05/12/2025
Chief Risk Officer
The Risk Management Profession
1. Moves from traditional risk and compliance frameworks into the management of multi-vector, cross-domain, and asymmetric threats that transcend conventional boundaries.
2. Develops expertise in hybrid risk governance.
3. Equips participants with the skills to design cross-sector resilience strategies, integrate governance across silos, and align risk frameworks with organizational, regulatory, and geopolitical realities.
4. Provides practical methodologies for hybrid stress testing, assisting organizations to withstand hybrid risks.
5. Advances the careers of CRCMPs by adding specialized expertise in hybrid risk and resilience, and by offering strategic, cross-sector perspectives that are highly valued by organizations and boards.
The program provides the skills needed to become a Certified Risk and Compliance Management Professional in Hybrid Risk and Resilience Management - CRCMP(HR²M), a certification that provides independent evidence to firms and organizations that you have a quantifiable understanding of the subject matter.
Target Audience
The CRCMP(HR²M) program is designed for professionals who already hold the CRCMP designation and are ready to expand into the advanced domains of hybrid risk and resilience. It is especially relevant for those engaged in multi-vector risk environments, cross-sector resilience, and global governance:
1. Risk Managers and Professionals. The CRCMP(HR²M) advanced specialization develops expertise in handling hybrid threats, strengthens resilience strategies, enhances communication with leadership, and provides a competitive advantage in a world where risk and compliance are central to organizational survival and success.
It also equips professionals with essential counterintelligence awareness, helping them recognize and mitigate risks stemming from espionage, insider threats, and information manipulation. In addition, the program emphasizes hybrid stress testing, enabling organizations to anticipate cascading crises across digital, financial, regulatory, and geopolitical domains, well beyond the scope of traditional stress testing.
2. Compliance Managers and Professionals. They ensure adherence to laws, regulations, and internal policies. The CRCMP(HR²M) advanced specialization broadens this role by mapping hybrid threats into compliance obligations, enabling them to anticipate emerging risks and strengthen organizational resilience. It prepares them to address challenges that increasingly intersect with legal, ethical, and governance obligations.
Regulators expect boards and executives to demonstrate governance over resilience and hybrid threats. The CRCMP(HR²M) advanced specialization assists compliance managers in translating hybrid risks into board-reportable compliance obligations, and in preserving the evidence needed to withstand scrutiny from regulators and courts, where every word, every document, and every decision counts.
3. IT, Cybersecurity, and Information Security Professionals. This advanced specialization provides the skills to bridge the gap between technical security, compliance, and executive decision-making.
IT, cybersecurity, and information security professionals face the challenge of translating highly technical issues into business and governance terms that leadership can understand and act upon. The CRCMP(HR²M) advanced specialization gives a much better understanding of how to present IT and cyber risks in strategic, regulatory, and financial contexts.
By combining technical expertise, compliance knowledge, and counterintelligence awareness, participants learn to demonstrate the business impact of threats, justify security investments, and align incident response with legal and regulatory expectations.
4. Internal Auditors. The CRCMP(HR²M) advanced specialization develops expertise in evaluating the adequacy and effectiveness of risk, compliance, and resilience frameworks in the face of complex and hybrid threats. It equips internal auditors with the knowledge to provide independent assurance that organizational strategies, controls, and compliance measures are robust enough to withstand crises that cut across cyber, financial, regulatory, and geopolitical domains.
The program integrates counterintelligence awareness, enabling auditors to recognize risks related to insider activity, information manipulation, and hostile influence that can undermine governance structures. Through hybrid stress testing, auditors understand better how cascading crises might expose hidden vulnerabilities in controls, reporting systems, and compliance obligations.
5. Legal, Regulatory, and Corporate Governance Professionals.
The CRCMP(HR²M) advanced specialization develops expertise in understanding and managing the legal, regulatory, and governance implications of hybrid threats. Professionals gain a better understanding of compliance and governance under conditions of hybrid stress.
