Human Dimension

Question 1

Define protective security

Answer 1

The means to:

Mitigate risk that arise directly from the potentially harmful actions of people such as criminals, terrorists, hostile states, and malicious insiders

Question 2

Security risks arise from?

Answer 2

Purposeful adversaries

Question 3

What is security? (X2)

Answer 3

First duty of government and
basic human need

Question 4

Security builds (x2)

Answer 4

Trust and confidence

Question 5

Is security a common good?

Answer 5

Yes

Question 6

What is risk?

Answer 6

Risk = threat x vulnerability x impact

Question 7

Are security risks static monoliths?

Answer 7

No they are dynamic and adaptive - a system created by a human can be defeated by a human

Question 8

Risk funnel top tier - what combine to make the threat?

Answer 8

threat actors intentions
threat actors capabilities

Question 9

Risk funnel middle tier - what combine to make the likelihood?

Answer 9

Threat and
victims vulnerability

Question 10

Risk funnel bottom tier - what combine to make the risk?

Answer 10

Likelihood of attack
Impact of attack

Question 11

What are the main threat actors? (x7)

Answer 11

Terrorists (Islamist, NIRT, XRW)
Hostile foreign state actors
Criminals
Insiders
Hacktivists, script kiddies and other hackers
Political extremists and violence-prone protestors
Fixated individuals

Question 12

Three stages in risk management cycle?

Answer 12

Understand the risks
Decide on how much risk to take
Act to reduce risks

Question 13

Characteristics of good security? (x8)

Answer 13

• Risk based (and intelligence-led)
• Proportionate
• Well governed
• Holistic
• Regularly tested
• Well measured
• Layered
• Dynamic

Question 14

What is an insider?

Answer 14

A person who exploits, or intends to exploit, their legitimate access for unauthorised purposes

Someone who betrays the trust of others by causing harm

Question 15

Types of insider?

Answer 15

• Insiders may be third parties (e.g. contractors, suppliers)

• Insiders may be malicious or unwitting

• Insiders may be self-starters or cultivated by external threat actors (e.g. criminal or terrorist groups, hostile foreign states)

Question 16

What is Personnel security?

Answer 16

The defensive measures by which an organization protects itself against insider risk

Question 17

Differnece between Personnel and Personal security

Answer 17

first is a risk to an organisation, the latter to an individual inside the organisation.

eg the MOD holds a risk from personnel, but provides personal security to senior leaders and Ministers.

Question 18

2 methods of creating personnel security

Answer 18

verifying identity
assurance of trustworthiness

Question 19

4 ways we can misperceive risk?

Answer 19

Noting Wikipedia has a list of approx 200 cognitive biases, these 4 are seen as a common group that affect personnel security

• Availability bias
• Optimism bias
• Present bias
• Inattentional blindness

Question 20

5 biases for mishandling risk

Answer 20

• Confirmation bias
• Groupthink
• Sunk-cost bias
• Hindsight bias
• Outcome bias

Question 21

What is trust?

Answer 21

a psychological state that reflects a person’s “willingness to rely on another in a risky situation based upon positive expectations of the other’s intentions or behaviors”

Omand
a state of mind that gives confidence that the risks ahead are being managed to a point where everyday life and investments for the future can continue.

Question 22

How can we measure trust?

Answer 22

Tactical
Are people in org honest? vetting, criminal background checks etc
Risk registers
policies and procedures

Strategic
SROs
Assurance - trust but verify

Question 23

How do we deter /prevent individuals from becoming a malicious insider?

Answer 23

Good management
Regular check ups 1-2’times a year

Question 24

What experiential and personality factors predispose individuals towards insider action?

Answer 24

Personal grievances with organisations
Perception of being held back etc

Question 25

Is money an important motivator for insiders?

Answer 25

No

Question 26

How can we avoid recruiting malicious insiders?

Answer 26

Vetting
Russians tried to infiltrate US security with sleeper agents, does not appear to have worked

Question 27

How can we avoid creating malicious insiders?

Answer 27

Good management!

Question 28

What are the early lead indicators of potential insider action and how can we detect them?

Answer 28

Change in lifestyle
Negative Change in performance
Working unusual hours when compared to their baseline of normal

Question 29

How can we improve people’s ability to assess risk?

Answer 29

Experience
Training - classroom and live exercises
Exposure
Lessons learned

Question 30

How can we help people to understand complex adaptive systems?

Answer 30

use of examples - covid and the 2nd, 3rd…nth order effects. War in Ukraine affecting gas and food prices globally

push the need for resilience in systems

Question 31

How can we counter optimism bias and other cognitive biases?

Answer 31

Red teams
Premortums
Lessons learned

Question 32

How can we help decision-makers to make better decisions, especially under pressure?

Answer 32

highlight how resilience can benefit organisations

training - exposure to real time issues

Question 33

How can we help organisations to learn from experience and become more resilient?

Answer 33

Culture of openness
lessons learned
Premortem exercises