Lesson 5: Risk Analysis

Risk—The probability or likelihood that a threat agent can successfully mount a specific attack against a specific system vulnerability.

The concept of relative foresee-ability reflects the standard practice among private security professionals of conducting ‘risk assessments’ on everything from rare events like terrorism to common elements like employee theft. The goal of such risk assessments is to produce a precise estimate of the risks of a certain type of crime to an organization or individual in specified places and time periods. Lawrence W. Sherman

What is risk assessment? Risk assessment lies at the heart of any viable and effective security operation. Without a clear picture of what it is you wish to protect and the impact on an organization from its loss, you cannot develop a program of safeguards that gives you some assurance of its workability.

The first step in risk assessment is to observe the conduct of operations, policies, and procedures, physical security, traffic flow, and other activities over several periods and at different time of the day and night. This will provide a basis of understanding for later surveys, without any possible attempts at creating "protective smokescreens" to cover up problems by expecting the team to arrive. These initial observations would not be cover, simply unannounced. These observations and detailed surveys and examinations of records allow one to conduct a reasonable risk assessment comprising the following four elements:

1. Risk: What are the assets that can be damaged, stolen, or lost? For example, there is little risk of someone stealing a mainframe computer, but perhaps if could be seriously damaged if access to its location is not properly controlled.

2. Vulnerability: How difficult is it to get to the assets of high risk identified by the survey? If your parking areas are unlighted at night, customers, visitors, and corporate personnel are vulnerable to robbery and sexual assault.

3. Probability: What are the chances that an attack on personnel or other assets will ever happen? This will be determined by an examination of frequency patterns of various incidents as reported by the police, and others. Clearly, it is not necessary to develop and emergency plan for flooding if the facility is atop a well-drained hill that is 200 feet above the deepest flood ever recorded. In an extreme example, if a serial killer has been assaulting and killing young women in the area, it would be prudent to develop procedures to better protect your female customers, visitors and staff. How you deal with the risk-vulnerability-probability triad results in cost effective decisions.

4. Countermeasures: These are the ultimate reason for all the risk assessment activity and determine what you can do given the resources available. Countermeasures are based on the interrelationship of the preceding factors, as well as management decisions, operational necessity, cost, and common sense.

Risk assessment allows you to design countermeasures that are effective but do not interfere with the operations of the business. Examination of all these factors allows management to make decisions that balance cost versus the level of protection.

A proper risk analysis covers a systematic examination of information and activities that can be used to develop countermeasures. The first thing that needs to be determined is what has been happening in the past. If the present countermeasures seem to be doing the job, you might leave well enough alone. However, if current countermeasures do not seem to be doing the job, through an examination of loss and incident reports, shift records, investigations, police files, and news reports, combined with informational interviews with personnel at all levels, you can develop a broad picture of what is really happening and infer some correlation that may identify patterns not otherwise apparent.

How do you enter and exit the areas that may need to be secured? Traffic data about pedestrian and vehicular movement must be collected for analysis and development of a clear picture of where access controls might be modified to better match what is actually happening in each area. Combined with the previous actions, a more rational set of strategies can be developed for intelligent routing and monitoring of traffic to reduce probabilities of incidents and losses or easy escape routes. Key and lock controls, placement of high-security locking devices, electronic access cards to track personnel and record access (if needed), and designation of areas restricted to those with actual need to be there can be determined by this type of traffic survey.

The way a security force is organized and equipped can have a favorable or drastically negative impact upon the cost and effectiveness of its operation. Personnel costs constitute the major share of any security budget, and these costly assets must be protected as efficiently and effectively as possible. The age, training, salary, and experience of the security personnel must also be considered because adequately paid and well-trained security staff can do much more with fewer people. Determining the correct staffing will require a detailed review of the survey results and consultation with the parties concerned. How this force networks with the local law enforcement agencies, and with the rest of the organization, can greatly enhance the effectiveness.

The Achilles’ heel of most security operations is the lack of a formal and current policy and procedure manual. Many security operations operate with little or no overall policy guidance from either the security provider or the client’s administration. This causes actions to become merely reactive and seldom proactive. With clear policy statements from the corporate administration, proprietary or contract security providers can develop, publish, and revise a strong set of procedures to implement predetermined guidelines. A number of software programs are available that will help security managers develop their own policy and procedure manual. Security policy is usually extracted from overall administrative policies that are already in writing, or derived through interviews and observation.

The purpose of physical security devices and procedures is to deter, detect, divert, delay, or deny (the "five Ds") access to sensitive areas of the secured operations and facilities. A physical security survey will determine which of these results current physical barriers accomplish and methods then recommend a more effective use of these physical methods or suggest others. Physical barriers include fences, traffic barriers, exterior doors, and so on, and are generally aimed at reducing the use of costly manned posts.

Use of monitoring or specific areas through roving patrols, towers, or closed circuit television is aimed at detecting and preventing criminal activity or other threats before they can occur. Communications are critical to any operation and especially those that are widely dispersed. Communications should be geared for both internal transmissions and coordination with outside agencies or key personnel. Computers and other critical equipment must be secured and protected (as well as data), and security personnel must know how to secure the hardware and software. Surveillance can let security determine what is really occurring in the facility and take action to develop appropriate countermeasures.

Personnel screening involves the hiring process for the entire operation, as well as the security department itself. The security department can become a valuable aid to the personnel department by developing methods of verifying critical issues that would preclude an individual’s employment (drug abuse, criminal record, and so on) or result in his or her dismissal. Standards for security personnel should be very high and far above average. Paper and pencil tests for detecting dishonesty and drug use are now available and effective as screening devices. Close coordination with law enforcement agencies can result in excellent ways to find out about individual criminal records as well as ongoing problems.

This section has discussed the complexity of trying to assess the risk to a company’s assets in some kind of systematic and logical fashion. The tendency in the security industry over the years has too often been to "shoot form the hip" when trying to:

1. determine the most probable targets in a company

2. determine the most logical threats to those targets

3. determine the vulnerability of those targets to specific threats

4. determine the probability of those threats occurring

5. relate the cost of securing those targets as compared to their value to the company and

6. conduct a kind of cost-benefit analysis of their actions in the name of security.

Security departments must be prepared to show the cost and benefit of all their operations, or other departments that have more skill in showing their value of their requests will overpower them. A simple checklist of what is or is not being done for security in various parts of the company is no longer enough to sell the need for countermeasures.