Presentation at the ASIS International European Security Conference 2006 in Nice, France. Framework explains what security is and why it is needed. The original presentation includes animation that is not functional in this SlideShare version. Unfortunately, some slides are therefore blurred. Please, get the original presentation from www.yhteisturvallisuus.net -> materiaali -> Security in the Community Context SCC.pps.
Framework for Security: Security in the Community Context
1. EUROPEAN SECURITY CONFERENCE
24 April 2006
Nice, France
Security in the
Community Context
Jere Peltonen
Diplomatic Security Adviser
Ministry for Foreign Affairs of Finland
1
3. What is Security?
Merriam-Webster Online Dictionary
1 : the quality or state of being secure : as a :
freedom from danger : SAFETY b : freedom from fear
or anxiety c : freedom from the prospect of being
laid off <job security>
2 a : something given, deposited, or pledged to
make certain the fulfillment of an obligation b :
SURETY
3 : an evidence of debt or of ownership (as a
stock certificate or bond)
4 a : something that secures : PROTECTION b (1) :
measures taken to guard against espionage or
sabotage, crime, attack, or escape (2) : an
organization or department whose task is security
3
4. What is Security?
Merriam-Webster Online Dictionary
1 : the quality or state of being secure : as a :
freedom from danger : SAFETY b : freedom from fear
or anxiety c : freedom from the prospect of being
laid off <job security>
4
5. What is Security?
Merriam-Webster Online Dictionary
1 : the quality or state of being secure : as a :
freedom from danger : SAFETY b : freedom from fear
or anxiety c : freedom from the prospect of being
laid off <job security>
freedom from DANGER
5
6. What is Security?
Merriam-Webster Online Dictionary
1 : the quality or state of being secure : as a :
freedom from danger : SAFETY b : freedom from fear
or anxiety c : freedom from the prospect of being
laid off <job security>
freedom from DANGER
freedom from FEAR or ANXIETY
6
8. What is Security?
freedom from DANGER
freedom from FEAR or ANXIETY
in operational context become:
freedom from impact of actual threats
freedom from feeling unsure because of
perceived threats
8
9. What is Security?
These should not be seen as purely
alternative explanations of security.
freedom from impact of actual threats
freedom from feeling unsure because of
perceived threats
9
10. What is Security?
These should not be seen as purely
alternative explanations of security.
Security should be understood as being
combination of both.
freedom from impact of actual threats
freedom from feeling unsure because of
perceived threats
10
11. What is Security?
freedom from impact of actual threats
freedom from feeling unsure because
of perceived threats
In theory and in practice, concept of security should
not be limited to “security”, i.e. traditional security
manager's area of expertise
Security should be understood as covering all threats
to operation, e.g. traditional business risks fall in the
definition of security also 11
12. What is Security?
In theory and in practice, concept of security should
not be limited to “security”, i.e. traditional security
manager's area of expertise
Security should be understood as covering all threats
to operation, e.g. traditional business risks fall in the
definition of security also
This helps to see (and manage) everything
that can affect the operation‟s success in one
coordinated way
This clearly makes security the issue of the
Chief Executive Officer (or equivalent) 12
13. What is Security?
This helps to see (and manage) everything
that can affect the operation‟s success in one
coordinated way
This clearly makes security the issue of the
Chief Executive Officer (or equivalent)
In practice, CEO needs to use experts in different
„areas‟ of threat countermeasures and risk
management (e.g. traditional “security”, business
risks, information security, legal aspects)
13
14. What is Security?
freedom from impact of actual threats
freedom from feeling unsure because of
perceived threats
14
15. What is Security?
freedom from impact of actual threats
freedom from feeling unsure because of
perceived threats
Sureness about realization of expected
future, based on sufficiently realistic
interpretation of relevant factors.
15
16. What is Security?
freedom from impact of actual threats
freedom from feeling unsure because of
perceived threats
Sureness about realization of expected
future, based on sufficiently realistic
interpretation of relevant factors.
16
17. What is Security?
freedom from impact of actual threats
freedom from feeling unsure because of
perceived threats
Sureness about realization of expected
future, based on sufficiently realistic
interpretation of relevant factors.
17
18. What is Security?
freedom from impact of actual threats
freedom from feeling unsure because of
perceived threats
Sureness about realization of expected
future, based on sufficiently realistic
interpretation of relevant factors.
18
19. What is Security?
freedom from impact of actual threats
freedom from feeling unsure because of
perceived threats
Sureness about realization of expected
future, based on sufficiently realistic
interpretation of relevant factors.
19
20. What is Security?
Sureness about realization of expected
future, based on sufficiently realistic
interpretation of relevant factors.
ACTUAL SURENESS
SECURITY = RISKLESSNESS
+
20
21. What is Security?
Sureness about realization of expected
future, based on sufficiently realistic
interpretation of relevant factors.