The CRCMP(HR²M) program assists in managing conflict-of-laws, advising on jurisdictional risk exposure, and supporting boards in navigating the global complexities that arise from hybrid threats, including those orchestrated by state-sponsored actors who blend cyber, legal, financial, and disinformation tactics to destabilize organizations.
6. Consultants and Advisory Professionals.
The CRCMP(HR²M) advanced specialization develops expertise that enables consultants and advisory professionals to deliver high-value, forward-looking insights to clients facing increasingly complex and hybrid risk environments.
By integrating counterintelligence awareness, consultants can help clients recognize and mitigate risks from espionage, insider activity, and disinformation campaigns. These are challenges that are often underestimated but carry significant reputational, financial, and legal consequences. Through hybrid stress testing, they can guide organizations in simulating the cascading impact of combined cyber, financial, regulatory, and geopolitical crises, explaining vulnerabilities and recommending practical solutions.
This advanced specialization strengthens the consultant's role as a trusted advisor who anticipates the intersection of risks across domains. It allows consultants to differentiate themselves in the marketplace by providing clients with strategic foresight, resilience strategies, and actionable compliance roadmaps that go well beyond traditional advisory services.
7. Project and Program Managers.
The CRCMP(HR²M) advanced specialization develops expertise in embedding risk, compliance, and resilience considerations directly into project and program delivery. For project and program managers, this means gaining the ability to plan, execute, and oversee initiatives that remain robust in the face of hybrid threats spanning digital, financial, operational, and geopolitical domains.
This advanced specialization strengthens the ability of project and program managers to translate organizational resilience goals into actionable plans, ensuring alignment with compliance and regulatory frameworks while maintaining delivery efficiency. It equips them to lead teams through complexity and uncertainty, positioning them as strategic enablers of resilience.
8. Service Providers.
The CRCMP(HR²M) advanced specialization develops expertise that is particularly valuable for service providers in IT, security, cloud, financial, legal, or managed services, which play a very important role in the resilience of the organizations they support.
In hybrid threat environments, service providers are prime targets for cyberattacks, espionage, and manipulation, since compromising them can create cascading effects across multiple client organizations. They also serve as critical partners in helping clients meet regulatory, resilience, and security requirements, often acting as an extension of the client's own risk and compliance functions.
The program integrates counterintelligence awareness, enabling service providers to better understand threats such as supply chain infiltration, insider risks, and hostile influence campaigns that could undermine client relationships. It also emphasizes hybrid stress testing, equipping them to demonstrate the resilience of their services under combined cyber, regulatory, and operational crisis scenarios, an increasingly important factor in client due diligence and regulatory assessments.
What does COSO stand for?
Committee of Sponsoring Organisations. First set up in 1992, it has undergone revisions in 2013 (the three-dimensional COSO Cube) and 2017.
Purpose:
- To establish and integrate internal controls into the business processes.
- To understand and prioritise risks, and to create a strong link between risk, strategy and how a business performs.
Pros of using COSO:
- Adherence to legal and regulatory requirements.
- Achieves uniformity across business processes.
- Easier detection of fraudulent activities.
- A robust control environment contributes to strong risk management.
- Achieves efficiency across business processes, which reduces costs and increases profits.
Cons of using COSO:
- Difficult to implement due to its broad scope and lack of prescriptive guidance.
- Rigid structure, making it difficult to identify the best way forward for a particular organization.
The Chief Risk Officer (CRO) is authorized by the board of directors to oversee the identification, assessment, and management of the organization's aggregate risks, and to ensure that risk management and control activities are designed and executed in accordance with the organization's approved risk appetite, fiduciary obligations, and applicable laws and regulations.
At the strategic level, the CRO ensures that risk considerations are embedded in decision-making processes, including mergers and acquisitions, new product development, major investments, and outsourcing arrangements. Every strategic initiative must be accompanied by an assessment of its risk implications and an evaluation of whether the resulting profile remains within appetite.
Part 1. Hybrid Threats and Resilience.
Resilience in the Age of Uncertainty.
- Business continuity, robustness, and resilience.
- Case study, Basel III and resilience.
