This article will demystify security risk assessments by defining what a security risk assessment is and explaining some basic concepts in risk assessment in common language. Some of the main values and benefits of a security risk assessment will also be interwoven into the discussion. This will provide small business owners, corporate managers, and security professionals, insight on how they can use a security risk assessment to make informed and cost-effective security decisions that are commensurate with risks.
Use any search engine to search the term Security Risk Assessment and you will discover tomes of literature written on the subject. Much of the literature is technical in nature and focuses on various methodologies, models, and complicated matrixes used in conducting security risk assessments. Often, security risk assessments are expressed in mathematical equations such as: “Risk = PA * (1 – PE) * C, PA is the likelihood of adversary attack, PE is security system effectiveness, 1 – PE is adversary success, and C is consequence of loss to the attack.”
Risk assessment has become increasingly complex and unless you are a security professional specifically in the business of conducting security risk assessments for Fortune 500 type corporations, you might be asking yourself: What the heck does this all mean?
Security Risk Assessment Defined and Explained.
In the business world, a security risk assessment is used to provide a calculated method of protecting assets based upon the predicted frequency of the event and the value of the asset to the business. It can be simply defined as a systematic inspection and evaluation of the policies, procedures, practices, and equipment a company uses to protect personnel, equipment, and property against foreseeable threats. Threats can be environmental or criminal in nature like earthquakes and fires and can include everything from robbery, burglary, theft, and vandalism, to bomb blasts, and unauthorized intrusions into computer networks.
Qualitative and Quantitative Risk Assessments.
At the heart of risk assessments are two assessment models: Qualitative and Quantitative.
Volumes of books have been written on the various aspects of qualitative and quantitative risk assessments and doctorial degrees can even be earned from universities on the subject. These two models can sometimes be confusing as they are separate ways of assessing risk, but they are also interconnected in that a quantitative risk assessment includes aspects of a qualitative assessment. Often a blending of the two models will produce the most accurate and comprehensive risk assessment.
For this article it is suffice to say that with both types of analysis the overarching goal is to determine the amount of risk a given business takes based upon a specific event.
Qualitative Risk Assessment:
In brief, a qualitative risk assessment is the simplest to conduct and focuses on discovering vulnerabilities that exist in a particular asset. An asset can be anything of value from employees, an office building, warehouse, storage room, or even something less tangible such as a computer system. A qualitative risk does not attempt to determine numeric values for each asset or calculate a cost benefit analysis but it is also not just a listing or description of vulnerabilities. A properly conducted qualitative risk assessment also includes some conclusions about the probability of an event occurring and should include recommendations on mitigation strategies.
For example: If a business is located along a major fault line in California or the Pacific Northwest, is it vulnerable to the possibility of a major earthquake? The answer is a definite YES. After this, a qualitative analysis would try to assess how likely it is that a major earthquake will occur within the next 20 years. How about within the next 40 years? Then, a qualitative analysis would assess as accurately as possible, if an earthquake occurs, how much damage is it likely to cause to the company building, personnel, equipment, and business continuity?
Finally, a qualitative analysis would attempt to determine what actions the business could take to lessen the expected losses. Mitigation recommendations might include moving the business into a more modern building designed to better withstand earthquakes or reinforcing the existing building, providing earthquake preparedness training to personnel, or spreading out business operations over a larger geographical area so that if an earthquake occurs not all the of the buildings personnel, and equipment would be located at the epicenter of the earthquake.
Quantitative Risk Assessment:
In brief, a quantitative risk assessment approach places a numerical value to the probability of a single event occurring in any given year. Once this figure is calculated, a quantitative risk assessment involves calculating the Annualized Rate of Occurrence (ARO). In simple terms, the ARO is the probability that a risk will occur within any given year. For example: if historical data indicates that it is probable that a major flood, sufficient to flood the business, will occur once every 25 years; then the ARO is 1/25 =.04.
After the ARO is calculated, a quantitative risk assessment involves calculating the Annualized Loss Expectancy (ALE). In simple terms, this is the monetary loss caused when the event occurs. These figures allow a business owner, security manager, or other management partner, the ability to objectively compare the risk of any specific event against a benchmark of acceptable risk.
Risk Assessment Benefits.
Simply put, security – whether it is physical security like gates, locks, guards and alarm systems, or firewalls for computer networks, costs money. Good business dictates that a company should not spend money on security when they do not know what they are going to get for their money. Risk assessments provide an objective mechanism for businesses to identify and quantify risks. This allows businesses to develop measures to eliminate or reduce their security vulnerabilities and prioritize mitigation strategies.
In any business or government entity, assessment of security risks is essential for the safety of personnel and for operational continuity. Both qualitative and quantitative methods of identifying and evaluating security risks can be used and both methods are often combined to provide a more comprehensive assessment.
Security risk assessments have become increasingly technically demanding and often sophisticated computer software programs are used to collate large amounts of data and synthesize risk factors and threat vectors. Because of this complexity, large scale security risk assessments are best conducted by professionals. Properly conducted, security risk assessments are a valuable business tool and can help security professionals make cost-effective security decisions that are commensurate with risks.