How the definition of security risk can be made compatible with safety definitions

Amundrud, Øystein; Aven, Terje; Flage, Roger

doi:10.1177/1748006x17699145

Cited by 25 publications

(35 citation statements)

References 38 publications

(40 reference statements)

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…The controversy investigated takes place within a Nordic societal security context (Larsson and Rhinard 2020), but similar debates on probability's role in security risk assessment has taken place in other countries (Klima, Dorn, and Vander Beken 2011;Mueller and Stewart 2014) and in research on risk and security (Manunta 2002;Ezell et al 2010;Aven and Guikema 2015;Amundrud et al 2017 ).…”

Section: Securing As High Politicsmentioning

confidence: 99%

“…In 2014, Standard Norway issued a standard for security risk assessment pertaining to when the risk stems from harmful, malicious acts (Standards Norway 2014). 1 During and primarily after the standardization, a controversy arose between risk-and security experts and civil servants on the usefulness of the approach (Maal, Busmundrud, and Endregard 2016;Amundrud et al 2017;Jore 2020). 2 The security risk approach presented in the standard represents a critique of an existing standard (Standards Norway 2008).…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Risk assessment without the risk? A controversy about security and risk in Norway

Heyerdahl

2021

Journal of Risk Research

View full text Add to dashboard Cite

Security and 'securing' is high on the public agenda. Questions are raised on where, to what degree and against what the government and others should introduce preventive security measures. This article investigates a controversy in Norway about the role of probability in risk assessment within security. The article asks how the question of the probability of incidents is problematized and addressed by actors involved. It discusses how the controversy can be interpreted and what it might tell us about security and risk. The article builds on an exploratory study of the reasoning of security professionals in relation to a standard on security risk assessment. It shows how the downplaying of probability is defended, but also how it creates dilemmas and is criticized. The argument against estimating probability is that it is often difficult or impossible. Probability is, however, also a moderating factor. Probability turns unlikely futures into lower risks than likely futures. Those arguing against the security risk standard point to the consequence of downplaying probability in risk estimates. A key finding is how risk assessment in areas of low tolerance for incidents introduces a discrepancy that is difficult to handle. On the one hand, security analysts are supposed to deal with threats as risks, implying scaling, comparison and level of acceptance. On the other hand, they are supposed to create security, implying the opposite of scaling and risk acceptance. Risk assessment becomes difficult if there is little appetite for taking risk. Michael Power's three ideal models of risk management logics are introduced in the discussion as heuristic tools of a sensitizing kind. The article concludes that risk research could benefit from engaging with security theory, to investigate how risk management might be shaped by security practises.

show abstract

Section: Securing As High Politicsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Risk assessment without the risk? A controversy about security and risk in Norway

Heyerdahl

2021

Journal of Risk Research

View full text Add to dashboard Cite

show abstract

“…Although there are several international and national standards, guidelines and recommendations in textbooks and the scientific literature on how to conduct security risk assessment a literature review concluded that there does not exist a consensus on what is the best practice of conduction security risk analysis and different security risk concepts and management tools vary across countries and sectors (Maal et al 2017). Furthermore, in safety science there are currently ongoing debates in both academia and in the practical community about whether there is a need for a specific risk concept for security that can capture the special features of security risk, or whether perspectives dominating the safety field are adaptable to the security field (Amundrud et al 2017;Jore and Egeli 2015). There are several academics and practitioners who claim that security and safety are distinct issues and should not be merged.…”

Section: How Is Security Different From Safety?mentioning

confidence: 99%

“…Several recent articles address risk analysis from a crossfertilization perspective, looking at similarities, differences, and interdependencies between the risk concept and the risk analysis methodology employed in security and safety risk management. This means that despite the differences between security and safety, some authors claim that the perspectives developed in each field can be applicable to the other (Amundrud et al 2017;Kriaa et al 2015;Piè-Cambacédès and Bouissou 2013).…”

Section: Similarities Between Security and Safetymentioning

confidence: 99%

The Conceptual and Scientific Demarcation of Security in Contrast to Safety

Jore

2017

Eur J Secur Res

View full text Add to dashboard Cite

Increased focus on protection from terrorism, espionage, cybersecurity and other malicious crimes has led to increased academic interest in the topic of security, especially in risk and safety studies. This article aims to investigate the conceptual and scientific demarcation of security in contrast to safety, and discuss the status of security as an independent science. Security is a multifaceted concept and academic definitions often distinguish security from safety in terms of intentionality. However, intentionality also plays a part in safety research thus this is not a sufficient parameter for distinguishing the two fields. The dichotomy of nonmalicious versus malicious is suggested as a means for differentiation. A new definition of security that incorporates elements associated with the current security research field is proposed. Security can be defined as the perceived or actual ability to prepare for, adapt to, withstand, and recover from dangers and crises caused by people's deliberate, intentional, and malicious acts such as terrorism, sabotage, organized crime, or hacking. The conclusion is that before security can be established as an independent discipline, it is necessary to determine what concepts and theories are related to the field, what levels of and objects in society should be included, in addition to the interrelationships and interdependencies with other disciplines.

show abstract

“…Risk assessment of CPS must address both safety and security issues (Amundrud, Aven, & Flage, ; Aven, ; Aven & Krohn, ; Kriaa, Pietre‐Cambacedes, Bouissou, & Halgand, ; Piètre‐Cambacédès & Bouissou, ; Wang, Di Maio, & Zio, ; Zalewski et al., ; Zio, , ). Safety concerns stochastic component failures that can result in accidental scenarios leading the system toward unacceptable consequences.…”

Section: Introductionmentioning

confidence: 99%

Adversarial Risk Analysis to Allocate Optimal Defense Resources for Protecting Cyber–Physical Systems from Cyber Attacks

2019

View full text Add to dashboard Cite

Defenders have to enforce defense strategies by taking decisions on allocation of resources to protect the integrity and survivability of cyber-physical systems (CPSs) from intentional and malicious cyber attacks. In this work, we propose an adversarial risk analysis approach to provide a novel one-sided prescriptive support strategy for the defender to optimize the defensive resource allocation, based on a subjective expected utility model, in which the decisions of the adversaries are uncertain. This increases confidence in cyber security through robustness of CPS protection actions against uncertain malicious threats compared with prescriptions provided by a classical defend-attack game-theoretical approach. We present the approach and the results of its application to a nuclear CPS, specifically the digital instrumentation and control system of the advanced lead-cooled fast reactor European demonstrator.

show abstract

How the definition of security risk can be made compatible with safety definitions

Cited by 25 publications

References 38 publications

Risk assessment without the risk? A controversy about security and risk in Norway

Risk assessment without the risk? A controversy about security and risk in Norway

The Conceptual and Scientific Demarcation of Security in Contrast to Safety

Adversarial Risk Analysis to Allocate Optimal Defense Resources for Protecting Cyber–Physical Systems from Cyber Attacks

Contact Info

Product

Resources

About