- Resilience governance.
- Recovery Time Objective (RTO).
- Recovery Point Objective (RPO).
Hybrid Threats.
- Multi-vector threats.
- Convergent threats.
- Asymmetric threats.
- Functional understanding of hybrid threats.
- Holistic understanding of hybrid threats.
The Strategic Landscape of Hybrid Threats.
- Geopolitical Risk and Strategic Competition.
- Political risk.
- Geopolitical risk.
Cyber-Physical Attacks on Critical Infrastructure.
- Cyber-physical attack.
- Cyber-physical system (CPS).
Advanced Persistent Threats (APTs) and Hybrid Threats.
- What is an Advanced Persistent Threat (APT)?
- Is it an APT or a hybrid campaign?
Hybrid Threats, Guerrilla Warfare, Insurgency.
- Guerrilla warfare.
- Insurgency.
- Similarities and differences.
Part 2. The Mind Under Siege
Hybrid Threat Psychology.
- Desire.
- Affection.
- Motivation.
- Direction.
- Intensity.
- Persistence.
- The objects of desire.
- Is passion derived from "the unknown, the risk, the surprise, and the playfulness"?
Manipulation.
- Manipulation, when deployed strategically.
- What distinguishes manipulation from other forms of influence?
- Gaslighting.
- Mirroring.
- Love Bombing.
- Isolation.
Elicitation.
- Techniques.
- Assumed Knowledge.
- Bracketing.
- Response.
- Confidential Bait.
- Criticism.
- Deliberate False Statements / Denial of the Obvious.
- Feigned Ignorance.
- Flattery.
- Good Listener.
- The Leading Question.
- Macro to Micro.
- Mutual Interest.
- Oblique Reference.
- Questionnaires and Surveys.
- Ruse Interviews.
- Target the Outsider.
Hybrid Threats, double deception, engineered insights.
- Double deception.
- Engineered insights.
- Manufactured reality.
- False Information Operations (FIOs).
- Deep Fake Technologies (DFTs).
- Deep Video Portraits (DVPs).
- Narrative Warfare.
- Information Laundering.
- Influence-as-a-Service (IaaS).
- Defensive deception.
From Trust to Treason. Psychology and Insider Threats.
- Motives, stressors, vulnerabilities, personality traits.
1. The malicious insider.
- a. Long-standing grievances.
- b. Unmet expectations.
- c. Identity conflicts.
2. The compromised insider.
3. The unwitting insider.
- The desire to belong vs. the need to be authentic.
- The hiring process.
- Example, Weaponizing the integrity of IT persons.
Fake, in Psychology.
- Fake, in law.
- Counterfeit.
- Forgery.
- Fraud.
- Misrepresentation.
- The "Simulacrum".
Between Luck and Resilience.
- Fortunately, we have not been hacked!
- The declaration of safety.
The weaponization of conspiracy theories.
- Sophisticated evolution in asymmetric tactics.
- Eroding the presumption of legitimacy.
- Radicalization.
- Conspiracy theories provide cover for malicious insiders.
- 1. The Dunning-Kruger effect.
- 2. The self-serving bias.
- 3. The confirmation bias.
- 4. The pessimism bias.
Part 3. Hybrid Threats | USA, EU, China, Russia.
Hybrid Threats | USA.
- US Department of Defense (DOD) definition and approach.
- Conventional and irregular warfare.
- US Intelligence Community, the Office of the Director of National Intelligence (ODNI).
- The "Updated IC Gray Zone Lexicon."
- Gray Zone.
- Gray Zone Campaign.
- NATO, hybrid activities.
Hybrid Threats | European Union.
- The Joint Framework on countering hybrid threats, a European Union response.
- Recognising the hybrid nature of a threat.
- Foreign Information Manipulation and Interference (FIMI).
Hybrid Threats | China.
- Informatization.
- Systems-of-systems operations.
- Intelligentization.
- The Chinese doctrine.
- The Three Warfares.
- 1. Public Opinion Warfare.
- 2. Psychological Warfare.
