
Taxonomy of Counter Intelligence Threats and Risk Based on ISO31000 - Coursework Example

Summary
The paper "Taxonomy of Counter Intelligence Threats and Risk-Based on ISO31000" tells us about counterintelligence. Counterintelligence is a set of activities involved in the acquisition of information to prevent espionage activities by foreign powers or influences (Hastedt, 2003)…

Extract of sample "Taxonomy of Counter Intelligence Threats and Risk Based on ISO31000"

Taxonomy of counterintelligence threats and risk based on ISO31000

Table of Contents

Introduction
Definition of Risks
Risk management in law enforcement agencies
Taxonomy at counterintelligence layer
Taxonomy of Risks and Threats
Category 1
Managing Category 1 risks
Category 2
Managing category 2 risks
Category 3
Managing category 3 risks
Conclusion
Reference List

Introduction

Counterintelligence is a set of activities involved in the acquisition of information to prevent espionage activities by foreign powers or influences (Hastedt, 2003). Leggit et al. (2011) expanded on the definition, describing counterintelligence as consisting of security procedures and strategies aimed at neutralising attempts by foreign powers to acquire sensitive and protected information. Drawing on these definitions, effective counterintelligence operations have the potential to create seamless and incessant feedback loops, while failure may be catastrophic to both the counterintelligence agency and national security. Prunckun (2012) argues that the purpose of counterintelligence is to support intelligence functions and the formulation of sound security measures. Woods and King (2008) offer a parallel view by showing that without counterintelligence, classified intelligence would be open to espionage by adversaries.

As argued by Kahan et al. (2010), the concept of risk management presents the foundation of law enforcement counterintelligence strategies. Risk management is a critical component of the internal security enterprise, although it is considerably fragmented and poorly coordinated among the law enforcement agencies (Jackson, 2011; Hrebiniak, 2008). In fact, the fragmentation and the deficient coordination are inconsistent with the strategic approach to managing various risks proposed by the International Organisation for Standardisation (ISO). Globally, risk analysis is the subject of a standard.
ISO has published a document that proposes a common approach to dealing with risks by providing generic guiding principles for risk management. The ISO 31000:2009 document specifies that risk is the consequence of uncertainty on objectives, while risk assessment describes the entire process of risk identification, risk analysis and risk evaluation (Scannel et al., 2013).

In this paper, a new taxonomy of counterintelligence threats and risks based on ISO 31000 is created to allow the law enforcement agencies to identify and manage risks based on process-based and rules-based models (ISO, 2009). Accordingly, the security threats and risks that law enforcement agencies face in managing the risks related to strategic choices are discussed. Further, the risks are categorised based on analysis of the Robert Hanssen and Edward Snowden case studies. This paper argues that the fusion of security risk management and intelligence-led risk management can promote collaboration as well as create a stronger risk management culture among the law enforcement agencies, based on the process-based model proposed by ISO 31000:2009.

Definition of Risks

Risk management, as defined by the US Department of Homeland Security, consists of the processes and activities intended to identify, analyse, assess, and communicate risks as well as accept, transfer, avoid or control the risks to levels that are acceptable in terms of costs and damage (Jackson, 2011). The definition parallels that suggested by ISO 31000:2009, which depicts risk management as a process in which the management policies, practices and procedures are used systematically to determine the context, and identify, analyse, evaluate, treat, monitor and review risk. In Australia, risk management uniformity is narrowed down by AS/NZS 31000:2009, which is applicable to a range of decisions and activities in both the public and the private sector.
ISO 31000:2009 views risk management as a set of coordinated activities aimed at directing and controlling an organization with respect to risk (ISO, 2014; Australian Government, 2010).

