![Sample our Economics, Finance,Business & Industry journals, sign in here to start your access, latest two full volumes FREE to you for 14 days]({"type":"image" , "src" : "/sda/5931/TOC-Subject-Sample-2021-Economics-Finance-Business-Industry.jpg"})
Abstract
Security and ‘securing’ is high on the public agenda. Questions are raised on where, to what degree and against what the government and others should introduce preventive security measures. This article investigates a controversy in Norway about the role of probability in risk assessment within security. The article asks how the question of the probability of incidents is problematized and addressed by actors involved. It discusses how the controversy can be interpreted and what it might tell us about security and risk. The article builds on an exploratory study of the reasoning of security professionals in relation to a standard on security risk assessment. It shows how the downplaying of probability is defended, but also how it creates dilemmas and is criticized. The argument against estimating probability is that it is often difficult or impossible. Probability is, however, also a moderating factor. Probability turns unlikely futures into lower risks than likely futures. Those arguing against the security risk standard point to the consequence of downplaying probability in risk estimates. A key finding is how risk assessment in areas of low tolerance for incidents introduces a discrepancy that is difficult to handle. On the one hand, security analysts are supposed to deal with threats as risks, implying scaling, comparison and level of acceptance. On the other hand, they are supposed to create security, implying the opposite of scaling and risk acceptance. Risk assessment becomes difficult if there is little appetite for taking risk. Michael Power’s three ideal models of risk management logics are introduced in the discussion as heuristic tools of a sensitizing kind. The article concludes that risk research could benefit from engaging with security theory, to investigate how risk management might be shaped by security practises.
Correction Statement
This article has been republished with minor changes. These changes do not impact the academic content of the article.
Disclosure statement
No potential conflict of interest was reported by the author.
Notes
1 Standard Norway is the Norwegian member of the European Committee for Standardization (CEN) and International Organization for Standardization (ISO).
2 The controversy became visible not least in Busmundrud et al. (Citation2015), in blogposts and a few newspaper articles, but took mostly place in informal discussions among security- and risk professionals.
3 ‘Value’ is often translated as ‘asset’, but it has a more wide-ranging connotation of being what is valuable/critical to an organization. All translations are done by the author.
4 There is only one concept in Norwegian for both probability and likelihood (‘sannsynlighet’), referring to both numerical and qualitative judgements. The term ‘probability’ is used for both.
5 Aradau refers to the difference between risk and danger; the distinction is not elaborated on in the present article (Luhmann Citation1993).
6 Securitization is linked to a claim of something extraordinary, and how the extraordinary, if accepted by the audience, legitimizes measures not otherwise acquiesced (Buzan, de Wilde, and Waever Citation1998).
7 Names of the 2014 interviewees are included in Busmundrud et al.
8 Risk and Vulnerability Analysis, The Emergency Planning College (NUSB) 24-26 September 2018, Risk Assessment, Norwegian National Security Agency (NSM) 18 September 2019, Basic Preventive Security, NSM 7-10 October 2019, Security-Risk Analysis, The Norwegian Business and Industry Security Council, 2-3 October 2019.
9 Anne-Kari Valdal, ProActima Bransjemøte sikring – Statens jernbanetilsyn 12. juni 2019, last accessed 14/10/2020.
10 There is a variety of perspectives, and for some probability should be estimated, but not expressed in the final risk assessment.
11 In practice, it depends on the assumptions and judgements conducted in the risk assessment. Some argue that a more precise value (asset) assessment reduces the scope and hence the risk.
12 The government had decided years earlier to implement certain physical security measures, but the decision had not been implemented. The case is none the less used as an example of the consequence of using probabilities in security risk judgements.