Risk Estimation
Security risk is a function of the likelihood of attack, consequence of successful attack, and security system ineffectiveness. To estimate relative security risk, the qualitative estimates for likelihood of attack, system ineffectiveness, and consequence are logically combined. A simple method, based on expert judgment, for combining the three risk parameters to estimate security risk will be discussed. The security risk estimates are relative, not absolute, but they can be used to make risk management decisions. A relative risk level is valuable to:
Compare risk levels for a spectrum of malevolent threats
Compare risk levels for a spectrum of facilities, industries, or organizations
Compare the cost-effectiveness and other impacts of potential improvements
Comparison of Estimated Risk Levels
Estimated risk levels are compared to a predetermined risk threshold to decide whether further analysis is required. The threshold is determined by the analysis team and the security risk managers.
Risk Reduction Strategies
If the estimated baseline risk level for the threat spectrum is judged to be above the established threshold (too High), risk reduction strategies for the system may be considered. Risk reduction strategies focus on reducing the levels of the parameters of the security risk equation: likelihood of attack, system ineffectiveness, and consequence. In practice, risk reduction is made most successful by improving protection system effectiveness and mitigating consequences.

Risk Reduction Upgrades – Security system planners must address how to reduce security risk. Planners might consider adding features to increase physical or cyber-protection system effectiveness and/or to reduce or mitigate consequences. Site-specific vulnerabilities identified in the system effectiveness analysis provide guidance for adding/modifying features. Upgrades to the system might include retrofits, additional safeguard features, or additional consequence mitigation features. Consequence analysis and system effectiveness analysis should then be repeated for the upgraded system in order to estimate a risk level associated with the upgraded system. If the estimated risk for the upgraded system is below the threshold, the upgrade is completed. If the risk is still above the threshold, the upgrade process should be repeated until the risk level is judged to be below the threshold.

Impact Analysis – Once the system upgrade has been determined, it is important to evaluate the impacts of the risk reduction on the mission of the facility and the cost. If system upgrades put a heavy burden on normal operation, a trade-off would have to be considered between risk and operations. Budget can be the driver in implementing security upgrades. A trade-off between risk and total cost may have to be considered. The assessed level of risk and the upgrade impact on cost, mission, and schedule are valuable information to security risk managers.
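The upgrade loop described above, as an added Python example that is not from the book: it re-estimates relative risk after each upgrade and stops once the threshold is met, tracking cumulative cost for the impact analysis. The Low/Medium/High scale, the rank-product combination rule, and the baseline, upgrade names and costs are all constructed assumptions, since the text does not give the expert-judgment method itself.

```python
from dataclasses import dataclass

SCALE = {"Low": 1, "Medium": 2, "High": 3}  # assumed ordinal scale

def estimate_risk(likelihood, ineffectiveness, consequence):
    """Assumed combination rule: multiply ordinal ranks, then bucket the product."""
    score = SCALE[likelihood] * SCALE[ineffectiveness] * SCALE[consequence]
    if score <= 4:
        return "Low"
    return "Medium" if score <= 12 else "High"

def lower(level):
    """Drop a qualitative level by one step, never below Low."""
    names = list(SCALE)
    return names[max(0, names.index(level) - 1)]

@dataclass
class Upgrade:
    name: str
    parameter: str  # "ineffectiveness" or "consequence"
    cost: int       # constructed cost units for the impact analysis

def reduce_risk(baseline, upgrades, threshold):
    """Apply upgrades in order, re-estimating after each, until risk <= threshold.

    Returns rows of (step, relative risk, cumulative cost); the first row is
    the baseline, so every later row can be compared against it.
    """
    state, total = dict(baseline), 0
    history = [("baseline", estimate_risk(**state), total)]
    for up in upgrades:
        if SCALE[history[-1][1]] <= SCALE[threshold]:
            break  # below threshold: the upgrade process is complete
        state[up.parameter] = lower(state[up.parameter])
        total += up.cost
        history.append((up.name, estimate_risk(**state), total))
    return history

# Constructed sample data (hypothetical facility and upgrade packages).
BASELINE = {"likelihood": "Medium", "ineffectiveness": "High", "consequence": "High"}
UPGRADES = [
    Upgrade("add intrusion detection at asset", "ineffectiveness", 40),
    Upgrade("install backup for critical asset", "consequence", 90),
    Upgrade("harden access control", "ineffectiveness", 60),
]

if __name__ == "__main__":
    for step, risk, cost in reduce_risk(BASELINE, UPGRADES, threshold="Low"):
        print(f"{step:36} risk={risk:7} cumulative cost={cost}")
```

If the last row is still above the threshold, the listed upgrades were not sufficient and further packages would have to be considered.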
PRESENTATION TO MANAGEMENT
The final step in the risk assessment process is the preparation of a presentation package for the risk managers and stakeholders. The presentation generally includes the threat description, the security risk estimates for the baseline system, descriptions of any risk reduction packages, and the results of the impact analysis for the risk reduction package(s). By using comparison to the baseline risk levels, managers are able to understand what the upgrade package is buying them in risk reduction as well as other potential impacts. The total presentation package provides invaluable information for risk management decision makers.
RISK MANAGEMENT DECISIONS
Building owners, stakeholders, and risk managers have the risk assessment information package to help them make difficult security decisions. Most importantly, risk managers must decide on the design basis threat or the threat level to which the security system will be designed.
INFORMATION PROTECTION
The risk assessment process provides valuable, detailed information for risk managers; likewise, the information could provide valuable information to any potential adversaries. Because the process begins with basic facts and assumptions and each step builds on previous step(s), allowing the information to get into the wrong hands could provide a roadmap for the malevolent threat. Each step of the process provides security sensitive information:
1. Facility characterization identifies the security concerns, critical asset(s), and their locations.
2. Threat analysis ultimately defines the level of protection to which the security system is designed. If the perceived highest threat level is the terrorist, the security system will be designed to be much stronger than if the perceived threat is the vandal.
3. Consequence analysis prioritizes the assets in terms of criticality or value.
4. System effectiveness assessment provides possible attack scenarios and documented system weaknesses or vulnerabilities.

For these reasons, once the process is applied to a specific facility, the entire analysis package must be protected. Most sites will have to develop the infrastructure for protecting, storing, and sharing the risk assessment package.