
A Comprehensive Study Guide for the

CERTIFIED PROTECTION PROFESSIONAL (CPP)

Examination

Spring 2018

www.asishouston.org
ASIS INTERNATIONAL – HOUSTON CHAPTER
SECURITY PRINCIPLES AND PRACTICES



Domain I Task Index

• Task 01/01 Plan, develop, implement, and manage the organization’s security
program to protect assets
– 01/01/01 Principles of planning, organization, and control
– 01/01/02 Security theory, techniques, and processes
– 01/01/03 Security industry standards
– 01/01/04 Continuous assessment and improvement processes
– 01/01/05 Cross-functional organizational collaboration

• Task 01/02 Develop, manage, or conduct the security risk assessment process
– 01/02/01 Quantitative and qualitative risk assessments
– 01/02/02 Vulnerability, threat, and impact assessments
– 01/02/03 Potential security threats (for example, all hazards, criminal activity)

• Task 01/03 Evaluate methods to continuously improve the security program with
auditing, review and assessment
– 01/03/01 Cost-benefit analysis methods
– 01/03/02 Risk management strategies (for example, avoid, assume/accept, transfer, spread)
– 01/03/03 Risk mitigation techniques (i.e., technology, personnel, process, facility design)
– 01/03/04 Data collection and trend analysis techniques

Revised Spring 2018 ASIS INTERNATIONAL, HOUSTON CHAPTER David P. Cribbs, CPP, PSP | dpcribbs@gmail.com

• Task 01/04 Develop and manage external relations with law enforcement or others to
achieve security objectives
– 01/04/01 Roles and responsibilities of external organization and agencies
– 01/04/02 Methods for creating effective working relationships
– 01/04/03 Techniques and protocols of liaison
– 01/04/04 Local and national Public/Private Partnerships

• Task 01/05 Develop, implement, and manage security awareness to achieve organizational goals and objectives
– 01/05/01 Training methodologies
– 01/05/02 Communication strategies, techniques, and methods
– 01/05/03 Awareness program objectives and program metrics
– 01/05/04 Elements of a security awareness program
(i.e., roles and responsibilities, physical risk, communication risk, privacy)



Principles of Security Management
• Security leaders…
– Leaders of each operating unit: Front-line accountability for protecting the organization

– Organization’s security function: Risk assessment, policy, and supporting infrastructure

– Multi-faceted security program leadership


• Generalist knowledge
• Relevant background at a senior level within a business, governance function, or some element of the security mission

ASIS CSO.1-2013, Sect. 6

– The CSO reports to a senior-level executive to ensure a strong liaison with leadership, demonstrate
commitment and support, and highlight the importance of Security
ASIS CSO.1-2013, Sect. 4

– Security department placement in the organization impacts its ability to


• Exert influence
• Remain informed
• Garner resources to support programs and strategies
ASIS POA, Vol. 1, Sect. 4.4.3

– Today’s security professional must


• Have a broad array of security expertise
• Be an adaptable, strategic thinker
• Be skilled in process management and program implementation

ASIS POA, Vol. 1, Sect. 4


(Figure: Three managerial dimensions of the asset protection professional)
ASIS POA, Vol. 1, Sect. 4.4



Principles of Security Management
• CSO Attributes…
(Figure: CSO attributes)
ASIS CSO.1-2013, Sect. 5, 6.1, 7



Principles of Security Management
• Security managers…
– Security managers are security specialists AND business managers

– Effective security managers are business partners


ASIS POA, Vol. 1, Sect. 1.1

– Security managers should be in senior management


ASIS GDL FPSM-2009, Sect. 3.7.1

• Key management terminology for security operations…

– Span of control: The ratio of direct reports to a single supervisor
• Effective management = limited number of direct reports
• The number depends on…
– ... nature of the work
– ... type of organization
• Generally: 1 to 10 is best, but…
– …1 to 100 is possible with technology and a flattened organization
• Less important in team environments and flat organizations

– Unity of Command: An individual reports to only one supervisor
ASIS POA, Vol. 1, Sect. 4.4.3



Assets Protection
• Assets protection program management…

– Three tools of a strategically-managed assets protection program


1) Planning
2) Management
3) Evaluation
ASIS POA, Vol. 1, Sect. 4.4.2

– A single office (or person) should be the assets protection focal point

– Convergence
• 2005 definition (ASIS): The integration of traditional and IT security
• Contemporary definition: The merging of various fields to protect critical assets
(Figure: fields converging on assets protection: Compliance, Safety, Emergency Management, Risk Management, Quality Assurance, Investigations)
ASIS POA, Vol. 1, Sect. 4.1.2, 4.3.4



Assets Protection
• Assets protection program management (continued)…

– Protection of assets is not an exact science

• One solution does not fit all

– Factors that change the understanding of and approach to assets protection

• Threats mutate
• Technology advances
• Management evolves
• Business transforms

– Asset protection changes are occurring frequently in
• Technology
• Integration
• Security duties
• Legal and liability issues
• Regulations
• Public/private partnerships
• Antiterrorism
• Convergence
• Global business relationships
• Risk management
(Evolving threats impact assets protection)

ASIS POA, Vol. 1, Sect. 4.1.3



Assets Protection
• Program management (continued)…

– Means of identifying acceptable asset protection strategies


• WAECUP (Waste, Accidents, Error, Crime, Unethical Practices) for objectives setting
• SWOT (Strengths, Weaknesses, Opportunities, and Threats) Analysis for project analysis
• The STEP (Social, Technological, Environmental, and Political) Model for threat identification

ASIS POA, Vol. 1, Sect. 5.4.3

• Concepts of the underlying principles of assets protection…


1) Five avenues to address risk
• Acceptance
• Avoidance
• Reduction (Mitigation)
• Spreading
• Transfer

2) Balancing security and legal considerations


• Strong security alleviates need for legal protections?
• Strong legal protections alleviate the need for security?
• Finding the appropriate mix of both solutions is the key

3) The Five D’s (used to be “3 D’s”)


• Deter
• Deny
• Detect
• Delay
• Destroy
ASIS POA, Vol. 3, Sect. 4.5.2
ASIS POA, Vol. 1, Sect. 4.2.1


Assets Protection
• Five forces shaping assets protection:
1) Technology and touch
• Balancing technology and human solutions
• We look for the quick fix
• We fear and worship technology
• We blur the distinction between real and fake
• We accept violence as normal
• We love technology as a toy
• We live our lives distanced and distracted
• Over-reliance on technology to protect assets
• Depersonalization of the workplace leads to crime without conscience
(Technology is often viewed as a toy)

2) Globalization in business (increases risks to)
• Business transactions
• Information assets
• Product integrity
• Corporate ethics
• Liability
• Far-flung people and facilities

3) Standards and regulation
• Voluntary standards (ANSI, ISO, NFPA, UL, etc.)
• Statutory and regulatory standards (CFR, NISPOM, EO's, OSHA, etc.)
• Mixed standards (voluntary standards required by AHJ's or insurance companies)

4) Convergence of security solutions
• The merging of disciplines, techniques, and tools from various fields for the purpose of protecting critical assets

5) Homeland security and the international security environment
ASIS POA, Vol. 1, Sect. 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5



Assets Protection
• Industry challenges…
– Aerospace
• Global competition
• Major contracts, many vendors
• International partnerships
• Classified information, regulatory compliance
• Safety, travel security
• White collar crime

– Healthcare
• Facilities are open to the public, 24/7
• Open environments
• High stress environment
• Information assets can be at risk (privacy, research)
• Regulatory impacts to security (HIPAA, JCAHO, etc.)
• Higher rates of workplace / domestic violence
• Debate over armed security officers
• Extremism (animal rights, etc.)
• Reputation of the institution
• High profile patients

– Telecommunications
• Information, network, computer security
• Fraud prevention, physical security
• Government regulation
• Wide exposure of electronic signals susceptible to physical/electronic threats
• Property rights, access issues (cable routes, etc.)

ASIS POA, Vol. 1, Sect. 4.2.2



Assets Protection
• Industry challenges (continued)…
– Education
• Insulated from violence?
• Vandalism, theft
• Information protection
• IT threats, white collar crime
• Premises liability
• Natural disasters, crisis management
• Exchange students with different cultural norms
• University image
• Security Directors in education should consider factors in security planning such as:
– The size and demographics of the school
– The characteristics of the surrounding area
– The mission and culture of the institution
– The types and values of assets
– The school’s image
– The school's management style
– Any identifiable threats

– Fast Food ("Quick-service Restaurant" – QSR – industry)


• Wide geographical dispersion
• Activism, vandalism, and terrorism
• Theft and fraud
• Brand loyalty
• Supply chain/vendor/distribution integrity
• False claims of employee or customer injuries
• Difficulty of security training due to high turn-over and employee dispersion
ASIS POA, Vol. 1, Sect. 4.2.2



Assets Protection
• Defense-in-depth…
– The most effective defense-in-depth program mixes
• Physical measures
• Procedural measures
• Electronic measures
ASIS POA, Vol. 1, Sect. 4.1.1

– Compare to the traditional philosophy of “manpower, technology and procedures”

– Compare to the POA statement in Vol 1, Chapter 4.1.2: “In today’s asset protection program, countermeasures need to include people, hardware, and software”
ASIS POA, Vol. 1, Sect. 4.1.2

– Effective security measures are layered, not oppressive or burdensome
(Figure: “Swiss Cheese” philosophy of a layered security program)
ASIS POA, Vol. 1, Sect. B



Security Regulations
• Primary objectives of regulations…

– Objective: Control of the activity, achieved through screening, oversight, and review procedures

– Objective: Generating tax revenue, achieved by requiring payment of license and renewal fees and penalizing offenders

ASIS POA, Vol. 7, Sect. 6.3



Security Regulations
• Presidential Policy Directive 21 (PPD-21)…
– Critical Infrastructure Security and Resilience (Supersedes HSPD 7)

ASIS POA, Vol. 1, Sect. 2.4, 6.3.2, 11.8.3



Security Regulations
• Sarbanes-Oxley Act of 2002 ("SOX")…

– Also known by its formal title, the Public Company Accounting Reform and Investor Protection Act of 2002

– Became law on July 30, 2002

– Passed in response to accounting scandals at public companies in the late 1990s and early 2000s

– Established new accounting standards and business practices for U.S. public companies, their boards, and the public accounting firms that serve them

– Requires CEOs and CFOs to certify the accuracy of their organization’s financial statements

– Compliance (particularly with Section 404, internal controls over financial reporting) significantly burdens companies’ officers and boards, and the Act imposes both civil and criminal penalties on violators who commit fraud

– Established the Public Company Accounting Oversight Board (PCAOB)

– Requires all publicly traded companies to have anonymous reporting methods for questionable accounting or auditing activities

– Limits an organization’s ability to provide strictly internal reporting mechanisms
ASIS POA, Vol. 1, Sect. 2.4, 6.3.2, 11.8.3



Security Standards and Guidelines
• Standards in general…
– Address specific needs (like technical issues); health, safety, or environmental concerns; quality or compatibility
requirements

– Used to enhance the quality and reliability of products, services, and processes

– Represent more than 95,000 topics in the United States alone

– Compliance with a standard is voluntary but a regulation may require compliance with a standard

– Nine main types


1) Basic
2) Product
3) Design
4) Process
5) Specification
6) Code
7) Management systems
8) Conformity assessment
9) Personnel certification

ASIS POA, Vol. 1, Sect. 3.1, 3.1.1, 3.1.3

– Development occurs on several levels


• National
• Regional
• International
ASIS POA, Vol. 1, Sect. 3.1.3



Security Standards and Guidelines
• ISO…

– International Organization for Standardization (ISO)


• ISO is not an acronym; the name derives from the Greek "isos", meaning "equal"
• The world’s largest standards developer; based in Geneva, Switzerland
• Non-governmental organization; participants are volunteers
• Does not regulate, legislate, or enforce
• A network of national standards institutes from 159 member countries; each has one vote
– The U.S. representative is the American National Standards Institute (ANSI)
• ISO standards often become recognized as industry best practices and de facto market requirements
• Based on international consensus, ISO standards address the global business community and are developed only when there is
an identified market need or to facilitate international or domestic trade; ISO standards are designed to be globally relevant
• Employs a transparent process for developing standards based on consensus among the interested parties, not by majority
vote; all major concerns and objections must be addressed
• Approximately 3,000 technical groups in which more than 50,000 experts participate annually

ASIS POA, Vol. 1, Sect. 3.1.3, 3.2, 3.2.1

– Management systems standards


• Most management systems standards are based on the Plan-Do-Check-Act
("PDCA" or "Deming Cycle") model of total quality management (TQM)
• ISO 9000 addresses quality management
• ISO 14000 addresses environmental management

ASIS POA, Vol. 1, Sect. 3.4.1, 3.4.2



Security Standards and Guidelines
• American National Standards Institute (ANSI)…
– Formed in 1918 as a "clearinghouse" for Standards Developing Organizations (SDOs) in the U.S.
• SDO: An organization, company, agency or group that develops standards

– Administrator and coordinator of the U.S. private sector voluntary standardization system

– Decentralized and partitioned into industrial sectors, and supported by hundreds of private sector SDOs

– The only accreditor of U.S. voluntary consensus SDOs
• 600 SDOs in the United States
• 200 SDOs accredited by ANSI to develop American National Standards, including ASIS, NFPA, and SIA

– The sole U.S. representative to the two major non-treaty international standards organizations
• ISO
• International Electrotechnical Commission (IEC)

– Market driven, flexible, sector-based, led by private industry, supported by the U.S. government

– Represents more than 125,000 companies and organizations and 3.5 million professionals worldwide

ASIS is an ANSI-accredited SDO with Liaison Status in the ISO
ASIS POA, Vol. 1, Sect. 3.2.2, 3.3, 3.3.1
ASIS POA, Vol. 1, Sect. 3.5.1



Security Standards and Guidelines
• Security standards…

– Codify best practices and processes, and share lessons-learned


– Provide tools to assess threats, risks, vulnerabilities, criticalities, and impacts
– Define measurement methods
– Document security equipment performance requirements
– Establish design requirements for devices, systems, and infrastructure
– Define effective methods for identification of individuals
– Enhance cross-jurisdictional information sharing and interoperability
– Provide for consistency of services

• Security professionals should develop security standards, not non-security organizations…

– Robust security standards may reduce government regulations


– ASTM International (formerly American Society for Testing and Materials) has more
than 100 active security standards
– The National Fire Protection Association (NFPA) has issued several security standards
– Other security standards have been developed by various government agencies
ASIS POA, Vol. 1, Sect. 3.1, 3.1.2, 3.1.3



Security Standards and Guidelines
• The ASIS CSO Standard…

– Provides a model for developing a comprehensive, integrated, and consistent security/risk strategy
ASIS CSO.1-2013, Sect. 1.3

– Defines the skills and competencies essential to the protection of an organization in an ever-changing threat environment
ASIS CSO.1-2013, Sect. 3

• ASIS Facilities Physical Security Measures Guideline…

– Identifies physical security measures to safeguard or protect assets (people, property, information)

– Introduces security and non-security readers to the main types of physical security measures that can minimize security risks
ASIS GDL FPSM-2009, Sect. 1.1, 1

• PS-Prep…
– DHS Voluntary Private Sector Preparedness Accreditation and Certification Program designed to promote, not
require, nationwide resilience in an all-hazards environment by encouraging private-sector preparedness
ASIS POA, Vol. 7, Sect. 6.2.1.3



Security Policy and Procedure
• Policies and procedures in general...
– Cover items the organization monitors and expects employees to conform to
– Deal with specific items
ASIS POA, Vol. 1, Sect. 1.3.1

• Policies…
– Provide broad descriptions of how operations will be conducted
– May be affected by different regulations for different businesses, such as

• Minimum wage (federal and state), FMLA, OSHA


• Regulations for government data
• Building codes

– Should be useful and simple, without overloading employees


– Should be developed closely with managers
– Should provide details of operations and the effects of policy changes
– Should create management buy-in through collaboration in development
ASIS POA, Vol. 1, Sect. 1.3.1

– Security policies…

• Establish strategic security objectives and priorities


• Identify those accountable for physical security
• Set forth responsibilities and expectations for managers, employees and others

ASIS GDL FPSM-2009, Sect. 3.8



Security Policy and Procedure
• Procedures…
– Instruct employees how to react to various issues

– Are clearly articulated to prevent confusion

– Address a wide variety of topics, including all topics important for daily functions

– Are widely promulgated and refreshed with employees regularly

– Reflect the ideal functionality of the organization

– Support proper staff behavior and facilitate a hospitable, safe workplace
ASIS POA, Vol. 1, Sect. 1.3.1

Procedural controls are the least expensive countermeasures one can employ
ASIS POA, Vol. 1, Sect. 5.2

– Security procedures...

• Are detailed implementation instructions for staff to carry out security policies
ASIS GDL FPSM-2009, Sect. 3.8

• Are often overlooked as asset protection tools

– Revised procedures can enhance security while improving the bottom line for the enterprise
ASIS POA, Vol. 1, Sect. 5.2



Risk Assessment
• Risk assessment, in general…

– The premises liability of owners has been extended into streets and other public areas
ASIS POA, Vol. 1, Sect. 7.2.2

– The ASIS Facilities Physical Security Measures Guideline defines risk management as "a business discipline consisting of three major functions":

1) Loss prevention

2) Loss control

3) Loss indemnification
ASIS GDL FPSM-2009, Sect. 2.32

– A proactive strategy for security/risk mitigation supports sustainable, healthy, productive organizations and is a
critical responsibility of senior leadership and governing boards
ASIS CSO.1-2013, Sect. 3

– Risk assessment was developed in the insurance industry
ASIS POA, Vol. 2, Sect. 1.2

Informed decision making is the basis of risk management
ASIS POA, Vol. 2, Sect. 1.2



Risk Assessment
• Risk assessment, in general (continued)…

– Boards of Directors, shareholders, stakeholders, and the public expect organizations and agencies to

• Anticipate risks

• Manage risk

• Have a protection strategy

• Respond to threats

– A senior executive should be responsible for all of the organization’s security/risk strategy
ASIS CSO.1-2013, Sect. 3

– The senior security executive should be able to protect both tangible and intangible assets
ASIS CSO.1-2013, Sect. 6.5



Risk Assessment
• Risk assessment, in general (continued)…

– Risk: An uncertain situation with a number of possible outcomes, one or more of which is undesirable

– Risk includes all negative events for an organization, their impact, likelihood and how soon they may occur
(imminence)

• Risk assessment defines and quantifies all these risks

– Risk assessment techniques may be

• Heuristic (ad hoc)

• Inductive (qualitative) (bottom-up approach)


– Risks identified at the beginning of the analysis
– Identified risks are the starting point, not the result
– This method may produce incomplete results
– This method makes use of "event trees" that trace an initiating event through
a sequence with different possible outcomes
– Does not readily lend itself to feedback loops in the event trees
– This method focuses on scenarios, which may fail to account for concurrent attacks

• Deductive (quantitative) (top-down approach)


– Risks result from a systemic, deductive, top-down approach
– Uses "logic diagrams" and "fault trees" along with event trees

– Societal risk: When an entire population is at risk


ASIS POA, Vol. 2, Sect. 1.2
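The inductive (event tree) and deductive (fault tree) techniques above are easier to compare on a concrete case. The following is an added example written for this guide, not code or figures from the ASIS POA; the intrusion scenario, the three protective functions (detect, assess, respond) and every probability in it are constructed sample values. The event tree walks forward from the initiating event and stops a branch at the first protective function that fails, which is why it cannot represent feedback loops; the fault tree is built top-down from the undesired loss event and evaluated through AND/OR gates. Built from the same inputs, the two views must give the same loss probability, which is a useful cross-check on a hand-built analysis:

```python
"""Event-tree (inductive) and fault-tree (deductive) evaluation.

Added illustration for the study guide; this is not text or code from the
ASIS POA. The scenario, protective functions and probabilities are
constructed sample values for a hypothetical facility intrusion.
"""
from typing import Dict, List, Tuple, Union

# Protective functions in the order they must succeed to stop an intruder,
# each with an assumed probability of success (constructed values).
FUNCTIONS: List[Tuple[str, float]] = [
    ("detect", 0.90),   # sensor or patrol notices the intrusion
    ("assess", 0.80),   # operator confirms it is a real attack
    ("respond", 0.75),  # response force interrupts before the asset is reached
]
P_ATTEMPT = 0.20        # assumed annual probability of the initiating event


def event_tree(p_initiating: float,
               functions: List[Tuple[str, float]]) -> Dict[str, float]:
    """Inductive, bottom-up: start at the initiating event and trace the
    success/failure of each protective function in sequence.

    The first function that fails ends the branch in a loss; later functions
    never get a chance (an event tree has no feedback loops). Returns a map
    of outcome -> probability; the outcomes partition the sample space.
    """
    outcomes: Dict[str, float] = {"no initiating event": 1.0 - p_initiating}
    p_path = p_initiating
    for name, p_success in functions:
        outcomes[f"loss: {name} fails"] = p_path * (1.0 - p_success)
        p_path *= p_success
    outcomes["adversary interrupted"] = p_path
    return outcomes


def loss_probability(outcomes: Dict[str, float]) -> float:
    """Sum every branch of the event tree that ends in a loss."""
    return sum(p for name, p in outcomes.items() if name.startswith("loss"))


# A fault tree node is either a basic event (str) or a gate:
# ("AND", [children]) or ("OR", [children]).
Node = Union[str, Tuple[str, list]]


def fault_tree_prob(node: Node, basic: Dict[str, float]) -> float:
    """Deductive, top-down: evaluate the probability of the top event from
    the basic-event probabilities, assuming the basic events are independent."""
    if isinstance(node, str):
        return basic[node]
    gate, children = node
    probs = [fault_tree_prob(child, basic) for child in children]
    if gate == "AND":          # all children must occur
        result = 1.0
        for p in probs:
            result *= p
        return result
    if gate == "OR":           # at least one child occurs
        none_occur = 1.0
        for p in probs:
            none_occur *= 1.0 - p
        return 1.0 - none_occur
    raise ValueError(f"unknown gate {gate!r}")


# Top event "intrusion is not interrupted and causes a loss", built top-down.
# Detection failure is decomposed one level further: both the sensor and the
# patrol have to miss the intruder (an AND gate models that redundancy).
BASIC_EVENTS: Dict[str, float] = {
    "attempt": P_ATTEMPT,
    "sensor misses": 0.20,
    "patrol misses": 0.50,     # 0.20 * 0.50 = 0.10 = 1 - P(detect)
    "assessment fails": 0.20,
    "response fails": 0.25,
}
LOSS_TREE: Node = ("AND", [
    "attempt",
    ("OR", [
        ("AND", ["sensor misses", "patrol misses"]),
        "assessment fails",
        "response fails",
    ]),
])


def compare_methods() -> Tuple[float, float]:
    """Return (event-tree loss probability, fault-tree top-event probability).
    With consistent inputs the two must agree."""
    return (loss_probability(event_tree(P_ATTEMPT, FUNCTIONS)),
            fault_tree_prob(LOSS_TREE, BASIC_EVENTS))


if __name__ == "__main__":
    for outcome, p in event_tree(P_ATTEMPT, FUNCTIONS).items():
        print(f"{outcome:28s} {p:.4f}")
    et, ft = compare_methods()
    print(f"event tree P(loss) = {et:.4f}, fault tree P(top) = {ft:.4f}")
```

Running it lists the four event-tree branches (0.8 no attempt, 0.02 detection fails, 0.036 assessment fails, 0.036 response fails, 0.108 interrupted) and shows both methods arriving at a loss probability of 0.092. The fault tree is the more natural place to ask "which single basic event, if improved, lowers the top event most", while the event tree makes the order of the protective functions explicit; an assessment usually needs both views.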



Risk Assessment
• Risk assessment, in general (continued)…

– Risk management

• Systematic
• Statistically-based
• Holistic
• Employs formal risk assessment and management
• Addresses sources of system failures

– Risk assessment is part of the risk management process

• Risk assessments attempt to find answers to three, primary questions

1) What can go wrong?


2) What is the likelihood of it going wrong?
3) What is the impact if it goes wrong?

• Risk management attempts to answer four, primary questions

1) What can be done about identified risks?


2) What options are available?
3) What are the associated tradeoffs of the options?
4) What are the impacts of current management decisions on future options?

ASIS POA, Vol. 2, Sect. 1.2



Risk Assessment
• Risk assessment, in general (continued)…
Risk assessment helps identify threats, assets,
and vulnerabilities through a systematic,
defensible process
ASIS POA, Vol. 2, Sect. 1.2

– Risk assessment involves


• Identifying internal and external threats and vulnerabilities
• Identifying the probability and impact of an event arising from such threats or vulnerabilities
• Defining critical functions necessary to continue the organization’s operations
• Defining the controls in place necessary to reduce exposure
• Evaluating the cost of such controls
ASIS POA, Vol. 2, Sect. 1.2

– Risk formula R=TxAxV


• R = residual risk
• T = threat, a combination of threat definition and likelihood of attack
• A = asset to be protected
• V = vulnerability, represented by system effectiveness

ASIS POA, Vol. 2, Sect. 1.7.4

– Risk management is a key concept in PPS design


• Risk Management (ISO): “Coordinated activities to direct and control an organization with regard to risk”
• Although definitions of risk management vary, they generally agree that it relies on
– Risk assessment (which relies on vulnerability assessment)
– Threats
– Asset value
– Vulnerability
ASIS POA, Vol. 2, Sect. 1.1


Risk Assessment
• Risk assessment, in general (continued)…
– Major types of risk assessment
• Quantitative (hard numbers, history, statistics, etc.)
• Qualitative (“feel”, predictions, experience, etc.)

– Security typically relies on qualitative, not quantitative, assessment


ASIS POA, Vol. 2, Sect. 1.2

– Risk is expressed in
• Threat
• Consequence (impact)
• Vulnerability (likelihood, probability)

– Risk Analysis includes


• Risk Assessment
• Risk Evaluation
• Risk Management Alternatives
ASIS GDL GSRA 11 2002, Sect. IX

– Recommended approach for conducting general security risk assessments


1) Understand the organization and identify the people and assets at risk
2) Specify loss risk events / vulnerabilities
3) Establish the probability of loss risk and frequency of events
4) Determine the impact of the events
5) Develop options to mitigate risks
6) Study the feasibility of implementation of options
7) Perform a cost/benefit analysis
ASIS GDL GSRA 11 2002, Sect. X

– The value of risk analysis depends on the skill of the analysts


ASIS GDL GSRA 11 2002, Sect. A2


Risk Assessment
• Higher risk in high rise buildings…
– More people = more property, and more property = more opportunity for crime
– More people = more chances of crime internally
– More people = more anonymity
– Easy access to the public in CBD’s – easy access to mass transit
– Elevators and stairwells can be risky places
– Risky, neighboring tenants
– Tough to control threats and respond to incidents
(too many people and environment is complex)
– Evacuations are very difficult
– The most critical threats in high-rise structures include
• Fire
• Explosion
• Contamination of life-support systems such as air and potable water supplies
ASIS POA, Vol. 6, Sect. 2.2.1
ASIS POA, Vol. 6, Sect. 2.2.2

– The ability to mitigate threats for high-rise structures depends on


• Its structural design
• The use of technology to
– Deter and detect a threat
– Communicate a threat's nature and location
– Initiate automatic or organizational responses
ASIS POA, Vol. 6, Sect. 2.2.1



Risk Assessment
• Assets…

Three general types of assets

– Tangible assets can be seen, touched, or directly measured in physical form
• Facilities/buildings
• Equipment
• Inventory
• Raw materials
• Cash
• Accounts receivable
• Supplies/consumables
• Telecommunications systems
• Other capital assets

– Intangible assets can include
• Reputation/image
• Goodwill/trust
• Brand recognition/loyalty
• Relationships
• Vendor diversity
• Longevity/history
• Past performance
• Experience
• Quality assurance processes
• Workforce morale
• Workforce retention
• Management style
• Human capital development
• Liaison agreements
• Market share
ASIS POA, Vol. 1, Sect. 4.1.1



Risk Assessment
• Assets (continued)…

– Mixed (tangible and intangible) assets can include


• People
• Intellectual property
• Knowledge
• Proprietary processes
• Information technology capabilities
• Land/real estate
• Infrastructure
• Credit rating / financial stability
• Customers
• Contracts in place
• Financial investments
• Geographic location
• Staffing sources
• Certifications
• Continuity posture or resiliency
• Safety posture
ASIS POA, Vol. 1, Sect. 4.1.1

– The amount of protection required by an enterprise is a function of
• The value of the asset
• The risk tolerance of the enterprise
(How much protection is appropriate?)

ASIS POA, Vol. 2, Sect. 1.7.3



Risk Assessment
• Assets (continued)…

– Three general methods of valuing assets


• Dollars (most important measure)
• Consequence criteria
• Policy (prescribed protection levels)

– Asset value may be expressed in


• Criticality
• Consequence of loss
• Severity
ASIS POA, Vol. 2, Sect. 1.5

– Income formula I = (P x r x t) / 365

• I = Income earned
• P = Principal (the dollar amount available for investment)
• r = Annual percent rate of return
• t = Days during which P is available for investment

– Cost-of-Loss formula K = (Cp + Ct + Cr + Ci) - I

• K = Criticality, total cost of loss
• Cp = Cost of permanent replacement
• Ct = Cost of temporary substitute
• Cr = Total related costs
• Ci = Lost income
• I = Insurance (indemnity available to offset the loss; a different "I" from the income formula above)
ASIS GDL GSRA 11 2002, Sect. A2

– Loss isn’t measured just by replacement – it includes lost income, sales, downtime, etc. (indirect costs)
ASIS POA, Vol. 1, Sect. 6.1



Risk Assessment
• Threats and loss events (continued)…

– Security losses are


• Direct (money, negotiable instruments, property, information…)
• Indirect (harm to reputation, loss of goodwill, loss of employees, harm to employee morale…)

– Both direct and indirect costs can be measured in terms of lost assets and lost income
• Often, a single loss results in both kinds of costs
ASIS POA, Vol. 2, Sect. 1.6

ASIS GDL GSRA 11 2002, Sect. A1



Risk Assessment
• Threats and loss events…
– Pure Risks
• Crime
• Natural disaster
• Industrial disaster
• Civil disturbance
• War/insurrection
• Terrorism
• Accident
• Conflicts of interest
• Maliciously willful or negligent personal conduct
ASIS GDL GSRA 11 2002, Sect. A2

– Loss risk event (threat) categories
• Crimes
• Non-crime (human or natural)
• Consequential
ASIS GDL GSRA 11 2002, Sect. A1

– Safety-related events may have the same impact as security events
ASIS POA, Vol. 2, Sect. 1.3



Risk Assessment
• Threats and loss events (continued)…

– Threat classes
• Insiders
• Outsiders
• Collusion
(Figure: insider, outsider and collusion threat classes)

– Threat tactic categories
• Deceit
• Force
• Stealth
• Combination

– Threat Spectrum: A detailed list of threats; key to determining the Design Basis Threat (DBT)

– Design Basis Threat (DBT): The threat against which countermeasures are designed to protect
ASIS POA, Vol. 2, Sect. 1.3



Risk Assessment
• Threats and loss events (continued)…

– Types of events or incidents that may occur at a site can be determined by


• History of previous events
• Events occurring/occurred at similarly situated sites
• Events occurring/occurred within the industry (type of business)
• Natural disasters common to the geographical area
• Recent developments/trends
ASIS GDL GSRA 11 2002, Sect. A1

– Historical data to assist in predicting threat likelihood is generally insufficient for two reasons
• The information about past losses is unavailable
• The information about past losses is not organized to permit statistical processing
ASIS POA, Vol. 2, Sect. 1.4

– Threat considerations
• Motivation
• Tools
• Competence
• Knowledge
ASIS POA, Vol. 2, Sect. 1.7.2

– A risk analysis that considers the entire threat spectrum must be performed because
• As the threat capability increases, performance of individual security elements or the system as a whole will decrease

ASIS POA, Vol. 2, Sect. 1.7.4



Risk Assessment
• Threats and loss events (continued)…

– Probability of Loss formula P = f / n

• P = Probability
• f = Statistical data (how often the event has previously occurred)
• n = Total number of "experiments" seeking the event (i.e. days of the year, etc.)
ASIS GDL GSRA 11 2002, Sect. A2

– Cost Abatement: Coverage of losses by insurance


• Insurance pay-off should be subtracted from the total loss of an asset
• Insurance payments/premiums should reduce the insurance pay-off

– Consequence criteria can be determined through the use of a "consequence table"


ASIS POA, Vol. 2, Sect. 1.6
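A worked example, added here and not part of the study guide or the ASIS texts it cites, that carries the income formula I = (P x r x t) / 365 and the cost-of-loss formula K = (Cp + Ct + Cr + Ci) - I from the earlier slide together with the probability-of-loss formula P = f / n and the cost-abatement rule (insurance pay-off net of premiums) above. The server-room fire scenario and every figure in it are constructed for illustration.

```python
"""Added worked example of the study guide's loss-quantification formulas:
income I = (P x r x t) / 365, cost of loss K = (Cp + Ct + Cr + Ci) - I and
probability of loss P = f / n, with the insurance pay-off reduced by premiums
as the cost-abatement bullets describe.  All figures are constructed."""
from dataclasses import dataclass


def income_earned(principal: float, annual_rate: float, days: int) -> float:
    """Income formula I = (P x r x t) / 365.

    principal    P, the sum available for investment
    annual_rate  r, annual rate of return as a fraction (0.06 means 6 %)
    days         t, days during which P is available for investment
    """
    if principal < 0 or annual_rate < 0 or days < 0:
        raise ValueError("principal, rate and days must be non-negative")
    return principal * annual_rate * days / 365


def net_insurance_recovery(payout: float, premiums_paid: float) -> float:
    """Cost abatement: the pay-off is reduced by the premiums paid for it, and
    a policy that cost more than it returned abates nothing."""
    return max(payout - premiums_paid, 0.0)


@dataclass(frozen=True)
class LossEvent:
    cost_permanent_replacement: float  # Cp
    cost_temporary_substitute: float   # Ct
    related_costs: float               # Cr
    lost_income: float                 # Ci
    insurance: float                   # I, net recovery from insurance

    def criticality(self) -> float:
        """Cost-of-loss formula K = (Cp + Ct + Cr + Ci) - I."""
        gross_loss = (self.cost_permanent_replacement
                      + self.cost_temporary_substitute
                      + self.related_costs
                      + self.lost_income)
        return gross_loss - self.insurance


def probability_of_loss(occurrences: int, trials: int) -> float:
    """Probability-of-loss formula P = f / n.

    occurrences  f, how often the event has previously occurred
    trials       n, total number of "experiments" seeking the event (e.g. days)
    """
    if trials <= 0:
        raise ValueError("n must be a positive number of trials")
    if not 0 <= occurrences <= trials:
        raise ValueError("f must lie between 0 and n")
    return occurrences / trials


def server_room_fire_example() -> dict:
    """Constructed scenario: a fire destroys a server room.  Replacement
    hardware costs 250,000 and takes 90 days to arrive; for those 90 days the
    250,000 spent on it cannot earn the 6 % it would otherwise return, which
    is the lost income Ci.  Insurance pays 200,000 on a policy that cost
    12,000 in premiums.  Three comparable fires were recorded in 1,095 days
    of observation across similar sites."""
    lost_income = income_earned(250_000, 0.06, 90)          # Ci = 3,698.63
    event = LossEvent(
        cost_permanent_replacement=250_000,                 # Cp
        cost_temporary_substitute=20_000,                   # Ct (rented hardware)
        related_costs=15_000,                               # Cr (cleanup, overtime)
        lost_income=lost_income,                            # Ci
        insurance=net_insurance_recovery(200_000, 12_000),  # I = 188,000
    )
    return {
        "Ci": lost_income,
        "K": event.criticality(),                           # 100,698.63
        "P": probability_of_loss(3, 1095),                  # 0.00274
    }


if __name__ == "__main__":
    for symbol, value in server_room_fire_example().items():
        print(f"{symbol} = {value:,.4f}")
```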

• Data sources for assessing probability

– Crime analysis: Looks at crimes that have defeated countermeasures, and
• When they occurred
• How often they occurred
• The impact of their occurrence
• Revised countermeasures to prevent further occurrences
ASIS POA, Vol. 1, Sect. 8.3



Risk Assessment
• Probability factors for threats and loss events…

– Physical environment (neighborhood/vicinity)
– Overall geographical location
– Social environment
– Political environment
– Economic environment
– Historical experience for the organization
– Historical experience for the industry
– Procedures and processes
– Criminal state-of-the-art (a major probability factor)
ASIS GDL GSRA 11 2002, Sect. A1
ASIS GDL GSRA 11 2002, Sect. A2

– Threat likelihood may be expressed in


• Frequency
• Probability
• Qualitative estimate

ASIS POA, Vol. 2, Sect. 1.3

Consider all the “environments” when determining probability



Risk Assessment
• Vulnerability testing the PPS…

– Vulnerability: A weakness that can be exploited by an adversary

– Vulnerability assessment: The process of identifying and quantifying vulnerabilities

– Vulnerability analysis: A method of identifying the weak points of a facility, entity, venue or person
ASIS POA, Vol. 2, Sect. 1.7

– A vulnerability assessment is used to determine PPS effectiveness


ASIS POA, Vol. 2, Sect. 1.2

– A vulnerability assessment also determines system requirements before design and implementation
ASIS POA, Vol. 2, Sect. 1.7.3

– Frequency of vulnerability assessments
• Before system implementation
• Upon upgrades
• Periodic system effectiveness tests
(A threat exploits a vulnerability to compromise an asset)
ASIS POA, Vol. 2, Sect. 1.7



Risk Assessment
• Vulnerability testing the PPS (continued)…
– Vulnerability assessment team
• Team leader: A security specialist experienced in security systems design and project management
• Team members
– A security systems professional
– A response expert
– A data analyst
– Operations representatives
– Subject matter experts, such as...
• Technical writers
• Locksmiths
• Explosives personnel
• Safety or EH & S
• Legal
• IT professionals
ASIS POA, Vol. 2, Sect. 1.7.1

– A vulnerability assessment should include, at a minimum

• Facility and operations description (“facility characterization”)
• Threats and assets
• Constraints related to the VA or the site
• Existing countermeasures
• Vulnerabilities in countermeasures
• Baseline analysis of system effectiveness
• Recommendations for countermeasures improvement
• Analysis of expected improvements
(The use of pictures is encouraged to emphasize key points or document vulnerabilities)
ASIS POA, Vol. 2, Sect. 1.7.3

– A site survey is part of the vulnerability assessment


ASIS POA, Vol. 2, Sect. 1.7.1



Risk Assessment
• Vulnerability testing the PPS (continued)…

– Tests
• Functional testing (components are performing as expected)
• Operability testing (components are being used properly)
• Performance testing (repeats tests to determine component effectiveness against different threats)

– Testing conditions
• Day vs. night
• Different times of the year / seasons
• Operating hours vs. non-operating hours, shift changes
• Different weather conditions
• Normal operations vs. duress operations
(emergencies, labor strikes, etc.)
ASIS POA, Vol. 2, Sect. 1.7.3

– Testing approaches
1) Compliance-based
– Conformance to specified policies or regulations
– "Feature-based" approach
– Effective only for low threats, low loss impacts, and CBA-supported cost decisions
– Easier to perform
– The metric for this analysis is the presence of the specified equipment and procedures

2) Performance-based
– Evaluates how each element of the PPS operates
ASIS POA, Vol. 2, Sect. 1.7.4



Risk Assessment
• Vulnerability testing the PPS (continued)…

– Six-step process for performance-based vulnerability assessments

1) Create an adversary sequence diagram for all locations


2) Conduct a path analysis
3) Perform a scenario analysis
4) Complete a neutralization analysis, if appropriate
5) Determine system effectiveness and risk
6) Develop and analyze system effectiveness upgrades (if risk is unacceptable)

ASIS POA, Vol. 2, Sect. 1.7.4

– Three general steps of the "systems approach to problem solving" (shown as a diagram on the slide)
1) Vulnerability assessment
2) Countermeasures implementation
3) Effectiveness evaluation

ASIS POA, Vol. 2, Sect. 1.1




Risk Assessment
• Vulnerability testing the PPS (continued)…

– The biggest mistake made when conducting a VA is to concentrate on individual PPS components and address
upgrades only at that level, not at the level of the overall system
ASIS POA, Vol. 2, Sect. 1.7.2

– Three primary functions of a PPS to be tested


1) Detection measures
– Probability of detection
– Time required to report and assess alarms
– Includes entry controls
• Throughput
• False acceptance rate
• False rejection rate

2) Delay measures
– Layers of security sum up to total delay time
– Delay time considered after detection

3) Response measures
– Time to interruption of adversary
– Accuracy of deployment

– An effective assessment system provides two types of information


1) Whether the alarm is valid or nuisance

2) Key details about the cause of the alarm (what, who, where, how many)
ASIS POA, Vol. 2, Sect. 1.7.3
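An added example, not code from the study guide or from ASIS, that puts the three PPS functions above into one check: detection probability accumulates along the adversary path, the delay of the layers sums to the total delay, only the delay after detection counts, and the response must arrive before that delay is used up. The layered model, the independence assumption behind the cumulative detection probability, the detection threshold, and the assumption that detection happens as the adversary starts a layer (sensor ahead of barrier) are all mine; the sample path and its figures are constructed.

```python
"""Added example: does a layered PPS interrupt an adversary in time?

Model assumed here (not spelled out in the study guide): each layer has a
probability of detection and a delay; layers detect independently; delay
counts only from the layer at which detection becomes likely; the response
force must reach the adversary before that remaining delay runs out."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Layer:
    """One protection layer along the adversary path."""
    name: str
    p_detect: float  # probability this layer's detection measures see the adversary
    delay_s: float   # seconds this layer holds the adversary


@dataclass(frozen=True)
class PathAssessment:
    detected_at: Optional[str]      # layer where cumulative detection first suffices
    cumulative_p_detect: float      # probability of detection along the whole path
    delay_after_detection_s: float  # the only delay that counts toward interruption
    response_time_s: float          # time to interruption of the adversary
    interrupted: bool               # response arrives before the delay is consumed


def cumulative_detection(layers: List[Layer]) -> float:
    """Probability that at least one layer detects (independent layers assumed)."""
    miss = 1.0
    for layer in layers:
        miss *= 1.0 - layer.p_detect
    return 1.0 - miss


def total_delay(layers: List[Layer]) -> float:
    """Layers of security sum to the total delay time."""
    return sum(layer.delay_s for layer in layers)


def assess_path(layers: List[Layer], response_time_s: float,
                detection_threshold: float = 0.9) -> PathAssessment:
    """Walk the path in the adversary's order.  The detection point is the
    first layer at which cumulative detection reaches the threshold; detection
    is assumed to occur as the adversary starts that layer, so its delay and
    every later delay are credited.  Delay before detection helps nobody."""
    miss = 1.0
    for index, layer in enumerate(layers):
        miss *= 1.0 - layer.p_detect
        if 1.0 - miss >= detection_threshold:
            remaining = total_delay(layers[index:])
            return PathAssessment(
                detected_at=layer.name,
                cumulative_p_detect=cumulative_detection(layers),
                delay_after_detection_s=remaining,
                response_time_s=response_time_s,
                interrupted=remaining >= response_time_s,
            )
    # Threshold never reached: no timely detection, so no delay is credited.
    return PathAssessment(None, cumulative_detection(layers), 0.0,
                          response_time_s, False)


def critical_detection_point(layers: List[Layer],
                             response_time_s: float) -> Optional[str]:
    """Deepest layer at which detection still leaves enough delay for the
    response force; detection any later than this cannot be interrupted."""
    last = None
    for index, layer in enumerate(layers):
        if total_delay(layers[index:]) >= response_time_s:
            last = layer.name
    return last


# Constructed sample path: perimeter fence, alarmed building door, hardened
# server room wall.  The numbers are illustrative, not measured values.
SAMPLE_PATH = [
    Layer("perimeter fence", p_detect=0.5, delay_s=30),
    Layer("alarmed door", p_detect=0.9, delay_s=90),
    Layer("server room wall", p_detect=0.3, delay_s=240),
]

if __name__ == "__main__":
    for response in (200, 340):
        result = assess_path(SAMPLE_PATH, response)
        print(f"response {response}s: detected at {result.detected_at}, "
              f"delay after detection {result.delay_after_detection_s}s, "
              f"interrupted={result.interrupted}")
    print("critical detection point for a 300s response:",
          critical_detection_point(SAMPLE_PATH, 300))
```

With a 340 s response the total delay of 360 s still looks sufficient, but the 30 s spent at the fence came before detection, so the system fails the test; this is the system-level view the next slide warns is so often missed.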



Risk Assessment
• Vulnerability assessment methods…
– CARVER + Shock vulnerability assessment
• Developed by the U.S. Government during WWII as a targeting process
• Declassified in 2003
• Criticality (impact of attack)
• Accessibility (ability to get in and out)
• Recoverability (ability of target to recover)
• Vulnerability (ease of compromising target)
• Effect (direct loss)
• Recognizability (target identifiability)
• Shock (combined health, economic and psychological impacts)
ASIS POA, Vol. 2, Sect. 11.3.1

– The Vulnerability Identification Self-Assessment Tool (ViSAT) (DHS)

• Evaluates strengths and weaknesses of individual security operations
• Online; 200 questions
• Emphasizes a team approach
• Covers seven areas:
1) The security plan, policies and procedures
2) Security force and security awareness training
3) Cargo, personnel and vehicle access control
4) Physical security issues
5) Security technology
6) Communication security
7) Information security
(ViSAT and RSAT are particularly good for event assessments)

– Risk Self-Assessment Tool (RSAT) (DHS)


• Designed for large venues
• Emphasizes designation of single person as event security director
• Each security team member has specific duties
ASIS POA, Vol. 6, Sect. 3.2


Risk Assessment
• Risk management options…

– Mitigation
– Acceptance
– Transfer
– Spreading
– Avoidance
ASIS POA, Vol. 2, Sect. 1.2

– "Risk Financing" = Insurance

ASIS POA, Vol. 2, Sect.

• Risk Mitigation…

– Risk can be reduced in three ways


• Preventing an attack
• Protecting against an attack
• Mitigating consequences of an attack

– Mitigation means reducing consequences


• Mitigation focuses solely on reducing consequences
• May be implemented before, during, and after an attack

ASIS POA, Vol. 2, Sect. 1.2

– General categories of risk reduction (mitigation) options


• Equipment and hardware
• Policies and procedures, management practices
• Staffing
ASIS GDL GSRA 11 2002, Sect. A1


Risk Handling
• Risk mitigation (continued)…

– A security countermeasure can be planned if the loss event has the following characteristics
• The event will produce an actual loss, measurable in some standard medium (money)
• The loss is not the result of a speculative risk
ASIS GDL GSRA 11 2002, Sect. A2

– Mitigation strategies must be evaluated by


• Availability
• Affordability
• Feasibility
• Application to operations
ASIS GDL GSRA 11 2002, Sect. A1

– Except for certain high-value, irreplaceable items, an organization should base its protection strategies on a
realistic, cost-effective rationale
ASIS POA, Vol. 1, Sect. 5.1

– Often overlooked as asset protection tools, procedural controls are the least expensive countermeasures one
can employ

• Revised procedures can enhance security while improving the bottom line for the enterprise
ASIS POA, Vol. 1, Sect. 5.2



External Resources and Liaison
• Evolution of liaison…

– Consequences of September 11, 2001

• Increased security budgets, reduced resistance to security policies
• Increased communication between security and executives
• Improved security awareness
• Made security more tolerable
• Focused on personal privacy vs. public protection
• Improved information sharing between security and law enforcement
• Advanced technologies in threat and vulnerability assessment, information sharing, and protective measures
• Increased risk management in strategic protection
• Increased research on security and assets protection
• Wasted resources with knee-jerk reactions
• Overemphasized terrorist attacks instead of more realistic security risks

ASIS POA, Vol. 1, Sect. 4.1.3



External Resources and Liaison
• Policing…
– Originally, people in the community acted as “security”
• All able-bodied men protected their homes and community
• "Hue and cry": call-to-order for assistance against a crime, similar to "observe and report" of today
• Evolved into "watch and ward", administered by "shire reeves" appointed by the king; "shire reeve" later shortened to "sheriff"
• Constables evolved with sheriffs; crime control transitioned to the government

– Government policing was first described as "the king's peace"
• The result of government realizing the revenue to be gained by enforcing law and confiscating criminals' property
• Civil torts became crimes against the king's peace; the "State" collected penalties instead of people obtaining civil judgements
• Punishment by the government limited violent retribution by private individuals

– First police department organized by Sir Robert Peel, London, 1829 (the “Peelers”)
ASIS POA, Vol. 1, Sect. 7.1.1



External Resources and Liaison
• Private policing…
– Cost effectiveness of private security over public law enforcement
• Flexible labor
• Better incentives and penalties
• More precise accountability
• More focus on results
• Market competition

– Opponents argue that private policing's reduced labor costs are achieved through
• Less qualified, less trained personnel
• Inadequate benefits to employees
• Focus on part-time employees
• Creative accounting methods
ASIS POA, Vol. 1, Sect. 7.3

– Most police officials welcome partnership with private security if it frees up officers for crime fighting
ASIS POA, Vol. 1, Sect. 7.4

– Arrangements of public safety policing
a) Private Environment Supplement
b) Public Environment Replacement (rare, problematic)
c) Public Environment Supplement

ASIS POA, Vol. 1, Sect. 7.4.1, 7.4.2, 7.4.3



External Resources and Liaison
• Private policing (continued)…
– Implications of private policing
• Political
• Operational
• Legal
• Ethical
• Societal
ASIS POA, Vol. 1, Sect. 7.1

– Public safety policing model structure


• Tactical operations
• Technological systems
• Order maintenance provisions
ASIS POA, Vol. 1, Sect. 7.5.2

– Two core questions for public safety policing

1) Can police be first responders AND focus on community service?

2) What future role will others have in public safety services?

ASIS POA, Vol. 1, Sect. 7.5.1

– Private police have arrest powers only on duty (may include qualified immunity)

– Private police must be accountable to the community, the law, and the larger society
ASIS POA, Vol. 1, Sect. 7.5.3



External Resources and Liaison
• Private policing (continued)…

– Distinctions between public and private policing

• Public police – duly sworn


• Public police – monopolized service is less efficient, even complacent
• Public police – constitutional protections apply
• Private police – employed by private firms
• Private police – perception of lacking the same authority as public police officers
• Private police – tends to focus on loss reduction or asset protection
• Private police – provider competition drives better service and value

– Five specific categories of distinction between public and private policing

1) Philosophical – private police have limited authority (real and perceived)


2) Legal – private police have limited powers of arrest
3) Financial – private police are less expensive
4) Operational – private police are more flexible
5) Security/Political - private policing encourages citizens to follow community standards

ASIS POA, Vol. 1, Sect. 7.3.1



External Resources and Liaison
• Private policing (continued)…

– "Low level" crimes and tasks addressed by private police


• Traffic accidents/ traffic control
• Parking tickets/ abandoned vehicles
• Vehicle lock-outs
• Building checks
• Alarm response
• Animal complaints
• Funeral escorts
• Paperwork/subpoena services
• “Cold call” follow-ups
• Vandalism complaints/reporting
• Theft/burglary/lost-and-found reporting
• Crime scene security
• Prisoner transport/security
ASIS POA, Vol. 1, Sect. 7.1.3

– Success of privatized police requires


• Competition
• Accountability
• Standards

ASIS POA, Vol. 1, Sect. 7.3



External Resources and Liaison
• Private policing (continued)…

– Public safety policing growth factors

• Cost savings: Municipalities spend a lot on the salaries and benefits of public police officers
• Low priority call handling, like residential alarms: 20% = crime, and 80% = non-emergencies
• Police are diverted from crime prevention to produce arrest statistics and other quantifiable measures
• Crime prevention and order maintenance are priorities of private security, resulting in increasing roles in public safety
• Community policing efforts are expensive and resource-intensive

ASIS POA, Vol. 1, Sect. 7.2.1

• Fear of crime is exacerbated by signs of criminal activity
• Incivility and disorder represent chaotic conditions that result in more serious criminal activity
– If incivility (or disorder) is not perceived to be a problem, residents may be able to cope with higher rates of crime

ASIS POA, Vol. 1, Sect. 7.2.3



External Resources and Liaison
• Private policing (continued)…
– Order maintenance

• Used in community policing, may reduce crime (lack of order can lead to high crime or fear of crime)

• A core goal of community policing is to focus on fear reduction through order maintenance techniques

• Disorder is characterized by reduced social controls, such as panhandling, loitering, youths taking over parks and street
corners, public drinking, prostitution, graffiti and other disorderly behaviors

• Disorder tends to cause a greater sense of risk and loss of control

• Disorder causes more awareness of the consequences of a criminal attack

• As disorder causes crime to increase, the community sinks further with conditions that lead to even more crime

– Physical deterioration, poor housing, and abandoned buildings


– High population density and resulting anonymity
– Economic insecurity, family disintegration and conflicting social norms
– An absence of constructive positive agencies
– Teen loitering, transience, and vandalism
– Drug use

• An alternative theory to socioeconomic impact of crime is that the completion of a crime simply requires the convergence in
time and space of an offender, a suitable target, and the absence of guardians

ASIS POA, Vol. 1, Sect. 7.2.2



External Resources and Liaison
• Private policing (continued)…
– Operation Cooperation
• Published by a group of law enforcement and security organizations

• Communicates partnership models where security and police work together and advocates more of the same

• Includes history of public-private partnerships

• Describes some of the most effective public-private policing partnerships

– The Business/Law Enforcement Alliance (BLEA) in California


– The Area Police-Private Security Liaison Program (APPL) in New York City (now NYPD Shield)
– The Downtown Detroit Security Executive Council (DDSEC) in Michigan (Operation Cooperation, 2000)

ASIS POA, Vol. 1, Sect. 7.1.3

– Private police have replaced public police with varied results
• Reminderville, Ohio
• Sussex, New Jersey

ASIS POA, Vol. 1, Sect. 7.1.2



External Resources and Liaison
• Security consultants…
– Three categories of consultants
• Security management consultants
– Largest group
– Assist in managing protection strategies
– Generalists within the security discipline
– Will not cross into technical specifics

• Technical security consultants


– Special technical expertise
– Generally focus on specialties
– Produce blueprints and equipment specifications
– Requires years of technical training and experience
– May provide management consultant services
– Often assist with new construction or renovation projects
– Work with the architects and design engineers
– Recommend security hardware and software
– Save money with up-front security inclusion (not added on later)

• Security forensic consultants


– Deal with investigation, evidence, vulnerability assessment, mitigation strategies, litigation
– May be referred to as an “expert witness” (outdated term)
– Works exclusively on security-related issues

– Security management consultants and technical security consultants may undertake forensic assignments
ASIS POA, Vol. 1, Sect. 8.2, 8.2.1, 8.2.2, 8.2.3



External Resources and Liaison
• Security consultants (continued)…
– The decision to retain security consulting services is typically driven by a specific

• Problem
• Need
• Challenge
• Goal

– Security consultants might be retained because of

• Lack of in-house time or specialized knowledge


• Need for objective assessment, particularly for liability or due diligence situations
• Need for fresh ideas, or independence from internal politics
• Need for flexibility of contracted personnel
• Recognition that management may be more amenable to a consultant’s ideas
because of broader experience and industry knowledge
ASIS POA, Vol. 1, Sect. 8.1, 8.3

– Resistance to the use of a security consultant usually reflects concerns

• Asking for outside help suggests the security staff is incompetent


• A negative report from an outsider reflects unfavorably on the security program
• The organization and its policies and procedures could be compromised by
an outsider who would become intimately familiar with the enterprise
ASIS POA, Vol. 1, Sect. 8.1


External Resources and Liaison


• Security consultants (continued)…
– The security consultant seeks a mix of security solutions
• CPTED
• Changing environmental design
• Updating policies and procedures
• Adding security personnel
• Upgrading physical security requirements

– Clients should be concerned if a consultant promotes only one product or a limited range of security measures

– Effective security programs typically include a well-thought-out array of security measures
ASIS POA, Vol. 1, Sect. 8.3

– Finding a security consultant
• Best source: Referral from a colleague
• Industry associations with consultants as members
• Industry-specific associations

– Professional consultants are restrictive in the assignments they will accept
• Most consultants specialize and may not see themselves as suited for every need
• Clients should be cautious of a consultant claiming to be able to address all aspects of security

ASIS POA, Vol. 1, Sect. 8.4

– Consulting alliances: Consultants with different specialties and strengths
ASIS POA, Vol. 1, Sect. 8.8



External Resources and Liaison
• Security consultants (continued)…

– When a security consultant has been hired, stakeholders affected by his activities should be made aware
ASIS POA, Vol. 1, Sect. 8.7

– A “project coordinator” should coordinate the consulting project, typically the CSO or VP of Security
• A Security Project Committee (spin-off from the Security Advisory Committee – SAC – and chaired by the CSO or VP of
Security) may be formed to coordinate with the consultant

• The SPC needs a project sponsor

• Remember NDAs

• Remember that consulting reports are subject to discovery

• The Project Coordinator should create a consulting SOW


ASIS POA, Vol. 1, Sect. 8.7.1, 8.7.2, 8.7.3, 8.7.4



External Resources and Liaison
• Security consultants (continued)…
– Security Advisory Committee (SAC)

• Comprised of members from key corporate functions


– Chaired by a project coordinator
– Members should have stature and credibility
– Members should be able to offer useful opinions about security

• Purposes
– Determine adequacy of security measures – determine if a consultant is necessary
– Critically examine the security program
– Maintain general oversight of the security program
– Assist in meeting corporate and government requirements

• Objectives
– Review the corporate security program at least quarterly
– Determine if additional protective measures are needed
– Advise of any needed changes to security policies or procedures
– Review new program suggestions
– Field criticism or suggestions
ASIS POA, Vol. 1, Sect. 8.2.4

– Security consultant payment considerations


1) Hourly fees
2) Daily fees
3) Fixed fees
4) Not-to-exceed (NTE) fees
5) Retainers
6) Project-based pricing
ASIS POA, Vol. 1, Sect. 8.6



Security Awareness
• Security awareness…
– “An assets protection program will not succeed unless it cultivates the willing
cooperation of those affected by it and meshes its goals with the personal goals
of the workforce”
ASIS POA, Vol. 1, Sect. 4.5.2

– Means consciousness of the program, its relevance, and individual risk responsibility

– Is a continuing attitude that encourages actions in support of security

– Solicits conscious attention, and is embraced by senior personnel

– Causes all personnel to become force multipliers

– Highlights the program's contribution to financial goals

– Conveys the program’s benefits and ROI

– Conveys to middle management support of business goals

– Conveys to supervision the program’s value

– Conveys to employees the importance of leading by example

– Is refreshed more often than just at new hire orientation

– Is explained in depth to non-employees


ASIS POA, Vol. 1, Sect. 10, 10.1, 10.1.1, 10.1.2, 10.1.3, 10.1.4, 10.1.5



Security Awareness
• In general…
– One of the most cost-effective assets protection tools is security training and awareness
ASIS POA, Vol. 1, Sect. 4.5.2

– One of the most important missions of security awareness is to familiarize employees with the organization’s
policies and procedures

– Good policies are not enough to ensure staff will react properly to an incident

– Two categories of employees fail to follow policies


1) Uneducated employees

2) Arrogant employees
ASIS POA, Vol. 1, Sect. 10.4.2

– May not contain specific security task information, but may point to other resources

– Should be enjoyable and interesting


ASIS POA, Vol. 1, Sect. 10.3



Security Awareness
• Benefits of awareness include better…
– Protection of assets
– Understanding how security facilitates successful operations
– Identification of individuals’ security obligations
– Recognition of the connection between security objectives and measures
– Identification of sources of help for security compliance
– Compliance with statutory requirements for notice (trespassing, etc.)
– Compliance with regulatory, contractual, and policy requirements
– Preparation for emergencies
– Communication of security value
ASIS POA, Vol. 1, Sect. 10.2

• Awareness programs typically address…


– The reason for and value of protection strategies
– Actions required to protect specific assets
– Employees’ security responsibilities and how they meet them
– How to report violations
– How to identify and react to risk indicators
ASIS POA, Vol. 1, Sect. 10.3



Security Awareness
• Potential obstacles to a security awareness program…
– Low credibility of the security department
– Organizational culture
– Naiveté
– Perception of a minimal threat
– Indifference
– Lack of reporting capability
A cooperative employee is less likely to circumvent security.
ASIS POA, Vol. 1, Sect. 10.3.2

• Methods to maximize positive contacts with employees
– Conducting home protection clinics
– Lending property-marking devices
– Offering group purchase opportunities for burglary and fire protection devices
– Conducting personal protection programs
– Conducting cyber security awareness programs
– Conducting children's fire prevention poster campaigns with cash prizes
ASIS POA, Vol. 1, Sect. 10.4, 10.4.1

Practice Test 44 QUESTIONS

• Question 01: Which of the following is NOT true of security standards?
A. They codify best practices and processes, and share lessons learned
B. They specify security technology for government systems
C. They provide for consistency of services
D. They define effective methods for identification of individuals

• Question 02: What are the three categories of measures most effectively mixed to achieve "defense in depth"?
A. Physical, procedural, and electronic
B. Technical, manpower, procedural
C. Insider, outsider, collusion
D. High security, moderate security, and convenience

• Question 03: What are the three general types of assets?
A. Physical, virtual, and people
B. Local, remote, and virtual
C. People, property, and information
D. Tangible, intangible, and mixed

• Question 04: Often overlooked as asset protection tools, _______________ are the least expensive countermeasures one can employ.
A. Procedural controls
B. Good management practices
C. Highly-aware employees
D. Access controls

• Question 05: What are the three categories of security consultants?
A. Management, technical, and forensic
B. Technical, administrative, and management
C. Government services, private, and mixed
D. None of the above

• Question 06: Which of the following is one of the most cost-effective assets protection tools?
A. Technology
B. Manpower
C. Information technology
D. Training and awareness

• Question 07: Who has front-line accountability for protecting the organization?
A. Executive management
B. The Security department
C. Leaders of each operating unit
D. Front-line security supervisors

• Question 08: Which of the following is NOT one of the three tools of a strategically-managed assets protection program?
A. Administration
B. Evaluation
C. Planning
D. Management

• Question 09: Which of the following would be considered an intangible asset?
A. Inventory
B. Brand loyalty
C. Raw materials
D. Revenue

• Question 10: What are the five avenues to address risk?
A. Acceptance, Mitigation, Avoidance, Transfer, and Hardening
B. Acceptance, Spreading, Mitigation, Transfer, and Avoidance
C. Avoidance, Mitigation, Transfer, Acceptance, and Maximization
D. Elimination, Avoidance, Transfer, Mitigation, and Spreading

• Question 11: The two primary goals of government regulation are:
A. Protecting the public, and generating tax revenue
B. Increasing government control, and decreasing private industry influence
C. Standardizing services, and control of the activity
D. Control of the activity, and generating tax revenue

• Question 12: The ASIS Facilities Physical Security Measures Guideline defines risk management as "a business discipline consisting of three major functions." These functions are:
A. Loss management, loss indemnification, loss identification
B. Loss prevention, loss management, loss recovery
C. Loss preparedness, loss prevention, loss protection
D. Loss prevention, loss control, loss indemnification

• Question 13: Two approaches can be used when testing systems:
A. Efficiency-tuned and effectiveness-tuned
B. Return-on-investment (ROI) and Cost/Benefit Analysis (CBA)
C. Performance-based and compliance-based
D. Probability of detection (Pd) and Nuisance Alarm Rate (NAR)

• Question 14: Which of the following are legitimate threat tactic categories?
A. Deceit, stealth, and force
B. Internal, external, and collusion
C. Physical, information, and virtual
D. Local, regional, and global

• Question 15: What industry is responsible for the development of risk assessment?
A. Security
B. Insurance
C. Legal
D. Safety

• Question 16: Which of the following is NOT a function of security policies?
A. Establish strategic security objectives and priorities
B. Identify those accountable for physical security
C. Provide guidelines for completing specialized security tasks
D. Set forth responsibilities and expectations for managers, employees and others

• Question 17: What are the three outer components (red, green and yellow circles) of this depiction?
A. Probability, impact, and vulnerability
B. Threat, likelihood, and consequence
C. Asset, vulnerability, and probability
D. Asset, threat and vulnerability
[Figure: three outer circles, each labeled "?", overlapping a central circle labeled "Risk"]

• Question 18: What two categories of employees typically don't follow security policies and rules?
A. Complacent employees, and those employees ignorant of the rules
B. Executive management, and senior management
C. Arrogant employees, and uneducated employees
D. New employees, and temporary employees

• Question 19: Which of the following is a probability factor for threats and loss events?
A. Criminal state-of-the-art
B. Physical environment
C. Social environment
D. Geographic location
E. All of the above
F. B & C

• Question 20: What are the two major types of risk assessments?
A. Internal and external
B. Government and private
C. Qualitative and quantitative
D. Pure and speculative

• Question 21: What are the three primary classes of risk?
A. Insider, outsider, and collusion
B. Speculative, pure, and economical
C. Direct, indirect, and mixed
D. Physical, information, and personnel

• Question 22: Which of the following is NOT a legitimate arrangement of public and private policing?
A. Private Environment Replacement
B. Private Environment Supplement
C. Public Environment Replacement
D. Public Environment Supplement

• Question 23: The amount of protection required by an enterprise is a function of:
A. Value of the asset and risk tolerance of the enterprise
B. Value of the asset and consequence of the threat
C. Value of the asset and likelihood of the threat
D. Likelihood and consequence of the threat

• Question 24: What is a vulnerability analysis?
A. A weakness that can be exploited by an adversary
B. The process of identifying and quantifying vulnerabilities
C. A method of identifying the weak points of a facility, entity, venue or person
D. The process of correcting identified vulnerabilities

• Question 25: Which of the following is NOT one of the factors that change the understanding of and approach to assets protection?
A. Mutating threats
B. Evolution of management
C. Increasing reliance on technology
D. Transformation of business

• Question 26: Which of the following is NOT a risk assessment technique?
A. Physical
B. Inductive
C. Deductive
D. Heuristic

• Question 27: Security losses are of what two types?
A. Monetary and criticality
B. Tangible and intangible
C. Immediate and future
D. Direct and indirect

• Question 28: What is the Design Basis Threat?
A. The anticipated path of an adversary through layered security measures
B. The range of threats potentially impacting an enterprise
C. The most insignificant threat in the threat spectrum
D. The threat against which countermeasures are designed to protect

• Question 29: Except for certain ______________, an organization should base its protection strategies on a realistic, cost-effective rationale.
A. Strategically-important documents
B. Critical personnel
C. High-value, irreplaceable items
D. Bitcoins and fidget spinners

• Question 30: Which of the following is NOT one of the four primary questions Risk Management attempts to answer?
A. What can be done about identified risks?
B. What options are available?
C. What is the cost of available options?
D. What are the impacts of current management decisions on future options?

• Question 31: Threat likelihood may be expressed in…
A. Frequency, probability, and qualitative estimate
B. Certainty, quantified estimate, and criticality
C. Probability, annual loss expectancy, and criticality
D. Qualitative, quantitative, and mixed measures

• Question 32: A site survey is part of what process within the risk management program?
A. Risk assessment
B. Vulnerability assessment
C. Threat evaluation
D. Asset valuation

• Question 33: What are the two primary categories of risk?
A. Insider and outsider
B. Speculative and pure
C. Direct and indirect
D. Tangible and intangible

• Question 34: Risk assessments attempt to find answers to what three primary questions?
A. What can go wrong, what is the likelihood of it going wrong, and what is the impact of it going wrong?
B. What is the likelihood of something going wrong, how quickly will it occur, and what is the impact of it going wrong?
C. What can go wrong, what is the impact of it going wrong, and how long will it take to recover from it?
D. What can go wrong, how often will it go wrong, and what is the total impact of all occurrences?

• Question 35: Asset value may be expressed in…
A. Criticality, severity, and consequence of loss
B. Criticality, dollars, and likelihood
C. Dollars, likelihood, and impact
D. Severity, consequence of loss, and probability

• Question 36: Which of the following tests is executed to ensure system components are operating as expected?
A. Acceptance
B. Performance
C. Operational
D. Functional

• Question 37: Which of the following is NOT one of the three tools of a
strategically-managed assets protection program?

 A. Administration
 B. Evaluation
 C. Planning
 D. Management


• Question 38: What are the three primary functions of a Physical Protection System (PPS)?

 A. Delay, Detect, and Deter
 B. Delay, Detect, and Respond
 C. Deny, Delay, and Detect
 D. Deny, Respond, and Destroy

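The three PPS functions in Question 38 are not independent: detection only counts if it happens early enough on the adversary's path that the delay still ahead of the adversary exceeds the response force's arrival time. The following worked example is added here to show that relationship numerically; it is not from the study guide. It follows the timely-detection model used in Sandia-style PPS design (critical detection point and probability of interruption). The layer names, delay times, detection probabilities and the assumptions that each layer's sensor sits in front of its delay element and that detections at different layers are independent are all constructed for illustration.

```python
"""Timely-detection check for a layered Physical Protection System (PPS).

Added worked example; it is not from the ASIS study guide. It models how the
three PPS functions (Detect, Delay, Respond) interact: detection must happen
early enough on the adversary's path that the delay still ahead of them
exceeds the time the response force needs to arrive. The layer names, delay
times and detection probabilities are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Layer:
    """One protection layer on the adversary path.

    Assumption: the layer's sensor (detection plus assessment) sits in front
    of its delay element, so an adversary detected here still has to spend
    `delay_s` defeating it.
    """
    name: str
    delay_s: float    # seconds needed to defeat this layer
    p_detect: float   # probability of detection and assessment at this layer

    def __post_init__(self):
        if self.delay_s < 0 or not 0.0 <= self.p_detect <= 1.0:
            raise ValueError(f"bad parameters for layer {self.name!r}")


# Constructed sample path from the perimeter to the asset (outside -> inside).
SAMPLE_PATH = [
    Layer("perimeter fence", delay_s=30, p_detect=0.9),
    Layer("building door", delay_s=90, p_detect=0.8),
    Layer("vault door", delay_s=600, p_detect=0.5),
    Layer("remove asset (task time at target)", delay_s=120, p_detect=0.0),
]


def remaining_delay(path, index):
    """Delay still ahead of an adversary detected at the start of layer `index`."""
    return sum(layer.delay_s for layer in path[index:])


def critical_detection_point(path, response_s):
    """Index of the last layer at which detection still leaves remaining
    delay >= response force time, or None when even detection at the first
    layer is too late (the system cannot interrupt this path at all)."""
    cdp = None
    for i in range(len(path)):
        if remaining_delay(path, i) < response_s:
            break
        cdp = i
    return cdp


def probability_of_interruption(path, response_s):
    """P(I): probability the adversary is detected at or before the critical
    detection point. Detection beyond the CDP is too late to count.
    Assumes detection events at different layers are independent."""
    cdp = critical_detection_point(path, response_s)
    if cdp is None:
        return 0.0
    p_miss_all = 1.0
    for layer in path[:cdp + 1]:
        p_miss_all *= 1.0 - layer.p_detect
    return 1.0 - p_miss_all


def report(path, response_s):
    """Human-readable summary for one response force time."""
    cdp = critical_detection_point(path, response_s)
    lines = [f"response force time: {response_s:.0f} s"]
    for i, layer in enumerate(path):
        tag = "OK  " if cdp is not None and i <= cdp else "LATE"
        lines.append(f"  {tag} detect at {layer.name:<36} "
                     f"remaining delay {remaining_delay(path, i):>5.0f} s")
    lines.append(f"  P(I) = {probability_of_interruption(path, response_s):.3f}")
    return "\n".join(lines)


if __name__ == "__main__":
    # A 5-minute response: detection at the vault door is still timely.
    print(report(SAMPLE_PATH, response_s=300))
    # A 15-minute response: total path delay (840 s) is shorter than the
    # response time, so no sensor anywhere on the path can make the system
    # effective; the fix is more delay inside the detection point, not more sensors.
    print(report(SAMPLE_PATH, response_s=900))
```

The design point the numbers make: with a 300 s response the critical detection point is the vault door, and any detection at or before it interrupts the adversary, so P(I) is high even though the vault sensor alone is only 50 % effective. With a 900 s response no layer qualifies and P(I) drops to zero regardless of sensor quality, which is why "Delay" and "Respond" have to be sized together rather than bought separately.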

• Question 39: Which of the following is NOT a general category of risk reduction options?

 A. People/staffing
 B. IT/information
 C. Procedures/policy
 D. Equipment/hardware


• Question 40: Which of the following is NOT one of the most critical threats in high-rise buildings?

 A. Fire
 B. Explosion
 C. Workplace violence
 D. Contamination of life-support systems


• Question 41: Mitigation strategies must be evaluated by all but…

 A. Availability
 B. Affordability
 C. Feasibility
 D. Application to operations
 E. Effectiveness


• Question 42: The ratio of direct reports to an immediate supervisor is referred to as…

 A. Management ratio
 B. Supervision span
 C. Span of control
 D. Control spread


• Question 43: What is a vulnerability assessment?

 A. A weakness that can be exploited by an adversary
 B. The process of identifying and quantifying vulnerabilities
 C. A method of identifying the weak points of a facility, entity, venue or person
 D. The process of correcting identified vulnerabilities


• Question 44: Which of the following is NOT a method of risk reduction?

 A. Preventing an attack
 B. Protecting against an attack
 C. Responding to an attack
 D. Mitigating consequences of an attack
