
Mitigation of Identified Risks in a Security Context - Coursework Example

Summary
The writer of the paper “Mitigation of Identified Risks in a Security Context” states that identifying the likelihood and consequences components of risk enables organizations to rate risks based on their potential to occur. It enables protected entities to determine the severities or levels of risks…

Extract of sample "Mitigation of Identified Risks in a Security Context"

(a) How can identifying the likelihood and consequences components of risk facilitate the process of effectively and efficiently mitigating identified risks in a security context? (b) Based on the outcomes from part (a), how does knowledge in the domains of criminology, international relations and law influence this mitigation process?

Introduction

Analysis of different forms of risk in contemporary society has been at the heart of security studies in the domains of criminology, international relations and law. The risks have been explored within the context of military threats, with recent shifts towards new kinds of threats that are non-military in nature (Jarvis, 2007). Risk is the “potential” for an “unwanted” outcome. The term “potential” implies “likelihood”, while “unwanted” denotes the “consequences”. Therefore, the concept of likelihood denotes the probability that a specified risk will cause unwanted outcomes. The consequences consist of the unwanted outcomes (DOD, 2006). Present-day society is characterised by risks such as chemical pollution, nuclear weaponry proliferation, cybercrime, terrorism and theft, which affect individuals according to inequalities and new patterns. In response, the modern world has introduced global risk parameters such as crime, chemical ecology, transport and finance to mitigate risks based on their “likelihood” and “consequences” (Elliot, 2002). To meet society’s desire to reduce fears about risk and security, Jarvis (2007) showed that human and technological development, international relations and legal frameworks have interrelated to objectively mitigate the risks. In light of these perspectives, this paper will show that identification of the likelihood and consequences of risk components facilitates the process of risk mitigation, which in turn is influenced by knowledge in the domains of criminology, international relations and law.

Identification of “Likelihood” and “Consequences” of risks within security context

According to Barnes et al. (2007), the capacity to identify threats to the security of a protected entity from criminal activities is critical if the right mitigation strategies are to be selected. The US Department of Defense (DOD, 2006) defines risk as the “potential” for an “unwanted” outcome. The term “potential” implies “likelihood”, while “unwanted” denotes the “consequences”. As stated by Hameiri and Kuhn (2011), risk refers to a function resulting from the likelihood of a particular threat, which triggers or exploits certain vulnerabilities, resulting in a consequence. Identifying the likelihood and consequences of the components of risks facilitates the process of mitigating identified risks within the context of security. Hence, likelihood refers to how easy it is for individuals to exploit a threat. On the other hand, consequences are the rate of unwanted outcomes.

The first component of risk is the future root cause, which can be eliminated or corrected. The second is the likelihood, which is assessed at the current time. The third is the consequences. The likelihood of occurrence of a certain threat, which exploits a particular vulnerability, and the resulting consequence on a protected entity, are two functions of risk (Hameiri and Kuhn, 2011). This implies that risk should not be treated as a single factor but as a mix of vulnerabilities and threats that are likely to occur, and which may have adverse effects on the safety or security of an entity. Talet and Houri (2014) link risks to likely negative events, which may include a “material threat” to the security of an “entity”. It is therefore clear that risks comprise the multiple unwelcome crime events that are likely to occur. Applied within the security context, “entity” depicts a facility, individual, nation-state, national government or organisation protected from crime activities.
Relying on this perspective, use of contingency planning can offer an effective means of risk management, which would in turn provide an effective and efficient means of tackling an unwanted event, such as criminal activity (Ranong & Phuenngam, 2009). The criteria are to reduce the physical opportunities for crime or to increase the chances of getting caught (Clarke, 1980).

