Security Awareness – Better Understand How Human Factors Impact Security

Dr. Marc H. Siegel
Director, Global Security and Resilience Projects
Homeland Security Graduate Program, San Diego State University

14th Annual National Security Summit, 30‐31 August 2016, Canberra, Australia

© 2016 Dr. Marc Siegel, Director, Security and Resilience Projects, Homeland Security Graduate Program, San Diego State University, [email protected]

Dr Marc Siegel - ASIS International - Security Awareness – Better Understand How Human Factors Impact Security



SDSU Graduate Program in Homeland Security

• The HSEC Program offers interdisciplinary graduate study leading to the Master of Science degree in Homeland Security.
• We are focused on:
  • Supply chain risk management for international trade optimization.
  • Integration of business and risk management to build profitable, sustainable and resilient organizations.
  • Security awareness for businesses and communities.
  • Promote human rights and ethical issues as part of security operations.
  • Analytical tools for risk assessment and management.
  • Viz Center focuses on humanitarian assistance disaster relief, civilian‐military interactions, international relief, wireless and optical networks, data fusion, and visualization.
  • Collaboration and coordination between public and private security operations.

The HSEC program, in partnership with key community, academic, public and private‐sector partners, is engaged in several collaborative efforts including projects in bioterrorism defense, port and border security, critical infrastructure, information technologies and communications, and international trade.


Security Risk Management is About Solving This Problem


An Important Variable – People

• Key to solving the equations is understanding the human context:
  • Who are the stakeholders?
  • What are their cultural characteristics?
  • What are their needs and perceptions?
  • What is their reality?
  • What is their perception of time?
  • What are your assumptions?
  • What are your biases?


Understanding Biases

• Social and cultural biases
• Familiarity and confirmation bias
• Perception, observational selection, and memory biases
• Belief and behavioral biases
• Relational, group‐think, and tribal biases
• Confirmation and post rationalization biases
• Information availability bias
• Decision making biases
• Illusion of control biases
• Time perception biases


Assumptions

• What are the assumptions based on?
• How are the underlying assumptions impacting the outcomes?
• How is the assumption affected by the level of uncertainty?
• Are the assumptions a reflection of your biases?
• Are assumptions that something is a “given” based on opinions or evidence?
• How do the assumptions affect the confidence in the interpretation of evidence?
• Are assumptions about likelihood balanced by potential consequences in achieving objectives?
• Could the assumptions be different if made by another individual?
• Would the outcomes be different if they were based on different assumptions?
• Were the assumptions made when setting the assessment criteria still valid in light of the evidence and data gathered?


Identify Value – Understanding the Organization

• What is important to the organization?
• What are short, medium, and long-term strategic, tactical and operational objectives?
• What are the human, tangible and intangible assets?
• What impacts your reputation and brand?
• What value creators are internal and subject to your control and which value creators are external and may not be subject to your control?
• What and who determines value?
• What are the measures of success?
• What is the risk attitude?


Context Matters

• Context matters – local culture, customs, economics, social dynamics, and the political and legal environment will have profound impact on your security operations and must be understood.
• Before beginning a risk assessment, you must understand the risk environment and factors that will impact your objectives.
• Who are your stakeholders:
  • Stakeholders are not just your people and your clients, don’t forget the different communities you operate in.
  • How will the internal and external stakeholders impact your security operations?
  • How will your security operations impact the internal and external stakeholders?
  • What are your stakeholders’ perception of risk?
• What are your supply chain risks – dependencies and interdependencies?
• YOUR REPUTATION AND BRAND IS YOUR MOST PRIZED ASSET!


Risk Appetite

• “Your” risk appetite is a myth.
• To determine a risk appetite you must consider:
  • Your company’s risk attitude
  • Your client’s risk attitude
  • NGO’s perceptions of risk and activism in your area of operation
  • Impacted communities’ perceptions of risk and activism in your area of operation
• Perceived risk can outweigh actual risk and cannot be dismissed as “they don’t understand”.
• Establish a risk committee with top management and representatives of the various functions in the organization to consider strategic, tactical, reputational and operational risk.


Human Rights Risk Assessment

• Respecting human rights is not just the ethical thing to do – it is the business sensible thing to do.
• A human rights risk and impact analysis considers:
  • Respecting people and their dignity in the workplace
  • Providing adequate remuneration and benefits to employees
  • The perceptions of external stakeholders
  • Potential impact of the company’s activities on internal and external stakeholders
  • Information flow to support proactive risk management in security operations
• PROTECTS REPUTATION OF THE ORGANIZATION AND ITS CLIENTS
• Respecting human rights pays for itself and builds positive morale.


