3

Risk Analysis

Gregory Allen

Abstract

Security in any system should be commensurate with its risks. However, the processes to determine which security controls are appropriate and cost effective are quite often a complex and sometimes a subjective matter. One of the prime functions of security risk analysis is to put this process onto a more objective basis. Every organization should consider what types of risk assessments are relevant to its objectives. The scope of risk assessment that management chooses to perform depends on priorities and objectives. It may be narrow and specific to a particular risk and the industry (e.g., financial, energy, transportation).

Keywords

quantitative risk; qualitative risk; physical security; risk assessment method (RAM); National Infrastructure Protection Plan (NIPP); security survey; security audit; investigation; recovery; business continuity plan; risk analysis; risk identification; loss; security survey; emergency planning

Introduction

In any system, security should be commensurate with risks. However, the process to determine which security controls are appropriate and cost effective is quite often a complex, and sometimes subjective, matter. One of the prime functions of security risk analysis is to approach this task objectively.

Every organization should first consider its objectives in order to determine relevant risk assessments to use. The scope of risk assessment that management chooses to perform depends on business priorities and objectives. For instance, a company may choose a broad risk assessment, or it might choose a narrow assessment that is specific to a particular risk within the industry (e.g., financial, energy, transportation).

From a business perspective, risk analysis is defined as a technique used to identify and assess factors that may jeopardize the success of a project or achievement of a goal. Risk assessment can also help define preventive measures to reduce the probability of these factors occurring and to identify countermeasures to successfully address them when they do occur.

Risk analysis is a systematic process of determining the uncertainties and risks encountered in business. The process identifies organizational risks, allowing the business to understand how and when they arise and to estimate the impact they may have. After a risk has been determined, action can be taken to mitigate the risk and create a successful outcome. Some businesses face risks daily. Looking at how often your organization may face identified risks is a crucial step in risk analysis.

As we move through this chapter, we will address quantitative risk analysis, a mathematical process that looks at variables that cannot be controlled, as well as a decision-making process to address them. This quantitative risk model calculates the impact of uncertain measures and determines a solution to either reduce or eliminate the risk. The bottom line is to look at the impact of the uncertainty and the consequences it has for that decision-making process.

Risk can be interpreted as anything that disrupts business or potentially alters a business outcome. To determine a risk, you must first understand the risk and the impact it can have. With quantitative risk analysis, you are estimating the risk and the impact, as well as the probability of risk occurrence.

The underlying goal is to look at how risk analysis can provide an organization with the right information to make sound business decisions. First, you need to identify what assets need protection; this could be anything from employees to tangible items (inventory). Identifying assets helps determine what risks could occur. Determining the probability of risk occurrence also helps determine the impact on the organization.

To keep risk analysis as an objective approach, a specific methodology must be used to create an assessment and a consistent process to follow to achieve the desired end result. Done correctly, risk analysis can provide an organization with a sound decision-making process for reacting to almost anything that may occur. One goal of risk analysis is to provide an assessment of the economic impact of a potential risk. It is important to maintain a systematic approach to determine both the rate of risk occurrence and the economic impact of those risks.

Physical Security Risk Assessments

Risk seems to always have a negative effect because it can cause both financial and physical asset loss. However, risk identification is a positive process because it can mitigate the negative outcomes of a potential risk.

Risk assessment can provide both qualitative and quantitative information when assessing a situation. Risk reduction attempts should be cost effective. However, the worst thing to do is to ignore a potential threat; doing so could bring an organization to its knees financially.

As stated, the level of security within any organization should be commensurate with its risks; however, security controls must be cost effective and in line with the risks that could occur.

Over the years, we have seen businesses perform risk analyses that have been unreliable and based on inaccurate data. Controls and countermeasures should be implemented to take care of potential risks.

Before going any further with risk analysis, you must understand how threat and vulnerabilities play a role in risk analysis methodologies. Threats are things that can go wrong or that can attack a system (threats are present in every system). Vulnerabilities are areas where an organization may be more likely open to attack.

When a threat occurs, we must look at countermeasures for these vulnerabilities. Deterrent controls reduce the likelihood of a deliberate attack. Organizations must develop preventive controls to protect vulnerabilities and deter attacks or reduce their impact. Companies must also develop two further sets of controls: detective controls to identify attacks and corrective controls to reduce the effect of attacks. All of these processes can reduce or eliminate potential risks. Most threats are man-made, and the risk from them ranges from minimal to extensive.

Before a threat is identified, a vulnerability assessment must first take place. This process considers the imminent or potential impact of a successful attack from that threat as well as the associated vulnerability. A key component of the vulnerability assessment is to clarify the impact of loss from the threat.

Each organization has different specific vulnerabilities, yet broadly, they are the same. That is, every organization identifies a target, how attractive that target is, and the countermeasures that organization has in place to protect it.

Those tasked with creating vulnerability assessments must be trained to look at the impact of loss so they can assess both what occurred and how the impact of the threat affects the organization. Comparing the impact of loss to the identified vulnerability is always used to evaluate potential risks to an organization.

Based on what is found from a risk analysis, the next step is to look at what countermeasures can be put into place to reduce or eliminate the potential threat. The cost of implementing countermeasures must be considered because all costs are reviewed annually. The countermeasures must then be evaluated to determine if all potential countermeasures have been implemented. All of these factors affect the overall risk reduction for an organization.

To become effective at the risk analysis process, you need to train employees to perform the analysis correctly. The first attempt is always the most expensive. Over time, the process becomes less expensive and less time consuming. The investment of time devoted to risk analysis studies should be compatible with the organization’s business objectives.

Many times when completing a security survey, the outcome of the risk analysis may not align with the original intentions.

When a threat occurs, organizations must realize that there are legal risks associated with the countermeasures used for risk reduction. Any time an organization has a security risk, it must be brought to the attention of those who will handle the issue, without exposing the organization to legal liability.

Risk Assessment Method

Any time a potential threat is identified, an organization’s management must support taking corrective actions to either prevent or deter the threat. Authority must be given to the employees tasked with defining the purpose and scope of the risk assessment. This is where trained employees come into play and can accomplish the risk assessment mission. After the assessment is completed, management should review the findings and take appropriate action to implement a plan to use countermeasures.

Threat assessment usually includes a threat occurrence rate and probability of future threats. To create this prediction, it is best to use any available historical reports. If these are not available, try to obtain information from other sources that can assist you with a predetermined plan for future incidents. When a systematic approach to risk identification is taken, it makes the task of risk analysis more manageable, and countermeasures can be more easily put into place.

Risk control comes into play whenever a risk exists in a given environment. To effectively address risk control, it is necessary to examine all activities related to the risk and assess the level of vulnerability in the organization, as well as the impact the risk will have.

There are several ways to develop the data necessary for risk identification. The first step is to review organizational policies and procedures, as well as organizational structure and any previously identified risks. Part of this process includes conducting interviews, performing site inspections, and conducting field operations. In addition, you will need to identify organizational assets and history of any loss exposure.

After all of these steps have been completed, risk exposure will be apparent. This is a learning process, and the responsible person(s) should have the education, training, and practical experience to assess and handle such incidents. That is, risk identification requires professionals who have the knowledge and tools to handle such tasks.

One thing to remember is that risk is not always eliminated, but it can be managed, and this is where risk measurement comes into play in determining the impact of an event. In addition to impact, the frequency of event occurrence is also important to determine. One must understand how much of an impact an event does or can have and how to recover from these events.

The cost of an adverse event is an important issue within an organization. This is why obtaining information on how frequently an event occurs relative to an organization’s annual budget is important.

When we look at events, we must compare the financial impact to the frequency of occurrence. Events should be categorized by low or high occurrence levels. All of this goes along with impact and probability because we have to constantly analyze factors pertaining to events. During this time, safeguards must be developed and refined based on information gathered related to the events. After the information is in place, a company can assume an annual loss expectancy based on the impact and frequency of these events.

Let’s go back to a basic understanding of what security is. It is defined as the implementation of acceptable practices, procedures, and principles used to attempt to deter or stop undesirable events from occurring. The problem is that security measures must be applied consistently to properly guard against undesirable events. There will always be unexpected events that occur outside normal circumstances, and security measures must be in place to guard against those as well.

Most events, even if they seem independent of one another, are connected in their occurrence or probability. We should always be vigilant in looking at the probability of event occurrence. Obviously, the basic approach to security is to deter or eliminate any risk of events, but we need to understand the probability of occurrence in order to create potential solutions.

It is crucial to have an adequate database of information to determine event frequency. Yet, at times, you may find that not enough data are available to make an adequate determination of event frequency.

When an event occurs, the potential loss must be examined as to the vulnerability or weakness of the event. Events must be prioritized as to containment difficulty. Exposure must be quantified using historical data to determine both potential loss and frequency of event occurrence. If no historical data are available, the severity of the event must be analyzed and a method developed for collecting relevant data from that point forward. This will help determine the level of preventive measures necessary. One must understand that there are no guarantees that an event can be completely prevented even after the risk has been identified.

A simple way to address an event is to look at how easy it is to correct and put countermeasures in place to resolve the issue. In most cases, this process occurs but not all at one time. Generally, there are increasing levels of security measures used, always with an eye to cost. It must be understood that there is a trade-off between cost and security. That is, security measures can at times be more of an inconvenience than anything, but this is where the dollar value comes into play, based on the risk assessment undertaken. It is based on this risk assessment that management can see the economic value of security countermeasures developed to prevent or reduce event occurrence.

Many professionals take the approach of prevention above all else, as if putting the proper countermeasures into place is sufficient. Certainly, having a contingency plan in place does give a better direction and is more effective than not having one. One can look at whether the benefit of prevention outweighs the cost of the event; if so, prevention should occur.

Performing routine inspections can eliminate an event, as well as reduce a possible cost associated with that event. This is known as a cost-to-benefit ratio and is used for existing and prospective programs coming into play.

When we look at risk, we must look at it based on severity of loss. Therefore, low-, medium-, and high-loss factors are used to assess both the severity and frequency of loss. The type of protective measures used must be tailored to the specific risk within the environment. When addressing cost-effective security solutions, there must be a technique to analyze and develop solutions when the risks do occur. Experienced security professionals can make recommendations on how to improve security and properly protect company assets.
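The chapter describes annual loss expectancy as a product of impact and frequency, recommends comparing the benefit of prevention against the cost of the event, and assesses both severity and frequency with low, medium, and high factors. The following is an added example, not from the chapter or its author, that carries those ideas through in code for a few constructed physical-security events. It assumes the standard quantitative convention that annual loss expectancy (ALE) equals single-loss expectancy (SLE) times annualized rate of occurrence (ARO), and that a countermeasure is funded when the ALE it removes exceeds its own annual cost; the event names, dollar figures, rates, band thresholds, and countermeasure effects are all made-up sample values.

```python
"""Quantitative and qualitative scoring for a physical-security risk analysis.

Added example; the chapter states no formulas. Assumed conventions:
  ALE = SLE * ARO        (impact per event times expected events per year)
  fund a countermeasure when (ALE avoided - annual cost) > 0
All events, countermeasures and thresholds below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    name: str
    sle: float   # single-loss expectancy: dollar impact of one occurrence
    aro: float   # annualized rate of occurrence: expected events per year


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    aro_reduction: float        # fraction of occurrences prevented (0.0 to 1.0)
    sle_reduction: float = 0.0  # fraction of per-event impact removed (0.0 to 1.0)


def ale(event: Event) -> float:
    """Annual loss expectancy: impact per event times frequency per year."""
    return event.sle * event.aro


def residual_ale(event: Event, cm: Countermeasure) -> float:
    """ALE that remains after the countermeasure reduces frequency and/or impact."""
    return (event.sle * (1.0 - cm.sle_reduction)) * (event.aro * (1.0 - cm.aro_reduction))


def net_benefit(event: Event, cm: Countermeasure) -> float:
    """Annual value of the countermeasure: ALE avoided minus its annual cost."""
    return ale(event) - residual_ale(event, cm) - cm.annual_cost


def should_fund(event: Event, cm: Countermeasure) -> bool:
    """The chapter's test: fund prevention when its benefit outweighs the cost."""
    return net_benefit(event, cm) > 0.0


def severity_band(value: float, low: float, high: float) -> str:
    """Map a number onto the chapter's low/medium/high factors (thresholds assumed)."""
    if value < low:
        return "low"
    if value < high:
        return "medium"
    return "high"


def qualitative_rating(event: Event,
                       sle_bands=(10_000.0, 100_000.0),
                       aro_bands=(0.5, 5.0)) -> tuple:
    """(severity-of-loss band, frequency band) for the event."""
    return (severity_band(event.sle, *sle_bands), severity_band(event.aro, *aro_bands))


def rank_by_ale(events) -> list:
    """Order events so the largest expected annual loss is addressed first."""
    return sorted(events, key=ale, reverse=True)


# Constructed sample events and countermeasures (hypothetical figures).
BREAK_IN = Event("after-hours break-in", sle=40_000.0, aro=0.5)
INTERNAL_THEFT = Event("internal inventory theft", sle=2_000.0, aro=12.0)
VANDALISM = Event("vandalism", sle=1_500.0, aro=2.0)
EVENTS = [BREAK_IN, INTERNAL_THEFT, VANDALISM]

CCTV = Countermeasure("stockroom CCTV", annual_cost=6_000.0, aro_reduction=0.6)
PATROL = Countermeasure("overnight guard patrol", annual_cost=30_000.0, aro_reduction=0.8)


if __name__ == "__main__":
    for e in rank_by_ale(EVENTS):
        loss_band, freq_band = qualitative_rating(e)
        print(f"{e.name:28s} ALE ${ale(e):>10,.0f}  loss={loss_band:6s} freq={freq_band}")
    for e, cm in ((INTERNAL_THEFT, CCTV), (BREAK_IN, PATROL)):
        verdict = "fund" if should_fund(e, cm) else "do not fund"
        print(f"{cm.name} vs {e.name}: net ${net_benefit(e, cm):,.0f}/yr -> {verdict}")
```

Run stand-alone, the script ranks the sample events by expected annual loss and shows that the low-impact but frequent internal theft outranks the rarer break-in, which is the point of combining impact with frequency rather than judging either alone; it then shows one countermeasure that pays for itself and one that costs more per year than the loss it prevents.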

Benefits of Security Assessments

Any security program needs to have policies and procedures in place that are focused on cost effectiveness. Every effort must be taken to review available resources to ensure that financial goals are being met. Resources can include manpower, hardware, or technology. Each must be analyzed based on what is best and most cost effective for the organization.

Cost is always an important factor when it comes to implementing programs and replacing items (e.g., security systems). One example is the security personnel needed for an organization. The cost of having these employees will likely rise on a yearly basis. At times, reduction of personnel must be considered and replaced with a less costly alternative.

Likewise, equipment must be analyzed for both cost and reliability. New security systems may be more or less expensive than older ones, but the key is to focus on reliability and the proper protection of employees and assets.

New technology enters the market almost every day. One must consider each item and how it has been tested, as well as how it relates to company needs. There are no guarantees that any equipment purchased can completely protect assets. This is why you need to look at the equipment that specifically relates to the needs of your organization and make the best choice possible.

When building reliability into a security program, you also need to consider implementing redundancy. Many organizations overlook this piece, which can cause problems if systems, as well as processes, have not been tested to show reliability.

Today, there are many ways to assess risk and vulnerabilities. Risk analysis and vulnerability assessment are similar in that they basically identify the assets and the capabilities within a system. The difference between them is that risk assessment often involves the evaluation of existing security controls and how they rate against threats to the organization. Vulnerability analysis drives the risk management process and focuses on where in the organization the threats are most likely to occur.

Each organization should have an infrastructure protection plan that outlines goals and objectives that create a foundation for what the organization is attempting to accomplish. Part of the plan should include ways to measure the end result of risk management. Did the organization follow the processes and procedures in place pertaining to the risk? Successful reduction of vulnerabilities is based on successful risk management strategies.

Assets can be people, a structure, information, inventory, or even the organization itself. When we examine identified assets, we must look at the threat to those assets as well as the level of vulnerability. Depending on whether the threat will have a direct or indirect impact, the consequences could be as far reaching as affecting public health and safety. There is an important psychological aspect to the impact of that vulnerability to consider. Vulnerability is any physical feature or operational attribute that leaves an entity, asset, system, network, or geographic area exposed to a hazard.

Executive Management Role in Risk Analysis

To best direct resources, responses, and recovery, the Department of Homeland Security ranks critical assets from the greatest risk to the least and looks at the cost effectiveness of threat mitigation. To be able to reduce the largest risk there must be a comprehensive, but coordinated, effort to determine the risk, vulnerability, and desired end result.

The Department of Homeland Security uses established metrics to determine priorities and strategies and to effectively mitigate risk and protect assets. Good management and quality control are important in this process.

The goal of risk management is to manage risk cost effectively in a timely manner (i.e., the least amount of time and money to still be effective). A security survey can assist in establishing the steps needed to make this happen. The survey helps gather information or data that consist of the “who, what, when, where, how, and why” of an organization. It is similar to an investigative process.

When you start conducting a survey, it is interesting to see how many people do not realize that there are vulnerabilities and threats and so may not appreciate the importance of what you are doing. However, the survey must be conducted to properly address security concerns. It should be looked at through the lens of what affects the bottom line because that is a key business factor.

A proper security survey will generally show that losses due to crime far exceed the business losses due to fire or industrial accidents. Internal loss equates to approximately twice that of fires or accidents. It is important to realize how crimes affect an organization’s bottom line. White-collar crime is the most frequent crime and amounts to approximately 5% of an organization’s business loss.

Every organization, whether large or small, would benefit from a security survey. This is an objective review of both internal and external organizational controls. The study provides an organization with insight into what security issues can be improved and helps with planning how to proceed with implementing those improvements.

We have noticed that most organizations take the necessary precautions to protect themselves from external theft, yet internal crime is overlooked. Today, more and more organizations are looking at what exactly reduces their profit, and those issues are readily addressed.

One approach we can take in determining whether there is a need for a security survey is to look at what security services are available for the particular needs of that organization. For instance, if an organization already has a security plan in place, the security survey can detect how effective the plan is and whether or not it is adequate to meet the organization’s needs. Many plans are established for a specific need but are not designed to meet the needs of the organization overall. Setting up policies and procedures that are reviewed annually will help show which policies complement or contradict each other and whether there is room for consolidation.

If an organization has no security plan, a security survey will assist in establishing immediate needs. Critical factors can be identified, and the process of developing an effective security system can begin. Essentially, a security survey can assist in producing a protection plan. Security surveys should be performed by a trained security professional.

Security audits are similar to an investigative process in that they gather evidence to determine an end result and to make recommendations. Auditors are trained to appraise the validity of the processes used. Both auditors and investigators are trained to gather facts. They then appraise them, draw a conclusion, analyze the results, and make recommendations.

A security survey is similar to an audit in that it is a process to objectively look at the findings, come to a conclusion, and make a recommendation. For this to occur, the organization must cooperate, down to the employee level, for the survey to be as accurate as possible. Much of the survey work is conducted in the field; the information is analyzed and then turned into a written report that includes the findings and recommendations. Collected information includes records, written policies, and procedures or guidelines, wherever they can be found. At times this can be a difficult task.

There is not one correct way to conduct security surveys or field work; it depends on the person conducting the field work and the approach he or she takes.

The measurement of all of these aspects usually encompasses three components of a typical security operation: quality, reliability, and cost. The main objective is to assess the adequacy, effectiveness, and efficiency of the present system, as well as proposed systems.

One component of field work is observation. This involves a careful, knowledgeable look at people, as well as how items relate to one another. To accurately observe and evaluate, you must have proper training and experience because you need to understand what you are looking for. You must also be familiar with the norms of the organization so that you will recognize what is accepted as usual and what is out of the ordinary.

As you go through the survey, questioning occurs at every stage of the process. This can be in the form of a written questionnaire or through oral interviews. The latter is more difficult because it is hard to find the truth without upsetting people at times. Generally, you are using interview techniques, but if you encounter someone who does not answer questions or is reluctant, you may need to switch to an interrogation mode.

Analyzing a situation involves examining it to discover the truth. You will need to uncover any hidden aspects of the organization to determine an appropriate solution. Verifying is a process to attest to the truth, accuracy, or the validity of things under scrutiny. It is meant to establish the accuracy or truth of something by putting it to the test. This can be done by looking at standards or best practices. Investigation is an inquiry to uncover the facts and obtain evidence to establish the truth. During a survey or investigation, it is not unusual to detect some type of fraud.

One last piece is the evaluation, which essentially is a conclusion or judgment. This is the outcome of weighing the information to determine the adequacy, effectiveness, and efficiency of what has been found. It is one step beyond an opinion—it is the conclusion. Judgment is what gives foundation to a security survey.

When conducting a security survey, a definition and statement of purpose must first be created. When this is accomplished, it brings about a well-thought-out audit to ensure that it is efficiently and economically sound. The statement of purpose gives direction to the survey and helps to avoid any misunderstanding of the process.

Writing a security survey is no easy task, and it takes a lot of practice to be able to write an effective security survey that is both understandable and useful. Being able to write effectively gives a person the ability to communicate well with others. Some will say that fieldwork can be exciting; it can be, but it is also challenging. Having the skills to be able to conduct the survey, investigate, and write a report is not for everyone. A good writer must be someone who has good thinking skills. The survey report must always be clear, concise, complete, accurate, and objective.

All organizations should have a business continuity plan. This is the plan for an organization to be prepared in case of an emergency, whether it is a human-made or a natural disaster. We know that we cannot predict what emergencies will come our way, so the plan should be generic enough to adapt to any possible disaster.

There are four phases to emergency planning: mitigation, preparedness, response, and recovery. As a business continuity plan is designed and implemented, it is used as a planning model for prevention, protection, response, and recovery. If those components are addressed, the security plan can be put into place and used effectively in the event of a disaster.

Mitigation is a process that is used to reduce or eliminate long-term risk to both people and the other assets of an organization. The best way to look at it is as a vulnerability reduction or, essentially, crime prevention. Mitigation is considered a cost-effective process.

Preparedness refers to the steps a person or organization would take to be ready to respond to and survive the effects of a disaster. This is where you need to have your plans and resources in place and be prepared for a disaster. You will need to constantly update and test your organization’s preparedness plan. An effective plan will give you the capability to manage and respond to an incident at any time.

The response to a disaster can have both positive and negative effects on people and an organization. Today, organizations have to respond to threats that they had not encountered before, such as terrorist attacks. Organizations must now be able to respond to myriad potential situations in a positive manner. With these responses, we must be able to reduce not only injuries but also protect assets and mitigate losses for a smooth recovery of business processes. The bottom line is that a response is an action taken to manage, control, or mitigate the effects of an incident. This can be easy or difficult, but either way, the response will be easier for an organization that is prepared.

Recovery basically involves a postdisaster plan. If a disaster does occur, the protocol is to contact regulatory agencies, as well as the Occupational Safety and Health Organization. The recovery plan will give the direction needed to restart the organization and get it back on its feet to reach predisaster levels. Many disasters require an investigation into the cause, as well as into the response to the incident. If necessary, posttraumatic stress counseling should be made available in case of fatalities or major damage. These factors should be part of the basic recovery plan for most large organizations.

The bottom line is to make sure that we are prepared for anything that comes our way or at least attempt to be prepared. There are so many potential human-made and natural disasters that could confront us, and we need to be able to protect the employees and assets of our organization.

When we discuss risk analysis, we must also address business impact, if or when a disaster occurs. This involves establishing the value of an organization—its components and employees. Business impact helps us when we need to discuss recovery and involves financial and other consequences to an organization. We look at how soon an organization can be up and running after a disaster has occurred. We must look at what functions are critical to recovery, as well as understand any risks that may occur for that organization to be up and running. Time is an important issue when establishing business impact. When developing these processes, a cost analysis must be implemented when addressing the business cycle and its revenues. Additionally, impact must be considered both on a departmental level and to the organization as a whole.

As we look at this, we must understand that a business impact analysis identifies the financial, as well as the operational, loss of that organization’s business. No matter the issue, impact objectives must be met. Functions and processes are critical to recovery objectives.

A business continuity plan should be designed with strategies that allow a business to function without any disruption. If a disaster occurs, the organization will want to resume business at its fullest capacity. Even though a business continuity plan is important, the planning process is even more important. All of the components—from risk identification to recovery strategies—lead to a successful recovery plan. A business continuity planning process can be simple; however, the implementation of the plan may be complex and time consuming. The organization must identify its top issues and rank them for importance. Cost-effective strategies must also be viewed to make sure what is being accomplished is cost effective to the organization.

A key issue today is that when a disaster occurs, the organization must respond immediately. The goal is to protect the safety of employees, as well as minimize damage as much as possible. The business is attempting to bring operations back to normal the best and most cost efficient way possible.

No planning efforts for a disaster would be successful unless there is support from upper management. It must be communicated efficiently for all levels to understand that the support is there. This is why it is so important to have response and recovery policies and procedures in place. Do not take for granted that everything will be in place if a disaster occurs. Having the best continuity strategies is the key to an effective recovery method that works for your organization.

Understand that a business continuity plan is a management process that identifies the organization’s critical functions and develops a cost-effective strategy to recover those functions if they are lost or denied. An organization must have the resources needed for this recovery plan through either internal or external resources. If the resources are not present, they must be found and acquired for the welfare of the organization.
