CH.5


Which protocol helps the whole community understand its risks and can be used to estimate capability requirements by matching risks to core capabilities?

Threat and Hazard Identification and Risk Assessment (THIRA) protocol

Clear product superiority

- Appearance - Comfort - Features - Ride and handling performance

FEMA identified several steps to optimal risk reduction strategies:

- Identify potential losses - Quantify losses - Identify risk reduction strategies - Select and implement strategies

Risk management activities can be categorized in the following ways:

- Identify, deter, detect, disrupt, and prepare for threats and hazards. - Reduce vulnerabilities. - Mitigate consequences

Low cost of ownership

- Initial price - Fuel consumption - Reliability - Serviceability

Hollow laws? Laws do exist, but

- Numerous loopholes, flaws, omissions, vagueness - Behaviors not termed criminal

Ford Motor co. Pinto objectives:

1. "green book" objectives 2. True subcompact 3. Low cost of ownership 4. Clear product superiority

There are five different types of risk that security managers need to assess:

1. Dynamic 2. Static 3. Inherent 4. Speculative 5. Pure

Risk management program involves 4 basic steps:

1. Identification of risks through the analysis of threats and vulnerabilities. 2. Analysis and study of risks, which includes the probability and severity of an event. 3. Optimization of risk management alternatives by use of risk avoidance, reduction, spreading, or transfer. 4. Ongoing study of security programs.

The THIRA process involves four basic steps:

1. Identify threats and hazards of concern 2. Give the threats and hazards context 3. Establish capability targets 4. Apply the results

Three goals for every incident:

1. Life safety 2. Incident stabilization 3. Property conservation

Uncertainties of risk management:

1. Risk is a statement of uncertainty 2. Risk selection 3. False positives and false negatives 4. Technological failures 5. Reactive risks 6. Normal accidents 7. The risk management of everything 8. Displacement to organizational risks 9. Too much precaution 10. Costs more than benefits

Risk management process answers the following questions:

1. What can be done? 2. What options are available? 3. What are the associated trade-offs in terms of costs, benefits, and risks? 4. What are the impacts of current management decisions on future options?

risk management cycle includes:

1. Identification: identify threats. 2. Risk assessment: assess the risks to the organization and its assets in terms of the likelihood and impact of envisioned threats. 3. Implementation: identify and implement security measures to reduce the assessed risks to an acceptable level. 4. Evaluation: assess the effectiveness of countermeasures and identify the corrective action necessary.

4 lures in risk management

1. Positivity 2. Noncommitment 3. Powerlessness 4. The measurable

A risk assessment attempts to answer three question:

1. What can go wrong? 2. What is the likelihood that it would go wrong? 3. What are the consequences?

internal risks

Affect the individual and include egotism, ambition, resistance to change and pessimism, lack of checks and balances, tunnel vision, corporate crime, and lack of innovation or short-term thinking. Could also be seen as management failure or mismanagement.

The lure of the measurable

All too often, risk management depends on what can be counted and quantified, and does not consider qualitative measures such as a company's image.

the risk management of everything

Belief that more will work where less has not

Human Factors

Both human error and failure

Displacement to organizational risks

Demand for governance of the unknowable creates a culture of "defendable compliance" and "responsibility aversion" (too much carefulness won't take you anywhere; you have to take risks). - Elaboration of rule making - Collect data on everything

False negative

Failing to identify the source of actual harm, and therefore failing to act to reduce the harm.

According to Heckman, the Codex Alimentarius Commission (Codex) was created by _____ risks related to Food Standards.

Food and Agriculture Organization of the United Nations (FAO) and the World Health Organization (WHO)

Mechanical factor

From machinery or equipment

risk assessment

Helps identify potential hazards and analyze possible outcomes if a hazard occurs. When conducting one, security professionals identify vulnerabilities or weaknesses that would make an asset more susceptible to damage, determine the probability of security risks actually happening, determine the impact and consequences of such an occurrence, and prioritize the risk factors so they can be dealt with effectively.

The lure of positivity

If they call attention to risks, managers may undermine stakeholders' confidence in their ability to deliver. The lure of positivity causes discussion of risk responses to become suppressed or deemphasized.

According to Heckman, why is the theory behind the call for what is designated the "Precautionary Principle" reasonable?

It appeals to common sense to try to prevent harm, rather than to repair damage already caused.

The deterrent of powerlessness

Managers may perceive that identifying a risk gives the impression of having too little control. Managers tend to believe that they lack the resources necessary to respond to the risk.

The lure of noncommitment

Managers may tend to defer commitments as long as possible, in some cases deferring action until a risk actually materializes. They may act as if risk is fiction until it materializes.

Who regulates car safety?

National Highway Traffic Safety Administration (NHTSA); its report was based on four years of research on auto fires.

too much precaution

Overestimation of low-frequency, high-severity events (hurricanes) and of high-frequency, low-severity events (road accidents).

Technological failures

Pharmaceutical companies produce medicines to manage health risks, but in the end also produce drugs with side effects and new risks; we create things to solve problems that may in turn cause further problems.

Costs more than benefits

Post-9/11 management of risk: invasion of privacy, restriction of liberty, more incarceration, consumption of scarce resources, etc.

Institutional Risks

Risk associated with an organization's ability to develop and maintain effective management practices, control systems, and flexibility and adaptability to meet organizational requirements

Risk Selection

Risk portfolios are often created, and their creation is grounded in cultural, social, economic, and political processes. Which is more risky? This is fundamental to why we think some things are more risky than others.

strategic risks

Risk that affects an organization's vital interests or execution of a chosen strategy, whether imposed by external threats or arising from flawed or poorly implemented strategy

Operational Risks

Risk that has the potential to impede the successful execution of operations with existing resources, capabilities, and strategies.

External risk

Risk to an organization that is based on factors external to the organization. Includes trends on a global, political, or societal scale, the effects of extreme weather, acts of terrorism, cyberthreats, pandemics, and human-made accidents or technical failures.

Reactive risks

Simultaneous risk management, e.g., defensive driving; some people are constantly monitoring.

procedural factors

Some risk is caused by the use of specific procedures or routines

Risk is a statement of uncertainty

Terrorists are in the business of uncertainty, playing on randomness and creating fear and intimidation.

Which organization provides the Threat and Hazard Identification and Risk Assessment protocol?

The U.S. Federal Emergency Management Agency (FEMA)

risk

The measure of the probability (or potential) and severity of adverse effects; characterizes the likelihood of an unfavorable outcome or event occurring. - Maximize freedom of action to take risks while reducing freedom's harmful consequences.

What according to Heckman is Risk Management?

The process of deciding what should be done to minimize a risk or hazard; a policy-making tool that takes into account the scientific assessment and quantification of the risk potential while considering feasible alternatives and appropriate policy and regulatory responses.

Speculative risks

These affect the organization when new activities or programs are initiated

Inherent risks

These are associated with the particular product, location, or industry and cannot be avoided.

Pure risks

These include natural disasters and criminal or terrorist acts.

Dynamic risks

These may change under certain conditions, including weather, time, or location.

Static risks

These usually remain constant regardless of their environment, such as laws, standards, and regulations.

"green book" objectives

A thick, top-secret manual: a step-by-step production plan detailing the metallurgy, weight, strength, and quality of every part in the car.

Why does enforcement fail in dealing with corporate illegalities?

Two red herrings: - Myth that corporate illegality is not violent (unlike street criminals, corporations do bad things but "don't kill you or rape you"; it is "not that serious"). - The public is less concerned with corporate illegality (it hardly comes to the public's attention; corporate crime did not become an area of study until the 1940s, and even then it did not take off).

Key principles for effective risk management:

- Unity of effort - Transparency - Adaptability - Practicality - Customization

While Heckman advances support for the Precautionary Principle, he sardonically observes that it calls for precautionary measures to be taken even in the absence of scientifically established cause-and-effect relationships. If taken literally, we can end up ____

With a policy that would allow for an attempt to ban water; no new development can survive the impossible burden of proving no potential for harm.

False positive

Wrongly identifying the source of harm, and therefore acting in ways that fail to reduce the actual harm.

Normal accidents

A consequence of the interactive complexity and tight coupling of system components.

March 13, 1990

A jury acquitted Ford of charges of failing to warn about, or offer to repair, fuel system defects in the Pinto before the day the three women were fatally burned.

Incident

Actions and directions taken after an incident has occurred in order to manage the incident and bring it under control.

Post-incident

Actions taken to minimize the impact of an incident on overall business objectives until a full recovery can take place.

Crisis

An event or series of events that causes a disruption of normal operating procedures and has resulted, or is substantially likely to result, in a negative consequence.

What according to Heckman is a major challenge for policy makers?

communicating risks to the public

What is an increasing risk to critical infrastructure?

cyber risks

Indiana case killing three young women

The first time an American corporation was prosecuted on criminal homicide (reckless homicide) charges for a defective product.

Personal advantage of privilege

Lighter sentences, and the ability to pay for competent legal teams.

Paucity of resources:

No funds; personnel underpaid (very few resources).

Pre-incident

Preparations and training before an incident occurs; the time when things are going well.

True Subcompact

Size and weight.

How does the U.S. Department of Homeland Security (DHS) define risk?

The potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences.
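The following is an added worked example, not part of the study set and not FEMA or DHS material. It turns the definitions above into a small risk register: risk is ranked by likelihood and consequence (the DHS framing), losses are quantified, candidate strategies from the four treatment options (avoidance, reduction, spreading, transfer) are costed, and the cheapest combination of control cost plus residual expected loss is selected, with "accept" winning when every control costs more than the loss it prevents (the "costs more than benefits" and "too much precaution" uncertainties). The 1-to-5 scales, the annual probabilities behind each likelihood band, and every asset, threat and dollar figure are constructed assumptions.

```python
"""Risk register: score, prioritise, and pick a treatment.

Added example, not taken from the study set or from FEMA/DHS material.
Every scale, probability, asset and dollar figure below is constructed.
"""
from dataclasses import dataclass, field

# Assumed 1..5 ordinal scales; the study set prescribes no specific scale.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
# Assumed annual probability behind each likelihood band (constructed calibration).
ANNUAL_PROB = {"rare": 0.02, "unlikely": 0.10, "possible": 0.30, "likely": 0.60, "almost certain": 0.90}
# The four treatment options named in the study set.
TREATMENTS = {"avoidance", "reduction", "spreading", "transfer"}


@dataclass
class Strategy:
    name: str
    kind: str                 # one of TREATMENTS
    annual_cost: float        # what the control costs to run each year
    likelihood: str           # likelihood band once the control is in place
    loss_if_realized: float   # loss per event once the control is in place

    def __post_init__(self):
        if self.kind not in TREATMENTS:
            raise ValueError(f"unknown treatment kind {self.kind!r}")


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: str
    consequence: str
    loss_if_realized: float
    strategies: list = field(default_factory=list)

    def score(self) -> int:
        """Ordinal likelihood x consequence, used only for ranking."""
        return LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence]

    def band(self) -> str:
        s = self.score()
        return "high" if s >= 12 else "medium" if s >= 6 else "low"

    def expected_annual_loss(self) -> float:
        return expected_annual_loss(self.likelihood, self.loss_if_realized)


def expected_annual_loss(likelihood: str, loss: float) -> float:
    """Quantify the loss: annual probability of the event times loss per event."""
    return ANNUAL_PROB[likelihood] * loss


def prioritize(register: list) -> list:
    """Highest ordinal score first; ties broken by expected annual loss."""
    return sorted(register, key=lambda r: (r.score(), r.expected_annual_loss()), reverse=True)


def choose_treatment(risk: Risk) -> tuple:
    """Pick the option with the lowest (control cost + residual expected loss).

    'accept' is the baseline: a control that costs more than the loss it
    prevents is rejected, which is the 'costs more than benefits' caveat.
    """
    best_name, best_total = "accept", risk.expected_annual_loss()
    for s in risk.strategies:
        total = s.annual_cost + expected_annual_loss(s.likelihood, s.loss_if_realized)
        if total < best_total:
            best_name, best_total = s.name, total
    return best_name, best_total


def sample_register() -> list:
    """Constructed register; not real data."""
    return [
        Risk("internet-facing app server", "exploitation of an unpatched service",
             "likely", "major", 400_000.0, [
                 Strategy("patch within 14 days", "reduction", 30_000.0, "unlikely", 400_000.0),
                 Strategy("cyber insurance", "transfer", 50_000.0, "likely", 100_000.0),
             ]),
        Risk("warehouse", "river flood", "rare", "severe", 2_000_000.0, [
            Strategy("relocate warehouse", "avoidance", 300_000.0, "rare", 0.0),
            Strategy("flood barriers", "reduction", 60_000.0, "rare", 500_000.0),
        ]),
        Risk("office", "petty theft", "almost certain", "negligible", 2_000.0, [
            Strategy("CCTV and access badges", "reduction", 5_000.0, "possible", 2_000.0),
        ]),
    ]


if __name__ == "__main__":
    for r in prioritize(sample_register()):
        name, total = choose_treatment(r)
        print(f"{r.band():6} {r.score():2}  {r.threat:40} -> {name} (cost+residual {total:,.0f}/yr)")
```

Note what the two views disagree on: the ordinal matrix scores the rare-but-severe flood and the constant petty theft identically (both 5), and only the quantified expected loss separates them; for both, every proposed control costs more per year than the loss it removes, so the register recommends accepting them rather than over-investing in precaution.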

risk management

The process used to plan for continuing operations after a loss or other incident.

How soon was the ford pinto rushed into production compared to other cars?

It took 25 months; a new car usually takes 43 months.

2000/2000 rule

Weigh less than 2,000 lbs and cost less than $2,000.

minor incident

- An event or series of events that causes a disruption of normal operating procedures - The potential negative consequences are manageable, temporary, and not severe

Incident management plans (IMPS)

- Are used when an incident is actually occurring that is of a size and scope that requires managing - Provide structure to the people managing the incident and provide checklists of items that generally need to be accomplished during specific incidents

Business Continuity plans (BCPs)

- Are used when the incident is stabilized and decisions need to be made on how to keep the organization functioning while work is done to get back to normal operations - Contain pre-populated recovery strategies and the information necessary to make informed decisions - The information they contain can be used to develop interim recovery guidelines and procedures for operating between the "time of disaster" and the recovery back to "normal operations" - At this stage, it doesn't matter what happened; the key is getting back to operational as soon as possible

Disaster Recovery

- The process, policies, and procedures related to preparing for the recovery or continuation of the technology infrastructure that is vital to an organization - The ability of the site to operate its critical functions if technology is lost - The process in place to recover the lost technology

General security

- Practices that should be implemented at all sites to educate employees about what their roles and responsibilities are before and during an incident - Include instruction on what employees are expected to do during a fire, severe weather, a bomb threat, an active shooter, protestors, and so on

