framework for security: security in the community context

1

Security in the Community Context

Jere Peltonen

Diplomatic Security AdviserMinistry for Foreign Affairs of Finland

EUROPEAN SECURITY CONFERENCE24 April 2006Nice, France

http://www.asisonline.org/

2

%%

What is Security?

3

What is Security?

1 : the quality or state of being secure : as a : freedom from danger : SAFETY b : freedom from fear or anxiety c : freedom from the prospect of being laid off <job security>2 a : something given, deposited, or pledged to make certain the fulfillment of an obligation b : SURETY3 : an evidence of debt or of ownership (as a stock certificate or bond)4 a : something that secures : PROTECTION b (1) : measures taken to guard against espionage or sabotage, crime, attack, or escape (2) : an organization or department whose task is security

Merriam-Webster Online Dictionary

4

What is Security?

1 : the quality or state of being secure : as a : freedom from danger : SAFETY b : freedom from fear or anxiety c : freedom from the prospect of being laid off <job security>


5

What is Security?



freedom from DANGER

6

What is Security?



freedom from DANGER

freedom from FEAR or ANXIETY

7

What is Security?

freedom from DANGER


in operational context become:

8

What is Security?

freedom from DANGER


in operational context become:

freedom from impact of actual threats

freedom from feeling unsure because of perceived threats

9

What is Security?

These should not be seen as purely alternative explanations of security.



10

What is Security?

These should not be seen as purely alternative explanations of security.

Security should be understood as being combination of both.



11

What is Security?



In theory and in practice, concept of security should not be limited to “security”, i.e. traditional security manager's area of expertise

Security should be understood as covering all threats to operation, e.g. traditional business risks fall in the definition of security also

12

What is Security?

This helps to see (and manage) everything that can affect the operation’s success in one coordinated way

This clearly makes security the issue of the Chief Executive Officer (or equivalent)

In theory and in practice, concept of security should not be limited to “security”, i.e. traditional security manager's area of expertise

Security should be understood as covering all threats to operation, e.g. traditional business risks fall in the definition of security also

13

What is Security?

This helps to see (and manage) everything that can affect the operation’s success in one coordinated way

This clearly makes security the issue of the Chief Executive Officer (or equivalent)

In practice, CEO needs to use experts in different ‘areas’ of threat countermeasures and risk management (e.g. traditional “security”, business risks, information security, legal aspects)

14

What is Security?



15

What is Security?



Sureness about realization of expected

future, based on sufficiently realistic interpretation of relevant

factors.

16

What is Security?



Sureness about realization of expected

future, based on sufficiently realistic interpretation of relevant

factors.

17

What is Security?



Sureness about realization of expected future, based on

sufficiently realistic interpretation of relevant factors.

18

What is Security?





19

What is Security?





20

What is Security?

SECURITY = ACTUAL RISKLESSNESS



SURENESS+

21

What is Security?




SURENESS+

22

What is Security?




SURENESS+

23

Security in the Community Context- Why?

• The starting point for the successful management of security (or anything else) is the comprehension of basic factors, i.e. relevant fundamentals.

• This is essential for the successful management of broader

complexes that adapts to different environments and changing circumstances.

• “Security in the Community Context” is a model of relevant factors and their relationships.

• It is a model of the concept of security (on a general level).

24

Security in the Community Context- Why?

• “Security in the Community Context” is a model of relevant factors and their relationships.

• The model can be applied to any traditional area of expertise that is somehow related to threats to or risks of operation.

• As a general level model, ”Security in the Community Context” binds these areas together.

25

What is Community?

• Group of individual people who interact

• Community is held together by common goal(s) supposedly serving satisfaction of individual needs, i.e.

• Community is held together by individual perceptions of usefulness of the common goal(s)

26Individual need:wants to be rich

Individual need:wants to have good life

Individual need:wants to be the best

Common goal(s)

”Let’s do something together that helps us achieve our personal goals!”

Individual persons have needs of their own. They want/expect the needs to be satisfied.

Very often persons cannot achieve their individual goals by themselves alone.

In order to achieve their own goals, individual persons join forces.

Community is held together by common goal(s) supposedly serving satisfaction of individual needs.

In other words, community is held together by individual perceptions of usefulness of the common goal(s).

27

In order to achieve common goal(s), specific ’tools’ are needed, i.e. sufficient levels of operational elements are needed for successful operation.

Operational Elements are:•Assets

•Processes

•Operational Structures

•Operational Environment

It is important that individual members of community understand the relevance of operational elements in achieving common goal(s), and in turn personal goals.

28

Extra input needed to establish sufficient level of assets

Input needed to maintain sufficient level of assets

Assets

• All tangible and intangible assets form an element, which is required by the operation in order to reach the goal(s).

• Examples of assets:• money, tools, people, information,

communication channels, reputation, etc.

• In a way, assets are like pieces of puzzle, i.e. basic ingredients needed to create the whole of the operation.

29

Processes

Extra input needed to establish sufficient level of processes

Input needed to maintain sufficient level of processes

• Series of actions, an element, which is required by the operation in order to reach the goal(s).

• Examples of processes:• logistical processes, information

management, raw material processing, assembly line manufacturing, staff recruiting, etc.

• Processes are means to bind assets - the pieces of puzzle - together as a whole that contributes to the operation.

30

Operational structures

Extra input needed to establish sufficient level of structures

Input needed to maintain sufficient level of structures

• Structures of community relating to the utilization of assets and processes.

• Successful operation requires existing structures to be functional.

