All slides and material are commercial-in-confidence. © Insync Surveys Pty Ltd. All rights reserved
insync.com.au/risk-compliance
Critical Infrastructure &
Systems of National
Significance: Security Risk
Management Challenges
for Managers and Industry
Tony Ridley MSc CSyP CAS MSyl M.ISRM
Tony Ridley
Enterprise Security Risk Management
Tony Ridley MSc CSyP CAS MSyl M.ISRM
Principal – Risk & Resilience Consulting
Education, licenses and certifications
• Master of Science (MSc) Security and Risk Management, University of Leicester
• Doctor of Public Safety, Charles Sturt University (Currently Studying)
• Chartered Security Professional (CSyP), Registered Charter of Security Professionals (UK)
• Certified Anti-Terrorism Specialist (CATS), Anti-Terrorism Advisory Board (ATAB)
• Lead Auditor, Integrated Management Systems: Quality, OHS, Environment and Management Systems
• Security & Risk Management, Diploma
• Security Operations Management, Diploma
• Assessment and Workplace Training, Certificate IV
Professional Associations
• Vetted Member (MSyl), The Security Institute
• Business Continuity Institute (BCI)
LinkedIn Profile
Overview
Tony has worked in executive-level enterprise security and operational
risk & resilience roles worldwide. His extensive experience includes
remote sites, national operations, multinational firms, and government
agencies. As a criminologist, security and risk scientist, intelligence
analyst and public safety professional, he is passionate about helping
organisations build and maintain robust, risk-informed systems and
decision-making processes leading to sustainable resilience.
Tony helps clients build, review, and improve security, risk and resilience
teams, supply chains and enterprise security risk management systems,
using advanced academic methodologies, practical experience and
applied scientific means.
Also…
www.riskdepartment.global
www.linkedin.com/company/riskdepartment
Agenda
- Context (UK, US, Aust)
- Challenge
- Considerations
- Recommendations
Young Professionals
Critical Infrastructure &
Systems of National
Significance:
Context, Growth,
Complexity, Dependencies
Security, Risk, Resilience & Maturity
Protective security is an enduring process, not a state.
…the language of ‘maturity’ implies an ideal end state that does
not exist.
In reality, the risks keep moving and no security will stay
‘mature’ for long unless it too keeps moving.
Reference: Martin, P. (2019) The Rules of Security: Staying Safe in a Risky World, Oxford University Press, p.22
Definitions
"As the threats and risks to Australia’s critical infrastructure evolve, so too must our approach to ensuring the ongoing security and resilience of these assets and the essential services they deliver." - (Department of Home Affairs, 2021)
Reference: Security of Critical Infrastructure (Definitions) Rules (LIN 21/039) 2021
Resilience, Risk & Resourcefulness
“…although resilience appears at first sight
as a systems theory, its main effect is to
emphasize the need for adaptability at the
unit level. ”
Reference:
Bergstrom, J. and Dekker, S. (2019). The 2010s and Onward: Resilience Engineering, in Dekker, S. (ed) Foundations of Safety Science; A century of understanding accidents and disasters. pp. 391-429
Interdependence
Between one or more assets and those that are/aren’t ‘critical’
Reference: Little, R. (2012) Managing the Risk of Ageing Infrastructure, IRGC - Public Sector Governance of Emerging Risks - Infrastructure Case - November 2012
Liveable
Reference: Infrastructure Australia (2021) Reforms to meet Australia’s future infrastructure needs, Australian Government
Built Environment
Reference: https://www.cpni.gov.uk/protecting-your-assets
Risk, Resilience & Resourcefulness
“While risk and resilience are related, resilience has
been favoured for unknown, unquantifiable, systemic
risks. In other words, resilience is an “asset based”
rather than “threat based” approach. ”
Reference:
Kekovic, Z. and Ninkovic, V. (2020). Towards a conceptualisation of resilience in security studies, Institute for Political Studies: Faculty of Security Studies, University of Belgrade. pp. 153-173
Crime Prevention Through Environmental Design
(CPTED)
Protection
Defence In Depth
Resilience, Risk & Resourcefulness
“Complex systems, though seemingly stable, are not in
equilibrium. Rather, complex systems are constantly
adapting to balance multiple goal conflicts. Such
complex systems are inherently vulnerable to ‘drifting
toward failure as defences erode in the face of
production pressure’”
Reference:
Bergstrom, J. and Dekker, S. (2019). The 2010s and Onward: Resilience Engineering, in Dekker, S. (ed) Foundations of Safety Science; A century of understanding accidents and disasters. pp. 391-429
Cascading Failure(s)
Where are you?