Mitigating risks in Security Context

Effective rating of Risks

Identification of the likelihood and consequences of risks enables effective rating of risks based on their potential to occur. HHS (2007) observed that entities that are protected from crime opportunities should identify the potential threats and vulnerabilities, as well as rate them based on the likelihood that they could occur. The ratings used to express the likelihood of occurrence may be high, medium and low. According to Walsh (2011), the ratings used are dependent on the protected entity’s approach. HHS (2007) suggests that a protected entity may choose to use “high, medium and low”, where High Likelihood shows that probability does exist and that the perceived threat can exploit or trigger vulnerabilities due to deficiencies in the configuration of security controls. Medium Likelihood depicts the existence of a moderate probability. In this case, a risk does exist due to one organizational deficiency, such as a lack of security measures. Third, Low Likelihood refers to a low probability of existence of one organizational deficiency, such as bad configuration of security controls. The associated likelihood ratings influence the availability, integrity and confidentiality of a protected facility (HHS, 2007). To this end, it is argued that rating of risks shows an entity the range of risks that exist and that threaten its operability.

Identification of the likelihood and consequences of risks enables covered (or protected) entities to determine the severities or levels of risks (Shedden, 2010). Bones et al. (2006) observed that defining risks involves the values of the likelihood of the lower and upper limits at the relevant value of severity with an organisation's exposure to internal or external crime opportunities. Using the data, an entity may conclude that a risk is not within an unacceptable zone and that the security breaches do not occur frequently. Bones et al. (2006) commented that in such an instance, the entity can conclude that the risk is tolerable. Such an approach enables security managers or organisations to establish the Low Likelihood risks as acceptable.

Assigning risk level

The level of risk may be determined by assigning a risk level based on the average levels of likelihood and consequence. Whitney et al. (2009) explained that technology limitations have constrained the efforts to assess risks and the likelihood of risks linked to the occurrence of unique events. The researchers noted that large-scale offences committed by terrorists illustrate such events. Hence, estimating such events demands that risk managers connect a range of information components to identify the likelihood and consequences of a particular event. Within this perspective, when law enforcers are confronted by varied nuggets of information, they have to effectively identify components that suggest the event, relate the components into a feasible scenario and assess the likelihood that the event will be executed. At this stage, consequence evaluation succeeds scenario creation to assess the likelihood of a security breach (Whitney et al., 2009). The outcome data from identification of the likelihood and consequences of risks presents a protected entity with appropriate knowledge on the risk areas that need to be prioritised. The entity is also provided with data that can be used to determine the level of risks, in order to prioritise the risk mitigation efforts (HHS, 2007).

Prioritising risk mitigation activities

Identifying the likelihood and consequences assists covered entities to prioritise the risk mitigation activities that should be performed. Whitney et al. (2009) pointed out that prioritising risk mitigation strategies is possible once the levels of risks are determined. At this stage, Walsh (2011) points out that the level of risk is established through analysis of the values assigned to the probability of a threat occurring, resulting in the consequence of the threat occurrence. It also helps determine the likelihood of a target’s occurrence. According to HHS (2007), once the risk analysis is carried out, the protected entity will have the information required to determine the likelihood of a threat triggering or exploiting a certain vulnerability and the consequential impact on the protected entity. At this level, the information gathered can be applied to establish the likelihood and consequence determination (Chaput, 2010).

Crime and criminal deterrence

Identification of the likelihood and consequences of risk, and risk management, present the groundwork for ensuring that an entity is protected from criminal activities using effective and efficient security measures. The likelihood of the threats happening may manifest itself as the cause of a security breach, with the susceptibility of a protected entity of prime significance (DOD, 2006). The two are on-going processes that present the entity with a detailed understanding of the risks in addition to the security measures required to manage the risks effectively. Whitney et al. (2009) commented that performing the identification and labelling of the risks ensures that a protected entity is protected against anticipated threats to security.

