22 February 2015

Fear: The Elements of Prediction...

"Just as some things must be seen to be believed, some must be believed to be seen." "...so one way to reduce risk is to learn what risk looks like." --Gavin De Becker

These words from his book The Gift of Fear reminds us of how many people talk about Operational Risk Management (ORM), mitigation and implementing risk controls and don't have any context. In order to truly understand something, you actually have to come face-to-face with it, experience it and feel it.

For every 100 people in your organization, how many are a risk?  By that we mean, the factors are high that an individual will do something or be the target of an incident that causes irreversible harm to themselves and or the institution during their tenure as an employee.

The actuaries behind the insurance you purchase for different kinds of hazards or incidents in the workplace could give you some answers here. How likely is it that this kind of event occurs in this industry over the course of one year as an example? Certainly the ratios are known, otherwise the insurance product would not exist to protect you.

Predictive Analytics and processing of information to predict what has a high chance of actual occurrence is a whole other matter. In order to be predictive, you have to have actual experience and it has to be so innate that it now becomes more than just an intuition.

Some call it "Self-talk" and others a gut feeling but whatever it is, it got there because of your past experience. If it's more powerful than that, now you may just be experiencing something we all know as "Real Fear". You have to realize that when you get that tingle sensation up the back of your neck, you are way beyond self-talk and into a whole new dimension of emotion.

DeBecker's elements of prediction can help us figure out the likelihood of a prediction actually occurring:

1. Measurability - How measurable is the outcome you seek to predict?

2. Vantage - Is the person making the prediction in a position to observe the pre-incident indicators and context?

3. Imminence - Are you predicting an outcome that might occur soon, as opposed to some remote time in the future?

4. Context - Is the context of the situation clear to the person making the prediction?

5. Pre-Incident Indicators - Are there detectable pre-incident indicators that will reliably occur before the outcome being predicted?

6. Experience - Does the person making the prediction have experience with the specific topic involved?

7. Comparable Events - Can you study or consider outcomes that are comparable- though not necessarily identical- to the one being predicted?

8. Objectivity - Is the person making the prediction objective enough to believe that either outcome is possible?

9. Investment - To what degree is the person making the prediction invested in the outcome?

10. Replicability - Is it practical to test the exact issue being predicted by trying it first elsewhere?

11. Knowledge - Does the person making the prediction have accurate knowledge about the topic?
This OPS Risk professional has realized that these 11 elements exist in many of the risk management methodologies and systems experienced over the years. What is remarkable is the degree that we see time and time again, these elements being left out, avoided or just plain not utilized in organizations of all sizes and industry sectors.

It's time that CxO's revisit all of these elements in each of the Operational Risk Management (ORM) systems that are in place in their enterprise. From the front door to the intrusion prevention system, in the HR process from interview to termination and from the training room to the board room.

Predictive Analytics is a science that comes in the form of an art. Make sure you have the people who are masters of the art and experts in implementing the science.

15 February 2015

Risk Leadership: From the Inside Out...

The "Leadership of Security Risk Professionals" continues to be an executive management priority in light of the asymmetric threat spectrum unfolding across the globe.  Operational Risk Management (ORM) provides the umbrella for the diverse and yet interdependent processes that pulse throughout the information rich enterprise.  As a leader reflects on this dynamic ecosystem, the vulnerability that still remains most prominent is the failure to effectively integrate risk mitigation tasks by the risk professionals themselves.

How often is your Facility Security Officer (FSO) part of the strategic briefings after a Board of Directors meeting?  Explain the amount of information exchange and substance of the daily dialogue between your head of Human Resources (HR) and the Chief Security Officer (CSO).  What new strategies have been developed this week between your outside counsel and General Counsel (GC) that have also been communicated to the Tier II management in the organization?  How do your customers get educated by your Chief Financial Officer (CFO) in concert with the Chief Information Security Officer (CISO).   What metrics are in place to gauge the risk awareness of new industrial espionage schemes being utilized by Transnational Organized Crime (TOC) syndicates or nation states, to prey on Critical Infrastructure owners and operators?

