Risk and Threat Assessment


Before any organization can successfully implement a physical security program, it needs to consider an overall risk management strategy. The National Infrastructure Protection Center (NIPC) defines risk management as “a systematic and analytical process by which an organization identifies, reduces, and controls its potential risks and losses.” Hiring a security firm without first understanding what threats the organization is exposed to, and the level of potential risk from these threats, is equivalent to hiring a wedding planner before you have met the bride. Corporate management must first develop a comprehensive risk management strategy. It is essential that a risk management team made up of corporate executives and security management be set up to evaluate and develop the risk management strategy.


Posted in Physical Security, Security at July 16th, 2013.

The PEEST Analysis


When developing a security threat assessment, a good way to evaluate all of the potential threats is to conduct a PEEST analysis. The term PEEST is an acronym standing for the following five factors.

  • Political/Legal: Stability and capabilities of local government, laws and regulations, public utilities, fire resources and response time, medical resources, disaster assistance, and law enforcement capabilities
  • Environmental: Climate, weather, geological activity, site location, and building design
  • Economic: Financial stability and available resources
  • Social: Historical crime statistics, demographics, population analysis, and other trends
  • Technological: Transportation systems, power systems, or industrial plants

A PEEST analysis provides a framework of macro-conditions affecting an organization and their strategic implications for business operations. These factors are often beyond an organization’s control and are therefore categorized as potential threats. The factors will vary in importance, based on the specific company, industry, and products/services provided by the organization. For example, some companies will be greatly impacted by political factors. Other companies may be more affected by environmental factors, such as a company located on the Gulf Coast of the United States facing potential disruption from hurricanes. Each factor must be evaluated within the context of the specific business requirements. The PEEST analysis allows the risk management team or security provider to evaluate threats on multiple scales, such as local, regional, national, or global. An organization with branch offices in many different countries or regions of one country will need to conduct a PEEST analysis for each office, as the implications of each factor will change.

Many of these factors have a high level of uncertainty.  Therefore, security professionals may want to conduct scenario planning or modeling exercises to forecast future trends.  The PEEST analysis will need to recognize that many issues may combine to create complex and often surprising results.  Therefore, crafting scenarios and brainstorming outcomes can aid the process in coming up with unique solutions. External consultants are often helpful in developing a PEEST analysis, as they will have differing perspectives and a unique approach to understanding all of the potential threats an organization faces.

Posted in Physical Security, Security at July 16th, 2013.

Risk Mitigation Measures


Risk mitigation measures can be classified as controls that are physical, technical, procedural, or compliance based. A physical control would be a fence, lock, or barrier. A technical control might be alarms, cameras, or IT firewall software. Procedural controls could be incident response processes or visitor access procedures. A compliance control could include having adequate insurance coverage or providing staff training. Typically, an organization will use multiple controls in unison to create a defense in depth that thwarts potential security risks. These controls are designed to work proactively to deter potential man-made threats. For example, a well-lit facility with prominent security patrols is often a deterrent to criminals, who will look for an easier target. The following is a simple list of potential risk mitigation measures:

  • Physical security (barriers, locks, fencing)
  • Electronic security systems (alarms, cameras, access control systems, IT security)
  • Visitor procedure (sign in sheet, badge requirement, escort policy)
  • Security officers (actively patrolling the facility)
  • Security officer training (CPO accredited)
  • Security procedures checklist (reviewed every shift)
  • Employee training and awareness (first aid, security policies)
  • Insurance
  • Business continuity and crisis preparedness plan
  • Training with local law enforcement and emergency responders
  • Corporate emergency response team (CERT)
  • Secure parking facility
  • Crisis communications plan
  • Proper facility maintenance
  • Incident response process

Once an organization has identified vulnerabilities to their security program, the necessary risk mitigation measures will be put in place to create multiple layers of security. These integrated security controls are designed to counteract, avoid, or minimize risks to the organization.

Posted in Physical Security, Security at July 16th, 2013.

Risk Matrix


When developing a risk assessment, a simple way to evaluate risk is to visualize the various risk levels by creating a risk matrix.  A risk matrix is a graphical representation categorizing risk as negligible, low, moderate, or high — based on the criteria of consequences and likelihood of occurrence.  The more likely a risk is to occur, the higher the ranking.  Additionally, the greater the consequences on business operations, the higher the risk will rank.  The risk matrix will have anywhere from four to sixteen boxes depending on the ranking scale.  The result will be a prioritizing of risk, based on quantitative measures.  A risk matrix can also be color coded to add additional emphasis to certain levels of risk within the ranking.

A risk matrix can be easily created using a spreadsheet software program.  For each risk that is being evaluated, a detailed description of the risk is necessary.  Then, a careful discussion with your risk management team is necessary to rank the risk within the matrix.  Some organizations may want to include a monetary value from the financial impact of a risk. This will be included in the risk description and used to better quantify the consequences of the risk.

One critical issue when developing a risk matrix is the discussion of organizational tolerance for certain levels of risk.  Without this discussion, the risk matrix may indicate tolerability much different than what the organization as a whole desires.  This is where a good risk management team is crucial to discuss these issues in depth.  Having outside consultants or industry experts included in these discussions is a good idea to evaluate risk from multiple angles.
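The ranking and tolerance discussion above can be sketched in a few lines of Python. This is an added example, not part of the original article: the 1 to 4 rating scales, the score bands in `rate`, the `tolerance` parameter and the sample register are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

LEVELS = ("negligible", "low", "moderate", "high")  # the four categories named above
SCALE = 4  # rating 1..4 on each axis gives the sixteen-box matrix

@dataclass
class Risk:
    description: str
    likelihood: int    # 1 = rare .. 4 = almost certain (assumed scale)
    consequence: int   # 1 = minor .. 4 = severe impact on operations (assumed scale)
    cost: float = 0.0  # optional monetary impact, used to break ties

def rate(likelihood: int, consequence: int) -> str:
    """Return the category of one matrix cell (the score bands are an assumption)."""
    for axis in (likelihood, consequence):
        if not 1 <= axis <= SCALE:
            raise ValueError(f"rating {axis} is outside 1..{SCALE}")
    score = likelihood * consequence
    if score <= 2:
        return LEVELS[0]
    if score <= 4:
        return LEVELS[1]
    if score <= 8:
        return LEVELS[2]
    return LEVELS[3]

def prioritize(risks, tolerance="low"):
    """Sort risks highest first and flag those above the agreed tolerance."""
    limit = LEVELS.index(tolerance)
    ranked = sorted(risks, key=lambda r: (r.likelihood * r.consequence, r.cost),
                    reverse=True)
    return [(r.description, rate(r.likelihood, r.consequence),
             LEVELS.index(rate(r.likelihood, r.consequence)) > limit)
            for r in ranked]

def render_matrix() -> str:
    """Text grid: rows are likelihood 4..1, columns are consequence 1..4."""
    return "\n".join(
        " | ".join(f"{rate(l, c):<10}" for c in range(1, SCALE + 1))
        for l in range(SCALE, 0, -1))

# Constructed sample register (illustrative ratings, not taken from the article).
REGISTER = [
    Risk("Visitor enters without a badge", 2, 2),
    Risk("Hurricane disrupts Gulf Coast office", 3, 4, cost=500_000),
    Risk("Key control lapse", 1, 2),
    Risk("Burned-out perimeter lighting", 4, 2, cost=2_000),
]

if __name__ == "__main__":
    print(render_matrix())
    for row in prioritize(REGISTER):
        print(row)
```

Raising `tolerance` to "moderate" leaves only the hurricane entry flagged, which is the kind of difference the risk management team needs to agree on before the matrix is used.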

[Figure: Risk Matrix]

Posted in Physical Security, Security at July 16th, 2013.

Vulnerability Checklist


A vulnerability checklist provides a simple process for evaluating the strengths and weaknesses of an organization’s security program. The checklist walks the user through the building and site, and also evaluates the existence of certain policies and procedures. Each item on the checklist will require documentation to determine where vulnerabilities exist. For example, if an evaluation of the site lighting reveals burned-out bulbs, then a note regarding this vulnerability should be documented. The vulnerability checklist must be evaluated in the context of a larger risk and threat assessment conducted by the risk management team. The types of threats facing an organization and the level of risk for each threat will determine how vulnerable a structure is. If there have been numerous assaults in the local area, then a burned-out street lamp is more problematic. The following is an example of a vulnerability checklist:

  • Site Perimeter
    • Fencing
    • Lighting (site perimeter)
    • Parking
    • Traffic flow
    • Landscaping
    • Unoccupied structures
    • Camera system (site perimeter)
  • Building Perimeter
    • Lighting
    • Architectural design/Envelope
    • Windows
    • Exterior doors
    • Landscaping
    • Utilities
    • Roof
  • Building Interior
    • Interior Doors
    • Interior Lighting
    • Utility Systems (plumbing, gas, water)
    • Mechanical Systems
    • Electrical Systems
    • Access Control
    • Camera System
    • Alarm System
    • Communications/IT Systems
  • Miscellaneous Information
    • Visitors policy
    • Cash handling
    • Key control
    • Security guards
    • Security education
    • Security Policy/Procedures

A more detailed building vulnerability checklist can be found in “Primer to Design Safe School Projects in Case of Terrorist Attacks” (FEMA 428) from the Federal Emergency Management Agency (FEMA) website.

 

Posted in Physical Security, Security, Uncategorized at July 16th, 2013.

Security Patrol Communications

How do your roving security patrols communicate with your security base? What about retail loss prevention specialists or your special event security officers? Do your security professionals have a fallback plan? And, importantly, has the fallback plan been tested?

Training in Action

Recently in New York City, a man fell onto the tracks in an underground station. A transit worker, Danny Hay, recognized the seriousness of the situation. Danny attempted to contact the control center, both via radio and through the person in the station’s booth.

Meanwhile, two subway patrons went onto the track to assist the fallen man. Upon his return, Danny saw the three people on the track. He knew the third rail was still electrified. He could feel the rush of air from an approaching train.

What was Danny’s last line of communications? He used a flashlight to warn the oncoming train. The full story, and why training is so important, is in this article over at Urgent Communications.

Communications in the Security Training Plan

In today’s connected world, it is easy to become complacent using a radio for communications and using a cell phone in case there is a problem with the radio. When a real-world incident occurs, it is not uncommon that emergency communications networks become overloaded. When reviewing the security emergency communications plan, include the ‘worst-case’ scenario.

The security plan may be a fine looking document, but exercising the plan is critical to find ‘assumptions’ that should be factored into the projected operating environment. In the above scenario, it may have been reasonable for the transit system to rely upon radios. Surely they purchased more radios than they expected to field at once. The transit system probably has more batteries than radios. None of that helped Ray; he went directly to the backup man in the booth. Certainly the man in the booth talks with the central station many times during a shift; most likely the man in the booth has the central station’s land-line number on a yellow sticky. Again, no help to Ray.

Fortunately Ray’s training kicked in, and he reverted to hand signals, which have been in use since the times when ‘trains’ were powered by horses and mules.

Online Security Training

High Impact Training Solutions offers many online courses supporting physical security protection, retail loss prevention, and public events security. Courses are available individually to security professionals or as part of a customized online training library.

High-Value Asset Protection

Security professionals responsible for protecting high-value assets need to frequently re-evaluate their measures and procedures. Not only from an “actual versus planned security posture” standpoint, but also from a “how would I defeat our security posture?” mindset. Security processes and procedures that are not evolving are out of date — and are therefore targets for exploitation.

Although this article from CNN.com discusses a diamond theft in Belgium, it can serve as the basis for a case study to evaluate your own high-value assets.

High Impact Training Solutions offers many online courses supporting retail loss prevention and physical security protection. These courses are available individually to security professionals or as part of a customized online training library.

Posted in Physical Security, Retail Loss Prevention, Security at March 12th, 2013.

Myths of Stairwell Reentry

Lori Greene (@LoriGreeneAHC), the manager of Codes & Resources for Ingersoll Rand Security Technologies, wrote an excellent article over at securityinfowatch.com (@SecInfoWatch) regarding stairwell reentry code requirements.

Before you jump to the article, test yourself first. For this assessment each statement is either a myth or not:

  • Only high-rise buildings are required to comply with stairwell reentry requirements.
  • The door to every x-th floor must be unlocked, but the doors to the rest of the floors can be locked.
  • A fail safe electric strike can be used on a stair door to provide reentry.
  • The stairwell reentry requirements state that stair doors must unlock automatically upon fire alarm.
  • Both sides of a stair door can be locked as long as the door unlocks upon fire alarm.
  • Stair discharge doors opening to the exterior must unlock automatically upon fire alarm to allow firefighter access to the stair.

Lori’s blog site contains a plethora of information regarding door, hardware, and code questions.

Posted in Access Control, Security at March 12th, 2013.

Hogan’s Heroes and the Security Patrol

Defense Media Network has a very interesting post (http://bit.ly/sec-N00Ngc) on how the U.S. Coast Guard and academia have partnered to increase security at U.S. ports.

Obviously Coast Guard security forces cannot be everywhere all the time; their only option is to conduct patrols. Opposing them is an almost invisible and patient enemy seeking to carry out asymmetric attacks when and where they can. Against such a threat, the last thing the service can afford is to patrol like the German guards in Hogan’s Heroes in predictable and therefore easily exploitable patterns.

If roving, or mobile, patrols are a significant part of your security posture, how random are your patrols?
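One way to check and improve patrol randomness is sketched below. It is an added example, not from the original post and not the Coast Guard's method: the function names, the gap limits and the sample fixed schedule are assumptions for illustration.

```python
import secrets
from statistics import pstdev

def gaps(times):
    """Minutes between consecutive patrol starts."""
    return [b - a for a, b in zip(times, times[1:])]

def gap_spread(times):
    """Population std-dev of the gaps; 0 means a fixed, fully predictable interval."""
    g = gaps(times)
    return pstdev(g) if len(g) > 1 else 0.0

def random_schedule(shift_minutes, min_gap, max_gap, rng=None):
    """Patrol start offsets (minutes into the shift) with randomized gaps.

    max_gap caps how long an area goes unvisited between patrols;
    min_gap keeps the plan feasible for the officers walking it.
    """
    if not 0 < min_gap <= max_gap:
        raise ValueError("need 0 < min_gap <= max_gap")
    rng = rng or secrets.SystemRandom()  # OS entropy rather than a seeded PRNG
    times, t = [], rng.randint(0, max_gap)
    while t < shift_minutes:
        times.append(t)
        t += rng.randint(min_gap, max_gap)
    return times

def random_route(checkpoints, previous=None, rng=None):
    """Shuffle the checkpoint order, avoiding a repeat of the previous round."""
    rng = rng or secrets.SystemRandom()
    route = list(checkpoints)
    for _ in range(20):
        rng.shuffle(route)
        if route != previous:
            break
    return route

# Constructed sample: a patrol every 30 minutes over an 8-hour shift.
FIXED = list(range(0, 480, 30))

if __name__ == "__main__":
    print("fixed schedule spread:", gap_spread(FIXED))
    plan = random_schedule(480, 20, 60)
    print("random schedule:", plan, "spread:", round(gap_spread(plan), 1))
    print("route:", random_route(["Gate", "Dock", "Lobby", "Roof"]))
```

Running `gap_spread` over real patrol log timestamps shows whether the patrols actually walked drift back toward a fixed interval.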

Posted in Physical Security, Security at November 2nd, 2012.