- 3. Legal Warfare.
- China's National Intelligence Law and Counter-Espionage Law.
Hybrid Threats | Russia.
- Russia's doctrine of information warfare and hybrid threats.
- A doctrinal tradition spanning decades.
- The link to Soviet active measures.
- The doctrine of information confrontation.
Hybrid Threats | Private Sector.
- The private sector.
- Ambiguity.
- Deniability.
- Distance, dispersion, and disguise.
- Compounding.
- Operational slack.
- Cognitive slack.
- Reputational slack.
- The boundary between national security and corporate risk.
- Extraterritorial application of regulations.
- Incident management, a legal, communications, technical process.
Hybrid Threats Targeting Sectors | Examples.
- Hybrid Threats Targeting the Maritime Sector.
- Hybrid Threats Targeting the Aviation Sector.
- Hybrid Threats Targeting Online Gaming. (It sounds ridiculous. It is not).
Part 4. Hybrid Threats and the Law.
Hybrid Threats and the Law in the USA.
- Presidential Directives, Executive Orders.
- Executive Order 13636.
- Executive Order 13691.
- Presidential Policy Directive 41 (PPD-41).
- Executive Order 13800.
- Executive Order 13848.
- Executive Order 13873.
- Executive Order 13984.
- Executive Order 14028.
- Executive Order 14034.
- Executive Order 14110.
- Executive Order 14117.
- Executive Order 14144.
- Executive Order 14306.
Hybrid Threats and the Law in the EU.
- Europe's Resilience Doctrine.
- 1. The Digital Operational Resilience Act (DORA).
- 2. The Critical Entities Resilience Directive (CER).
- 3. The Cyber Resilience Act (CRA).
- 4. The Internal Market Emergency and Resilience Act (IMERA).
- EU and hybrid campaigns.
Part 5. Hybrid stress testing.
- What is hybrid stress testing?
- Penetration testing, red teaming, blue teaming, purple teaming, and hybrid stress testing.
- The Aviation Analogy.
- The Architecture Analogy.
- The Ecology Analogy.
- "I will tell you the outcome. We fail."
- Which factors are accelerating the adoption?
- Is the world mature enough for hybrid stress testing?
- Which are the main reasons for resistance to hybrid stress testing?
Hybrid stress test, steps.
- Example: Trust Erosion Hybrid Stress Test.
Step 1: Objectives and Scope.
Objectives.
- a. Regulatory Compliance and Assurance.
- b. Operational Resilience.
- c. Strategic and Governance Readiness.
Scope.
- a. Business Functions in Scope.
- b. Datasets in Scope.
- c. Third-Party Providers and Jurisdictions in Scope.
- d. Time Horizon and Severity.
Step 2: Dependencies.
- a. Data Flows.
- b. Jurisdictional Exposure.
- c. Third-Party Dependencies.
- d. Critical Datasets.
- e. Safeguards.
- f. Supply Chain and Ecosystem Dependencies.
- g. Shadow IT and Informal Practices.
Step 3: Hybrid Threat Scenarios.
- Scenarios are not predictions.
- Hybrid scenarios must be intentionally designed to overwhelm.
- Effective scenarios are layered.
Step 4: Stress Parameters and Triggers.
- The boundaries of what stress means in practice.
- The specific events that activate the scenario.
- Technical parameters.
- Legal parameters.
- Operational parameters.
- Reputational parameters.
- Financial parameters.
- Examples of triggers.
Step 5: Execution of the Stress Test.
- Testing methodologies.
- 1. Table-top Exercise.
- 2. Live Simulation.
- 3. Hybrid Approach.
- Red Teaming and Adversary Emulation are not hybrid stress tests.
- Wargaming.
Step 6: Measuring Impact and Resilience.
- a. Technical.
- b. Legal and Compliance.
- c. Operational.
- d. Reputational.
- e. Strategic.
Resilience metrics.
- a. Recovery Time Objective (RTO).
- b. Recovery Point Objective (RPO).
- c. Compliance Continuity.
