Today’s pace of business is many times that of business two decades ago. Yet most organizations do not update their corporate security risk picture with any greater frequency than they did back then. That is because most organizations do not have a risk-based security program. Many have an incident-based or budget-based program, especially when it comes to deploying physical security technology.
This assertion is borne out by the ASIS/SIA Risk Assessment Survey conducted within the last year by ASIS International and the Security Industry Association (SIA), and available for download as shown in the sidebar titled, “Risk Assessment Survey” on page 62. Here is the study’s primary focus:
How and to what extent are risk assessments actually performed, and how do they affect spending decisions?
Some of the most significant findings are:
• The majority of respondents perform risk assessments at least every two years, but about one-third do not conduct risk assessments often or regularly.
• Although security practitioners generally favor prevention, three out of four respondents state that loss events — not risk assessments — are the most popular trigger that leads to security upgrades.
• One-third of security practitioners who perform risk assessments believe their assessments are futile and could not be the basis of a security upgrade.
• Between one-third and one-half of respondents do not install security equipment or make other security upgrades in response to a risk assessment.
• About one-third of respondents fail to conduct cost-benefit analyses when evaluating options to mitigate risk.
• A thoroughly completed risk assessment would likely minimize the top three barriers to the purchase of security systems, which are:
• budget limits (a barrier for four out of five respondents);
• management directives (barrier for nearly half); and
• ROI not justified (barrier for 3 out of 10).
• Less than half of respondents measure the effectiveness of security systems after installation.
Where does your own security program fall with regard to these findings?
The ASIS/SIA survey addresses facility security assessment. What about cyber security? Organizations use electronic information systems and the Internet to accomplish real-time tracking of supply chains, manage inventory, manage business processes, generate online commerce, facilitate working from home and more. That is why the financial consequences of a cyber security incident can be substantial.
“The Financial Impact of Cyber Risk: 50 Questions Every CFO Should Ask” is a newly released guide from the American National Standards Institute (ANSI) and the Internet Security Alliance (ISA). “An organization that is unprepared to avert or manage a data breach can suffer severe financial losses and irreparable damage to its reputation and customer base,” the guide says. “Conversely, when an organization is prepared and responds skillfully to a cyber threat, the crisis can go down in history as an event that cements customer loyalty and a positive brand image.”
The occurrence of a cyber security event can hugely impact business operations teams and generate new and immediate demands on physical and corporate security. As news accounts have shown recently, the effects of data breaches are clearly not limited to the IT department.
Current Economic Crisis
One reason to pay more attention to risk factors now is that national and global economic conditions are changing the financial and operational risk pictures significantly for many organizations. Many companies are reacting without considering the security consequences. For example, company layoffs significantly increase the risk of proprietary information loss from insiders, as well as the workplace violence risk. An announcement of possible action — or even rumors of it — can drastically change the risk picture. It is vital that appropriate security measures are already in place or are put in place before taking actions or announcing them.
Security Risk Assessment
Averting or successfully responding to any type of security threat requires having the right business security measures in place. Determining and prioritizing those measures is the objective of a security risk assessment. The remainder of this article is intended to provide some helpful insights in that regard.
This article is not a tutorial on performing risk assessments or designing security programs. Its purpose is to identify and present references providing guidance in establishing a risk-based security program, and to provide an example of using business language for risk descriptions. Business language facilitates management’s understanding and helps collaboration with business unit managers around risk treatment planning and related security initiatives.
Risk-Based Program
A risk-based security program directs spending and attention where it is needed most, resulting in stronger security. It aligns the people, process and technology of security with business priorities, according to the potential damage of various threat factors. In a risk-based program, security managers work with business managers to identify the biggest threats to business operations and to set priorities for security investments. A cost-benefit analysis is used to ensure that an appropriate security budget is established and spent wisely. A proven approach is outlined in the 22-page General Security Risk Assessment Guideline, available for download as shown in the “Security Program Guidelines” sidebar below.
The key elements of the risk assessment process presented in the ASIS General Security Risk Assessment Guideline are as follows:
• Understand your organization and identify the people and assets at risk.
• Specify loss risk events/vulnerabilities.
• Establish the probability of loss risk and frequency of events.
• Determine the impact of the events.
• Develop options to mitigate risks.
• Study the feasibility of implementation of options.
• Perform a cost-benefit analysis.
The guideline then calls for ongoing reassessment of risks.
ISO 27001-2005, a guideline standard for establishing an Information Security Management System, specifies additional steps:
• Select objectives and controls for the treatment of risks.
• Obtain management approval of the proposed residual risks (the risks remaining after the security controls are put into place).
