Description
Discussion Questions: Discuss and describe in detail the following risk management elements: assets, criticality, threat, probability, impact and frequency. Include a discussion of their relationship to one another. Discuss and describe the differences between qualitative and quantitative risk assessment methods and provide examples of both.
Unformatted Attachment Preview
Chapter 6
Risk Assessments
In this chapter . . .
Definition
Risk Assessments
Qualitative Risk Assessments
Quantitative Risk Assessments
Specialized Risk Assessment Methodologies
Risk Mitigation
Risk Assessment Report
TAG’s Risk Assessment Process®
Copyright © 2006. Elsevier Science & Technology. All rights reserved.
[Flowchart box labels: Asset Identification; Policies & Procedures; Current Security Measures; Physical Security; Security Personnel; Threat Assessment; Vulnerability Assessment; Crime Analysis; Risk Assessment; Cost Benefit Analysis; Report and Recommendations]
Figure 6-1
Strategic Risk Assessment Process, Copyright ©2007 by Threat Analysis Group,
LLC. Used by permission. Additional information available from Threat
Analysis Group, LLC via www.threatanalysis.com.
Definition
The risk management process involves assessing threats, vulnerabilities, and
risk, evaluating and selecting security measures to reduce identified risks, and
Vellani, Karim. Strategic Security Management : A Risk Assessment Guide for Decision Makers, Elsevier Science & Technology, 2006. ProQuest Ebook
Central, http://ebookcentral.proquest.com/lib/apus/detail.action?docID=282098.
Created from apus on 2024-03-04 19:37:27.
implementing and monitoring the selected measures to ensure that the measures are effective. Risk management is truly a management process, whereas a
risk assessment is simply a component of that continual management process.
For many organizations, risk management involves much more than security
functions and also includes insurance and legal issues.
Risk is a function of threats and vulnerabilities. It is the possibility of asset
loss, damage, or destruction. Risk is the result of the likelihood that a specific
vulnerability of a particular asset will be exploited by an adversary to cause a
given consequence. A risk assessment is a quantitative, qualitative, or hybrid
assessment that seeks to determine the likelihood that an adversary will successfully exploit a vulnerability and the resulting impact (degree of consequence) to an asset. A risk assessment is the foundation for prioritizing risks
in order to effectively implement countermeasures.
No organization is without risk. The risk assessment and management
process seeks to reduce risk to a tolerable level. The risk assessment is the culmination of the previous steps discussed thus far beginning with identifying
assets, inventorying existing security measures, defining threats, and identifying vulnerabilities. The final step of the process is to calculate risks and make
recommendations to reduce them to a level acceptable to the organization.
Reducing risk involves identifying countermeasures that can mitigate vulnerabilities through the implementation of additional security measures or changing security measures. Cost estimates and cost-benefit analysis are key to
selecting effective and reasonable security measures. Once the proposed recommendations have been selected, risk is recalculated to determine whether
the risk has been reduced to an acceptable or tolerable level. Remember, no
organization is without risk.
The first step in the risk management process is to acknowledge the
reality of risk. Denial is a common tactic that substitutes deliberate
ignorance for thoughtful planning.
—Charles Tremper
Recapping the risk assessment steps may be a good idea at this point. Identifying assets is the first step. This is the process of determining which assets
are critical to the mission of the organization. Assets include people, property,
and information. Critical assets are necessary for the organization to carry out
its mission, for without them, functions and processes will fail and cause the
mission to fail. The higher the consequence from the loss, damage, or destruction of an asset, the more critical it is. Each organization has different mission-critical assets; thus, no specific list is provided in this text. It is up to the risk
assessment team to identify the critical assets of a particular organization. Critical assets are typically determined through interviews and questionnaires of
the people charged with carrying out the organization’s mission. For the Coca-Cola Company, the formula for Coke is a critical asset as it gives Coca-Cola a
competitive advantage. For a litigator, his win-loss record is a critical asset. For
an athlete, her strength, agility, and energy are critical assets. For the security
consultant, his integrity is a critical asset.
When determining the criticality of an asset, it is important to consider the
time and money needed to replace the asset. Reputations may be a critical asset
and take a considerable time to develop and replace after negative publicity. A
company whose critical assets include its computer network may be able to
replace the functionality of that asset rather quickly but with considerable
expense. A homeowner whose house is destroyed by fire may be covered financially by insurance (risk transfer), but the time to build or buy a new house
may be problematic. A manufacturing firm whose equipment is damaged may
suffer downtime until the equipment is restored or replaced. The airport whose
metal detectors unknowingly malfunction, though not a terrible development
in and of itself, can be detrimental to homeland defense through cascading
effects. Here again, asset criticality can be categorized quantitatively by value,
replacement cost, and so on, or qualitatively by low, medium, high, or some
other relative scale.
The second step of the risk assessment process is to inventory existing security measures designed to protect assets. The measures may include policies and
procedures, physical security equipment, security personnel, or some combination of these measures. It is important to remember that security measures
should not be assumed to be effective in protecting the assets. There are two
effective methods for inventorying current security measures: inside-out or
outside-in. In the outside-in approach, the assessment team begins at the facility’s perimeter and works its way in toward the asset through each line of
defense. The inside-out approach is the opposite with the team starting at the
asset and working its way out to the perimeter. In addition to these methods,
the inventory process should also include reviewing any available security
documentation, including security plans, policies and procedures, the security
officer’s post orders, and physical protection system documentation.
The third step in the risk assessment process is the threat assessment,
whereby threats are identified, characterized and rated on either a qualitative
or quantitative scale. A threat is an act or condition that seeks to obtain,
damage, or destroy an asset. The most common form of threat assessment is
crime analysis. Adversaries can include insiders, outsiders, or a combination of
insiders and outsiders. Adversarial capability and motivation should be assessed
based on the adversaries’ ability to steal, damage or destroy critical assets. The
adversaries’ past methods, equipment, skills, and training should be clearly
articulated in the assessment report. Target attractiveness is a key component
of the threat assessment.
The fourth step of the risk assessment process is the vulnerability assessment
wherein weaknesses in the security program are identified via the vulnerability
assessment’s primary tool, the security survey. Vulnerabilities are opportunities.
They are weaknesses or gaps in a security program that can be exploited
by threats to gain unauthorized access to an asset. Vulnerabilities may be
structural, procedural, electronic, or human, and they provide opportunities to
attack assets. Existing security measures may or may not address the security
program’s weaknesses. Vulnerabilities may also be classified quantitatively or
qualitatively.
Risk assessment, including the cost-benefit analysis and report with recommendations, is the fifth and final step in the risk assessment process.
Risk Assessments
Risk assessments are comprehensive and rational reviews that offer a logical
and defensible method for security professionals to make decisions about security expenditures and to select cost-effective security measures that will protect
critical assets and reduce risk to an acceptable level. Assessing risk is a dynamic
process that involves continuous evaluation of assets, threats, and vulnerabilities. Risk assessments are typically a staged process whereby critical assets are
identified, current countermeasures are enumerated, threats are identified, vulnerabilities are defined, and prioritized recommendations are made to protect
critical assets based on probabilities of attack.
Risk assessments can be quantitative, qualitative, or a hybrid of the two. Qualitative assessments are based on the data available and on the skills of the
assessment team, while quantitative assessments utilize numeric data to evaluate risk. Hybrid risk assessments utilize quantitative data where available and
qualitative where metrics are not readily available or insufficient. While assessing risk is more art than science, the risk assessment methodology should be
structured so that the results and recommendations can be replicable given a
different assessment team. Risk assessments should generally be quantitative to
the extent possible, recommendations for additional security measures should
be the result of a cost-benefit analysis, and measures should be benchmarked
against industry standards.
Qualitative Risk Assessments
Qualitative assessments are normally used when the assets in need of protection are of lower value or when data is not available. Qualitative risk assessments may also be used when insufficient historical information or metric data
exists, precluding a quantitative approach. The results of qualitative assessments depend on the assessment skills of the people involved in the assessment.
Risk levels are normally given in abstract values such as high, medium, or low,
or color coded like the Homeland Security Advisory System. The American
Society for Industrial Security—International released a security guideline
entitled “General Security Risk Assessment” in 2003 which outlined one
approach to qualitative risk assessments. The full qualitative approach is
included at the end of this chapter.
Quantitative Risk Assessments
Quantitative assessments, on the other hand, are metric based and assign
numeric values to the risk level. Overall risk levels are derived from all available security metrics. In physical protection systems, for example, the metrics
used in determining the risk level include the threat level, probability of detection, delay times, and response force times. Quantitative assessments are commonly used for the protection of business critical or high-value assets. It should
be recognized that security risks are notoriously hard to measure quantitatively
because they involve human actions.
The general methodology for quantitative risk assessment is to consider the
probability of an attack and the expected impact on each critical asset. The
probability of attack is based on the adversary’s motivation, capability, and
intent. Depending on the type of facility or assets being protected, historical
data may also be considered, but a lack of history should not be indicative
of a low or nonexistent threat level. One reason a lack of history cannot be
used is evident in the September 11 attacks. Had history been the only factor
considered, the threat level would have been zero since no similar attack had
occurred previously in the United States or anywhere else in the world. Vulnerabilities are calculated using the probability that each specific vulnerability
will be exploited by an adversary. Based on the threat and vulnerability calculations, the overall risk level is calculated. In most situations, especially during
an initial risk assessment, the risk level will not be acceptable. Thus, security
measures must be identified, cost-benefit analyses performed, and the risk
recalculated based on the theoretical implementation of these countermeasures. Only after a security mix has been identified and brings the risk level to
an acceptable level will the actual implementation begin. In some cases, a
phased approach may be used wherein the security decision maker implements
certain security measures, allows some time to pass, and then conducts another
assessment to see if the measures are effective in reality. If they are not, the
next phase of measures is deployed and reassessed. This is similar to the
pretest/posttest method used in the scientific and research communities.
The American Society for Industrial Security—International includes a
quantitative approach to risk assessments in its General Security Risk Assessment guideline. (The quantitative approach is included at the end of this
chapter in its entirety.)
RISK = THREAT + VULNERABILITY
Specialized Risk Assessment Methodologies
A number of specialized risk assessments exist that address the needs of
particular industries or specific threats or types of critical assets. Among these
specialized risk assessments are:
The American Petroleum Institute’s Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical Industries
The National Institute of Justice’s A Method to Assess the Vulnerability of U.S. Chemical Facilities
Sandia National Laboratories’ Security Risk Assessment Methodology for Water Utilities (RAM-W™), for Chemical Facilities (RAM-CF™), for Communities (RAM-C™), for Transmission (RAM-T™), for Prisons (RAM-P™), and for Dams (RAM-D™)
The American Society for Industrial Security—International’s General Security Risk Assessment Guideline
The Federal Emergency Management Agency’s Reference Manual to Mitigate Potential Terrorist Attacks against Buildings
The Center for Chemical Process Safety’s Guidelines for Analyzing and Managing the Security Vulnerabilities of Fixed Chemical Sites
The National Institute of Standards and Technology’s Risk Management Guide for Information Technology Systems
Microsoft’s Security Risk Management Guide
Threat Analysis Group’s Risk Assessment Methodology
The National Fire Protection Association’s Guide for Premises Security (NFPA 730)
Sandia National Laboratories’ Risk Assessment Method—Property Analysis and Ranking Tool (RAMPART)
The Illuminating Engineering Society of North America’s Guideline for Security Lighting for People, Property, and Public Spaces (IESNA G-1-03)
The United States military’s CARVER Methodology (Criticality, Accessibility, Recoverability, Vulnerability, Effect, Recognizability)
The United States Air Force’s DSHARP Methodology (Demographics, Symbology, Historical, Accessibility, Recuperability, Population)
Take calculated risks. That is quite different from being rash.
—General George Patton
Risk Mitigation
Risk management is the process of anticipating future losses and using risk
mitigation strategies for reducing or eliminating that risk. Generally, five strategies may be employed to deal with risk: avoidance, reduction, spreading, transfer, and acceptance. Risk avoidance is an extreme measure since it hampers
business. An example may be a department store that chooses not to stock a
particular brand or style of basketball shoes which are stolen with great frequency. Risk reduction is typically the driving force for security departments
whose role it is to provide protection for assets. Risk spreading is a strategy
used in moving assets to different geographic areas so that if one area is
attacked, the consequence is limited to that area. In today’s business climate,
critical documents and information are commonly available electronically.
Many companies store these electronic information documents in multiple
locations so that if an attack were to occur, a backup of the information would
exist. Risk transfer is a strategy used to remove the risk from the owner to a
third party. Insurance is the best example of risk transfer in that the business
hires the insurance company to assume the risk for a fee. Risk acceptance is
another strategy used in mitigating risk. As the name implies, risk acceptance
is simply where an organization assumes the risk to an asset.
Given a specific threat, many specific risk mitigation strategies are available
to the security decision maker. Cost effectiveness is a key component in selecting the best one for the protection of assets. A thorough risk assessment allows
security decision makers to prioritize risk reduction activities and adapt to
changing and emerging threats. Risk mitigation is a security strategy that is
accomplished by decreasing the threat level by eliminating or intercepting
adversaries before they attack, blocking opportunities through enhanced security, or reducing the consequences if an attack should occur. Without question,
the best strategy for mitigating risk is a combination of all three elements:
decreasing threats, blocking opportunities, and reducing consequences. This is
the homeland defense strategy used by the United States government and many
other governments across the globe in the War on Terror. The United States’
homeland security strategy may be characterized as the three P’s: Prevent,
Protect, and Prepare. The Department of Homeland Security’s strategy is to
reduce the threat by way of cutting terror funding, destroying terrorist training camps, and capturing terrorists; to block opportunities through enhanced
security measures such as increased airport and maritime security; and to
reduce the consequences through target-hardening efforts that minimize
damage such as window glazing and through shortening response and recovery times.
For the security decision maker, specific countermeasures are available for
each P. Prevention measures can include psychological measures designed to
deter criminals from perpetrating their acts on a given property by increasing
the risk of detection and capture. Protection measures include security personnel and vaults. Preparation measures include alarm system monitoring
services that respond to alarms. More than one security measure may exist to
protect a given asset. As such, for each potential security measure, the risk
reduction benefit should also be assessed quantitatively or qualitatively. The
measure selected may not necessarily be the most effective; rather, it is preferable to select a cost-effective measure that brings the risk down to a tolerable
level. As is often the case with security measures, the sum is greater than the
parts in that multiple security measures working in conjunction with one
another can reduce risk to an acceptable level. Similarly, one security measure
may protect more than one asset. In either case, the overall effectiveness of security measures should be assessed to determine their net effect.
As defined above, security measures that provide maximum protection often
come at a high price. While maximum protection may be warranted in certain
critical infrastructures, it is not the standard for most industries. The typical
standard is reasonable. Defining a reasonable level of protection to provide for
the protection of people, property, and information is the primary task of most
security decision makers. The problem with this standard, however, is that
reasonable minds may disagree. Another security strategy is the concept of
balanced protection, which simply means that no matter how an adversary
attempts to reach the asset, security measures that deter, detect, or delay his
advance will be encountered. Balanced protection is accomplished through yet
another security strategy called protection in depth. Protection in depth is also
known as security layering wherein the asset is behind multiple layers of security measures, each requiring penetration in sequence to reach the asset.
Regardless of whether maximum or reasonable protection is required, the
cost of each security measure must be determined. Security equipment costs
include initial costs, training costs, and ongoing maintenance and repair costs.
Security personnel costs include background checks, training and continuing
education, uniforms, equipment, and licensing. The rule of thumb for the
selection of security measures is that their total cost should not exceed the cost
to replace or repair the asset being protected. Another strategy used in the protection of assets is to provide protection only for critical assets, with the anticipation that other assets will be secured through a diffusion of benefits.
Diffusion of benefits will be discussed in detail in the prevention chapter.
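The recalculation loop from the quantitative section and the cost rule of thumb above, worked through as an added example that is not taken from the book or the ASIS guideline. The model (risk = probability of attack x probability of exploitation x impact, with independent measures whose effects multiply), the names Asset, Measure, Decision, risk and select_mix, and every figure are assumptions constructed for illustration.

```python
"""Added example: recalculate risk for each candidate security mix and pick the
cheapest mix that reaches a tolerable level. Model and figures are assumptions."""
from dataclasses import dataclass
from itertools import combinations
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    replacement_cost: float  # impact: cost to replace or repair the asset
    p_attack: float          # threat: probability of an attack in the period
    p_exploit: float         # vulnerability: probability the attack succeeds


@dataclass(frozen=True)
class Measure:
    name: str
    cost: float                 # initial, training and maintenance cost for the period
    threat_factor: float = 1.0  # multiplier on p_attack (decrease the threat)
    vuln_factor: float = 1.0    # multiplier on p_exploit (block the opportunity)
    impact_factor: float = 1.0  # multiplier on impact (reduce the consequence)


@dataclass(frozen=True)
class Decision:
    measures: Tuple[str, ...]
    total_cost: float
    residual_risk: float
    risk_reduction: float


def risk(asset: Asset, mix: Sequence[Measure] = ()) -> float:
    """Expected loss for the period under the assumed multiplicative model."""
    p_attack, p_exploit, impact = asset.p_attack, asset.p_exploit, asset.replacement_cost
    for m in mix:
        p_attack *= m.threat_factor
        p_exploit *= m.vuln_factor
        impact *= m.impact_factor
    return round(p_attack * p_exploit * impact, 2)


def select_mix(asset: Asset, candidates: Sequence[Measure],
               tolerable: float) -> Optional[Decision]:
    """Cheapest mix whose recalculated risk is tolerable and whose total cost
    does not exceed the asset's replacement cost (the rule of thumb).
    Returns None when no such mix exists, leaving avoidance, spreading,
    transfer or acceptance as the remaining strategies."""
    baseline = risk(asset)
    best: Optional[Decision] = None
    for size in range(len(candidates) + 1):
        for mix in combinations(candidates, size):
            total_cost = sum(m.cost for m in mix)
            if total_cost > asset.replacement_cost:
                continue  # protection would cost more than the asset
            residual = risk(asset, mix)
            if residual > tolerable:
                continue  # theoretical implementation still leaves too much risk
            if best is None or (total_cost, residual) < (best.total_cost, best.residual_risk):
                best = Decision(tuple(m.name for m in mix), total_cost,
                                residual, round(baseline - residual, 2))
    return best


# Constructed sample data, not drawn from any real assessment.
SERVER_ROOM = Asset("server room", replacement_cost=500_000, p_attack=0.30, p_exploit=0.60)
KIOSK = Asset("lobby kiosk", replacement_cost=20_000, p_attack=0.50, p_exploit=0.80)
CANDIDATES = (
    Measure("monitored CCTV", cost=12_000, threat_factor=0.7),
    Measure("access control", cost=15_000, vuln_factor=0.4),
    Measure("24-hour guard post", cost=120_000, threat_factor=0.5, vuln_factor=0.3),
    Measure("off-site backup", cost=8_000, impact_factor=0.5),
)

if __name__ == "__main__":
    for asset, tolerable in ((SERVER_ROOM, 20_000), (KIOSK, 1_000)):
        print(f"{asset.name}: baseline risk {risk(asset):,.0f}, tolerable {tolerable:,.0f}")
        decision = select_mix(asset, CANDIDATES, tolerable)
        if decision is None:
            print("  no mix is both sufficient and cheaper than replacing the asset")
        else:
            print(f"  select {decision.measures} at cost {decision.total_cost:,.0f}; "
                  f"residual risk {decision.residual_risk:,.0f}")
```

For the server room the guard post alone gives the lowest single-measure risk, but the cheaper pairing of access control and off-site backup is selected because it already reaches the tolerable level.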
Risk Assessment Report
The risk assessment report is a comprehensive written document that incorporates all elements of the risk assessment methodology. Typical components
of a full-scale risk assessment report include a listing of major assets, critical
assets, and the facility characterization, a summary of existing security measures, the threat assessment report including supporting documentation with
crime analysis charts and graphs, major elements of the vulnerability assessment report with the security survey included as an appendix, and recommendations for security modifications with the cost-benefit analysis. The goal
of the report is to highlight the findings of the risk assessment so that those
who hold the purse strings are able to make educated risk mitigation decisions
that may include one or more of the five risk mitigation strategies (avoidance,
reduction, spreading, transfer, and acceptance). The following suggested format
builds upon the format used for the risk assessment report.
Table of Contents
The table of contents in a risk assessment report should identify each major
section and subsection and be identified by page number.
Executive Summary
Similar to the vulnerability assessment report, the executive summary of a
risk assessment report is an overview document that provides a condensed
version of the entire report and highlights key issues for decision makers who
do not have the time to read the full report. The executive summary should
not be longer than 10 percent of the full report, is often much shorter, and
should suffice as a stand-alone document. The executive summary should list
the major assets and critical assets, and should include the facility characterization. It should also summarize the existing security measures, the threats
posed to the assets including the relevant information from the crime analysis, and the major vulnerabilities. The executive summary should conclude with
the recommendations and a call for action.
Background and Methodology
The background and methodology section of the risk assessment report
outlines the scope of the risk assessment and defines the methodology.
The methodology may be specific to the facility or organization, an industry-specific methodology, or a general methodology. Assessment team members
should also be identified along with their credentials in this section of the
report. The facility characterization and security inventory are discussed along
with the security philosophy of the organization, if one exists. Historical attacks
will also be included in this section, along with a general threat overview.
Vulnerabilities uncovered during the security survey are outlined, along with
any interim remedial measures designed to deter, detect, or delay immediate
threats.
Assets and Critical Assets
This section outlines the facility’s assets and critical assets, with special attention to defining the extent to which assets are necessary for critical functions
or which assets are of a mission-oriented nature.
Existing Security Measures
This section of the risk assessment report contains a discussion of the
current security policies and procedures, the existence of any security manuals
and post orders, types of physical security measures in use at the facility, and
documentation concerning the use of armed and unarmed security officers or
off-duty police officers. The scheduling practices are of utmost importance
in the security personnel discussion, along with hiring standards, background
investigation procedures, post orders and training provided, patrol practices,
security incident reporting procedures, and equipment and uniform standards.
Threat Assessment and Crime Analysis
The threat assessment section’s major component is a review of historical
crime data or an in-depth crime analysis. The crime analysis includes spatial
and temporal trends, average and mean crime levels, descriptions of the specific types of crime that have occurred, crime totals, violent crime rates, and
forecasts or mathematical projections of future crime. The threat assessment
may also include a discussion of crime problems in the area and other known
threats to the facility.
Vulnerability Assessment
The vulnerability assessment section of the risk assessment report outlines
the results of the security survey and identifies any opportunities for adversaries to attack. Weaknesses and deficiencies in the security program should
be described in sufficient detail to assist in identifying and selecting effective
countermeasures.
Risk Assessment and Recommendations
This section is the pinnacle of the risk assessment report, representing the
culmination of a lengthy, comprehensive process. The beginning of this section
presents a discussion of the current risks to the facility and to its assets based
on the threats and vulnerabilities previously identified during the respective
assessments. These risks may be described quantitatively and/or qualitatively.
Recommendations developed by the risk assessment teams are then included
along with the cost-benefit analysis for each security measure or security mix.
Anticipated risk levels after the deployment of the initial or only phase of security measures are then described. Subsequent security deployment phases are
then discussed along with further risk reductions expected. The recommendations should be prioritized based on quantitative or qualitative risk ratings for
each asset.
Appendices
Appendices should be included in the risk assessment report and should
specifically include asset listings and descriptions; existing security inventory
documentation; facility and area photographs, blueprints, site diagrams and
floor plans; threat assessment and crime analysis information; the security
survey instrument or checklist; and cost-benefit worksheets.
Risk Assessment Report Outline
I. Table of Contents
II. Executive Summary
III. Background and Methodology
A. Risk Assessment Methodology
B. Assessment Scope and Objectives
C. Team Composition and Qualifications
D. Facility Characterization
IV. Assets
A. Major Assets and Functions
B. Critical Assets and Functions
V. Existing Security Inventory
A. Policies and Procedures
B. Physical Security Measures
C. Security Personnel
VI. Threat Assessment
A. Site-Specific Crime Analysis
B. Historical Attacks against Similar Facilities
VII. Vulnerability Assessment
A. Security Survey Process
B. Major Vulnerabilities
C. Other Vulnerabilities
VIII. Risk Assessment
A. Current Risks
B. Risk Ratings
C. Mitigation Strategies
D. Prioritized Recommendations
E. Cost-Benefit Analysis
F. Revised Risk Estimates
G. Call for Action
IX. Appendices
A. Facility and Area Photographs
B. Blueprints, Site Diagrams, and Floor Plans
C. Facility Personnel Interview Questions
D. Complete Asset List and Descriptions
E. Existing Security Inventory
F. Threat Assessment and Crime Analysis Documentation
G. Security Survey Instrument or Checklist
H. Cost-Benefit Analysis Worksheets
Appendix
ASIS International General Security Risk Assessment Guideline—Qualitative and Quantitative Risk Assessments
ASIS General Security Risk Assessment Guidelines
The following examples of quantitative and qualitative risk assessment
approaches are from the General Security Risk Assessment Guideline, Copyright (c) 2003 by ASIS International. Used by permission. The complete guideline is available from ASIS International, 1625 Prince Street, Alexandria,
Virginia 22314 or at http://www.asisonline.org/guidelines/guidelines.htm.
Appendix I
Qualitative Approach
Each step of the following seven-step practice advisory includes examples and other
relevant information to guide the practitioner in developing a better understanding of
the underlying principles to be applied in the assessment.
PRACTICE ADVISORY #1
Understand the organization and identify the people and assets at risk.
COMMENTARY—“Understand the organization.”
The first task of the security practitioner is to develop an understa