Humans are central in IBISS, whereas technology plays a supporting role in building and maintaining Security awareness and a Safety culture among staff.
From that perspective, the IBISS vision can be made concrete with a toolset that fully utilises human observation capabilities and intellect to continuously learn and improve the security organisation and safety processes in your organisation and its digital and physical surroundings.
In the figure, operational processes are red, tactical processes are blue and strategic processes are green. The tools form a whole and collectively cover the Security and Safety spectrum on the operational, tactical and strategic level. An overview:
- On the top and bottom row there are external and internal threats and dangers.
- From right to left are the IBISS levels 1 through 9 that cover the range from specific events or situations to world scale.
- The IBISS tools are on the middle rows.
Levels 9, 8 and 1 are integral to Security & Safety, and for levels 7 to 2 there are separate tools for Security and for Safety. Together, they form an optimal architecture for an IBA and HRO organization. Let’s review the rows one by one:
- The top row contains the steps malicious people take in the preparation and execution of attacks on the organization through the three gates: physical, human and cyber. An attack starts with Select Target (Level 8) and ends with Flight (Level 1). Organising for that is increasingly complex. Therefore, it is wise to integrate information from the three gates from level 8 onwards.
- The second row contains the IBISS Security Tools to increase business-wide or even sector-wide proactive alertness. At Level 9 we will find the Integrated Learning tool. This runs through Integrated Uncertainty and Risk Assessment (Level 8) to After Action Review for Personal and Group Leaders at Level 1. See below for a detailed description of the IBISS Security Tools.
- The third row contains the IBISS Safety Tools for managing unexpected events. Level 9 is Integrated Learning and runs through an assessment on the five principles using Hexagon Sensemaking Canvas (Level 8) to After Action Review for Personal and Group Leaders at Level 1. See below for a detailed description of the IBISS Safety Tools.
- The bottom row contains the properties of an organization not prepared for the unexpected.
These IBISS tools are currently available:
After action review
Learning from observations and events forms the basis of IBISS. Of course, a quick recovery of the situation will occur, preferably during the flight phase or as soon as possible after a crisis of experiences and observations.
The IBISS ObservationPoint is the ideal tool for sharing all the subjects, 24/7/365, from the pocket or handbag. This will provide Security and Safety staff with a detailed and current picture of the situation, and in the after action reviews, a clearer picture will be created for swift learning after a crisis.
Observation & rapid response
In a crisis or attack, it is of course a matter of direct action, crisis management or rapid response. At all other moments and soon after Security and Safety events, IBISS trains and supports observation using the IBISS ObservationPoint. The ObservationPoint is a WebApp that allows selected and trained groups of employees and stakeholders to make observations. They can provide the necessary supplementary and interpretive information. Target groups for the IBISS ObservationPoint are:
Red teaming is a quality tool in which realistic security audits are performed by actually carrying out scenarios. This increases the alertness of the organization and builds familiarity with the procedures and with the use of supporting (communication) resources. In addition, it becomes clear whether measures, processes and procedures are effective and connect to each other.
Ideally, observations are made on the Physical, the Cyber and Human Gates and across all levels 1 to 8 of the Security and Safety organization. All observations are gathered in the IBISS ObservationDashboard.
The Security and Safety analyst uses the IBISS ObservationDashboard to evaluate developments on a daily basis, based on the emergence and changing of patterns. The analyst may also use the list of anticipated events and safety gaps and, if necessary, make additional notes. Special attention is paid to distinguishing true observations from Red Teaming-based observations.
Based on this evaluation, the analyst informs the operational managers.
Anticipation is both a document and an activity.
- As a document, it is the formal list of Security events that are taken into account because there are indications for them in the observations. Events can also be listed from the Integrated Security & Safety Assessment or the Weak Signal Detection. If the customer also uses Safety tools, the Anticipation document also contains Safety gaps.
- As an activity, anticipation is the use and maintenance of the list of anticipated events (and possibly holes and oversights) by the Security and Safety Analyst for planning and controlling the operations.
Weak signal detection
Weak signal detection encompasses analytical and evaluative activities to catch changes and emerging trends early in patterns of narrative metadata. The goal is to detect where dangers are possibly mounting or where changes may occur. Weak signal detection, and the actions or projects that may follow from it, can be approached anywhere from modestly to thoroughly, depending on what is at stake and the availability of resources.
The weak signal detection tool always consists of three steps:
- Acceleration Report – In this study, a large number of combinations of data are searched for shifts and the emergence of new (weak) patterns. The study consists of visual inspection of combinations of dimensions, possibly supplemented with statistical analysis. The study is a required preliminary to the Insight sessions.
- Insight sessions – In these sessions, insights are developed on the Security and Safety situation and developments in it. An Insight session may vary from a day-to-day meeting (with a day-to-day preparation and a part-time part-time) to a series of multiple sessions in which groups with different perspectives build insights.
- Decision-making and Influencing sessions – In these sessions, decisions are made or experiments are set up to influence business. Also, watching watchdogs for the ObservationDashboard can be done here.
If it is logistically more convenient, Insight and Decision-making/Influencing sessions can be combined. Our advice is to perform a weak signal detection twice in the first year.
This is about specific projects or activities to fill “holes” in the uncertainty map. These holes can emerge from the Integrated uncertainty & risk assessment but can also be identified by Weak signal detection. The holes are filled by setting up activities to gather or obtain specific information by deploying people or through so-called Open Source Intelligence activities (OSINT).
Integrated uncertainty & risk assessment
Uncertainty and risk assessment is a strategic process to detect and map uncertainties and risks for an organisation, sector or region/country. It also looks at the status and vulnerabilities of the HRO organisation. The goal is to assess who might be targeting the customer's assets and how to reduce their attractiveness, and to generate improvement proposals for Integrated Learning.
This is a multi-day activity designed to investigate the state of affairs in a process (where we are looking at IGO and HRO by location, by country, by process, by focus area, by IBISS level, etc.) and to establish learning and improvement wishes.
In preparation, an investigation may be conducted into issues that have gone wrong throughout the IBISS field: from unexpected attacks to minor accidents. The necessary resources come from the customer organization, but experts from the IBISS network and external parties can also be involved.
The other IBISS tools will become available in 2018.