
Security Risk Management

August 14, 2008

Author: Julian Talbot

Abstract

Almost everyone can recognise the benefits of investments in security risk management when it comes to the basics of putting locks on the office door or the factory gate. Equally, the benefits of significant investments in security measures are obvious when an organisation wishes to operate in a high threat environment.

Introduction

Almost everyone can recognize the benefits of investments in security risk management when it comes to the basics of putting locks on the office door or the factory gate. Equally, the benefits of significant investments in security measures are obvious when an organization wishes to operate in a high threat environment. Drilling for oil in the developing world, for example, is a situation where an organization would invest readily in security measures in order to achieve the potentially considerable rewards which can only be achieved if protective measures are put in place.

Understanding the risks involved is no mean feat for humankind, however. We continue to over- or underestimate risks and to make a range of poor quality decisions. In December 2001 David Myers, Professor of Psychology at Hope College, postulated that if Americans “now fly 20 percent less and instead drive half those unflown miles, we will spend 2 percent more time in motor vehicles. This translates into 800 more people dying as passengers and pedestrians. So, in just the next year the terrorists may indirectly kill three times more people on our highways than died on those four fated planes.”[1]

As it turned out, domestic air travel in the United States following the terrorist attacks of September 11 dropped more than 30% relative to the same period the previous year, and US motor vehicle fatalities were 1,085 higher in 2002 than in 2001. This obviously does not demonstrate cause and effect, but it remains thought provoking, particularly given that 2001 was actually on a slight downtrend (931 fewer deaths than in 2000). To put it all in context, in the same year that 3,000 people died in the 9/11 attacks and several hundred billion dollars were allocated to counter-terrorism, 42,000 Americans died on US roads without much hue and cry at all.

As Bruce Schneier points out, we can calculate the risk of any number of security threats including murder, mugging, identity theft, etc. After all, insurance companies do it all the time. The reality, however, is that “security is also a feeling, based not on probabilities and mathematical calculations, but on your psychological reactions to both risks and countermeasures. You might feel terribly afraid of terrorism, or you might feel like it’s not something worth worrying about.”[2]

The challenge for us as security professionals is to understand the risks and apply an optimal balance of neither too many nor too few resources to achieve an appropriate cost-effective result.

The business benefits of deploying SRM

The ability to operate in a high threat environment can offer competitive advantage to organisations which can operate where their competitors may not be able to (or at least may not be able to deploy as quickly). The challenge of course is that most organisations do not operate in either extremely low or extremely high threat environments. Most of us need to tailor the investment in security protection to meet the appropriate threats and opportunities.

In this paper I would argue that most organisations either a) take on more risk than they realise, b) over-engineer their risk mitigation strategies, thereby allocating resources inefficiently, or c) don’t take risks. This paradigm of being risk averse or unconsciously accepting unnecessary levels of risk would be bad enough, but when put into the context that the corporation is the dominant entity of our time, it becomes an increasingly prevalent challenge for modern society.

The root cause of this inefficient allocation of resources and/or management of risk is that as humans we are the weak link in the equation (and equally, potentially the strongest link). We have evolved to manage risk in the emotional centre of the brain – an adequate system when we lived in small Paleolithic communities. The complexity of the modern world and the new security trade-offs that come with it mean that we need to apply more rational and scientific approaches to risk management.

Some scary things are not really as risky as they seem, and others are better handled by staying in the scary situation to set up a more advantageous future response. This means that there’s an evolutionary advantage to being able to hold off the fight-or-flight response while you work out a more sophisticated analysis of the situation and your options. We humans have a much more sophisticated pathway to deal with analysis, which is the neocortex, a more advanced part of the brain that developed very recently, evolutionarily speaking, and only appears in mammals.

The neocortex is intelligent and analytic. It can reason. It can make more nuanced trade-offs. It’s also much slower. So here’s the first fundamental problem: we have two systems for reacting to risk, a primitive intuitive system and a more advanced analytic system, and they’re operating in parallel. And it’s hard for the neocortex to contradict the amygdala. Essentially, the neocortex, the part of our brain that has to make security trade-offs, is still in beta testing.

Of course, all that wouldn’t be such a problem if we still lived in small village communities. We have any number of multi-national corporations that are more powerful than most of the nations on this planet, all of which operate in an incredibly complex world but are governed by human beings who to a large extent are still governed by a Neolithic piece of technology.

