
Risk Chain

 

The sequence from a "threat" to an "asset" becoming a reality and creating a negative "impact" is a complete "Risk chain". There are several links that can be broken to "Protect".

Consider the Security Risk Chain like a Fire Triangle, which has Fuel, Heat and Oxygen. When one is gone, the fire is gone. Similarly, in the Risk Chain, one broken link means the "Risk" is gone.

Smart Security is identifying the balanced set of Security measures, i.e. infrastructure, technology & automation, process and manpower, to be put into effect to break the risk chain at the right link. Understanding which risk mitigation tool is most suitable is important for a Security Manager.

During sensitive times, the police take regular offenders in the city into custody: the police remove the "adversary" from the chain. On the other side, terrorists select populated areas for bomb explosions to have maximum "impact", as an explosion in a non-populated area would be only for enjoyment, like fireworks.

Therefore, knowingly or unknowingly, Security and the Adversary play around the links. Security tries to break the chain, and Adversaries look for its continuation.

In the next blog, I will show tools which can be used to break the chain.
