Threat assessment and risk analysis


Acquiring Editor: Tom Stover

Editorial Project Manager: Hilary Carr

Project Manager: Priya Kumaraguruparan

Cover Designer: Mark Rogers

Butterworth Heinemann is an imprint of Elsevier

The Boulevard, Langford Lane, Kidlington, Oxford OX5 1GB, UK

225 Wyman Street, Waltham, MA 02451, USA

Copyright © 2016 Elsevier Inc. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher’s permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions

This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).

Notices

Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary.

Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.

To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.

ISBN: 978-0-12-802224-5

British Library Cataloguing-in-Publication Data

A catalogue record for this book is available from the British Library.

Library of Congress Cataloging-in-Publication Data

A catalog record for this book is available from the Library of Congress.

For information on all Butterworth Heinemann publications visit our website at http://store.elsevier.com/

Threat Assessment and Risk Analysis. © 2014 2016 Elsevier Inc. All rights reserved.

Chapter Outline

Homeland Security Platform 2

Risk Analysis and Management for Critical Asset Protection 4

Asset Characterization and Screening 5

Homeland Security Act of 2002 6

Homeland Security Presidential Directives 7

Abstract

The Department of Homeland Security (DHS) has set the framework and best practices for all security professionals. This chapter outlines different parts of the DHS organization and the importance of each area of homeland security risk management. Central to this policy are the premises that security partners can most effectively manage risk by working together and that management capabilities must be built, sustained, and integrated with federal, state, local, tribal, territorial, nongovernmental, and private sector homeland security partners. Although successful integration requires implementation across the entire homeland security enterprise, the DHS plays an essential role in leading the unified effort to manage risks to the nation from a diverse and complex set of hazards, including acts of terrorism, natural and human-made disasters, pandemics, cyber attacks, and transnational crime.

DOI: http://dx.doi.org/10.1016/B978-0-12-802224-5.00001-4

Chapter 1: Introduction to the Department of Homeland Security

Introduction

The Department of Homeland Security (DHS) has set the framework and best practices for all security professionals. This chapter outlines different parts of DHS and the importance of each area of homeland security risk management. According to the Homeland Security Risk Management Doctrine:

…In May 2010, the Secretary of Homeland Security established a Policy for Integrated Risk Management (IRM). Central to this policy is the premise that security partners can most effectively manage risk by working together, and that management capabilities must be built, sustained, and integrated with Federal, state, local, tribal, territorial, nongovernmental, and private sector homeland security partners.

While successful integration requires implementation across the entire homeland security enterprise, the Department of Homeland Security (DHS) plays an essential role in leading the unified effort to manage risks to the Nation from a diverse and complex set of hazards, including acts of terrorism, natural and manmade disasters, pandemics, cyber attacks, and transnational crime.1

Homeland Security Platform

Before learning about risk itself, it is a good idea to understand how everything is placed together to form the mindset of risk analysis and organizational security. Terrorism has been around for at least hundreds, if not thousands, of years, and we have all read about terrorist attacks around the world and the destruction caused and lives they have taken. But not until the 1993 World Trade Center bombing did Americans realize that terrorism could be directed against us and even occur on our own soil. This definitely should have been a wakeup call; however, it was not until the September 9/11 bombings that we realized that international terrorism is as much of a threat as domestic terrorism. Intelligence agencies across the world failed to protect us, and nearly 3000 lives were taken in an act that should have been prevented.

1 Beers, 2011.

Keywords: Department of Homeland Security (DHS), Central Intelligence Agency (CIA), Federal Bureau of Investigation (FBI), Transportation Security Administration (TSA), Risk Analysis and Management for Critical Asset Protection (RAMCAP), asset characterization, threat characterization, consequence, vulnerability, threat, risk, Homeland Security Act of 2002, Homeland Security Presidential Directives (HSPD), National Incident Management System (NIMS), Federal Emergency Management Agency (FEMA), National Continuity Policy

More lives would have been lost if it were not for Rick Rescorla, director of security for Morgan Stanley, who made employees working in the Twin Towers at the World Trade Center practice an emergency evacuation plan on a monthly basis, for years prior to the attack. His forethought singlehandedly saved all of his employees’ lives, yet he died in the attacks. At least one person tried to be prepared for such a horrific event.

As a result of this event, we realized not only that our intelligence community was not prepared to protect our nation but also that our law enforcement community had not been informed of the terrorist activity leading up to the attacks.

The 19 terrorists involved in the bombings had performed their own due diligence regarding soft and hard areas to attack that would make an immediate impact on this country without being noticed. We discovered that the terrorists lived in the Las Vegas, Nevada, area for months in hopes of attacking the city and placing stress on the city’s financial sector. However, they learned that Las Vegas was an expendable money city, and an attack would not be financially crippling. During this time, terrorists were stopped by local and state police for traffic violations, but there was no hint of any terrorist activity or movement. The 9/11 attack could have been stopped if our intelligence community had obtained information on these activities. However, this was not the case, and the attacks showed other countries our vulnerabilities and incapability to handle such events on our own soil.

The U.S. DHS was created and founded on November 25, 2002, in response to the 9/11 attacks. This agency’s purpose is to protect the homeland of the United States and U.S. territories. DHS is one of the most important agencies in the country because it is responsible for responding to terrorist attacks, natural disasters, and man-made accidents. Before the attacks on 9/11, most of the U.S. population believed that we were unbeatable and unaffected by attacks occurring in other countries. The 9/11 attacks opened many Americans’ eyes—and the federal government’s—to our vulnerability.

The DHS was created to thwart further attacks on the United States and its territories. Before 9/11, most local, state, and federal agencies did not communicate with each other to share information about illegal activities, let alone terrorists’ movements. These were agencies such as the Central Intelligence Agency (CIA); Federal Bureau of Investigation (FBI); and Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF). Prior to 9/11, limited information was shared between agencies on terrorist activities or the collaboration of terrorist investigations. If more information had been shared, the 9/11 attacks might not have occurred.

The DHS was put into place as an effort to centralize all information-sharing initiatives from agencies, such as the FBI, CIA, ATF, and other defense agencies within the United States. The intent was to defend our borders more effectively against further attacks. Some have questioned the effectiveness of DHS because we have not had another foreign terrorist attack on US soil, but others suggest this is due to the presence of this department and that it has worked to plan.

The American people have noticed some inconsistencies in the DHS approach to national security (e.g., changes in the Transportation Security Administration [TSA] procedures). However, changes are constantly being made in the hopes of seeing examples of proper protection of this nation. Although our efforts need to be accurate 100% of the time, a terrorist attack only has to be right once for a disaster to occur.

Risk Analysis and Management for Critical Asset Protection

Another framework to address is Risk Analysis and Management for Critical Asset Protection (RAMCAP). RAMCAP is used for risk analysis and management associated with terrorist attacks on critical infrastructure assets. RAMCAP provides users with a consistent and sound methodology to identify, analyze, qualify, and communicate the various characteristics and impacts terrorists may use to identify targets and methods of attack. This process is primarily used to identify security vulnerabilities, but it also provides methods to evaluate what can be done to improve these weaknesses.

RAMCAP is simple, yet transparent, and an effective tool to help our nation’s critical infrastructure sectors, whether public or private. It allows us to compare and contrast risks at any level or in any sector and is adaptable to the strengths and weaknesses presented. It looks at alternative pathways to achieve objectives needed for a positive result. This process can be used by business owners and operators to assess the consequences and vulnerabilities related to terrorist attacks on their infrastructures. It can also give them the guidance to assess and evaluate risk through a common framework, and it provides an efficient mechanism to both the public and private sectors to report risks to DHS. This reporting is an important issue because it gives the baseline for risk assessment and the tools needed to protect our critical infrastructure. These efforts will foster the development and distribution of more refined methods for improving the quality and consistency of risk assessment.

If we look back, even before the 9/11 attacks, risk analysis methods were used in the past; however, after the attacks, they were used even more but not to the extent that we had expected. Both the public and private sectors have used RAMCAP based on the aspects of applying risk to terrorism and homeland security. The RAMCAP methods were developed for the application of protecting our critical infrastructure by using a general and broad-based approach.

RAMCAP has both a qualitative and quantitative framework and is intended to incorporate a cooperative effort with both the public and private sectors. Each partner, no matter what the level, has different goals, and by working together, each participant has information that is valuable to the others. No sector is in the position to know all of another’s vital information, even that which is important to risk assessment. The same goes for any facility or system in understanding the intentions or capabilities of a terrorist movement. By working together and sharing information and knowledge through the use of RAMCAP, participants are able to achieve their goals. At any time, RAMCAP can assist with all different types of processes needed to gain the results important to a terrorist movement.

RAMCAP is comprised of six interrelated steps of analysis. They are as follows.

Asset Characterization and Screening

Asset characterization and screening is analysis of a facility’s or system’s operational process for the identification of critical assets and hazards while performing a preliminary evaluation of a terrorist act.

Threat Characterization

Threat characterization is the identification of specific and general aspects of a terrorist attack on a given target. DHS has compiled a set of baseline threats that are evaluated for each asset or system. Known threats are formed by the collaborative activities of law enforcement agencies and intelligence organizations that are in charge of understanding the means, methods, and motivations of terrorists. This evaluation is based on the various types of threats that are present. These partners can then apply these threats to the facility or system based on knowledge of those assets. Not all threats result in the formation of assets.

Consequence Analysis

Consequence analysis is the identification of the worst consequences that could be generated by a certain threat. This step looks at facility and system design, layout, and operations to identify the types of consequences that could result. These consequences can be qualified as financial costs, as well as fatalities and injuries. They can also cause psychological impacts and effects on our nation.

Vulnerability Analysis

Vulnerability analysis is the determination of the likelihood of a successful attack by using certain threats on an exact asset. This process involves the evaluation of security capabilities, countermeasures, and mitigation in the effort to lessen the probability of a successful attack.

Threat Assessment

Threat assessment involves two steps. The first is the evaluation of asset attractiveness and a full threat assessment. This asset assessment is perceived to give value to terrorist attacks on a given facility or system and the value of deterrence on that target. These assessments are made by the owner or operators of that target. The threat assessment is conducted by DHS as it looks at how attractive a target is and at terrorists’ capabilities and intent.

Risk Assessment

Risk assessment is a systematic and comprehensive evaluation of previously developed data that was gathered for a specific facility or system. The partners create a foundation for the selection of strategies and tactics to defend against terrorism on any level.

Risk management is a deliberate process of understanding risk and making a decision on implementing a plan to achieve an acceptable level of risk at a cost. Risk management includes identification, evaluation, and the control of risk to the level of accepted value. Many assets are considered critical to DHS, and those organizations that are required to follow federal compliance policies are required to complete a vulnerability assessment. This depends on a conditional risk assessment that an attack will occur. All data are gathered and evaluated for possible deterrence of future potential attacks. From this process, DHS has the information needed to effectively allocate proper resources for risk reduction of terrorism on a national scale.

Homeland Security Act of 2002

The primary purposes of the creation of the Homeland Security Act were to prevent terrorist attacks within the United States, reduce the vulnerability of the United States to terrorism, and minimize the damage and assist with the recovery from any attack on our soil.

Based on the Homeland Security Act of 2002, Congress created a standalone entity to unify our national homeland security efforts. DHS was created through 22 different agencies within the federal government. Shortly after the 9/11 attacks, Tom Ridge was appointed the first director of DHS as the office coordinated efforts in protecting our country through a comprehensive strategy against terrorism and other attacks. DHS officially opened its doors on March 1, 2003. On February 15, 2005, former DHS Secretary Michael Chertoff initiated a Second Stage Review to evaluate DHS’s operations, policies, and procedures. More than 250 members of the organization and 18 action teams contributed to the effort. The teams also worked with public and private sector partners, which resulted in a significant reorganization of the department.

In 2010, Secretary Janet Napolitano completed the first ever Quadrennial Homeland Security Review, which created a more unified, strategic framework for homeland security missions and goals. When this occurred, DHS conducted a bottoms-up review to align all departments with the missions and goals that had been put into place. With this review, all of the public and private sector partners were brought together for a better understanding of a unified approach to national security, with the primary purpose of protecting our homeland.

Homeland Security Presidential Directives

Homeland Security Presidential Directives (HSPD) are issued by the presiding president on issues regarding homeland security. There are presently three directives affecting the role of our emergency response system. The following are some of the 25 directives that have been issued:

1. HSPD-5: The Management of Domestic Incidents establishes a single, comprehensive National Incident Management System (NIMS) and National Response Framework.

2. HSPD-7: Critical Infrastructure Identification, Prioritization and Protection requires federal agencies to coordinate the protection of crucial infrastructure and other key resources. For example, the Environmental Protection Agency (EPA) is responsible for our drinking water and water treatment systems.

3. HSPD-8: National Preparedness directs the federal government’s agencies and departments to be prepared and able to respond to national direct attacks where they occur in the United States. The Federal Emergency Management Agency (FEMA) provides assistance when needed.

4. HSPD-9: Defense of United States Agriculture and Food establishes a national policy to defend the agriculture and food system against terrorist attacks, disasters, or any other emergency that may occur. The EPA and other federal agencies are tasked with developing and enhancing intelligence operations, focusing on the agriculture, food, and water sectors. Surveillance and monitoring systems are put into place for the development of effective countermeasures.

5. HSPD-10: Biodefense for the 21st Century involves coordination with federal agencies in developing strategies and guidelines for response to and recovery from biological weapons attacks.

6. HSPD-12 is a policy for a Common Identification Standard for Federal Employees and Contractors. This is a process whereby a standard is set for secure and reliable identification processes for federal employees and contractors.

7. HSPD-14: Domestic Nuclear Detection coordinates efforts to protect our nation against dangers from nuclear and radiologic materials.

8. HSPD-20: The National Continuity Policy was established as a national policy on the continuity of our nation’s agencies and operations after an emergency. Federal agencies need to have a continuity of operations plan in place.

9. HSPD-23: The Cyber Security Initiative requires federal agencies to monitor cyber activity against federal agencies’ computer systems and to plan efforts to eliminate sources of hostile actions.

Chapter Outline

Legal Risk (Information Security) 19

ISO 17799 and BS 7799: The Key Components of the Standard 20

Information Security Policy for the Organization 20

Creation of Information Security Infrastructure 20

Asset Classification and Control 20

Personnel Security 20

Physical and Environmental Security 21

Communications and Operations Management 21

Access Control 22

System Development and Maintenance 22

Business Continuity Management 23

Compliance 23

Reputational Risk 23

Managing Reputational Risk 23

Abstract

In this chapter, you will learn that security in any system should be commensurate with its risks. However, the process to determine which security controls are appropriate and cost effective is quite often a complex and sometimes a subjective matter. One of the prime functions of security risk analysis is to put this process into a more objective basis. Risk management is a process used to implement security measures to reduce risks to a reasonable and acceptable level. Every organization should have some form of risk management in place to adequately protect its assets. Risk management studies the risk, vulnerabilities, and threats to any asset that an organization faces. Risk management can be used to address all the different hazards that an organization could potentially face. It is not only used for protection against human-made attacks; it is also used to protect against naturally occurring events such as tornadoes, hurricanes, and other natural disasters.

Keywords: risk management, asset assessment, operational risk, business continuity, risk assessment, criticality, operational risk, legal risk, access control, physical security, business continuity, compliance, reputational risk

DOI: http://dx.doi.org/10.1016/B978-0-12-802224-5.00002-6

Chapter 2: What is Risk?

Introduction

Risk is the potential for an adverse outcome assessed as a function of threats, vulnerabilities, and consequences associated with an incident, event, or occurrence. “Risk management” is defined by Department of Homeland Security (DHS) as the process by which society attempts to reduce risk “to an acceptable level at an acceptable cost.”1

Risk is uncertainty.

Understanding Physical Security Risk

To understand how to perform an enhanced threat and risk assessment, it is important to understand the different areas that make up the actual process. In this text, the process is broken down into the different sections:

● Risk

● Threat

● Vulnerability

● Consequence

Risk management is a process used to implement security measures to reduce risks to a reasonable and acceptable level. Every organization should have some form of risk management in place to adequately protect their assets. Risk management studies the risk, vulnerabilities, and threats to any asset that an organization faces. Risk management can be used to address all the different hazards that an organization could potentially face. It’s not only used for protection against human-made attacks, but it is also used to protect against naturally occurring events such as tornadoes, hurricanes, and other natural disasters. This tool is used to manage risk to an acceptable level while remaining an affordable cost. Like everything else in the world, risk management does not come without a price. Having an effective risk management plan comes with a price, but by following our steps, you can have a cost-effective plan.

1 Schanzer and Eyerman, 2010.

There are five main steps to risk management:

1. Asset assessment: Determine the value of your assets that require protection. This can be anything that possesses a value to your organization, including your staff, information, hardware, and software. Identify undesirable events and expected impacts and value and prioritize assets based on consequence of loss.

2. Assess threats: Identify threat categories and adversaries, assess intent of each of your adversaries, assess capabilities of each of your adversaries, determine the history of past incidents, and estimate the threat related to each valued asset.

3. Assess vulnerabilities: Identify vulnerabilities of assets relative to undesirable events, identify existing countermeasures and their level of effectiveness in mitigating vulnerabilities, and estimate degree of vulnerability of each asset from related threat.

4. Assess risk: Estimate the degree of impact relative to each valued asset, estimate the likelihood of an attack by a potential adversary, estimate the likelihood that an adversary will be successful in their attack, determine the potential risk, and prioritize risk based on asset value.

5. Determine countermeasure options: Identify all potential countermeasures, identify countermeasures’ benefits in terms of risk reduction, identify countermeasure costs, prioritize options, and prepare a recommendation to the decision maker. The main goal of risk management is to prevent adversaries from exploiting organizations’ vital assets.

One formula that is used in risk management is as follows:

Risk = Threat × Vulnerability × Consequence

Organizations need to decide if they want to effectively manage risk or have a risk averse approach. Whereas risk averse is when you are always addressing the worst-case scenario, risk management allows you to prioritize and address certain risks that could be detrimental to an operation.

At the beginning of the book, we discussed what risk was. Going forward, we will take a look at what equals risk.

Risk has many interpretations and the term is often used to describe dangers or threats to a particular person, environment, or business. The following is just one definition:

Understanding risk includes understanding of the different elements and how they fit together. For example, considerations from a business perspective may include:

● What are the different types of threats to the organization?

● What are the organization’s assets that need protecting from the threats?

● How vulnerable is the organization to different threats?

● What is the likelihood that a threat will be realized?

● What would be the impact if a threat were realized?

● How can the organization reduce the likelihood of a threat being realized or reduce the impact if it does occur?

Asset: People, property, and information. People may include employees and customers along with other invited persons such as contractors or guests. Property assets consist of both tangible and intangible items that can be assigned a value. Intangible assets include reputation and proprietary information. Information may include databases, software code, critical company records, and many other intangible items.

An asset is what we’re trying to protect.

Threat: Anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset.

A threat is what we’re trying to protect against.

Vulnerability: Weaknesses or gaps in a security program that can be exploited by threats to gain unauthorized access to an asset.

A vulnerability is a weakness or gap in our protection efforts.

Risk: The potential for loss, damage, or destruction of an asset as a result of a threat exploiting a vulnerability.

Risk is the intersection of assets, threats, and vulnerabilities.

Why is it important to understand the difference between these terms? If you don’t understand the difference, you’ll never understand the true risk to assets. You see, when conducting a risk assessment, the formula used to determine risk is a function of threats exploiting vulnerabilities to obtain, damage, or destroy assets. Thus, threats (actual, conceptual, or inherent) may exist, but if there are no vulnerabilities, then there is little or no risk. Similarly, you can have vulnerability, but if you have no threat, then you have little or no risk. Accurately assessing threats and identifying vulnerabilities are critical to understanding the risk to assets. Understanding the difference among threats, vulnerabilities, and risk is the first step.
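To make the formula Risk = Threat × Vulnerability × Consequence and the five-step process above concrete, here is an added worked example in Python; it is not from the book, and every asset name, rating and cost in it is constructed, as is the ordinal 1 to 5 rating scale it assumes. It scores a small asset register, shows that a high-threat asset with no exploitable vulnerability carries no risk (the point just made), ranks assets by risk, and compares countermeasure options by risk reduction per unit cost as in step 5.

```python
"""Added worked example (not from the book): score a constructed asset register with
Risk = Threat x Vulnerability x Consequence and rank countermeasures by risk reduction
per unit cost, following the five-step process.  All names, ratings and costs are
constructed for illustration; the 1..5 ordinal scale is an assumption of this example."""
from dataclasses import dataclass

SCALE_MAX = 5  # ratings are ordinal 1..5; vulnerability may also be 0 (no exploitable weakness)


def is_valid_rating(value: int, low: int) -> bool:
    """True when value lies on the ordinal scale low..SCALE_MAX."""
    return isinstance(value, int) and low <= value <= SCALE_MAX


def risk_score(threat: int, vulnerability: int, consequence: int) -> int:
    """Step 4: the book's formula.  Out-of-range ratings are rejected so a typo
    such as V=30 cannot silently dominate the register."""
    for value, low, label in ((threat, 1, "threat"),
                              (vulnerability, 0, "vulnerability"),
                              (consequence, 1, "consequence")):
        if not is_valid_rating(value, low):
            raise ValueError(f"{label} rating {value!r} outside {low}..{SCALE_MAX}")
    return threat * vulnerability * consequence


@dataclass(frozen=True)
class Asset:
    name: str
    consequence: int    # step 1: value of the asset / consequence of its loss
    threat: int         # step 2: adversary intent, capability and history
    vulnerability: int  # step 3: weakness left after existing countermeasures

    def risk(self) -> int:
        return risk_score(self.threat, self.vulnerability, self.consequence)


@dataclass(frozen=True)
class Countermeasure:
    name: str
    asset: str
    cost: int                     # constructed cost units
    vulnerability_reduction: int  # points by which it lowers the asset's V


# Constructed sample register.  The payroll server has a credible threat and a
# high consequence but no exploitable vulnerability, so its risk is zero.
ASSETS = [
    Asset("customer database", consequence=5, threat=4, vulnerability=3),
    Asset("building HVAC controller", consequence=2, threat=2, vulnerability=4),
    Asset("payroll server (offline, patched)", consequence=4, threat=3, vulnerability=0),
    Asset("front lobby", consequence=1, threat=5, vulnerability=5),
]

COUNTERMEASURES = [
    Countermeasure("patch and harden database host", "customer database", 10, 2),
    Countermeasure("segment HVAC network", "building HVAC controller", 5, 2),
    Countermeasure("badge readers in lobby", "front lobby", 20, 3),
]


def prioritize(assets):
    """Step 4 (continued): highest risk first, ties broken by consequence."""
    return sorted(assets, key=lambda a: (a.risk(), a.consequence), reverse=True)


def residual_risk(asset: Asset, cm: Countermeasure) -> int:
    """Risk that remains once the countermeasure has lowered the asset's vulnerability."""
    new_v = max(0, asset.vulnerability - cm.vulnerability_reduction)
    return risk_score(asset.threat, new_v, asset.consequence)


def rank_countermeasures(assets, countermeasures):
    """Step 5: risk reduction and reduction per unit cost for each option, best value first."""
    by_name = {a.name: a for a in assets}
    rows = []
    for cm in countermeasures:
        asset = by_name[cm.asset]
        reduction = asset.risk() - residual_risk(asset, cm)
        rows.append({"countermeasure": cm.name, "asset": asset.name,
                     "reduction": reduction, "cost": cm.cost,
                     "reduction_per_cost": reduction / cm.cost})
    return sorted(rows, key=lambda r: r["reduction_per_cost"], reverse=True)


if __name__ == "__main__":
    print("risk  asset (T, V, C)")
    for a in prioritize(ASSETS):
        print(f"{a.risk():4d}  {a.name} ({a.threat}, {a.vulnerability}, {a.consequence})")
    print("\nreduction per cost unit  countermeasure")
    for row in rank_countermeasures(ASSETS, COUNTERMEASURES):
        print(f"{row['reduction_per_cost']:23.2f}  {row['countermeasure']}")
```

Note that the lobby, with the highest threat rating, ranks above the HVAC controller only because of its vulnerability, while the patched payroll server drops out of the ranking entirely; a risk-averse approach that always addresses the worst case would treat all four the same.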

A security threat assessment is a systematic review or analysis conducted by professional security consultants to examine the effectiveness of current security practices. The assessment identifies security deficiencies and includes a review of all security measures presently in place to determine their effectiveness and functionality as well as their usefulness to the overall security effort. After the assessment is completed, recommendations are made to correct deficiencies, mitigate security risks, and protect the organization’s assets. Ideally, these recommendations become the road map that businesses can use to develop security plans as a part of their business plans.

Today’s business world is constantly changing—it’s unpredictable and volatile and seems to become more complex every day. By its very nature, it is fraught with risk.

Historically, businesses have viewed risk as a necessary evil that should be minimized or mitigated whenever possible. In recent years, increased regulatory requirements have forced businesses to expend significant resources to address risk, and shareholders in turn have begun to scrutinize whether businesses had the right controls in place. The increased demand for transparency around risk has not always been met or met in a timely manner, however, as evidenced by the financial market crisis in which the poor quality of underlying assets significantly impacted the value of investments. In the current global economic environment, identifying, managing, and exploiting risk across an organization has become increasingly important to the success and longevity of any business.

Risk assessment provides a mechanism for identifying which risks represent opportunities and which represent potential pitfalls. Done right, a risk assessment gives organizations a clear view of variables to which they may be exposed, whether internal or external, retrospective or forward looking. A good assessment is anchored in the organization’s defined risk appetite and tolerance and provides a basis for determining risk responses. A robust risk assessment process, applied consistently throughout the organization, empowers management to better identify, evaluate, and exploit the right risks for their business, all while maintaining the appropriate controls to ensure effective and efficient operations and regulatory compliance.

For risk assessments to yield meaningful results, certain key

principles must be considered A risk assessment should begin and

end with specific business objectives that are anchored in key value

drivers These objectives provide the basis for measuring the impact

and probability of risk ratings Governance over the assessment

pro-cess should be clearly established to foster a holistic approach and

a portfolio view—one that best facilitates responses based on risk

ratings and the organization’s overall risk appetite and tolerance

Finally, capturing leading indicators enhances the ability to

antici-pate possible risks and opportunities before they materialize With

these foundational principles in mind, the risk assessment process

can be periodically refreshed to deliver the best possible insights

Organizations that vigorously interpret the results of their risk assessment process set a foundation for establishing an effective enterprise risk management program and are better positioned to capitalize on opportunities as they arise. In the long run, this capability will help steer a business toward measurable, lasting success in today’s ever-changing business environment.

Risk Management

Risk management is the identification, assessment, and prioritization of risks (defined in International Organization for Standardization [ISO] 31000 as the effect of uncertainty on objectives) followed by coordinated and economical application of resources to minimize, monitor, and control the probability and impact of unfortunate events.2 Several risk management standards have been developed, including the Project Management Institute, the National Institute of Standards and Technology, actuarial societies, and ISO standards.

Security professionals must remember that risk can be minimized, but it will never be eliminated. Risk assessments are a systematic approach with multiple levels. Is it possible to quantify the process? An organization must consider the possibilities involved in an individual trying to harm an asset or another individual and how the organization will mitigate the consequences of an attack.

More than a decade after the attacks on the World Trade Center, facility executives find themselves increasingly focused on the well-being of tenants and employees when assessing physical risks and weaknesses. This attention to real-world concerns requires a comprehensive planning approach. Today, security safeguards generally fall into one of three categories: physical security, information security, and operational security.

Risk is uncertainty that surrounds actual events and outcomes that may (or may not) take place. The uncertainty surrounds actual events and outcomes for future events and actual events.

Risk management, with regard to physical security, impacts our ability to properly apply and maintain an efficient security plan; even more so, it impacts the protection plan based on the risk assessment completed for the organization.

It is important for organizations to remember to allocate material and funding to protect their most critical assets, whether this is the organizational infrastructure or the personnel.

To prioritize threats, an organization must assess the risks that the company faces and manage those risks by putting their resources to work in the most effective way.

Just as the DHS does not have unlimited resources to protect the nation’s critical infrastructure, neither do organizations, whether they are in the public or private sector. As a result, hard choices have to be made on how resources need to be allocated; this is usually done by using a risk management process that measures risk and can clearly show organizations how they need to spend their money and plan accordingly.

2 Hubbard, 2009.

Regardless of anyone’s political beliefs, Americans want to prevent another terrorist attack from occurring in the United States, and organizations want to protect their assets. In the face of increasingly diffuse threats and adversaries asymmetrically pursuing vulnerable targets, the question is how can we best prevent such attacks?

When an organization prepares to complete a risk assessment and to properly address the risks that are “possible,” the following questions must be included:

● What is the risk (or threat)?

● What are we trying to protect?

● What is the criticality?

● What or who are the potential actors?

● What are the intentions?

● What are the relevant capabilities?

● What are the organization’s fragilities?

● What are the options to eliminate or at least alleviate those weaknesses?

For the purposes of this book, we will define risk management as the identification and management of opportunities and threats.

A fundamental aspect of any organization is that all activities involve risk. Gains can only be realized when risks are taken. Risk management enables organizations to determine the level of risk that will provide the maximum overall gains.

When properly applied, risk management techniques have the potential to increase an organization’s profits over a period by minimizing losses. They allow clear decisions to be made about what level of risk is acceptable and what strategies are most appropriate for dealing with risks. A further benefit of properly applied risk management techniques is that organizations can obtain a significant competitive advantage by minimizing their risk management costs and identifying the real costs and gains of their activities.

Operational Risk

Operational risk deals with the day-to-day risks faced by an organization in areas such as:

● Personnel risk

● Property risk

● Technology risk

● Legal risk

● Regulatory risk

● Reputation risk

Personnel risk deals with the risks that affect the safety or stability of personnel within an organization. The risks associated with the safety of personnel include areas such as workplace accidents. These are generally managed through occupational health and safety management.

Another personnel risk is in the area associated with the value that personnel contribute to an organization and the investment that the organization has put into them. The value includes the experience and training that they have gained, the criticality of their position in the organization, and the cost of replacing the personnel if they leave for any reason.

Property risk generally deals with the fixed assets of an organization and the risks of the value of these assets being diminished. Property risk management works closely in areas such as security and fire management, which deal with direct threats to these assets.

Technology risk, which is often included in property risk, looks at the technology that an organization has and the risks of it being unable to carry out the function for which it was designed. It may include areas such as equipment failures and technology becoming outdated.

Legal risk covers areas such as the legality of contracts and the risks of litigation. This is often a large area for organizations to manage because it is concerned with all contracts such as purchase orders, employment contracts, and major contract agreements.

Regulatory risk deals with the rules that an organization must legally follow during normal operations. It includes areas such as company reports and financial accounting standards. These risks are generally straightforward to manage but may present very high risk if they are incorrectly managed.

Reputation risk is an area that can be very difficult to quantify. The value of an organization is often largely dependent on the value of its goodwill. The goodwill itself is dependent on the organization’s reputation. This area of risk is one that may be very easily damaged through adverse publicity or the efforts of competitors. When attempting to quantify this risk, it is often useful to start by looking at the cost of promotion that would be necessary to recover from a loss in this area.

Many areas contribute to these risks. These are addressed in this book according to traditional areas of responsibility within an organizational structure. These areas include:

● Security

● Fire

● Occupational health and safety

● Payment and processing systems

Security is an area that directly affects the risk areas of personnel, property, and technology. To a lesser extent, it also can include the areas of legal and reputation risk. For example, security may be relevant to personnel in the areas of assault and robbery. It also affects property and technology in the areas of theft and malicious damage. Legal and reputation risks may be affected by security in the area of protecting confidential information.

According to Walker (2001), environmental, health, and safety directly affect personnel, legal, regulatory, and reputation risks. This is also an area where risk management of these areas can provide increases in an organization’s gains. When effective environmental, health, and safety programs are put in place, opportunities also exist to increase staff morale and productivity. An organization’s reputation may also be enhanced through these programs.

Technology failures affect personnel and technology risk. Personnel are affected when technology is linked to staff health and safety. For example, the failure of a piece of technology may cause industrial accidents or fires. Technology risk is affected if the failure leads to a loss of production.

Natural disasters can directly affect personnel, property, technology, and reputation. When a natural disaster such as a flood or earthquake occurs, the effect on these areas may be enough to put an organization out of operation. Natural disasters may not be able to be accurately predicted, but organizations can take steps to minimize their exposure to them and manage the consequences if they do occur.

Industrial relations are an area of risk that affects personnel and reputation. Industrial relations are often concerned with maintaining low staff costs. However, a risk management approach also takes into account other costs and benefits. The cost of staff replacement through resignations is one of the areas that risk management can address. Whenever a person in an organization is replaced, there are significant costs associated with recruitment and training of new staff. There are also costs associated with low staff productivity caused by low morale or lack of experience. Good industrial relations minimize these risks and can provide an organization with a competitive edge through low staff replacement costs and highly experienced staff.

Litigation or legal risk is an area where an organization can benefit from a risk management approach. When faced with a legal claim, executive management needs to decide if it is going to defend the claim or negotiate a settlement. Risk management tools can assist in this decision-making process.3

Legislative compliance is an area where organizations need to continuously monitor changes to minimize their exposure to losses. Legislation is an area that constantly changes, and it is possible for an organization to have procedures and contracts in place that are out of date. For example, health and safety legislation may change and impose new standards of managing workplace risks. If the new standards are not implemented in an organization and a workplace accident occurs, then significant penalties may be imposed on the organization and its management. Legislation may also change in more complex areas such as the requirements of business loans. Failure to comply with new legislation in this area may result in debtors not having to repay interest on loans. Naturally, this is an area of significant interest to financial institutions.

Day-to-day business activities have risks in areas such as contracts and the estimation of time and material costs. Risk management of these areas has the potential to make significant improvements in an organization’s profitability. If, for example, an organization is experiencing continual losses in a particular area, it may be partly attributable to inappropriate management of the risks. By applying risk management techniques, it may be possible for an organization to define what activities or projects it should participate in, which ones it should outsource, and which ones it should avoid altogether.

Finally, payment and processing system errors contribute to losses and are also an area of interest to operational risk.

Although we have discussed operational risk in the context of a number of classifications, it is important to remember that they are all interconnected. If the risks are treated in isolation, then conflicts and inefficiencies may arise. This is often seen in the areas of security and fire, for example. Whereas the needs of security may be for locked doors, fire safety may require the doors to be left unlocked.

By taking an overall operational risk management perspective, these risks can be prioritized and treated accordingly. An overall perspective can also provide opportunities for treating a number of risks in a single manner. A particular area of an organization may have significant security risks associated with poor industrial relations. Instead of investing in costly security measures, an outsource strategy may address both risks at once and provide higher benefits at lower cost.

3 Walker, 2001.

Treating risks with an overall operational risk perspective also allows organizations to maximize the effectiveness of their current resources. When developing risk management strategies, the human, technological, and physical resources of the organization may be applied. An overall perspective allows the most appropriate resources to be used in the most appropriate manner. This is an area where significant cost savings in managing risks may be available.

Operational risk management is an area where organizations have the opportunity of turning losses into profits. It provides the tools needed to do this.

A major challenge in operational risk is the quantification of the value at risk. The historical data necessary for quantifying the value at risk are far more fragmented in operational risk than in the areas of market or credit risk. As a result, operational risks are often measured in terms of high- or low-risk priority ratings. However, the data necessary for making quantitative operational risk measurements are available in most cases but require significant research to collate and evaluate.

When we examine the entire operational risks of an organization, it is necessary to also look at the areas of credit, market, and strategic risk. Although this book deals with operational issues, all risks facing an organization are interrelated. It is important to remember that the different categories of risk are only management definitions to enable effective application of staff skills within an organizational structure. For example, a major operational project such as a building construction or a technology implementation will come across issues of finance (including credit risk); the stability of the financier (market risk issues); strategic risk; and, of course, the operational risk issues associated with contracts and costs.

The areas of risk management are often isolated functions within large organizations, both structurally and strategically. It may be argued that to achieve the full benefits from risk management techniques, these areas be combined within an organization’s structure.

Legal Risk (Information Security)

Outside of the individual state laws and industry-specific laws and regulations, there are a number of different physical security laws and regulations that organizational management and security professionals need to keep in mind when they are completing assessments.

Although this book does not focus on information security, protecting the key asset of an organization’s network is beneficial for the survival of a company both in prevention and during an incident. ISO 17799 and BS 7799 are guides to making sure an organization is in compliance with federal laws and regulations.

ISO 17799 and BS 7799: The Key Components of the Standard

BS 7799 specifies requirements for establishing, implementing, and documenting an information security management system. The standard has 10 domains that address key areas of information security management.4

Information Security Policy for the Organization

This activity involves a thorough understanding of the organization’s business goals and its dependence on information security. This entire exercise begins with creation of an information technology (IT) security policy. This is an extremely important task and should convey total commitment of top management. The policy cannot be a theoretical exercise. It should reflect the needs of the actual users. It should be implementable and easy to understand and must balance the level of protection with productivity. The policy should cover all of the important areas such as personnel, physical, procedural, and technical.

Creation of Information Security Infrastructure

A management framework needs to be established to initiate, implement, and control information security within the organization. This needs proper procedures for approval of the information security policy, assigning of the security roles, and coordination of security across the organization.

Asset Classification and Control

One of the most labor-intensive but essential tasks when completing asset classification is to manage an inventory of all IT assets. These assets may include information assets, software assets, physical assets, or other similar services. These assets need to be classified to indicate the degree of protection. The classification should result in appropriate categorization to indicate whether an asset is sensitive or critical and which procedure is appropriate for copying, storing, transmitting, or destroying the information asset.

Personnel Security

Human errors, negligence, and greed are responsible for most thefts, frauds, and misuse of facilities. Various proactive measures that should be taken are to establish personnel screening policies, confidentiality agreements, terms and conditions of employment, and information security education and training. Alert and well-trained employees who are aware of what to look for can prevent security breaches.

4 Mukund, NA.

Physical and Environmental Security

Designing a secure physical environment to prevent unauthorized access and damage and interference to business premises and information is usually the beginning point of any security plan. This involves physical security perimeter; physical entry control; creating secure offices, rooms, and facilities; providing physical access controls; providing protection devices to minimize risks ranging from fire to electromagnetic radiation; and providing adequate protection to power supplies and data cables. Cost-effective design and constant monitoring are two key aspects of maintaining adequate physical security control.

Communications and Operations Management

Properly documented procedures for the management and operation of all information processing facilities should be established. This includes detailed operating instructions and incident response procedures.

Network management requires a range of controls to achieve and maintain security in computer networks. This also includes establishing procedures for remote equipment, including equipment in user areas. Special controls should be established to safeguard the confidentiality and integrity of data passing over public networks. Special controls may also be required to maintain the availability of the network services.

Exchange of information and software between external organizations should be controlled and should be compliant with any relevant legislation. There should be proper information and software exchange agreements; the media in transit need to be secure and should not be vulnerable to unauthorized access, misuse, or corruption.

Electronic commerce involves electronic data interchange, electronic mail, and online transactions across public networks such as the Internet. Electronic commerce is vulnerable to a number of network threats that may result in fraudulent activity, contract disputes, and disclosure or modification of information. Controls should be applied to protect electronic commerce from such threats.

Access Control

Access to information and business processes should be controlled according to the organization’s operations and security requirements. The areas of focus may include:

● Defining access control policy and rules

● User access management

● User registration

● Privilege management

● User password use and management

● Review of user access rights

● Network access controls

● Enforcing the path from the user terminal to the computer

● User authentication

● Node authentication

● Segregation of networks

● Network connection control

● Network routing control

● Operating system access control

● User identification and authentication

● Use of system utilities

● Application access control

● Monitoring system access and use

● Ensuring information security when using mobile computing and teleworking facilities
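As an added illustration of two items on this list, privilege management and review of user access rights, the following is example code written for this page (it is not from the book or from ISO 17799/BS 7799). The role baseline, privilege names, HR roster and account inventory are all constructed sample data; the four checks it runs (leavers still active, privileges beyond the role baseline, roles with no baseline, and privileged accounts that have gone unused) are the ones a periodic access review would normally report.

```python
"""Periodic review of user access rights: constructed example, not from the book or the standard.

Compares an access inventory with a per-role privilege baseline and the HR
roster and reports what a reviewer needs to act on: leavers whose accounts are
still active, privileges beyond the role's baseline, roles without a baseline,
and privileged accounts that have gone unused.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Account:
    user_id: str
    role: str                    # role recorded in HR
    privileges: frozenset        # privileges actually granted on the systems
    last_login: Optional[date]   # None means the account has never been used
    active_in_hr: bool           # False once HR has processed the leaver


@dataclass(frozen=True)
class Finding:
    user_id: str
    issue: str
    detail: str


# Constructed baseline: the privileges each role needs and nothing more.
ROLE_BASELINE = {
    "accounts-clerk": frozenset({"erp.read", "erp.post-invoice"}),
    "sysadmin": frozenset({"erp.read", "os.admin", "db.admin"}),
    "helpdesk": frozenset({"erp.read", "user.reset-password"}),
}
# Privileges whose holders get the stricter dormancy check (constructed list).
PRIVILEGED = frozenset({"os.admin", "db.admin", "erp.approve-payment"})


def review_access(accounts, baseline, privileged, review_date, dormant_days=90):
    """Run the four checks over every account and return findings in account order."""
    findings = []
    for acct in accounts:
        if not acct.active_in_hr:
            # A leaver keeping any access is reported on its own; nothing else matters for it.
            findings.append(Finding(acct.user_id, "leaver-still-active",
                                    "not on HR roster, still holds " + ", ".join(sorted(acct.privileges))))
            continue
        allowed = baseline.get(acct.role)
        if allowed is None:
            findings.append(Finding(acct.user_id, "unknown-role", f"role '{acct.role}' has no baseline"))
        else:
            excess = acct.privileges - allowed     # least privilege: anything beyond the role's need
            if excess:
                findings.append(Finding(acct.user_id, "excess-privilege", ", ".join(sorted(excess))))
        if acct.privileges & privileged:
            if acct.last_login is None:
                findings.append(Finding(acct.user_id, "dormant-privileged", "never logged in"))
            else:
                idle = (review_date - acct.last_login).days
                if idle > dormant_days:
                    findings.append(Finding(acct.user_id, "dormant-privileged",
                                            f"last login {acct.last_login}, {idle} days ago"))
    return findings


# Constructed inventory (sample data only).
ACCOUNTS = [
    Account("alice", "accounts-clerk", frozenset({"erp.read", "erp.post-invoice"}), date(2016, 3, 1), True),
    Account("bob", "accounts-clerk", frozenset({"erp.read", "erp.post-invoice", "erp.approve-payment"}),
            date(2016, 3, 2), True),
    Account("carol", "sysadmin", frozenset({"erp.read", "os.admin", "db.admin"}), date(2015, 10, 15), True),
    Account("dave", "helpdesk", frozenset({"erp.read", "user.reset-password"}), date(2016, 3, 10), False),
    Account("svc_backup", "service", frozenset({"os.admin"}), None, True),
]
REVIEW_DATE = date(2016, 3, 15)


def run_review():
    """Findings for the constructed inventory at the constructed review date."""
    return review_access(ACCOUNTS, ROLE_BASELINE, PRIVILEGED, REVIEW_DATE)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.user_id:12} {f.issue:22} {f.detail}")
```

The review reports bob for holding approval rights his clerk role does not need (a segregation-of-duties problem as much as a least-privilege one), carol for a privileged account unused for 152 days, dave for an account that outlived his employment, and the service account both for having no baseline role and for never having been used. Alice, whose access matches her role, produces nothing.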

System Development and Maintenance

Security should ideally be built at the time of inception of a system. Hence, security requirements should be identified and agreed on before the development of information systems. This begins with security requirements analysis and specification and providing controls at every stage (i.e., data input, data processing, data storage, and retrieval and data output). It may be necessary to build applications with cryptographic controls. There should be a defined policy on the use of such controls, which may involve encryption, digital signatures, use of digital certificates, protection of cryptographic keys, and standards to be used for cryptography.

A strict change control procedure should be in place to facilitate tracking of changes. Any changes to operating systems or software packages should be strictly controlled. Special precautions must be taken to ensure that no covert channels, back doors, or Trojans are left in the application system for later exploitation.

Business Continuity Management

A business continuity management process should be designed, implemented, and periodically tested to reduce the disruption caused by disasters and security failures. This begins by identifying all events that could cause interruptions to business processes and, depending on the risk assessment, preparation of a strategy plan. The plan needs to be periodically tested, maintained, and reassessed based on changing circumstances.

Compliance

It is essential that strict adherence is observed to the provision of national and international IT laws pertaining to intellectual property rights, software copyrights, safeguarding of organizational records, data protection and privacy of personal information, prevention of misuse of information processing facilities, regulation of cryptographic controls, and collection of evidence.

Reputational Risk

How much is your reputation worth? How much should a company spend to protect its reputation? The threat to a company’s good name can happen to any organization no matter how big or small. Reputational risk can be caused by the company itself as a result of the employees or investors or by a product produced by the company. It is important that the organization follows best practices and is socially and environmentally conscious to protect its reputation.

Managing Reputational Risk

Reputation risk is the current and prospective impact on earnings and enterprise value arising from negative stakeholder opinion. According to Koenig (2012), it is “the loss of the value of a brand or the ability of an organization to persuade.”5

5 Koenig, 2012.

3

RISK ANALYSIS

Gregory Allen

CHAPTER OUTLINE

Introduction 25

Physical Security Risk Assessments 27

Risk Assessment Method 28

Benefits of Security Assessments 31

Executive Management Role in Risk Analysis 32

Abstract

Security in any system should be commensurate with its risks. However, the processes to determine which security controls are appropriate and cost effective are quite often a complex and sometimes a subjective matter. One of the prime functions of security risk analysis is to put this process onto a more objective basis. Every organization should consider what types of risk assessments are relevant to its objectives. The scope of risk assessment that management chooses to perform depends on priorities and objectives. It may be narrow and specific to a particular risk and the industry (e.g., financial, energy, transportation).

Keywords: quantitative risk, qualitative risk, physical security, risk assessment method (RAM), National Infrastructure Protection Plan (NIPP), security survey, security audit, investigation, recovery, business continuity plan, risk analysis, risk identification, loss, security survey, emergency planning

Threat Assessment and Risk Analysis. DOI: http://dx.doi.org/10.1016/B978-0-12-802224-5.00003-8

Introduction

In any system, security should be commensurate with risks. However, the process to determine which security controls are appropriate and cost effective is quite often a complex, and sometimes subjective, matter. One of the prime functions of security risk analysis is to approach this task objectively.

Every organization should first consider its objectives in order to determine relevant risk assessments to use. The scope of risk assessment that management chooses to perform depends on business priorities and objectives. For instance, a company may choose a broad risk assessment, or it might choose a narrow assessment that is specific to a particular risk within the industry (e.g., financial, energy, transportation).

From a business perspective, risk analysis is defined as a technique used to identify and assess factors that may jeopardize the success of a project or achievement of a goal. Risk assessment can also help define preventive measures to reduce the probability of these factors occurring and to identify countermeasures to successfully address them when they do occur.

Risk analysis is a systematic process of determining the uncertainties and risks encountered in business. The process identifies organizational risks, allowing the business to understand how and when they arise and to estimate the impact they may have. After a risk has been determined, action can be taken to mitigate the risk and create a successful outcome. Some businesses face risks daily. Looking at how often your organization may face identified risks is a crucial step.

Risk can be interpreted as anything that disrupts business or potentially alters a business outcome. To determine a risk, you must first understand the risk and the impact it can have. With quantitative risk analysis, you are estimating the risk and the impact, as well as the probability of risk occurrence.

The underlying goal is to look at how risk analysis can provide an organization with the right information to make sound business decisions. First, you need to identify what assets need protection; this could be anything from employees to tangible items (inventory). Identifying assets helps determine what risks could occur. Determining the probability of risk occurrence also helps determine the impact on the organization.

To keep risk analysis as an objective approach, a specific methodology must be used to create an assessment and a consistent process to follow to achieve the desired end result. Done correctly, risk analysis can provide an organization with a sound decision-making process for reacting to almost anything that may occur. One goal of risk analysis is to provide an assessment of the economic impact of a potential risk. It is important to maintain a systematic approach to determine both the rate of risk occurrence and the economic impact of those risks.

Physical Security Risk Assessments

Risk seems to always have a negative effect because it can cause both financial and physical asset loss. However, risk identification is a positive process because it can mitigate the negative outcomes of a potential risk.

Risk assessment can provide both qualitative and quantitative information when assessing a situation. Risk reduction attempts should be cost effective. However, the worst thing to do is to ignore a potential threat; doing so could bring an organization to its knees financially.

As stated, the level of security within any organization should be commensurate with its risks; however, security controls must be cost effective and in line with the risks that could occur.

Over the years, we have seen businesses perform risk analyses that have been unreliable and based on inaccurate data. Controls and countermeasures should be implemented to take care of potential risks.

Before going any further with risk analysis, you must understand how threats and vulnerabilities play a role in risk analysis methodologies. Threats are things that can go wrong or that can attack a system (threats are present in every system). Vulnerabilities are areas where an organization may be more likely open to attack.

When a threat occurs, we must look at countermeasures for these vulnerabilities. Controls that deter reduce the likelihood of a deliberate attack. Organizations must develop preventive controls to protect vulnerabilities and deter attacks or reduce their impact. Companies must develop two sets of controls: detective controls to identify attacks and corrective controls to reduce the effect of attacks. All of these processes can reduce or eliminate potential risks. Most threats are man-made, and the risk from them ranges from minimal to extensive.

Before a threat is identified, a vulnerability assessment must first take place. This process considers the imminent or potential impact of a successful attack from that threat as well as the associated vulnerability. A key component of the vulnerability assessment is to clarify the impact of loss from the threat.

Each organization has different specific vulnerabilities, yet broadly, they are the same. That is, every organization identifies a target, how successful a target it is, and the countermeasures to protect that target that are present in that organization.

Those tasked with creating vulnerability assessments must be trained to look at the impact of loss so they can assess both what occurred and how the impact of the threat affects the organization. Comparing the impact of loss to the identified vulnerability is always used to evaluate potential risks to an organization.

Based on what is found from a risk analysis, the next step is to look at what countermeasures can be put into place to reduce or eliminate the potential threat. The cost of implementing countermeasures must be considered, because security spending is reviewed annually. The measures must then be evaluated to determine whether all potential countermeasures have been implemented. All of these factors affect the overall risk reduction for an organization.

To become effective at the risk analysis process, you need to train employees to perform the analysis correctly. The first attempt is always the most expensive. Over time, the process becomes less expensive and less time consuming. The investment of time devoted to risk analysis studies should be compatible with the organization's business objectives.

Many times when completing a security survey, the outcome of the risk analysis may not align with the original intentions.

When a threat occurs, organizations must realize that there are legal risks associated with the countermeasures used for risk reduction. Any time an organization has a security risk, it must be brought to the attention of those who will handle the issue, without exposing the organization to legal liability.

Risk Assessment Method

Any time a potential threat is identified, an organization's management must support taking corrective actions to either prevent or deter the threat. Authority must be given to the employees tasked with defining the purpose and scope of the risk assessment. This is where trained employees come into play and can accomplish the risk assessment mission. After the assessment is completed, management should review the findings and take appropriate action to implement a plan to use countermeasures.

Threat assessment usually includes a threat occurrence rate and the probability of future threats. To create this prediction, it is best to use any available historical reports. If these are not available, try to obtain information from other sources that can assist you with a predetermined plan for future incidents. When a systematic approach to risk identification is taken, it makes the task of risk analysis more manageable, and countermeasures can be more easily put into place.


Risk control comes into play whenever a risk exists in a given environment. To effectively address risk control, it is necessary to examine all activities related to the risk and assess the level of vulnerability in the organization, as well as the impact the risk will have.

There are several ways to develop the data necessary for risk identification. The first step is to review organizational policies and procedures, as well as organizational structure and any previously identified risks. Part of this process includes conducting interviews, performing site inspections, and conducting field operations. In addition, you will need to identify organizational assets and the history of any loss exposure. After all of these steps have been completed, risk exposure will be apparent. This is a learning process, and the responsible person(s) should have the education, training, and practical experience to assess and handle such incidents. That is, risk identification requires professionals who have the knowledge and tools to handle such tasks.

One thing to remember is that risk is not always eliminated, but it can be managed, and this is where risk measurement comes into play in determining the impact of an event. In addition to impact, the frequency of event occurrence is also important to determine. One must understand how much of an impact an event does or can have and how to recover from these events.

The cost of an adverse event is an important issue within an organization. This is why obtaining information on how frequently an event occurs, relative to an organization's annual budget, is important. When we look at events, we must compare the financial impact to the frequency of occurrence. Events should be categorized by low or high occurrence levels. All of this goes along with impact and probability, because we have to constantly analyze factors pertaining to events. During this time, safeguards must be developed and refined based on information gathered related to the events. After the information is in place, a company can estimate an annual loss expectancy based on the impact and frequency of these events: the expected loss from a single occurrence multiplied by the expected number of occurrences per year.

Let's go back to a basic understanding of what security is. It is defined as the implementation of acceptable practices, procedures, and principles used to attempt to deter or stop undesirable events from occurring. The problem is that security measures must be applied consistently if they are to contain undesirable events. There will always be unexpected events that occur outside normal circumstances, and security measures must be in place to handle them.

Most events, even if they seem independent of one another, are connected in their occurrence or probability. We should always be vigilant in looking at the probability of event occurrence. Obviously, the basic approach to security is to deter or eliminate any risk of events, but we need to understand the probability of occurrence in order to create potential solutions.

It is crucial to have an adequate database of information to determine event frequency. Yet, at times, you may find that not enough data are available to make an adequate determination of event frequency. When an event occurs, the potential loss must be examined together with the vulnerability or weakness that allowed the event. Events must be prioritized by containment difficulty. Exposure must be quantified using historical data to determine both potential loss and frequency of event occurrence. If no historical data are available, the severity of the event must be analyzed and a method developed for collecting relevant data from that point forward. This will help determine the level of preventive measures necessary. One must understand that there are no guarantees that an event can be completely prevented even after the risk has been identified.

A simple way to address an event is to look at how easy it is to correct and to put countermeasures in place to resolve the issue. In most cases, this process occurs, but not all at one time. Generally, there are increasing levels of security measures used, always with an eye to cost. It must be understood that there is a trade-off between cost and security. That is, security measures can at times be more of an inconvenience than anything, but this is where the dollar value comes into play, based on the risk assessment undertaken. It is on the basis of this risk assessment that management can see the economic value of security countermeasures developed to prevent or reduce event occurrence. Many professionals take the approach of prevention above all else, as if putting the proper countermeasures into place is sufficient. Certainly, having a contingency plan in place does give better direction and is more effective than not having one. One can compare the expected cost of the event with the cost of preventing it; if the avoided loss outweighs the cost of prevention, prevention should occur.

Performing routine inspections can eliminate an event, as well as reduce a possible cost associated with that event. Weighing the cost of a measure against the loss it avoids is known as a cost-to-benefit ratio, and it is used for both existing and prospective programs.

When we look at risk, we must look at it based on severity of loss. Therefore, low-, medium-, and high-loss factors are used to assess both the severity and frequency of loss. The type of protective measures used must be tailored to the specific risk within the environment. When addressing cost-effective security solutions, there must be a technique to analyze and develop solutions when the risks do occur. Experienced security professionals can make recommendations on how to improve security and properly protect company assets.
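The three ideas above (deriving an occurrence rate from historical reports, estimating an annual loss expectancy from impact and frequency, and applying a cost-to-benefit ratio to candidate countermeasures) can be carried through numerically. The following is an added worked example, not code from the book: it assumes the standard quantitative formulas (single loss expectancy multiplied by annual rate of occurrence gives annual loss expectancy), a constructed three-year incident history whose dates and dollar figures are made up, and hypothetical countermeasures whose costs and effectiveness are likewise assumed. It also covers the no-historical-data case by refusing to proceed without an explicitly stated estimate.

```python
"""Annual loss expectancy and countermeasure cost-benefit.

Added worked example; not code from the book. Assumes SLE x ARO = ALE and
uses a constructed incident history and hypothetical controls.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean

# Constructed three-year history of one event category (say, internal theft).
OBSERVATION_START = date(2013, 1, 1)
OBSERVATION_END = date(2015, 12, 31)
INCIDENTS = [  # (date of incident, direct loss in dollars) -- made up
    (date(2013, 3, 14), 4_200.0),
    (date(2013, 11, 2), 18_500.0),
    (date(2014, 6, 21), 7_300.0),
    (date(2015, 2, 9), 12_000.0),
    (date(2015, 9, 30), 3_000.0),
]


def annual_rate_of_occurrence(incidents, start, end):
    """ARO: events per year, derived from the historical reports."""
    years = ((end - start).days + 1) / 365.25
    if years <= 0:
        raise ValueError("observation window must cover at least one day")
    return len(incidents) / years


def single_loss_expectancy(incidents, assumed_sle=None):
    """SLE: mean loss per event. With no history, an explicit estimate is
    required rather than a silent default, so the assumption stays visible."""
    if incidents:
        return mean(loss for _, loss in incidents)
    if assumed_sle is None:
        raise ValueError("no historical data: pass assumed_sle explicitly")
    return float(assumed_sle)


def annual_loss_expectancy(sle, aro):
    """ALE = SLE x ARO."""
    return sle * aro


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    aro_reduction: float  # fraction of occurrences the control prevents, 0..1
    sle_reduction: float  # fraction of per-event loss the control avoids, 0..1


def residual_ale(sle, aro, cm):
    """ALE that remains once the countermeasure is in place."""
    return annual_loss_expectancy(sle * (1 - cm.sle_reduction),
                                  aro * (1 - cm.aro_reduction))


def net_annual_benefit(sle, aro, cm):
    """Avoided loss minus the control's yearly cost; a negative result means
    the control costs more than the loss it prevents."""
    return annual_loss_expectancy(sle, aro) - residual_ale(sle, aro, cm) - cm.annual_cost


def rank_countermeasures(sle, aro, candidates):
    """Most cost-effective control first."""
    return sorted(candidates, key=lambda cm: net_annual_benefit(sle, aro, cm), reverse=True)


# Hypothetical candidate controls; cost and effectiveness figures are assumed.
CANDIDATES = [
    Countermeasure("do nothing", 0.0, 0.0, 0.0),
    Countermeasure("CCTV and access logging", 6_000.0, 0.5, 0.2),
    Countermeasure("24/7 guard post", 120_000.0, 0.9, 0.5),
]


def main():
    aro = annual_rate_of_occurrence(INCIDENTS, OBSERVATION_START, OBSERVATION_END)
    sle = single_loss_expectancy(INCIDENTS)
    print(f"ARO {aro:.2f}/yr  SLE ${sle:,.0f}  ALE ${annual_loss_expectancy(sle, aro):,.0f}")
    for cm in rank_countermeasures(sle, aro, CANDIDATES):
        print(f"{cm.name:25} net annual benefit ${net_annual_benefit(sle, aro, cm):>12,.0f}")


if __name__ == "__main__":
    main()
```

With the constructed history the ALE comes out at roughly $15,000 a year. The cheap control shows a positive net benefit, while the guard post, although it prevents far more incidents, costs far more per year than the loss it avoids, which is the cost-versus-security trade-off the text describes.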


Benefits of Security Assessments

Any security program needs to have policies and procedures in place that are focused on cost effectiveness. Every effort must be taken to review available resources to ensure that financial goals are being met. Resources can include manpower, hardware, or technology. Each must be analyzed based on what is best and most cost effective for the organization.

Cost is always an important factor when it comes to implementing programs and replacing items (e.g., security systems). One example is the security personnel needed for an organization. The cost of having these employees will likely rise on a yearly basis. At times, a reduction of personnel must be considered, with the function replaced by a less costly alternative.

Likewise, equipment must be analyzed for both cost and reliability. New security systems may be more or less expensive than older ones, but the key is to focus on reliability and the proper protection of employees and assets.

New technology enters the market almost every day. One must consider each item and how it has been tested, as well as how it relates to company needs. There are no guarantees that any equipment purchased can completely protect assets. This is why you need to look at the equipment that specifically relates to the needs of your organization and make the best choice possible.

When building reliability into a security program, you also need to consider implementing redundancy. Many organizations overlook this piece, which can cause problems if systems, as well as processes, have not been tested to show reliability.

Today, there are many ways to assess risk and vulnerabilities. Risk analysis and vulnerability assessment are similar in that they both identify the assets and the capabilities within a system. The difference between them is that risk assessment often involves the evaluation of existing security controls and how they rate against threats to the organization. Vulnerability analysis drives the risk management process and focuses on where in the organization the threats are most likely to occur.

Each organization should have an infrastructure protection plan that outlines goals and objectives that create a foundation for what the organization is attempting to accomplish. Part of the plan should include ways to measure the end result of risk management. Did the organization follow the processes and procedures in place pertaining to the risk? Successful reduction of vulnerabilities is based on successful risk management strategies.

Assets can be people, a structure, information, inventory, or even the organization itself. When we examine identified assets, we must look at the threat to those assets as well as the level of vulnerability. Depending on whether the threat will have a direct or indirect impact, the consequences could be as far reaching as affecting public health and safety. There is an important psychological aspect to the impact of that vulnerability to consider. Vulnerability is any physical feature or operational attribute that renders an entity, asset, system, network, or geographic area open to exploitation or susceptible to a given hazard.

Executive Management Role in Risk Analysis

To best direct resources, responses, and recovery, the Department of Homeland Security ranks critical assets from the greatest risk to the least and looks at the cost effectiveness of threat mitigation. To be able to reduce the largest risk, there must be a comprehensive but coordinated effort to determine the risk, the vulnerability, and the desired end result.

The Department of Homeland Security uses established metrics to determine priorities and strategies and to effectively mitigate risk and protect assets. Good management and quality control are important in this process.

The goal of risk management is to manage risk cost effectively in a timely manner (i.e., the least amount of time and money to still be effective). A security survey can assist in establishing the steps needed to make this happen. The survey helps gather information or data that consist of the "who, what, when, where, how, and why" of an organization. It is similar to an investigative process.

When you start conducting a survey, it is interesting to see how many people do not realize that there are vulnerabilities and threats and so may not appreciate the importance of what you are doing. However, the survey must be conducted to properly address security concerns. It should be looked at through the lens of what affects the bottom line, because that is a key business factor.

A proper security survey will generally show that losses due to crime far exceed the business losses due to fire or industrial accidents. Internal loss equates to approximately twice that of fires or accidents. It is important to realize how crimes affect an organization's bottom line. White-collar crime is the most frequent crime and amounts to approximately 5% of an organization's business loss.

Every organization, whether large or small, would benefit from a security survey. This is an objective review of both internal and external organizational controls. The study provides an organization with insight into what security issues can be improved and helps with planning how to proceed with implementing those improvements.


We have noticed that most organizations take the necessary precautions to protect themselves from external theft, yet internal crime is overlooked. Today, more and more organizations are looking at what exactly reduces their profit, and those issues are readily addressed.

One approach we can take in determining whether there is a need for a security survey is to look at what security services are available for the particular needs of that organization. For instance, if an organization already has a security plan in place, the security survey can detect how effective the plan is and whether or not it is adequate to meet the organization's needs. Many plans are established for a specific need but are not designed to meet the needs of the organization overall. Setting up policies and procedures that are reviewed annually will help show which policies complement or contradict each other and whether there is room for consolidation.

If an organization has no security plan, a security survey will assist in establishing immediate needs. Critical factors can be identified, and the process of developing an effective security system can begin. Essentially, a security survey can assist in producing a protection plan. Security surveys should be performed by a trained security professional.

Security audits are similar to an investigative process in that they gather evidence to determine an end result and to make recommendations. Auditors are trained to appraise the validity of the processes used. Both auditors and investigators are trained to gather facts. They then appraise them, draw a conclusion, analyze the results, and make recommendations.

A security survey is similar to an audit in that it is a process to objectively look at the findings, come to a conclusion, and make a recommendation. For this to occur, the organization must cooperate, down to the employee level, for the survey to be as accurate as possible. Much of the survey work is conducted in the field; the information is analyzed and then turned into a written report that includes the findings and recommendations. Collected information includes records, written policies, and procedures or guidelines, wherever they can be found. At times this can be a difficult task.

There is not one correct way to conduct security surveys or field work; it depends on the person conducting the field work and the approach he or she takes.

The measurement of all of these aspects usually encompasses three components of a typical security operation: quality, reliability, and cost. The main objective is to assess the adequacy, effectiveness, and efficiency of the present system, as well as proposed systems.


One component of field work is observation. This involves a careful, knowledgeable look at people, as well as at how items relate to one another. To accurately observe and evaluate, you must have proper training and experience, because you need to understand what you are looking for. You must also be familiar with the norms of the organization so that you will recognize what is accepted as usual and what is out of the ordinary.

As you go through the survey, questioning occurs at every stage of the process. This can be in the form of a written questionnaire or through oral interviews. The latter is more difficult, because at times it is hard to find the truth without upsetting people. Generally, you are using interview techniques, but if you encounter someone who does not answer questions or is reluctant, you may need to switch to an interrogation mode.

Analyzing a situation involves examining it to discover the truth. You will need to uncover any hidden aspects of the organization to determine an appropriate solution. Verifying is a process to attest to the truth, accuracy, or validity of things under scrutiny. It is meant to establish the accuracy or truth of something by putting it to the test. This can be done by looking at standards or best practices. Investigation is an inquiry to uncover the facts and obtain evidence to establish the truth. During a survey or investigation, it is not unusual to detect some type of fraud.

One last piece is the evaluation, which essentially is a conclusion or judgment. This is the outcome of weighing the information to determine the adequacy, effectiveness, and efficiency of what has been found. It is one step beyond an opinion: it is the conclusion. Judgment is what gives foundation to a security survey.

When conducting a security survey, a definition and statement of purpose must first be created. When this is accomplished, it brings about a well-thought-out audit to ensure that it is efficiently and economically sound. The statement of purpose gives direction to the survey and helps to avoid any misunderstanding of the process.

Writing a security survey is no easy task, and it takes a lot of practice to be able to write an effective security survey that is both understandable and useful. Being able to write effectively gives a person the ability to communicate well with others. Some will say that fieldwork can be exciting; it can be, but it is also challenging. Having the skills to be able to conduct the survey, investigate, and write a report is not for everyone. A good writer must be someone who has good thinking skills. The survey report must always be clear, concise, complete, accurate, and objective.

All organizations should have a business continuity plan. This is the plan for an organization to be prepared in case of an emergency, whether it is a human-made or a natural disaster. We know that we cannot predict what emergencies will come our way, so the plan should be generic enough to adapt to any possible disaster.

There are four phases to emergency planning: mitigation, preparedness, response, and recovery. As a business continuity plan is designed and implemented, it is used as a planning model for prevention, protection, response, and recovery. If those components are addressed, the security plan can be put into place and used effectively in the event of a disaster.

Mitigation is a process that is used to reduce or eliminate long-term risk to both people and the other assets of an organization. The best way to look at it is as vulnerability reduction or, essentially, crime prevention. Mitigation is considered a cost-effective process.

Preparedness refers to the steps a person or organization would take to be ready to respond to and survive the effects of a disaster. This is where you need to have your plans and resources in place and be prepared for a disaster. You will need to constantly update and test your organization's preparedness plan. An effective plan will give you the capability to manage and respond to an incident at any time.

The response to a disaster can have both positive and negative effects on people and an organization. Today, organizations have to respond to threats that they had not encountered before, such as terrorist attacks. Organizations must now be able to respond to myriad potential situations in a positive manner. With these responses, we must not only reduce injuries but also protect assets and mitigate losses for a smooth recovery of business processes. The bottom line is that a response is an action taken to manage, control, or mitigate the effects of an incident. This can be easy or difficult, but either way, the response will be easier for an organization that is prepared.

Recovery basically involves a postdisaster plan. If a disaster does occur, the protocol is to contact regulatory agencies, as well as the Occupational Safety and Health Administration (OSHA). The recovery plan will give the direction needed to restart the organization and get it back on its feet to reach predisaster levels. Many disasters require an investigation into the cause, as well as into the response to the incident. If necessary, posttraumatic stress counseling should be made available in case of fatalities or major damage. These factors should be part of the basic recovery plan for most large organizations.

The bottom line is to make sure that we are prepared for anything that comes our way, or at least attempt to be prepared. There are so many potential human-made and natural disasters that could confront us, and we need to be able to protect the employees and assets of our organization.

When we discuss risk analysis, we must also address business impact, if or when a disaster occurs. This involves establishing the value of an organization: its components and employees. Business impact helps us when we need to discuss recovery and involves financial and other consequences to an organization. We look at how soon an organization can be up and running after a disaster has occurred. We must look at what functions are critical to recovery, as well as understand any risks that may arise for that organization to be up and running. Time is an important issue when establishing business impact. When developing these processes, a cost analysis must be carried out that addresses the business cycle and its revenues. Additionally, impact must be considered both at a departmental level and for the organization as a whole.

As we look at this, we must understand that a business impact analysis identifies the financial, as well as the operational, loss to that organization's business. No matter the issue, impact objectives must be met. Functions and processes are critical to recovery objectives.

A business continuity plan should be designed with strategies that allow a business to function without any disruption. If a disaster occurs, the organization will want to resume business at its fullest capacity. Even though a business continuity plan is important, the planning process is even more important. All of the components, from risk identification to recovery strategies, lead to a successful recovery plan. A business continuity planning process can be simple; however, the implementation of the plan may be complex and time consuming. The organization must identify its top issues and rank them by importance. Cost-effective strategies must also be reviewed to make sure that what is being accomplished is cost effective for the organization.

A key issue today is that when a disaster occurs, the organization must respond immediately. The goal is to protect the safety of employees, as well as to minimize damage as much as possible. The business is attempting to bring operations back to normal in the best and most cost-efficient way possible.

No planning efforts for a disaster will be successful unless there is support from upper management. It must be communicated efficiently for all levels to understand that the support is there. This is why it is so important to have response and recovery policies and procedures in place. Do not take for granted that everything will be in place if a disaster occurs. Having the best continuity strategies is the key to an effective recovery method that works for your organization. Understand that a business continuity plan is a management process that identifies the organization's critical functions and develops a cost-effective strategy to recover those functions if they are lost or denied. An organization must have the resources needed for this recovery plan, through either internal or external sources. If the resources are not present, they must be found and acquired for the welfare of the organization.

Threat Assessment and Risk Analysis. © 2016 Elsevier Inc. All rights reserved.

Chapter 4
THREAT IDENTIFICATION AND RATING

A full security threat assessment is an in-depth study of all risks and threats, both perceived and actual. The assessment covers a wide range of topics, including the physical interior and exterior features of the building or buildings. Entrances and exits, including stairwells, are examined. Doors and windows are evaluated for their physical characteristics and durability. Locks and other security devices are examined for deficiencies. Security policies and procedures, if in place, are reviewed for effectiveness and completeness, and the assessment will determine whether employees are complying with the security policies and procedures.

Keywords: hazard, potential threat element (PTE), risk, threat, design-basis hazard, jurisdiction, infrastructure, critical infrastructure, all-hazards, design-basis threat, man-made (terroristic) hazard, man-made (accidental) hazard, natural disaster

DOI: http://dx.doi.org/10.1016/B978-0-12-802224-5.00004-X


authority. Public agencies have jurisdiction at an incident, which can be political or geographical. You need to find out the consequences of the threats and rate them by severity. Finally, you need to mitigate and make decisions on how you are going to protect your organization. This process takes place no matter what industry you are in (Fig. 4.1).

All-Hazards Approach versus Design-Basis Threat

As defined by the National Infrastructure Protection Plan (NIPP), jurisdiction preparedness and readiness actions need to address terrorist attacks, man-made hazards, and natural disasters. This all-hazards approach provides a systematic approach to mitigating all disasters, not just terrorist attacks. For example, the devastation caused by Hurricane Katrina demonstrated that natural disasters can cause as much damage as (or more than) a terrorist attack.

Figure 4.1 Assessment process. Step 1: Threat identification and rating (identifying the threat; collecting information; determining the design-basis threat; determining the threat rating). Step 2: Asset value assessment. Step 3: Vulnerability assessment. Step 4: Risk assessment. Step 5: Consider mitigation options.
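The five steps in Fig. 4.1 end in a ranked list of asset/threat pairs, which is what lets an organization (as the text says of DHS) order critical assets from greatest risk to least. The following is an added example, not code from the book, and the book itself states no scoring formula: it assumes the common convention of rating threat (step 1), asset value (step 2) and vulnerability (step 3) each on a 1 to 10 scale and multiplying them for the step 4 risk score, so scores fall between 1 and 1000. The risk bands, the sample assets and threats, and every rating below are assumed for illustration.

```python
"""Steps 1-5 of the Fig. 4.1 process as a scoring exercise.

Added example; not from the book, which gives no formula. Assumes 1..10
ratings and risk = asset value x threat rating x vulnerability rating.
"""
from dataclasses import dataclass
from itertools import product


def check_rating(value, label):
    """Ratings outside 1..10 (or non-integers) silently distort the product,
    so reject them up front."""
    if not isinstance(value, int) or not 1 <= value <= 10:
        raise ValueError(f"{label} must be an integer in 1..10, got {value!r}")
    return value


@dataclass(frozen=True)
class Asset:       # step 2: asset value assessment
    name: str
    value: int


@dataclass(frozen=True)
class Threat:      # step 1: threat identification and rating
    name: str
    rating: int


# Step 3: assumed vulnerability of each asset to each threat, keyed (asset, threat).
VULNERABILITY = {
    ("data center", "vehicle bomb"): 7,
    ("data center", "insider sabotage"): 5,
    ("data center", "flood"): 3,
    ("lobby", "vehicle bomb"): 9,
    ("lobby", "insider sabotage"): 2,
    ("lobby", "flood"): 4,
}

ASSETS = [Asset("data center", 9), Asset("lobby", 4)]                 # assumed values
THREATS = [Threat("vehicle bomb", 3), Threat("insider sabotage", 6), Threat("flood", 2)]

# Assumed band thresholds on the 1..1000 product scale.
LOW_MAX, MEDIUM_MAX = 60, 175


def risk_score(asset, threat, vulnerability):
    """Step 4: risk assessment for one asset/threat pair."""
    return (check_rating(asset.value, "asset value")
            * check_rating(threat.rating, "threat rating")
            * check_rating(vulnerability, "vulnerability"))


def risk_band(score):
    if score <= LOW_MAX:
        return "low"
    if score <= MEDIUM_MAX:
        return "medium"
    return "high"


def rank_risks(assets, threats, vulnerability):
    """Every asset/threat pair, highest risk first. A pair with no
    vulnerability rating means step 3 is incomplete, so it is an error
    rather than a silently skipped row."""
    missing = [(a.name, t.name) for a, t in product(assets, threats)
               if (a.name, t.name) not in vulnerability]
    if missing:
        raise ValueError(f"no vulnerability rating for: {missing}")
    rows = []
    for a, t in product(assets, threats):
        score = risk_score(a, t, vulnerability[(a.name, t.name)])
        rows.append((score, risk_band(score), a.name, t.name))
    return sorted(rows, reverse=True)


def with_mitigation(vulnerability, asset_name, threat_name, reduction):
    """Step 5: what-if for a mitigation option that lowers one vulnerability
    rating by `reduction` points (never below 1); returns a new table so the
    baseline is kept for comparison."""
    updated = dict(vulnerability)
    key = (asset_name, threat_name)
    updated[key] = max(1, vulnerability[key] - reduction)
    return updated


if __name__ == "__main__":
    for score, band, asset, threat in rank_risks(ASSETS, THREATS, VULNERABILITY):
        print(f"{score:4} {band:6} {asset:12} {threat}")
    after = with_mitigation(VULNERABILITY, "data center", "insider sabotage", 3)
    print("top risk after mitigation:", rank_risks(ASSETS, THREATS, after)[0])
```

The ranking makes the "greatest risk to least" ordering explicit, and the what-if function shows how a single mitigation option changes that ordering before any money is spent, which is the comparison step 5 asks for.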
