical problem with security choices and alternative models is that they are rarely visualised and compared with the alternatives.
Moreover, these choices, preferences and pros/cons are rarely presented to non-security executives to aid decision making or to clarify the various strengths and weaknesses of each model and choice.
These visuals serve to provide these comparative choices, mapping the respective relationship between asset, protector and threat.
"With more than 80 percent of the world’s population now within mobile coverage, burgeoning efforts to enable people to send, receive, and store money using their mobile phones have the potential to greatly improve people’s lives and leapfrog more conventional banking models to safer, more affordable alternatives. Often called “mobile money,” these services reduce the #risks and costs of financial transactions, help increase savings, and bring more people into the formal financial sector. This timely publication investigates the current anti-money laundering/combating the financing of terrorism (AML/CFT) regulatory environment for mobile money and provides guidance on the design of a framework for mobile money that adequately addresses ML/FT risks."
"Organisational reliance on bureaucracy can lead to a very lax, non-critical approach to managing #risk, which becomes an exercise in document completion rather than conversations about an understanding of the #risks associated with work." - Smith, Gregory. Paper Safe: The triumph of bureaucracy in safety management (p. 39). Wayland Legal. Kindle Edition.
"Now a state of #crisis is the new normality. Climate-related natural disasters, looming recession, an accelerating cost of living catastrophe in Europe, food shortages, employee welfare and skills deficits, and a rapidly industrialising cyberattack landscape are overlaid by intensifying geopolitical tensions and the very real threat of financial liquidity and solvency risks for businesses. This has forced many organisations not just to rewrite their #riskregisters, but to tear up outdated #risk taxonomies that favour old-style siloed thinking. Sudden, systemic organisation-wide #risks with contagious, unpredictable ramifications throughout the enterprise are no longer seen as Black Swan events - but as interlocking elements of a continuous storm."
Consideration of human threats, adversaries and bad actors requires not only the formulation of indicative behaviours but also the foreseeable exploitation and tactics applied against the asset(s).
That is, what will any one person or group do in order to get into, around and out of a physical or cyber environment?
Despite significant limitations in the approach, such as depicting adversaries as 'like' protectors or defensive security actors, valuable thought processes and primers are present for practitioners at all levels of security risk management, notwithstanding the dominant military and masculine themes that run through some of these concepts.
Find, Fix, Track, Target, Engage and Assess (F2T2EA)
"There have been many efforts to define #riskculture and this multiplicity tells us something, namely that it is conceptually rather fuzzy. We decided to go out and listen to the way that different organisations – banks, insurers and their advisors – think about and operationalise risk culture change programmes. We think that this is where the action is – where risk culture becomes, or does not become, an organisational reality. Our report paints a rich picture and we have attempted to provide some intellectual structure to the diversity we have observed. To aid the readability of this report we have shifted a large body of material on methods and other matters to a series of appendices."
"In The Audit Society, I argue that institutionalized pressures exist for #audit and inspection systems to produce comfort and reassurance, rather than critique." - Power, M. (1997). The audit society: Rituals of verification. OUP Oxford. Location 215 of 4404 (Kindle Edition)
"The #riskappetite statement outlines the level of #risk that can be taken in delivering the department’s objectives. In areas where the department has the lowest appetite, staff must implement controls and actions to make sure the risk level is within the acceptable range. In areas of lowest appetite, the target risk level must be low."
Risk analysis is a judgement-laden exercise; in addition, concepts of, fears about and aversion to 'risk' are socially, organisationally and communally constructed or prioritised.
That is, try as we may, there are always varying degrees of human bias, subjective representation and curated elements distributed inconsistently and invisibly across the risk consideration, risk evaluation and risk analysis process.
This further weakens safety, security and resilience considerations.
As a result, most risk assessments are not transferable from one environment, user, context, audience or organisation to another, especially where the group, organisational considerations and societal influences are neither provided nor declared.
In other words, a risk assessment is a moment in time, specific to the group or individual conducting the analysis, situated within a complex socio-technical organisational construct.