Just to add to the complexity of the situation, there is no simple correct answer to how much should be invested in security for any given scenario. Even if there was, it would vary depending on the organisation. For example, a low risk operation such as a stationery manufacturer would reasonably expect to spend much less on security than might the bank or oil refinery next door. If they were allocating similar resources to mitigating security threats, their shareholders might have good reason to query the appropriateness of one or more of the organisations’ security measures.

Any number of coronial inquiries and post-incident investigations have shown an inappropriate allocation of security measures, and the reasons for this are many and varied. Shareholder financial expectations, management agendas, management competence, technology, political events and more can be found at the root of these, but there are perhaps two main issues worthy of further investigation:

1. Managers lack structured cost-benefit methods to evaluate and compare alternative security solutions

2. Business cases for security risk management (if they are used at all) often fail to identify the ultimate ‘problem’ that they are attempting to resolve (be that realising an opportunity or mitigating a threat)

Defining a structured cost-benefit framework for security is worthy of several PhDs and therefore beyond the scope of this presentation, but much can be found in management and financial literature on this topic. One key area which can be relatively easily managed is context setting within the development phase of a business case for investments in SRM. HB167, the Security Risk Management Handbook to the AS/NZS 4360 Risk Management Standard, provides solid guidance in this area. Indeed, there are any number of methodologies for this, but one of the simplest is the one most commonly overlooked. What is the problem that we are attempting to address? The eight step problem solving process below is one method of initiating development (or review) of a robust business case:

1. What is the problem?
2. Why is it a problem?
3. What causes the problem?
4. What are the possible fixes?
5. What is the best fix (or fixes)?
6. Why is it the best fix?
7. What action do we recommend to implement it? I.e. what are we proposing?
8. What are the possible questions that our managers might ask and what are the answers to those questions?

As simple as these questions are, the fact that they went unasked and unanswered often lies at the heart of an over- or underinvestment in security risk management measures. In many cases this is a reflection of the maturity of the organisation in terms of SRM management systems.

Maturity levels of organisations in their approach to SRM

Little research has been conducted in the area of maturity levels of organisations for enterprise security risk management; however, it is safe to say that it is extremely variable. Australia in many respects is a model of world class performance in this area. The development of the AS/NZS 4360 Risk Management Standard has helped Australian organisations develop leading edge practices. This standard is currently the basis for development of an international standard for risk management (ISO 31000), and it is a tribute to Australia that the ISO committee selected an Australian (Kevin Knight, who was instrumental in developing 4360) as its Chairperson. Similarly, documents such as the HB167 Security Risk Management Handbook, the Commonwealth Government Protective Security Manual, etc., together with a strong, well developed SRM training and education sector, have ensured that Australians and Australian organisations are well regarded internationally for (among other things) their SRM capabilities.

In order to put this in some sort of framework, however, it is worth perhaps considering what an SRM maturity model might look like. Fully developed capability maturity models have proven effective in a number of disciplines in understanding the degree of sophistication of a business management system as well as its reliability and effectiveness in meeting objectives. A number of risk management capability maturity models have been proposed, including by Hillson[3], Hopkinson[4] and Chapman[5], and these have been adapted in the Security Risk Management Body of Knowledge (SRMBOK) to provide guidance on a Security Risk Management Capability Maturity Model based on four levels:

Level 1 – INITIAL

The Level 1 organisation has limited understanding of the benefits of security risk management. SRM practices are ad hoc, reactive and unstructured, typically showing minimal or excessive security measures implemented after incidents and unlikely to reflect the actual risks. Usually there is little attempt to learn from the past or to prepare for future uncertainties.

Level 2 – BASIC

Risk Controllers

The Level 2 organisation is experimenting with the application of security risk management, usually through a small number of nominated individuals, but has no formal or structured management systems in place. This organisation has not yet effectively implemented SRM processes and is focussed on threat mitigation, largely unaware of the potential opportunities of SRM.

Level 3 – REPEATABLE

Risk Enhancers

The Level 3 organisation has built SRM management systems into routine business processes in alignment with other management systems. Policies, procedures and guidance exist for most threats, and the organisation is aware of and pursuing opportunity realisation through the SRM process; however, at this level it is likely to remain focused on loss mitigation. Generic security processes are formalised and widespread, although they may not yet be consistently applied.

