Risk and Vulnerability Assessment


RISK AND VULNERABILITY ASSESSMENT
THE MALAWI PARLIAMENT SECURITY STAFF
PRESENTED BY
STEPHEN KASOMPHE PCQI
SafetyPlus Technologies
Scope
• Introduction to risk
• Introduction to vulnerability assessment
• Risk terminology
• Security risk
• Risk and asset characterization
• Probability matrices
• Security justification
• Risk management presentation to management
Class and group norms
Risk Terminologies

• Safety: refers to systems that react to abnormal events by minimizing their impact, preserving human life and protecting property.
• Security: security represents the systems that prevent, detect, delay, respond to, interrupt and neutralize a malevolent human adversary (examples include industrial espionage, direct facility attack or fraud).
• Safeguards: an integrated system of physical protection, material accounting and control measures designed to deter, prevent, detect and respond to unauthorized possession, use or sabotage.
Operations
• Operations seeks to produce, transfer, experiment with, store and maintain products, materials and work-in-process.
• This implies open access, non-intrusive control and accountability.
What is risk
What is Risk
Risk management framework
Risk taking
Benefits of taking a risk
Risk options
Loss Event Profiling
Presented by
Capt. Stephen Kasomphe (rtd) PCQI
SECURITY RISK MANAGEMENT

Stephen Kasomphe BASRM, PCQI


UNIT ONE
• Unit one discusses risk and threat identification as a basis and source
of risk information for management.
SECURITY VULNERABILITY
• INTRODUCTION
• A basic precept of asset protection is that an effective security plan or
program must be based on a clear understanding of the actual risks it faces.
• Until the actual threat to assets is assessed accurately, precautions and
countermeasures – even those of the highest quality, reliability and repute –
cannot be chosen, except by guesswork. The value of a security program
depends as much upon the relevance of resources as upon their high quality.
• First understand the problem, then consider solutions.
Defining the problem
• Defining a security problem involves an accurate assessment of three factors:
1. The kinds of threats or risks affecting the assets to be safeguarded.
2. The probability of those threats becoming actual loss events.
3. The effect on the assets, or on the enterprise responsible for the assets, if the loss
occurs.

The first can be called loss event profile, the second can be called loss event
probability or frequency, and the third can be called loss event criticality.
The relationship among these three aspects of a loss event is fundamental in any
system of countermeasures. Each aspect increases or decreases in significance in
the light of other aspects.
LOSS EVENT PROFILE
• Recognizing individual loss events that might occur is the first step in
dealing with asset vulnerability.
• It requires clear ideas about the kinds of loss events or risks as well as
about conditions, circumstances, objects, activities and relationships
that can produce the loss events.
• A security countermeasure should be planned if the loss event has
the following characteristics:
• The event will produce an actual loss, measurable in some standard medium
such as money.
• The loss is not speculative in the sense that nonoccurrence of the event
would result in a gain.
Loss event profile (cont.)
• This kind of event, which may produce either a loss or a gain, is often called a
business or conventional risk. If a product can be sold profitably, it will result in
net income to the seller. Whether or not this is possible depends upon many
factors including:
• Controlling manufacturing costs
• Securing a suitable share of the available market
• Being price competitive
• Maintaining quality levels
To the extent that these contingencies are properly maintained, sales are profitable. Loss
results from failure to manage them correctly – for example, by misjudging the cost or
availability of raw materials, or the time needed to manufacture the final item, or the actual
market demand. This loss is not the kind of loss being described here. The individual events of
manufacture, distribution and sale could have produced either a gain or a loss. Properly
gauging the profit and loss potential is the task of conventional business management.
Loss Event profile
• But if the profits were not realized because of some event that could
only cause a loss, the situation would call for positive assets
protection and loss prevention measures.
• Events of this kind, which are loss-only oriented, involve so-called
pure risks.
• Recognizing a particular loss event in any given enterprise is not
necessarily a matter of simple common sense, it often demands the
special skills of an experienced security professional to perceive that a
given exposure is present.
PURE RISK LOSS EVENTS
• War
• Natural catastrophe: earthquake, flood, hurricane, tidal wave, typhoon, volcanic eruption.
• Industrial disaster: Explosion, fire, major accident, environmental incident, structure collapse.
• Civil disturbance: insurrection, riot
• Crime: common crimes against the person (murder, rape, assault) and crimes against property
(larceny, arson, vandalism)
• Conflicts of interest: bribery, dissatisfaction, espionage, kickbacks, sabotage, competitive
intelligence, unfair competition.
• Workplace violence: acts of revenge, disaffection, personal grudge
• Terrorism: bombing, extortion, kidnapping, assassination with political or militant activist
overtones.
• Other risks: disturbed persons, personnel piracy, traffic accidents.
UNIT TWO
• In loss event profiling the unique and most
important thing is to identify the risk to an asset,
operation, process, activity or function.
RISK IDENTIFICATION
• Risk identification ascertains the sources and nature of risk and the effect of
uncertainty on achieving the organization’s objectives. A thorough risk
identification process will consider the myriad of uncertainties that may affect
organizational objectives. These may include natural, intentional, and
unintentional events such as malevolent, criminal, technical, institutional,
logistical, logical, demographic, environmental, or social/political events. It is
more than asking “what can go wrong” but also includes asking which risks
may be pursued as an opportunity.
• While different risk disciplines use a range of techniques for identifying the
nature and sources of risk, they all should contain the following components
along with an understanding of the interplay between these components for
a comprehensive identification and characterization of the risks:
RISK IDENTIFICATION
• a) Asset and service identification, valuation, and characterization;
• b) Threat and opportunity analysis;
• c) Vulnerability and capability analysis; and
• d) Criticality and impact analysis.
• Risk identification can be conducted using qualitative or quantitative analyses or a
combination of both. Regardless of the method of evaluation the assumptions,
level of precision in estimating parameters, and reliability of information used
should be noted.
• Risk identification is part of a good business and risk management strategy.
• Therefore, when conducting the risk identification, the business SWOT (strengths,
weaknesses, opportunities, and threats) analysis should be consulted as a key input.
RISK IDENTIFICATION QUESTIONS
• Identifying risks should answer the following questions:
a) Why could something happen?
   · A cause or factor creating risk.
   · Effectiveness of risk treatments.
b) Who could be involved?
   · Individuals or groups associated with the threat, control of the risk, and/or impacted by the risk.
c) How could it happen?
   · A source of risk.
d) What could happen?
   · Potential event and likelihood.
   · Potential consequences and likelihood.
e) When could something happen?
f) Where could it happen?
INFORMATION SOURCES RELATED TO
RISK IDENTIFICATION
Information sources related to the risk identification process include (but are not limited to):
• a) SWOT analysis;
• b) Business plans;
• c) Intelligence;
• d) Threat advisories;
• e) Meteorological and geological reports;
• f) Significant fluctuations in the availability and pricing of basic commodities such as food, water,
and natural resources;
• g) Previous, current, and emerging data and trends;
• h) Political, social, and economic trends;
• i) Insurance information;
• j) Internal and external stakeholders;
INFORMATION SOURCES RELATED TO
RISK IDENTIFICATION
• k) Audit findings and exercise reports;
• l) Internal crime, loss, and risk event data;
• m) External risk event and crime data;
• n) Industry risk data;
• o) Law enforcement agencies;
• p) Government/international agencies;
• q) Industry associations;
• r) Media, internet, and public reports;
• s) In-house systems; and
• t) Informal and personal relationships.
METHOD OF SOLICITING INPUT
• Methods for soliciting input include (but are not limited to):
• a) Conducting an exercise;
• b) Scenario evaluations;
• c) Questionnaires;
• d) One-on-one structured interviews;
• e) Incident, exercise or audit reports;
• f) Brainstorming sessions;
• g) Group discussions;
• h) Workshops;
• i) Stakeholder and focus group discussions; and
• j) Expert testimonials (including public and private sector sources).
RISK IDENTIFICATION ACTIVITIES
• When conducting risk identification activities it should be noted that, some
risks are continuous and some vary with time. Additionally, threat,
opportunity, vulnerability, and criticality levels may be time-dependent.
• At times, dependencies that will affect consideration of the level of risk and
the need for treatment include:
a) Duration of an event;
b) Cultural context of time;
c) Day, week, or month of the year;
d) Time of day (e.g., break periods, business hours, shift work);
e) Timelines for service and product delivery;
f) Supply chain context of time; and
g) Time restrictions on travel.
ASSET IDENTIFICATION, VALUATION
AND CHARACTERIZATION
• Usually the preliminary step is to identify and evaluate sources of
uncertainty in achieving organizational objectives. Asset characterization identifies what
assets may be at risk, what their criticality to the organizational
objectives is, and what the potential consequences of those assets
being compromised are. Questions that should be answered:
a) What are the activities, functions, and assets that contribute to achieving the organization’s
objectives?
b) What is the value chain of the organization and what are the activities, functions, and assets that contribute to the critical value
generators?
c) What is the tangible and intangible value of the asset for the organization and its supply chain?
d) What are the dependencies of the organization’s activities and functions on the asset?
e) Is there a potential for significant positive, neutral, or negative consequences related to the asset?
ASSET CHARACTERIZATION
• The loss of the most valuable assets or disruption of critical value
generating activities and functions may result in unacceptable damage to
the organization and/or disruption of dependent activities and functions.
The value of an asset is frequently measured relative to more than one
consequence. For example, minor harm to people may result in major harm
to brand and reputation. Furthermore, when characterizing the activity,
function, or asset, consideration should be given to its value relative to the
organization and its supply chain, as well as its potential value to an
adversary or competitor.
• All activities, functions, and assets that contribute to achieving the
organization’s objectives, and within the scope of the risk assessment,
should be considered
TANGIBLE AND INTANGIBLE ASSETS
• Tangible and intangible assets include (but are not limited to):
a) Internal and external human resources;
b) Property (e.g., facilities, equipment, materials, products, physical systems);
c) Process controls (physical and cyber);
d) Financial and administrative processes (e.g., funds, inventory, accounting, and
recordkeeping systems);
e) Information and telecommunication systems;
f) Transportation systems;
g) Access to critical infrastructure and support utilities;
h) Intellectual property and proprietary information; and
i) Brand, image, and reputation.
IDENTIFICATION ACTIVITIES
• After identifying activities, functions, and assets that contribute to
achieving the organization’s objectives for each activity, function, and
asset consider:
a) Its contribution to the value chain of the organization and the achievement of objectives;
b) The potential for risk to be exploited for the advantage of the organization;
c) Severity and timeframes of the consequences if activities, functions, or assets were lost, or offer a potential
opportunity;
d) Critical infrastructures, dependencies, and interdependencies (internal and external);
e) Functions and countermeasures that currently exist for protection and support;
f) Criticality to value chain and achieving the organization’s objectives; and
g) Priority and critical value relative to other activities, functions, and assets.
THREAT AND OPPORTUNITY ANALYSIS
• Sources of risk and related threats and opportunities should be identified and analyzed once priority and critical activities,
functions, and assets have been identified. This will provide a basis for understanding what risk events may contribute to
uncertainty in achieving the organization’s objectives. The process should consider both threats and potential
opportunities.
• Threat analysis considers impacts, timeframes, and factors that may prevent achievement of objectives. Unintentional
events look at the possibilities of human error. Threats can be intentional and unintentional and may occur through errors
of commission and omission.
• Opportunity analysis typically looks at the potential for change that an organization might undergo to improve its overall
results. Opportunities might increase the overall demand or discrete price points for its products and services, broaden or
restrict its offerings, as well as increase efficiencies through expense reductions and operational improvements. Whatever
the goal, undertaking an opportunity analysis helps to provide an understanding of what potential effects, positive and
negative, are likely to take place if different decisions are taken.
THREAT AND OPPORTUNITY ANALYSIS
• Threat and opportunity analysis can be conducted using either quantitative, qualitative,
or a combined approach. Regardless of the method, a common set of metrics and
scales should be defined so that the calculations can be performed and reported using
consistent scales and parameters. Comparisons will only be valid if values are
determined using the same methods and metrics. All priority and critical activities,
functions, and assets should be analyzed.
• Sources of risk give rise to potential threats and opportunities. Threat and opportunity
analysis sets the boundaries as to the type of threats and opportunities that can be
addressed, therefore, the range of risk sources associated with the achievement of
organizational objectives should be considered. Threat and opportunity analysis often
contains subjective estimates, therefore the confidence in the predictions should be
considered within the context of the reliability of the information. Likelihood estimates
are particularly sensitive to the information and assumptions they are based on.
THREAT AND OPPORTUNITY ANALYSIS
• Using the output from the asset identification, valuation and
characterization, consider sources of risk that create uncertainty in
achieving the organization’s objectives. Consider both intentional and
unintentional risk events that may affect the achievement of the
organization’s objectives (natural and man-made hazards; social,
economic, and political factors; as well as actions with mal-intent).
Determine what threats and/or opportunities are associated with
potential risk events. The output of the threat and opportunity
analysis should be a comprehensive list of threats and
opportunities, prioritizing those most relevant to the
achievement of objectives.
UNIT THREE
• This unit focusses on identifying the actual threat or aggressor and
making the right assessment
MALEVOLENT THREATS
• Threats may be identified in terms of “threats from” and “threats to”. “Threat
from” is based on the nature and attributes of the threat and how the threat may
cause harm and/or uncertainty. “Threat to” considers the locations of the
potential assets and services. In assessing the threat, the nature of the threat
should be considered (e.g., is it malevolent, naturally occurring, or accidental).
For a malevolent threat the assessment should consider “who/why” (e.g.,
description of the adversary), “what” (e.g., the material used by the adversary),
and the “how/when/where” (e.g., the characteristics of scenario and related
tactics).
• Malevolent threat is assessed by evaluating the combination of motivation/intent
and capability of an adversary to impact a priority or critical asset, function,
activity, or capability. Figure 7 illustrates the interaction of these elements.
[Figure 7: Elements of Threat]
• Threat analysis can be conducted using threat tree analysis. Three
types of mapping or matrix techniques include:
• a) Asset tree – asset, means of access, internal or external threat actor,
intentional or unintentional motive, capability, event, consequence;
• b) Threat type tree – type of threat, act, resultant event, consequence;
and
• c) Adversary tree – type of adversary, motivation, capability, methods,
event, consequences.
• In order to determine a realistic threat level, consider the following
flow diagram.
[Figure: Determining Threat Levels flow diagram]
DETERMINING THREAT LEVELS
• The likelihood of threat should be considered as part of the threat analysis. There
are many different approaches which can be used. One is a narrative approach,
which uses a qualitative description for the threat level and threat characteristics.
Subject matter experts may provide input based on an analysis of events, trends
and other indicators or analysis of specific threat characteristics (e.g., intentions,
capabilities, and other attributes). Another approach is the threat ranking
approach which is generally a semi-quantitative approach for estimating the
components of threat and then combining them into some value and/or ranking
with some description. The attributes that are rated for each threat should be
orthogonal (e.g., should not overlap such that there is double counting). In some
cases the rating scores can be used to represent a "risk-like likelihood".
• Threat profiles are usually dynamic. Therefore, threats should be monitored on an
on-going basis.
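The threat ranking approach described above, as an added example that is not part of the presentation: each adversary is scored on two orthogonal attributes (motivation/intent and capability, the two elements the deck combines for a malevolent threat), the scores are combined into a single value and band, and the confidence in the underlying information is carried alongside so that low-confidence ratings are flagged for re-assessment rather than silently trusted. The adversary names and scores are constructed sample inputs; the 1–5 scales, the product combination and the band thresholds are assumptions of this example, not the author's method.

```python
"""Semi-quantitative threat ranking (added example, not the presentation's own).

Assumptions: attributes are scored 1..5, the combined score is the product
(1..25), and the bands are: <=4 low, <=9 moderate, <=16 high, else critical.
"""
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5


@dataclass(frozen=True)
class ThreatRating:
    adversary: str
    motivation: int   # intent to act against this organisation (1..5)
    capability: int   # means, skills and resources to carry out the act (1..5)
    confidence: int   # reliability of the information behind the scores (1..5)
    # "History of previous attacks" is deliberately NOT a third attribute: it is
    # evidence for both motivation and capability, so scoring it separately
    # would double-count it and break the orthogonality requirement.


def _check_scale(name, value):
    if not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{name} must be within {SCALE_MIN}..{SCALE_MAX}, got {value}")


def threat_score(rating):
    """Combine the orthogonal attributes into one value in the range 1..25."""
    for name in ("motivation", "capability", "confidence"):
        _check_scale(name, getattr(rating, name))
    return rating.motivation * rating.capability


def threat_band(score):
    """Map a combined score onto a descriptive level (assumed thresholds)."""
    if score <= 4:
        return "low"
    if score <= 9:
        return "moderate"
    if score <= 16:
        return "high"
    return "critical"


def rank_threats(ratings, min_confidence=3):
    """Return (adversary, score, band, note) tuples, highest score first.

    Entries whose information confidence is below min_confidence keep their
    place in the ranking but carry a note asking for verification.
    """
    ranked = sorted(ratings, key=threat_score, reverse=True)
    result = []
    for r in ranked:
        score = threat_score(r)
        note = "" if r.confidence >= min_confidence else \
            "low confidence: verify with additional sources before acting"
        result.append((r.adversary, score, threat_band(score), note))
    return result


# Constructed sample ratings (not real assessments of any organisation).
SAMPLE_RATINGS = [
    ThreatRating("organised theft ring", motivation=4, capability=4, confidence=4),
    ThreatRating("disgruntled former contractor", motivation=5, capability=2, confidence=2),
    ThreatRating("opportunistic vandal", motivation=3, capability=1, confidence=5),
    ThreatRating("activist group", motivation=3, capability=3, confidence=3),
]

if __name__ == "__main__":
    for adversary, score, band, note in rank_threats(SAMPLE_RATINGS):
        print(f"{adversary:32} score={score:2} {band:8} {note}")
```

Because threat profiles are dynamic, the ratings would be re-entered on each monitoring cycle and the ranking regenerated; the validation in `threat_score` rejects any score outside the agreed scale so that later cycles stay comparable with earlier ones.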
DETERMINING THREAT LEVELS
• Specific information for individual facilities is often lacking. When estimating the threat levels it is important to understand
the internal and external context of the location being assessed, as well as the unique sources of risk for the location. For
example, sympathy in local communities for the acts of violence may influence the likelihood of the threat of terrorism and
violent crime. Organizations operating in a cultural setting where there is little sympathy or acceptance of violence would
face different threat levels than a society that condones the use of violence as a means to justify perceived wrongdoings.
• Threat and opportunity characterization seeks to identify general and specific sources of risk and describe how they
manifest themselves. Scenarios can be developed to analyze how the threat or opportunity will materialize and what are
the various factors and stakeholders at play. Once a scenario has been identified it can be evaluated for differing
magnitudes of the risk event. Similar scenarios may be triggered by events resulting in similar consequences. By evaluating
the different possibilities it is possible to identify risk treatment options that focus on both likelihood and consequences.
DETERMINING THREAT LEVELS
• When evaluating the potential for intentional threats, consideration
should be given to the presence and proximity of “hard” and “soft”
targets. A resilient and determined adversary will consider the same
factors illustrated in Figure 8 in order to successfully carry out a threat
to cause a risk event.
LOSS EVENT PROBABILITY OR
FREQUENCY
• We know from elementary statistics that probability is
measured as the number of ways in which a particular event
can result from certain activity, divided by the number of all
events which could occur from that activity.
• Stated as an equation this is: P = F / N
• Where
• P = the probability that a given event will occur
• F = the number of outcomes or results favorable to the occurrence of the event
• N = the total number of equally possible outcomes or results
As a practical example, what is the probability that in two throws of a coin it will come up heads at least
once? The total events possible in two throws of a coin are:
1. First throw, heads – second throw, heads
2. First throw heads – second throw, tails
3. First throw, tails – second throw, heads
4. First throw, tails – second throw, tails
LOSS EVENT PROBABILITY OR
FREQUENCY
• Thus there are four equally possible outcomes for two throws of a coin. Of the four (n=4), three would produce at least
one head in two throws (f=3).
• Thus, substituting in the formula, the probability of at least one head in two throws of a coin is P = 3/4, or P = 0.75.
• Although this simple statement illustrates the most direct way to calculate probability mathematically, it is not enough for
practical application for a number of reasons. First not all simultaneously possible events will be equally probable.
• Second an event may occur more than once. Such recurrence is actually its frequency. But some events will only occur
once and the reaction will so change the environment that the theoretically probable further occurrences will be
prevented. For example, a theft might so change the method of protecting the asset stolen that future thefts would be
much less likely.
• But we can employ the basic concept: the more ways a particular event can occur in given circumstances, the greater the
probability that it will occur.
Probability assessment
• For effective assessment of probability, as many as possible of those
circumstances that could produce the loss must be known and
recognized.
• We must emphasize the earlier statement that common sense alone
is not an adequate basis or yardstick for identifying risks. Specialized
knowledge is required and the larger or more complex the enterprise
or loss environment, the greater the need for such expertise.
UNIT 4 PROBABILITY FACTORS
• The conditions and sets of conditions that will worsen or increase
asset exposure to risk of loss can be divided into major categories.
• The categories are as follows:
• Physical environment
• Social environment
• Political environment
• Historical experience and
• Criminal state-of-art.
Physical environment
• Composition: material, mass, weight, volume and density
• Climate: temperature, range and mean; relative humidity, mean and
range; rainfall; snowfall; onset and end of freezing; storm cycles or
seasons.
• Geography: latitude; longitude; elevation
• Location: neighbouring exposures; sheltered or unsheltered
environment; controlled or uncontrolled.
• Conditions of use: times; processes; procedures
Social environment
• Ethnic Identity: population mix and distribution
• Age groups: children; adolescents; young adults; middle adults; aging; old and infirm.
• Income levels: impoverished; unemployed; blue collar; white collar; affluent; wealthy.
• Neighborhood: percent residential; business; industrial; institutional; recreational;
undeveloped; deteriorated.
• Social history: peaceful; local incidents; major disturbances; chronology of significant
events.
• Planning: reconstruction; rehabilitation; extension; rezoning.
• Crime: high crime; moderate crime; low crime; organized or random; police relations,
amount and frequency of patrols.
Political environment factors
• Government unit: city; town; village; unincorporated hamlet.
• General tone: conservative, liberal, major parties, minor parties,
mixed, apolitical
• Attitudes: tightly organized, loosely organized, no neighborhood
organization, competitive organization, dominant groups.
• Political arena: single election or congressional districts, multiple
districts, identities and affiliations of federal state and local legislators.
Historical Experience
• A special problem exists due to unavailability of data relating to losses.
• Even if the data is available it is not organized in a manner that you can make sense out of
it.
• The losses are described in various forms which may include insurance claims and loss
records.
• Some organizations only keep paper files, which you need to rearrange to make sense out
of the data.
• Accurate historical information about losses or loss events can be among the most useful
information kept by an enterprise.
• First of all, sufficient information permits forecasting future occurrences.
• It is a principle of probability theory that the larger the number of actual cases or events of
the kind that includes the predicted event, the greater the agreement between the predicted
pattern and the actual pattern of occurrence.
Incident database
• Modern asset protection departments utilize a database to record
incidents.
• These databases range from complex incident management systems
purchased from specialized software vendors to relatively simple database
software that is provided with most computers.
• At a minimum a database should contain the following information:
• Date of occurrence
• Time of occurrence
• Place of occurrence
• Nature of event under a general head such as crime or incident or accident
• Description of the specific event such as fire, larceny by stealth, forced entry, mysterious disappearance etc.
• Method of operation or mode of occurrence, if known
• A distinctive incident number to serve as the general locator for the incident and unite all files, reports and log data.
• Value of the assets involved and value of damage.
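The following is an added example, not code from the presentation, that ties the incident database fields listed above to the "loss event probability or frequency" discussion earlier: once incidents are recorded with a consistent structure, the observed frequency of each event type, the average loss per event and the split between business hours and after hours can be read straight back out of the records. The incident records are constructed sample data, the observation period is passed in explicitly, and the frequency-times-average-loss figure is a common annualised loss estimate added here, not a formula from the deck.

```python
"""Minimal incident database and the figures it supports (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, time


@dataclass(frozen=True)
class Incident:
    incident_no: str      # distinctive number uniting all files, reports and log data
    occurred_on: date     # date of occurrence
    occurred_at: time     # time of occurrence
    place: str            # place of occurrence
    nature: str           # general head: crime, incident or accident
    event: str            # specific event: fire, larceny, forced entry, ...
    method: str           # method of operation / mode of occurrence, if known
    asset_value: float    # value of the assets involved
    damage_value: float   # value of the damage or loss


# Constructed sample records covering a two-year observation period.
SAMPLE_INCIDENTS = [
    Incident("INC-0001", date(2022, 3, 4), time(10, 15), "west wing office", "crime",
             "larceny", "stealth", 1500.0, 1200.0),
    Incident("INC-0002", date(2022, 7, 19), time(1, 45), "records store", "crime",
             "forced entry", "pried door", 25000.0, 5000.0),
    Incident("INC-0003", date(2022, 11, 2), time(14, 30), "car park", "crime",
             "larceny", "stealth", 900.0, 800.0),
    Incident("INC-0004", date(2023, 2, 14), time(3, 5), "kitchen block", "accident",
             "fire", "electrical fault", 60000.0, 20000.0),
    Incident("INC-0005", date(2023, 6, 8), time(2, 10), "west wing office", "crime",
             "larceny", "stealth", 500.0, 400.0),
    Incident("INC-0006", date(2023, 10, 27), time(23, 20), "records store", "crime",
             "forced entry", "pried door", 25000.0, 3000.0),
]
SAMPLE_PERIOD_YEARS = 2.0


def events_per_year(incidents, years):
    """Observed frequency of each specific event type, in events per year."""
    if years <= 0:
        raise ValueError("observation period must be positive")
    counts = defaultdict(int)
    for inc in incidents:
        counts[inc.event] += 1
    return {event: n / years for event, n in counts.items()}


def expected_annual_loss(incidents, years):
    """Frequency multiplied by the average loss per event, for each event type."""
    losses = defaultdict(list)
    for inc in incidents:
        losses[inc.event].append(inc.damage_value)
    freq = events_per_year(incidents, years)
    return {event: freq[event] * (sum(v) / len(v)) for event, v in losses.items()}


def business_hours_split(incidents, start=time(8, 0), end=time(18, 0)):
    """Count events inside versus outside business hours (conditions of use: times)."""
    inside = sum(1 for inc in incidents if start <= inc.occurred_at < end)
    return {"business_hours": inside, "after_hours": len(incidents) - inside}


def repeat_locations(incidents):
    """Places that appear in more than one record, with their incident numbers."""
    by_place = defaultdict(list)
    for inc in incidents:
        by_place[inc.place].append(inc.incident_no)
    return {place: nos for place, nos in by_place.items() if len(nos) > 1}


if __name__ == "__main__":
    print(events_per_year(SAMPLE_INCIDENTS, SAMPLE_PERIOD_YEARS))
    print(expected_annual_loss(SAMPLE_INCIDENTS, SAMPLE_PERIOD_YEARS))
    print(business_hours_split(SAMPLE_INCIDENTS))
    print(repeat_locations(SAMPLE_INCIDENTS))
```

With only six records the frequencies are illustrative rather than predictive; as the deck notes, the forecast only becomes reliable as the number of recorded cases grows, which is exactly why a consistent record structure matters from the first entry.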
Vulnerability/Capability Analysis

• Vulnerability/capability analysis evaluates the efficacy of the risk measures in
place (deliberate and/or inherent) that will have an effect on the likelihood of a
threat or opportunity materializing and the likelihood and extent of consequences.
Vulnerability is dependent on the risk control measures (e.g., countermeasures)
deployed to manage a risk event. Capability is dependent on the adaptability of the
entity and its ability to respond to negative events and to take advantage of
potentially positive ones.
• Risk control measures can be either physical or virtual (e.g., technologies, physical
barriers, administrative procedures, etc.) It should be recognized that some risk
treatment measures may reduce the likelihood of an event taking place but do not
make the target less vulnerable.
• Analysis of vulnerability includes analyzing the attributes of the event and assets,
services, and activities.
Vulnerability/Capability Analysis
• Factors to consider include:
a) Efficiency of risk control measures;
b) Level of profile, recognition, visibility, and iconic status;
c) Value of assets (including symbolic and reputational);
d) Understanding which parties support the objectives of the organization and those that don’t;
e) Alignment with potential adversaries’ intent and motivations;
f) Timing, intensity, and duration of the event;
g) Accessibility;
h) Interdependencies and dependencies;
i) Perceived and actual recovery times;
j) Cascading effects (e.g., a toxic release compounded by wind currents);
k) Demographics and local culture; and
l) Potential for collateral damage.
Vulnerability/Capability Analysis
• Steps to consider in determining the level of vulnerability:
a) Identify risk scenarios (from asset valuations and threat analysis);
b) Define how the risk scenario will be manifested (single or multiple paths);
c) Determine the effectiveness of the risk control measures;
d) Determine the vulnerability based on attributes of the scenario events and potential outcomes; and
e) Determine the level of vulnerability based on severity of the consequences and recovery time periods.
ASSESSING LEVELS OF
VULNERABILITY
• Level of vulnerability is determined based on metrics designed to
measure the achievement of the organization’s objectives. Therefore,
not only is the value of the asset, service or activity considered, but
also the timeframes that asset, service or activity may be unavailable.
When determining the vulnerability consider:
a) Is the vulnerability due to a single weakness or multiple weaknesses?
b) Does the nature of the vulnerability make it difficult to exploit?
c) What is the time dependent nature of the vulnerability, cascading effects, and recovery
time?
d) Is the vulnerability lessened by multiple layers of countermeasures?
EVALUATING VULNERABILITY
• Event trees can be helpful tools in evaluating the vulnerability.
Although many models exist, a simplified example is to:
a) Assume a risk scenario;
b) Identify threat actors and methods;
c) Identify targets and potential consequences;
d) Identify accessibility;
e) Identify countermeasures;
f) Determine if single or multiple layers of defense exist;
g) Determine the efficiency of countermeasures (consider the conditions of deployment); and
h) Determine level of vulnerability.
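Steps a) to h) above, carried through as an added example that is not part of the presentation: one risk scenario is written down with its threat actor, method, target, consequence and accessibility; each path into the target carries its layers of countermeasures; and the vulnerability is the probability that the adversary defeats every layer that is actually deployed under the stated conditions, taken over the weakest path. The scenario, the countermeasure effectiveness values and the band thresholds are constructed assumptions of this example, and the layers are treated as independent, which is a simplification.

```python
"""Simplified event tree for one risk scenario (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Countermeasure:
    name: str
    effectiveness: float                # probability it stops the adversary when deployed
    requires: frozenset = frozenset()   # deployment conditions it depends on (e.g. "staffed")

    def active(self, conditions):
        """A layer only counts if all of its deployment conditions currently hold."""
        return self.requires <= conditions


@dataclass
class Scenario:
    name: str
    threat_actor: str
    method: str
    target: str
    consequence: str
    accessible: bool   # can the adversary reach the target at all?
    paths: dict        # path name -> list of countermeasures on that path, in order


def path_success(path, conditions):
    """Probability the adversary defeats every active layer on one path."""
    p = 1.0
    for cm in path:
        if not 0.0 <= cm.effectiveness <= 1.0:
            raise ValueError(f"{cm.name}: effectiveness must be a probability")
        if cm.active(conditions):
            p *= 1.0 - cm.effectiveness   # independent layers assumed
    return p


# Assumed band thresholds on the probability of adversary success.
BANDS = [(0.05, "low"), (0.20, "moderate"), (0.50, "high")]


def vulnerability_band(p):
    for limit, band in BANDS:
        if p < limit:
            return band
    return "critical"


def evaluate(scenario, conditions):
    """Steps d) to h): accessibility, active layers, single/multiple defence,
    adversary success probability on the weakest path, and the vulnerability band."""
    if not scenario.accessible:
        return {"path": None, "layers": 0, "defence": "not accessible",
                "p_success": 0.0, "band": "low"}
    per_path = {}
    for name, path in scenario.paths.items():
        layers = sum(1 for cm in path if cm.active(conditions))
        per_path[name] = (layers, path_success(path, conditions))
    weakest = max(per_path, key=lambda n: per_path[n][1])
    layers, p = per_path[weakest]
    defence = "multiple" if layers > 1 else ("single" if layers == 1 else "none")
    return {"path": weakest, "layers": layers, "defence": defence,
            "p_success": p, "band": vulnerability_band(p)}


# Constructed countermeasures and scenario (not a real facility).
FENCE = Countermeasure("perimeter fence", 0.6)
GUARD = Countermeasure("guard post", 0.7, frozenset({"staffed"}))
LOCK = Countermeasure("door lock", 0.5)
ALARM = Countermeasure("intrusion alarm", 0.8)

SCENARIO = Scenario(
    name="theft of records",
    threat_actor="external opportunist thief",
    method="forced entry",
    target="records store",
    consequence="loss of documents and recovery time to reconstruct them",
    accessible=True,
    paths={"main gate": [FENCE, GUARD, LOCK, ALARM],
           "loading bay": [GUARD, LOCK, ALARM]},
)

if __name__ == "__main__":
    print("business hours:", evaluate(SCENARIO, {"staffed"}))
    print("after hours:   ", evaluate(SCENARIO, set()))
```

Running the same scenario under two sets of deployment conditions shows the point made above about timing: with the guard post unstaffed after hours the loading bay drops from three active layers to two and the vulnerability band rises, even though nothing about the target itself changed.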
Criticality and Consequence (Impact) Analysis

• Criticality and consequence analysis provide, respectively, a measure of the impact of the risk
event relative to achieving the organization's objectives and a measure of the impact that
losing a tangible or intangible asset, activity, or function will have on the
operations of the organization and its stakeholders.
• A well done criticality and consequence analysis will allow the analysis to
focus on those assets, activities, and functions that are of most importance to
the organization and stakeholders.
• It is important to understand the criticalities and consequences in order to
develop a cost-effective risk management strategy. The consequences will
depend on the nature, location, and other factors of the event. Scenarios are
often used in calculating plausible, implausible, and catastrophic
consequences.
Criticality and Consequence (Impact) Analysis
• This should be done evaluating the consequences against the
criticality of the asset, activity, or function.
• The criticality of an asset, activity, or function can be intrinsic or
derivative. The intrinsic criticality indicates the direct value of the
asset, activity, or function in achieving the objectives of the
organization.
• The derivative criticality indicates the indirect consequences of a risk event, and how the resultant consequences that are only indirectly related to the asset, activity or function will affect the organization achieving its objectives. In evaluating the criticality consider:
a) The value of the asset, activity or function to on-going operations and value generation;
b) The value of the asset, activity or function to internal and external stakeholders, including competitors and adversaries;
c) Timeframe of criticality – the time period an asset, activity or function can be unavailable before effects are significant;
d) Derivative effects – the effect on other assets, activities or functions;
e) Impact on brand, image and reputation;
f) Exclusive possession;
g) Availability of alternatives for the assets, activities and functions; and
h) Perception of criticality by supply chain partners and other stakeholders.
Criticality and Consequence (Impact) Analysis
• Many scales exist for grading consequences. The exact scale should be
determined by the accuracy of the predictions, whether a consequence is
quantifiable, and the intended use of the information. The scales should be
determined also based on their utility to the risk managers and decision-
makers.
• Regardless of the scale used, it should be consistent throughout the risk
assessment process. When assessing the consequences of a risk event consider:
a) Human impact: physical and psychological harm to employees, customers, suppliers and other stakeholders;
b) Physical asset impact: property losses and replacement costs;
c) Information asset impact: loss of sensitive, proprietary or personal information;
d) Financial impact: lost or deferred sales/business, loss of market share, lawsuits, regulatory fines/penalties, overtime pay, stock devaluation;
Criticality and Consequence (Impact) Analysis
e) Reputational impairment impact: diminished standing in the community, negative press;
f) Community/societal impact: indirect impacts on the regional economy, reduction in the regional net economy, losses to the tax base of local jurisdictions; and
g) Environmental impact: degradation of the quality of the environment.
• An example of a flow diagram for considering the consequences of a
risk event illustrating the importance of time considerations is given in
Figure 9.
CRITICALITY CONSEQUENCE ANALYSIS (Figure 9: flow diagram of the consequences of a risk event over time; diagram slide, no text)
CLIENT’S RISK EXPOSURE
Social and economic exposure
• Armed robbery
• Bomb attack, terrorist attack
• Hostage taking, kidnapping
• Intrusion (physical)
• Theft of material assets
• Sabotage (e.g. arson), vandalism
• Labour or other disputes, strike actions, occupation of the parliament
buildings
• Social instability, riots outside parliament building.
Information protection
• Espionage, eavesdropping
• Theft or loss of confidential information, or information leak due to negligence or low risk awareness
• Social engineering (phishing, pharming, spoofing and private relations)
Performance
• Loss of human life or injuries due to fire or explosion
• Loss of buildings or facilities due to fire or explosion, leading to business disturbance and interruption
• Water, flooding or a natural hazard such as a storm, cyclone, lightning or earthquake, leading to loss of lives, injuries, damage to buildings and facilities, and business interruption
• Chemical spills, toxic fumes or substances affecting health and safety, the natural environment, buildings and facilities, and possibly causing business interruption
Performance
• Pandemic diseases
• Fraud, illegal activities and transactions
• Counterparty risks (contractual risks)
• Failure or disruption of technical systems, electrical power supply and other utilities
• Failure or disturbance of security and surveillance systems
• Misuse or falsification of official documents (e.g. identity cards and access control badges)
• Lack of a business continuity plan and crisis management plan
Sourcing
• Dependency on key personnel and their knowledge
• Dependency on external service providers and their knowledge
• Dependency on external deliveries of hardware or software
Client’s Risk Fitness
Risk Fitness
• Risk fitness is defined by a combination of the risk awareness level and of risk ownership definition and assignment.
Relating Risk and Vulnerability
Psychology of Security (The Psychology of Security, Bruce Schneier, 2008)
• Security is both a feeling and a reality.
• The “reality” of security is mathematical in nature and can be calculated based on the probability of different risks and the effectiveness of different security countermeasures.
• Security is also a “feeling”, based on an individual’s psychological reaction to both risks and countermeasures.
Risk versus Crisis Management
• Practice risk management or become very good at crisis management. Your choice…
• Risk Management ? Crisis Management (diagram)
Perceiving Risk
Reason for Risk?
• Risk arises from uncertainty…
• Uncertainty with respect to the adversary (threat), and the adversary’s:
– Objectives – one or more?
– Determination
– Capabilities & strength
– Experience & knowledge
– Time-line
– Optional targets
Risk Concepts
• Risk is never static
• Risk can be within or outside our sphere of control
• Risk is affected by both the adversary and the target
• A convertible asset requires multi-stage “risk continuum” consideration
• What can be done to positively affect the “risk triangle”?
– Probability
– Corporate “Risk Appetite”?
Establishing Security Risk
Risk Models
• Risk = P x I (Probability x Impact)
• Risk = P x I x V (Probability x Impact x Vulnerability)
• Risk = PA (1 – PI) C (probability of attack x probability the adversary is not interrupted x consequence; with neutralization included this becomes PA (1 – PE) C, see the Quantitative Risk Equation below)
• Risk = P x I x M (Probability x Impact x Manageability)
• Risk = Probability x Impact, reduced by Security Controls
Possibility versus Probability
• Possibility – an event that could occur.
• Probability – the likelihood of the event occurring.
Probability of What?
• A threat-event will take place?
• The threat-event will be mitigated to some degree?
• The adversary will be 100% successful?
• What probability?
– Impossible?
– Even chance?
– Certain?
Probability (Likelihood)
• Historical Record
• Anecdotal Info
• Police Sources
• Industry Sources
• Networking
• Credible Intelligence
• Security technology inputs
• Industry Experience
• …………………….?
High Impact – Low Probability Events
• Consider a catastrophic event that occurs ≈ every 300 years…
• Is it possible?
• Is it probable?
• What is the impact?
• What is the risk?
– R = Probability x Impact
– R = Low x Catastrophic
– R = Low, Medium, High, Critical, _____________?
– The selected risk level describes your _________?
Dependent & Independent Events
• Probability of a six being on the upper surface of one die…?
• Probability of two sixes being on the upper surfaces of two dice…?
• Probability of three sixes being on the upper surfaces of three dice…?
Probability of Security System Failure
• A system with three components fails if one or more components fail. The probability that any given component will fail is 1/10. What is the probability that the system will fail?
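The dice questions and the three-component system above both reduce to two rules for independent events. The following Python, added here as an illustration and not part of the original slides, generalises them: a series system fails when any component fails, while independent redundant layers (the “multiple layers of countermeasures” asked about under Assessing Levels of Vulnerability) fail only when every layer fails. All probabilities are assumed values, and independence between the events is assumed.

```python
"""Combining independent event probabilities for security-system layering.

Added example, not from the original slides. Generalises the dice exercise
and the three-component system: a series system (fails if ANY component
fails) and independent redundant layers (fail only if ALL layers fail).
Inputs are constructed for illustration; the events are assumed independent.
"""
from functools import reduce
from operator import mul


def p_all(probabilities):
    """P(every listed independent event occurs) = product of the probabilities.

    Example: three sixes on three dice = (1/6) ** 3.
    """
    return reduce(mul, probabilities, 1.0)


def p_any(probabilities):
    """P(at least one independent event occurs) = 1 - P(none occurs).

    Example: a system that fails when one or more of its components fail.
    """
    return 1.0 - p_all(1.0 - p for p in probabilities)


def series_failure(component_failure_probs):
    """System with no redundancy: it fails if any one component fails."""
    return p_any(component_failure_probs)


def redundant_failure(layer_failure_probs):
    """Defence in depth: the system fails only if every independent layer fails."""
    return p_all(layer_failure_probs)


def layers_needed(per_layer_failure, target):
    """Smallest number of independent layers, each failing with probability
    per_layer_failure, whose joint failure probability is at most target.
    Rounding guards against binary floating-point noise at the boundary."""
    n = 1
    while round(per_layer_failure ** n, 12) > target:
        n += 1
    return n


if __name__ == "__main__":
    print("one six on one die:", p_all([1 / 6]))
    print("two sixes on two dice:", p_all([1 / 6] * 2))
    print("three sixes on three dice:", p_all([1 / 6] * 3))
    # Three components, each failing with probability 1/10, no redundancy.
    print("series system failure:", series_failure([0.1, 0.1, 0.1]))
    # The same three components arranged as independent redundant layers.
    print("redundant layers failure:", redundant_failure([0.1, 0.1, 0.1]))
    print("layers for <= 1% joint failure at 20% each:", layers_needed(0.2, 0.01))
```

The contrast is the practical point: the same three 1-in-10 components give a 27.1% failure rate when any one of them can bring the system down, and a 0.1% failure rate when an adversary must defeat all three. The redundancy figure only holds if the layers really are independent; a shared power supply or a single guard watching all three collapses them back to the series case.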
Impact (Consequence)
• Business Impact Analysis
• S.W.O.T. Analysis
• Past experience
• Risk manager
• In-house counsel
• Public relations
• Employees
• Etc…
Manageability
• Manageability is definable
– People
– Technology
– Process
• Issue directly manageable – Monitor/overview
• Issue indirectly/partially manageable – Prevention/avoidance of issue
• Issue cannot be managed – Minimization of damage
Manageability Definitions
• Complete (95%): potential issues are familiar to the management team. The day-to-day issue management process is sufficient to handle them.
• High (75%): weekly overview and reporting of potential issues is required in addition to the daily issue management process. Expected variations are manageable.
• Moderate (50%): continuous overview of potential issues (by the project champion) is required in addition to the daily issue management process. Expected variations can be managed with difficulty.
• Low (25%): expected variations cannot be managed effectively. The risk manager provides options prior to further forward movement.
Qualitative Risk Identification
• Probability x Impact matrix (diagram), with both axes graded Low, Medium, High, Critical.
Quantitative Risk Equation
• R = PA * [1 – PE] * C
• R = risk to the facility of an adversary gaining access to assets (ranges from 0 to 1.0)
• PA = probability of an adversary attack during a period of time
• PE = probability of preventing the event = P(I) INTERRUPTION x P(N) NEUTRALIZATION
• C = consequence value
• Note: if PE is the probability of preventing the event, then [1 – PE] must be the probability of the adversary being successful.
• Source: The Design and Evaluation of Physical Security Systems, Garcia, Mary Lynn, Butterworth-Heinemann, 200
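Applying the equation above to a set of scenarios, as an added example rather than anything from the slides or from Garcia’s book: the scenario names and their PA, PI, PN and C values are constructed for illustration, and C is normalised to 0..1 so that R also lies in 0..1. The example ranks scenarios by R and shows how much a detection improvement (raising PI) removes from the risk of one of them.

```python
"""Quantitative security risk: R = PA * (1 - PE) * C, with PE = PI * PN.

Added example, not from the slides or from Garcia. The scenarios and every
probability in them are assumed values; C is normalised to 0..1.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    p_attack: float      # PA: probability of an adversary attack in the period
    p_interrupt: float   # PI: probability the response interrupts the adversary
    p_neutralise: float  # PN: probability the adversary is neutralised once interrupted
    consequence: float   # C: consequence value, normalised to 0..1

    def __post_init__(self):
        for field_name in ("p_attack", "p_interrupt", "p_neutralise", "consequence"):
            value = getattr(self, field_name)
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{field_name} must be in [0, 1], got {value}")


def p_effective(scn):
    """PE: probability the protection system prevents the event."""
    return scn.p_interrupt * scn.p_neutralise


def risk(scn):
    """R = PA * (1 - PE) * C; (1 - PE) is the adversary's success probability."""
    return scn.p_attack * (1.0 - p_effective(scn)) * scn.consequence


def rank(scenarios):
    """Scenarios ordered from highest to lowest risk."""
    return sorted(scenarios, key=risk, reverse=True)


def risk_reduction(before, after):
    """Fraction of the risk removed by a change to the protection system."""
    r0 = risk(before)
    return 0.0 if r0 == 0 else (r0 - risk(after)) / r0


# Constructed scenarios for illustration only.
CONSTRUCTED = [
    Scenario("forced entry, chamber, night", 0.30, 0.50, 0.60, 0.90),
    Scenario("insider theft of ICT equipment", 0.60, 0.20, 0.90, 0.30),
    Scenario("vehicle bomb at public gate", 0.05, 0.70, 0.40, 1.00),
]

if __name__ == "__main__":
    for s in rank(CONSTRUCTED):
        print(f"{s.name:32s} PE={p_effective(s):.2f} R={risk(s):.3f}")
    base = CONSTRUCTED[0]
    # Same scenario after better detection lifts interruption from 0.50 to 0.85.
    improved = Scenario(base.name, base.p_attack, 0.85, base.p_neutralise, base.consequence)
    print(f"risk reduction from better detection: {risk_reduction(base, improved):.0%}")
```

Two things the arithmetic makes visible: the low-probability bomb scenario carries the highest consequence yet ranks lowest in R, which is the “High Impact – Low Probability” question from earlier in this deck; and because PE is a product, a response force that neutralises reliably does little if the adversary is rarely interrupted in time, so detection and response delay are what the countermeasure budget should target.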
Vulnerability
• “Vulnerability Paradox”: “Out of your vulnerabilities will come your strength” (Sigmund Freud)
Vulnerability
• Vulnerabilities are always present?
• Vulnerabilities are not static
• Vulnerabilities become transparent if not treated
• Vulnerabilities are measurable
Vulnerability
• Vulnerability 1:
– Exposure: at-risk assets
– Resistance: measures taken to prevent, reduce or avoid loss
– Resilience: ability to recover to a prior state or achieve a desired post-event state
• Vulnerability = Exposure x Resistance x Resilience
• Source: Vulnerability Assessment, Cees van Westen, ITC, United Nations University
Vulnerability Considerations
Vulnerability Questions
• What is vulnerable?
• Why is it vulnerable?
• What makes it vulnerable?
• Is the vulnerability easily exercised?
• Can the vulnerability be mitigated?
Vulnerability Analysis
• Pareto Analysis
• Pair-wise Comparison
• Fault Tree Analysis
• Attack Tree Analysis
• Failure Mode & Effect Analysis
• Failure Modes, Effects & Criticality Analysis
• C.A.R.V.E.R. (modified)
• Cause & Effect (Ishikawa)
• Monte Carlo Simulation
Design Basis Threat
1. Develop the protection design to meet the DBT.
2. Identify appropriate elements of the design.
3. Identify how the protection system will be evaluated for effectiveness over time.
DBT Adversary Capability Matrix
Insider
– Objective: Steal assets such as tools, parts
– Motivation: Personal gain, revenge
– Planning/System Knowledge: Base: good, depending on position; Enhanced: significant
– Weapons: Base: none; Enhanced: edged weapons
– Tools and Equipment: Base: access keys or credentials; Enhanced: access keys, credentials & combinations
– Contaminants: N/A
– Impact (damage) to Asset(s): Base: minimal; Enhanced: notable
– Injury to Persons: Base: no; Enhanced: possible but unintentional
– Fatalities: Base: no; Enhanced: no
Criminal
– Objective: Steal large quantity of valuable assets
– Motivation: Personal gain
– Planning/System Knowledge: Base: some, opportunistic; Enhanced: significant if in collusion with insider
– Weapons: Base: edged weapons; Enhanced: hand guns, shot guns
– Tools and Equipment: Base: hand tools or readily available tools at the facility; Enhanced: hand and power tools
– Contaminants: N/A
– Impact (damage) to Asset(s): Base: notable; Enhanced: significant
– Injury to Persons: Base: possible but unintentional; Enhanced: possible
– Fatalities: Base: no; Enhanced: possible but unintentional
Organized Crime
– Objective: Steal large quantities of finished product
– Motivation: Large gain for criminal organization
– Planning/System Knowledge: Base: good to high level; Enhanced: extensive information and level of access
– Weapons: Base: unlikely; Enhanced: wide array of weapons
– Tools and Equipment: Base: hand tools or readily available tools at the facility; Enhanced: access keys, credentials and combinations; hand and power tools
– Contaminants: N/A
– Impact (damage) to Asset(s): Base: notable to significant; Enhanced: significant to critical
– Injury to Persons: Base: possible but unintentional; Enhanced: possible and intentional
– Fatalities: Base: possible but unintentional; Enhanced: possible and intentional
Total Adversary Tasking
Adversary Attack Pathway
Control Measures Effectiveness
• Define the context – measuring what?
• Identify all contributing security element(s)
• Use known or reasonably foreseeable threat(s)
• Step through the process and assign scores – does it make sense?
• Team approach/peer review
Security Control Effectiveness (worksheet)
Threat Event | Security Control | Control Effectiveness | Control Vulnerability | Overall Effectiveness
Trespasser | Fencing | | |
Trespasser | Employees | | |
Trespasser | SOs | | |
Trespasser | CCTV | | |
Security Measures Effectiveness
• Executive Overview
– The effectiveness of existing security measures is marginally acceptable at this time.
– Areas which may require specific attention include:
• Lighting
• Communications
• Policies & Procedures
– It may not be practical to enhance some security measures => supported by other protection?
Risk & Vulnerability
IT/Information Technology Risks
• Failure or disruption of IT (hardware, software, network) leading to disturbances and business interruption
• IT service risks (availability, integrity, confidentiality, non-repudiation): manipulation of data or IT components
• Malware, viruses
• External attacks on parliament IT (DoS, botnets) that disturb business processes and/or destroy data
• Lack or non-performance of IT disaster recovery, leading to business interruption
• Failure or disruption of telecommunication links and services
• IT technology risks
Organization
• Effectiveness of organization, organization structure
• Decision making process
• Empowerment risks
• Lack of change readiness
• Sub-optimum development of human resources
• Insufficient motivation and incentives
• Sub-optimum internal communication and corporate culture.
Governance
• Lack of security and risk awareness
• Compliance risks
• Inconsistency of mission statement, strategy, procedures and
implementation.
COST OF LOSS CALCULATION
• Taking the worst-case position and analysing each security vulnerability in light of the probable maximum loss for a single loss occurrence of the risk event, as it could occur under typical circumstances, we can use the following equation:
• K = (Cp + Ct + Cr + Ci) – (I – a)
• K = criticality, total cost of loss
• Cp = cost of permanent replacement
• Ct = cost of temporary replacement
• Cr = total related cost
• Ci = lost income cost
• I = available insurance indemnity
• a = allocable insurance premium
Loss event profiling
Loss event
Operational loss
Protection philosophy
Physical security schema
Physical security protection
Best practices in security design
CCTV
Pure Risk
Vulnerability assessment
The Malawi Parliament
Security Vulnerability
• A basic precept of asset protection is that an effective security plan or program must be based on a clear understanding of the actual risks.
• Until the actual threat to assets is assessed accurately, precautions and countermeasures – even those of the highest quality, reliability and repute – cannot be chosen, except by guesswork.
• The value of a security program depends as much upon the relevance of resources as upon their high quality.
• First understand the problem; then consider solutions.
Defining the problem
• Defining a security problem involves an accurate assessment of three factors:
• The kinds of threats or risks affecting the assets to be safeguarded
• The probability of those threats becoming actual loss events
• The effect on those assets, or on the enterprise responsible for the assets, if the loss occurs
LOSS EVENT PROBABILITY
SECURITY RISK MANAGEMENT
UNIT 4 PROBABILITY FACTORS
• The conditions and sets of conditions that will worsen or increase
asset exposure to risk of loss can be divided into major categories.
• The categories are as follows:
• Physical environment
• Social environment
• Political environment
• Historical experience and
• Criminal state of the art.
Physical environment
• Composition: material, mass, weight, volume and density
• Climate: temperature, range and mean; relative humidity, mean and
range; rainfall; snowfall; onset and end of freezing; storm cycles or
seasons.
• Geography: latitude; longitude; elevation
• Location: neighbouring exposures; sheltered or unsheltered
environment; controlled or uncontrolled.
• Conditions of use: times; processes; procedures
Social environment
• Ethnic Identity: population mix and distribution
• Age groups: children; adolescents; young adults; middle adults; aging; old and infirm.
• Income levels: impoverished; unemployed; blue collar; white collar; affluent; wealthy.
• Neighborhood: percent residential; business; industrial; institutional; recreational;
undeveloped; deteriorated.
• Social history: peaceful; local incidents; major disturbances; chronology of significant
events.
• Planning: reconstruction; rehabilitation; extension; rezoning.
• Crime: high crime; moderate crime; low crime; organized or random; police relations,
amount and frequency of patrols.
Political environment factors
• Government unit: city; town; village; unincorporated hamlet.
• General tone: conservative, liberal, major parties, minor parties,
mixed, apolitical
• Attitudes: tightly organized, loosely organized, no neighborhood
organization, competitive organization, dominant groups.
• Political arena: single election or congressional districts, multiple
districts, identities and affiliations of federal state and local legislators.
Historical Experience
• A special problem exists due to the unavailability of data relating to losses.
• Even if the data is available, it is often not organized in a manner that you can make sense of.
• The losses are described in various forms, which may include insurance claims and loss records.
• Some organizations only keep paper files, which you need to rearrange to make sense of the data.
• Accurate historical information about losses or loss events can be among the most useful information kept by an enterprise.
• First of all, sufficient information permits forecasting of future occurrences.
• It is a principle of probability theory that the larger the number of actual cases or events of the kind that includes the predicted event, the closer the agreement between the predicted pattern and the actual pattern of occurrence.
Incident database
• Modern asset protection departments use a database to record incidents.
• These databases range from complex incident management systems purchased from specialized software vendors to the relatively simple database software provided with most computers.
• At a minimum a database should contain the following information:
• Date of occurrence
• Time of occurrence
• Place of occurrence
• Nature of event under a general heading such as crime, incident or accident
• Description of the specific event, such as fire, larceny by stealth, forced entry, mysterious disappearance etc.
• Method of operation or mode of occurrence, if known
• A unique incident number to serve as the general locator for the incident and to unite all files, reports and log data
• Value of the assets involved and value of damage
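An added example, not from the slides, of the minimum incident record above as an SQLite table, with a handful of constructed incidents and a query that turns the record into the annual frequency per event type, the figure that feeds the probability side of the assessment (PA in the quantitative equation) and answers the Historical Experience point about forecasting. Table and column names are this example’s own choice and the incident rows are invented.

```python
"""Minimum incident database and a loss-frequency query.

Added example, not from the original slides. The schema holds the fields the
page lists as the minimum for an incident record; the rows are invented.
"""
import sqlite3

SCHEMA = """
CREATE TABLE incident (
    incident_no   TEXT PRIMARY KEY,   -- unique locator uniting files, reports and logs
    occurred_on   TEXT NOT NULL,      -- date of occurrence, ISO 8601 (YYYY-MM-DD)
    occurred_at   TEXT NOT NULL,      -- time of occurrence, HH:MM
    place         TEXT NOT NULL,      -- place of occurrence
    nature        TEXT NOT NULL CHECK (nature IN ('crime', 'incident', 'accident')),
    event         TEXT NOT NULL,      -- specific event: fire, larceny by stealth, forced entry ...
    modus         TEXT,               -- method of operation, if known
    asset_value   REAL NOT NULL DEFAULT 0,   -- value of the assets involved
    damage_value  REAL NOT NULL DEFAULT 0    -- value of the damage
);
"""

# Constructed sample records, not real incidents.
SAMPLE = [
    ("INC-0001", "2022-03-04", "02:15", "East car park", "crime", "forced entry", "pried window", 12000, 3500),
    ("INC-0002", "2022-07-19", "13:40", "Committee room 2", "crime", "larceny by stealth", None, 800, 800),
    ("INC-0003", "2022-11-02", "21:05", "Kitchen block", "accident", "fire", None, 45000, 9000),
    ("INC-0004", "2023-01-15", "03:30", "East car park", "crime", "forced entry", "pried window", 9000, 2000),
    ("INC-0005", "2023-06-21", "09:10", "Lobby", "incident", "mysterious disappearance", None, 1500, 1500),
    ("INC-0006", "2023-10-30", "23:50", "Stores", "crime", "forced entry", "cut padlock", 20000, 6000),
]


def open_db():
    """In-memory database loaded with the constructed sample incidents."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO incident VALUES (?,?,?,?,?,?,?,?,?)", SAMPLE)
    conn.commit()
    return conn


def annual_frequency(conn, start_year, end_year):
    """Events per year and total damage, by specific event type, over an inclusive year range."""
    years = end_year - start_year + 1
    rows = conn.execute(
        "SELECT event, COUNT(*), SUM(damage_value) FROM incident "
        "WHERE CAST(substr(occurred_on, 1, 4) AS INTEGER) BETWEEN ? AND ? "
        "GROUP BY event ORDER BY COUNT(*) DESC",
        (start_year, end_year),
    ).fetchall()
    return {event: {"per_year": n / years, "total_damage": dmg} for event, n, dmg in rows}


def night_share(conn, event):
    """Fraction of one event type occurring between 22:00 and 06:00 (a timing/MO pattern)."""
    times = [t for (t,) in conn.execute("SELECT occurred_at FROM incident WHERE event = ?", (event,))]
    if not times:
        return 0.0
    night = sum(1 for t in times if t >= "22:00" or t < "06:00")
    return night / len(times)


if __name__ == "__main__":
    db = open_db()
    for event, stats in annual_frequency(db, 2022, 2023).items():
        print(f"{event:25s} {stats['per_year']:.1f}/year  damage {stats['total_damage']:,.0f}")
    print("share of forced entries at night:", night_share(db, "forced entry"))
```

The query does the job the Historical Experience slide asks for: once the record is structured, the rate of forced entries (1.5 per year in the sample) becomes the empirical input for PA, and the timing pattern (all of them at night) says where the detection layer is weak. The same structure also exposes how thin the evidence is; six rows over two years is not a base for a 300-year event, which is why the deck treats high-impact, low-probability events separately.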
RISK ASSESSMENT PROCESS (diagram)
• Plan → Identify hazards → Analyse risks → Evaluate risks → Control risks
• Communicate and consult, and Monitor and review, run alongside every step
Process mapping (example diagram)
• Loading zone → Receiving → Stacking → Humidification → De-stacking → Issuing
Activity mapping (template diagram)
• For each activity step: Inputs (raw materials) → Activity step in progress → Outputs (waste or losses), repeated for every step in the process
What is vulnerability?
VMDR
Vulnerability process map
Vulnerability overview
Security risk assessment
Impact analysis
Loss Event Criticality
Loss Event Criticality
Severity vs frequency
Classification of critical assets
Asset strategy performance
Threat management options
Criticality formula
Last Questions?