Assigning a risk score

Identifying the likelihood and consequences of the components of risk is a prerequisite to assigning a risk score, based on the likelihood and consequences of the components of risks (Whitney et al., 2009).
Scoring of risks offers suitable prioritisation of resources and concentration on the areas that face the greatest risks. Walsh (2011) explains that, regardless of the method used in identifying the components of risks, prioritisation of the risks is the key rationale for conducting risk analysis. Prioritisation ensures that scarce resources, including physical security components, are applied in areas with the greatest risks to ensure that crime opportunities are reduced.

Managing pitfalls in security system

Identification of the likelihood and consequences of risks helps identify appropriate actions for managing the underlying pitfalls in the security system, and in proposing effective security measures. By assigning an action description, a protected entity is provided with additional information that can be used to prioritise management efforts. For instance, if security guards appear to be the most effective physical security components to deter commercial burglary, then priority would be given to them in place of CCTV cameras (Butler, 2001). Hutter (2005) suggests that for the mitigation process to be effective, during the identification of the security measures, it is important to take into perspective the security measure’s effectiveness and the regulatory and legislative requirements that demand that certain security measures be used. At any rate, any security measure to be applied in reducing risk to the protected entity should be detailed in the documentation.

Implementation of the security measures

Identification of the likelihood and consequences is a vital step towards effective implementation of the security measures. The outcome data from the identification can be used to develop a risk management plan for the protected entity.
At this stage, the data is used to identify areas to focus on in the process of actual implementation of the technical and non-technical security measures that can resist and reduce crime opportunities. Bracken, Bremmer and Gordon (2008) suggested that the activities to implement security measures should be carried out in congruence with the identified level of risk. According to Bracken, Bremmer and Gordon (2008), the covered entity may choose to apply internal and external resources to perform the implementation. For instance, if the protected entity plans to integrate a new surveillance system to make security operations more efficient, the potential risk of the devices should also be analysed to see to it that the covered entity is reasonably and acceptably protected (Brooks, 2005). On the other hand, if it is established that the security measures in existence cannot effectively protect the entity against risks associated with the new technology, then additional security measures should be determined for the entity (Sun, 2006). Hence, performing the identification of the likelihood and consequences of the risk of a new technology before implementing it enables the covered entity to mitigate the associated risks to reasonable and acceptable levels.

Identifying the role of criminology, international relations and law in risk mitigation

Once the protected entity is able to identify the likelihood and consequence of a security threat, the entity’s risk level is mitigated effectively to acceptable levels. However, knowledge in various fields, such as international relations, criminology and law, has significant effects on the risk mitigation process.

Law in risk mitigation

With regard to knowledge in law, a key message drawn from a survey of the literature discloses that state regulations and legislation significantly influence risk mitigation practices, in spite of the confusion about the state regulatory arrangement.
Indeed, landmark research by Hutter and Jones (2006) on the extent of knowledge on the impacts of state regulation on risk mitigation found that a majority of the businesses acknowledged the role of local authority regulators in determining the measures they used in crime mitigation and prevention. The findings further suggested that state regulations and laws bring about higher standards of security. With regard to risk mitigation, Hutter (2005) depicts laws as a means of shaping preference and motives. According to Hutter and Jones (2006), using the law as a means to regulate risks in contemporary societies, and specifically in mitigation of risks in businesses, is prevalent. In the United States, many state governments have adopted legislation and regulations in responding to crimes posed by repeat sexual offenders at community levels. The Criminal Justice System 1991 is one such regulation, intended to protect the public (as the entity) from violent offenders. Part 12 of the Criminal Justice Act sets out that an offender should remain in custody until it has been established that the risk he poses has been significantly mitigated or diminished (Mcalinden, 2006). The laws outlined may hence suggest the need for international systems and procedures to ensure compliance with the outlined duties. Although there may be ambiguity on what should constitute compliance, particularly with the duties set out in the legislation, the legal mandate gives unambiguous guidance on what is required at a procedural and institutional level from organisations (Hutter, 2001).