• Obtain management authorization to implement and operate the proposed security management system.
• Prepare a summary of decisions concerning risk treatment: What is implemented now, why specific additional controls were selected for implementation, and why specific controls were excluded from consideration.
• Formulate a risk treatment plan.
• Implement the plan via the security management system.
• Review risks at planned intervals, and review changes to the organization, technology and business objectives and processes.
Both guidelines go well together, and the security management system approach outlined in ISO 27001-2005 can also be used for physical and corporate security.
From Start to Finish
“Risk Analysis and the Security Survey,” by James F. Broder, CPP, is the classic reference on performing a complete risk analysis, and has been recently updated and expanded for its third edition. The book’s chapters cover each step of performing a business security risk analysis, and provide example letters, proposals and reports plus guidance on the use of a security consultant. The book’s appendices contain additional valuable material including:
• Security Survey Work Sheets;
• Danger Signs of Fraud, Embezzlement and Employee Theft;
• Professional Practices for Business Continuity Planners;
• Sample Kidnapping and Ransom Contingency Plan;
• Communicating with the Media; and
• Security Systems Specifications.
This book is part of the required study material for the ASIS Certified Protection Professional (CPP) and Physical Security Professional (PSP) certifications.
Documenting Risk Treatment Plan Details
Guidance for documenting the details of a risk treatment plan can be found in the book “Physical Security for IT,” by Michael Erbschloe. Chapter 3 explains how to integrate the physical security plan for IT with other security plans, such as:
• Cyber security planning;
• Disaster recovery planning;
• Business continuity planning;
• Organization risk management and insurance planning; and
• Incident response team planning and development.
Such integration is an important, but often overlooked element. For each of the plans listed above, Chapter 3 provides specific recommendations on how to map priorities between those plans and the physical security planning.
Quantitative vs. Qualitative Assessment
For some types of business operations — especially retail store operations — quantitative risk analysis is quite feasible as monetary values are easily assigned to the loss events, and business accounting and inventory records provide information needed to quantify each type of loss in specific time periods. Where quantitative information is not available and cannot easily be developed, a qualitative approach can be used to categorize risks. The main advantage of a qualitative impact analysis is that it prioritizes the risks and identifies areas for immediate improvement in addressing vulnerabilities.
The ASIS General Security Risk Assessment Guideline provides advice for performing each type of analysis in Appendix I and Appendix II of the guideline.
Ongoing Reassessment of Risks
Risk assessment is not just a periodic action. It should be part of the organization’s change management process, so that security can be kept synchronized with changes to business risk. Additionally, there are some threats whose impacts are significant and whose likelihood can change on a moment’s notice. For example, a new building construction project can suddenly have its construction site risk escalate if a news story identifies a prospective tenant — which happens to be a company targeted by activist groups. Similarly, a chain company can become a public target, thus increasing risk for customer businesses. Therefore, some risks warrant real-time risk monitoring, which is the specialty of Risk IQ.
Risk IQ goes beyond news monitoring to monitor social interaction sites and other types of information on the Web, providing the ability to identify and correlate active threats from individuals or groups in real-time — providing its subscribers with the ability to take preemptive action. See the “7 Must-Read Risk Scenarios” on the Risk IQ Web site (http://riskiq.net).
The Business Perspective
When categorizing loss for senior executives, it helps to define risk rating categories in business terms that executives can relate to. This example language is generic and high-level. Often the language can be specifically tailored for the business functions.
It is important for management (as well as Security) to understand that job of the corporate security function is to reduce security risks to acceptable levels at an acceptable cost, in a manner harmonious to the business. That is why the objective of a risk-based security program should not be to find and fix every security vulnerability or gap, but to outline a comprehensive, systematic approach to risk mitigation and management, starting with the most critical risks. When both upper and middle management see that Security has its eye on the business and is looking out for the business bottom line, they are usually eager to help identify their risk tolerance and cost tolerance considerations when Security presents the risk picture information.
Ray Bernard, PSP, CHS-III
Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (www.go-rbcs.com), a firm that provides security consulting services for public and private facilities. He has been a frequent contributor to Security Business, SecurityInfoWatch and STE magazine for decades. He is the author of the Elsevier book Security Technology Convergence Insights, available on Amazon. Mr. Bernard is an active member of the ASIS member councils for Physical Security and IT Security, and is a member of the Subject Matter Expert Faculty of the Security Executive Council (www.SecurityExecutiveCouncil.com).
Follow him on LinkedIn: www.linkedin.com/in/raybernard.
Follow him on Twitter: @RayBernardRBCS.