Risk management in law enforcement agencies

The complexity of developing a standard approach or taxonomy for facilitating risk management remains evident in the law enforcement agencies (Maniasi et al., 2006). However, based on the analysis presented by Oltedal et al. (2004), it is reasonable to conclude that the complexity of the problem is the outcome of a range of counterintelligence threats and risks. In the United States, law enforcement agencies such as the FBI and NSA face complex sets of risks that range from criminal acts of terrorism and corruption within law enforcement to a series of espionage activities committed by intelligent adversaries (Jackson, 2011). Drawing on this argument, managing these risks calls for strategic collaborative efforts between risk analysis and the intelligence community at various levels of the law enforcement agencies, as well as the private sector.

According to ISO 31000, consequence and likelihood are the two functions of risk (ISO, 2014). Jackson (2011) notes that in security agencies, the term ‘probability’ is often used rather than ‘likelihood’ to describe the likely threats or risks in counterintelligence. However, drawing on the specifications of ISO 31000, Prunckun (2012) suggests that both terms are acceptable in counterintelligence. In his work 'Counterintelligence Theory and Practice', Prunckun (2012) advises that risk assessment can be performed in relation to nearly every situation. In his view, Prunckun (2012) elaborated that risk analysis methodologies are applicable to any targets or situations that are not linked to a sensitive instance, such as counterterrorism.
In spite of this, analysis of risks facilitates the process of recommending measures that can provide security agencies with the capacity to (a) accept the risks as they are or (b) treat the risks by avoiding them, mitigating them or deferring them to another agency (Jackson, 2011).

Taxonomy at counterintelligence layer

Taxonomy refers to a breakdown of likely sources of risk. Indeed, once effectively constructed, a taxonomy can create a network of cause and threat categories as the ultimate outcome. Cebula and Young (2010) argued that the taxonomy has to be contextually relevant for counterintelligence and the agencies that operate. In his review of the taxonomy of business risks, Davies (2012) opined that since taxonomy is currently embedded into the enterprise management layer of the risk framework, it makes it easy to separate the risks and threats homogeneously. This is corroborated by Sjorberg et al. (2007), who suggested that sectioning out the risks increases the transparency of risk reports and facilitates benchmarking of risk performance.

In risk management, each type of threat demonstrates different disruption mechanisms and poses diverse challenges for improving the resilience of systems. Cebula and Young (2010) suggest that in such situations, a taxonomy of varied causal mechanisms is a significant initial step in the process of classifying threats. It provides a framework for organising and examining the scope and breadth of counterintelligence issues and therefore offers a framework for understanding the risks related to how counterintelligence agencies operate.

However, Davies (2013) argues that ISO 31000 does not explicitly describe how a risk taxonomy can be created. This is paradoxical, since ISO 31000 also does not specifically recommend that a taxonomy should be created, although it delineates the types of risks and the nature of risk. In delineating risk in this way, ISO 31000 implies that a risk taxonomy should indeed exist.
At the same time, ISO 31000 also specifies that a risk framework should be adapted to fit the entity it has to be applied to (ISO, 2009). Hence, it could be assumed that building a risk taxonomy is not necessarily an overlooked activity under ISO 31000. Still, ISO 31000 expresses how to approach a categorisation system. In any case, the process-based model suggested by ISO 31000 provides an ideal means of constructing the risk taxonomy (Scannel et al., 2013).

Taxonomy of Risks and Threats

According to Kaplan and Mikes (2012), the first step in creating a risk taxonomy is to understand the qualitative distinctions among the ranges of risks an organisation faces. In respect to the counterintelligence agency, the risks must therefore relate to the tasks the agencies engage in. In aligning Kaplan and Mikes’ (2012) perspective with the provisions of ISO 31000:2009, it is concluded that organisational risks can be categorised into three: preventable risks (category 1), strategy risks (category 2), and external risks (category 3). In their interpretation of the three categories they suggest, Kaplan and Mikes (2012) share the perspective that risks from any of the three categories can be fatal to the organisation’s strategy and ultimate survival.