International Relations in risk mitigation

Findings from several empirical studies have established a link between prioritising the risk mitigation strategies on a global scope (Ulrich & Natan, 2006).
Hameiri and Kuhn (2011) explained that the transition of risk into international relations is not a new concept, as international organisations and governments have made the risk mitigation process a major policy paradigm in distinct areas such as counter-terrorism. For instance, in 2010, the United States Nuclear Posture Review (NPR) concentrated on reacting to the strategic threat posed by nations with nuclear stockpiles compared to managing the risks of isolated nuclear terrorist attacks. Prioritising areas that require risk mitigation means creating contingency plans to deal with certain threats posed by potentially rogue nations (Ulrich & Natan, 2006). It also means developing a broad range of risk mitigation measures nationally and internationally, with a view to limiting the movement of people, technologies and materials that could potentially allow rogue states or terrorist organisations to exploit vulnerabilities in the security of a country. Hameiri and Kuhn (2011) pointed out that identification of the likelihood and consequences of the components of risks provides outcome data that can be used to make potential future threats to security “knowable”. This makes it easy to determine the levels of risk posed by the rogue states, which facilitates prioritising risk mitigation efforts (HHS, 2007). The level of risk may be determined by assigning a risk level based on the average levels of likelihood and consequence. Identifying the likelihood and consequences assists a national government to prioritise the risk mitigation activities that should be performed to counter the threats posed by the potentially rogue states or terrorists. Hameiri and Kuhn (2011) draw extensively on discourse theory and the “governmentality” approach in investigating the politics that shape international governance in regard to issues of security that touch on many countries.
Hameiri and Kuhn (2011) demonstrate that despite the global consensus over certain risks that are global in nature, such as terrorism, the identification of the social and economic causes and effects of different nations can present data on how nations can collaborate to mitigate the risks.

Criminology in risk mitigation

In criminology, identification of the likelihood and consequences of the components of risks in public protection helps determine the severity of risks posed by high-risk offenders (Kemshal & Wood, 2007). In turn, it influences the level of multi-agency structures and formal procedures that can be used to assess and manage the risks effectively, as well as to identify the most appropriate risk mitigation models, based on their levels of severity (Wilson & McWhinnie, 2013). Relying on this viewpoint, Kemshal and Wood (2007) expounded that in the criminology domain, the most suitable approach for effectively managing high-risk offenders is the community protection model. The model is based on the criminal justice system and is associated with the application of surveillance, restriction, prioritising of victims, and monitoring and control. Integral to such risk mitigation models is enabling the subjects to be “risk-knowledgeable” so as to be able to make informed decisions on the risks faced. The model is designed to keep the public safe and to view the public as a likely source of security threat to expert-led risk mitigation strategies.

Conclusion

To conclude, once the protected entity is able to identify the likelihood and consequence of a security threat, the entity’s risk level can be mitigated effectively to acceptable levels by reducing the physical opportunities for criminal activities or increasing the chances of catching an offender. Identifying the likelihood and consequences components of risk enables organisations to rate risks based on their potential to occur.
It also enables protected entities to determine the severities or levels of risks. The outcome data from identification of the likelihood and consequences of risks presents a protected entity with appropriate knowledge on which risk areas to prioritise. The outcome data can be used to determine the level of risks, which assists covered entities to prioritise risk mitigation activities. It also presents the groundwork for ensuring that a protected entity is provided with effective and efficient security measures. In addition, it is a prerequisite to assigning a risk score, based on the likelihood and consequences of the components of risks. Further, it helps identify appropriate actions for managing the risks. By assigning an action description, a protected entity is provided with additional information that can be used to prioritise risk management efforts. In addition, it is a vital step towards effective implementation of the security measures. The outcome data from the identification can also be used to develop a risk mitigation process for the protected entity. However, knowledge in various fields, such as international relations, criminology and law, has significant effects on this risk mitigation process.

Reference List

Barnes, P., Charles, M., Branagan, M. & Knight, A. (2007). Intelligence and Anticipation: Issues in Security, Risk and Crisis Management. International Journal of Risk Assessment & Management 7(8), 1209-1223.