Reference: National recovery and resilience agency (2020) National emergency risk assessment guidelines, Australian Disaster Resilience Handbook Collection, 1st ed (updated), Australian Institute for Disaster Resilience, Australian Government
Risk Contexts, Considerations and Analysis
Risk, Resilience & Resourcefulness
“…recognition of resilience as an emergent property of complex
adaptive systems. Resilience is both a function of planning for and
preparing for future crisis (planned resilience), and adapting to
chronic stresses and acute shocks (adaptive resilience). ”
Reference:
Kekovic, Z. and Ninkovic, V. (2020). Towards a conceptualisation of resilience in security studies, Institute for Political Studies: Faculty of Security Studies, University of Belgrade. pp. 153-173
COSO Enterprise Risk
Management Framework
Risk – Frameworks influencing the Enterprise
Reference:
https://www.csu.edu/internalaudit/documents/COSOEnterpriseRiskManagementFramework.pdf
Principles, Framework
and Process
Risk – Frameworks influencing the Enterprise
Reference: National recovery and resilience agency (2020) National emergency risk assessment guidelines, Australian Disaster Resilience Handbook Collection, 1st ed (updated), Australian Institute for Disaster Resilience, Australian Government
Risk, Security & Resilience
“security is essentially preventive and proactive in
nature, ... whereas resilience, is a combination of
proactive and reactive measures aiming at reducing
the impact but not at preventing threats as such”
Reference:
Fjäder, C. (2014). “The nation-state, national security and resilience in the age of globalization.” Resilience 2 (2). pp. 114–129.
Convergence
Risk – Frameworks influencing the Enterprise
Reference: Homeland Security (2006). National Infrastructure Protection Plan: Risk Management Framework, Department of Homeland Security, US Government
Reference: Homeland Security (2013) Supplement Tool: Executing a Critical Infrastructure Risk Management Approach, Department of Homeland Security, US Government
Risk, Resilience & Vulnerabilities
“Risk and resilience are important
paradigms for guiding decisions made
under uncertainty, in particular decisions
about how to protect systems from a
portfolio of threats. ”
Reference:
Kekovic, Z. and Ninkovic, V. (2020). Towards a conceptualisation of resilience in security studies, Institute for Political Studies: Faculty of Security Studies, University of Belgrade. pp. 153-173
Assessments of “Risks”
Melbourne | Sydney | Gold Coast
insync.com.au
Resilience, Risk & Resourcefulness
Reference:
The Royal Society (1992) Risk Analysis, Perception & Management. Report of the Royal Society Study Group, page 181
“Issues of how to constitute decision advice procedures, both of an
ex-ante and ex-post kind, how to allocate blame and liability, how
to organise affective regulatory structures, how to bring together
different kinds of expertise into an affective policy debate, arise in
different ways in all of these cases and go to the heart of the
institutional aspects of risk management”
From security to resilience
Reference: Homeland Security (2013) National Infrastructure Protection Plan (NIPP): Partnering of critical infrastructure Security and Resilience, Department of Homeland Security, US Government
Security, Risk, Resilience & Human Factors
One of the main reasons why so many
security systems remain vulnerable is
that threat actors pay more attention to
the psychology of their victim than do
most security designers and
practitioners.*
*Reference: Martin, P. (2019) The Rules of Security: Staying Safe in a Risky World, Oxford University Press, p.96
Security
Contextual Layers
Security, Risk, Resilience & Protection from Harm
Good protective security has nine distinguishing characteristics: it is risk-based, well governed, holistic, understandable, regularly tested, well measured, layered, designed-in, and dynamic.
Reference: Martin, P. (2019) The Rules of Security: Staying Safe in a Risky World, Oxford University Press, p.173
 Essential
Questions??
But that’s not all…
Learn more about what we
think about the issues
that matter most…
You can learn more about what we think and how we contribute to various
conversations that are relevant to you and your context through visiting the
following links. As a small, focused organisation of around 50- people you
can also be guaranteed that, by engaging with Insync, you are working with
the thought leaders actively involved in leading the debate.
Risk Management
• A proven and pragmatic approach to better decision making in turbulent times | Insync
• To make better decisions you need 6 things | Insync
• So you think you are risk averse? | Insync
Security Risk Management
• Defence-in-depth: myths, vulnerabilities and realities
• Safety & security risks. Transition relationships
• Risk landscapes & environments
• Security risk assessments
• Situational security: factor analysis
• Operational security: a formulaic approach
More Related Content

