This information and discussion presentation offers a first step in unpacking and understanding the changes, requirements and demands of security and risk management practices and processes within critical infrastructure and systems of national significance. It also explores the technical and professional nuances of security management and risk management, and how inadequately they are defined or communicated in legislation and practice. This poses the greatest question for governments, operators and security/risk practitioners: security for whom, when, how, to what standard and in what context? It also raises a further question: if ‘risk’ management was inadequate and unable to self-regulate or evolve to face evolving and changing threats, what has actually changed? In short, changing laws, rules and expectations fails to raise the bar of security and risk management practice without a commensurate increase in the underlying information, knowledge, education and experience of security and risk representatives. This deficit will not be corrected or rectified overnight, and the resulting ‘gap’ is likely to remain evident for years after the new threat and legislation arrive. For now, the current individual and collective risk profile is likely one of fragility and vulnerability, not resilience, with the greatest liability being humans, not infrastructure.
Security, Risk, Resilience & Maturity
insync.com.au/risk-compliance
Protective security is an enduring process, not a state.
…the language of ‘maturity’ implies an ideal end state that does not exist. In reality, the risks keep moving and no security will stay ‘mature’ for long unless it too keeps moving.
Reference: Martin, P. (2019). The Rules of Security: Staying Safe in a Risky World, Oxford University Press, p. 22.
Resilience, Risk & Resourcefulness
“…although resilience appears at first sight as a systems theory, its main effect is to emphasize the need for adaptability at the unit level.”
Reference: Bergstrom, J. and Dekker, S. (2019). The 2010s and Onward: Resilience Engineering, in Dekker, S. (ed.) Foundations of Safety Science: A Century of Understanding Accidents and Disasters, pp. 391-429.
Risk, Resilience & Resourcefulness
“While risk and resilience are related, resilience has been favoured for unknown, unquantifiable, systemic risks. In other words, resilience is an “asset based” rather than “threat based” approach.”
Reference: Kekovic, Z. and Ninkovic, V. (2020). Towards a conceptualisation of resilience in security studies, Institute for Political Studies: Faculty of Security Studies, University of Belgrade, pp. 153-173.
Resilience, Risk & Resourcefulness
“Complex systems, though seemingly stable, are not in equilibrium. Rather, complex systems are constantly adapting to balance multiple goal conflicts. Such complex systems are inherently vulnerable to ‘drifting toward failure as defences erode in the face of production pressure’.”
Reference: Bergstrom, J. and Dekker, S. (2019). The 2010s and Onward: Resilience Engineering, in Dekker, S. (ed.) Foundations of Safety Science: A Century of Understanding Accidents and Disasters, pp. 391-429.
Risk, Resilience & Resourcefulness
“…recognition of resilience as an emergent property of complex adaptive systems. Resilience is both a function of planning for and preparing for future crisis (planned resilience), and adapting to chronic stresses and acute shocks (adaptive resilience).”
Reference: Kekovic, Z. and Ninkovic, V. (2020). Towards a conceptualisation of resilience in security studies, Institute for Political Studies: Faculty of Security Studies, University of Belgrade, pp. 153-173.
Risk, Security & Resilience
“security is essentially preventive and proactive in nature, ... whereas resilience, is a combination of proactive and reactive measures aiming at reducing the impact but not at preventing threats as such”
Reference: Fjäder, C. (2014). “The nation-state, national security and resilience in the age of globalization.” Resilience 2(2), pp. 114–129.
Risk, Resilience & Vulnerabilities
“Risk and resilience are important paradigms for guiding decisions made under uncertainty, in particular decisions about how to protect systems from a portfolio of threats.”
Reference: Kekovic, Z. and Ninkovic, V. (2020). Towards a conceptualisation of resilience in security studies, Institute for Political Studies: Faculty of Security Studies, University of Belgrade, pp. 153-173.
Resilience, Risk & Resourcefulness
“Issues of how to constitute decision advice procedures, both of an ex-ante and ex-post kind, how to allocate blame and liability, how to organise effective regulatory structures, how to bring together different kinds of expertise into an effective policy debate, arise in different ways in all of these cases and go to the heart of the institutional aspects of risk management”
Reference: The Royal Society (1992). Risk Analysis, Perception & Management. Report of the Royal Society Study Group, p. 181.
Security, Risk, Resilience & Human Factors
One of the main reasons why so many security systems remain vulnerable is that threat actors pay more attention to the psychology of their victim than do most security designers and practitioners.
Reference: Martin, P. (2019). The Rules of Security: Staying Safe in a Risky World, Oxford University Press, p. 96.
Security, Risk, Resilience & Protection from Harm
Good protective security has nine distinguishing characteristics: it is risk-based, well governed, holistic, understandable, regularly tested, well measured, layered, designed-in, and dynamic.
Reference: Martin, P. (2019). The Rules of Security: Staying Safe in a Risky World, Oxford University Press, p. 173.