• Intentionally and unintentionally formed official and unofficial relationships and arrangements between individual persons, groups, and operational units.

• Examples of operational structures:• official organizational hierarchy, informal

social hierarchy, interdependencies, responsibility and duty arrangements, etc.

• Operational structures are the base on which the puzzle can be assembled.

31

Operational environment

• Element, which cannot directly be influenced by the input of participants but is required for the operation to be successful.

• From the standpoint of operation, operational environment is an external element.

• Operational environment is an element, which can possibly be chosen, and it may be possible to prepare for the changes and their impacts. Some measures can possibly protect the operational environment against threats.

• Examples of operational environment:• political and economic stability, specific

weather conditions, adequate traffic connections, functional communications infrastructure, etc.

• It is not possible to assemble a puzzle in a dark room.

32

• Sufficient levels of assets, processes and operational structures are established and maintained by input from participants (=members of community).

• Without sufficient input operational elements cannot be acquired/created or properly utilized.

• Input is also required to acquire/create and properly utilize measures against threats.

• In order to contribute input, participants need to feel sure about the outcome of the operation (=common goal(s)).

• Examples of input:• money, work contribution, knowledge,

etc.

Input

Extra input needed to establish sufficient level of elements

Input needed to maintain sufficient level of elements

33

Participants

All those who

1. have expectations regarding outcome of the operation,

2. have given or are giving input for the operation,

3. who are able in some way to alter the level of their input if wanted.

• Examples of participants:• investors, employees, executives,

customers, citizens, companies, etc.

• The practical scope of community can vary a lot, depending on the goal(s), so can the types of participants.

34

Operation

The utilization of operational elements in order to reach goal(s).

35

Output

Successful utilization of operational elements creates output, which satisfies the expectations of participants regarding the output of operation, and in turn satisfies their personal needs. This also creates confidence in the usefulness of the operational elements.

36

Operational Elements

Assets, processes, operational structures and operational environment are called operational elements.

37

Something that may have negative influence on operation by causing damage to the operational elements, or by some other way hindering or preventing the successful utilization of the operational elements.

Participants make their own interpretations of threats. Interpretations are not necessarily correct.

Threats

38



Threats

39



Threats

40

XXXXXX

Participants need to feel sure about the realization of expected output in order to give input for the operation.

Sureness is positive feeling about the realization of wanted future.

It is not connected to the actual realization of expectations as such but is based on subjective impressions regarding realization.

Sureness

41

lack of sufficientSURENESS

lack of sufficient INPUT

NO OPERATION

Sureness

(NO COMMUNITY)

42

Sureness

At the end of the day:

It was NOT the actual threat that killed operation,

It was the lack of sufficient sureness!

43

Measures are actions and means aimed at

1) protecting operational elements against threats, or 2) establishing and maintaining level of preparedness to carry on operation in case of realized threat consequences.

Measures are also needed to fix vulnerabilities.

Effective measures reduce risks.

Participants make their own interpretations of measures. Interpretations are not necessarily correct.

Measures

44



Measures are also needed to fix vulnerabilities.


Participants make their own interpretations of measures. Interpretations are not necessarily correct.

Measures

45

Weaknesses or breaches, which hinder the protection of the operational elements with measures, or harm the preparedness to carry on operation in case of realized threat consequences.

Vulnerabilities are well described by saying "chain is as strong as its weakest link".

Vulnerabilities can be fixed by measures.

Participants make their own interpretations of vulnerabilities. Interpretations are not necessarily correct.

Vulnerabilities

46

Weaknesses or breaches, which hinder the protection of the operational elements with measures, or harm the preparedness to carry on operation in case of realized threat consequences.

Vulnerabilities are well described by saying "chain is as strong as its weakest link".

Vulnerabilities can be fixed by measures.

Participants make their own interpretations of vulnerabilities. Interpretations are not necessarily correct.

Vulnerabilities

47

%

Risk is used as means to measure the operational relevance of threat.

In a way, risk is used as threat indicator, with information about the possibility and influence of the negative impact.

Risk can be defined as potential harmful outcome, whose harmfulness and level of possibility are 'known'.

Risk is needed as a tool in order to be able to deal with the uncertainty of the future in appropriate way in the operational context.

Risk %

48

%%




Measures

Preparedness, created from input by specific measure(s)

”Stored input”

49

%%




Measures

Preparedness, created from input by specific measures

”Stored input”

50

%%

Both

1) the realization of risks (=impact of threats), and

2) the input decisions based on incorrect interpretations regarding all relevant factors

ALONE

can prevent or hinder the community from fulfilling its purpose, in other words, the operation succeeding.


51

%%

Therefore, it is equally important to manage

1) the actual risks, and

2) the subjective interpretations made of them by the individual participants of the community.


52

%

Actions and means aimed at actually minimizing the impact of threats to operation.

Risk Management

53

Actions and means aimed at establishing and maintaining sureness of participants based on as realistic interpretation of relevant factors as possible.

Sureness Management

54

%

Security management is:

1) risk management, and

2) sureness management.

Security Management

55

%% Sureness of participants about realization of expected future, based on sufficiently realistic interpretation of relevant factors and weighted by the significance and alteration sensitivity of individual inputs.

Sureness about realization of expected future, based on sufficiently realistic interpretation of relevant factors.

Security


DEFINITIONS

56

%%

Additional information can be found online at

yhteisturvallisuus.net

or

ysecurity.net(→ English)

[email protected]

QUESTIONS?

framework for security: security in the community context

Documents

danger freedom

concept of security

information security

france security

european security conference

realization of expected

anxiety c

safety b