More from Enterprise Security Risk Management

Security and risk management. from subject matter expert to business leader.t...
Security and risk management. from subject matter expert to business leader.t...Security and risk management. from subject matter expert to business leader.t...
Security and risk management. from subject matter expert to business leader.t...Enterprise Security Risk Management
 
Security and risk management in emerging and developing markets.tony ridley.s...
Security and risk management in emerging and developing markets.tony ridley.s...Security and risk management in emerging and developing markets.tony ridley.s...
Security and risk management in emerging and developing markets.tony ridley.s...Enterprise Security Risk Management
 
8 security masters degrees compared.security risk management.tony ridley.se...
8  security  masters degrees compared.security risk management.tony ridley.se...8  security  masters degrees compared.security risk management.tony ridley.se...
8 security masters degrees compared.security risk management.tony ridley.se...Enterprise Security Risk Management
 
Appreciation process.time critical decision making.security risk management.t...
Appreciation process.time critical decision making.security risk management.t...Appreciation process.time critical decision making.security risk management.t...
Appreciation process.time critical decision making.security risk management.t...Enterprise Security Risk Management
 
Cheap and nasty.security certification.tony ridley.security consultant
Cheap and nasty.security certification.tony ridley.security consultantCheap and nasty.security certification.tony ridley.security consultant
Cheap and nasty.security certification.tony ridley.security consultantEnterprise Security Risk Management
 
Educational levels of professionals.a guide.tony ridley.security risk managem...
Educational levels of professionals.a guide.tony ridley.security risk managem...Educational levels of professionals.a guide.tony ridley.security risk managem...
Educational levels of professionals.a guide.tony ridley.security risk managem...Enterprise Security Risk Management
 
Fat tail distribution hypothesis.tony ridley.security risk management.securit...
Fat tail distribution hypothesis.tony ridley.security risk management.securit...Fat tail distribution hypothesis.tony ridley.security risk management.securit...
Fat tail distribution hypothesis.tony ridley.security risk management.securit...Enterprise Security Risk Management
 
Forecastings.intelligence.predictions.experts.accuracy.security science.risk ...
Forecastings.intelligence.predictions.experts.accuracy.security science.risk ...Forecastings.intelligence.predictions.experts.accuracy.security science.risk ...
Forecastings.intelligence.predictions.experts.accuracy.security science.risk ...Enterprise Security Risk Management
 
Educational levels of professionals.a guide.tony ridley.security risk managem...
Educational levels of professionals.a guide.tony ridley.security risk managem...Educational levels of professionals.a guide.tony ridley.security risk managem...
Educational levels of professionals.a guide.tony ridley.security risk managem...Enterprise Security Risk Management
 
Takes a thief to catch a thief.security ethics.tony ridley.security risk mana...
Takes a thief to catch a thief.security ethics.tony ridley.security risk mana...Takes a thief to catch a thief.security ethics.tony ridley.security risk mana...
Takes a thief to catch a thief.security ethics.tony ridley.security risk mana...Enterprise Security Risk Management
 
Security writings.no name no credibility.risk management.tony ridley
Security writings.no name no credibility.risk management.tony ridleySecurity writings.no name no credibility.risk management.tony ridley
Security writings.no name no credibility.risk management.tony ridleyEnterprise Security Risk Management
 
Security risk management. the essentials.tony ridley.security consultant
Security risk management. the essentials.tony ridley.security consultantSecurity risk management. the essentials.tony ridley.security consultant
Security risk management. the essentials.tony ridley.security consultantEnterprise Security Risk Management
 
Security education levels. why it matters.security risk mangement.tony ridley...
Security education levels. why it matters.security risk mangement.tony ridley...Security education levels. why it matters.security risk mangement.tony ridley...
Security education levels. why it matters.security risk mangement.tony ridley...Enterprise Security Risk Management
 
