Chapter 2 Risk Management

Question 1

Key Points 1

Answer 1

Security’s primary objective is to manage risks by balancing the cost of protection measures to the benefit of those measures.

Question 2

Key Points 2

Answer 2

There are six steps in the risk assessment process:
Identify and value assets
Identify threats
Determine the vulnerabilities
Impact of a loss event
Analysis and prioritization
Mitigation baseline approach

Question 3

Key Points 3

Answer 3

Assets can be categorized into three categories: 1) tangible, 2) intangible, and 3) mixed

Question 4

Key Points 4

Answer 4

Assets can be valued using two methods: 1) relative value, and 2) cost-of-loss formula

Question 5

Key Points 5

Answer 5

Threats can be characterized as:1) natural, 2) intentional, and 3) inadvertent

Question 6

Key Points 6

Answer 6

The difference between a vulnerability and a threat is that a vulnerability allows some level of control. Threats are typically outside of the control of the organization.

Question 7

Key Points 7

Answer 7

Impact is usually measured in financial terms.

Question 8

Key Points 8

Answer 8

Analyzing risk can be achieved in two basic steps: 1) calculation of impact, and 2) prioritization the identified risks.

Question 9

Key Points 9

Answer 9

When choosing mitigation measures, it is important to consider the potential adverse effect each strategy may have on the operations of the organization.

Question 10

Key Points 10

Answer 10

One approach to determining risk results uses a basic Risk Formula: (Threat x Vulnerability x Impact)1/3 = Risk

Question 11

Key Points 11

Answer 11

Determining mitigation measures can be done using four steps: 1) select, 2) test, 3) implement, and 4) trai

Question 12

Key Points 12

Answer 12

The difference between qualitative and quantitative assessments:
Qualitative Assessment - uses a general range or description such as high, medium and low to describe asset value and risk element calculations. Typically used for low-value assets or operations.
Quantitative Assessment - uses specific numerical values and scientific formulas to describe asset value and risk element calculations. Typically used for high-value assets or operations.

Question 13

Key Points 13

Answer 13

Five methods of addressing risk: 1) risk avoidance, 2) risk spreading, 3) risk transfer, 4) risk reduction or 5) combination of any or all methods

Question 14

Key Points 14

Answer 14

A security survey is a thorough examination of a facility, its operations, systems, and procedures. It is conducted to assess the current level of security, determine any vulnerabilities, and assess the level of protection needed to address those vulnerabilities.

Question 15

Key Points 15

Answer 15

A cost-benefit analysis typically consists of three factors: 1) cost, 2) reliability, and 3) delay

Question 16

Key Points 16

Answer 16

Three survey approaches: 1) outside-in approach, 2) inside-out approach, and 3) functional (Security Discipline) approach

Question 17

Key Points 17

Answer 17

A SWOT Analysis focuses on Strengths, Weaknesses, Opportunities, and Threats.

Question 18

Key Points 18

Answer 18

Criteria of a Security Survey Report:
Accurate
Clarity
Concise
Timeliness
Consider slant or pitch

Question 19

Key Points 19

Answer 19

Automated assessment tools can be of assistance when you are processing, analyzing, comparing, and storing large amounts of data. Automated tools are not good at assessing the intangible factors in the assessment process.

Question 20

Risk Management

Answer 20

A business discipline that consists of three major functions: 1) loss prevention, 2) loss control, and 3) loss indemnification.

Question 21

Risk

Answer 21

The likelihood of a resulting loss from a threat, security incident, or event.

Question 22

Indirect Cost Examples

Answer 22

Equipment rentals
Leased facilities
Counseling/benefits
Loss of market share
Public relations
Increased insurance premiums
Alternative suppliers and vendors
Temporary workers and administrative support
Additional security (officers, equipment, etc.)

Question 23

Tangible Assets

Answer 23

Assets that can be seen and felt.

Question 24

Intangible Assets

Answer 24

Assets that are not seen or felt, such as reputation, good will, etc.

Question 25

Mixed Assets

Answer 25

Assets with both qualities, such as humans, clientele, etc.

Question 26

Relative Value

Answer 26

Based on priority (usually expressed as a number, 1 = Low and 5 = High

Question 27

Cost-of-Loss Formula

Answer 27

A basic cost-of-loss formula is:

Cp + Ct + Cr + Ci - I = K

Cp = Permanent replacement cost
Ct = Temporary replacement cost 
Cr = Related costs (removal, operational impact, installation, etc.)
Ci = Lost income cost
I = Insurance or indemnity coverage
K = Total cost of Loss

Question 28

Security Risk Rating

Answer 28

Asset Value Rating × Threat Likelihood Rating × Severity (Impact) Rating × Vulnerability Rating

Question 29

Vulnerability

Answer 29

A weakness or organizational practice that may allow a threat to be realized or increases the magnitude of a loss event.

Question 30

Threat Characterizations

Answer 30

Natural
Intentional (man-made)
Inadvertent (accidents, errors and omissions)

Question 31

Questions to ask on Inadvertent Threat

Answer 31

Is security aware of the vulnerability?

