Risk Assessment: Phase 3
• Policy Development and Implementation
Booz-Allen and Hamilton, Inc. (2000). Analytical risk management: A course guide for security risk management.
Norman, T. L. (2010). Risk Analysis and Security Countermeasure Selection. Boca Raton, FL: Taylor & Francis Group.
Editor's notes
Completing the Risk Analysis Puzzle. A presentation prepared by Michelle Magario for BSDP 583, spring 2012
This presentation is broken into three units that describe the risk analysis process, the limitations of the risk analysis process, interdependencies within the process, available interventions, intervention recommendations, and budgetary considerations. The final unit applies the principles, on a small scale, to an actual facility.
Simply put, the basic purpose of the risk analysis process is to characterize assets, define risks to those assets, mitigate the risk, and eliminate that risk where possible. We want to create a balance between those things we wish to protect (assets) and our defenses against those things that are hazardous to our assets.
Risk management is not magic; it is a systematic process of determining what you have and how to protect it.
The risk analysis process is divided into two distinct phases: analysis of risk and countermeasure options (Norman, 2010). The risk analysis portion involves steps to identify and define assets, threats, vulnerabilities and risks. The countermeasure process involves identifying mitigation opportunities, developing a security plan, and instituting policies to support the security plan. We will address each of these phases separately and then learn how they are interconnected and dependent upon each other.
The risk assessment phase is based on the assumption that the organization has a number of assets that require protection, that there are negative consequences if that protection is not applied, and that some risks are more certain or probable than others. The assumption is also made that we cannot possibly mitigate all risks, and that we will pick and choose those that are most readily mitigated and those that, without mitigation, will result in a catastrophic loss. There are limitations to the risk assessment process. The risk analysis cycle consists of four basic components. The first of these, “Assets”, is the component in which the organization's assets are identified and characterized, and it is the first step in a comprehensive risk assessment program.
Assets can be divided into four categories: people, property, proprietary information, and reputation. People can be described as employees, at all levels of management; contractors, vendors and suppliers that are essential for your day to day operations; customers who provide revenue, and visitors. Property is described as real estate including land and buildings, vehicles, office and manufacturing equipment. Proprietary information consists of IT systems, security systems, communication systems, paper files, and items that are sensitive to exploitation such as confidential documents, customer lists, processes, plans and projects. Reputation is possibly the most difficult to categorize as it is based upon perception and is influenced by a number of different sources. Characterizations of the business’s reputation can be based upon the point of view of management, employees, customers, contractors, vendors, and regulating agencies (Norman, 2010). The organization will need to address each category, identifying who and what is important to the stability, operation and function of the business or agency. Each item will need to be described in relationship to category, location, and criticality of the asset.
Once assets have been identified, they will need a qualitative or quantitative assignment of criticality. Using the organization's mission statement, assets that are intrinsic to the mission statement should be identified. Next they will need to be described as to location and type, and then ranked as to criticality. Ranking systems can either be numeric, where a numeric value relative to criticality (on a scale of 1-10) is assigned, or use a relative value such as absolutely critical, very critical, critical, somewhat critical, etc. For example, if blue ink pens had been identified as an asset to the organization, a lack of blue ink pens would be “not critical” or assigned a “1”, unless the organization's mission statement indicated that the organization's mission was to “produce only the highest quality documents in blue ink possible”. While this is a gross simplification of criticality, it is a good example of how the organization's mission statement will define the criticality of assets.
The next step involves determining threats and hazards. There is a distinct difference between a hazard and a threat. Hazards are categorized as being naturally occurring or manmade and are unintentional. They involve safety and security deficiencies and exist due to a lack of environmental or behavioral controls. This category also includes natural disasters and those due to political strife or military occupation and control. Examples of natural hazards include tornados and flooding; manmade hazards include smoking in unsafe areas or failing to protect computer passwords and security key codes; and economic instability caused by political or military strife is a hazard as well. Hazards usually exist due to environmental or behavioral deficiencies and are more easily corrected than threats, as they are more predictable due to the lack of a malicious human element. Threats, on the other hand, are always manmade, intentional and enacted with malice. Threats always include a human element, or actor. These “actors” can be described as terrorists, economic criminals, non-terrorist violent criminals, petty criminals and subversives. Terrorists, of which there are five classifications, are those individuals or groups who utilize violence or threats of violence to intimidate or coerce for political, religious, or economic purposes. Criminals can be classified as economic, violent, or petty. Economic criminals, including organized crime and street gangs, are involved in activities that provide financial or strategic asset gains. Violent criminals usually involve domestic relationships or disgruntled employees in a situation where emotional behavior has reached an irrational or unstable level. Violent criminal behavior can also be represented by violent visitors or customers whose demands are not met, sexual predators, muggers and robbers, stalkers, and criminally deranged persons who may have no real reason for violent attacks.
Petty criminals are those who are less violent and include pick-pockets, vandals, prostitutes, and intoxicated persons. The final category, subversives, includes activist groups or persons, hackers, spies, paparazzi, and employees who, despite being educated in organizational rules, intentionally fail to comply with the rules of conduct and comportment (Norman, 2010). All of these threats will need to be addressed and defined as to frequency and magnitude, which will be covered in the consequence/vulnerability/probability steps.
Consequence analysis can be expressed as a loss or an impact, or both. Losses can involve human lives, property, proprietary information, and reputation; essentially all of your asset characterization groups. Impacts are negative events or forces against the environment. For some industries, those that hold a disproportionate stake in the economic stability of a community or region, impacts from threats or hazards can have a profound negative effect on the economic stability of that community or region. Examples of these industries are very large facilities in rural areas, where a large portion of the population relies upon the facility for employment, or larger banks and financial institutions. When conducting a consequence analysis it is important to include all possibilities, or “what if” scenarios. Like criticality analysis, the result of unmitigated hazards and threats will need to be quantified in relationship to the consequences. For example, a loss of human life, regardless of size relationship, will have a profound negative impact or consequence. To illustrate this fact, a single death at a facility that employs 100 people affects only 1% of the asset. That same 1%, as applied to office equipment, would not have a significant impact, but the loss of a human life is always ranked or categorized higher than other losses. Losses that affect proprietary information and reputation are also important to consider, and can often be harder to recover from than the loss of tangible items. A customer is more likely to remember a bad experience than a good one, and bad news travels faster than good, as any nightly news program can illustrate. Proprietary information is also susceptible to loss. Coke and Pepsi have fought diligent and sustained efforts at keeping their “secret recipes” from not only the public, but each other. Another aspect of consequence analysis is to estimate the cost of replacement if the asset is lost.
Again, this measurement should be quantified in a clearly defined process that expresses the consequences of vulnerability exploitation. So far we have defined, for an organization, what the assets are, how critical their role is, the possible threats and hazards that exist, and the consequences of their loss. The next step involves determining how vulnerable our assets are to loss.
When attempting to conduct a vulnerability analysis, some degree of imagination is required. A number of “what if” scenarios must be employed to accomplish this task. The vulnerability analysis contains three distinct steps: define the scenarios and establish the consequences of each scenario, evaluate existing countermeasures and mitigation measures, and identify and estimate the vulnerabilities discovered. A facility’s vulnerabilities are dependent upon accessibility, surveillance opportunities, and intrinsic (business specific) vulnerabilities. Countermeasures can be described as physical (door locks), electronic (password computer protection), and operational (visitor sign-in and ID process) (Norman, 2010). A scenario might involve the presentation of an armed intruder intent on robbery. You would want to examine the scenario in relationship to possible loss of life and property, evaluate how the facility is vulnerable to this scenario (were doors not locked as policy dictates; are locking doors present in the facility), and finally, estimate how vulnerable the facility is to this sort of threat. The effectiveness of the countermeasures in place will determine the success of the threat or attack (Booz-Allen and Hamilton, Inc., 2000). Like all other steps, the vulnerability will need to be expressed quantitatively along with its associated impact.
The probability assessment expresses the likelihood of exploitation of the facility's assets and is dependent upon which assets threat actors would find most attractive to acquire. An object (or asset) is only vulnerable if someone else desires it, regardless of how important it is to the individual or business. An example of this is my kitchen veggie dicer. I find it to be extremely valuable when cooking; however, if I were ever robbed, the perpetrator would likely bypass the chopper in favor of a more lucrative object, such as the TV. Despite how invaluable I find the veggie chopper to be, unless the thief was also a culinary master, he would not realize the value of the chopper he had overlooked. So while I would categorize the asset (veggie chopper) as extremely essential (to the function of my kitchen), it would earn a low vulnerability rating, and therefore generate a low probability of theft because, honestly, no one else wants it. To determine the vulnerability, or relative possibility that a loss will occur, you will first need to examine assets from the point of view of those who would exploit the asset. Take a look at all assets and determine which ones would provide the most attractive target. Aside from my previous veggie chopper example, chances are that if your organization finds an asset attractive and desirable, so will someone else. Historical data, both from your organization and from other like organizations, can provide some guidance. Have you experienced a loss, and does the possibility for a recurrent loss still exist? Do other businesses face the same probabilities; that is, are they inherent to the business model itself? Numerous government agencies, such as OSHA, FEMA and the Justice Department, can provide statistical data regarding risks and probabilities for a number of organizations. The exception to the probability process is terrorism.
For all intents and purposes it is not possible to accurately determine the likelihood of a terrorist event (Norman, 2010). The reason for this is a lack of historical data (there have been relatively few terrorist attacks in this country) and the changing emotional surges of terrorism. What might have been important to them a few months ago has now changed, and so too have their targets. The terrorist picture is simply too fluid to be adequately defined. The best-case scenario for determining terrorist probability is estimation, luck and chance. Again, determining what assets are most attractive to those who wish to possess or destroy them is the most logical place to begin.
Risk is described as the product of probability, vulnerability, and consequence (Risk = Probability × Vulnerability × Consequence). Since our model requires that quantitative values be assigned to each of these items, calculating risk becomes a simple matter of applying a mathematical equation.
As stated earlier, determining risk is a mathematical measure that expresses the relationship between probability, vulnerability and consequences. While the formula itself is more than a simple equation, the relationship between these three entities is what is most critical to discern. To aid in the process, there are a number of commercially available software programs that can perform these functions over a wide range of assets. Once calculations for all of the risks are completed, prioritization becomes a bit easier. There are five basic methods of prioritizing risks: by the relative risk as described by the formula, by probability, by consequences, by criticality, or by cost. The risk prioritization method chosen will be related to the organization's business model, arena, and environment. While one organization may prioritize based on probability, due to the socioeconomic environment present (such as pawn shops or retailers), another organization might prioritize based upon consequences (such as nuclear power plants and electric companies). Cost should never be used to prioritize risk, as it proves to be too constricting in a fluid environment. Once an organizationally appropriate prioritization model is selected, it is a simple matter of sorting items in that category to obtain a final listing of priorities arranged in numeric order. The final step in this process is that of risk management. Risk management is the process of providing direction and recommendations for countermeasures that will help to mitigate or eliminate the risks.
Phase 2 begins with assessing countermeasures. At the completion of phase 1, you have identified and prioritized your assets, evaluated their criticality, and defined the probability of loss for each of them. Now it's time to protect them. Countermeasures are those steps that are taken, through planning and policy implementation, to protect your assets. They include both safety and security measures and enforcement of policies designed to provide protection to those assets prioritized in Phase 1. One item that deserves consideration is that of budgetary restrictions. All businesses operate under financial restrictions. It is important to not only consider what interventions are needed, but to also consider your budgetary restrictions. As mentioned previously, it is not possible to mitigate against all risks. Determinations need to be made that will have the most positive effect on mitigation, taking into consideration financial constraints.
Assessing safety measures: The first step is to identify what safety practices are in place. Employees are always considered an asset, and usually have a relatively high ranking in prioritization practice. There are a number of questions to ask yourself when assessing “in place” safety measures. Are employees adequately equipped to perform their duties in the safest manner possible? If safety equipment is available, is it adequate for its intended purpose? And finally: Is the protective equipment being used consistently and effectively to provide the intended safety measure? An example of this is eye protection in factory settings: is the eye protection properly rated for the job performed, impact resistant, and properly fitting? Is there a policy in place that mandates that employees on the factory floor wear the eye protection in the manner designed by the manufacturer (not on top of the head, or hanging on a lanyard)? It is very possible that a risk was identified that you have already mitigated, and the problem lies in enforcing the mitigation protocol. There is no need to re-invent the wheel. Use what is already in place to achieve the goal, whenever possible. If you have identified deficiencies, you will need to evaluate products to mitigate that risk. If the product has widespread applications, it might be easier and more cost effective to start with a small group or area, to evaluate the effectiveness and suitability of the safety measure. Once the measure has been “tested and approved” by the target user, widespread implementation can begin. The process does not end here; you must perform a follow-up evaluation to assess the continued applicability and usability of the product. Enforcement is also very important. A clearly defined policy, explaining the need for, use of, and compliance mandate for each newly implemented safety protocol, must be developed and disseminated.
The steps for security evaluation are the same as for a safety assessment. The difference lies in intent or lack thereof. Safety practices are used to mitigate against accidental mishaps; security practices are used to mitigate against intentional exploitation. Security options are described as Hi-Tech, Lo-Tech, and No-Tech (Norman, 2010). Hi-Tech options include electronic video, surveillance, access control, alarm, voice communication, and IT systems. Lo-Tech options include door locks, barrier devices, lighting, signage, and other manual measures. No-Tech options are operational elements and include security personnel, managers, and even employees and visitors. Just like safety, security assessment will involve assessing what you have, whether it is effective, and whether an enforcement component is lacking. The practice for new measure identification and implementation is also the same: start small when you can, evaluate, implement, assess, and refine, adjust and enforce where applicable.
The steps for policy development and implementation are just as critical as the steps to identify and evaluate risks. The first step involves those things that “trigger” a policy change. This can be a break-in, a facility accident, a gap in current policy, or intentional exploitation of critical information. The second step is to conduct an annual review of all safety and security policies to assess validity, purpose, enforcement, effectiveness, technological advances, new vulnerabilities, compliance requirements, and policy expiration. Next, an impact statement will be assembled to highlight changes that are needed to the policy. It is possible that your changes will need to be recommended by an expert. If an expert review is performed, make sure that it is available to stakeholders; it may provide the added weight needed to achieve your goals. This step is very valuable when changes are driven by new or previously unknown regulatory requirements. The last administrative step involves gaining the approval of senior management and budget administrators. To achieve this goal it is important to highlight why the change is needed, what will be achieved, how compliance will be monitored, how violations will be addressed, and who is responsible for all of these items. Your policy must be enforceable, concise, easy to understand, and create a balance between protection and productivity (Norman, 2010). The final step in this process is not actually a single step but an ongoing process of monitoring, adjusting and adapting the policy when new technologies emerge. The biggest hindrance or obstacle to this process is stakeholder buy-in. If your audience (senior management) does not have faith in, or see a reason for, your policy changes, the policy development stage will not be effective. All of the processes described so far have an amount of interdependency. Every step is dependent upon the previous step, and all actions will have an effect on another step. This is why monitoring and adjusting policies is so important.
Our model company, Widgets Inc., is a small business, with five employees, that produces “widgets” for a large multinational corporation. The widgets are an essential component in automobile braking systems and are available solely through Widgets Inc. A risk assessment was performed to address losses, primarily in the technology arena. It is rumored that a competing business is planning to release its own version of a widget at some time in the future. The following spreadsheet was compiled to assist the company with security concerns.
This risk assessment was performed to identify risks present in our facility. Let's look at each asset individually, beginning with the one with the lowest risk factor, Employees. All items were assigned a numeric value on a scale of 1-5, with 1 having the least impact and 5 having a catastrophic impact.
Our facility is family owned and operated so there is little risk present. While the consequences of loss are apparent as they are family members, there is little safety concern for the employees. They are not considered to be vulnerable to exploitation and the probability of loss through intentional defection is slim. The risk of loss is relatively low for this asset.
Our facility is located in a secure complex in a relatively crime free area of an industrial park. While the consequences of a loss are quite high, the plant is not considered vulnerable to attack due to location. The probability of a loss is minimal.
The equipment in our facility is absolutely essential to the production of our widgets. The consequences of loss are immeasurable and extreme. This results in the highest loss consequence rating; however, since all equipment is housed in the facility itself, like the facility it is not considered vulnerable and is not a probable source of loss. This represents the concept of interdependency, where the protection and security of one object is dependent upon the protection and security of another. Since the facility itself does not represent an opportunity for loss (or that opportunity is minimal), the equipment in that facility is also considered relatively protected.
Our proprietary information is extremely valuable to our ability to function. Widgets are solely available through our facility and comprise an essential component in automotive braking systems. We enjoy a very elite status as sole patent and proprietary owners of widget technology. The consequences of losing this proprietary information would be catastrophic for our business. We are extremely vulnerable to loss due to the fact that all of our proprietary information is stored in a single electronic location with no security present to prevent exploitation. We possess information that others highly covet and would be willing to exploit. There is a high probability of exploitation, as was proven at a recent convention where items similar to our widget were announced to be in development. These factors indicate a very high risk of loss.
The final asset on our list is our reputation. By far it is our most valuable asset. Our reputation for producing the highest quality, vital automotive braking system component is essential to our business model. A loss of reputation would be catastrophic to our company. The consequences of loss, our vulnerability to loss, and the probability of a loss are all ranked as extremely high. Protecting our reputation will be our highest priority.
We have conducted our prioritization based on relative risk factor. This places the protection of our reputation and proprietary information as our greatest security concerns. The next step in this process is to explore countermeasures to mitigate the present risks.
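As an added worked example (not part of the original presentation or its spreadsheet), the following Python script carries the risk formula from the earlier slides (Risk = Probability × Vulnerability × Consequence) through the Widgets Inc. asset register and applies the prioritization methods listed there. The asset names and every 1-5 rating are constructed from the narrative descriptions above, since the original spreadsheet is not reproduced on this page; the sort by cost is deliberately rejected, following the presentation's advice.

```python
"""Risk = Probability x Vulnerability x Consequence over a constructed asset register.

Ratings follow the 1-5 scale used in the Widgets Inc. assessment (1 = least impact,
5 = catastrophic). The register below is an assumption built from the narrative;
it is not the original spreadsheet.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

SCALE_MIN, SCALE_MAX = 1, 5
RATED_FIELDS = ("criticality", "consequence", "vulnerability", "probability")


@dataclass(frozen=True)
class Asset:
    name: str
    category: str       # people, property, proprietary information, reputation
    criticality: int    # importance to the mission statement
    consequence: int    # severity of the loss (5 = catastrophic)
    vulnerability: int  # how exposed the asset is to exploitation
    probability: int    # likelihood that an actor attempts exploitation

    def __post_init__(self) -> None:
        # Reject ratings outside the assessment's scale so a typo cannot skew the ranking.
        for field_name in RATED_FIELDS:
            value = getattr(self, field_name)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(
                    f"{self.name}: {field_name}={value} is outside {SCALE_MIN}-{SCALE_MAX}"
                )

    @property
    def risk(self) -> int:
        """Relative risk as the product of the three rated factors (max 125)."""
        return self.probability * self.vulnerability * self.consequence


# Constructed register: values chosen to match the narrative descriptions (assumed).
WIDGETS_INC: List[Asset] = [
    Asset("Employees", "people", criticality=3, consequence=3, vulnerability=1, probability=1),
    Asset("Facility", "property", criticality=4, consequence=4, vulnerability=1, probability=1),
    Asset("Production equipment", "property", criticality=5, consequence=5, vulnerability=1, probability=1),
    Asset("Widget design data", "proprietary information", criticality=5, consequence=5, vulnerability=5, probability=4),
    Asset("Reputation", "reputation", criticality=5, consequence=5, vulnerability=5, probability=5),
]

# Four of the five prioritization methods named in the presentation; "cost" is excluded.
PRIORITY_KEYS: Dict[str, Callable[[Asset], int]] = {
    "relative_risk": lambda a: a.risk,
    "probability": lambda a: a.probability,
    "consequence": lambda a: a.consequence,
    "criticality": lambda a: a.criticality,
}


def prioritize(assets: List[Asset], method: str = "relative_risk") -> List[Asset]:
    """Sort assets highest-priority first using the chosen method.

    Ties are broken by the relative-risk product and then by name, so the
    ordering is stable and reproducible across runs.
    """
    if method == "cost":
        raise ValueError("cost is listed as a method but should not drive risk prioritization")
    key = PRIORITY_KEYS[method]
    return sorted(assets, key=lambda a: (-key(a), -a.risk, a.name))


def risk_table(assets: List[Asset], method: str = "relative_risk") -> List[Tuple[str, int, int, int, int]]:
    """Rows of (name, probability, vulnerability, consequence, risk), prioritized."""
    return [(a.name, a.probability, a.vulnerability, a.consequence, a.risk)
            for a in prioritize(assets, method)]


if __name__ == "__main__":
    print(f"{'Asset':<22}{'P':>3}{'V':>3}{'C':>3}{'Risk':>6}")
    for name, p, v, c, r in risk_table(WIDGETS_INC):
        print(f"{name:<22}{p:>3}{v:>3}{c:>3}{r:>6}")
```

With the constructed ratings, sorting by relative risk puts reputation (125) and the widget design data (100) far ahead of the equipment, facility and employees (5, 4 and 3), which is the ordering the assessment narrative reaches. Swapping the method to "probability" or "criticality" shows how the same register can yield a different top-of-list for a business whose environment favors those views.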
Opportunities for improvement in our reputation protection include establishing a quality control and assurance program. Routine inspection of sample lots of widgets will begin immediately. A visitor management process (sign-in and credentialing) will be implemented for all visitors wishing to enter the facility. Proprietary protection measures will include implementing an off-site computer backup process to protect information from possible loss due to corruption of files and power surges. A computer security program will be implemented by an outside computer security firm to protect against hacking and malicious actions. Patented information will be updated as needed to ensure continuation of patent activations. Visitor management will also assist in the protection of vital information.
Our policy development and implementation process is relatively simple due to the size and management structure of our company. The CEO (owner) is responsible for enacting all plans, relaying those plans and policies to the other four employees, and monitoring compliance and effectiveness. A yearly evaluation will be performed, by the CEO, to ensure that security protocols (especially computer security) are advancing as newer technologies are made available.