Intelligence industrial complex.security risk management.tony ridley.security...
Intelligence industrial complex.security risk management.tony ridley.security...Intelligence industrial complex.security risk management.tony ridley.security...
Intelligence industrial complex.security risk management.tony ridley.security...Enterprise Security Risk Management
 
Ghost.shadow.overemployment.security guards.security r isk management.tony ri...
Ghost.shadow.overemployment.security guards.security r isk management.tony ri...Ghost.shadow.overemployment.security guards.security r isk management.tony ri...
Ghost.shadow.overemployment.security guards.security r isk management.tony ri...Enterprise Security Risk Management
 
Wise men and fools.tony ridley.security risk management.consultant
Wise men and fools.tony ridley.security risk management.consultantWise men and fools.tony ridley.security risk management.consultant
Wise men and fools.tony ridley.security risk management.consultantEnterprise Security Risk Management
 
Vicarious liability.tony ridley.security risk management.security consultant
Vicarious liability.tony ridley.security risk management.security consultantVicarious liability.tony ridley.security risk management.security consultant
Vicarious liability.tony ridley.security risk management.security consultantEnterprise Security Risk Management
 

More from Enterprise Security Risk Management (20)

Security and risk management. from subject matter expert to business leader.t...
Security and risk management. from subject matter expert to business leader.t...Security and risk management. from subject matter expert to business leader.t...
Security and risk management. from subject matter expert to business leader.t...
 
Security and risk management in emerging and developing markets.tony ridley.s...
Security and risk management in emerging and developing markets.tony ridley.s...Security and risk management in emerging and developing markets.tony ridley.s...
Security and risk management in emerging and developing markets.tony ridley.s...
 
8 security masters degrees compared.security risk management.tony ridley.se...
8  security  masters degrees compared.security risk management.tony ridley.se...8  security  masters degrees compared.security risk management.tony ridley.se...
8 security masters degrees compared.security risk management.tony ridley.se...
 
Appreciation process.time critical decision making.security risk management.t...
Appreciation process.time critical decision making.security risk management.t...Appreciation process.time critical decision making.security risk management.t...
Appreciation process.time critical decision making.security risk management.t...
 
Cheap and nasty.security certification.tony ridley.security consultant
Cheap and nasty.security certification.tony ridley.security consultantCheap and nasty.security certification.tony ridley.security consultant
Cheap and nasty.security certification.tony ridley.security consultant
 
Educational levels of professionals.a guide.tony ridley.security risk managem...
Educational levels of professionals.a guide.tony ridley.security risk managem...Educational levels of professionals.a guide.tony ridley.security risk managem...
Educational levels of professionals.a guide.tony ridley.security risk managem...
 
Fat tail distribution hypothesis.tony ridley.security risk management.securit...
Fat tail distribution hypothesis.tony ridley.security risk management.securit...Fat tail distribution hypothesis.tony ridley.security risk management.securit...
Fat tail distribution hypothesis.tony ridley.security risk management.securit...
 
Forecastings.intelligence.predictions.experts.accuracy.security science.risk ...
Forecastings.intelligence.predictions.experts.accuracy.security science.risk ...Forecastings.intelligence.predictions.experts.accuracy.security science.risk ...
Forecastings.intelligence.predictions.experts.accuracy.security science.risk ...
 
Get to the point..faster.tony ridley.security risk management
Get to the point..faster.tony ridley.security risk managementGet to the point..faster.tony ridley.security risk management
Get to the point..faster.tony ridley.security risk management
 
Educational levels of professionals.a guide.tony ridley.security risk managem...
Educational levels of professionals.a guide.tony ridley.security risk managem...Educational levels of professionals.a guide.tony ridley.security risk managem...
Educational levels of professionals.a guide.tony ridley.security risk managem...
 
Takes a thief to catch a thief.security ethics.tony ridley.security risk mana...
Takes a thief to catch a thief.security ethics.tony ridley.security risk mana...Takes a thief to catch a thief.security ethics.tony ridley.security risk mana...
Takes a thief to catch a thief.security ethics.tony ridley.security risk mana...
 
