Security Risk Analysis; by Hugh Jones MSc CSyP FSyI CPP. This article is based on two case studies. The first explores the methodology used and the second demonstrates the use of Failure Mode Effects Criticality Analysis (FMECA) and Fault Tree/Event Tree Analysis in security-related incidents and risk engineering.
In the article we examine core elements of the risk survey: methodology, factors influencing risk, survey process and system design. The paper emphasises that a Security Risk Analysis (SRA) requires detailed examination of diverse aspects within the organisational setting.
To be effective and offer organisational reward an SRA must take a holistic view of the organisation and its operations, be multi-disciplinary and include the co-operation and support of Senior Management and Financial and Administrative resources. In addition, any SRA must examine the organisation’s operations and operational requirements and its culture and subcultures as well as any external elements, which influence operations.
Case Studies
The factual basis of the case studies is based on actual SRA’s conducted in different geographic locations. The principles, methodologies and findings are still valid within the European context.
Security in the world is dynamic. What is perceived today as being a low risk may tomorrow be a high risk, making it a dynamic environment. Potential threats include:
• Armed assault, kidnapping and extortion;
• Theft, sabotage, murder or piracy;
• Attacks on supply chains or convoys.
Case Study 1
The organisation is involved in the oil industry. Personnel include expatriates and local nationals, each having distinct cultural foundations and ontologies. The employee base has direct implications for risk perception and management.
Case Study 2
This study uses two incidents to explore the application of engineering principles of FMECA and Fault/Event Tree analysis in the SRA process. The site includes an expatriate camp, hospital, and a landing strip, staffed by security personnel from the National Police, private security contractors and members of the local security forces. The complex has an extensive security infrastructure, which includes perimeter protection, CCTV, access control and lighting.
What is Risk?
Risks originate from natural and man-made hazards. Security counter-measures protect assets, including people, from malevolent threats although there is always a residual risk factor. Risks must be managed kept ‘As Low as Reasonably Possible’ (ALARP) . Garcia cites five methods of managing risk: Avoiding; Reducing; Spreading, Transferring; and Accepting the risk.
Types of Risk
There are two primary types of risk: Speculative Risk – (loss/gain), and Pure risk – (no gain). Physical Security focuses on Pure Risk. The goal of an SRA is to mitigate the pure risks or eliminate organisational risks.
Risk Perception
Risk perception is fundamental in an SRA. No two people or organisations perceive risk in the same way or as having the same consequence or probability. The influences on risk are: political, environmental, sociological and technological (PEST).
For an SRA to be valid, the analyst must always conduct the analysis from a neutral perspective. SRA’s must include those people who will develop a holistic, multi-disciplined evaluation of asset risk profiles, probability of risk exposure, criticality, vulnerability and mitigation priority.
Survey Methodology
There are two approaches to this: an ‘outside-in’ approach, and an ‘inside-out’ approach. The methodologies employed international are generally empirically based and grounded in the analyst’s personal experience, bias and competency.
Any SRA should seek to answer three questions : What can go wrong, what is the likelihood it will go wrong and what are the consequences if it goes wrong?’
Four other asset elements, which must be considered in the SRA include: Identification of the Loss Event Probability (LEF); Loss Event Profile (LEP); Loss Event Criticality (LEC); and Asset Vulnerability (VA) .
Addressing these enables the analyst to identify risks and the probability and consequences of their occurrence. Consequences often overlooked by the risk analyst include the financial implications and how to manage them.
This paper describes how to build an analytical security analysis based on in-depth analysis, risk identification, and asset vulnerabilities.
Planning
When planning a SRA the organisation must ensure:
• The lead analyst is experienced in Risk Analysis with appropriate training;
• The survey team must understand the facility and it’s operations;
• The plan must identify areas covered.
• The team must use a checklist to ensure all influences in the risk profile have been assessed.
• There must be a defined scope and timeframe for the analysis.
This methodology has five stages, which create accurate and practical reports.
The five stages are: Obtaining data, analysing data, devising methods and means to mitigate risks, implementing the mitigation measures, and evaluating the efficiency of the implemented measures (OADIE).
Areas addressed during Risk Analysis
Once a survey is done, mitigation strategies must be designed and implemented. These include:
• Physical security – Fire protection, policies, procedures, communications, information and personnel protection,
• Contingency/continuity planning;
• Journey management (including safe-havens , attack response, rules of engagement, communications);
• Logistical support and Supply Chain management,
What is a Security system?
Blanchard and Fabrycky (1998) define a system as:
‘…A collection of interacting components …integrated and organised to react to an input and produce a predictable output.’
Rogers (2006: 67) states that:
‘…A complex system is defined as a diverse system of sub-systems working together towards a common goal.’
