Risk and Vulnerability Assessment
VULNERABILITY
ASSESSMENT
THE MALAWI PARLIAMENT SECURITY STAFF
PRESENTED BY
STEPHEN KASOMPHE, PCQI
SafetyPlus Technologies
Scope
• Introduction to risk
• Introduction to vulnerability assessment
• Risk terminology
• Security risk
• Risk and asset characterization
• Probability matrices
• Security justification
• Risk management presentation to management
Class and group norms
Risk Terminologies
A loss event has three aspects. The first can be called the loss event profile, the second
the loss event probability or frequency, and the third the loss event criticality.
The relationship among these three aspects of a loss event is fundamental in any
system of countermeasures: each aspect increases or decreases in significance in
the light of the others.
LOSS EVENT PROFILE
• Recognizing the individual loss events that might occur is the first step in
dealing with asset vulnerability.
• It requires clear ideas about the kinds of loss events or risks, as well as
about the conditions, circumstances, objects, activities and relationships
that can produce them.
• A security countermeasure should be planned if the loss event has
the following characteristics:
• The event will produce an actual loss, measurable in some standard medium
such as money.
• The loss is not speculative: it is not the kind of risk where non-occurrence
of the event would result in a gain.
Loss event profile (cont.)
• This kind of event, which may produce either a loss or a gain, is often called a
business or conventional risk. If a product can be sold profitably, it will result in
net income to the seller. Whether or not this is possible depends upon many
factors, including:
• Controlling manufacturing costs
• Securing a suitable share of the available market
• Being price competitive
• Maintaining quality levels
To the extent that these contingencies are properly managed, sales are profitable. Loss
results from failure to manage them correctly, for example by misjudging the cost or
availability of raw materials, the time needed to manufacture the final item, or the actual
market demand. This loss is not the kind of loss being described here: the individual events of
manufacture, distribution and sale could have produced either a gain or a loss. Properly
gauging the profit and loss potential is the task of conventional business management.
Loss Event profile
• But if the profits were not realized because of some event that could
only cause a loss, the situation would call for positive asset
protection and loss prevention measures.
• The kinds of events that are loss-only oriented involve so-called
pure risks.
• Recognizing a particular loss event in any given enterprise is not
necessarily a matter of simple common sense; it often demands the
special skills of an experienced security professional to perceive that a
given exposure is present.
PURE RISK LOSS EVENTS
• War
• Natural catastrophe: earthquake, flood, hurricane, tidal wave, typhoon, volcanic eruption.
• Industrial disaster: Explosion, fire, major accident, environmental incident, structure collapse.
• Civil disturbance: insurrection, riot
• Crime: common crimes against the person (murder, rape, assault) and crimes against property
(larceny, arson, vandalism)
• Conflicts of interest: bribery, dissatisfaction, espionage, kickbacks, sabotage, competitive
intelligence, unfair competition.
• Workplace violence: acts of revenge, disaffection, personal grudge
• Terrorism: bombing, extortion, kidnapping, assassination with political or militant activist
overtones.
• Other risks: disturbed persons, personnel piracy, traffic accidents.
UNIT TWO
• In loss event profiling the single most important task is to identify
the risk to an asset, operation, process, activity or function.
RISK IDENTIFICATION
• Risk identification ascertains the sources and nature of risk and the effect of
uncertainty on achieving the organization’s objectives. A thorough risk
identification process will consider the myriad uncertainties that may affect
organizational objectives. These may include natural, intentional, and
unintentional events such as malevolent, criminal, technical, institutional,
logistical, logical, demographic, environmental, or social/political events. It is
more than asking “what can go wrong”; it also asks which risks
may be pursued as an opportunity.
• While different risk disciplines use a range of techniques for identifying the
nature and sources of risk, they all should contain the following components
along with an understanding of the interplay between these components for
a comprehensive identification and characterization of the risks:
RISK IDENTIFICATION
• a) Asset and service identification, valuation, and characterization;
• b) Threat and opportunity analysis;
• c) Vulnerability and capability analysis; and
• d) Criticality and impact analysis.
• Risk identification can be conducted using qualitative or quantitative analyses or a
combination of both. Regardless of the method of evaluation, the assumptions, the
level of precision in estimating parameters, and the reliability of the information used
should be noted.
• Risk identification is part of a good business and risk management strategy.
• Therefore, when conducting risk identification, the business SWOT (strengths,
weaknesses, opportunities, and threats) analysis should be consulted as a key input.
RISK IDENTIFICATION QUESTIONS
• Identifying risks should answer the following questions:
a) Why could something happen?
 · A cause or factor creating risk.
 · Effectiveness of risk treatments.
b) Who could be involved?
 · Individuals or groups associated with the threat, the control of risk, and/or impacted by the risk.
c) How could it happen?
 · A source of risk.
d) What could happen?
 · Potential event and likelihood.
 · Potential consequences and likelihood.
e) When could something happen?
f) Where could it happen?
INFORMATION SOURCES RELATED TO
RISK IDENTIFICATION
Information sources related to the risk identification process include (but are not limited to):
• a) SWOT analysis;
• b) Business plans;
• c) Intelligence;
• d) Threat advisories;
• e) Meteorological and geological reports;
• f) Significant fluctuations in the availability and pricing of basic commodities such as food, water,
and natural resources;
• g) Previous, current, and emerging data and trends;
• h) Political, social, and economic trends;
• i) Insurance information;
• j) Internal and external stakeholders;
INFORMATION SOURCES RELATED TO
RISK IDENTIFICATION
• k) Audit findings and exercise reports;
• l) Internal crime, loss, and risk event data;
• m) External risk event and crime data;
• n) Industry risk data;
• o) Law enforcement agencies;
• p) Government/international agencies;
• q) Industry associations;
• r) Media, internet, and public reports;
• s) In-house systems; and
• t) Informal and personal relationships.
METHOD OF SOLICITING INPUT
• Methods for soliciting input include (but are not limited to):
• a) Conducting an exercise;
• b) Scenario evaluations;
• c) Questionnaires;
• d) One-on-one structured interviews;
• e) Incident, exercise or audit reports;
• f) Brainstorming sessions;
• g) Group discussions;
• h) Workshops;
• i) Stakeholder and focus group discussions; and
• j) Expert testimonials (including public and private sector sources).
RISK IDENTIFICATION ACTIVITIES
• When conducting risk identification activities it should be noted that, some
risks are continuous and some vary with time. Additionally, threat,
opportunity, vulnerability, and criticality levels may be time-dependent.
• At times, dependencies that will affect consideration of the level of risk and
the need for treatment include:
a) Duration of an event;
b) Cultural context of time;
c) Day, week, or month of the year;
d) Time of day (e.g., break periods, business hours, shift work);
e) Timelines for service and product delivery;
f) Supply chain context of time; and
g) Time restrictions on travel.
ASSET IDENTIFICATION, VALUATION
AND CHARACTERIZATION
• Usually the preliminary step is to identify and evaluate sources of
uncertainty in achieving organizational objectives. Asset characterization
identifies what assets may be at risk, what their criticality is to the
organizational objectives, and what the potential consequences are of those
assets being compromised. Questions that should be answered:
a) What are the activities, functions, and assets that contribute to achieving the organization’s
objectives?
b) What is the value chain of the organization and what are the activities, functions, and assets that contribute to the critical value
generators?
c) What is the tangible and intangible value of the asset for the organization and its supply chain?
d) What are the dependencies of the organization’s activities and functions on the asset?
e) Is there a potential for significant positive, neutral, or negative consequences related to the asset?
ASSET CHARACTERIZATION
• The loss of the most valuable assets or disruption of critical value
generating activities and functions may result in unacceptable damage to
the organization and/or disruption of dependent activities and functions.
The value of an asset is frequently measured relative to more than one
consequence. For example, minor harm to people may result in major harm
to brand and reputation. Furthermore, when characterizing the activity,
function, or asset, consideration should be given to its value relative to the
organization and its supply chain, as well as its potential value to an
adversary or competitor.
• All activities, functions, and assets that contribute to achieving the
organization’s objectives, and that fall within the scope of the risk assessment,
should be considered.
TANGIBLE AND INTANGIBLE ASSETS
• Tangible and intangible assets include (but are not limited to):
a) Internal and external human resources;
b) Property (e.g., facilities, equipment, materials, products, physical systems);
c) Process controls (physical and cyber);
d) Financial and administrative processes (e.g., funds, inventory, accounting, and
recordkeeping systems);
e) Information and telecommunication systems;
f) Transportation systems;
g) Access to critical infrastructure and support utilities;
h) Intellectual property and proprietary information; and
i) Brand, image, and reputation.
IDENTIFICATION ACTIVITIES
• After identifying activities, functions, and assets that contribute to
achieving the organization’s objectives for each activity, function, and
asset consider:
a) Its contribution to the value chain of the organization and the achievement of objectives;
b) The potential for risk to be exploited for the advantage of the organization;
c) Severity and timeframes of the consequences if activities, functions, or assets were lost, or offer a potential
opportunity;
d) Critical infrastructures, dependencies, and interdependencies (internal and external);
e) Functions and countermeasures that currently exist for protection and support;
f) Criticality to value chain and achieving the organization’s objectives; and
g) Priority and critical value relative to other activities, functions, and assets.
THREAT AND OPPORTUNITY ANALYSIS
• Sources of risk and related threats and opportunities should be identified and analyzed once priority and critical activities,
functions, and assets have been identified. This will provide a basis for understanding what risk events may contribute to
uncertainty in achieving the organization’s objectives. The process should consider both threats and potential
opportunities.
• Threat analysis considers impacts, timeframes, and factors that may prevent achievement of objectives. Unintentional
events look at the possibilities of human error. Threats can be intentional and unintentional and may occur through errors
of commission and omission.
• Opportunity analysis typically looks at the potential for change that an organization might undergo to improve its overall
results. Opportunities might increase the overall demand or discrete price points for its products and services, broaden or
restrict its offerings, as well as increase efficiencies through expense reductions and operational improvements. Whatever
the goal, undertaking an opportunity analysis helps to provide an understanding of what potential effects, positive and
negative, are likely to take place if different decisions are taken.
THREAT AND OPPORTUNITY ANALYSIS
• Threat and opportunity analysis can be conducted using either quantitative, qualitative,
or a combined approach. Regardless of the method, a common set of metrics and
scales should be defined so that the calculations can be performed and reported using
consistent scales and parameters. Comparisons will only be valid if values are
determined using the same methods and metrics. All priority and critical activities,
functions, and assets should be analyzed.
• Sources of risk give rise to potential threats and opportunities. Threat and opportunity
analysis sets the boundaries as to the type of threats and opportunities that can be
addressed, therefore, the range of risk sources associated with the achievement of
organizational objectives should be considered. Threat and opportunity analysis often
contains subjective estimates, therefore the confidence in the predictions should be
considered within the context of the reliability of the information. Likelihood estimates
are particularly sensitive to the information and assumptions they are based on.
THREAT AND OPPORTUNITY ANALYSIS
• Using the output from the asset identification, valuation and
characterization, consider the sources of risk that create uncertainty in
achieving the organization’s objectives. Consider both intentional and
unintentional risk events that may affect the achievement of the
organization’s objectives (natural and man-made hazards; social,
economic, and political factors; as well as actions with mal-intent).
Determine the threats and/or opportunities associated with
potential risk events. The output of the threat and opportunity
analysis should be a comprehensive list of threats and
opportunities, prioritizing those most relevant to the
achievement of objectives.
UNIT THREE
• This unit focuses on identifying the actual threat or aggressor and
making the right assessment.
MALEVOLENT THREATS
• Threats may be identified in terms of “threats from” and “threats to”. “Threat
from” is based on the nature and attributes of the threat and how the threat may
cause harm and/or uncertainty. “Threat to” considers the locations of the
potential assets and services. In assessing the threat, the nature of the threat
should be considered (e.g., is it malevolent, naturally occurring, or accidental).
For a malevolent threat the assessment should consider “who/why” (e.g.,
description of the adversary), “what” (e.g., the material used by the adversary),
and the “how/when/where” (e.g., the characteristics of scenario and related
tactics).
• A malevolent threat is assessed by evaluating the combination of the motivation/intent
and the capability of an adversary to impact a priority or critical asset, function,
activity, or capability. Figure 7 illustrates the interaction of these elements.
Elements of Threat
Psychology of Security (The Psychology of Security, Bruce Schneier, 2008)
Risk Management or Crisis Management?
Perceiving Risk
Reason for Risk?
[Probability/impact matrix: Probability against Impact, each rated Critical / High / Medium / Low]
Quantitative Risk Equation
• R = PA × [1 - PE] × C
• R = Risk to the facility of an adversary gaining access to assets (ranges from 0 to 1.0)
• PA = Probability of an adversary attack during a period of time
• PE = Probability of preventing the event
• = P(I) (interruption) × P(N) (neutralization)
• C = Consequence value
• Note: if PE is the probability of preventing the event, then [1 - PE] must be the probability
of the adversary being successful.
• * The Design and Evaluation of Physical Security Systems, Garcia, Mary Lynn,
Butterworth-Heinemann, 200
Vulnerability
“Vulnerability Paradox”
• Vulnerability:
– Exposure: the at-risk assets
– Resistance: measures taken to prevent, reduce or avoid loss
– Resilience: the ability to recover to a prior state or achieve a desired post-event state
What is vulnerable?
Why is it vulnerable?
Adversary profile table (the column headings for the six adversary classes were lost in extraction):

Motivation (merged cells across the classes): Personal gain, revenge | Personal gain | Large gain for criminal organization

Attribute           | 1                          | 2                                       | 3                                                     | 4                    | 5                                                     | 6
Weapons             | None                       | Edged weapons                           | Edged weapons                                         | Hand guns, shot guns | Unlikely                                              | Wide array of weapons
Tools and equipment | Access keys or credentials | Access keys, credentials & combinations | Hand tools or readily available tools at the facility | Hand and power tools | Hand tools or readily available tools at the facility | Access keys, credentials and combinations; hand and power tools
Injury to persons   | No                         | Possible but unintentional              | Possible but unintentional                            | Possible             | Possible but unintentional                            | Possible and intentional
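The threat rating from the Elements of Threat slide (motivation/intent combined with capability), the probability/impact matrix, and adversary profiles of the kind tabulated above can be tied together in a small qualitative risk register. The following is an added example, not code from the slides or from SafetyPlus Technologies; the level scale, both matrices, and the asset and adversary samples are constructed assumptions for illustration, not values taken from the deck.

```python
"""Qualitative threat and risk rating: motivation/intent and capability combine
into a threat level, then threat (used as likelihood) and impact combine through
a probability/impact matrix into a risk rating.
Added example: scales, matrices and sample profiles are constructed, not from the slides."""
from dataclasses import dataclass

LEVELS = ("Low", "Medium", "High", "Critical")  # ordinal scale; index is the score 0..3

# Threat level indexed [motivation][capability] (constructed). A motivated adversary
# without the means, or a capable one without intent, does not rate as a top threat.
THREAT_MATRIX = (
    ("Low",    "Low",    "Medium",   "Medium"),
    ("Low",    "Medium", "Medium",   "High"),
    ("Medium", "Medium", "High",     "Critical"),
    ("Medium", "High",   "Critical", "Critical"),
)

# Risk rating indexed [likelihood][impact]: the probability/impact matrix (constructed).
RISK_MATRIX = (
    ("Low",    "Low",    "Medium",   "Medium"),
    ("Low",    "Medium", "High",     "High"),
    ("Medium", "High",   "High",     "Critical"),
    ("Medium", "High",   "Critical", "Critical"),
)


@dataclass(frozen=True)
class Adversary:
    name: str
    motivation: "str | int"  # level name or 0..3: intent to act against the asset
    capability: "str | int"  # level name or 0..3: weapons, tools, skills, access


def _score(value, what):
    """Accept a level name or a 0..3 index; reject anything off the scale."""
    if isinstance(value, str):
        if value not in LEVELS:
            raise ValueError(f"{what}: unknown level {value!r}")
        return LEVELS.index(value)
    if not 0 <= value < len(LEVELS):
        raise ValueError(f"{what}: score {value} outside 0..{len(LEVELS) - 1}")
    return value


def threat_level(adv):
    """Threat = f(motivation, capability) via THREAT_MATRIX."""
    return THREAT_MATRIX[_score(adv.motivation, "motivation")][_score(adv.capability, "capability")]


def risk_rating(likelihood, impact):
    """Risk = f(likelihood, impact) via RISK_MATRIX."""
    return RISK_MATRIX[_score(likelihood, "likelihood")][_score(impact, "impact")]


def rank_register(assets, adversaries):
    """assets: {asset name: impact level}. Returns (asset, adversary, threat, risk)
    tuples, highest risk first, so the top rows are the ones to justify
    countermeasures for to management."""
    rows = []
    for asset, impact in assets.items():
        for adv in adversaries:
            threat = threat_level(adv)
            rows.append((asset, adv.name, threat, risk_rating(threat, impact)))
    rows.sort(key=lambda r: (-LEVELS.index(r[3]), -LEVELS.index(r[2]), r[0], r[1]))
    return rows


# Constructed sample input, not from the slides.
SAMPLE_ASSETS = {"Debating chamber": "Critical", "Server room": "High", "Public car park": "Low"}
SAMPLE_ADVERSARIES = [
    Adversary("Opportunistic intruder", "Medium", "Medium"),
    Adversary("Disgruntled insider", "High", "High"),
    Adversary("Organized criminal group", "Critical", "Critical"),
]

if __name__ == "__main__":
    for row in rank_register(SAMPLE_ASSETS, SAMPLE_ADVERSARIES):
        print("{:<16} {:<25} threat={:<8} risk={}".format(*row))
```

Keeping both matrices explicit rather than computing an average score makes the review with management concrete: every rating can be pointed at in the table, and the corner cases (high intent with no capability, or the reverse) are decided deliberately instead of falling out of arithmetic. The input check matters in practice because registers are usually filled in by several people, and a stray score silently off the scale would otherwise shift rankings.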
Security Measures Effectiveness
• Executive Overview
– The effectiveness of existing security measures is marginally acceptable at this time.
– Areas which may require specific attention include:
• Lighting
• Communications
• Policies & Procedures
– It may not be practical to enhance some security measures: can they be supported by other protection?
Risk & Vulnerability
IT/Information Technology Risks
• Failure or disruption of IT (hardware, software, network) leads to
disturbances and business interruption.
• IT service risks (availability, integrity, confidentiality, non-repudiation):
manipulation of data or IT components.
• Malware and viruses.
• External attacks on parliament IT (denial of service, botnets) disturb business
processes and/or destroy data.
• Lack of, or non-performance of, IT disaster recovery leads to business
interruption.
IT/ Information Technology Risks
• Failure or disruption of telecommunication links and services.
• IT technology risks.
Organization
• Effectiveness of the organization and its structure
• Decision-making process
• Empowerment risks
• Lack of change readiness
• Sub-optimal development of human resources
• Insufficient motivation and incentives
• Sub-optimal internal communication and corporate culture
Governance
• Lack of security and risk awareness
• Compliance risks
• Inconsistency between mission statement, strategy, procedures and
implementation
COST OF LOSS CALCULATION
• Taking the worst-case position and analyzing each security vulnerability in light of the
probable maximum loss from a single occurrence of the risk event that could occur under
typical circumstances, we can use the following equation:
• K = (Cp + Ct + Cr + Ci) - (I - a)
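The quantitative risk equation from the earlier slide (R = PA × [1 - PE] × C with PE = P(I) × P(N)) and the cost of loss equation above can be worked through together for a small register. The following is an added example, not code from the slides or from Garcia's book. It assumes the usual reading of the cost-of-loss terms, which the slide does not spell out: Cp = cost of permanent replacement, Ct = cost of a temporary substitute, Cr = total related costs, Ci = lost income, I = insurance or indemnity available, a = allocable insurance premium. It also assumes that C is K normalised against the largest K in the register, so that R stays between 0 and 1 as the slide states. All figures are constructed.

```python
"""Quantitative risk register using the deck's two equations:
  R = PA * (1 - PE) * C        with PE = P(I) * P(N)      (Garcia)
  K = (Cp + Ct + Cr + Ci) - (I - a)                        (cost of loss)
Added example, not code from the slides. The meaning of K's terms and the
normalisation of K into C are assumptions, stated in the comments below."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class LossScenario:
    name: str
    pa: float    # PA: probability of an adversary attack in the period
    p_i: float   # P(I): probability the protection system interrupts the adversary
    p_n: float   # P(N): probability the response neutralises the adversary once interrupted
    cp: float    # Cp: cost of permanent replacement        (assumed reading of the term)
    ct: float    # Ct: cost of a temporary substitute       (assumed reading of the term)
    cr: float    # Cr: total related costs                  (assumed reading of the term)
    ci: float    # Ci: lost income                          (assumed reading of the term)
    ins: float   # I:  insurance or indemnity available     (assumed reading of the term)
    prem: float  # a:  allocable insurance premium          (assumed reading of the term)


def _prob(p, what):
    """Probabilities outside [0, 1] are data-entry errors, not tail cases."""
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"{what} must lie in [0, 1], got {p}")
    return p


def p_e(p_i, p_n):
    """PE: the adversary must be both interrupted and neutralised."""
    return _prob(p_i, "P(I)") * _prob(p_n, "P(N)")


def cost_of_loss(s):
    """K: worst-case single-occurrence loss, net of what insurance returns."""
    return (s.cp + s.ct + s.cr + s.ci) - (s.ins - s.prem)


def risk(s, c_scale):
    """R = PA * (1 - PE) * C. C is K normalised against c_scale (the largest K
    in the register) and clamped to 0..1, so R lies in 0..1 as the slide states.
    Normalising this way is an assumption of this example."""
    c = cost_of_loss(s) / c_scale if c_scale > 0 else 0.0
    c = min(max(c, 0.0), 1.0)  # an over-insured scenario bottoms out at zero consequence
    return _prob(s.pa, "PA") * (1.0 - p_e(s.p_i, s.p_n)) * c


def rank(scenarios):
    """(name, K, PE, R) per scenario, highest R first."""
    c_scale = max(cost_of_loss(s) for s in scenarios)
    rows = [(s.name, cost_of_loss(s), p_e(s.p_i, s.p_n), risk(s, c_scale)) for s in scenarios]
    rows.sort(key=lambda r: -r[3])
    return rows


def upgrade_effect(s, c_scale, **changes):
    """R before and after a countermeasure, e.g. upgrade_effect(s, scale, p_n=0.9).
    The gain from raising one factor of PE is proportional to the other factor,
    so lifting the weaker factor removes more risk for the same increment."""
    return risk(s, c_scale), risk(replace(s, **changes), c_scale)


# Constructed sample register; figures are illustrative, not from the slides.
SAMPLE = [
    LossScenario("Server room", pa=0.3, p_i=0.6, p_n=0.5,
                 cp=200_000, ct=50_000, cr=30_000, ci=120_000, ins=150_000, prem=20_000),
    LossScenario("Debating chamber", pa=0.1, p_i=0.9, p_n=0.8,
                 cp=500_000, ct=100_000, cr=100_000, ci=100_000, ins=300_000, prem=50_000),
    LossScenario("Public car park", pa=0.8, p_i=0.2, p_n=0.5,
                 cp=20_000, ct=0, cr=5_000, ci=0, ins=10_000, prem=5_000),
]

if __name__ == "__main__":
    for name, k, pe, r in rank(SAMPLE):
        print(f"{name:<18} K={k:>10,.0f}  PE={pe:.2f}  R={r:.3f}")
    scale = max(cost_of_loss(s) for s in SAMPLE)
    print("server room, raise P(N) to 0.9:", upgrade_effect(SAMPLE[0], scale, p_n=0.9))
    print("server room, raise P(I) to 1.0:", upgrade_effect(SAMPLE[0], scale, p_i=1.0))
```

Ranking by R rather than by K alone is the point of the worked register: the chamber carries the largest worst-case loss, but its high PE keeps its R low, while the server room, with weaker interruption and neutralisation, comes out on top. upgrade_effect is the security justification step: because P(I) and P(N) multiply, spending on the weaker factor (here neutralisation) buys more risk reduction than the same improvement to the stronger one.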
[Risk management process diagram: Communicate and consult; Analyse risks; Evaluate risks; Control risks]
Process mapping