Bones, E., Hasvold, P., Henriksen, E. & Strandences, T. (2006). Risk analysis of information security in a mobile instant messaging and presence system for healthcare. International Journal of Medical Informatics, 1-11.

Bracken, P., Bremmer, P. & Gordon, D. (2008). Managing Strategic Surprise: Lessons from Risk Management and Risk Assessment. Cambridge: Cambridge University Press.

Brooks, D. (2005). Is CCTV a Social Benefit? A Psychometric Study of Perceived Social Risk. Security Journal 18(2), 19-29.

Butler, G. (2001). Commercial Burglary: What Offenders say. p. 29-41.

Chaput, B. (2010). HIPAA Security Risk Analysis and Risk Management Methodology with Step-by-Step Instructions. HITECH Security Advisors LLC.

Clarke, R. (1980). Situational Crime Prevention: Theory and Practice. Brit. J. Criminol 20(2), 136-147.

DOD. (2006). Risk Management Guide for DOD Acquisition (6th edn). Department of Defense.

Elliot, A. (2002). Beck's Sociology of Risk: A Critical Assessment. Sociology 36, 293-131.

Jarvis, D. (2007). Risk, Globalisation and the State: A Critical Appraisal of Ulrich Beck and the World Risk Society Thesis. Global Society 21(1), 23-46.

Hameiri, S. & Kuhn, F. (2011). Introduction: Risk, Risk Management and International Relations. International Relations 25(3), 275-279.

HHS. (2007). Basics of Risk Analysis and Risk Management. HIPAA Security Series 2(6), 1-19.

Hutter, B. (2001). Regulation and risk: occupational health and safety on the railways. New York: Oxford University Press.

Hutter, B. (2005). The Attractions of Risk-based Regulation: Accounting for the Emergence of Risk Ideas in Regulation. London: London School of Economics and Political Science.

Hutter, B. & Jones, C. (2006). Business Risk Management Practices: The Influence of State Regulatory Agencies and Non-State Sources. London: London School of Economics and Political Science.

Kemshal, H. & Wood, J. (2007). Beyond public protection: An examination of community protection and public health approaches to high-risk offender. Criminology & Criminal Justice 7(3), 203-222.

Mcalinden, A. (2006). Managing risk: From regulation to the reintegration of sexual offenders. Criminology and Criminal Justice 6, 197-217.

Ranong, P. & Phuenngam, W. (2009). Critical Success Factors for effective risk management procedures in financial industries. Umea School of Business. Retrieved:

Shedden, P. (2010). Information Security Risk Assessment: Towards a Business Practice Perspective. Proceedings of the 8th Australian Information Security Management Conference.

Sun, L. (2006). An Information Systems Security Risk Assessment Model under Dempster-Shafer Theory of Belief Functions. Journal of Management Information Systems 22(4), 109-142.

Talet, A., Mat-zin, R. & Houri, M. (2014). Risk Management and Information Technology Projects. International Journal of Digital Information and Wireless Communications (IJDIWC) 4(1), 1-9.

Ulrich B. & Natan S. (2006). Unpacking Cosmopolitanism for the Social Sciences: A Research Agenda. British Journal of Sociology 57(1), 1-23.

Walsh, T. (2011). Security Risk Analysis and Management: an Overview. Retrieved:

Whitney, P., Thompson, S., Wolf, K. & Brothers, A. (2009). Bayesian Assessments of Likelihood, Consequence and Risk for Comparing Scenarios. Proceedings of the 18th Conference on Behavior Representation in Modeling and Simulation, Sundance, UT, 31 March - 2 April 2009.

Wilson, R. & McWhinnie, A. (2013). Putting the “Community” Back in Community Risk Management of Persons Who Have Sexually Abused. International Journal of Behavioral Consultation and Therapy 8(3), 72-79.