Applying Risk Management in International Security Studies

November 29, 2022

Thank you to Dr. Joshua Sinai, Professor of Practice in Intelligence and Security Studies, for writing the following insightful and informative piece on risk management in the counterterrorism and global security sector.


The subject of risk management is at the top of every government’s national security agenda. How does one lower the risk of catastrophic threats that might imperil one’s country? Most recently, the catastrophic threat of the COVID-19 pandemic has resulted in the deaths of an estimated 6.5 million people and caused billions of dollars in economic damages around the world. In other risk areas of concern, how can the risk of severe climate change and its associated extreme weather events be significantly decreased? This was the subject of the November 2022 Sharm el-Sheikh Climate Change Conference (COP 27) in Egypt. Another risk of concern is the proliferating cyberattacks against virtually every country’s critical infrastructure sectors. The ever-present risk of terrorist attacks, whether by international or domestic terrorist groups, is also a national security concern for many countries. Finally, Russia’s military intervention in Ukraine, which began in February 2022, has, among other impacts, disrupted the global supply chain of significant commodities, posing a new type of risk to governments and their economies.

To assess how various types of risks might impact international security, the first requirement is to define risk. Within the context of international security, risk is the likelihood of occurrence of a threatening event that can adversely affect the security of a country, an organization, a company, a population, or other entities. Risk, in general, implies uncertainty that a threat in the form of an attack of various types might be imminent. If an attack is highly certain to occur, however, then it is not a risk.

The second requirement is to explain the components of risk. Risk is a function of the interaction between threat (such as intent, capability, and local presence), vulnerability (to be attacked, including the attractiveness of the target to the threat actor), and consequence (of being attacked, such as in loss of life, physical and economic damages, etc.). Thus, for example, if the threat of being attacked is high, but the threatened target is hardened and impossible for a threat actor to attack (for instance, in the case of a virus pandemic if all citizens in a country are immunized against it), then the consequence of being attacked will be negligible. This will result in a lowered overall level of risk. On the other hand, if the threat is high and the vulnerability of a target to be attacked is also high (i.e., it lacks effective protective measures), the consequences of being attacked will also be high, resulting in a high overall risk level.

It is important to be aware that the nature and magnitude of specific risks might evolve over time, so they need to be reviewed on a regular basis. For example, a COVID-19 type pandemic might evolve into an entirely new unanticipated catastrophic virus, terrorists might shift from using conventional weapons in their attacks to weapons of mass destruction such as chemical or nuclear weapons, and cyber weapon attackers might use new and more destructive cyber technologies to attack their adversaries. Continuous monitoring of the evolving nature of risks facing a country is therefore required, as it will also provide comprehensive and dynamic risk accountability and due diligence for those tasked with assessing risks in all their evolving dimensions.

Once a category of risk is identified and assessed, such as pandemics, climate change, terrorism, or cyberattacks, it then needs to be prioritized in terms of its likelihood of occurrence. A qualitative scoring system can be applied, such as highly likely, moderately likely, or low likelihood. Such a scoring system can also be used to measure what the risk assessment policy makers might deem to be a level of risk that is considered to be “acceptable.” This is a controversial degree of risk because to some even an “acceptable” level of risk might be considered as “unacceptable.” Moreover, for instance, is having terrorists kill only a few of a country’s citizens in their attacks annually an “acceptable” level of risk that will not change overall counterterrorism policies since they are considered to be effective, whereas having several dozen citizens killed by terrorists annually would be considered “unacceptable,” thereby leading to new counterterrorism response measures?

Once the overall level of risk posed by the various threats facing a country is prioritized, the next step is to prioritize the allocation of protective resources to mitigate the likely considered threats. When this is done in a systematic manner, prioritizing mitigation measures and their likely impacts in lowering an identified threat will result in a cost-benefit allocation of resources that are judged to produce a beneficial return-on-investment (ROI). The end result, in the best-case scenario, will substantially upgrade the overall resilience of the threatened country, corporation, organization, and societies that engage in effective risk management and risk mitigation.

The field of risk management and risk mitigation is so significant that it has been codified in governments’ and industry trade associations’ standards and guidelines. The U.S. Government’s National Institute of Standards and Technology (NIST), for example, has published the “Integrating Cybersecurity and Enterprise Risk Management (ERM)” framework. ASIS International, a leading professional association of public safety practitioners, has published the standards “Risk Assessment – ANSI/ASIS/RIMS RA.1-2015,” and its updated “Guideline: Enterprise Security Risk Management – ASIS ESRM-2019.” One of the leading textbooks on risk management is by Thomas L. Norman, Risk Analysis and Security Countermeasure Selection [Second Edition] (Boca Raton, FL: CRC Press, 2016).

The subject of risk management and how to examine it in all its components is part of Capitol Technology University’s core curriculum at the Bachelor’s, Master’s, and Doctoral levels. Two programs, in particular, (1) Counterterrorism studies, and (2) Intelligence and Global Security studies, feature courses on risk management. Academic and practitioner conceptual frameworks and methodologies that are applied to case studies in their respective threat areas in national and international security are used in their instruction curriculum.

For further information about these programs, please contact: Dr. Joshua Sinai, Professor of Practice, Intelligence and Global Security studies, Capitol Technology University (email: jbsinai@captechu.edu).