Sunday, November 17, 2019

Known knowns and unknown unknowns

"There are known knowns" is a phrase from a response United States Secretary of Defense Donald Rumsfeld gave to a question at a U.S. Department of Defense (DoD) news briefing on February 12, 2002, about the lack of evidence linking the government of Iraq with the supply of weapons of mass destruction to terrorist groups.[1]

This quote tells us something about risk management. Basically, there are threats we know about, threats we don’t know about, and threats that we don’t know we don’t know about.

From a risk management standpoint, that’s pretty disconcerting. 

In order to understand the unknowns, you have to look at things from the “bad guy’s” perspective. In other words, see what the "bad guy" sees. To do that, you must understand that there are four aggressor types of criminal/man-made threat groups: criminals (sophisticated/unsophisticated, organized/unorganized), protestors (organized/unorganized), terrorists (domestic/transnational/state-sponsored), and subversives (saboteurs/intelligence agents [state/non-state sponsored]). To design better mitigation strategies, planners must understand the “bad guys’” motives, or the reason(s) behind why they do what they do. There are also four primary aggressor objectives: inflict injury or death to people; destroy or damage facilities, property, equipment or resources; steal equipment, material or information; and create adverse publicity.

So how can I plan to reduce their effects, let alone mitigate them? The answer is really easier than you think. Traditionally in risk management, we look at things from a probability standpoint. We ask the question, “Will it happen here, and if so, what will the impact be?” I believe likelihood has little influence on risk. I believe likelihood comes into play when talking about funding. Our risk management methodologies assume the threat will be successful 100 percent of the time. We calculate likelihood when it comes to cost benefit.

Our Asset Based Risk Analysis (ABRA) and Critical Asset and Infrastructure Risk Analysis (CAIRA) methodologies combine the aggressor’s motives and objectives with what the asset owner sees, thereby giving a complete picture of risk.

More about ABRA (Platinum GOVIES Award 2017 for Best Government Security Risk Methodology)

More about CAIRA (Platinum 2018 ASTOR Award for Best Risk Analysis Methodology in Homeland Security)

More about risk management and developing mitigation strategies can be found in my new book, The Solutions Matrix: A Practical Guide to Soft Security Engineering for Architects, Engineers, Facility Managers, Planners and Security Professionals. Order here.

[1] Full quote: Reports that say that something hasn't happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns—the ones we don't know we don't know. And if one looks throughout the history of our country and other free countries, it is the latter category that tends to be the difficult ones.
