Comment

Foundations & Fundamentals: The Importance of Critical Thinking in Risk Assessments

“Learn from yesterday, live for today, hope for tomorrow. The important thing is not to stop questioning.”

- Albert Einstein

In Part III of this series we examine Critical Thinking. So, how does one conduct a risk analysis and assessment in this environment? There are numerous ways in which to conduct this process and, depending on your situation, every way is done differently. Potentially, every one of these approaches could be correct. It simply depends. However, it has been my experience that nothing can be left to chance. The order of things has to follow a logical, detailed, and systematic process. A venerable and esteemed colleague of mine, Thomas Norman, in his book – “Risk Analysis and Security Countermeasures Selection,” said it best:

“Critical thinking is to thinking as economics is to money management. Critical thinking applies a scientific process to the act of thinking that helps result in far superior conclusions and helps the thinker to support his/her conclusions with rational and defendable arguments...

Critical thinking helps assure that personal weaknesses, prejudices, or personal agendas are not forwarded as part of the conclusions...

Critical thinking is important because it enables one to think about a problem more completely and to consider many factors that may not be intuitively apparent.”[1]


We exist in a knowledge-based culture. The more critical you think the better your knowledge. Critical Thinking equips you with skills to analyze and evaluate information so that you are able to obtain the greatest command of knowledge presented. It establishes the best foundation for making the correct decisions and minimizes risks if a mistake does occur.


Critical Thinking will lead to being a more rational and disciplined thinker. It will reduce your prejudice and bias and provide you with a better awareness of your environment. Critical Thinking will provide you the skills to evaluate, identify, and distinguish between relevant and irrelevant information.

The Importance of Critical Thinking

Critical Thinking:

  • Assures that conclusions are all relevant to the issue under consideration.

  • Helps the thinker reach conclusions that are true to the purpose of consideration of the issue.

  • Helps assure that relevant theories, definitions, axioms, laws, principles, or models underlying the issue are considered in their proper context.

  • Reduces the likelihood of personal biases, prejudices, self-deception, distortion, misinformation, and so on being injected into the conclusion process.

  • Assures that all relevant stakeholders’ points of view are considered, including their concerns, goals, objectives, and intended outcomes.

  • Considers all relevant evidence and excludes irrelevant evidence, including relevant and irrelevant data and experiences.

  • Clarifies for the thinker what assumptions are being taken for granted and considers the relevance of those assumptions to the issue at hand.

  • Considers the implications and possible consequences of various possible recommended courses of action.

  • Helps the thinker infer conclusions from the evidence in the light of all other considerations listed above.

Elements of Thought



Elements of Thought.png

Point of view is unquestionably “the origin” from which you observe something. It involves perspective and outlook. It is necessary to comprehend your limits and take into consideration other relevant viewpoints. Next is your purpose that defines your objectives, direction, and what your trying to accomplish. This leads to what the exact issue at hand is leading into what information, data, facts, and observations you will need to uncover to fully give substance to your thoughts. The succeeding three steps stem from that data gathering and influence the necessary interpretation, applicable laws and principles and, eventually, assumptions that need to be considered. Ultimately this causes certain implications and consequences - essentially, thinking through scenarios before acting upon the information you have.

[1]Norman, Thomas L. Risk Analysis and Security Countermeasure Selection, Second Edition, p. 71. CRC Press.


Critical Thinking Principles.png

The whole point is to be thorough, accurate, systematic, and methodical when reviewing and looking over risks that affect projects that are being worked on or the business itself.

Comment

Comment

The Value of Security Risk Assessments

In many organizations there is often a pattern of behavior that if nothing goes wrong, or at least has not occurred for a long period of time, there really is no need for improvements in security or identification of those respective risks. Obviously, this is not a good pattern to follow. The value of conducting continual risk assessments is critical because of the ever-changing environment that organizations encounter.

