Risk, Threat and Vulnerability

"[W]e cannot protect every single person against every single threat at every moment and in every place…Given finite resources and personnel, we have to focus ourselves on those priorities which most demand our attention…the department must focus on risk in the context of consequences, vulnerability and threat”. (DHS Secretary, Michael Chertoff)

Understanding the relationship between the terms risk, threat and vulnerability is the key to how we distinguish and then prioritize our security decisions. Throughout history, security professionals, mathematicians and political scientists have tried to come up with a formula, an algorithm or a model to measure these three terms and the relationship between them.

The magic model that they (politicians and executives, mainly) sought was aimed at finding a decision making process for security priorities that would shelter them from being liable or accountable for the consequences of their decision. After all, if you can plug information into a model that generates an automatic “do” or “do not” decision, you can always blame the model if something goes wrong.

Today more than ever, millions if not billions of dollars are wasted on research conducted by corporations and government agencies towards finding such a decision making scheme that will bear no political or personal accountability. Well … good luck, because the magic model is nowhere to be found. Any tribal leader, military commander or cartoon superhero will tell you, to quote Spiderman: “with great power comes great responsibility.”

In fact, the relationship between Risk, Threat and Vulnerability is immeasurable. Why?

 

  • The manifestation of threats is unlimited and yet very specific to each protected environment.
  • Risk is truly measurable only for events that occurred in the past. Future events (threats that have not yet been tested in reality) cannot be quantified statistically.
  • Vulnerability is hard to measure because there is no real success matrix for security. One can not measure (quantify) good security as oppose to bad security.

Decision making regarding risk, threat and vulnerability is, simply put, a hard task and there is no way around it. You cannot pass off the decision downwards or upwards in the chain of command. Risk is something you take, threat is something you face, and vulnerability is something you accept. What you do in between is try to mitigate, prevent and reduce.

Secretary Chertoff is right. We must prioritize risks, evaluate the threats, and then realize our vulnerabilities. But mostly, we must have the capacity and courage and take the responsibility to actively make decisions. In light of the undisputable, wretched response to Hurricane Katrina we all wonder: “Where was the leadership? Where were the decision makers?” The saddest element of the Katrina debacle was not that bad decisions were made, but that the decisions were not made at all. When it comes to leadership in security and emergency response, the most important skill needed is a sense of capacity and empowerment to make the necessary decisions.

Amotz Brandes
Managing Partner
Chameleon Associates LLC

 

<< Return to Newsletters | Print this page
 
© 2008 Chameleon Associates
SWG -Web Services