ACTUAL SURENESS
SECURITY = RISKLESSNESS
+
21
22. What is Security?
Sureness about realization of expected
future, based on sufficiently realistic
interpretation of relevant factors.
ACTUAL SURENESS
SECURITY = RISKLESSNESS
+
22
23. Security in the Community Context
- Why?
• The starting point for the successful management of
security (or anything else) is the comprehension of basic
factors, i.e. relevant fundamentals.
• This is essential for the successful management of broader
complexes that adapts to different environments and
changing circumstances.
• “Security in the Community Context” is a model of
relevant factors and their relationships.
• It is a model of the concept of security (on a general level).
23
24. Security in the Community Context
- Why?
• “Security in the Community Context” is a model of
relevant factors and their relationships.
• The model can be applied to any traditional area of
expertise that is somehow related to threats to or
risks of operation.
• As a general level model, ”Security in the
Community Context” binds these areas together. 24
25. What is Community?
• Group of individual people who interact
• Community is held together by common
goal(s) supposedly serving satisfaction of
individual needs, i.e.
• Community is held together by individual
perceptions of usefulness of the common
goal(s)
25
26. In order words, community is of
Individual persons have own heldtheir
other to achieve their needs
together by individual perceptions of
goals, individual persons join forces.
own. They want/expect the needs to
be satisfied. the common goal(s).
usefulness of Common goal(s)
”Let’s do something together
Community is held together by
that helps us achieve our
common goal(s) supposedly serving
Very often persons cannot achieve personal goals!”
satisfaction of goals by needs.
their individualindividual themselves
alone.
Individual need: Individual need: Individual need: 26
wants to be rich wants to have good life wants to be the best
27. It order to achieve common goal(s), specific ‟tools‟ are
Inis important that individual members of community
understand sufficient levels operational elements in
needed, i.e. the relevance of of operational elements are
achieving common goal(s), and in
needed for successful operation. turn personal goals.
Operational Elements are:
•Assets
•Processes
•Operational Structures
•Operational Environment
27
28. Assets
• All tangible and intangible assets
form an element, which is required
by the operation in order to reach the
goal(s).
• Examples of assets:
Input needed to maintain • money, tools, people, information, co
sufficient level of assets mmunication
channels, reputation, etc.
Extra input needed to establish
sufficient level of assets • In a way, assets are like pieces of
puzzle, i.e. basic ingredients needed
to create the whole of the operation.
28
29. Processes
• Series of actions, an
element, which is required by the
operation in order to reach the
goal(s).
• Examples of processes:
Input needed to maintain • logistical processes, information
sufficient level of processes management, raw material
processing, assembly line
Extra input needed to establish manufacturing, staff recruiting, etc.
sufficient level of processes
• Processes are means to bind
assets - the pieces of puzzle -
together as a whole that contributes
29
to the operation.
30. Operational structures
• Structures of community relating to the
utilization of assets and processes.
• Successful operation requires existing
structures to be functional.
• Intentionally and unintentionally formed
official and unofficial relationships and
arrangements between individual
Input needed to maintain persons, groups, and operational units.
sufficient level of structures
• Examples of operational structures:
Extra input needed to establish • official organizational hierarchy, informal
sufficient level of structures social
hierarchy, interdependencies, responsibili
ty and duty arrangements, etc.
• Operational structures are the base30
on
which the puzzle can be assembled.
31. Operational environment
• Element, which cannot directly be influenced
by the input of participants but is required for
the operation to be successful.
• From the standpoint of operation, operational
environment is an external element.
• Operational environment is an element, which
can possibly be chosen, and it may be
possible to prepare for the changes and their
impacts. Some measures can possibly protect
the operational environment against threats.
• Examples of operational environment:
• political and economic stability, specific
weather conditions, adequate traffic
connections, functional communications
infrastructure, etc.
• It is not possible to assemble a puzzle in31
a
dark room.
32. Input
• Sufficient levels of assets, processes and
operational structures are established
and maintained by input from participants
(=members of community).
• Without sufficient input operational
elements cannot be acquired/created or
properly utilized.
• Input is also required to acquire/create
Input needed to maintain and properly utilize measures against
sufficient level of elements threats.
Extra input needed to establish • In order to contribute input, participants
sufficient level of elements need to feel sure about the outcome of
the operation (=common goal(s)).
• Examples of input:
• money, work 32
contribution, knowledge, etc.
33. Participants
All those who
1. have expectations regarding
outcome of the operation,
2. have given or are giving input for the
operation,
3. who are able in some way to alter
the level of their input if wanted.
• Examples of participants:
• investors, employees, executives, cu
stomers, citizens, companies, etc.
• The practical scope of community can vary a
33
lot, depending on the goal(s), so can the
types of participants.