Seguridad y riesgo.tony ridley
Seguridad y riesgo.tony ridleySeguridad y riesgo.tony ridley
Seguridad y riesgo.tony ridley
 
Security writings.no name no credibility.risk management.tony ridley
Security writings.no name no credibility.risk management.tony ridleySecurity writings.no name no credibility.risk management.tony ridley
Security writings.no name no credibility.risk management.tony ridley
 
Security risk management. the essentials.tony ridley.security consultant
Security risk management. the essentials.tony ridley.security consultantSecurity risk management. the essentials.tony ridley.security consultant
Security risk management. the essentials.tony ridley.security consultant
 
Security education levels. why it matters.security risk mangement.tony ridley...
Security education levels. why it matters.security risk mangement.tony ridley...Security education levels. why it matters.security risk mangement.tony ridley...
Security education levels. why it matters.security risk mangement.tony ridley...
 
Securite et de risque.tony ridley
Securite et de risque.tony ridleySecurite et de risque.tony ridley
Securite et de risque.tony ridley
 
Intelligence industrial complex.security risk management.tony ridley.security...
Intelligence industrial complex.security risk management.tony ridley.security...Intelligence industrial complex.security risk management.tony ridley.security...
Intelligence industrial complex.security risk management.tony ridley.security...
 
Ghost.shadow.overemployment.security guards.security r isk management.tony ri...
Ghost.shadow.overemployment.security guards.security r isk management.tony ri...Ghost.shadow.overemployment.security guards.security r isk management.tony ri...
Ghost.shadow.overemployment.security guards.security r isk management.tony ri...
 
Wise men and fools.tony ridley.security risk management.consultant
Wise men and fools.tony ridley.security risk management.consultantWise men and fools.tony ridley.security risk management.consultant
Wise men and fools.tony ridley.security risk management.consultant
 
Vicarious liability.tony ridley.security risk management.security consultant
Vicarious liability.tony ridley.security risk management.security consultantVicarious liability.tony ridley.security risk management.security consultant
Vicarious liability.tony ridley.security risk management.security consultant
 

Critical Infrastructure & Systems of National Significance: Security Risk Management Challenges for Managers and Industry

