August 4, 2014

Risk Management

He who defends everything defends nothing

"He who defends everything, defends nothing."
                      -Frederick the Great
This historical quote is very fitting in the security arena. In a fiscal environment with finite resources, trying to spend money to protect everything is not a wise investment. I know you're shocked to hear this coming from a person who makes their living in the security field, but it is true. The secure-everything-at-all-costs approach diverts money away from areas that could provide the proverbial "more bang for your buck."

               "Billions of dollars are being spent on uncoordinated, ill conceived programs that focus on buying additional gates, guns, guards, and Geiger counters—the toys, technology, and pork of homeland security. This means we do not have adequate resources for those initiatives that would make a difference."
                                   - Randall J. Larsen, former chairman, Department of Military Strategy and Operations at the National War College

If you cannot secure everything, then how do you decide what you should? 

The best method for reasonably securing your items is the five-step risk management process geared towards security. For those unfamiliar with risk management, it is the comparison and analysis of the relative threat (intent and capability to collect the information); the vulnerability of the asset; the cost and administrative burden of possible countermeasures; and the value of the asset, used to determine the appropriate level of protection to control and reduce the risk of compromise or disclosure to acceptable levels. Risk management allows the acceptance of risk in the security process based upon a cost-benefit analysis. In simple terms, risk management is a balancing act between potential loss and potential cost.

When I talk about risk management I'm not referring to the exact process spelled out in ISO 31000 or the one the Department of Homeland Security uses in emergency management programs; however, they do have similarities. The outline I use is based on the risk management processes taught in many classes on different security disciplines, such as physical security, antiterrorism, cyber, and operations security (OPSEC). The terminology the different disciplines use may vary, but at the root of it all, they all have the same steps.

In a way, security is a process that manages risk. Before implementing a new security measure that requires the expenditure of funds, security practitioners need to know the assets requiring protection, the threat, and the associated risks.

5 Step Risk Management Model

Step 1: Determine your assets.
Start by listing your important assets. Assets can be people (employees), information, equipment, or any other physical thing. When coming up with your list, ask yourself:
  • What are the critical things you need to operate? 
  • If you were to take any asset away, what kind of impact would it have on your operation?
  • If something were to happen to the asset, would/could there be other implications? Fines?
  • Is it easily replaceable? How long would it take to replace it?
These questions help you think about how important your assets are to your overall operation. Some missing items may be a nuisance, while a certain item may be catastrophic if it is gone. Maintain a list of critical assets ranked by their importance. You want to focus your security efforts on protecting the valued items.

Step 2: Determine the threat.
Look at the different types of threats in your area and industry. A threat has the capability to cause your organization harm or go after your assets. For non-weather-related threats, you'll also consider their intent. There are different categories of threats you can look at. I provide some below, but this list is not all-inclusive.
  • Crime. The FBI Uniform Crime Reports can provide crime statistics to help you determine what kind of criminal threat you are likely to deal with near your location. The FBI has other threat information resources on its Reports and Publications page. Your local police department can be another source of valuable information.
  • Cyber. Multiple news stories about cyber data breaches and hackers circulate daily. The Internet Crime Complaint Center (IC3) publishes an annual cyber crime report that provides a basic overview of reported cyber threats. Additionally, Stay Safe Online provides information and resources on cyber threat trends.
  • Natural. Good ol' Mother Nature can be a formidable foe, striking you with thunderstorms, earthquakes, hurricanes, or tornadoes. Are you located in tornado alley? Are you in a flood zone? The National Oceanic and Atmospheric Administration's (NOAA) State of the Climate provides historical weather data so you can answer these questions and learn what other natural weather phenomena your area is prone to.
  • Civil unrest. It can come under the names of protests, demonstrations, riots, and civil disobedience. The Ferguson, Missouri incident in 2014 provides a good example. These can be a little less predictable.
When looking at the different threats, you're looking at the likelihood of each affecting your operations and the severity of the impact. Focus more on the tactics, tools, and methods the threat uses to cause harm than on the actor itself, since the countermeasures you develop later in this process will be designed against the method. Additionally, look to see if the threat has a recent history in your local area, since this would indicate an increased probability.

Keep in mind that you should review and update this list at least annually as threats may change.

Step 3: Vulnerability assessment. 
Vulnerabilities are weaknesses or gaps in your protection that make your asset susceptible to your identified threat(s). During this step you take the information from the previous steps to assess how vulnerable your assets are to the listed threats. Oftentimes this step looks like a traditional security survey. What can the threat exploit? You try to put yourself in the bad guy's shoes and look at your organization from his perspective: if I were a bad guy, how would I get to [insert asset]? When identifying vulnerabilities, consider the tactics, tools, and skill level used by the threat. A typical "smash-and-grab" criminal will not use the same tools and tactics as a professional bank embezzler. Both types of threats are stealing, but they have different approaches. Additionally, which are you most likely to deal with? A small convenience store will likely deal with unsophisticated petty theft, while a large bank may need to be more concerned about the sophisticated embezzler.

Vulnerabilities come in three categories: physical, technical, and operational. Physical deals with the facility, its layout, walls, floors, ceiling, locks, doors...well, you get the idea. Technical looks primarily at mechanical equipment and electronic systems. Operational focuses on the organization's practices and procedures, which are the things people do. Are there things that people do that create gaps your threat could exploit? You want to look at all three when conducting a vulnerability assessment.

You should conduct this type of assessment annually, since the operating environment changes often, creating different vulnerabilities.

Step 4: Risk assessment.
In this step we combine the previous three steps (threat, asset, and vulnerability) to piece together a bigger picture of your risk. There are various methods, some using more qualitative means, while others try to quantify risk. Which method you use depends on your preference. I propose a simplified risk management spreadsheet you can easily create in Excel.
[Figure: A blank risk management worksheet using a spreadsheet.]
In the chart you list the assets you gathered in step one. When listing your assets, you also include a criticality rating. The higher the criticality rating, the more valuable the asset is to your operation. My proposal uses a criticality rating of 10 to 1, with 10 being the most crucial asset and 1 being the least valuable.
  • 9-10 points Critical: Missing/damaged asset halts operations or loss of life
  • 6-8 points High: Missing/damaged asset severely limits operations
  • 3-5 points Medium: Missing/damaged asset limits operations
  • 1-2 points Low: Missing/damaged asset would not impact operations
A simple risk formula is Risk = [Threat (T) x Vulnerability (V)] x Criticality (C). The risk formula uses multiplication because if there is no threat, vulnerability, or impact, then there is little risk. You must have all three in order to have a significant level of risk. Think about it: if you don't have a threat that will exploit the vulnerability to get your critical asset, then there isn't any risk. On the other side, if you do have a threat that can exploit a vulnerability to get an asset you don't really care about, who cares?
  • 9-10 points for Critical Risk. This means there is an exceptionally high probability.
  • 6-8 points for High Risk. There is a high probability.
  • 3-5 points for Medium Risk. There is a moderate probability.
  • 1-2 points for Low Risk. There is a low probability.
As you can see, we try to quantify a subjective process, so there may be some discrepancies between how one person rates an item and how another individual rates it. A team approach is recommended in developing an organization's risk ratings.

Risk rating:
  • Very high: 1000-800
  • High: 799-500
  • Medium: 499-300
  • Low: 299 and under
Let's try a little exercise! One simple scenario most people face is taking a vacation and leaving their home for an extended period of time. Following our steps, I take inventory of my assets. In the interest of time, I limit my assets to three valuable items with their criticality ratings: the house, personal documents, and my television. My personal documents receive the highest rating, since I need them for all banking, identification, and other interactions with official agencies. My television, while expensive to replace, receives a lower rating, since I can live without it for an extended period of time.
[Figure: Risk management worksheet for the vacation scenario.]

Based upon the criminal statistics for my local area, my assets face the threats of burglary, arson, and identity theft. Based upon historical data, tornadoes pose a hazard to my assets; however, I'm not traveling during tornado season, so I am not taking this hazard into consideration. On my risk worksheet I list the threats my assets could potentially face. Then I assign a number to the probability of each. Now I start to look at vulnerabilities. In the interest of time, I'm only going to look at the house and its highest-rated threat, the burglar.

Potential vulnerabilities are:

  • Piles of newspapers and fliers collected at the door. This is a good indicator to a burglar that the home is empty and is not being cared for. I rate this vulnerability as a 7 for a burglar to use as an opportunity to break into the home.
  • Lights stay off all the time. This is a good indicator that the house is vacant. I rate this as a 7.
  • No traffic in/out of the house or driveway throughout the day and night. I rate this as a 5.
  • Unkempt lawn. I rate this as a 3, since an unkempt lawn doesn't always mean the house is vacant.
  • Back entrances are hard to see. If the back entrances are hard to see, then it is easy for a potential burglar to break in without being noticed. I rate this as a 9.
I could go on, but I think we have a good list going for our little demonstration.

What's our risk? Remember our formula: risk = [threat x vulnerability] x criticality
Asset: house, criticality rating: 9
Threat: burglar, rating: 7
Vulnerability: newspaper pile, rating: 7

Risk = [threat 7 x vulnerability 7] x criticality 9
Risk = [49] x criticality 9 = 441

Based upon my chart our risk is medium. If we are okay with a medium level of risk, we do nothing. If we're not satisfied with that level, then we apply countermeasures.

Step 5: Countermeasures. 
"The level of vulnerability, and hence the level of risk, can be reduced by implementing appropriate security countermeasures." (NIPC, 2002) The simplest and most cost-effective countermeasures are procedure-based, and they can easily reduce your risk. You should try this type of countermeasure before using resource-intensive measures that cost you in either manpower or money. If you opt to buy a security system or equipment, make sure it actually reduces your risk by mitigating your threat and/or vulnerability; otherwise it just becomes another expensive toy. Re-evaluate the program after applying countermeasures to make sure you are reducing your risk and do not inadvertently create other vulnerabilities.

Using our vacant home scenario, one of our countermeasures could be cancelling the newspaper while we're on vacation. This prevents the newspapers from piling up and indicating to a potential burglar that the house is sitting vacant. This procedural measure mitigates our vulnerability and reduces our risk.
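To make the Step 4 worksheet and the Step 5 re-evaluation concrete, here is an added example (my code, not part of the original post) that scores every row of the vacation scenario with Risk = [T x V] x C, maps the products onto the post's rating bands, sorts the rows so the highest risk surfaces first, and recomputes the residual risk after a countermeasure. The ratings for the house, the burglar, and the five vulnerabilities are the ones given in the post; the post-countermeasure vulnerability rating for the cancelled newspaper (1) is an assumption I made for illustration, and the row descriptions are constructed.

```python
"""Risk worksheet for the five-step model: Risk = (Threat x Vulnerability) x Criticality.

Added example. The rating scales are the post's; the rows are the post's vacation
scenario; the post-countermeasure vulnerability rating is an assumption.
"""
from dataclasses import dataclass, replace
from typing import List, Sequence, Tuple

# Scales from the post: 1-10 for criticality, threat and vulnerability; 1-1000 for
# the product. Each band is (inclusive lower bound, label), listed in descending order.
TEN_POINT_BANDS: Sequence[Tuple[int, str]] = [(9, "Critical"), (6, "High"), (3, "Medium"), (1, "Low")]
RISK_BANDS: Sequence[Tuple[int, str]] = [(800, "Very high"), (500, "High"), (300, "Medium"), (0, "Low")]


def band(score: int, bands: Sequence[Tuple[int, str]]) -> str:
    """Return the label of the first band whose lower bound the score meets."""
    for floor, label in bands:
        if score >= floor:
            return label
    raise ValueError(f"score {score} is below every band")


def check_rating(value: int, name: str) -> int:
    """All three inputs must be whole numbers from 1 to 10; reject anything else early."""
    if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 10:
        raise ValueError(f"{name} rating must be an integer 1-10, got {value!r}")
    return value


@dataclass(frozen=True)
class RiskEntry:
    """One worksheet row: an asset, one threat to it, and one vulnerability."""
    asset: str
    criticality: int
    threat: str
    threat_rating: int
    vulnerability: str
    vulnerability_rating: int

    def __post_init__(self) -> None:
        check_rating(self.criticality, "criticality")
        check_rating(self.threat_rating, "threat")
        check_rating(self.vulnerability_rating, "vulnerability")

    @property
    def risk(self) -> int:
        # Multiplicative on purpose: a 1 in any factor keeps the product small.
        return (self.threat_rating * self.vulnerability_rating) * self.criticality

    @property
    def rating(self) -> str:
        return band(self.risk, RISK_BANDS)


def worksheet(entries: Sequence[RiskEntry]) -> List[RiskEntry]:
    """Rows ordered highest risk first, so the top row is the first thing to address."""
    return sorted(entries, key=lambda e: e.risk, reverse=True)


def apply_countermeasure(entry: RiskEntry, new_vulnerability_rating: int) -> RiskEntry:
    """Step 5: a countermeasure is modelled as re-rating the vulnerability it mitigates.
    The new rating is validated like any other, so a bad re-rating fails loudly."""
    return replace(entry, vulnerability_rating=new_vulnerability_rating)


def residual_risk(before: RiskEntry, after: RiskEntry) -> Tuple[int, int, bool]:
    """Return (risk before, risk after, whether the measure actually reduced risk).
    A False here is the 'expensive toy' case: money spent, risk unchanged."""
    return before.risk, after.risk, after.risk < before.risk


# Constructed rows: the post's vacation scenario (house, criticality 9; burglar, threat 7)
# with the five vulnerabilities and ratings listed in the post.
HOUSE_ROWS = [
    RiskEntry("house", 9, "burglar", 7, "newspapers piled at the door", 7),
    RiskEntry("house", 9, "burglar", 7, "lights off all the time", 7),
    RiskEntry("house", 9, "burglar", 7, "no traffic in or out", 5),
    RiskEntry("house", 9, "burglar", 7, "unkempt lawn", 3),
    RiskEntry("house", 9, "burglar", 7, "back entrances hard to see", 9),
]

# Assumption (not from the post): cancelling the newspaper drops that vulnerability to 1.
NEWSPAPER_AFTER_CANCEL = 1

if __name__ == "__main__":
    for row in worksheet(HOUSE_ROWS):
        print(f"{row.risk:4d} {row.rating:9s} {row.asset}/{row.threat}: {row.vulnerability}")
    before = HOUSE_ROWS[0]
    after = apply_countermeasure(before, NEWSPAPER_AFTER_CANCEL)
    print("newspaper pile before/after/reduced:", residual_risk(before, after))
```

Sorting the rows is the useful part: the newspaper pile the post works through scores 441 (Medium), but the hard-to-see back entrances score 567 (High) with the same threat and asset, so that row would come first on a real worksheet. Because `replace` reruns the dataclass validation, a countermeasure that is recorded with an out-of-range rating is rejected rather than silently producing a misleading score.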

Air Force (2012). AFI 10-245 Antiterrorism. Retrieved from

Defense Treaty Inspection Readiness Program (August 2004). Order Number 940A: The importance of risk management in site preparation. DTRA DTIRP Arms Control Security Information Article. Retrieved from

National Infrastructure Protection Center (2002). Risk management: An essential guide to protecting assets. US Air Force Air War College. Retrieved from

(1999). Risk Management Handbook. United States Forces Korea Safety: Safety Manager's Toolbox. Retrieved from
