WALUBENGO: On terrorism, a knee-jerk reaction can only make matters worse

We have been hit yet again. The terrorist attack at Garissa University College is a stark reminder that the war against terror is far from over. Obviously, the temptation to urgently hit back is overwhelming, but is it the best course of action?

In the film The Godfather, the Italian Mafia boss says that revenge is a dish that is best served when cold. Whereas Christian teaching prohibits revenge, this expression is still useful and loaded with vital lessons, one of which is that knee-jerk reactions to a crisis can only trigger more crises — a vicious cycle of bloodletting on both sides, with no overall winner.

A better approach should be premised on the fact that the war against terror is long-term. We cannot win it through using a “tit-for-tat” approach. We must have a comprehensive, systematic and long-term approach that aims to win the war, rather than a few battles in between.

I must put up a disclaimer from the onset: I know nothing about traditional military or police security. However, I do know a thing or two about information security — the science of securing organizational data from the bad guys. My hypothesis is that the approaches and strategies should not be too different.

READ: Nkaissery: Attack caught us by 'surprise'

READ: FRANCESCHI: Garissa university attack is not about religion

READ: Why varsity was easy terrorist target

READ: WARAH: Garissa could have been avoided

APPROPRIATE AGENDA

In one case, the state is charged with the duty to protect lives and property against potential threats. In the other case, the ICT professional is charged with the duty to protect information resources against potential threats. We will review how it is done in the ICT world — perhaps there are some parallels or similarities worth learning.

First and foremost, organizations must have a "security governance framework". The framework has several components that define the security structure; roles and responsibilities; information assets; risk management; security policy and procedures; security training and awareness; and security monitoring and business continuity.

With regard to the security structure, and roles and responsibilities, our Constitution seems to have sorted that out by establishing the National Security Council, chaired by the President. Membership includes the Deputy President and ministers in charge of Internal Security, Defence and Foreign Affairs.

The Chief of Defence Forces, the Director of Intelligence and the Inspector-General of Police are the technical members who complete the membership list of the National Security Council.

The structure cannot be any better than this. The question is whether the National Security Council meets regularly, with an appropriate agenda and supported by timely information on the prevailing security situation across the country.

INFORMATION ASSETS

Judging from the enraged reactions from the Interior minister and the President regarding the most recent travel advisories against Kenya, and Garissa in particular, one can only wonder if the technical members of the National Security Council are telling the President what he needs to know, or what he wants to hear.

With regard to information assets, ICT security professionals would take stock and document all the ICT resources. This includes hardware, software, network and communication resources and ICT personnel, among others. The basic rationale is simple — you cannot protect what you did not know exists in your organization.

Identifying information assets feeds into the risk management component, where the information assets are profiled in terms of identifying the possible threats and their likely occurrence. Impact assessment follows by calculating the risk values for each threat. Those threats with the highest impact and highest probability of occurrence become candidates for urgent protection or countermeasures.

Impact assessment is measured and quantified in terms of loss of life, loss of business, damaged reputation and down time, among others.

Clearly, no organization has unlimited budgets to allow it to implement all the countermeasures as a way of neutralizing all the threats. And so each risk is ranked or prioritized according to the impact it would cause to the organization.

RISK ASSESSMENTS

Often the top three to five risks are such that their occurrence can cause loss of life or closure of the business entity. In such a case, the organization has no choice but to look for the budgets to implement the countermeasures. Other risks with a lower impact may be outsourced through insurance or accepted pending budgetary provisions.

Does our security system regularly carry out risk assessments, trying to identify our vulnerable targets, prioritizing and establishing possible methods that the enemy can use in attacking those targets?

More importantly, do we regularly review and update the list of targets in light of emerging global terror tactics such as those demonstrated by Boko Haram militants, who are infamous for attacking schools and abducting students?

Do the technical members of the National Security Council seek such information and do they provide the data to our political leadership or are they overly concerned with political (opposition) related data? As civilians, we will of course never know, but we hope the agenda does spare some time for discussing real security stuff.

Next week, we will complete the discussion by looking at the remaining components of a security governance framework: security policy and procedures, security training and awareness, security monitoring and business continuity.

Mr Walubengo is a lecturer at the Multimedia University of Kenya, Faculty of Computing and IT. Twitter:@jwalu; email: [email protected]