  • 1. All slides and material are commercial-in-confidence. © Insync Surveys Pty Ltd. All rights reserved 1 | insync.com.au/risk-compliance Critical Infrastructure & Systems of National Significance: Security Risk Management Challenges for Managers and Industry Tony Ridley MSc CSyP CAS MSyl M.ISRM
  • 2. Tony Ridley All slides and material are commercial-in-confidence. © Insync Surveys Pty Ltd. All rights reserved 2 | Enterprise Security Risk Management Tony Ridley MSc CSyP CAS MSyl M.ISRM Principal – Risk & Resilience Consulting Education, licenses and certifications • Master of Science (MSc) Security and Risk Management, University of Leicester • Doctor of Public Safety, Charles Sturt University (Currently Studying) • Chartered Security Professional (CSyP), Registered Charter of Security Professionals (UK) • Certified Anti-Terrorism Specialist (CATS), Anti-Terrorism Advisory Board (ATAB) • Lead Auditor, Integrated Management Systems: Quality, OHS, Environment and Management Systems • Security & Risk Management, - Diploma • Security Operations Management, Diploma • Assessment and Workplace Training, Certificate IV Professional Associations • Vetted Member (MSyl), The Security Institute • Business Continuity Institute (BCI) LinkedIn Profile Overview Tony has worked in executive-level enterprise security and operational risk & resilience roles worldwide. His extensive experience includes remote sites, national operations, multinational firms, and government agencies. As a criminologist, security and risk scientist, intelligence analyst and public safety professional, he is passionate about helping organisations build and maintain robust, risk-informed systems and decision-making processes leading to sustainable resilience. Tony helps clients build, review, and improve security, risk and resilience teams, supply chains and enterprise security risk management systems, using advanced academic methodologies, practical experience and applied scientific means.
  • 3. All slides and material are commercial-in-confidence. © Insync Surveys Pty Ltd. All rights reserved 3 | Also… www.riskdepartment.global www.linkedin.com/company/riskdepartment
  • 4. CLIENT LOGO Agenda - Context (UK, US , Aust) - Challenge - Considerations - Recommendations Young Professionals
  • 5. All slides and material are commercial-in-confidence. © Insync Surveys Pty Ltd. All rights reserved 5 | Critical Infrastructure & Systems of National Significance: Context, Growth, Complexity, Dependencies
  • 6. Security, Risk, Resilience & Maturity insync.com.au/risk-compliance Protective security is an enduring process, not a state. …the language of ‘maturity’ implies an ideal end state that does not exist. In reality, the risks keep moving and no security will stay ‘mature’ for long unless it too keeps moving. Reference: Martin, P. (2019) The Rules of Security: Staying Safe in a Risky World, Oxford University Press, p.22
  • 7. All slides and material are commercial-in-confidence. © Insync Surveys Pty Ltd. All rights reserved 7 | Security of Critical Infrastructure (Definitions) Rules (LIN 21/039) 2021 Reference: "As the threats and risks to Australia’s critical infrastructure evolve, so too must our approach to ensuring the ongoing security and resilience of these assets and the essential services they deliver." - (Department of Home Affairs, 2021) Definitions
  • 8. All slides and material are commercial-in-confidence. © Insync Surveys Pty Ltd. All rights reserved 8 |
  • 9. insync.com.au/risk-compliance Resilience, Risk & Resourcefulness “…although resilience appears at first sight as a systems theory, its main effect is to emphasize the need for adaptability at the unit level. ” Reference: Bergstrom, J. and Dekker, S. (2019). The 2010s and Onward: Resilience Engineering, in Dekker, S. (ed) Foundations of Safety Science; A century of understanding accidents and disasters. pp. 391-429
  • 10. All slides and material are commercial-in-confidence. © Insync Surveys Pty Ltd. All rights reserved 10 | Little, R. (2012) Managing the Risk of Ageing Infrastructure, IRGC - Public Sector Governance of Emerging Risks - Infrastructure Case - November 2012 Reference: Interdependence Between one or more assets and those that are/aren’t ‘critical’
  • 11. All slides and material are commercial-in-confidence. © Insync Surveys Pty Ltd. All rights reserved 11 | Liveable Infrastructure Australia (2021) Reforms to meet Australia’s future infrastructure needs, Australian Government Reference:
  • 12. All slides and material are commercial-in-confidence. © Insync Surveys Pty Ltd. All rights reserved 12 | https://www.cpni.gov.uk/protecting-your-assets Reference: Built Environment
  • 13. insync.com.au/risk-compliance Risk, Resilience & Resourcefulness “While risk and resilience are related, resilience has been favoured for unknown, unquantifiable, systemic risks. In other words, resilience is an “asset based” rather than “threat based” approach. ” Reference: Kekovic, Z. and Ninkovic, V. (2020). Towards a conceptualisation of resilience in security studies, Institute for Political Studies: Faculty of Security Studies, University of Belgrade.pp.153-173
  • 14. All slides and material are commercial-in-confidence. © Insync Surveys Pty Ltd. All rights reserved 14 | Crime Prevention Through Environmental Design (CPTED)
  • 15. All slides and material are commercial-in-confidence. © Insync Surveys Pty Ltd. All rights reserved 15 | Protection Defence In Depth
  • 16. All slides and material are commercial-in-confidence. © Insync Surveys Pty Ltd. All rights reserved 16 |