Is there a potential for a loss event?

Question 32

Impact

Answer 32

The severity of the situation when an incident occurs. Impact is usually measured in financial terms. In addition to impact, many risk management models will assess the likelihood or probability that a loss event will occur.

Question 33

Likelihood of Occurrence and Assest Risk Exsposure Factor’s

Answer 33

Historical events
Physical environment 
Political environment 
Social environment
Procedures and processes
Criminal capabilities

Question 34

Risk analysis

Answer 34

The process of identifying potential areas of loss (at a specific time and place) and implementing countermeasures to mitigate the potential for the loss. Analyzing risk can be achieved in two basic steps: Calculation of impact and prioritization of the identified risks.

Question 35

Risk Formula

Answer 35

(Threat × Vulnerability × Impact)1/3 = Risk
This formula uses multiplication, rather than addition, to determine the value. Each element is scaled from 0-100 so if any element of threat, vulnerability, and impact is zero then the resulting risk is zero.

Question 36

Mitigation measures

Answer 36

Determining which protective measures to implement in the effort to mitigate risk can be a difficult task. It is important to consider budgetary constraints and available resources; however, it is more common to consider the potential adverse effect each strategy may have on the operations of the organization. It should also be balanced using sound strategies and operational requirements and should consider the psychological impact it may have on people.

Question 37

Four Steps for Detemining Protective Measures

Answer 37

Select - options and alternatives (capabilities, cost, urgency, convenience, aesthetics, etc.)
Test - environmental conditions, integration with other systems, does the solution work, etc.
Implement - disruption, costs, notifications, policy and procedure changes, time required to implement
Train - staff and maintenance personnel

Question 38

Qualitative Assessments

Answer 38

Uses a general range or description such as high, medium, and low to describe asset value and risk element calculations. This is typically used for low-value assets or operations and to describe basic security applications. It offers a quicker process and is less expensive to perform than a quantitative assessment.

Question 39

Quantitative Assessments

Answer 39

Uses specific numerical values and scientific formulas to describe asset value and risk element calculations. This is typically used for high-value assets or operations, and to describe PPS values such as detect, delay, and response.

Question 40

Five Methods To Address Risk

Answer 40

1. Risk Avoidance(Elimination of Risk Source)
2. Risk Assumption or Acceptance(Organization is liable for loss)
3. Risk Reduction(Taking action to reduce loss)
4. Risk Transfer(Insurance)
5. Risk Spreading(Multiple site or assest distribution)

Question 41

Security Survey

Answer 41

A thorough, onsite examination of a facility, its operations, systems, and procedures to assess the current level of security, identify any deficiencies, and determine the level of security needed to protect assets.

Question 42

Security Survey Purpose

Answer 42

• Determine the existing level or posture of security
• Identify any vulnerabilities or deficiencies in current security measures
• Compare the current level of security with the appropriate level of protection needed
• Make recommendations to improve security and address any vulnerabilities

Question 43

Survey Vulnerabilties

Answer 43

• Ease of access to the site or area
• Inadequate existing security measures
• Lack of redundant security measures or critical function back-ups
• Single points of failure (example: a lock is the only protection measure)
• Storage of hazardous materials
• Collateral damage risk (example: site is adjacent to train tracks that transport dangerous chemicals)
• Lack of an effective response and recovery

Question 44

Cost Benefit Analysis Factors

Answer 44

Cost - acquisition, operational, and replacement costs
Reliability - demonstration of technology and benchmarking with others who have already implemented the solution
Delay - costs associated with delay and time it takes to make it fully operational

Question 45

Survey Approaches

Answer 45

Outside-In Approach
Inside-Out Approach
Functional(Security Discipline) Approach

Question 46

Outside-In Approach

Answer 46

The assessor begins the survey from outside the perimeter and moves inward towards the assets. This approach considers security measures from an attacker’s point of view and is considered a “free reign” approach.

Question 47

Inside-Out Approach

Answer 47

The assessor begins at the asset and works their way outward towards the unprotected or public area. This approach is from a “defender” point of view.

Question 48

Functional(Security Discipline) Approach

Answer 48

his is where the assessor addresses each security function individually. The survey should include environmental factors, neighboring operations, and policies and procedures as part of the analysis. It considers assessing security functions in the following order:

Security Architecture and Engineering
Structural Security Measures
Crime Prevention Through Environmental Design (CPTED)
Electronic Security Systems
Security Officers and the Human Element

Question 49

SWOT analysis

Answer 49

A SWOT Analysis is a tool that can support the security survey process that focuses on the Strengths, Weaknesses, Opportunities, and Threats. It is a situational business process that can be adapted to security, which focuses on internal and external factors.

Question 50

Survey Systems tests

Answer 50

Testing shipping and receiving controls.
Testing intrusion detection alarms and the response to the alarms.
Computer lab/Data room security measures during working and non-working hours.
Testing access controls by trying to gain unauthorized access during working and nonworking hours.