Chapter 8

Risk Analysis and the Security Survey

Hi, gang!  If you got to this point, you are about 1/3 through and have one exam under your belt.  We're going to make it together. 

Goal: To examine the various means of implementing an effective Risk Management program through security surveys and risk analysis.

Objectives: 

• Identify the concept of risk management and threat assessment
• Provide a clear understanding of the security survey and its objectives.
• Understand the application of Probability, Criticality and Vulnerability analysis in constructing a survey.
• Understand the options available to optimize Risk Management Alternatives.

Abbreviated Lecture:

From this chapter we learn that security is not a piecemeal concept, but a package covering the entire organizational structure. Try to understand that there's a difference between "risk avoidance" and "risk management."  The former is perhaps what security and management tried to do in the "good old days."  That is, try to prevent all losses by having a very  costly security program.  You can, for example, avoid all shoplifting by having a security officer escort each and every shopper and by having all shoppers searched leaving the store.  But what would that cost in terms of dollars spent, dollars lost (no customers), etc. ?!  You get the picture.  In risk management, we try to identify those security problems most likely to occur at the business location, select the ones we want to try to counter and accept that the system isn't perfect.  But it will help the business avoid the main problems.

Keep in mind that some places will lean more toward risk avoidance, though.  For example, I used to work with nuclear weapons.  In that environment, we could not afford any threat getting through!  But it was very, very expensive and very, very intensive.  We were always being inspected and tested.

One professor friend of mine describes "Risk Management" as " before-loss arrangement for after-loss continuity." Risk analysis involves identifying potential loss scenarios and then coming up with countermeasures.  We try to answer the question: What causes the losses?

 Well, traditionally in the security field, we talk about threats or hazards.  There are two main types: natural and man-made.  Under natural threats we list things such as storms, fires, floods, earthquakes, and other natural events.  Under man-made, we list things like theft, assault, drug abuse, trespass, terrorism, sabotage (look up that word; it comes from the act of throwing a wooden shoe, a "sabot," into the machinery), espionage, etc.  Does this mean as a security manager you will be responsible for keeping an earthquake from happening in Utah?  Of course not!  But we'll see later that you will probably play a major role in planning for the response to that quake.

We identify risks as specific vulnerabilities.  Vulnerability is the exposure you have to the threat(s).  Risk is the likelihood that one or more threats will have an impact on your facility. 

As a security manager, your job involves identifying for management the types of threats that might affect your place and then figuring out the risk.  If your boss says, "I want to protect this plant from a surprise landing of a UFO," you would say, "Boss, that's a good point (never smart to say, "Boss, that's the dumbest thing I ever heard!!!"); however, I've done some research.  It is very unlikely that a UFO crew would have any interest in this place and the likelihood of them landing here is slim to none.  I suggest you accept that risk and not spend time or money on a UFO defense system.  But, we are having losses of those new Snap-On tools from the maintenance shop. Last month we lost $3000 worth of new tools.  I can set up a tool accountability system for $1500.  It'll pay for itself in a half month."  (Note: bosses like it when you can show them what is called "return on investment" or "ROI" and you can show that the security measure will more than pay for itself.  Can't always do this, though! )  I just received the OK to upgrade our closed circuit TV system.  I couldn't prove that it will save more than it costs but I could show that its cost is less than .01% of the value of the property it will help protect.  Try to present figures and dollars.  These are what management understands.

Here is another term: Criticality- this is a measure of how important a facility or asset is to the entire enterprise.  If your business is a manufacturing facility, your production buildings are going to be more critical than, say, the office area.  (I'm not suggesting that the office area is not important!  As security manager, your office is probably there.  What I am saying is that if you lost all or part of the office area, you could have the office people work in a rented trailer.  But the production facilities are absolutely important to the business' survival.)

Most companies offset risk by buying insurance.  You may hear "we are self-insured."  Usually this means the company has a very high deductible.  Some business simply write off a certain amount every year for loss or "shrinkage."  Retail usually does this.

