Security Risk Assessment
Overview
Various aspects of the threat assessment will influence your judgment about both the likelihood and impact of a certain threat. To illustrate, we can use an example of armed crime.
If the threat assessment identifies a threat from large, well-armed criminal groups working in a city with poor lighting at night and a weak police force, then the likelihood of a successful attack may be high. If a criminal group is known to use weapons during armed robberies and has a history of killing all witnesses, then the potential impact could be loss of life, so the risk associated with this group would be greater than if they did not have weapons and a history of using these.
A person’s presence in an area of poor lighting, where the criminal group is known to operate, makes him or her vulnerable and affects the risk assessment. The risk associated with an attack by even a small, unarmed criminal group will be higher if the target is not properly protected. A lack of ability to control the after-effects of a serious incident is also a form of vulnerability and needs to be examined. The risk of someone dying after being shot in an armed robbery, for example, will increase if proper medical attention is not given to the victim.
Only after you have identified all the major threats and established their corresponding risks are you ready to make sound decisions on how to lower risks.
The Concept of Likelihood
The determination of Likelihood has traditionally been one of the most difficult and ambiguous steps in the SRM process. Cognitive bias and limited data available to risk managers have sometimes resulted in Likelihood assessments (and, therefore, risk assessments) that are inaccurate and, often, unhelpful. Inflation of risk unnecessarily inhibits the delivery of business objectives of organizations.
Determining Likelihood through scientific, quantitative methods is only possible with any degree of reliability for events with large data sets. In volatile environments, quantitative methods will very rarely produce valid results because the amount of data available is insufficient to construct valid models. The SRM model recognizes that a purely mathematical approach, utilizing statistical analysis and modeling, is not always a realistic method in our context.
Organizations often deal with threats of a deliberate nature, and this is particularly the case for the threat of terrorism, where improbable disastrous events do sometimes transpire. These types of events are improbable as opposed to impossible. However, just because improbable events sometimes do take place does not mean that all improbable events therefore become probable. To avoid or to ignore this elemental consideration is to engage in faulty planning and decision-making.
Likelihood in the SRM model is defined as “a rating of the assessed potential for a harmful event to affect the Organization”. It is measured on a scale of 1-5: Very Unlikely, Unlikely, Moderately Likely, Likely, Very Likely.
In the SRM process, the Likelihood of an event is a product of Threat and Vulnerability (i.e., Likelihood = Threat x Prevention Vulnerability).
Remember that threat is a combination of Intent, Capability and Inhibiting Context, and that this was assessed in the Specific Threat Assessment.
The Likelihood score for an event is achieved by multiplying the Threat Score for the event (calculated in the Specific Threat Assessment step) by the 1-5 Prevention Vulnerability score (explained below).
This approach to Likelihood has been developed to reflect the “potential” of a deliberate event to occur by measuring both the changing threat (Intent, Capability, and Inhibiting Context) and our relative ability to prevent the event from occurring (Prevention Vulnerability). Even though an event has never happened before, if the intent and capability are rising in a formerly permissive environment, and we’ve done nothing to prevent the event from occurring and affecting us, then the event is more likely to occur and affect us.
Prevention Vulnerability Assessment
As noted previously, Vulnerability is defined as “a weakness that can allow a threat or hazard to cause harm”. A Vulnerability Assessment is an assessment of the strengths and weaknesses of our security system – an assessment of whether the necessary security countermeasures are in place and effective (strength) or absent and/or ineffective (weakness).
At this stage, it is important to remember that the SRM process divides vulnerability into two components – Prevention Vulnerability and Mitigation Vulnerability. Prevention Vulnerability deals with Likelihood while Mitigation Vulnerability deals with Impact (see below for more on Mitigation Vulnerability).
When discussing Likelihood, therefore, the following two definitions are required:
- Prevention Vulnerability: inadequate security countermeasures meant to reduce the Likelihood of the event occurring as described.
- Prevention Vulnerability Assessment: An assessment of the degree to which the organization has implemented effective security countermeasures to lower the Likelihood of the event occurring.
The SRM Process uses a 1-5 scale for Prevention Vulnerability:
- 1: Effective preventive risk management countermeasures/procedures completely in place and consistently effective.
- 2: Effective preventive risk management countermeasures/procedures completely in place (but a weakness exists that could be exploited given substantial resources).
- 3: Preventive risk management countermeasures/procedures not completely in place OR not consistently effective.
- 4: Preventive risk management countermeasures/procedures not completely in place AND not consistently effective.
- 5: No effective preventive risk management countermeasures/procedures in place.
As with the determination of components for Specific Threats, this Manual cannot provide a comprehensive list of all descriptors and qualifiers for Prevention Vulnerability. Security professionals must ensure that they fully consider the multitude of variables in determining Prevention Vulnerability in an objective, realistic and evidentiary (i.e. fact-based) manner.
As with the Threat Assessment step above, it is important for the security professional to conduct a “validity check” by comparing the numerical rating made for Prevention Vulnerability for one event description with the rating given for other event descriptions, to see if there are any anomalies that render the overall assessment inconsistent and/or invalid. Simple questions like “Does it make sense that the Prevention Vulnerability rating for this event is lower than for this other event?” help ensure consistency throughout assessments.
When making the Prevention Vulnerability assessment, security professionals must record what prevention measures are in place and how effective they are in lowering the likelihood of the event. This information will be used to design recommendations for lowering likelihood/lowering prevention vulnerability later (see “Step 6: Security Risk Management Measures”). It is important to note that in this step, security professionals reflect only on the measures currently in place and their effectiveness. For example, the drafter may note that untrained guards are in place, or that access control measures are in place and effectively implemented. At this stage, the drafter does NOT consider measures that are not in place.
The components of the Specific Threat Assessment – Intent, Capability, and Inhibiting Context – are completed during the Specific Threat Assessment stage of the SRM process. Risk managers, therefore, only require the Prevention Vulnerability assessment for each specific event description to complete the likelihood assessment. Security professionals should take care to consider all aspects of the Prevention Vulnerability assessment, using associated descriptors as a guide, to arrive at a reasonable and objective assessment of its measures to hinder specific threats.
Once each event description is assessed on Prevention Vulnerability, you should multiply the Prevention Vulnerability score by the Threat Score for the event (from the Specific Threat Assessment) to generate the Likelihood score for that event. The Likelihood Score will then establish a Likelihood Rating from 1 to 5, with the accompanying descriptor, as follows:
- 1: Very Unlikely
- 2: Unlikely
- 3: Moderately Likely
- 4: Likely
- 5: Very Likely
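The Likelihood step above (Threat Score multiplied by Prevention Vulnerability, then mapped to a 1-5 rating, with a validity check across event descriptions) can be carried out as follows. This is an added worked example, not the SRM tool or any code from the Manual. Two things it assumes that the page does not state: the Threat Score is on the same 1-5 scale as Prevention Vulnerability (so the product lies in 1-25), and the 1-25 Likelihood Score is banded into five equal ranges to give the 1-5 Likelihood Rating. Half points (2.5, 3.5) are accepted, as the Manual allows elsewhere. The event descriptions, scores and recorded prevention measures are constructed for illustration.

```python
"""Likelihood scoring for an SRM-style assessment (added example, not the Manual's tool).

Assumptions not on the page: Threat Score is 1-5 like Prevention Vulnerability,
and the 1-25 product is banded 1-5, 6-10, 11-15, 16-20, 21-25 -> rating 1..5.
"""
from dataclasses import dataclass

LIKELIHOOD_DESCRIPTORS = {
    1: "Very Unlikely",
    2: "Unlikely",
    3: "Moderately Likely",
    4: "Likely",
    5: "Very Likely",
}


def _check_scale(value: float, name: str) -> float:
    """Accept 1-5 in half-point steps (the Manual's 'half point' option); reject anything else."""
    if not 1 <= value <= 5 or (value * 2) != int(value * 2):
        raise ValueError(f"{name} must be 1-5 in half-point steps, got {value!r}")
    return float(value)


def likelihood_score(threat: float, prevention_vulnerability: float) -> float:
    """Manual's formula: Likelihood = Threat x Prevention Vulnerability (range 1-25 under our assumption)."""
    t = _check_scale(threat, "threat")
    pv = _check_scale(prevention_vulnerability, "prevention_vulnerability")
    return t * pv


def likelihood_rating(score: float) -> int:
    """Map the 1-25 score onto the 1-5 rating. The equal banding is an assumption, not the Manual's."""
    if not 1 <= score <= 25:
        raise ValueError(f"score must lie in 1-25, got {score!r}")
    return min(5, int((score - 1) // 5) + 1)


@dataclass
class EventDescription:
    """One event description with the inputs the Likelihood step needs.

    prevention_measures records only what is currently in place and how
    effective it is, as the Manual requires at this stage.
    """
    name: str
    threat: float                # Threat Score from the Specific Threat Assessment
    prevention_vulnerability: float
    prevention_measures: str

    @property
    def score(self) -> float:
        return likelihood_score(self.threat, self.prevention_vulnerability)

    @property
    def rating(self) -> int:
        return likelihood_rating(self.score)

    @property
    def descriptor(self) -> str:
        return LIKELIHOOD_DESCRIPTORS[self.rating]


def validity_check(events: list[EventDescription]) -> list[tuple[str, float, str]]:
    """Support the Manual's 'does it make sense?' comparison: list events from
    highest to lowest Likelihood so anomalies between descriptions stand out."""
    ordered = sorted(events, key=lambda e: e.score, reverse=True)
    return [(e.name, e.score, e.descriptor) for e in ordered]


# Constructed sample events (illustrative values, not from the Manual)
SAMPLE_EVENTS = [
    EventDescription("Armed robbery of staff vehicle at night", 4, 3.5,
                     "Vehicle tracking in place; night-movement curfew not consistently enforced"),
    EventDescription("Abduction of staff from residence", 3, 2,
                     "Residential security measures in place and effective"),
    EventDescription("Burglary of office premises", 4, 1.5,
                     "Access control, guards and alarm in place and effective"),
]

if __name__ == "__main__":
    for name, score, descriptor in validity_check(SAMPLE_EVENTS):
        print(f"{name:45s} score={score:5.1f}  {descriptor}")
```

Reading the sorted output is the validity check: if an event the assessor believes is the most likely sits below another in this list, one of the Threat or Prevention Vulnerability inputs deserves a second look before the ratings are carried into the Risk Level.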
Impact
The determination of impact in the SRM process is the second phase of the Security Risk Assessment. On its surface, judging impact may appear to be relatively simple, and it is generally well done within the limited guidance currently available. However, the judgment of impact depends on how one attributes values to certain components. For example, if we believe an event will kill a staff member but will have no effect on operations, would we assess the impact of this event as equivalent to an event that does not affect personnel at all, but completely shuts down an operation? What relative importance does the organization place on staff, operations and assets? Should the SRM process measure the potential effect of a given event or the actual/historical effect of past examples of the event (incidents)?
Impact is defined as:
A rating of the assessed potential harm that an event would have (if it were to occur) on the Organization. It is also measured on a 1-5 scale: Negligible, Minor, Moderate, Severe and Critical.
It is important to note that the SRM model uses the descriptor of “intended effect” when speaking of impact. This is the effect that the security professional judges that the threat actor wishes to achieve if the event were to occur. Security professionals will have to assess the reasonably-expected result of each Event Description (noting that the Event Description often has a reference to the effect in the description itself).
The SRM model attributes three components to the measure of Impact for each Event Description:
- The intended effect on staff
- The intended effect on operations (including assets)
- The Mitigation Vulnerability
The SRM model uses a 1-5 scale, with associated descriptors, to record the measurement of these three components, as follows:
Effect on Staff
- 1: No Effect
- 2: Slightly Injurious Effect
- 3: Moderately Injurious or Psychologically Traumatic Effect
- 4: Fatal (individual or small numbers), Severely Injurious or Severely Psychologically Traumatic Effect
- 5: Catastrophically Fatal Effect (mass casualties)
Effect on Operation
- 1: No Effect
- 2: Slightly disruptive effect on projects and/or slight damage to assets
- 3: Major disruptive effect on projects and/or significant damage to assets
- 4: Short- to medium-term suspension of projects
- 5: Long-term suspension or cancellation of projects
Mitigation Vulnerability Assessment
When discussing Impact, therefore, the following two definitions are required:
- Mitigation Vulnerability: inadequate security countermeasures meant to reduce the Impact of the event as described, if it were to occur.
- Mitigation Vulnerability Assessment: An assessment of the degree to which the organization has implemented effective security countermeasures to lower the Impact of the event if it were to occur.
Mitigation Vulnerability refers to the level to which the organization has implemented effective measures to lessen the severity (reducing the level of damage) or the extent (reducing the affected area) of the threat.
The SRM Process uses a 1-5 scale for Mitigation Vulnerability:
- 1: Mitigation risk management countermeasures and procedures completely in place and consistently effective.
- 2: Mitigation risk management countermeasures and procedures in place (but may not be consistently effective or may have limitations).
- 3: Mitigation risk management countermeasures and procedures not completely in place OR not consistently effective.
- 4: Mitigation risk management countermeasures and procedures not completely in place AND not consistently effective.
- 5: No mitigation risk management countermeasures and procedures in place.
Security professionals should take care to consider all aspects of the Mitigation Vulnerability assessment, using the associated descriptors as a guide, to arrive at a reasonable and objective assessment of the presence and effectiveness of measures meant to lessen the severity or the extent of the event. This SRM Manual cannot provide a comprehensive list of all descriptors and qualifiers for Mitigation Vulnerability, and thus risk managers must ensure that they fully consider the multitude of variables in an objective, realistic and evidentiary (i.e. fact-based) manner. As with the General and Specific Threat Assessments, if it is difficult to choose between two descriptors, the user should choose a “half point” between the two (e.g., 2.5 between 2 and 3; in the Risk Analysis steps, this will also include a 0.5 option).
When making the Mitigation Vulnerability assessment, security professionals must record what mitigation measures are in place (and how effective they are). As with the prevention vulnerability assessment, security professionals reflect only on the measures currently in place and their effectiveness, for example, “First aid kits in all vehicles” or “procedures for the use of PPE (Personal Protective Equipment) in place but not consistently implemented”.
As with the Threat Assessment and Prevention Vulnerability steps above, it is important for the security professional to conduct a “validity check” by comparing the numerical rating made for Impact for one event description with the rating given for other event descriptions, to see if there are any anomalies that render the overall assessment inconsistent and/or invalid. Simple questions like “Does it make sense that the Impact rating for this event is lower than for this other event?” help ensure consistency throughout assessments.
Once the Impact assessment is completed for each Event Description, you should combine the scores for each variable (Effect on personnel, Effect on operations and Mitigation Vulnerability) into a single Impact Rating score for that event. The Impact Score will establish an Impact Rating from 1 to 5, with the accompanying descriptor, as follows:
- 1: Negligible
- 2: Minor
- 3: Moderate
- 4: Severe
- 5: Critical
Risk Levels
The previous sections illustrated how the Likelihood Ratings and Impact Ratings were determined through a structured, qualitative assessment. This section will focus on Risk Levels and their significance to the SRM process.
The assessment of risk is linked to the assessment of possible future events that may occur and the extent to which those events may harm the organization. The risk posed by a particular threat may, therefore, be viewed as a factor of the Likelihood of the undesirable event occurring and the Impact that the event will have if it were to occur (Likelihood x Impact).
The SRM model deconstructs Likelihood and Impact into their component parts and establishes a rating for each. We then reconstruct these ratings into a single Risk Level for each Event Description by multiplying the Likelihood Rating (1-5) by the Impact Rating (1-5). The Risk Level for each Event Description is then attributed a descriptor that identifies the level of risk that this event carries for organizational operations, thus automatically achieving the same result as in the Risk Matrix below:
RISK MATRIX (rows: Likelihood; columns: Impact)

| Likelihood \ Impact | Negligible | Minor | Moderate | Severe | Critical |
|---|---|---|---|---|---|
| Very Likely | Low | Medium | High | Very High | Unacceptable |
| Likely | Low | Medium | High | High | Very High |
| Moderately Likely | Low | Low | Medium | High | High |
| Unlikely | Low | Low | Low | Medium | Medium |
| Very Unlikely | Low | Low | Low | Medium | Medium |
These Risk Levels are the end result of the Security Risk Assessment and will form the basis for decision-making further on in the SRM process. Risk managers will use this assessment to form risk management strategies and priorities, likely – but not necessarily – first addressing those Event Descriptions that carry higher risks.
Assigning a Risk Level to an SRM Area or specific mission
As will be seen in Step 8 of the SRM Process, Acceptable Risk balances risk with Project Criticality. To establish whether an activity can go ahead based on its assigned level of project criticality, Acceptable Risk requires a “level of risk” with which to balance and on which a decision can be made.
As is clear from the process above, an SRM area will have many Event Descriptions associated with it, so what risk level do we assign to an area for Acceptable Risk decisions?
To make Acceptable Risk decisions, the risk level assigned to an SRM Area or any other project or location to which an Ad Hoc SRM Process was applied shall be the highest risk associated with any of the events that would apply to the project activity under consideration.
Conclusion
Throughout the SRM Process, the SRM tool provides instructions on how to record all manner of information associated with each step. The user needs to ensure accurate and appropriate information is recorded. This record will help support the SRM decision-making and provide insight into how changes in the threat and vulnerabilities resulted in new risk judgments when the cycle is repeated.