Level 4 – OPTIMISING

Risk Transformers

Level 4 organisations exhibit a culture where security risk management, resilience and opportunity realisation are embedded and practised at all levels. The organisation has a proactive approach to SRM and actively uses it to improve capability, business processes and competitive advantage. Security risk management is proactive, continually refined and consistently used to manage opportunities as well as threats.

The relative focus on threat mitigation versus opportunity realisation is illustrated in Figure 1 below, with ‘Level 1’ not shown on this graphic due to the ad hoc implementation and limited focus on both threat and opportunity.

Figure 1: Security Risk Management Maturity Journey

Table 1: SRM Maturity Model[6]

OVERVIEW
Level 1 INITIAL: Compliance only approach; risk appetite not defined; no framework developed; no senior management support; no use of SRM to inform decision making.
Level 2 BASIC: SRM established for loss prevention; shared but poorly articulated SRM tolerance; SRM implemented at lower levels; few policies and procedures.
Level 3 REPEATABLE: SRM built into routine business processes and management systems; comprehensive SRM policy and procedures; benefits recognised at all levels of the organisation.
Level 4 OPTIMISING: SRM considered critical to competitive advantage and achievement of objectives; security risk appetite and approach is documented and promulgated to all levels of the organisation; SRM management systems demonstrate continuous improvement; SRM proactive and focused on opportunity realisation.

CULTURE
Level 1 INITIAL: SRM implemented to meet minimum legislated requirements.
Level 2 BASIC: SRM exposure defined; roles and responsibilities defined; basic SRM decision making mechanisms.
Level 3 REPEATABLE: Proactive approach to SRM; support for SRM at all levels of the organisation; high level security risks reviewed by senior management.
Level 4 OPTIMISING: SRM culture is led by the Chief Executive; SRM information is used in decision making; SRM roles and responsibilities included in inductions, job descriptions and performance appraisals.

SYSTEMS
Level 1 INITIAL: SRM strategy and management systems non-existent or ad hoc.
Level 2 BASIC: SRM framework under development; BCM and resilience not addressed; poor data collection and analysis.
Level 3 REPEATABLE: Strategy and management systems documented and consistently applied; SRM framework in place and partially integrated with BCM.
Level 4 OPTIMISING: SRM framework and management systems are defined and benchmarked against best practice; continuous improvement is evident at all levels.

EXPERIENCE
Level 1 INITIAL: Very limited understanding of SRM systems or terminology.
Level 2 BASIC: Limited to a small number of security practitioners.
Level 3 REPEATABLE: In-house core of experienced individuals, systems and modelling.
Level 4 OPTIMISING: Organisation has a depth of experience at all levels, and experiences are analysed as part of normal management processes.

TRAINING
Level 1 INITIAL: Training implemented only to the level required by legislation.
Level 2 BASIC: Training undertaken only by security practitioners.
Level 3 REPEATABLE: Organisational training needs analysed and met; security training provided to staff at all levels.
Level 4 OPTIMISING: Training and education programs are based on robust and up to date training needs analysis; relevant training is provided to all levels.

MANAGEMENT
Level 1 INITIAL: Management practices focused on meeting legislated requirements; response to critical incidents is the prime initiator for SRM.
Level 2 BASIC: Majority of SRM is reactive; security systems reviewed on an ad hoc basis.
Level 3 REPEATABLE: SRM practices based on organisational management systems; guidance for SRM provided to all levels of management; resource allocation commensurate with risk; security plans reviewed at least annually.
Level 4 OPTIMISING: Guidance on SRM implementation is provided to all levels; benchmarks are established and monitored; resource allocation is monitored and optimised; BCM and SRM are integrated, and plans are reviewed and tested at least annually; collaboration between senior management, IT and risk departments.

Security Risk Management has, in the main, grown out of the 3G’s of Guns, Guards, Gates or information technology. Only comparatively recently has the role of Chief Security Officer been created with the main focus (as it needs to be) on business integration, enterprise security and value creation.

The integration of security with standard management systems including financial systems, OHS and human resources is a key element of success in this area. Using existing platforms such as ISO 9000 or the Balanced Scorecard is one way to demonstrate alignment with the business.