How do you determine threat?  First, look at the natural threats or hazards.  Are you on an earthquake fault?  Are you near flood-prone areas?  Are you in "tornado alley"?  Are you in the middle of a forest?  Then look at the man-made threats.  I suggest you look at past loss history.  Look at past audits.  Then contact local, state, and federal law enforcement and intelligence agencies.  If you deal in classified government programs, espionage (spying, usually by foreign powers or maybe by domestic competitors) may be a threat.  How likely?  That's what the intelligence agencies can help you determine.  (By the way, remember earlier in the course we talked about the National Industrial Security Program?  Well, that was set up as a countermeasure to the threat of espionage.  It has been a pretty successful countermeasure.  At least, it usually works against outsiders getting to the classified information.  That's why espionage often involves a trusted insider who's gone bad, such as Aldrich Ames.  Anyone know who he is?)

A key tool in Risk Analysis is the Security Survey or Vulnerability Analysis. This is a systematic look at the threats facing the facility, the criticality of the facility or its parts, and the countermeasures in place.  Review Appendix C, pages 457-463.  You could even apply some of the elements in the survey to your home, school, church, etc.  I just completed a security survey of 2700 miles of railway used for transport of sensitive, high value products.  I had only 10 days to do the survey and two days to draft the report.  Very little sleep; uncomfortable accommodations; bad weather.  It was a lot of work.  But I used the same principles we are talking about in this assignment.  Of course, my security survey checklist was a but different from the one in Appendix C.  But the concept is the same. Notice that in an organization, the survey attempts to look at not only at things like control of keys (always an issue!!) but also protection of proprietary information such as business plans, payrolls, human resources files (imagine the flap that would happen if everyone's pay information got into the wrong hands!)  One thing the list doesn't mention is "how are proprietary materials disposed of?"  Does the organization toss them in the trash?  Bad!!  Do they shred them?  If so, who does it and how do they do it?  (Suppose you hired a contract firm to shred your sensitive material.  They come to you in a big truck that has a heavy duty paper shredder in it.  Do you just hand them bags of material to shred or do you observe the shredding?  Has the contract company been checked out?  How do you know they are not selling your sensitive info.)

What about your companies trash?  Ever hear of "dumpster diving" to get valuable information or materials?  Speaking of trash, I worked a case many years ago in Europe: a supermarket was losing hams, turkeys, steaks, etc.  Turned out it was an inside job.   Here's what was going on: the meat department would receive whole sides of beef.  They would cut and trim the meat.  The fat and bone waste would be put into big cans for a fat-rendering contractor to pick up.  These cans get pretty ugly and smelly with big hunks of meat scraps, bones, etc.  The meat department guys would put turkeys, hams, etc., down in the bottom of the cans and then put the scrap on top.  Who would want to reach down in that mess?!  Then the contractor would pick up the cans and take them to their facility where the good items would be pulled out and set aside for sale on the black market.  The meat department employees and the scrap contractor would split the proceeds.  (By the way, I had a minor role in this case - don't want you to think I'm a Sherlock Holmes!)

Once we identify risks, we look at alternatives for handling those risks: Risk Avoidance or Elimination; Risk Reduction; Risk Spreading; and/or Risk Transfer.  These are discussed on page 143 in your text.  

Another thing I'd like to mention is the question about the cost-effectiveness of security.  It is usually very hard to measure unless you had no security at one time and had high losses.  Then you put in a security system and the losses go down.  But it still might be hard to prove that security caused the savings.  Maybe the threat just went somewhere else.  At best, sometimes we have to live with the fact that security is part of the cost of doing business, like paying the electric bill.  Because it is often hard to prove the effectiveness of security, security is often targeted when the "bean counters" start trying to save money.  This is something to think about if you want to make security management a career.

Assignment: answer review question 1  on page 146 in your book.