Risks Taxonomy

Category 1:
  - Poor records management system
  - Low public visibility
  - Perceived income disparities within the police
  - Low pay
  - FBI’s security management program was based on trust rather than practical steps for security measures
  - Status problems
  - Deficiencies in training on documentation of security violations
  - Diminished loyalty among the employees
  - Lack of financial disclosure

Category 2:
  - Authorising senior employees access to sensitive data
  - Tradecraft strategy
  - Managerial secrecy
  - Opportunity for corruption

Category 3:
  - Technological advances
  - Macroeconomic shifts
  - Family pressures
  - Diminished loyalty

Table 1: Counterintelligence risk taxonomy

Category 1

Kaplan and Mikes (2012) propose that the first category should consist of risks that are preventable. Within the context of counterintelligence, they consist of internal risks that arise from within the organisation, and which are controllable and therefore avoidable. Based on the Hanssen and Snowden case studies, these threats and risks are identified as those reflecting the unethical, unauthorised, unlawful, improper and inapt actions of the management and employees of the law enforcement agency, in addition to the risk resulting from breaches in the routine operational processes.

Erhman (2009) suggests that weaknesses in a counterintelligence agency’s document and information security lead to information security threats (Bennett, 2003). Robert Hanssen exploited the widespread weaknesses in the FBI’s document and information security to access classified national security information, which was subject to limited control and monitoring (Vise, 2002).

Low public visibility is an underlying cause of police corruption (Tate, 2003). In addition to the intrinsic discretion enjoyed by police officers, Masse and Krouse (2003) add that a limited level of public visibility makes supervision of the officer difficult. Low public visibility had allowed Hanssen to establish several dead drop sites where he passed the information to the KGB. On the other hand, Snowden managed to relay information to journalists by maintaining low public visibility, before ultimately consenting that his identity be exposed.

Newburn (2009) and Lauchs et al.
(2011) cited low pay as an obvious driver of a lack of integrity among all public officials, specifically in societies where consumption is greatly valued while salaries remain low. Additionally, diminished loyalty among the employees also threatens counterintelligence. In an analysis of espionage agents caught in the United States over a five-decade period, Kramer et al. (2005) and PERSEREC (2005) concluded that diminished organisational loyalty among employees of intelligence agencies motivated the act.

Lack of financial disclosure also puts counterintelligence at risk of espionage. In the case of Hanssen, it is reasoned that since Hanssen had never been asked to submit detailed financial disclosure throughout his career with the FBI, it created leeway to stay out of suspicion.

Managing Category 1 risks

Davies’ (2013) point of view regarding the management of preventable risks is reflected in the view provided by Kaplan and Mikes (2012). In their view, an effective approach to managing these risks entails monitoring the organisational processes, providing elaborate guidance on employees’ behaviours and guiding employees’ decisions towards desirable norms. These suggestions are consistent with the rules-based compliance approach for identification and management of preventable risks suggested by Kaplan and Mikes (2012) and Simons (1999). They are also relevant to the ISO 31000:2009 standard’s process-based approach.

In agreement with Simons’ (1999) earlier work “Levers of Control,” Kaplan and Mikes (2012) point out that organisations cannot anticipate all conflicts of interest or situations employees may encounter. Hence, their first line of defence in preventing the risks entails providing guidelines on how to clarify the goals and values of the company. Towards this end, Category 1 is further sub-divided into mission, values and boundary.
In relation to Phanual and Darbi’s (2012) discussion on the potential impact of mission and vision statements on employee behaviour, it could be suggested that an organisation should have a well-crafted mission statement that expresses its fundamental objectives and purpose, as well as the directions the employees should comply with. In regard to values, Kantabutra and Avery (2010) concluded that organisations should articulate the values that guide the behaviours of the employees towards the public, the community, and other stakeholders.

Hence, organisations should initiate strong internal control systems, including segregating activities and having an effective whistle-blowing program, which serve to reduce the likelihood of temptations to relay organisational information to outsiders, as witnessed in the Snowden case study. Indeed, Kramer et al. (2005) suggested that counterintelligence specialists should continually monitor and use comprehensive systems for managing information that promote their security. These should include regular financial disclosures, counterintelligence polygraph examination, significant background checks and information audit of computer usage (Perry, 2014).

