Abstract
This paper presents an alternative and broader perspective on security risk, incorporating uncertainty, as a two-dimensional combination of (1) threat (Th) to value (Vl) and (2) vulnerability (Vu) given coping capabilities (Cc), together with the associated uncertainties U (will the threat scenario occur, and to what degree are we vulnerable?). The work also attempts to provide an integrated approach to the safety and security fields, looking closely at the issues related to Safety-I, Safety-II and security. Whereas conventional safety management approaches (Safety-I) rely on hindsight knowledge and on risk assessments that calculate probabilities from historical data, the Safety-II concept looks for ways to enhance the ability of organisations to be resilient, in the sense that they recognise, adapt to and absorb disturbances. Three determinants shape the Safety-II concept in a security perspective: the capacity of organisations to operate in changing circumstances; the formulation of strategies that promote a willingness to devote resources to security purposes, driven mainly by the organisation's leader; and an organisational culture that encourages people to speak up (respond), think creatively (anticipate) and act as mindful participants (monitor and learn). After clarifying some of the fundamental building blocks of security risk assessment, the paper develops an extended security risk assessment that includes an analysis of both vulnerability and resilience. The analysis explores how the system behaves following any type of threat scenario and determines whether key functions and operations can be sustained.
Cite this article
Steen, R. On the Application of the Safety-II Concept in a Security Context. Eur J Secur Res 4, 175–200 (2019). https://doi.org/10.1007/s41125-019-00041-0