Every organization and its respective departments have varying risks. These risks influence how the they achieve their objectives and goals, thereby affecting profitability and value of the organization. While many organizations may dedicate an enormous amount of time to identifying the risks that could impact business, it is important to measure and prioritize risks so that the organization can respond to any given situation appropriately, efficiently, and effectively ensuring the least amount of operational loss.

Comprehensive Risk, Threat, and Vulnerability Assessments (RTVA) offer an organized and systematic approach to assessing risks of the organization. Providing an informed decision-making baseline to determine a particular course of action is the main focus. This "all-hazards" approach provides the analytical framework for risk management. An RTVA should identify key assets that need to be protected and determine how critical each asset is to the business and its operation. Practitioners in our profession associate doing an RTVA with concentration in only one segment of the overall process. For example, security practitioners may focus on the electronic aspects of physical security instead of understanding the overall security program viewpoint respective to that of the corporate risk strategy.

Comprehensive RTVAs involve not only physical, informational, and operational security understanding but how these aspects affect the individual business unit. One way to solicit this information is to have each unit conduct a business impact analysis. The importance of this key aspect of information gathering is to identify departmental risks, their respective value, and how they affect the overall aspect of how an organization achieves its strategic objectives. In this day and age risks are always changing and dynamic. Therefore, it is necessary for organizations to re-evaluate and monitor on an ongoing basis those potential risks that affect them.

The information age and the 24-hour news cycle make it imperative for organizations to track the rate at which risks change. For instance, some organizations utilize near real-time monitoring capabilities for varying conditions using artificial intelligence and deep learning, big data mining, text analytics and data visualization techniques. These Intelligent Control Centers analyze and disseminate actionable information to decision makers in order to establish a comprehensive risk, threat and vulnerability assessment.

So, what can RTVAs offer, what is their significance and what can the organization take away?

They can:

  • Reduce Long-Term Costs

  • If completed by Knowledgeable Experts, Improve Future operations and achievement of strategic objectives.

  • Break Down Barriers

  • Provide Important Self Analysis

  • Facilitate Communication

  • Help You Avoid Breaches

Comment

Comment

Foundations & Fundamentals: Basis for Proper Planning

"Hackers target financial institutions because that’s where the money is, and they target retail chains because that’s where people spend the money. Hotels might be a less obvious target, but they’re hacked almost as often because of the valuable data that passes through them, like credit cards and trade secrets. Thieves have targeted electronic door locks to burgle rooms and used malware attacks to log credit card swipes in real time. They’ve even used Wi-Fi to hijack hotels’ internal networks in search of corporate data. Just about all of the industry’s major players have reported breaches, including Hilton Worldwide Holdings, Intercontinental Hotel Group, and Hyatt Hotels."

51fd6d40-2abd-4a58-9e24-7ac72fd4fbde.png

Headlines, incidents, and occurrences like this are becoming too prevalent in and amongst our organizations and institutions. It is with this backdrop and what has occurred to date that we must endeavor to be more vigilant and knowledgeable about the foundations and fundamentals of security awareness and assessment. It is an essential preamble to: “Back to Basics.” Therefore, understanding the definition of risk and the process of a thorough and comprehensive risk analysis and assessment is indispensable for developing the foundation of a security master plan or comprehensive blueprint for any level of educational institution, organization, or corporate entity. In many instances our institutions have neglected this aspect due to many compromising variables – budgetary, regulations, compliance, quick fixes, policy & procedures, etc.

What is emblematic in every one of these instances is the lack of focus on risk analysis and assessment. It is the disregard and neglect in being aware of our surroundings and comprehending the operational aspects of any organization. These crucial aspects set into motion the necessity to establish a thorough risk analysis and assessment process that can be the basis for proper security master planning and will ultimately assist in the development of subsequent and critical plans – Communication, Crisis Management, Active Shooter Training, a Workplace Violence Plan, etc.