Category 2

Consistent with ISO 31000:2009, Davies (2013) supports Kaplan and Mikes’ (2012) categorisation of category 2 risks and threats. Accordingly, the researchers appear to share the perspective that category 2 risks comprise the strategic risks an organisation voluntarily accepts in the hope of generating favourable returns from its strategy. As stated by Kaplan and Mikes (2012), strategic risks differ substantially from the preventable risks since they are not naturally undesirable.

In Hanssen’s case, unrestricted authorised access to sensitive data by the senior employees was a threat to counterintelligence.
For instance, Hanssen had free and unlimited access to the Automated Case Support System (ACS), which is the FBI’s collection of computerised databases of investigative files.

Tradecraft strategy was also an underlying risk. As Perry (2014) stated, professional standards in counterintelligence work require the agents to hide information, lie, protect their cover, use covert tactics and cover their sources. Bunker (2005) showed that counterintelligence agencies such as the Central Intelligence Agency and Federal Bureau of Investigation teach, expect, control and promote these tradecraft tactics to ensure the lies are corroborated and consistent. However, these tradecrafts expose the agencies to risks, as the trained agents develop the tendency to act clandestinely.

Managerial secrecy is also widely accepted as threatening counterintelligence (Masse & Krouse, 2003). According to Newburn (2009), the code of silence encourages police officers to take an adversarial position towards any party that seeks to challenge their activity. This perspective is strongly supported by several researchers and authors (Masse & Krouse, 2003). Indeed, it has grounds in the two case studies, as it encouraged Hanssen and Snowden’s clandestine activities.

Opportunity, as a cause or factor of corruption within the police force, has been well documented (Lamani & Venumadhava, 2013). In a document analysis, Porter and Warrender (2007) cited a report published by the US-based General Accounting Office in 1998, which had found that the police are likely to engage in corruption depending on their level of exposure to opportunities. Moran (2005) corroborated the findings in his study, which highlighted that the areas with more opportunities for corruption tended to have a higher number of corrupt officers.

Managing category 2 risks

Kaplan and Mikes (2012) view strategic risk as a threat to an organisation’s security, reputation and survival.
In a review of police corruption, Papandrea (2014) proposed that strategies with highly expected returns often require that organisations take substantial risks and that managing these risks is the key driver in ensuring potential gains. Kaplan and Mikes (2012), however, contend that unlike the Category 1 risks, the Category 2 risks cannot be managed using a rules-based control model. Rather, organisations need to institute a risk management system specifically created to reduce the likelihood that such assumed risks materialise and to boost the organisation’s ability to contain the risks should they happen. This shows that Category 2 risk management is based on the ISO 31000:2009 standard’s process-based approach. In agreement, Soltani & Yusof (2012) argue that having such a system in place would not prevent organisations from pursuing risky ventures. On the contrary, organisations become more capable of taking on highly risky yet highly rewarding ventures.

Organisations may as well hire independent experts to help in managing category 2 risk. For instance, law enforcement agencies that have integrated high technology into their operations (such as internet- and cloud-based technologies) face high intrinsic risks of cyber-attacks, hacking or internal breaches. This is because records management may lack the expertise needed to handle the technology in a way that ensures optimal security. For instance, Hanssen had relatively high technological expertise compared to those involved in handling electronic records. He exploited their weakness to access the computer files undetected. Under such scenarios, the management may hire independent technical experts to carry out risk assessment and make risk mitigation decisions (Kaplan & Mikes, 2012).

Category 3

Category 3 risks, according to Kaplan and Mikes (2012), outline the external risks. These therefore consist of risks that happen outside the organisation, and which may be beyond the organisation’s control or influence.
These risks include macroeconomic changes or political upheavals inside or outside the country. Examples include geopolitical changes that have long-term effects, such as policy changes, political shifts, wars and coups. They may also include competitive risks with short-term impacts, such as disruptive technologies including hacking and cybercrimes.

Macroeconomic factors also influence espionage activities. Kramer et al. (2005) illustrated that cases of espionage increased in the United States after the 2008/2011 economic recession, which substantially increased financial pressures on employees because of medical expenses and loss of jobs.