Establishing an integrated security risk management function means setting up the corporate “infrastructure” for risk management that is designed to enhance understanding and communication of risk issues internally, to provide clear direction and to demonstrate senior management support. To be effective, this security risk management framework needs to be aligned with the organisation’s overall objectives, corporate focus, strategic direction, operating practices and internal culture. Additionally, in order to ensure security risk management is a consideration in priority setting and budget allocation, it needs to be integrated within existing governance and decision-making structures at the operational and strategic levels.

To ensure that risk management is integrated in a rational, systematic and proactive manner, an organisation needs to achieve three related outcomes:

DIRECTION. The organisation’s direction on all matters including security risk management must be communicated, understood and applied: vision, policies, operating principles.

SYSTEMS. The approach to operationalise integrated security risk management must be implemented through existing decision-making structures: governance, clear roles and responsibilities, and performance reporting.

EXECUTION. Building capacity – learning plans and tools are developed for use throughout the organisation.

Figure 2: Relationship of Direction, Systems and Execution

Barriers, guiding principles and applications for proactive SRM

Effective implementation of security risk management processes into organisations and projects is not common. Organisations which have tried to integrate risk management into their business processes have reported differing degrees of success, and some have given up the attempt without achieving the potential benefits.

Research conducted by the Risk Management Research and Development Program Collaboration[7] suggests that unrealistic expectations and lack of a clear vision regarding what implementation would involve or how it should be managed were the cause of many of the unsuccessful implementations. Organisations attempting to implement a formal structured approach to risk management need to treat the implementation itself as a project requiring clear objectives and success criteria, proper planning and resourcing, and effective monitoring and control.

One of the critical success factors behind any enterprise risk management implementation is a supportive organisational culture. In this respect there is much to learn from a range of other disciplines, not least of all from the disciplines of behavioural psychology and occupational health and safety.

The US Department of Defense (DoD) conducted significant research and development in the area of aviation safety based on the work of James Reason[8], which led to the development of the Human Factors Analysis and Classification System (HFACS)[9]. This has been adapted by the DoD into a taxonomy involving four layers:

Errors (perception based, competency, etc.), inappropriate behaviours or deliberate acts

Pre-conditions such as fatigue, physical environment, inattention, etc.

Supervision or inadequate oversight such as leadership, inappropriate operations, failure to correct known problems

Organisational influences such as culture, organisational climate, resources/procurement

HFACS asserts that research indicates human error is a causal factor in 80 to 90 percent of incidents and present in another 50 to 60 percent. Although limited empirical data and research exist regarding Human Factors Analysis in the SRM field, anecdotal evidence and the results of incident investigations suggest that similar percentages would apply.

High Reliability Organisations

Further research in the area of enterprise risk management comes from research into high reliability organisations (HROs) such as nuclear power plants, aircraft carriers and air traffic control.

High reliability institutions are notable, according to Rochlin[10], because “these organizations have not just failed to fail; they have actively managed to avoid failures in an environment rich with the potential for error.” That ability to actively and reliably manage to reduce the chances of mistakes occurring, rather than to avoid the hazards, has been the distinguishing hallmark of most HROs, and their experience offers many lessons for the application of security risk management at the enterprise level.

Work by Karl Weick and Kathleen Sutcliffe[11] into this area suggests that five key elements contribute to what they describe as a state of ‘mindfulness’:

1. Preoccupation with failure
2. Reluctance to simplify interpretations
3. Sensitivity to operations
4. Commitment to resilience
5. Deference to expertise

At first many of these processes appear to be self-defeating on multiple levels. But as Weick further explains why these processes are necessary if a high reliability organization is to be successful, their validity becomes increasingly apparent.

Preoccupation with failure

HROs, like most organisations, celebrate their successes, but Weick also notes that “a chronic worry in HROs is that analytic error is embedded in ongoing activities and that unexpected failure modes and limitations of foresight may amplify those analytic errors.”[12]

Reluctance to simplify interpretations

Most organisations are happy to handle complex issues by simplifying them and categorising them, thus ignoring certain aspects. HROs, however, take nothing for granted and support cultures which attempt to suppress simplification because it limits their ability to envision all possible undesirable effects as well as the precautions necessary to avoid these effects. HROs pay attention to detail and actively seek to know what they don’t know. They endeavour to uncover those things that might disconfirm their intuitions despite being unpleasant, uncertain or disputed. Scepticism is also deemed necessary to counteract the complacency that many typical organisational management systems foster.

