This essay looks at what the move from a security environment characterized by knowable threats to one largely comprised of diffuse risks means for our ability to anticipate future challenges. It further examines how public policy has reacted to this change.
From Threats to Risks in International Security – and Subsequent Challenges for "Knowing" the Future
By Myriam Dunn Cavelty for the ISN
Threats as Measurement of the Knowable
During the Cold War, the two superpowers combined geopolitical objectives with military capabilities that included weapons of mass destruction and the means to deliver them over intercontinental distances. Security threats were thus directly linked to military capabilities and arose mainly from the aggressive intentions of the other powerful actor in the international system. Although there were numerous strategic surprises during the Cold War, the ability to monitor each superpower’s strategic and military posture created a sense of certainty through calculability. To identify the level of threat, one looked at the capability of the enemy and their intent or motivation, in addition to one’s own vulnerability.
From a western perspective, there was not always agreement on the exact nature of the Soviet threat. The debate, however, evolved around the threat in terms of what could be measured; in other words, the threat in the form of actor, intention and capability was known or at least knowable. In addition, there was a belief that it was possible to defeat the threat and achieve security through known measures. The concept of deterrence in particular – which refers to the attempt to create risks so high in comparison to a possible gain that opponents refrain from engaging in a certain policy or action – existed as a credible option to prevent the threat from being enacted.
The Rise of Risks in Security Policy
In the post-Cold War era, stable and narrow security conceptions were broadened and deepened. Paralleled by discussions on moral necessities, western security policies were expanded to include political, societal, economic and environmental issues. As a result, the referent object of security was extended to groups, individuals, but also on inanimate objects such as technical infrastructure systems. At the same time, the notion of threat, understood as a problem that is deliberately created by one security actor for another, was losing saliency in many parts of the world. Several of the new challenges that security policy started to focus on in the post-Cold War world – global health issues, financial stability, critical infrastructure protection, but also terrorism to some extent – seemed much better captured by the concept of risk.
Risks are indirect, unintended, uncertain, and are by definition situated in the future. Therefore, risks exist in a permanent state of virtuality. This characteristic is linked to thinking in terms of probabilities; to calculate the level of risks, actors in the public policy sector have drawn from the economic or technical realm to adopt the well-known risk “formula”. The level of risk is the product of the likelihood or probability of occurrence times the expected damage of an event (likelihood x damage = level or risk). These characteristics also imply that risks can be shaped by human agency in the present. At the same time, their indeterminate nature means that perception and definition of risks is always almost contested between different social groups and that giving meaning to these phenomena is a new source of power for different social actors.
In the last decade, numerous western states have adopted and transposed the risk logic into the realm of national security. This means that risk methods and tools are having a considerable impact on how different actors endeavor to capture, measure and handle public security challenges that are no longer framed as actor-based threats. Since eliminating all risks completely is neither feasible nor desirable, the broad concept of risk management, adapted mainly from the private sector, has increasingly made its way into security policy. The rest of this text looks at the impact the shift from knowable threats to diffuse risks has on the ability to forecast future events – and how governments deal with this challenge.
Reducing Uncertainty Through Risk Identification
When moving towards a multitude of diverse risks, one of the key questions becomes which risks are relevant for security in the first place. In order to systematise the new landscape, comprehensive risk assessment efforts have been launched by many countries. Risk management, therefore, encompasses several steps, namely the identification, assessment, and mitigation of unacceptable risks. In order to identify risks, elaborate scenario-based approaches combining expert-knowledge from various fields are used. The aim of these undertakings is to develop a concrete basis for political action by ranking the identified risks by their estimated probability and severity: the more likely and the more damaging, the more urgent the response.
However, the whole idea of risk mitigation logically only works if a) there is some type of (political) agreement over which risks to focus on and b) the relevant issues are actually in some ways already “imagined”. This is considered one of the bigger challenges – how can we know whether what we assume to be the risks to be concerned about actually are the risks to be concerned about? Actually, we cannot. But we can try to break “out-of-the-box” of conventional thinking. In general, public and private-sector organizations that cope with uncertain futures have developed tools for what is called alternative analysis; a set of techniques intended to stretch the thinking abilities of analysts and policymakers, by trying to challenge underlying assumptions that may constrain thinking. There are many methods that can be used as future methods, like scenarios, delphi exercises, horizon scanning, etc.
The advantage of these techniques is that they can stimulate strategic thought and communication, improve internal flexibility of response to environmental uncertainty and provide preparation for possible system breakdowns. However, they do not bring back certainty. Alternative analysis is designed to overcome biases: using them does not mean that one can know the future; and none of them are tools that claim to be able to predict future events. Rather, they enable engaging with different futures (e.g. plausible, possible, probable or preferable futures) and considering the implications for decision making at the present moment. They are focused on changing mindsets and making us realize that the future will always surprise us.
The Shocks That Will Come
In recent history, major shocks with global implications (one of the terms used for them is systemic risks) have intensified the discussion about the limits of the knowable and foreseeable, and, by implication, also the limits of the concept of risk and risk management, which implies manageability of the future based on linearity and extrapolation from past experience. Among the more prominent challenges is Nassim Taleb’s popular Black Swan Theory, which looks at the disproportionate role of high-impact, hard to predict, and rare events that are beyond the realm of normal expectations. We hardly ever see them coming due to cognitive and psychological limitations that make us blind to uncertainty and also unaware of the massive role of the rare event in historical affairs.
In other words: there is absolutely no way to foresee the threats of the future; and we must expect to be hit by major, unexpected, unforeseen events (which previously were unknown risks).
Two points can be made. First, risk management is necessary but never enough. It needs to be complemented by something else, which is called business continuity management in the private sector and goes under the term “resilience” in the broader security discourse. Risk management reduces risks to a certain degree, but they are hardly ever entirely eliminated. This means that even the really well-‘known’ risks can manifest as harmful events in the present. As soon as such an adverse event occurs, there is need for a Plan B that ensures that the critical functionality of a given system – be it technical or societal – is restored as quickly as possible. A resilience perspective promotes a society’s process of preparing and responding to risks and emphasizes the security of processes required for the normal development of society.
Second, the future has always been uncertain and will remain so. The concept of risk is a way to deal with this uncertainty because it allows us to find ways to manipulate some aspects of the future. But threats can and will emerge suddenly anytime, anywhere, and in a variety of forms. The shift from threats to risks has made it much more difficult for states to be security providers. However, risks also help to reinforce that protection and defense now need to be complemented by additional concepts. Accordingly, resilience forms the basis for a new philosophy of risk management applied to security.