Diminished national loyalty among the population is another risk. Zegart (2007) suggested that espionage agents tend to have diminished national loyalty. A study by the Defense Personnel Security Research Center on spies caught in the United States showed that spies tended to be unpatriotic individuals. Zegart (2007) pointed out that increased acceptance of global values makes it easy for potential leakers to rationalise actions which are in fact driven by ulterior financial motives. Lastly, family pressures such as patronage ties, children’s tuition fees or a sick child also trigger individual corruption cases.

Managing category 3 risks

According to Kaplan and Mikes (2012), Category 3 risks should be approached differently from the Category 1 and Category 2 risks. Since organizations cannot prevent the external events from occurring, the organizational management should focus on identification and mitigation of their impact based on the ISO 31000:2009 standard’s process-based approach. Kaplan and Mikes (2012) state that since the third category of risks cannot be averted or prevented using the approaches for managing strategy or preventable risks, organisations should centre on identifying them, evaluating them and determining how they could be mitigated in case of their occurrence.
On the other hand, a number of external risk events are imminent and can be managed simultaneously with the strategy risks. The external risk events call for a different analytic approach, since their likelihood of occurrence is minimal, or since managers have trouble envisioning them in the course of their normal strategy processes.

Conclusion

The fusion of security risk management and intelligence-led risk management can promote collaboration and create a stronger risk management culture among the law enforcement agencies, based on the process-based model proposed by ISO 31000:2009. ISO 31000:2009 views risk management as a set of coordinated activities aimed at directing and controlling an organization with respect to risk. Law enforcement agencies face the risks of espionage, which undermine their counterintelligence strategies. Managing these risks calls for strategic collaborative efforts between risk analysis and the intelligence community at various levels of the law enforcement agencies, as well as the private sector. In itself, intelligence-led risk management signifies the fusion of risk management and intelligence based on a collaborative framework, with the view of promoting effective risk management across the law enforcement agencies.

While ISO 31000 does not explicitly describe how a risk taxonomy can be created, it specifies that a risk framework should be adapted to fit the entity it has to be applied to, based on a process-based model. The process-based model provides an ideal means of constructing the risk taxonomy for the law enforcement agencies. Three categories are developed to this end. Category 1 consists of preventable risks that mainly accrue from law enforcement management. In managing category 1 risks, organisations need to initiate strong internal control systems, including segregating activities and having an effective whistle-blowing program, which serve to reduce the likelihood of temptations to relay organisational information to outsiders.
To this end, counterintelligence specialists should continually monitor and use comprehensive systems through regular financial disclosures, counterintelligence polygraph examination, significant background checks and information audit of computer usage. Category 2 risks are mainly strategic risks, which threaten an organisation’s security, reputation and survival. Strategies with highly expected returns often require that organisations take substantial risks, and managing these risks is the key driver in ensuring potential gains. Category 3 risks outline the external risks that happen outside the organisation, and which may be beyond the organisation’s control or influence. Since organizations cannot prevent the external events from occurring, the organizational management should focus on identification and mitigation of their impact based on the ISO 31000:2009 standard’s process-based approach.