Internal Context

• Governance, oversight, and organizational structure
• Chain of command and decision making processes
• Strengths, weaknesses, opportunities, and threats
• Roles, responsibilities and accountabilities
• Strategies, policies, standards and practices
• Organizational culture and characteristics
• Financial aspects (capital structure, budgets, balance sheets, financial planning)
• Tangible and intangible assets
• Human resources (capabilities, competence, leadership styles)
• Communication, information flow, and reporting systems


External Context

• Defining the external context should provide a complete picture of the factors, stakeholders and operating factors that will influence risk and managing respect for human rights, including:
  • Security operations and risks
  • Political, social, and cultural factors that impact the potential for violence
  • Human rights perspectives of public security forces, paramilitaries, other private security companies, local and national law enforcement that impact operations
  • Legal and rules of law issues
  • Interfaces with upstream and downstream supply chain partners, outsourcers, subcontractors, and clients
  • Issues for root cause analysis of operational environment
  • Community hierarchies
  • Learning what questions to ask


It’s Not Just About You

• Determine the criticality of assets, activities and functions on achieving objectives and the consequences of an undesirable event.
• Does the threat agent have knowledge of the asset?
• How much does the threat agent need or desire the asset?
• Does the threat agent have specific objectives and a motivation?
• Has the threat agent demonstrated an interest in the asset?
• How aggressive is the threat agent?
• Is the threat agent resilient?
• Does the threat agent have potential collaborators, friends, colleagues, sympathizers, family, tribe?


Risk Management is Tailored to the Business Not Vice‐Versa

Risk manager that recognizes that it is about objectives, outcomes, value creation, products, and services

Risk manager that thinks it is about tailoring the business to managing risk


The Risk Assessment and Management Approach

Source: ISO18788, http://www.acq.osd.mil/log/ps/psc.html


Need to Clarify From the Start

• The context and objectives of the organization.
• The extent and type of risks that are tolerable, and how unacceptable risks are to be treated.
• How risk assessment integrates into organizational processes.
• Methods and techniques to be used for risk assessment, and their contribution to the risk management process.
• Accountability, responsibility and authority for performing risk assessment.
• Legal and other requirements.
• Resources available to carry out risk assessment.
• How the risk assessment will be reported and reviewed.


Cultural Shift

• Focus on business improvement and changing the culture of the organization.
• Cultural change is not driven by external consultants but driven by management commitment and dedication to meeting objectives.
• Cultural change is a top down – bottom up approach:
  • Create a “family attitude” in the organization so everyone feels part of the family.
  • Everyone who is a risk maker and a risk taker is a risk manager.
  • Empower people to contribute – openness has its benefits, your employees are the best early warning system for potential problems.
• Proactive risk management helps prevent potential undesirable events while identifying possible opportunities for improvement.
• Reaping the benefits of implementation comes from everyone in the organization understanding the benefits of their contribution.
• When employees feel valued, their loyalty to the company increases and turnover decreases.


Building Human Capacity

• Communication and consultation is a two‐way street.
• Break down the implementation of the program into doable bits that can be built on.
• Promotes a mentality of success breeds success:
  • Achieving interim goals builds a sense of accomplishment and excitement about the implementation process
  • Start with the low‐hanging fruit that demonstrates a known problem has been solved
  • Start with simpler concepts in the standard to introduce people to the concepts of a management system
  • Emphasize teamwork and everyone’s input is welcome and no question is too small or silly
  • People learn from simpler examples before tackling more difficult issues
• Maximizes the use of time and resources.


Risk Thinking

• Security awareness is one of the powerful tools.
• Ongoing monitoring of risk profile with continual updates of risk profile.
• In all operational procedures:
  • What are the risks that need to be considered?
  • Who are the internal and external stakeholders that may be impacted?
  • Evaluate if the operational procedure decreases the uncertainty in achieving its objectives.
  • Are there opportunities for improvements?
  • Review the risks considered in the operating procedures when conducting performance evaluation.
• YOU ARE USING YOUR PROCEDURES AS A RISK MANAGEMENT MECHANISM.


Guards ‐ Awareness and Training

• The key to success is a well‐trained workforce ‐ in any service industry the single risk mitigation technique and greatest return on investment is training.
• An investment in training pays back in professionalism and a positive relationship with the client.
• The guards need to understand their role in achieving the organization’s objectives:
  • Guards who understand their risk environment know what to look for and understand the importance of “see something, say something”
  • Guards who understand you prioritize their safety will share their concerns
  • Guards understand that their appearance and behavior impacts the way clients and the people they impact with perceive them
  • They feel valued and appreciated
• Having a use of force policy and procedures for the use of force prevents problems.


Implementation of a Management System

• Communicate to your employees the importance of the management system and their role in it.
• Lead by example – top management needs to follow its own procedures and demonstrate commitment to the management system and employees
• A management system standard is a living, organic system of management in your organization – the human element is key!
• Management commitment is essential
• Start by building excitement and having everyone understand they are an integral part
• Don’t just write procedures, live them
• Show people that their contribution is improving their ability to do their job and manage the risks they touch
• Include external stakeholders – security awareness training for clients
• "Plans are nothing; planning is everything." ‐ Dwight D. Eisenhower


Dr. Marc Siegel, Director, Security and Resilience Projects
Homeland Security Graduate Program, San Diego State University
Email: [email protected]