Security Risk Management: Standards of Content, Evidence and Rigour
On a scale of 1 to 5, how do you rank or rate the security risk management content which informs or supports your application of security in public or private contexts?
In other words, is your use of security risk management content and knowledge sufficient to defend your choices in a court of law, the court of public opinion or professional/peer-review?
Moreover, how do you mix and match content to support your security risk management strategy, policies and procedures?
Lack of specified, declared or consistent content or knowledge analysis remains a significant point of concern and risk within security risk management strategies, policies and procedures.
5. Empirical Findings
Remains the highest of standards. However, empirical findings within security and/or risk management remain scattered, inconsistent or largely excluded. Moreover, these findings use consistent scientific methods and remain statistically reliable and verifiable. Transparency is the key.
4. Theoretical Findings
Plausible and supported theoretical findings by qualified and experienced author/s come in as the second highest level. Again, there is significant evidence to support the hypothesis, and detailed disclosure of content, references, models and authors is required.
3. Experimental Findings
Clear, transparent and structured experiments are approximately mid-way on the scale. However, said experiments are well documented, structured and conducted by professionals as opposed to brands and random authors.
2. Authoritative Knowledge
Views and opinions of individuals unsupported by specific references, citations and research... especially across disciplines and subjects. Perhaps the most common short-form terms of reference, which carry far too much influence and too many dependencies within public and private security narratives and practices.
1. General Beliefs
Undisclosed authors, normative practices, myths, groupthink, many standards, white papers, brochures and sales/marketing spin remain the lowest of all.
However, a critical component of structured knowledge utilisation and application is that of the author/s and the combination in which they mix, match and manufacture content informing security and risk management practices.
That is, the people who use the varied scales of qualitative knowledge remain a key consideration of the overall efficacy, reliability and expertise informing security and/or risk management discussions.
An entry-level practitioner citing empirical findings may not necessarily result in superior quality of knowledge, especially when interpretation, understanding and application are a factor. Conversely, experts citing or relying on low-quality, unverified content and knowledge are equally, if not more, dangerous for organisations and practices.
In sum, scales of quality and consistency are required when it comes to security and risk management practices, in addition to the underlying knowledge or beliefs upon which strategy, practices and assumptions are based. Surprisingly little effort or attention is apportioned to the latter, with general beliefs, theories, tropes and metaphors permeating security and risk management narratives at all levels. This in turn creates and obfuscates risk within safety, security and risk management practices at all levels of private/public security practices.
Tony Ridley, MSc CSyP MSyI M.ISRM
Security, Risk & Management Sciences