Taking the above into account it follows that a system design must be practical, realistic and cost effective and should be layered using, where possible, single technologies to address multiple risks.
Security system design
A complex system may be too difficult to implement and manage and not meet organisational requirements and security systems as these are often over-designed and not used.
Systems must be integrated and easily managed: A security system protects information, equipment and people. Integration and convergence of systems provides layered security, enabling management to control costs and efficiency.
Obtaining data
The team must get a written mandate and necessary authority from senior management to investigate the risks for the scope of the SRA. All employees should be informed, so that the team’s credibility cannot be questioned.
Data used in defining the LEP, LEF and LEC must be accumulated and include data drawn from historical events, media reports, and interviews.
Analysing
Data analysis is fundamental to the SRA allowing the LEP of assets to be determined along with the LEF, LEC, and VA with assets ranked according to the LEF and LEC. The American Society for Industrial Security (ASIS) suggests the LEF be ranked from ‘A’ – Virtually Certain, to ‘E’ – Probability Unknown.
The LEC rankings are ‘1’ (Fatal to the Enterprise) to ‘5’ (Seriousness unknown) .
If an asset provides an LEF of ‘E’ or an LEC of ‘5’ it should be seen as ‘temporary’ in the absence of more accurate data.
The cost implications of LEF are determined when the data is analysed and ASIS identifies three forms: Real Costs (including permanent, replacement and lost income costs); Direct Costs (money and information); and Indirect Costs, (reputation and staff morale).
Once the LEF and LEC are completed a Vulnerability Assessment (VA) should be conducted for each asset. The sum of the VA’s will determine a global VA.
The principles of Risk Engineering may be applied so that the SRA team has the tools to investigate and evaluate risk and assess vulnerability.
Devise
Once the data analysis is completed, the asset profiles identified and allocated rankings using the risk matrix, the SRA must design counter-measures to mitigate risks. These include: Physical security systems, policies, procedures and processes or a combination of these.
The system design should be standardised using equipment from a single supplier, apply leverage principles to meet multiple needs and fulfil the protection criteria.
Implement
Implementation of the SRA is vital and all staff need to know why and when the system is being implemented. Poor communication creates resistance and undermines its acceptance.
A project manager should manage the process and costs while the system design must be comprehensive so few changes are made.
In devising and implementing any security system it is critical that it is practical and takes the operational requirements into account. Any system that does not do so is doomed to fail.
Evaluate
The evaluation must determine that the measures devised and implemented address the organisational vulnerability and reduce the risks, be cost effective and deliver a return on investment (ROI).
Because risk is dynamic it means that any flaws in the system require a re-evaluation of the methodology used.
Factors
There are four primary areas: Personnel; Information; Physical Security; Reputational Security
Each aspect is analysed and the scope and mandate of the SRA is determined alongside additional security measures.
Personnel Security
People are an organisation’s most valuable asset but may be its greatest risk. Steps such as pre-employment screening, screening for promotion, lifestyle analysis, substance abuse or violent behaviour should form part of the analysis.
Information Security
Information security is wider than the computer infrastructure as people pose a threat to information security. When managing information security, physical and network security combine to define security of proprietary information.
Physical Security
Physical security includes electronic systems, staff screening, company policies and procedures, physical barriers, proper lighting and basic asset protection.
Reputational Security
Reputational risk may be the most under-stated responsibility of the security professional. There is a very real reputational risk for the organisation, be it from the consequence of actions or a non-performance of duty. European legislation is explicit on aspects such as duty and standards. Any security practitioner within the European area has to be aware of all legislative components, which have a bearing on security, as failure to comply with these requirements places the organisation at substantial reputational risk.
Case Study One
Fault Tree and Event Tree analysis in LEP, LEF and LEC analysis.
Background
An employee buys a car and employs a driver. Following corporate policy he tells Human Resources he has employed the person and the employee is provided with an access card. Some time later the driver’s employment is terminated. HR and IT are not informed and the employee keeps his access card, giving him access to the facility. He is known to the police and returns to the premises after and steals his former employer’s car.
Fault Tree/Event Tree analysis of Incident
In analyzing these events it was possible to develop a detailed LEP, LEF, and LEC analysis.
The Fault Tree defined the investigation and helped develop a risk mitigation strategy including operational policies and procedures to defend assets and establish the Risk/Criticality of these.
An Event Tree analysis taken from the Fault Tree analysis identified other assets at risk.
The causal influences of physical security, corporate policy and procedures, and fragmented ownership of security systems components contributed to the loss. Through the Fault/Event Tree analysis it was possible to change policies and procedures in three operational divisions. This protected the asset and the facility’s security.