Reference List

Australian Government (2010). AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines. Retrieved:
Bennett, R. (2003). Espionage: Spies and Secrets. London: Virgin Books Ltd
Bunker, R. (2005). Networks, Terrorism and Global Insurgency. New York: Psychology Press
Cebula, J. & Young, L. (2010). A Taxonomy of Operational Cyber Security Risks. Hanscom: Carnegie Mellon University.
Davies, M. (2012). Importance of risk categories. Retrieved:
Davies, M. (2013). Risk Dashboards should serve the stakeholder. Retrieved:
Erhman, J. (2009). What are We Talking About When We Talk about Counterintelligence? Studies in Intelligence 53(2)
Hastedt, G. (2003). Espionage: A Reference Handbook. New York: ABC-CLIO
Hrebiniak, L. (2008). Making Strategy Work: Overcoming the Obstacles to Effective Execution. Ivey Business Journal
ISO. (2009). Overview of ISO 31000:2009 Risk Management. Retrieved:
ISO. (2014). ISO 31000 - Risk management. Retrieved:
Jackson, D. (2011). Intelligence-Led Risk Management For Homeland Security: A Collaborative Approach For A Common Goal. Monterey: Naval Postgraduate School.
Kahan, D., Jenkins, H. & Braman, D. (2010). Cultural cognition of scientific consensus. Journal of Risk Research, 1–28
Kantabutra, S. & Avery, G. (2010). The power of vision: statements that resonate. Journal of Business Strategy 31(1), 37-45
Kaplan, R.S. & Mikes, A. (2012). Managing risks: A new framework. Harvard Business Review, June 2012
Kramer, L., Heuer, R. & Crawford, K. (2005). Technological, Social, and Economic Trends That Are Increasing U.S. Vulnerability to Insider Espionage. PERSEREC Technical Report 05-10 May 2005
Lamani, R. & Venumadhava, G. (2013). Police Corruption in India. International Journal of Criminology and Sociological Theory, 6(4) 228-234
Lauchs, M., Keast, R. & Le, V. (2011). The motivation and structure of corrupt police networks: theorising the dark side of the ‘thin blue line’. 15th Annual Conference of the International Research Society for Public Management (IRSPMXV), Trinity College, Dublin, Ireland, 11-14
Leggit, J., Schechter, O. & Lang, E. (2011). Cyberculture and Personnel Security: Report I – Orientation, Concerns, and Needs. PERSEREC Technical Report 1-0- May 2011
Maniasi, S., Britos, P. & Garcia-Martinez, R. (2006). A Taxonomy-Based Model for Identifying Risks. Buenos Aires: Buenos Aires Institute of Technology
Masse, T. & Krouse, W. (2003). The FBI: Past, Present, and Future. CRS Report for Congress Order Code RL32095
Moran, J. (2005). ‘Blue Walls’, ‘grey walls’ and ‘cleanups’: Issues in the control of police corruption in England and Wales. Crime, Law and Social Change, 43, 57-79
Newburn, T. (2009). Understanding and preventing police corruption: lessons from the literature. Research Development Studies Police Research Series Paper 110
Oltedal, S., Moen, B., Klempe, H. & Rundmo, T. (2004). Explaining risk perception. An evaluation of cultural theory. Trondheim: Rotunde publikasjone
Papandrea, M. (2014). Leaker Traitor Whistleblower Spy: National Security Leaks and The First Amendment. Boston University Law Review 94(1), 449-544
Perry, J. (2014). Toward a Theory of Public-Service Motivation. Journal of Public Administration and Theory 10(2), 471-488
PERSEREC. (2005). Technological, Social, and Economic Trends That Are Increasing U.S. Vulnerability to Insider Espionage. PERSEREC Technical Report 05-10
Phanual, W. & Darbi, K. (2012). Of Mission and Vision Statements and Their Potential Impact on Employee Behaviour and Attitudes: The Case of A Public But Profit-Oriented Tertiary Institution. International Journal of Business and Social Science 3(14), 96-108
Porter, L. & Warrender, C. (2009). A Multivariate model of police deviance: examining the nature of corruption, crime and misconduct. Retrieved:
Prunckun, H. (2012). Counterintelligence Theory and Practice. Lanham: Rowman & Littlefield
Scannel, T., Curkovic, S. & Wagner, B. (2013). Integration of ISO 31000:2009 and Supply Chain Risk Management. American Journal of Industrial and Business Management, 3(1), 367-377
Simons, R. (1999). How Risky is your Company? Harvard Business Review, May-June
Sjorberg, L., Moen, B. & Rundmo, T. (2007). Explaining risk perception. An evaluation of the psychometric paradigm in risk perception research. Trondheim: Rotunde Publicjasjoner
Soltani, F. & Yusof, M. (2012). Concept of Security in the Theoretical Approaches. Research Journal of International Studies 1, 7-16
Tate, J. (2003). Police Corruption: FBI Investigations Are Not The Answer. Eastern Michigan University School of Staff And Command
Vise, D. (2002). The Bureau and the Mole: The Unmasking of Robert Philip Hanssen, the Most Dangerous Double Agent in FBI History. New York: Atlantic Monthly Press
Woods, M. & King, W. (2008). An Assessment of the Evolution and Oversight of Defense Counterintelligence Activities. Journal of National Security Law & Policy 3(1), 169-219
Zegart, A. (2007). “CNN with Secrets:” 9/11, the CIA, and the Organizational Roots of Failure. International Journal of Intelligence and Counterintelligence