What is tantamount is, therefore, an understanding and awareness of the environment in which these organizations reside. Considering that the people, property, proprietary information, business reputation, and infrastructure are the life-blood of our institutions, it is critically important that this understanding of risk, the process of risk analysis and assessment, and the eventual planning are done meticulously. It goes to the very essence of not only protecting our greatest assets, but also to our culture’s future.

THIS IS A FIRST IN A SERIES ON RISK ASSESSMENT.

Comment

Comment

Trends in International Security & Organizations Operating in MENA

A few days ago, I had the distinct pleasure of being part of a panel discussion sponsored by Concur that focused on trends in international security and organizations dealing with threats in the Middle East and North Africa.  I thought it would be beneficial to pass along some of the exchange.  

Using the studies put out by the World Economic Forum, National Intelligence Council, and the Atlantic Council, they gave the baseline as well as great perspective when viewing current risk and developing strategies to risks and threats for corporations moving forward on risk strategies.

Strategically, we would be seeing Increased Cyber Attacks, Extreme Weather events and climate change, Water and Fiscal Crisis, Unemployment/Underemployment, Political & Social Instability as well as a Global Governance Failure.  Organizations would need to focus on how they would adapt to the reality of a shifting climate and breakneck technological innovation.

Further awareness needed to be paid to the dominance of the West in international affairs will fade and global power will become more evenly distributed between the West and the rising powers in Asia.  As society and the distribution of global power changes, the challenges to defense and security will increase.

Panel Question:  Given that you manage risk for organizations, what are the most important points you address in developing comprehensive risk, vulnerability and threat assessments?  What sources do you use for creating assessments?  What are absolute priorities?

Reply:  You need to examine the entire landscape of your organization's reach as well as its position within the market.  Critically important is understanding of the corporate Risk Management strategy.  That will play into how risk is defined and ultimately how risk assessments are performed.  A Comprehensive Risk Assessment is designed to consider the organization’s vision, mission, values, and culture, as well as strategic and tactical objectives.  It may consider an organization's broader objectives and activities or some specific goals and objectives but in all cases it assesses what can affect the achievement of these both positively or negatively.

I use a customized tool that can be used on a tablet.  I created in conjunction with a technology firm that makes the risk assessment completely digital and in real-time.  We are in current stages of refining the criticality piece that will be the first of its kind in the industry.  Other sources for laying best practices is looking to the standards developed and modifying other assessment tools utilized in various industries that I have been involved.  What is an absolute is having a logical, structured and consistent approach to assessing risk.

Panel Question:  We’ve heard a lot about social media and the potential for reputation risk and image damage for organizations. How do you monitor and address reputation risk created by social media?

Reply:  It boils down to having a reputational management strategy prior to even getting to the point of dealing with Social Media.  Social Media only exacerbates the issues of how you handle any given incident or crisis.  The main point to embrace social media and see how it can benefit the company as well as monitor the pitfalls.  Having a good policy around the social media aspect internally is equally necessary.  

Particularly, you should be paying close attention to the following four points:

  • Overcoming direct challenges from influential activist and political forces
  • Managing corporate scandals, including executive compensation
  • Use external, seemingly unrelated events to boost reputation
  • Build a reputation management process into everyday operations    

Panel Discussion:  How do your clients deal with the threat of Jihad in countries in which they operate? 

Reply:  I try to educate and advise clients on what Jihadism means to them personally and to their company.  Take for example the term "Jihadist Globalism." It is often used in relation to Jihadism as well as  Jihad Cool,  a term used by Western security experts concerning the re-branding of militant Jihadism into something fashionable, or "cool", to younger people through social media, magazines, rap videos, etc. and other means. It is a sub-culture mainly applied to individuals in developed nations who are recruited to travel to conflict zones on Jihad.

It simply goes back to a structured but flexible travel risk management strategy and plan developed on travel habits of the corporation as well as ensuring employees are situationally aware of their environment.

Comment