Habit number 5 of Stephen Covey’s 7 Habits of High Successful People is ‘Seek First to Understand, and Then be Understood’. This habit is about communication, and you may wonder what this has to do with reduce threat, risk and vulnerability. The answer is this; do you really understand what is meant by these terms in the security context? Do you understand how they fit together, and therefore how to dismantle them and reduce each one?
Rather like my recruit training at the Guard’s Depot in the mid 80’s, before I was allowed to fire my weapon, I was taught about the component parts, how they fitted together, how to strip them down and ‘clean’ them. This process reduced the risk of handling and using firearms. I believe the same should be true when it comes to assessing threat, risk and vulnerability.
I am sure there are different versions of these meanings, however these are the ones that I was taught, have used whether it comes to defusing an argument or a terrorist threat, and most importantly, they work.
By the end of this article, I hope you with have a better understanding of each term, what the component parts of the terms are and how to defuse the risks you may be faced with.
If we work from the end result, Risk, and work backwards we can see that Risk is made up by a combination of the Impact and Likelihood of an ‘attack’. The Likelihood and Impact are derived from the Threat and Vulnerability and these are derived from the Intent and Capability of the threat actor.
The threat actor, person of concern of subject of interest is the entity from which the threat comes and is defined by their desire to cause harm and their ability to do so. There are two component parts to a Threat, Intent and Capability, both of which must be present for a Threat to be considered viable. Remove or defuse either one and the Threat is reduced or disappears.
The Intent is their desire, the reason why they want to cause harm. It may be the result of ideology, greed, anger or any number of emotions of reasons. Targeted violence is often, but not exclusively driven by a grievance of some description, which forms the Intent or motivation. This Intent forms the basis of the Prevent element of Contest which is the United Kingdom’s counter-terrorism strategy, but is equally applicable to a domestic dispute or an argument is the street. What is it that has motivated, inspired, caused this dispute or grievance? Resolve that and the Intent dissipates and with it any Threat.
However, Intent is just a thought process without the capability and arguable is the foundation of any Threat. In order for the Threat to be serious, and perhaps to account for the level of Threat there has to be capability to action their Intent.
As an example, the US Government has the Capability to destroy the UK with the might of their military capability, but thankfully they do not have any Intent. Conversely, the Iranian and North Korean Governments have the Intent to harm others but lack the Capability to do so. It is for this reason that the UN, driven by the Western governments have sought to limit the Capabilities of such states.
Equally, should a high-profile person be targeted online and abused and threatened, we seek to identify the person responsible to ascertain their Capability to carry out their threat. If we identify that they do indeed have such Capability, we then look to defuse their Intent and/or their Capabilities to act. Either one reduces the Threat.
In the event of such a Threat being made, the Threat actor etc, must then look to identify the Vulnerabilities of their target, often by way of hostile reconnaissance.
If we are unable to reduce the Threat, because we cannot defuse their Intent or their Capabilities, we are then left with the option of assessing the Vulnerabilities of the subject of the Threat, to reduce any likelihood of a successful attack. The word attack conjures up an image of a physical assault of some description, but can equally be applied to a reputational, financial, psychological attack too.
The Vulnerability is the weakness of gaps in the potential victim’s defences, their Achilles Heel or chinks in their armour. Everyone and every organisation/state has Vulnerabilities and it is the job of the Threat actor to seek out and exploit these, and the security professional or agency to counter that. The level of that response is proportionate to the Threat.
I am aware that on any given day any state actor could hack into my systems and cause me digital harm. My levels of digital security are not designed to counter such a Threat, because it is highly unlikely that that is where the Threat will come from. Having assessed the Threat, I then introduce the appropriate methodology to counter where I believe I am most likely to be targeted from.
I could decide that because Threats exist, I will never log on to the internet, leave my house, drive a car etc etc….and therefore I can reduce my Vulnerabilities to modern day Threats. That, however, would not be a proportionate response. When assessing the Vulnerabilities, a proportionate response is necessary. In my previous role of looking after UK Politicians, this was crucial. We could tell them to never meet the public, share any contact details or say anything that others may disagree with. That would require them to stop doing their job and in the long run make them ‘Vulnerable’ to losing their job! Because we couldn’t shut down all Vulnerabilities, we have to look at what was proportionate and how we could mitigate those Vulnerabilities. Many organisations fail to recognise the value of the assets they have and how Vulnerable they are; hence, they are subject to attacks.
Research data is a prime example. Universities and research centres are a target for state sponsored activity. Why spend millions developing their own research, when they can steal already completed research, be that weapons, medical or other. This data can be acquired either by cyber-attacks or by planting insiders to steal the required data for example.
A factor of this was the Impact of any ‘attack’. If there is little or no Impact, then the Risk is reduced. If however, the Impact is catastrophic then the opposite is true.
A major high street retail outlet in the heart of London’s shopping centre decided some years ago, not to implement any security measures. They conducted an assessment of the cost (Impact) of their losses per annum from shoplifting, against the cost (Impact) of introducing counter measures. Their calculation estimated that the Impact was such that they could live with the losses and not implement any security measures. I hasten to add that that chain has now changed their policy.
The Impact is not always felt immediately. It can have a delayed implication. Consider a terrorist attack on a major city anywhere is the world. The immediate Impact will be devastating loss of live and damage to infrastructure. The longer-term Impact may be a loss in public confidence in the security services to keep the public safe, reduced tourism and investment and financial.
The Threat, Vulnerability and Impact all go towards assessing the Risk. Risk can be defined as the amount of harm that is likely if no action is taken.
Risk is uncertain future event, that may or may not happen. How we assess Risk is related to a number of additional factors, such as our experience. We will all have a level of Risk tolerance or appetite and much of that depends on our experiences. My Risk tolerance will differ from others. Understanding my clients Risk tolerance is a key component of managing the Risk that they are comfortable with, which brings us back to seek first to understand.
So effectively, if we assess that by doing nothing the value of Risk is ‘x’ as our starting point, we then start working to identify and defuse the Threat, by targeting the Intent and/or Capability. If we are unable to defuse that, we then look to reduce the Vulnerabilities so as to make any attack less likely. Once we have done that, we then look to diminish any Impact.
If an example, a person is subject to blackmail and a Threat that unless they pay a ransom, a secret will be exposed about them. If they then choose to publish that secret themselves, the Impact has disappeared, and the Threat of blackmail becomes null and void.
That is how Risk is reduced.
Let us now bring this all together with a diagram that demonstrated how they fit together.
This is called the Risk Chain
Defuse Global specialise is reducing risks to high profile people & organisations by defusing threats online. For more information please visit www.defuseglobal.com/whitepaper