The risk professionals in your organization are operating each day in the fog of unvalidated intel and exploits. What have you done to update, adapt, renew and change the way you will operate since yesterday?  It is this level of situational awareness and predictive sense-making that is necessary, if you aspire to become even more resilient tomorrow.  Knowing what has changed on each others "Risk Watch" is only one part of the daily real-time analysis.  The knowledge most time-sensitive, may be the understanding of the behavioral implications of your people, processes, systems and external events as they unfold before you:
According to counterintelligence presented by the Federal Bureau of Investigation's Insider Threat Program, employees, former employees or contractors -- those who joined the organization with no intent of wrongdoing -- pose the biggest threat. 
These findings a few years ago, which are based on 20 years of espionage case investigations, indicate that contrary to popular belief, when it comes to data loss and spying, the real-world insider threat is not a stereotypical hacker who covertly siphons off sensitive information on internal systems and networks. 
Authorized users with a level of organizational trust, who are doing legitimate activities with malicious intent, pose the biggest threat, according to Patrick Reidy, the FBI's chief information security officer heading up the Insider Threat Program. 
Reidy said the FBI spends about 35% of its response time on these types of incidents. Focusing on education can help minimize these problems; he said these incidents have dropped 7% at the FBI in the past year. 
Insider threats are not numerous, according to Reidy, but in terms of damages they are the most costly. Of more than 1,900 incidents reported during a 10-year period, Reidy said about 19% were malicious insider threats. Based on information from multiple, "open source" data breach reports and data loss surveys, the average cost per incident is $412 thousand, and the average loss per industry is $15 million. In several instances, damages reached more than $1 billion.
The "Speed of the Connected Enterprise" can be your best ally, or your greatest adversary.  How you integrate, explain, orient, exchange and adapt in real-time, is now the name of the game.  Leadership of Security Risk Professionals operating each day on the front lines to the back office of your organization, require Operational Risk Management excellence.

Without it, they will continue to operate in the haze of that invisible adversary we call, complacency.  Complacent employees, suppliers and customers will remain your most lofty vulnerability.  Your leadership effectiveness of the Security Risk Professionals operating in your organization, partner business and client facilities are continuously at stake.

07 February 2015

Frames of Mind: The Risk of Analytic Convergence...

Are there growing Operational Risks to our national security and private sector enterprises as our intelligence communities (IC) continues it's path of convergence?

We are using the tools and software to automate as much of the collection and the work flow as possible before the human "Grey Matter" is necessary to the final analysis. The fact that 80% of the time is spent on collection/searching and 20% on actual human processing, tells us that we have a long way to go.

Getting to the point where we are spending even more than half of the time doing actual human analysis is a long way off in to the future. Software systems are getting automated crawlers to pull more relevant OSINT into the "Big Data" bases for unstructured query, yet what about the front line observer who is the witness to an incident. They must process this by interfacing with a paper based report that is filled in with a #2 pencil or an electronic form on a PDA to check boxes and select categories that best describe the observed event that risk managers, watch commanders and operations directors need for more effective decision support.

It dawned on us again that perhaps the most vulnerable area of our entire mission is the actual analytical process. We have highlighted the "Analysis of Competing Hypotheses" (ACH) methodology in the past:
Use ACH when the judgment or decision is so important that you can't afford to be wrong. Use it to record and organize relevant evidence prior to making an analytical judgment or decision. Use it to identify and then question assumptions that may be driving your thinking, perhaps without realizing it. Use it when the evidence you are working with may be influenced by denial and deception. Use it when gut feelings are not good enough, and you need a more systematic approach that raises questions you had not thought of. Use it to prevent being surprised by an unforeseen outcome. Use it when an issue is particularly controversial and you want to highlight the precise sources of disagreement. Use it to maintain a record of how and why you reached your conclusion.
To our own demise, how much time are we teaching people how to create .csv files and excel spreadsheets so they can be imported into a link analysis chart or tool. Getting the correct, clean and accurate data into the tool is very important. Once the intel analysts take over and start the Who, What, When, Where exercises to gain a visual picture of the incidents, actors and cues and clues associated with the "Modus Operandi" (MO) people start to get way to excited about the possible outcomes. That is when it's time to stop, assess and use ACH.