35. Output
Successful utilization of operational elements creates
output, which satisfies the expectations of
participants regarding the output of operation, and in
turn satisfies their personal needs. This also creates
confidence in the usefulness of the operational
elements. 35
37. Threats
Something that may have
negative influence on
operation by causing damage
to the operational elements, or
by some other way hindering
or preventing the successful
utilization of the operational
elements.
Participants make their own
interpretations of threats.
Interpretations are not
necessarily correct.
37
38. Threats
Something that may have
negative influence on
operation by causing damage
to the operational elements, or
by some other way hindering
or preventing the successful
utilization of the operational
elements.
Participants make their own
interpretations of threats.
Interpretations are not
necessarily correct.
38
39. Threats
Something that may have
negative influence on
operation by causing damage
to the operational elements, or
by some other way hindering
or preventing the successful
utilization of the operational
elements.
Participants make their own
interpretations of threats.
Interpretations are not
necessarily correct.
39
40. Sureness
X X X
X X X
Participants need to feel sure
about the realization of
expected output in order to
give input for the operation.
Sureness is positive feeling
about the realization of
wanted future.
It is not connected to the
actual realization of
expectations as such but is
based on subjective
impressions regarding
realization. 40
42. Sureness
At the end of the day:
It was NOT the actual
threat that killed
operation,
It was the lack of
sufficient sureness!
42
43. Measures
Measures are actions and means
aimed at
1) protecting operational elements
against threats, or
2) establishing and maintaining level
of preparedness to carry on operation
in case of realized threat
consequences.
Measures are also needed to fix
vulnerabilities.
Effective measures reduce risks.
Participants make their own
interpretations of measures.
43
Interpretations are not necessarily
44. Measures
Measures are actions and means
aimed at
1) protecting operational elements
against threats, or
2) establishing and maintaining level
of preparedness to carry on operation
in case of realized threat
consequences.
Measures are also needed to fix
vulnerabilities.
Effective measures reduce risks.
Participants make their own
interpretations of measures.
44
Interpretations are not necessarily
45. Vulnerabilities
Weaknesses or breaches, which
hinder the protection of the
operational elements with
measures, or harm the preparedness
to carry on operation in case of
realized threat consequences.
Vulnerabilities are well described by
saying "chain is as strong as its
weakest link".
Vulnerabilities can be fixed by
measures.
Participants make their own
interpretations of vulnerabilities.
Interpretations are not necessarily
correct.
45
46. Vulnerabilities
Weaknesses or breaches, which
hinder the protection of the
operational elements with
measures, or harm the preparedness
to carry on operation in case of
realized threat consequences.
Vulnerabilities are well described by
saying "chain is as strong as its
weakest link".
Vulnerabilities can be fixed by
measures.
Participants make their own
interpretations of vulnerabilities.
Interpretations are not necessarily
correct.
46
47. Risk %
Risk is used as means to
measure the operational
relevance of threat.
In a way, risk is used as threat
indicator, with information about
the possibility and influence of the
negative impact.
Risk can be defined as potential
% harmful outcome, whose
harmfulness and level of
possibility are 'known'.
Risk is needed as a tool in order
to be able to deal with the
uncertainty of the future in
appropriate way in the operational
47
context.
48. Measures
Measures are actions and means
aimed at
1) protecting operational elements
against threats, or
2) establishing and maintaining level
of preparedness to carry on operation
in case of realized threat
consequences.
%
Effective measures reduce risks.
Preparedness, created from
input by specific measure(s)
”Stored input”
48
49. Measures
Measures are actions and means
aimed at
1) protecting operational elements
against threats, or
2) establishing and maintaining level
of preparedness to carry on operation
in case of realized threat
consequences.
%
Effective measures reduce risks.
Preparedness, created from
input by specific measures
”Stored input”
49
50. Security in the
Community Context
Both
1) the realization of risks
(=impact of threats), and
2) the input decisions based
on incorrect interpretations
regarding all relevant factors
%
ALONE
can prevent or hinder the
community from fulfilling its
purpose, in other words, the
operation succeeding.
50
51. Security in the
Community Context
Therefore, it is equally
important to manage
1) the actual risks, and
2) the subjective
interpretations made of them
by the individual participants
% of the community.
51
52. Risk Management
Actions and means aimed at
actually minimizing the impact
of threats to operation.
%
52
53. Sureness Management
Actions and means aimed at
establishing and maintaining
sureness of participants based
on as realistic interpretation of
relevant factors as possible.
53
54. Security Management
Security management is:
1) risk management, and
2) sureness management.
%
54
55. DEFINITIONS
Security
Sureness about realization of
expected future, based on
sufficiently realistic interpretation
of relevant factors.
Security in the Community
Context
% Sureness of participants about
realization of expected
future, based on sufficiently
realistic interpretation of relevant
factors and weighted by the
significance and alteration
sensitivity of individual inputs.
55
56. Additional information can be
found online at
yhteisturvallisuus.net
or
ysecurity.net
(→ English)
%
jere.peltonen@formin.fi
QUESTIONS?
56