Chapter 2 Risk Management Flashcards
Key Points 1
Security’s primary objective is to manage risk by balancing the cost of protection measures against the benefit those measures provide.
Key Points 2
There are six steps in the risk assessment process: 1) identify and value assets, 2) identify threats, 3) determine the vulnerabilities, 4) assess the impact of a loss event, 5) analysis and prioritization, and 6) mitigation (baseline approach)
Key Points 3
Assets can be categorized into three categories: 1) tangible, 2) intangible, and 3) mixed
Key Points 4
Assets can be valued using two methods: 1) relative value, and 2) cost-of-loss formula
Key Points 5
Threats can be characterized as: 1) natural, 2) intentional, and 3) inadvertent
Key Points 6
The difference between a vulnerability and a threat is that the organization has some level of control over a vulnerability. Threats are typically outside of the organization’s control.
Key Points 7
Impact is usually measured in financial terms.
Key Points 8
Analyzing risk can be achieved in two basic steps: 1) calculation of impact, and 2) prioritization of the identified risks.
Key Points 9
When choosing mitigation measures, it is important to consider the potential adverse effect each strategy may have on the operations of the organization.
Key Points 10
One approach to determining risk results uses a basic Risk Formula: (Threat × Vulnerability × Impact)^(1/3) = Risk
Key Points 11
Determining mitigation measures can be done using four steps: 1) select, 2) test, 3) implement, and 4) train
Key Points 12
The difference between qualitative and quantitative assessments:
Qualitative Assessment - uses a general range or description such as high, medium and low to describe asset value and risk element calculations. Typically used for low-value assets or operations.
Quantitative Assessment - uses specific numerical values and scientific formulas to describe asset value and risk element calculations. Typically used for high-value assets or operations.
Key Points 13
Five methods of addressing risk: 1) risk avoidance, 2) risk assumption (acceptance), 3) risk reduction, 4) risk transfer, and 5) risk spreading; any of these may be used in combination
Key Points 14
A security survey is a thorough examination of a facility, its operations, systems, and procedures. It is conducted to assess the current level of security, determine any vulnerabilities, and assess the level of protection needed to address those vulnerabilities.
Key Points 15
A cost-benefit analysis typically consists of three factors: 1) cost, 2) reliability, and 3) delay
Key Points 16
Three survey approaches: 1) outside-in approach, 2) inside-out approach, and 3) functional (Security Discipline) approach
Key Points 17
A SWOT Analysis focuses on Strengths, Weaknesses, Opportunities, and Threats.
Key Points 18
Criteria of a Security Survey Report: accuracy, clarity, conciseness, timeliness, and attention to slant or pitch
Key Points 19
Automated assessment tools can be of assistance when you are processing, analyzing, comparing, and storing large amounts of data. Automated tools are not good at assessing the intangible factors in the assessment process.
Risk Management
A business discipline that consists of three major functions: 1) loss prevention, 2) loss control, and 3) loss indemnification.
Risk
The likelihood of a loss resulting from a threat, security incident, or event.
Indirect Cost Examples
- Equipment rentals
- Leased facilities
- Counseling/benefits
- Loss of market share
- Public relations
- Increased insurance premiums
- Alternative suppliers and vendors
- Temporary workers and administrative support
- Additional security (officers, equipment, etc.)
Tangible Assets
Assets that can be seen and felt.
Intangible Assets
Assets that are not seen or felt, such as reputation, good will, etc.
Mixed Assets
Assets with both qualities, such as humans, clientele, etc.
Relative Value
Based on priority (usually expressed as a number, 1 = Low and 5 = High)
Cost-of-Loss Formula
A basic cost-of-loss formula is:
Cp + Ct + Cr + Ci - I = K
Cp = Permanent replacement cost
Ct = Temporary replacement cost
Cr = Related costs (removal, operational impact, installation, etc.)
Ci = Lost income cost
I = Insurance or indemnity coverage
K = Total cost of loss
Security Risk Rating
Asset Value Rating × Threat Likelihood Rating × Severity (Impact) Rating × Vulnerability Rating
Vulnerability
A weakness or organizational practice that may allow a threat to be realized or increases the magnitude of a loss event.
Threat Characterizations
Natural
Intentional (man-made)
Inadvertent (accidents, errors and omissions)
Questions to ask on Inadvertent Threat
Is security aware of the vulnerability?
Is there a potential for a loss event?
Impact
The severity of the situation when an incident occurs. Impact is usually measured in financial terms. In addition to impact, many risk management models will assess the likelihood or probability that a loss event will occur.
Likelihood of Occurrence and Asset Risk Exposure Factors
- Historical events
- Physical environment
- Political environment
- Social environment
- Procedures and processes
- Criminal capabilities
Risk analysis
The process of identifying potential areas of loss (at a specific time and place) and implementing countermeasures to mitigate the potential for the loss. Analyzing risk can be achieved in two basic steps: Calculation of impact and prioritization of the identified risks.
Risk Formula
(Threat × Vulnerability × Impact)^(1/3) = Risk
This formula uses multiplication, rather than addition, to determine the value, so if any one of threat, vulnerability, or impact is zero the resulting risk is zero. Each element is scaled from 0 to 100, and the cube root (a geometric mean of the three elements) returns the product to that same 0 to 100 scale.
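The cost-of-loss formula, the multiplicative Security Risk Rating, the cube-root risk formula, and the prioritization step from risk analysis, worked in Python as an added example (not part of the original flashcard set). The asset register, the dollar figures, the 1-5 ratings and the Low/Medium/High cut-offs are constructed for illustration and are not from the page.

```python
from dataclasses import dataclass
from typing import List, Tuple


def cost_of_loss(cp: float, ct: float, cr: float, ci: float, insurance: float) -> float:
    """Cp + Ct + Cr + Ci - I = K (the page's cost-of-loss formula)."""
    for name, value in (("Cp", cp), ("Ct", ct), ("Cr", cr), ("Ci", ci), ("I", insurance)):
        if value < 0:
            raise ValueError(f"{name} must be non-negative, got {value}")
    return cp + ct + cr + ci - insurance


def risk_score(threat: float, vulnerability: float, impact: float) -> float:
    """(Threat x Vulnerability x Impact)^(1/3) = Risk, each element on a 0-100 scale.

    Multiplying and then taking the cube root is a geometric mean: the result stays
    on the same 0-100 scale as the inputs, and a zero in any element zeroes the risk.
    """
    for name, value in (("threat", threat), ("vulnerability", vulnerability), ("impact", impact)):
        if not 0 <= value <= 100:
            raise ValueError(f"{name} must be on the 0-100 scale, got {value}")
    return (threat * vulnerability * impact) ** (1 / 3)


def security_risk_rating(asset_value: int, likelihood: int, severity: int, vulnerability: int) -> int:
    """Asset Value x Threat Likelihood x Severity (Impact) x Vulnerability, each a 1-5 relative rating."""
    ratings = {"asset_value": asset_value, "likelihood": likelihood,
               "severity": severity, "vulnerability": vulnerability}
    for name, value in ratings.items():
        if value not in range(1, 6):
            raise ValueError(f"{name} must be a relative rating from 1 to 5, got {value}")
    return asset_value * likelihood * severity * vulnerability


def qualitative_band(score: float) -> str:
    """Map a 0-100 quantitative score to a qualitative band.
    The cut-offs (34 and 67) are an assumption for illustration, not from the page."""
    if score >= 67:
        return "High"
    if score >= 34:
        return "Medium"
    return "Low"


@dataclass
class RiskEntry:
    asset: str
    threat: float
    vulnerability: float
    impact: float


def prioritise(register: List[RiskEntry]) -> List[Tuple[str, float, str]]:
    """Second step of risk analysis: rank the identified risks, highest first."""
    scored = [(entry.asset, risk_score(entry.threat, entry.vulnerability, entry.impact))
              for entry in register]
    scored.sort(key=lambda pair: pair[1], reverse=True)
    return [(asset, round(score, 1), qualitative_band(score)) for asset, score in scored]


# Constructed register (not real data). The annex has impact 0 to show the zero rule.
SAMPLE_REGISTER = [
    RiskEntry("Lobby display case", threat=40, vulnerability=80, impact=10),
    RiskEntry("Data room", threat=70, vulnerability=60, impact=90),
    RiskEntry("Decommissioned annex", threat=50, vulnerability=90, impact=0),
]

if __name__ == "__main__":
    # Constructed figures: K = 50000 + 5000 + 8000 + 20000 - 40000 = 43000
    print("K =", cost_of_loss(cp=50_000, ct=5_000, cr=8_000, ci=20_000, insurance=40_000))
    for asset, score, band in prioritise(SAMPLE_REGISTER):
        print(f"{asset:<22} risk={score:>5} {band}")
```

The validation in `risk_score` matters in practice: a negative or out-of-scale input would silently distort the ranking (a negative base with a fractional exponent even produces a complex number in Python), so the function rejects anything outside 0 to 100 before computing.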
Mitigation measures
Determining which protective measures to implement in the effort to mitigate risk can be a difficult task. Budgetary constraints and available resources must be considered, but it is just as important to consider the potential adverse effect each strategy may have on the operations of the organization. The choice should also be balanced against sound strategies and operational requirements, and should consider the psychological impact it may have on people.
Four Steps for Determining Protective Measures
Select - options and alternatives (capabilities, cost, urgency, convenience, aesthetics, etc.)
Test - environmental conditions, integration with other systems, does the solution work, etc.
Implement - disruption, costs, notifications, policy and procedure changes, time required to implement
Train - staff and maintenance personnel
Qualitative Assessments
Uses a general range or description such as high, medium, and low to describe asset value and risk element calculations. This is typically used for low-value assets or operations and to describe basic security applications. It offers a quicker process and is less expensive to perform than a quantitative assessment.
Quantitative Assessments
Uses specific numerical values and scientific formulas to describe asset value and risk element calculations. This is typically used for high-value assets or operations, and to describe PPS (physical protection system) values such as detect, delay, and response.
Five Methods To Address Risk
- Risk Avoidance (elimination of the risk source)
- Risk Assumption or Acceptance (organization is liable for the loss)
- Risk Reduction (taking action to reduce the loss)
- Risk Transfer (insurance)
- Risk Spreading (multiple sites or asset distribution)
Security Survey
A thorough, onsite examination of a facility, its operations, systems, and procedures to assess the current level of security, identify any deficiencies, and determine the level of security needed to protect assets.
Security Survey Purpose
- Determine the existing level or posture of security
- Identify any vulnerabilities or deficiencies in current security measures
- Compare the current level of security with the appropriate level of protection needed
- Make recommendations to improve security and address any vulnerabilities
Survey Vulnerabilities
- Ease of access to the site or area
- Inadequate existing security measures
- Lack of redundant security measures or critical function back-ups
- Single points of failure (example: a lock is the only protection measure)
- Storage of hazardous materials
- Collateral damage risk (example: site is adjacent to train tracks that transport dangerous chemicals)
- Lack of an effective response and recovery
Cost Benefit Analysis Factors
Cost - acquisition, operational, and replacement costs
Reliability - demonstration of technology and benchmarking with others who have already implemented the solution
Delay - costs associated with delay and time it takes to make it fully operational
Survey Approaches
Outside-In Approach
Inside-Out Approach
Functional (Security Discipline) Approach
Outside-In Approach
The assessor begins the survey from outside the perimeter and moves inward towards the assets. This approach considers security measures from an attacker’s point of view and is considered a “free rein” approach.
Inside-Out Approach
The assessor begins at the asset and works their way outward towards the unprotected or public area. This approach is from a “defender” point of view.
Functional (Security Discipline) Approach
This is where the assessor addresses each security function individually. The survey should include environmental factors, neighboring operations, and policies and procedures as part of the analysis. It assesses the security functions in the following order:
1) Security Architecture and Engineering
2) Structural Security Measures
3) Crime Prevention Through Environmental Design (CPTED)
4) Electronic Security Systems
5) Security Officers and the Human Element
SWOT analysis
A SWOT Analysis is a tool that can support the security survey process by focusing on Strengths, Weaknesses, Opportunities, and Threats. It is a situational business process, adaptable to security, that examines both internal and external factors.
Survey System Tests
- Testing shipping and receiving controls.
- Testing intrusion detection alarms and the response to the alarms.
- Testing computer lab/data room security measures during working and non-working hours.
- Testing access controls by trying to gain unauthorized access during working and non-working hours.