Sensitivity to operations

Weick describes sensitivity to operations as pointing to “an ongoing concern with the unexpected. Unexpected events usually originate in ‘latent failures’ which are loopholes in the system’s defenses, barriers and safeguards whose potential existed for some time prior to the onset of the accident sequence, though usually without any obvious bad effect.”[13]

Management focus at all levels on managing normal operations offers opportunities to learn about deficiencies which could signal the development of undesirable or unexpected events before they become an incident. HROs recognise each potential near-miss or ‘out of course’ event as offering a ‘window on the health of the system’ – if the organisation is sensitive to its own operations.

Commitment to resilience

HROs develop capabilities to detect, contain, and bounce back from those inevitable errors that are a part of an indeterminate world. The hallmark of an HRO is not that it does not experience incidents but that those incidents don’t disable it. Resilience involves a process of improvising workarounds that keep the system functioning and of keeping errors small in the first place.

Deference to expertise

HROs put a premium on experts: personnel with deep experience, skills of recombination, and training. They cultivate diversity, not just because it helps them notice more in complex environments, but also because rigid hierarchies have their own special vulnerability to error. As highlighted by the work of James Reason and HFACS, errors at higher levels tend to pick up and combine with errors at lower levels, exposing an organisation to further escalation.

HROs consciously evoke the fundamental principle of risk management – that ‘risk should be managed at the point at which it occurs’. This is where you will find the expertise and experience to make the required decisions quickly and correctly, regardless of rank or title.

Other lessons from HROs

Other lessons from HROs include the strong support and reward for reporting of errors, based on recognition that the value of remaining fully informed and aware far outweighs whatever satisfaction might be gained from identifying and punishing an individual.

The Icarus Paradox

Many experiments have shown that people who succeed on tasks are less able to change their approaches even after circumstances change (the hammer and the nail syndrome). Weick quotes Starbuck and Milliken in their analysis of the Challenger disaster: “Success breeds confidence and fantasy. When an organization succeeds, its managers usually attribute success to themselves or at least to their organization, rather than to luck. The organization’s members grow more confident of their own abilities, of their manager’s skills, and of their organization’s existing programs and procedures. They trust the procedures to keep them apprised of developing problems, in the belief that these procedures focus on the most important events and ignore the least significant ones.”[14] This level of complacency is a breeding ground for inadequate or ineffective organisational security risk management.

Another contributor to these ineffective management systems is that human beings are inclined to show a level of ingratitude when warned about anything abstract. By definition, of course, anything that did not happen is ‘abstract’.

Conclusion

On the occasions when our organisational security risk management systems fail, it is often not because we lack the tools, will or imagination to mitigate risk. Very often it is because our perceptions of the threat have failed us. To a large extent this failure of perception is because the changes in our ability to perceive and manage risk have not kept up with our changing environment; in short, situations that exist in the world of 2007 but didn’t in the world of 100,000 BC. Like a possum whose predator-evasion techniques fail when confronted with a car, or a magpie who finds that evolution prepared him to survive the hawk but not the shotgun, our innate capabilities to deal with risk can fail when confronted with such things as modern technology, large faceless human societies, and the media. Worst of all, our risk management systems can be made to fail by others – terrorists, organised crime, email scammers, and so on – who may attempt to exploit our natural failures for their gain.

Ultimately, security professionals must trade off various elements, applying resources to risk exposures towards an acceptable level of organisational risk and to agreed quality requirements. These four elements can be considered the ‘quadruple constraints’ which we must trade off and balance in order to achieve an optimal outcome for the circumstances. Any change in one will result in a corresponding increase or decrease in one or more of the other elements. The first step in managing our risks involves understanding our own inherent risk management limitations.

Figure 3: SRM Quadruple Constraints

In managing security risk for the enterprise we have a responsibility which goes far beyond the immediate. With the corporation as the dominant entity of our time, our actions as security professionals, managers and Board members have far greater ramifications than we can readily appreciate. Similarly, security risks, being abstract concepts, do not fit well into our emotional reptilian fight-or-flight risk management programming.

We have some inherent limitations in regard to managing the abstract concepts of things which have not yet happened (and may never happen), but we can do something about it. By learning the lessons from other disciplines we can establish and maintain a level of ‘mindfulness’, to help decision makers understand the real problem(s) and/or benefit(s) as well as the appropriate security measures to address them.
