
Risk 102: “Security Ain’t Safety”; Putting Risk In Context March 26, 2012

Posted by Chris Mark in Industry News, InfoSec & Privacy, Risk & Risk Management, terrorism.

In reading through the volumes of blogs and LinkedIn comments on security and risk management, a common theme appeared. When talking about risk management as it applies to security, there appears to be a temptation to use the same models and methodologies as those used in safety risk management. Make no mistake, safety risk management is critical, and the two disciplines may overlap from time to time. Whether analyzing auto accident risks, designing industrial equipment, or any other activity, it is important to understand and analyze the risk involved. The difference lies in the catalyst for the events in question.

In safety, the catalyst is typically a failure of equipment, a mistake by an operator, or a random event such as an “act of God”. In security, the catalysts for the events in question are humans. Living, breathing, thinking, rational humans. For more information about rationality and crime, please read the research brief “A Failed State of Security”.

Consider the following example: modern airliners fly across the world every single day. In 2007 there were about 81,000 individual takeoffs every single day. Every plane that takes to the skies runs the risk of human error, weather, mechanical failure, or other causes (birds being sucked into an engine) leading to an accident. Airlines know the likelihood of mechanical failures and other events, and they implement maintenance schedules and training to minimize the likelihood of such failures. Whether the plane is carrying Americans or Europeans has no effect (other than the likely flight path) on the weather affecting the plane or on whether a flock of birds will be in the flight path. In short, some, if not much, of the safety risk can be “engineered out” of the plane and the flight. Now consider a plane carrying US military personnel or oil executives, or a national airline from a country that is in turmoil. These are exposed to the same risks (weather, etc.) but may carry the additional risk of a hijacking or sabotage attempt. The difference lies in the catalyst for the attack. While weather can be predicted with some degree of accuracy and steps can be taken to avoid bad weather, when a person is the cause of an event it is difficult to predict the likelihood of their actions. Unlike weather, a person who is intent on committing the act is driven by an internal calculus. The amount of risk they are willing to assume and the amount of effort they are willing to put into the act are predicated upon their expected utility of the event. As suicide bombers demonstrate, people driven by ideology are often willing to pay the ultimate price to make their statement. By contrast, a lightning bolt will not strike with any greater force because of the nationality of the people on the plane.

When evaluating risk from a security perspective, it is critical that companies evaluate their own position and attempt to determine whether it would make them a target worthy of greater focus or expense than others. A company that supports animal testing is likely at greater risk from environmental terrorists than a company that does not. In much the same way, a company that is perceived to support censorship may find itself at greater risk of being attacked by ‘hacktivists’. It is the human element driving the event that differentiates security from safety.