- d. Decision-Making Latency.
- e. Communication Effectiveness.
- f. Cross-Functional Coordination.
- Measurement must tie back to the objectives.
- Resilience benchmarked over time and across scenarios.
Step 7: Evaluation of Governance and Strategic Posture.
- The organization's capacity to make clear, lawful, and timely decisions.
- Evaluation of governance.
- a. Decision-Making Speed.
- b. Clarity of Direction.
- c. Regulatory Alignment.
- d. Strategic Consistency.
Step 8: Documenting and Enhancing.
- Vulnerabilities, strengths, and unexpected dynamics.
- Structured Debriefing.
- What went well and reinforced resilience.
- What failed, delayed response, or created confusion.
- What decisions or actions had unintended consequences.
- What support or information was missing at critical moments.
- Lessons learned must be translated into enhancements across the organization.
- Final report.
Case Study, Scenario.
- A five-day hybrid stress test case study, where participants are guided through a simulated crisis scenario that unfolds over a structured timeline.
- Early warning signs and immediate operational impacts.
- Secondary effects spreading across digital, regulatory, and financial domains.
- Cascading consequences, including reputational damage and geopolitical dimensions.
- Mitigation efforts, strategic decision-making under pressure.
- Long-term lessons.
Part 6. What comes next.
Hybrid Threats and AI.
- Data poisoning.
- Model extraction and inversion attacks.
- Prompt injection.
- Scenario: Prompt injection to blind security infrastructure in a high-security facility.
- The hidden bill of cheap AI.
- AI-generated code.
Decision Sovereignty in the Artificial Reality Age.
- The Artificial Reality Age (ARA).
- Decision Sovereignty.
- 1. At the individual level.
- a. Filtering Information.
- b. Shaping Perception.
- c. Nudging Behavior.
- 2. At the corporate level.
Technologies.
- 1. Virtual Reality (VR).
- 2. Augmented Reality (AR).
- 3. Mixed Reality (MR) and Extended Reality (XR).
- 4. Synthetic Media.
- 5. Generative AI Systems.
- 6. Digital Twins.
- 7. Persistent Metaverses.
Quantum hybrid threats, the next frontier.
- What is "quantum" and why should I care?
- What constitutes "appropriate measures" and "data protection by design and by default" in the quantum era?
- The "harvest now, decrypt later" strategy.
- Should we worry about retroactive exposure?
- Quantum hybrid actors.
- Integrating quantum capabilities and quantum narratives into hybrid campaigns.
DNA computing and hybrid threats.
- DNA as an information carrier.
- The revolution in data storage.
- Encoding audio, images and text into synthesized DNA molecules.
- Encrypting messages within DNA encoded microdots.
- DNA steganography changes espionage and data exfiltration forever.
- Forensic and compliance risks.
- DNA hybrid threats complicate accountability.
- DNA computing and quantum supremacy.
Neuromorphic and brain-inspired computing.
- Processing information in ways that resemble the nervous system.
- Brain-inspired sensing.
- Neuromorphic systems shift sensing, learning, and decision-making.
- Neuromorphic hardware and event-based sensors create a fertile surface for covert compromise.
- Weaponization of on-device learning.
- Compromising adjacent sensors.
- Manipulated neuromorphic controllers embedded in drones, vehicles, and industrial controllers.
- Governance responses, neuromorphic risk.
- The new class of exploits requires expanding incident taxonomies.
- Neuromorphic and brain-inspired computing systems are already in use.
- Neuromorphic vision sensors already embedded in commercial drones and robotics platforms.
- Intel, IBM, large-scale neuromorphic processors, Loihi, Loihi 2, TrueNorth.
- Surveillance and security systems, robotics, industrial automation, defense.
The fusion of physical, digital, and cognitive space.
- Actions triggered by machine perception, not human observation.
- "See" and "Know" no longer describe human sensory or cognitive experiences.
- Continuously sensed.
- Algorithmically mediated.
- Triggered by machine perception.
- Hybrid Threats in the Artificial Reality Age (ARA).