On the Application of the Safety-II Concept in a Security Context

Abstract

This paper presents an alternative and broader security risk perspective, incorporating uncertainty, as a two-dimensional combination of (1) threat (Th) on value (Vl), (2) vulnerability (Vu) given coping capabilities (Cc), and associated uncertainties U (will the threat scenario occur? and to what degree are we vulnerable?). Moreover, this work attempts to provide an integrated approach to the safety and security fields. We look closely into the issues related to Safety-I, Safety-II and security. Whereas conventional safety management approaches (Safety-I) are based on hindsight knowledge and risk assessments calculating historical data-based probabilities, the concept of Safety-II looks for ways to enhance the ability of organisations to be resilient in the sense that they recognise, adapt to and absorb disturbances. Three determinants that shape the Safety-II concept in the security perspective are the capacity of organisations to operate in changing circumstances; formulating strategies that promote a willingness to devote resources to security purposes, driven mainly by the organisation’s leader; and an organisational culture that encourage people to speak up (respond), think creatively (anticipate), and act as mindful participants (monitor and learn). Based on clarifying some of the fundamental building blocks of security risk assessment, this work develops an extended security risk assessment, including an analysis of both vulnerability and resilience. The analysis explores how the system works following any type of threat scenario and determines whether key functions and operations can be sustained.