Author: Gregory Allen and Rachel Derr
ISBN No: 9780128022245
Review date: 20/04/2024
No of pages: 182
Publisher: Butterworth-Heinemann
Publisher URL: http://store.elsevier.com/product.jsp?isbn=9780128022245
Year of publication: 06/01/2016
Brief:
Threat Assessment and Risk Analysis
Threat Assessment and Risk Analysis: An Applied Approach, by Gregory Allen and Rachel Derr, published 2015 by Butterworth-Heinemann, ISBN 97801-28022245. Paperback, £31.44. Visit www.elsevier.com.
Threat and risk assessment is very much a part of security management and crime prevention; indeed, we do it ourselves every time we cross the road or fasten our seatbelt. Threat Assessment and Risk Analysis: An Applied Approach, a book by a pair of Americans, sets out what it is, and how to do it.
As an American book, like so many in the field, it draws on American examples, sources, laws and institutions: in this case, the Department of Homeland Security and the framework Risk Analysis and Management for Critical Asset Protection, RAMCAP for short. That matters because whether you are assessing the risk of a terrorist attack or a hurricane, you need, as the authors say, ‘a consistent and sound methodology’ to identify where you are vulnerable and to work out what can be done about those weaknesses. If you don’t do the analysis consistently, in one site (or country) you could overlook a weakness while in another you over-protect.
The book talks in terms of risk (another word for hazard), threat, vulnerability and consequence (as the risk of a tsunami may be vanishingly small in Torquay, even though it would devastate the English Riviera, so you can safely discount the probability). The difference between risk and threat? “Risk is usually a calculated assumption made based on past occurrences. The threat, on the other hand (as opposed to risk), is a real, instant danger,” whether a person, an object such as a ticking bomb, or an extreme of weather (page 120-1).
The book takes us through the ‘five main steps’: assess the value of your assets, whether staff, information, or hardware; assess the threats, from adversaries and from past incidents; assess your vulnerabilities – what are the undesirable events against assets; assess risk, in terms of likelihood, and decide priorities; and ‘determine countermeasure options’. The decision for the organisation is how they want to approach risk, whether to be risk-averse, or to mitigate risks (and which ones).
“Risk is the intersection of assets, threats and vulnerabilities,” they write. Risks can be to do with security (whether physical or against information, for example, due to theft, sabotage or plain human error) or the reputation of a business. Whether you see security in terms of ‘target hardening’ in the case of critical national infrastructure, for instance, or risk in terms of being resilient or prepared for emergencies, the book shows that risk assessment is a process. It doesn’t end once you assess and make a plan, because hazards change, even if your organisation does not. Whatever your sector, this book can be an aid to thinking about risk and threat.