"This book is an effort, rather than proving or disproving prevailing views on #riskculture or providing an exhaustive review on topics that should touch #risk #culture, to contribute thoughtful perspectives on risk culture that specifically take on organisational considerations... the complexities in the culture of an organisation and trade-offs intrinsic to management, and #riskmanagement in particular, suggest that a snappy definition of risk culture is not a fruitful goal. Quoting from an oft-cited UK-based report, ‘Our desk research of academic and practitioner literature on risk management, management control, culture and safety issues suggested strongly that risk culture is a way of framing issues of risk and culture in organisations and not a separate object’" - Tuveson, M., Ralph, D., & Alexander, K. (Eds.). (2020). Beyond Bad Apples: Risk Culture in Business. Cambridge University Press, p.2
"Identifying and assessing criticality: For Financial Services and Markets Sector critical infrastructure providers, determining which sites and components of an asset should be considered critical involves identification and analysis of how an asset and its operations may be exposed to, or harmed by, threats and/or hazards. This process is vital for all hazards #riskmanagement, providing input into the identification of plausible risk scenarios that may impact operations. The critical sites and components of an asset are ultimately those most vital to its effective functioning and therefore integral to Australia’s #nationalsecurity interests. Establishing criticality is designed to provide guidance on the allocation of resources to best protect the operational capability of the asset."
Vulnerability is routinely an inadequately considered or evaluated facet of risk analysis, security risk management, business continuity and resilience.
That is, the scales used to evaluate individual and cumulative threat factors are rarely detailed, systematic or transparent; they remain opaque and superficial, producing non-specific or generic ratings of vulnerability that undermine the best intentions of any risk management strategy.
In other words, risk ratings and values remain invalid and unreliable unless both threat and vulnerability are considered in detail and revised according to new information, behaviours and the exposure of the asset(s).
"...#risk expresses the urge to address uncertainties and the fears they generate. As a probability statement, risk calculations can only make uncertain knowledge claims. Yet people require knowledge of risk as a capacity for action, to feel that they are taming chance even as they are taking it. Furthermore, uncertainty often increases as action is taken under descriptions of risk, because risk is interactive: it is conditional and continuous in response to attitudes and behaviour of the participants in the risk communication system. Uncertainty resides in the values, interests, and intentions of others in the system" - Ericson, R. & Doyle, A. (2003) Risk and Morality, University of Toronto Press, p.16
"‘Security to go’ is intended to provide a simple, easy-to-use guide for non-security experts to quickly set up basic #safety, #security and #riskmanagement systems in new contexts or rapid onset emergency response situations. This guide is applicable to both international organisations and national agencies moving into new regions and/or setting up new programmes; it is especially applicable to environments where the risk levels have changed due to human or natural causes."
While there is an abundance of resilience definitions and contexts (including the growing use of the expression), there is routinely a dearth of fast, simple and succinct models or measurements with which to rate and compare 'resilience' narratives, systems, structures and practices. That is, it remains far easier to declare, state or use the word resilience than to explain or demonstrate what is meant by it, and few are able to do so adequately and expediently, particularly when it comes to known and/or unknown threats, stressors, hazards and perils.
"The focus of regulation on the character of #risk - #safety, #security, #health and #environment - and the geographical location - work or workplace - limits the capacity for effective enforcement of SSHE (Safety, Security, Health & Environment) in the modern, commercial context." - Tooma, M. (2019) Safety, Security, Health and Environment Law, 3rd ed, Federation Press, p.200
Long before the management and mitigation of risk begins, how any one person, group or community perceives risk remains an essential, yet routinely glossed over, aspect of risk management and resilience practice.
That is:
What you think, see or believe to be a 'risk' determines your focus on, interest in and evaluation of that issue and all related factors.
Moreover, these perceptions are formed and shaped through varying lenses.
For example, you may directly observe a hazard, danger, threat, peril or 'risk'.
Not surprisingly, this personal perception varies greatly between people, cultures, times and levels of experience.
"Organisations need to identify the type and location of their sensitive data stored electronically, as part of a #security #risk assessment performed to identify the level of protection that their assets require from various threats. For the purpose of this publication, sensitive data refers to either unclassified or classified information identified as requiring protection. This protection is often focused on maintaining confidentiality of the data, although data integrity and availability are also important and are often overlooked. Such data might reside within organisations in various locations including government ministerial submissions and other documents detailing government intentions, strategic planning documents, business proposals, tenders, meeting minutes, financial and accounting reports, legal documents, and intellectual property holdings."
----------------------------------------------------------
Risk, Security, Safety, Resilience & Management Sciences