Security risk management is an ongoing process that allows an organisation to understand its exposure to risk, so that it can make intelligence-led decisions. This requires a clear understanding of all the components of risk and how they will impact upon an organisation’s activities, its operations and its ability to comply with legal and regulatory requirements. An adversary’s capability and intent, and its ability to exploit vulnerabilities, can be determined by developing an appreciation of the organisation’s security environment. The probability of a threat occurring and its impact upon operations together determine the level of risk and provide a basis for security planning and design.
The threat assessment is a judgement based upon available intelligence that provides an indication of the events that may affect an organisation and its assets. The information can be accrued from official government departments, historical records and open-source research and can address a spectrum of activities. This intelligence will assist in determining the capability and intent of the threat and its probability, based upon the value of the asset, its usefulness in achieving an adversary’s goals, publicity value, availability and ease of targets, and the adversary’s perception of the possibility of a successful attack. The spectrum of threats is diverse and will impact upon different areas of the organisation. Consequently, it is necessary to understand and characterise the organisation in the context of its vulnerability to attack.
Vulnerability is the level of weakness within an organisation’s existing physical security measures and procedures that would provide an opportunity for a potential threat to be exploited. It is therefore important to be able to understand and quantify the existing security measures and be able to assess their effectiveness in mitigating the threat. It is advisable to address the effectiveness of these measures and their level of compliance with the appropriate standards during the site surveys.
It is possible to categorise an organisation’s assets in terms of the tangible and intangible, and these can be determined in the context of people; property, including offices, real estate and other physical assets; as well as the information assets whether in hard copy or on computer networks. It is also worth considering the impact upon intangible assets such as reputation and market position. The value of an asset in terms of loss depends on its importance to the continued operations, the cost of physical replacement and the impact of loss to the organisation. It is advisable to consider the impact of aggregation and ensure that those low value assets, where found in high volume, if lost, do not have a significant impact upon the organisation. This principle applies to all types of assets and may influence the level of protection provided over and above that normally anticipated.
Impact and probability determine the level of security risk faced by an organisation from a specific threat, which allows the approach to its management to be considered. The scoring system can be determined using either qualitative or quantitative approaches, depending upon the availability of the appropriate information. As an example, a graduated scale of five stages can be used for both elements, which allows the risk to be addressed across a spectrum of mitigating measures. The five stages relate to impact which could be from ‘Catastrophic’ (5) down to ‘Minor’ (1). Probability is considered from ‘Almost Certain’ (5) to ‘Unlikely’ (1). This approach allows the equation Probability × Impact = Pure Risk to be populated, which provides an indication of the level of risk and an indication of the level of management action required to address the identified risks.
The impact of a threat gives an indication of the cost and operational effect of an adverse event coming to fruition against an organisation. It can be helpful to determine impact by applying a monetary value to either replacing the asset, the cost of lost production or of reducing the risk to an acceptable level. It may be more difficult to ascribe a value to intangible assets such as reputation, but it is worth considering that there remains a potential financial impact. By understanding the impact, the decision-making process is supported by providing an indication of the level of investment required in providing cost effective mitigation.
Frank Knight, a well-known writer on matters of uncertainty, probability and risk, provides a succinct summary that is helpful when considering the probability of events occurring: ‘if you don’t know for sure what will happen, but you know the odds, that’s risk and, if you don’t even know the odds, that’s uncertainty’. Assessing probability is therefore about reducing the level of uncertainty, with the probability of a threat reflecting how likely it is to occur. Various methods can be used, such as looking at the frequency with which incidents have occurred in the past, at local and regional trends, and at the availability of intelligence suggesting the probability of a threat materialising. Threats against similar organisations across a sector can also help provide an indication of probability; however, it is advisable to assess this in the context of local and regional influences and the commercial and political profile of those organisations.
The probability of the identified threat manifesting is a function of the identified threat level (including capability and intent) through the threat’s perception of an organisation’s attractiveness as a target. This is based primarily on the value of the organisation’s assets in the context of the threat’s agenda. For instance, an animal research laboratory would be an obvious target for animal rights extremists while anything symbolic of western influence in the Islamic world may be coveted as the target of Al Qaeda-type networks. However, a secondary influence on the assessment of attractiveness relates to the probability of success, and this is inextricably linked with the perceived vulnerability of the site. Although some threats, such as criminality, are well recorded and can be assessed based on occurrence, acts of terrorism are less predictable and their probability could change at relatively short notice. This will require flexibility in approach and careful consideration of the contingency arrangements and the emergency response plans.
The mitigation measures can be either probability or impact based, though there may well be an overlap between them. Probability mitigation measures address the threat and target methods of reducing the likelihood of an attack on an organisation and its assets. This can be achieved by using ‘soft’ measures, such as policy changes, changes in procedures and by addressing the cultural approach within the organisation. Alternatively, they may take the form of ‘hard’ technical and/or physical measures, such as enhancing video surveillance coverage, improving counter terrorism measures or improving the perimeter security. These measures essentially aim to reduce the chances of an event occurring.
Impact mitigation measures aim to reduce the consequences to an organisation in the event of a manifested threat. While physical mitigation measures may play a part in this respect, it can be valuable to focus on providing redundancy in the organisation so that production or operations can continue in the event of an incident. It is advisable to use risk management to inform organisation continuity plans, which can then be fed back into a cycle that is revisited as new threats emerge due to internal and/or external factors. Redundancy often takes the form of duplicating physical or operational assets, and/or training secondary individuals to immediately assume the role of primary individuals within the organisation in the event of incapacitation or untimely demise. It is worth considering other impact mitigation measures such as transferring the risk, for example through insurance.
It is advisable to carry out a secondary risk assessment after mitigation measures have been implemented, when both the probability and the impact may have been reduced, bringing the overall risk to a more manageable level. It can then be valuable to provide a more sophisticated assessment of risk reduction by assigning each mitigation measure a quantitative score related to its perceived protective capacity, which is fed into a risk matrix. The risk assessment can then provide the basis upon which security will be designed to mitigate the risk.
It is advisable to use this to assist the decision-making process in adopting the appropriate strategies and influence the level of investment required.
It is worth considering the following options:
The use of a risk matrix enables an organisation to identify, evaluate, and manage risks in a systematic and structured manner. By undertaking the risk analysis process outlined above an organisation can identify both high risks and low risks along with various risk scenarios allowing them to make informed decisions about their risk exposure. As a result, they can establish robust actions to protect their assets, reputation, and operations from catastrophic risk events. If such controls are already in place, a risk matrix can help an organisation evaluate if they are sufficient to handle the identified risks.
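The scoring method described above (a five-point scale for probability and for impact, Probability × Impact = Pure Risk, a re-assessment once mitigation measures have been scored, and a matrix used to judge whether existing controls are sufficient) is carried through below as an added worked example; it is not part of the original text. The scenarios, asset values, monetary loss thresholds, risk-band cut-offs and mitigation scores are all constructed for illustration, and the labels for the intermediate scale points, which the text does not name, are left as numbers.

```python
"""Five-point Probability x Impact risk matrix with a residual-risk re-assessment.

Added example; all values below are constructed and the thresholds are assumptions
an organisation would replace with its own.
"""
from dataclasses import dataclass, field
from typing import List

SCALE = range(1, 6)  # 1 = 'Minor' / 'Unlikely', 5 = 'Catastrophic' / 'Almost Certain'

# Constructed loss thresholds (arbitrary currency units): losses below the first
# limit score 1, below the next score 2, and so on; anything larger scores 5.
LOSS_THRESHOLDS = [(1_000, 1), (10_000, 2), (100_000, 3), (1_000_000, 4)]


def impact_from_loss(loss: float) -> int:
    """Map an estimated monetary loss onto the 1..5 impact scale."""
    for limit, score in LOSS_THRESHOLDS:
        if loss < limit:
            return score
    return 5


def aggregated_loss(unit_loss: float, quantity: int) -> float:
    """Aggregation principle: many low-value assets lost together are one loss."""
    return unit_loss * quantity


def pure_risk(probability: int, impact: int) -> int:
    """Probability x Impact = Pure Risk, both on the five-point scale."""
    if probability not in SCALE or impact not in SCALE:
        raise ValueError("probability and impact must both be on the 1..5 scale")
    return probability * impact


def risk_band(score: int) -> str:
    """Constructed band cut-offs for the 1..25 matrix; the text gives none."""
    if score >= 15:
        return "Critical"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


@dataclass
class Mitigation:
    """A measure scored by how many scale points it is judged to remove."""
    name: str
    kind: str                   # assumed tag: 'soft' (policy/procedure) or 'hard' (physical/technical)
    probability_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Scenario:
    name: str
    probability: int
    impact: int
    mitigations: List[Mitigation] = field(default_factory=list)


def residual_scores(s: Scenario):
    """Secondary assessment: subtract mitigation scores, never dropping below 1."""
    p = max(1, s.probability - sum(m.probability_reduction for m in s.mitigations))
    i = max(1, s.impact - sum(m.impact_reduction for m in s.mitigations))
    return p, i


def assess(s: Scenario) -> dict:
    inherent = pure_risk(s.probability, s.impact)
    p, i = residual_scores(s)
    residual = pure_risk(p, i)
    return {"scenario": s.name, "inherent": inherent, "inherent_band": risk_band(inherent),
            "residual": residual, "residual_band": risk_band(residual),
            "reduction": inherent - residual}


def rank(scenarios: List[Scenario]) -> List[dict]:
    """Order scenarios by residual risk so management attention goes to the top."""
    return sorted((assess(s) for s in scenarios), key=lambda r: r["residual"], reverse=True)


def controls_sufficient(result: dict, max_acceptable: int) -> bool:
    """Are the controls already in place enough to hold residual risk within appetite?"""
    return result["residual"] <= max_acceptable


# Constructed scenarios. Laptop theft shows aggregation: 100 laptops at 1,500 each.
LAPTOP_THEFT = Scenario(
    "Theft of laptops from open-plan office", probability=4,
    impact=impact_from_loss(aggregated_loss(1_500, 100)),
    mitigations=[Mitigation("Clear-desk and lock-away policy", "soft", probability_reduction=1),
                 Mitigation("Access control on office doors", "hard", probability_reduction=1),
                 Mitigation("Full-disk encryption", "hard", impact_reduction=1)])
BURGLARY = Scenario("Opportunistic burglary of storeroom", probability=3, impact=2)
HQ_ATTACK = Scenario(
    "Attack rendering headquarters unusable", probability=1, impact=5,
    mitigations=[Mitigation("Duplicate operations at second site", "hard", impact_reduction=2),
                 Mitigation("Business interruption insurance", "soft", impact_reduction=1)])
SCENARIOS = [LAPTOP_THEFT, BURGLARY, HQ_ATTACK]

if __name__ == "__main__":
    for r in rank(SCENARIOS):
        print(f"{r['scenario']}: inherent {r['inherent']} ({r['inherent_band']}), "
              f"residual {r['residual']} ({r['residual_band']}), "
              f"within appetite: {controls_sufficient(r, 6)}")
```

Two design choices matter here. Residual scores are clamped at 1 because a risk on this scale is never scored as impossible or as having no impact, which keeps every result inside the 1..25 matrix. Impact is derived from an aggregated monetary loss rather than entered directly, so the laptop scenario scores as a single six-figure loss (impact 4) even though each laptop on its own would barely register.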
Effective security planning integrates physical and procedural measures with organisational goals and regulatory standards.