European Journal for Security Research

Volume 4, Issue 2, pp 175–200

On the Application of the Safety-II Concept in a Security Context

  • Riana Steen
Original Article

Abstract

This paper presents an alternative and broader security risk perspective, incorporating uncertainty, as a two-dimensional combination of (1) threat (Th) on value (Vl), (2) vulnerability (Vu) given coping capabilities (Cc), and associated uncertainties U (will the threat scenario occur? and to what degree are we vulnerable?). Moreover, this work attempts to provide an integrated approach to the safety and security fields. We look closely into the issues related to Safety-I, Safety-II and security. Whereas conventional safety management approaches (Safety-I) are based on hindsight knowledge and risk assessments calculating historical data-based probabilities, the concept of Safety-II looks for ways to enhance the ability of organisations to be resilient in the sense that they recognise, adapt to and absorb disturbances. Three determinants that shape the Safety-II concept in the security perspective are the capacity of organisations to operate in changing circumstances; formulating strategies that promote a willingness to devote resources to security purposes, driven mainly by the organisation’s leader; and an organisational culture that encourages people to speak up (respond), think creatively (anticipate), and act as mindful participants (monitor and learn). Based on clarifying some of the fundamental building blocks of security risk assessment, this work develops an extended security risk assessment, including an analysis of both vulnerability and resilience. The analysis explores how the system works following any type of threat scenario and determines whether key functions and operations can be sustained.

Keywords

Security, Vulnerability, Uncertainty, Resilience, Safety-II

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. BI Norwegian Business School, Oslo, Norway