Human Dimension Flashcards
(33 cards)
Define protective security
The means to:
Mitigate risk that arise directly from the potentially harmful actions of people such as criminals, terrorists, hostile states, and malicious insiders
Security risks arise from?
Purposeful adversaries
What is security? (X2)
First duty of government and
basic human need
Security builds (x2)
Trust and confidence
Is security a common good?
Yes
What is risk?
Risk = threat x vulnerability x impact
Are security risks static monoliths?
No they are dynamic and adaptive - a system created by a human can be defeated by a human
Risk funnel top tier - what combine to make the threat?
threat actors intentions
threat actors capabilities
Risk funnel middle tier - what combine to make the likelihood?
Threat and
victims vulnerability
Risk funnel bottom tier - what combine to make the risk?
Likelihood of attack
Impact of attack
What are the main threat actors? (x7)
Terrorists (Islamist, NIRT, XRW)
Hostile foreign state actors
Criminals
Insiders
Hacktivists, script kiddies and other hackers
Political extremists and violence-prone protestors
Fixated individuals
Three stages in risk management cycle?
Understand the risks
Decide on how much risk to take
Act to reduce risks
Characteristics of good security? (x8)
• Risk based (and intelligence-led)
• Proportionate
• Well governed
• Holistic
• Regularly tested
• Well measured
• Layered
• Dynamic
What is an insider?
A person who exploits, or intends to exploit, their legitimate access for unauthorised purposes
Someone who betrays the trust of others by causing harm
Types of insider?
• Insiders may be third parties (e.g. contractors, suppliers)
• Insiders may be malicious or unwitting
• Insiders may be self-starters or cultivated by external threat actors (e.g. criminal or terrorist groups, hostile foreign states)
What is Personnel security?
The defensive measures by which an organization protects itself against insider risk
Differnece between Personnel and Personal security
first is a risk to an organisation, the latter to an individual inside the organisation.
eg the MOD holds a risk from personnel, but provides personal security to senior leaders and Ministers.
2 methods of creating personnel security
verifying identity
assurance of trustworthiness
4 ways we can misperceive risk?
Noting Wikipedia has a list of approx 200 cognitive biases, these 4 are seen as a common group that affect personnel security
• Availability bias
• Optimism bias
• Present bias
• Inattentional blindness
5 biases for mishandling risk
• Confirmation bias
• Groupthink
• Sunk-cost bias
• Hindsight bias
• Outcome bias
What is trust?
a psychological state that reflects a person’s “willingness to rely on another in a risky situation based upon positive expectations of the other’s intentions or behaviors”
Omand
a state of mind that gives confidence that the risks ahead are being managed to a point where everyday life and investments for the future can continue.
How can we measure trust?
Tactical
Are people in org honest? vetting, criminal background checks etc
Risk registers
policies and procedures
Strategic
SROs
Assurance - trust but verify
How do we deter /prevent individuals from becoming a malicious insider?
Good management
Regular check ups 1-2’times a year
What experiential and personality factors predispose individuals towards insider action?
Personal grievances with organisations
Perception of being held back etc