Utilizing an analytic process that incorporates the use of tools and other aides to the human decision maker to increase accuracy is only prudent if you have the time to insure a decision without error. In the absence of time, human intelligence is the only answer. We should not under estimate the "Theory of Multiple Intelligences" put forth by Howard Gardner in his book Frames of Mind.

As you read this book from 1983 and begin to apply the history of what we have learned about human cognition and then use this in the context of an analytic process for intelligence communities, suddenly our current state of the IC and it's attempt to reform itself seems crystal clear. What if we organized the competencies of intelligence organizations more closely to the multiple intelligences that Gardner has been researching for multiple decades?

The people selected, trained and leveraged for their "Grey Matter" would be more closely aligned with what we know about the brain and the way that humans have evolved from a biological perspective in their cognitive capacities. Is it possible that we have the wrong people working in the wrong Intel agencies and the wrong roles?
  • Linguistic Intelligence
  • Musical Intelligence
  • Logical-Mathematical Intelligence
  • Spatial Intelligence
  • Bodily-Kinesthetic Intelligence
  • Personal Intelligence
Is it possible to develop an analytic process that puts the right people in the right sequence of the process so that the outcomes are closer to what we really are seeking?

The answer may lie on one of these pages. They may be the best place to start in order to understand what each of our IC entities is all about at this point in the intelligence analysis and outcomes evolution.

01 February 2015

Think Tank: Leadership of Security Risk Professionals...

"Leadership of Security Risk Professionals" is in the operational risk management think tank.  A program being designed for corporations and other organizations who are raising the bar in their personnel skills, risk knowledge and corporate stewardship of their respective silos of enterprise security risk.

If you think about the typical organization who have dozens of risk managers spread across Legal, Human Resources, Finance, Information Technology and Facilities/Real Estate; they all have their own individual silos and risk landscape.  The challenge is to develop a strategic leadership program for these people and the respective skill sets they all should possess, to provide effective Operational Risk Management in our modern day dynamic enterprise.

This strategic program developed to address "Leadership of Security Risk Professionals" (LSRP) shall have several key modules:
  • Behavioral Indicators
  • Organizational Factors
  • Personal Factors
  • Information Communication Technology (ICT)
  • Situational Awareness
  • Continuity of Operations
  • Incident Command
  • Crisis Response
Wrapped around all of these educational modules shall be practical exercises, realistic scenarios and hands on testing in a simulated environment.  All delivered within the secure facility of an off-site location, where everyone eats, sleeps and learns together over the course of 2.5 days.  The think tank outcomes so far, have expressed a desire to also include a hands-on layer.  This will be devoted to counterintelligence awareness building and the active pursuit of economic espionage, trade secrets and intellectual property theft.

The LSRP program is currently being architected and will be formally launched in early 2015.  In the mean time, we would like to know what you would like to see included, in terms of skills learned and practiced.  What are the sub-topics that you think the program should not leave out or that should not be over done?  The global nature of business environments and the pervasive use of ICT for traditional core office functions are now blending with social media.  Now the risks become even more diverse, ever more so dynamic.

The convergence of thinking by security risk professionals in an organization is paramount to effective enterprise stewardship.  Does the HR recruiter and the Chief Security Officer think the same about what are red flags in the background check of a new potential candidate?  Does the IT admin think about the same red flags that the finance auditor loses sleep over every night?  Probably not.

The point is that the myriad of security risk professionals inside the organization have there own focus on the red flags that are in their respective domains, not all the others inside the same company. This is a key metric for the outcomes as a result of the delivery of the LSRP educational and skills based program.

We look forward to your ideas, thoughts and comments about "Leadership of Security Risk Professionals" in the weeks and months ahead.