The Risk Management Philosophy

All security solutions are simply the interplay of the time, effort and money that are available and the willingness of management to accept known risks in order to run its operations.

The Pathology of Risk

Most of the time, when the perception of security doesn’t match the reality of security, it’s because the perception of the risk doesn’t match the reality of the risk. We worry about the wrong things: paying too much attention to minor risks and not enough attention to major ones. There are 5 areas where perception can diverge from reality:

  • The severity of the risk
  • The probability of the risk
  • The magnitude of the costs
  • How effective the countermeasure is at mitigating the risk
  • The trade-off itself

Opportunity

Risk is directly proportional to the vulnerability of the environment and to the opportunity that it makes available for the intruder to exploit this vulnerability and access the assets. Opportunities give rise to the probability (or probabilities) of occurrence.

Vulnerability

Classical risk analysis is principally concerned with investigating the risks surrounding a physical area or plant (or some other object), its design and its operations. Such analyses tend to focus on causes and the direct consequences for the studied object.

Vulnerability analyses

Vulnerability analyses, on the other hand, focus both on consequences for the object itself and on primary and secondary consequences for the surrounding environment. They also concern themselves with the possibilities of reducing such consequences and of improving the capacity to manage future incidents. In general, a vulnerability analysis serves to categorize key assets and drive the risk management process.

Given a specific threat, the security decision maker generally has five risk mitigation strategies available: avoidance, reduction, spreading, transfer, and acceptance.

Risk avoidance requires the removal of the target (asset) from the equation. Avoidance is an extreme measure since it can hamper the organization’s operations.

Reducing risk involves the deployment of security measures to reduce risk to an acceptable level. Risk reduction is the driving force for an organization’s security department, whose role it is to provide protection for assets.

Risk spreading is a strategy to move assets to different geographic areas so that if one area is attacked, the consequence is limited to that area. Storing necessary equipment and other critical raw materials, supplies and assets off site is a good way to spread the risk: if an area of an organization is attacked or damaged by natural disasters, there is another supply available elsewhere.

Risk transfer is a strategy used to move the risk from the owner to a third party. Insurance is the best example of risk transfer, whereby the insurance company assumes the risk for a fee.

Risk acceptance is another strategy for mitigating risk. As the name implies, risk acceptance is simply where the organization assumes the risk to an asset, typically after reducing the risk level to an acceptable level.

In summary, assessing risk is a dynamic process that involves continuous evaluation of assets, threats, and vulnerabilities. Reducing the risk to the organization is accomplished by decreasing the threat level, blocking vulnerabilities and opportunities through enhanced security, or reducing the consequences if a security event should occur.

Without question, the best strategy for mitigating risk is a combination of all three elements: decreasing threats, blocking opportunities and reducing consequences. Remember, no organization is without risk and some risks can be acceptable. Security is a carefully orchestrated balancing act that ensures an open, functional environment of care that effectively protects assets.

Assets

Asset value is determined by considering the following three elements:

  • The criticality of the asset for its user and/or others.
  • How easily the asset can be replaced.
  • Some measure of the asset’s relative value.

Assets are anything that can be destroyed, damaged or stolen. The risk-analysis procedure is used to identify assets – everything from the building itself to hazardous materials, equipment, supplies, furniture, computers and, of course, people.

Area Security Analysis & Report (ASAR)

This analysis is for a large area or a large office/residential/manufacturing/storage complex(es) spread over a large geographical area (and could be multi-location).

Using our proprietary methodologies and checklists, our experienced security consultants will do a thorough analysis of the security profile (already existing or yet to be implemented) and give a detailed report that will bring out:

  • The Asset Classification Value
  • The Vulnerability Index
  • The Risk Rating

And based on these findings the report will also give the recommended mitigation and remediation measures.

Point Security Analysis & Report (PSAR)

This analysis is for a specific area – commercial or residential. Using our proprietary methodologies and checklists, our experienced security consultants will do a thorough analysis of the security profile (already existing or yet to be implemented) and give a detailed report that will bring out:

  • The Asset Classification Value
  • The Vulnerability Index
  • The Risk Rating

And based on these findings the report will also give the recommended mitigation and remediation measures.