Viewing entries tagged
#sia

Comment

Foundations & Fundamentals: The Importance of Critical Thinking in Risk Assessments

“Learn from yesterday, live for today, hope for tomorrow. The important thing is not to stop questioning.”

- Albert Einstein

In Part III of this series we examine Critical Thinking. So, how does one conduct a risk analysis and assessment in this environment? There are numerous ways in which to conduct this process and, depending on your situation, every way is done differently. Potentially, every one of these approaches could be correct. It simply depends. However, it has been my experience that nothing can be left to chance. The order of things has to follow a logical, detailed, and systematic process. A venerable and esteemed colleague of mine, Thomas Norman, in his book – “Risk Analysis and Security Countermeasures Selection,” said it best:

“Critical thinking is to thinking as economics is to money management. Critical thinking applies a scientific process to the act of thinking that helps result in far superior conclusions and helps the thinker to support his/her conclusions with rational and defendable arguments...

Critical thinking helps assure that personal weaknesses, prejudices, or personal agendas are not forwarded as part of the conclusions...

Critical thinking is important because it enables one to think about a problem more completely and to consider many factors that may not be intuitively apparent.”[1]


We exist in a knowledge-based culture. The more critical you think the better your knowledge. Critical Thinking equips you with skills to analyze and evaluate information so that you are able to obtain the greatest command of knowledge presented. It establishes the best foundation for making the correct decisions and minimizes risks if a mistake does occur.


Critical Thinking will lead to being a more rational and disciplined thinker. It will reduce your prejudice and bias and provide you with a better awareness of your environment. Critical Thinking will provide you the skills to evaluate, identify, and distinguish between relevant and irrelevant information.

The Importance of Critical Thinking

Critical Thinking:

  • Assures that conclusions are all relevant to the issue under consideration.

  • Helps the thinker reach conclusions that are true to the purpose of consideration of the issue.

  • Helps assure that relevant theories, definitions, axioms, laws, principles, or models underlying the issue are considered in their proper context.

  • Reduces the likelihood of personal biases, prejudices, self-deception, distortion, misinformation, and so on being injected into the conclusion process.

  • Assures that all relevant stakeholders’ points of view are considered, including their concerns, goals, objectives, and intended outcomes.

  • Considers all relevant evidence and excludes irrelevant evidence, including relevant and irrelevant data and experiences.

  • Clarifies for the thinker what assumptions are being taken for granted and considers the relevance of those assumptions to the issue at hand.

  • Considers the implications and possible consequences of various possible recommended courses of action.

  • Helps the thinker infer conclusions from the evidence in the light of all other considerations listed above.

Elements of Thought



Elements of Thought.png

Point of view is unquestionably “the origin” from which you observe something. It involves perspective and outlook. It is necessary to comprehend your limits and take into consideration other relevant viewpoints. Next is your purpose that defines your objectives, direction, and what your trying to accomplish. This leads to what the exact issue at hand is leading into what information, data, facts, and observations you will need to uncover to fully give substance to your thoughts. The succeeding three steps stem from that data gathering and influence the necessary interpretation, applicable laws and principles and, eventually, assumptions that need to be considered. Ultimately this causes certain implications and consequences - essentially, thinking through scenarios before acting upon the information you have.

[1]Norman, Thomas L. Risk Analysis and Security Countermeasure Selection, Second Edition, p. 71. CRC Press.


Critical Thinking Principles.png

The whole point is to be thorough, accurate, systematic, and methodical when reviewing and looking over risks that affect projects that are being worked on or the business itself.

Comment

Comment

The Value of Security Risk Assessments

In many organizations there is often a pattern of behavior that if nothing goes wrong, or at least has not occurred for a long period of time, there really is no need for improvements in security or identification of those respective risks. Obviously, this is not a good pattern to follow. The value of conducting continual risk assessments is critical because of the ever-changing environment that organizations encounter.

Every organization and its respective departments have varying risks. These risks influence how the they achieve their objectives and goals, thereby affecting profitability and value of the organization. While many organizations may dedicate an enormous amount of time to identifying the risks that could impact business, it is important to measure and prioritize risks so that the organization can respond to any given situation appropriately, efficiently, and effectively ensuring the least amount of operational loss.

Comprehensive Risk, Threat, and Vulnerability Assessments (RTVA) offer an organized and systematic approach to assessing risks of the organization. Providing an informed decision-making baseline to determine a particular course of action is the main focus. This "all-hazards" approach provides the analytical framework for risk management. An RTVA should identify key assets that need to be protected and determine how critical each asset is to the business and its operation. Practitioners in our profession associate doing an RTVA with concentration in only one segment of the overall process. For example, security practitioners may focus on the electronic aspects of physical security instead of understanding the overall security program viewpoint respective to that of the corporate risk strategy.

Comprehensive RTVAs involve not only physical, informational, and operational security understanding but how these aspects affect the individual business unit. One way to solicit this information is to have each unit conduct a business impact analysis. The importance of this key aspect of information gathering is to identify departmental risks, their respective value, and how they affect the overall aspect of how an organization achieves its strategic objectives. In this day and age risks are always changing and dynamic. Therefore, it is necessary for organizations to re-evaluate and monitor on an ongoing basis those potential risks that affect them.

The information age and the 24-hour news cycle make it imperative for organizations to track the rate at which risks change. For instance, some organizations utilize near real-time monitoring capabilities for varying conditions using artificial intelligence and deep learning, big data mining, text analytics and data visualization techniques. These Intelligent Control Centers analyze and disseminate actionable information to decision makers in order to establish a comprehensive risk, threat and vulnerability assessment.

So, what can RTVAs offer, what is their significance and what can the organization take away?

They can:

  • Reduce Long-Term Costs

  • If completed by Knowledgeable Experts, Improve Future operations and achievement of strategic objectives.

  • Break Down Barriers

  • Provide Important Self Analysis

  • Facilitate Communication

  • Help You Avoid Breaches

Comment