Lectures and literature Security and Organisaton
Lecture 1a
Shell Moerdijk indicent
Explosions at the Moerdijk installation. The first mistake was made manually
heating up the vessels because the temperature was not increasing fast enough. This
caused the temperature to rise above normal levels. But this was not the main
problem. Another problem was that important information on the design was lost
and not available at that moment. Because of this shell was unable control the
failure. The pressure in the reactors raises so much because of the increased
temperature. This caused the reactors to explode. The conclusion is that Shell has
not learned enough from past mistakes. An important question within this problem
is: how can organizations manage safety and security in terms of risk? And therefore
prevent harm.
Uses of Risk:
1. Our organization faces many risks risk as an event
2. The risk of a flood is 1:10.000 risks involved in an event
3. The risk in this facility is very high
4. Locks would reduce the risk of burglary ensure more safety
We accept a certain amount of risk. To get to self-fulfillment, which is the top of the
Maslow pyramid unwanted side effects can occur. We try to prevent or minimize the
unwanted effects. But mostly they are not very harmful and do not always involve
death.
The annual loss expectancy is the expected monetary loss that can be expected for
an asset due to a risk over a one year period expected frequency x expected
impact.
Risk characterizes uncertain future events in terms of likelihood and impact. 1 – e^-
x/x. This is exponential distribution. Often to calculate risk, models are used instead
of numbers.
The Trespass Project say which attack opportunities are possible, which are most
urgent and which countermeasures are most effective. The project combines
knowledge from technical sciences, social sciences and state-of-the-art industry
processes and tools.
But it is important to see if the technology or the people must be fixed and if a
countermeasure always helps to improve the situation.
Lecture 1b
Safety is used when the threat is an unwanted side effect of something else we want.
Safety thus is associated with incidents and accidents. Security deals with malicious
acts, such as sabotage and terrorism. Safety is the condition of being safe, freedom
1
, from danger, risk, or injury. Danger is also called hazard or threat. Dangers make us
feel unsafe. Though models, risk science tries to understand the risk and help predict
future behavior and risks. These models are linear, the consequence has one single
cause. Definitions:
Hazard: A potential source of harm or damage to people, property, or the
environment. Hazard has to be ‘controlled’ to be safe.
Safety: Freedom from unacceptable risk.
Risk: An estimate of the probability of a hazards-related incident or exposure
(= scenario) occurring and the severity of harm or damage that could result.
Approaches:
o Deterministic: only one outcome – MCA (maximum credible accident)
o Probabilistic: change variation. All 'conceivable' accidents in relation
to their probability of occurrence.
Lecture 2
Risk management is to protect 5 assets: life, properties, reputation, business
continuity and procedures. Risk management is important because it makes it easier
to set priorities and better management. In this lecture, the focus is on
organizational level of the policy from safety and security. Examples of policy
objectives could be: zero incidents; minimize organizational vulnerability; ensuring
safety, security and well being of personnel. There are hundreds of risk management
systems.
Security risk management 1. Prevent 2. Control 3. Stabilize
Safety risk management 1. Prevention 2. Recovery 3. Protection 4. Mitigation
Risk assessment is to identify and classify the risks:
1. Understand risk prioritization
a. What criteria are used?
b. Expert opinions or quantitative scoring methods
2. Understand the statistics for severity
a. Impact: deaths, permanent injury etc.
b. Likelihood
3. Prioritize risks based on severity, importance & risk appetite
Risk inventory is about classifying the key risk indicators. They are used to predict
a risk observation. This is mostly done in a quantitative way. Reported in key
performance indicators, which state what is most effective. This is done on the basis
of CBS, academic research, peer benchmarking, SWOT (strengths, weaknesses,
opportunities, threats). When looking at the nature and the source of the risk, this is
called root cause analysis.
Risk classification What can go wrong (scenario’s)? What is the likelihood of it
2
Lecture 1a
Shell Moerdijk indicent
Explosions at the Moerdijk installation. The first mistake was made manually
heating up the vessels because the temperature was not increasing fast enough. This
caused the temperature to rise above normal levels. But this was not the main
problem. Another problem was that important information on the design was lost
and not available at that moment. Because of this shell was unable control the
failure. The pressure in the reactors raises so much because of the increased
temperature. This caused the reactors to explode. The conclusion is that Shell has
not learned enough from past mistakes. An important question within this problem
is: how can organizations manage safety and security in terms of risk? And therefore
prevent harm.
Uses of Risk:
1. Our organization faces many risks risk as an event
2. The risk of a flood is 1:10.000 risks involved in an event
3. The risk in this facility is very high
4. Locks would reduce the risk of burglary ensure more safety
We accept a certain amount of risk. To get to self-fulfillment, which is the top of the
Maslow pyramid unwanted side effects can occur. We try to prevent or minimize the
unwanted effects. But mostly they are not very harmful and do not always involve
death.
The annual loss expectancy is the expected monetary loss that can be expected for
an asset due to a risk over a one year period expected frequency x expected
impact.
Risk characterizes uncertain future events in terms of likelihood and impact. 1 – e^-
x/x. This is exponential distribution. Often to calculate risk, models are used instead
of numbers.
The Trespass Project say which attack opportunities are possible, which are most
urgent and which countermeasures are most effective. The project combines
knowledge from technical sciences, social sciences and state-of-the-art industry
processes and tools.
But it is important to see if the technology or the people must be fixed and if a
countermeasure always helps to improve the situation.
Lecture 1b
Safety is used when the threat is an unwanted side effect of something else we want.
Safety thus is associated with incidents and accidents. Security deals with malicious
acts, such as sabotage and terrorism. Safety is the condition of being safe, freedom
1
, from danger, risk, or injury. Danger is also called hazard or threat. Dangers make us
feel unsafe. Though models, risk science tries to understand the risk and help predict
future behavior and risks. These models are linear, the consequence has one single
cause. Definitions:
Hazard: A potential source of harm or damage to people, property, or the
environment. Hazard has to be ‘controlled’ to be safe.
Safety: Freedom from unacceptable risk.
Risk: An estimate of the probability of a hazards-related incident or exposure
(= scenario) occurring and the severity of harm or damage that could result.
Approaches:
o Deterministic: only one outcome – MCA (maximum credible accident)
o Probabilistic: change variation. All 'conceivable' accidents in relation
to their probability of occurrence.
Lecture 2
Risk management is to protect 5 assets: life, properties, reputation, business
continuity and procedures. Risk management is important because it makes it easier
to set priorities and better management. In this lecture, the focus is on
organizational level of the policy from safety and security. Examples of policy
objectives could be: zero incidents; minimize organizational vulnerability; ensuring
safety, security and well being of personnel. There are hundreds of risk management
systems.
Security risk management 1. Prevent 2. Control 3. Stabilize
Safety risk management 1. Prevention 2. Recovery 3. Protection 4. Mitigation
Risk assessment is to identify and classify the risks:
1. Understand risk prioritization
a. What criteria are used?
b. Expert opinions or quantitative scoring methods
2. Understand the statistics for severity
a. Impact: deaths, permanent injury etc.
b. Likelihood
3. Prioritize risks based on severity, importance & risk appetite
Risk inventory is about classifying the key risk indicators. They are used to predict
a risk observation. This is mostly done in a quantitative way. Reported in key
performance indicators, which state what is most effective. This is done on the basis
of CBS, academic research, peer benchmarking, SWOT (strengths, weaknesses,
opportunities, threats). When looking at the nature and the source of the risk, this is
called root cause analysis.
Risk classification What can go wrong (scenario’s)? What is the likelihood of it
2