Risk management in law enforcement agencies The complexity of developing a standard approach or taxonomy for facilitating risk management remains evident in the law enforcement agencies (Maniasi et al., 2006). However, based on analysis presented by Oltedal et al. (2004), it is agreeable that the complexity of the problems is the outcome of a range of counterintelligence threats and risks. In the United States, law enforcement agencies such as FBI and NSA face complex sets of risks that vary from the criminal acts of terrorism, corruption within the law enforcement, and series of espionage activities committed by intelligent adversaries (Jackson, 2011).

Drawing on this argument, it is perceivable that managing these risks calls for strategic collaborative efforts of risk analysis and intelligence community at various levels of the law enforcement agencies, as well as the private sector. According to ISO 31000, consequence and likelihood are the two functions of risk (ISO, 2014). Jackson (2011) discusses that in security agencies, the term ‘probability’ often applies rather than ‘likelihood’ to demonstrate the likely threats or risks in counterintelligence.

However, drawing on the specifications of ISO 31000, Prunckun (2012) suggests that both terms are acceptable in counterintelligence. In his work 'counterintelligence theory and practice', Pruckun (2012) advises that risk assessment can be performed in relation to nearly every situation. In his view, Pruckun (2012) elaborated that risk analysis methodologies are applicable to any targets or situations that are not linked to sensitive instance, such as counterterrorism. In spite of this, analysis or risks facilitates the process of recommending measures that can provide security agencies with the capacity to (a) accept the risks as they are or to (b) treat the risks by avoiding it, mitigating it or deferring it to another agency (Jackson, 2011).

Taxonomy at counterintelligence layer Taxonomy refers to a breakdown of likely sources of risk. Indeed, when once effectively constructed, taxonomy can create a network of cause and threat categories as the ultimate outcome. Cebula and Young (2010) argued that the taxonomy has to be contextually relevant for counterintelligence and the agencies that operate. In his review of taxonomy of business risks, Davies (2012) opined that since taxonomy is currently embedded into the enterprise management layer of the risk framework, it makes it easy to separate the risks and threats homogenously.

This is corroborated by Sjorberg et al. (2007), who suggested that the sectioning out of the risks increases the transparency of risk reports and facilitates benchmarking of risk performance. In risk management, each type of threat demonstrates different disruption mechanisms and poses diverse challenges for improving the resilience of systems. Cebula and Young (2010) suggest that in such situations, a taxonomy of varied causal mechanisms is a significant initial step in the process of classifying threats.

It provides a framework for organising and examining the scope and breadth of counterintelligence issues, and therefore offers a framework for understanding the risks related to how counterintelligence agencies operate. However, Davies (2013) argues that ISO 31000 does not explicitly describe how a risk taxonomy can be created. This is paradoxical, since ISO 31000 also does not specifically recommend that a taxonomy should be created, although it delineates the types of risks and the nature of risk.

In delineating risk in this way, ISO 31000 implies that a risk taxonomy should indeed exist. At the same time, ISO 31000 also specifies that a risk framework should be adapted to fit the entity it has to be applied to (ISO, 2009). Hence, it could be assumed that building a risk taxonomy is not necessarily an overlooked activity under ISO 31000. Still, ISO 31000 expresses how to approach a categorisation system. In any case, the process-based model suggested by ISO 31000 provides an ideal means of constructing the risk taxonomy (Scannel et al., 2013).
