Chapter 2

Question 1

What are the three approaches to performing a security survey?

Answer 1

Outside-In Approach, Inside-Out Approach, Functional (Security Discipline) Approach

Question 2

What is a SWOT Analysis used for in the security survey process?

Answer 2

To focus on Strengths, Weaknesses, Opportunities, and Threats.

Question 3

How can outside support like consultants benefit the risk assessment process?

Answer 3

By providing a fresh perspective, collective knowledge, and regulatory compliance assistance.

Question 4

What tests should be considered during the security survey process?

Answer 4

Shipping and receiving controls, intrusion detection alarms, computer lab security, access controls.

Question 5

What criteria should the security survey report adhere to?

Answer 5

Accurate, clear, concise, timely, considerate of slant or pitch.

Question 6

What is the goal of a security survey in relation to leadership?

Answer 6

To provide actionable intelligence for informed decision-making regarding risk.

Question 7

How can automated assessment tools assist in security surveys?

Answer 7

By processing, analyzing, comparing, and storing large amounts of data efficiently.

Question 8

Define risk management.

Answer 8

Risk management is the systematic approach of identifying, calculating, and minimizing risks to an acceptable level.

Question 9

What is the main objective of security?

Answer 9

The main objective of security is to manage risks by balancing protection measure costs with benefits.

Question 10

What are the three categories in which assets can be divided?

Answer 10

Tangible assets, intangible assets, and mixed assets.

Question 11

How can assets be valued?

Answer 11

Assets can be valued using relative value based on priority or the Cost-of-Loss Formula.

Question 12

What does the basic Cost-of-Loss Formula consist of?

Answer 12

The Cost-of-Loss Formula consists of Cp, Ct, Cr, Ci, and I, yielding the total cost of loss.

Question 13

What is one method to prioritize assets based on security risk?

Answer 13

Security risk can be calculated and used to rank or prioritize each asset.

Question 14

How many steps are involved in the risk assessment process?

Answer 14

The risk assessment process involves six basic steps.

Question 15

What are the initial steps in the risk assessment process?

Answer 15

The initial steps include identifying and valuing assets, identifying threats, and determining vulnerabilities.

Question 16

What is the goal of risk management programs in organizations?

Answer 16

The goal is to develop a comprehensive protection strategy based on sound practices.

Question 17

What formula is used to determine risk results?

Answer 17

Threat x Vulnerability x Impact /3 = Risk

Question 18

Why is multiplication used instead of addition in the Risk Formula?

Answer 18

To determine the value; each element is scaled from 0-100.

Question 19

How is overall risk placed back on a 0 to 100 scale?

Answer 19

By using the cubed root in the risk formula.

Question 20

What is the goal of risk analysis?

Answer 20

To provide management with decision-making information.

Question 21

Why is it important to prioritize risk based on criticality?

Answer 21

Because it is not practical to eliminate all risk.

Question 22

What should be considered when determining protective measures?

Answer 22

Budgetary constraints, available resources, and adverse effects.

Question 23

What must a physical security professional consider when selecting protective measures?

Answer 23

Adversary’s sophistication, capabilities, and types of threats.

Question 24

Why should physical security measures be scalable and agile?

Answer 24

To constantly evolve and improve in a changing environment.

Question 25

What are the two main types of risk assessments mentioned?

Answer 25

Qualitative and Quantitative assessments.

Question 26

When should Qualitative assessments be used?

Answer 26

For low-value assets or basic security applications.

Question 27

When should Quantitative assessments be used?

Answer 27

For high-value assets or to describe specific values.

Question 28

How many methods are there to address identified risks within an organization?

Answer 28

There are five methods mentioned.

Question 29

Why must residual risks be analyzed within an organization’s risk management program?

Answer 29

Despite best efforts, some risks always remain.

Question 30

What approach do some professionals prefer when conducting risk assessments?

Answer 30

A blended approach using both qualitative and quantitative methods.

Question 31

Why should automated tools not be solely relied upon in conducting a physical security assessment?

Answer 31

Automated tools are not good at assessing intangible factors and are only as good as the program inputs.

Question 32

Explain the significance of the saying ‘garbage in, garbage out’ in the context of automation of results.

Answer 32

It highlights that the quality of automated results is only as good as the input data.

Question 33

What are some considerations that may affect the effectiveness of automated assessment tools?

Answer 33

1) Qualification of the assessor, 2) Cost of commercial tools, 3) Complexity of software, 4) Poor assessment of intangible factors.

Question 34

Define All-Hazards approach in physical security.

Answer 34

A holistic, full-scope, and balanced approach to understanding prevalent threats.

Question 35

Explain the difference between a hazard and a peril with an example.

Answer 35

A hazard contributes to a peril; e.g., stress (hazard) leading to an active shooter incident (peril).

Question 36

List the three characterizations of threats.

Answer 36

Natural, Intentional (man-made), Inadvertent (accidents, errors, and omissions).

Question 37

What is a vulnerability in the context of security?

Answer 37

A gap or weakness that allows a threat to compromise an asset or function.

Question 38

Explain the difference between vulnerability and threat.

Answer 38

Vulnerability is controllable by the organization; threat is typically outside the organization’s control.

Question 39

How can vulnerabilities be calculated?

Answer 39

By measuring them in terms of observability and exploitability.

Question 40

What does ‘impact’ refer to in risk management?

Answer 40

It refers to the severity of the situation when an incident occurs.

Question 41

What factors can affect likelihood of occurrence and risk exposure?

Answer 41

Historical events, physical environment, political environment, social environment, procedures, and processes.

Question 42

What is risk analysis in the context of security?

Answer 42

The process of identifying potential areas of loss and implementing countermeasures.

Question 43

How can risk analysis be achieved?

Answer 43

By calculating impact and prioritizing identified risks.

Question 44

Why is it important to analyze high consequence loss events?

Answer 44

Even if low likelihood, they can have significant impacts on security.

Question 45

What are the five methods of addressing risk?

Answer 45

Risk Avoidance, Risk Assumption, Risk Transfer, Risk Reduction, Risk Spreading.

Question 46

Which method of addressing risk involves the elimination of the risk source?

Answer 46

Risk Avoidance.

Question 47

What is the most direct way to remove risk?

Answer 47

Risk Avoidance.

Question 48

What is the aim of risk reduction?

Answer 48

To reduce vulnerability of assets.

Question 49

How is risk reduction achieved?

Answer 49

Through site-hardening and reducing vulnerability of assets.

Question 50

What is a security survey also known as?

Answer 50

A physical security assessment.

Question 51

What does a security survey focus on?

Answer 51

Vulnerability aspects.

Question 52

What is the purpose of a security survey?

Answer 52

To assess current security level and identify vulnerabilities.

Question 53

What does a security survey examination entail?

Answer 53

An on-site examination to assess security level and vulnerabilities.

Question 54

What may be appropriate to conduct alongside a security survey?

Answer 54

Cost-benefit analysis.

Question 55

What components are typically included in a cost-benefit analysis?

Answer 55

Cost, Reliability, Delay.

Question 56

Why may a checklist be helpful during a security survey?

Answer 56

To ensure no important elements are missed and maintain a sequential process.