  • 17. insync.com.au/risk-compliance Resilience, Risk & Resourcefulness "Complex systems, though seemingly stable, are not in equilibrium. Rather, complex systems are constantly adapting to balance multiple goal conflicts. Such complex systems are inherently vulnerable to ' drifting toward failure as defences erode in the face of production pressure' ” Reference: Bergstrom, J. and Dekker, S. (2019). The 2010s and Onward: Resilience Engineering, in Dekker, S. (ed) Foundations of Safety Science; A century of understanding accidents and disasters. pp. 391-429
  • 18. All slides and material are commercial-in-confidence. © Insync Surveys Pty Ltd. All rights reserved 18 | Cascading Failure(s) Where are you? Reference: National recovery and resilience agency (2020) National emergency risk assessment guidelines, Australian Disaster Resilience Handbook Collection, 1st ed (updated) , Australian Institute for Disaster Resilience, Australian Government
  • 19. Risk Contexts, Considerations and Analysis insync.com.au/risk-compliance
  • 20. All slides and material are commercial-in-confidence. © Insync Surveys Pty Ltd. All rights reserved 20 |
  • 21. All slides and material are commercial-in-confidence. © Insync Surveys Pty Ltd. All rights reserved 21 |
  • 22. insync.com.au/risk-compliance Risk, Resilience & Resourcefulness “…recognition of resilience as an emergent property of complex adaptive systems. Resilience is both a function of planning for and preparing for future crisis (planned resilience), and adapting to chronic stresses and acute shocks (adaptive resilience). ” Reference: Kekovic, Z. and Ninkovic, V. (2020). Towards a conceptualisation of resilience in security studies, Institute for Political Studies: Faculty of Security Studies, University of Belgrade.pp.153-173
  • 23. COSO Enterprise Risk Management Framework. Risk – Frameworks influencing the Enterprise. Reference: https://www.csu.edu/internalaudit/documents/COSOEnterpriseRiskManagementFramework.pdf
  • 24. Principles, Framework and Process. Risk – Frameworks influencing the Enterprise. Reference: National Recovery and Resilience Agency (2020) National emergency risk assessment guidelines, Australian Disaster Resilience Handbook Collection, 1st ed (updated), Australian Institute for Disaster Resilience, Australian Government.
  • 25. Risk, Security & Resilience. “security is essentially preventive and proactive in nature, ... whereas resilience, is a combination of proactive and reactive measures aiming at reducing the impact but not at preventing threats as such” Reference: Fjäder, C. (2014). “The nation-state, national security and resilience in the age of globalization.” Resilience 2 (2), pp. 114–129.
  • 26. Convergence. Risk – Frameworks influencing the Enterprise. References: Homeland Security (2006). National Infrastructure Protection Plan: Risk Management Framework, Department of Homeland Security, US Government; Homeland Security (2013) Supplement Tool: Executing a Critical Infrastructure Risk Management Approach, Department of Homeland Security, US Government.
  • 27. Risk, Resilience & Vulnerabilities. “Risk and resilience are important paradigms for guiding decisions made under uncertainty, in particular decisions about how to protect systems from a portfolio of threats.” Reference: Kekovic, Z. and Ninkovic, V. (2020). Towards a conceptualisation of resilience in security studies, Institute for Political Studies: Faculty of Security Studies, University of Belgrade, pp. 153-173.
  • 29. Melbourne | Sydney | Gold Coast insync.com.au. Resilience, Risk & Resourcefulness. “Issues of how to constitute decision advice procedures, both of an ex-ante and ex-post kind, how to allocate blame and liability, how to organise affective regulatory structures, how to bring together different kinds of expertise into an affective policy debate, arise in different ways in all of these cases and go to the heart of the institutional aspects of risk management” Reference: The Royal Society (1992) Risk Analysis, Perception & Management. Report of the Royal Society Study Group, page 181.
  • 30. From security to resilience. Reference: Homeland Security (2013) National Infrastructure Protection Plan (NIPP): Partnering of critical infrastructure Security and Resilience, Department of Homeland Security, US Government.
  • 31. Security, Risk, Resilience & Human Factors. One of the main reasons why so many security systems remain vulnerable is that threat actors pay more attention to the psychology of their victim than do most security designers and practitioners. Reference: Martin, P. (2019) The Rules of Security: Staying Safe in a Risky World, Oxford University Press, p. 96.
  • 33. Security Contextual Layers
  • 34. Security, Risk, Resilience & Protection from Harm. Good protective security has nine distinguishing characteristics: it is risk-based, well governed, holistic, understandable, regularly tested, well measured, layered, designed-in, and dynamic. Reference: Martin, P. (2019) The Rules of Security: Staying Safe in a Risky World, Oxford University Press, p. 173.
  • 35. Essential
  • 36. Questions??
  • 38. But that’s not all… Learn more about what we think about the issues that matter most… You can learn more about what we think and how we contribute to various conversations that are relevant to you and your context through visiting the following links. As a small, focused organisation of around 50 people you can also be guaranteed that, by engaging with Insync, you are working with the thought leaders actively involved in leading the debate. Risk Management | Security Risk Management. A proven and pragmatic approach to better decision making in turbulent times | Insync; To make better decisions you need 6 things | Insync; So you think you are risk averse? | Insync; Defence-in-depth: myths, vulnerabilities and realities; Safety & security risks. Transition relationships; Risk landscapes & environments; Security risk assessments; Situational security: factor analysis; Operational security: a formulaic approach