Case Study Two
Background
The national electrical power grid was unreliable and emergency power generators widely used. The residential complex has a security system that includes CCTV, Access Control, Perimeter Alarms, and Lighting. However, power failures and spikes meant that components needed to be repaired or replaced. CCTV and lighting components were most vulnerable to power fluctuations creating further security vulnerabilities.
Risk Assessment
The risk assessment identified three primary risks: Protection of personnel and assets, system redundancy and supply chain cost risk, and reputational risk.
The first is self-explanatory, an ineffective system subject to repeated malfunction placed personnel and assets at risk. The second risk was more complicated as it involved multiple disciplines within the organisation and highlighted the need for the multi-disciplinary approach for the analysis. Lastly, the reputational risk is difficult to quantify as tt is multi-dimensional and may influence the organisational need to recruit personnel to meet the organisational goal and the need to source and maintain the security systems employed at a facility. The scope of this paper does not allow for elaboration as security supply chain management in itself would require a dedicated paper.
Conclusion
This summarises the SRA process, methodology, factors influencing the organisation, risk analysis, and design. It emphasises that the security function is not an orphan inside an organised community but rather a component of the organisational family, providing development, sustainability and achievement of goals. The methodology is a standard, which is employed internationally and successfully, across many sectors.
However, after 30 years of conducting Security Risk Analysis surveys internationally, I have realised that while being functionally correct and able to deliver the desired results, the methodology is flawed.
When conducting these surveys I always knew what I was doing but I did not understand cognitively what, why and how I was doing it. The surveys conducted lacked the benefit of conscious application of refection and analysis of heuristic influences. My knowledge has been empirically grounded in experience gained ‘in the field’, practical training and knowledge from a wide range of subject- and vocational-specific studies. This indicates that the robustness of future surveys can benefit from reflection.
This aspect of Security Risk Analysis, as controversial as it may be, will be covered in a paper ‘Reflexive Risk Analysis’ to be published in 2011.
References and suggested reading
ASIS, (2004), Security Vulnerability, ASIS Protection of Assets Manual Volume 1, Chapter 2 Part 1. Accessed at http://www.asisonline.org. p 2-1-1 – 2-1-B1.
ASIS, (2004), Crime Prevention Through Environmental Design, ASIS Protection of Assets Manual Volume 3, Chapter 19 Part 8. Accessed at http://www.asisonline.org. p 2-1-1 – 2-1-B1.
Douglas, M. (1982), Essays in the Sociology of Perception, London: Routledge and Kegan Paul.
Farrell, G. and Pease, K. (2006), Criminology and Security in M. Gill (Ed), The Handbook of Security, Hampshire: Palgrave MacMillan p 509 – 531.
Fennelly, L. (2004), Handbook of Loss Prevention and Crime Prevention 4th ed. New York: Butterworth-Heinemann.
Fischer, R., Halibozek, E. and Green, G. (2008), Risk Analysis, Security Surveys, and Insurance, Introduction to Security 8th ed. New York: Butterworth-Heinemann p147 – 172.
Frosdick, S. (1997), The techniques of risk analysis are insufficient in themselves, Disaster Prevention and Management Vol.6 Number 3 p 165-177, University of Leicester supplied reading: MSc Security and Risk Management Module 3 unit 4.
Garcia, M. (2006), Risk Management in M Gill (Ed), The Handbook of Security, Hampshire: Palgrave MacMillan p 509 – 531.
Garcia, M. (2008), The Design and evaluation of Physical Protection Systems 2nd ed. New York: Butterworth-Heinemann.
Mars, G. (1982), Cheats at Work: An Anthropology of Workplace Crime, London: George Allen and Unwin Publishers.
Morgan, G. (2006), Images of Organisation. London: Sage Publications.
Mullins, L. (2007), Organisation Structure and Design, Management and Organisational Behaviour 8th Edition. Essex: Pearson Education Limited.
Papura, P. (2008), Security and Loss Prevention 5th ed., Burlington: Butterworth-Heinemann.
Pidgeon, N. (1992), The Psychology of Risk in D. I. Blockley (ed.), Engineering Safety, Maidenhead: McGraw Hill.
Rogers, B. (2006), Engineering Principles for Security Managers
Schneider, R. (2006), Contributions of Environmental Studies to Security in M. Gill (ed), The Handbook of Security, Hampshire: Palgrave MacMillan 90 – 115.
Sennewald, C. (2003), Effective Security Management 4th ed. Burlington: Elsevier.
Toft, B. and Reynolds, S. (2005), The Management of Risk, learning from disasters, 3rd Ed. Hampshire: Palgrave MacMillan.
US Department of state, (2000), Voluntary Principles on Security and Human Rights,
the Bureau of Democracy, Human Rights, and Labour U.S. Department of State, December, 2000.
Whitman, M. and Mattord, J. (2008), Information Security 2nd ed. Canada: Course Technology, Cengage Learning.
