Why we focus security training on capabilities rather than vulnerabilities
People - their decisions and behaviours - are at the heart of good security risk management. The ability of any organisation to manage its safety and security risk is only as good as its weakest link. Only by having robust policies and plans that make sense to the individuals who must understand and follow them – whether they are the CEO in London or the security guard in Kinshasa – can be considered good security risk management. For security to operate in practice, it must be about people and how they understand and contribute to their personal safety and security as well as that of the organisation.
People, on the other hand, are a complicated bunch. We are complex and our decision-making when it comes to risky behaviour is sometimes a mystery. Sometimes people heed some security recommendations and disregard others. Sometimes people have been trained on what they should do, and they do something else entirely. We believe that part of this arises from a security training emphasis on vulnerability rather than capability.
Vulnerability is at the heart of most NGOs' risk assessment process, and it's at the heart of any security risk management. The interaction of threat impact and threat vulnerability results in a risk that may be ranked from high to low.
Vulnerability is defined as 'the quality or state of being exposed to the possibility of being attacked or harmed'. We identify a threat, such as carjacking, and then analyse employees vulnerability to carjacking. We may consider how frequently vehicles are used, where they are used, and when. We may recognise that drivers are at higher risk because of the amount of time they spend driving. Perhaps employees who work in each place are more vulnerable because of the increased number of carjackings in that area. Staff who haven't been trained in avoiding or responding to a carjacking are more vulnerable.
Vulnerability is defined as 'the quality or state of being exposed to the possibility of being attacked or harmed'.
Our risk assessment though doesn’t normally deal with individuals but only with the average - how vulnerable are most of our employees to carjacking on average? Or, how vulnerable are the most vulnerable employees to carjacking?
Vulnerability is rightfully the focus of any risk assessment process and good risk assessments takes an intersectional perspective. This means incorporating perspectives of those who receive the risk assessment as well as those who conduct it. It means including threats which are often taboo or hidden, like sexual violence. It means not presuming that certain people – like women – are more vulnerable – if there is no evidence that they are more frequently targeted.
Vulnerability is the right tool to use when mapping a threat to a risk matrix. Where it fails when we then try to train people on the risks identified using vulnerability alone. Actual people require risk managers to shift from a vulnerability approach to a capabilities approach.
Capability is core to our navigating the world successfully and particularly to our safety. Capability is defined as "the amount of someone's power or ability to do something.” Capability restores individual agency to the security equation. It allows the individual to recognise that they have a role to play.
Capability is defined as "the amount of someone's power or ability to do something.”
We have an impact on every place we enter just as those environments impact us. Every day, we bring all our previous life and work experiences, language ability, gender, sexual identity, roles, connections, education and training, religion, health and physical abilities, preferences, and aspirations to our work. While some of these things may make us vulnerable, they also make us capable - something that standard security training typically ignores.
At Safer Edge, we've found that employing a capabilities approach in our training can change people’s attitudes to security training as well as their participation in an organisation’s security culture.
Here are a few examples of how vulnerability and capability differ.
Capability recognises that our characteristics, as well as our behaviours, experience, choices, and actions, can be advantages as well as disadvantages in different contexts.
Vulnerability also has additional negative connotations when it comes to women, the LGBT+ community, people with disabilities or those of minority ethnicities or religions. Most traditional security training still refers to these as ‘additional vulnerabilities’ rather than what they are – personal characteristics which may be vulnerabilities but may also be capabilities.
What does this look like in real life? Let's look at a carjacking scenario. A group of five NGO employees – three national and two international – are travelling down a remote road when they are assaulted by carjackers. The carjackers brandish weapons and order them to exit the vehicle. They tell the driver to stay in the car and drive away with them.
While our risk assessment indicated that the group was at high danger of a carjacking, we have seen that each person in the vehicle is vulnerable in different ways and has varied capabilities.
The two overseas employees in the car have received security training and have been taught what to do in the event of a carjacking. No such training has been provided to the three national staff members. They are less capable of responding effectively.
However, one of the international staff members is traumatised by a previous carjacking event and hence freezes. Trauma has hampered his capacity to use his expertise and respond to the demands of the carjackers.
Because one of the national staff members is of the same ethnicity as the carjackers and speaks the same language as them, the carjackers target her and call her a traitor. Understanding the dynamics of the carjacking and what the carjackers are saying, however, improves her capability.
One of the national staff members is the driver's cousin, and while he understands that he must comply with the carjackers' demands, his worry for his cousin's safety limits his response, and instead of fleeing, he attempts to persuade the carjackers to release his cousin, which enrages them.
Each person in the car is vulnerable to carjacking – but their capabilities vary. Good security training teaches people to think through both their vulnerabilities and capabilities giving them a better understanding of why they may react in certain ways and how to cope with both the event and their reaction.
Much of the time capabilities go unrecognised because they are not the ones that security trainers, security managers, or international expatriate personnel have, or know how to teach. In a high-risk location, for example, the capability to communicate in the local language, as well as the ability to comprehend and navigate local power dynamics, is essential. Negotiation skills, the capacity to defuse violent situations, empathise with aggressive people, recognise deteriorating interpersonal situations and the ability to blend in are all valuable capabilities that are glossed over in security training in favour of physical action.
Security training that integrates a capabilities approach says that a person's ability to do anything will both be enabled or constrained by who they are, in that environment, at the time the event occurs. Certain people will be advantaged. Certain people will be disadvantaged. This allows us to treat people in security training as what they are – people. Not numbers or points on a risk matrix. The more complicated or higher risk the environment the more important that we trust and rely on people to identify their capabilities in the face of risks identified as well as their vulnerabilities.