This document provides an overview of key concepts related to risk management, including definitions of risk, vulnerability, probability, and impact. It discusses approaches to assessing risk such as quantifying probability and impact, analyzing threats and vulnerabilities, and measuring the effectiveness of security controls. The document is authored by Phillip Banks and copyrighted by The Banks Group Inc., which provides risk consulting and security services. It references numerous standards and guidelines for risk and security management.
3. “If we don’t understand vulnerability we won’t understand risk.”
Unknown

“Risk management is a systematic response to uncertainty.”1

1 CSE/RCMP Harmonized Threat and Risk Assessment Methodology, October 23rd, 2007
4. Risk
Is a person or situation that poses a possible threat to the security of something.
The effect of uncertainty on objectives1.

Vulnerability
Is a weakness or gap in security protections, control measures or processes that can be exploited by an adversary to remove, damage or destroy an asset.

1 Risk Management Principles and Guidelines, AS/NZS ISO 31000:2009
5. Risk has three key characteristics1:
It looks ahead into the future;
There is an element of uncertainty, e.g. a condition or a situation exists that might cause a problem for the project in the future;
It is related to the outcome.

1 Project Complexity and Risk Assessment Tool, Version 1.4, Treasury Board of Canada Secretariat
7. Risk = P x I
Risk = P x I x V
Risk = PA (1 – PI) C
Risk = P x I x M
Risk = Probability x Impact
Security Controls
Risk = P x E (Exploitability of Protection)
11. Risk is never static.
Risk can be within or outside our sphere of control.
Risk is affected by both the adversary and the target.
A convertible asset requires multi-stage “risk continuum” consideration.
What can be done to positively affect the “risk triangle”?
Corporate “Risk Appetite”?
[Risk triangle diagram; only the label “Probability” survives extraction]
12. Quantifiable Risk
Risk we can precisely measure and record with numbers:
How many security controls are present?
Is the control strength rated?
How many attacks per day do we see?
How many times did this happen in the past?
How many vulnerabilities exist?
etc.

Qualifiable Risk
Risk we have an idea about but can't accurately measure and is thus subjective:
How confident are we with the code-base?
Do we think the project has had sufficient review?
Do we think this control is efficient?
etc.
13. Possibility – An event that could occur.
Probability – The likelihood of the event occurring.
A “possibility” is any event which has a “probability” of occurrence greater than “0”.
14. A threat-event will take place?
The threat-event will be mitigated to some degree?
The adversary will be 100% successful?
What probability? Impossible? Even chance? Certain?
16. Probability of a six being on the upper surface of one die…?
Probability of two sixes being on the upper surface of two dice…?
Probability of three sixes being on the upper surface of three dice…?
17. A system with three components fails if one or more components fail.
The probability that any given component will fail is 1/10.
What is the probability that the system will fail?
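The two exercises on slides 16 and 17 are the two ways independent probabilities combine: the dice answer is a product (every die must show a six), while the three-component system is a "one or more" question, so the right move is to compute the chance that nothing fails and subtract it from 1. The example below is added here and is not from the deck; it works in exact fractions, cross-checks the dice answer by enumerating the sample space, and shows why simply adding the per-component probabilities (a common mistake) gives the wrong answer. The generic `p_at_least_one` function goes slightly beyond the slides: it accepts unequal probabilities, which is the same calculation an assessor uses to ask how likely it is that at least one of several independent detection controls fires.

```python
from fractions import Fraction
from itertools import product
from typing import Iterable, Union

FACES = 6  # a fair die has six equally likely faces


def p_all_sixes(n_dice: int) -> Fraction:
    """Slide 16: probability that every one of n independent fair dice shows
    a six. Independent events multiply, so the answer is (1/6) ** n."""
    if n_dice < 1:
        raise ValueError("need at least one die")
    return Fraction(1, FACES) ** n_dice


def p_all_sixes_by_enumeration(n_dice: int) -> Fraction:
    """Cross-check: enumerate the whole sample space (6 ** n outcomes) and
    count those where every face is a six."""
    outcomes = list(product(range(1, FACES + 1), repeat=n_dice))
    hits = sum(1 for roll in outcomes if all(face == FACES for face in roll))
    return Fraction(hits, len(outcomes))


def p_at_least_one(event_probs: Iterable[Union[Fraction, str]]) -> Fraction:
    """Probability that at least one of several independent events occurs:
    1 - product(1 - p_i). Pass each probability as a Fraction or a string
    such as "1/10" so the arithmetic stays exact (a float 0.1 would not)."""
    p_none = Fraction(1)
    for p in event_probs:
        p = Fraction(p)
        if not 0 <= p <= 1:
            raise ValueError(f"probability out of range: {p}")
        p_none *= 1 - p
    return 1 - p_none


def p_system_fails(n_components: int, p_component_fails: Union[Fraction, str]) -> Fraction:
    """Slide 17: a series system fails if one or more of its independent
    components fail, so P(system fails) = 1 - (1 - p) ** n."""
    return p_at_least_one([p_component_fails] * n_components)


def p_naive_sum(n_components: int, p_component_fails: Union[Fraction, str]) -> Fraction:
    """The tempting but wrong estimate: adding the per-component probabilities.
    It double-counts outcomes where several components fail together and can
    exceed 1 for larger systems."""
    return Fraction(p_component_fails) * n_components


if __name__ == "__main__":
    for n in (1, 2, 3):
        print(f"P({n} six(es) on {n} dice) = {p_all_sixes(n)} "
              f"(enumeration: {p_all_sixes_by_enumeration(n)})")
    exact = p_system_fails(3, "1/10")
    print(f"P(three-component system fails) = {exact} = {float(exact)}")
    print(f"naive sum would give {p_naive_sum(3, '1/10')}")
```

Run as a script it prints 1/6, 1/36 and 1/216 for the dice, and 271/1000 (0.271) for the system, against the naive 3/10; the gap between the two grows with the number of components, which is why layered controls should never be scored by adding their individual failure rates.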
20. • R = Risk to the facility of an adversary gaining access to assets (ranges from 0 to 1.0).
• PA = Probability of an adversary attack during a period of time.
• PE = Probability of Preventing the Event
     = P(I) Interruption x P(N) Neutralization
• C = Consequence Value.
Note: If PE is the probability of preventing the event then [1 – PE] must be the probability of the adversary being successful.
R = PA * [1 – PE] * C
* The Design and Evaluation of Physical Protection Systems, Garcia, Mary Lynn, Butterworth-Heinemann, 2001
Risk = Probability x Vulnerability x Impact
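To make the Garcia equation on slide 20 concrete, the following is an added example (not from the deck or from Garcia's book) that evaluates R = PA * [1 – PE] * C with PE = P(I) x P(N) for one adversary path. All the input figures are constructed for illustration, and the `PathEstimate` class and `compare_upgrades` helper are this example's own names. The comparison routine re-runs the equation with one input improved at a time, which is the question an assessor usually faces: does spending on detection (P(I)) or on response (P(N)) buy the larger reduction in risk?

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PathEstimate:
    """Inputs to R = PA * (1 - PE) * C for one adversary path.
    Every value is a probability or a normalised consequence in [0, 1]."""
    p_attack: float          # PA: probability of an attack during the period
    p_interruption: float    # P(I): adversary detected and a response arrives in time
    p_neutralization: float  # P(N): the response defeats the adversary once interrupted
    consequence: float       # C: consequence value, normalised to [0, 1]

    def __post_init__(self):
        for name, value in vars(self).items():
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{name} must be in [0, 1], got {value}")


def p_effectiveness(e: PathEstimate) -> float:
    """PE = P(I) x P(N): the system only prevents the event if it both
    interrupts the adversary and then neutralises them."""
    return e.p_interruption * e.p_neutralization


def p_adversary_success(e: PathEstimate) -> float:
    """Slide 20 note: if PE is the probability of preventing the event,
    1 - PE is the probability that the adversary succeeds."""
    return 1.0 - p_effectiveness(e)


def risk(e: PathEstimate) -> float:
    """R = PA * [1 - PE] * C, which ranges from 0 to 1.0."""
    return e.p_attack * p_adversary_success(e) * e.consequence


def compare_upgrades(baseline: PathEstimate, **changes: float) -> dict:
    """Re-run the equation with one input changed at a time (hypothetical
    upgrade options) and report the resulting R for each, so the assessor
    can see which single improvement gives the largest reduction in risk."""
    results = {"baseline": risk(baseline)}
    for field, new_value in changes.items():
        upgraded = PathEstimate(**{**vars(baseline), field: new_value})
        results[field] = risk(upgraded)
    return results


if __name__ == "__main__":
    # Constructed figures: an attack is judged 50% likely over the period,
    # detection and response interrupt 60% of attempts, the response force
    # wins 70% of interrupted engagements, and loss of the asset is rated 0.8.
    base = PathEstimate(p_attack=0.5, p_interruption=0.6,
                        p_neutralization=0.7, consequence=0.8)
    print(f"PE = {p_effectiveness(base):.2f}, 1-PE = {p_adversary_success(base):.2f}, "
          f"R = {risk(base):.3f}")
    # Two hypothetical options: better detection vs a stronger response force.
    for option, r in compare_upgrades(base, p_interruption=0.9,
                                      p_neutralization=0.95).items():
        print(f"{option:>18}: R = {r:.3f}")
```

With these constructed inputs the baseline gives PE = 0.42 and R = 0.232; raising P(I) to 0.9 brings R to 0.148, while raising P(N) to 0.95 only reaches 0.172. Because PE is a product, the weaker of the two factors dominates, so the equation rewards fixing whichever of detection or response is currently worse rather than polishing the one that is already strong.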
27. Pareto Analysis
Pair-wise Comparison
Fault Tree Analysis
Attack Tree Analysis
Failure Mode & Effect Analysis
Failure Modes, Effects & Criticality
Analysis
C.A.R.V.E.R (modified)
Cause & Effect (Ishikawa)
Monte Carlo Simulation
_____________________?
Qualitative vs Quantitative
28. Fit-for-Purpose:
A protection/control measure which is formally selected and mitigates the known and reasonably foreseeable threats.

State-of-Readiness:
A protection/control measure which is implemented, operated, maintained and demonstrably capable of mitigating known or reasonably foreseeable threats.
29. Rating | Fit-for-Purpose – Scoring Rationale
5 | Protection selected based on recognized standard or leading practice. A formal performance level was identified and is still being met or exceeded.
3 | Protection not specifically appropriate for the threat, operational or functional environment, or it is only nominally achieving the required level of performance.
1 | Protection is inappropriate for the threat, operational or functional environment, or is not meeting a required level of performance.

Rating | State-of-Readiness – Scoring Rationale
5 | Protection is functioning as designed and is operational in all respects. There is little or no down-time and there is no record of it being compromised.
3 | Protection is primarily functioning as designed although there is occasional down-time due to loss-of-service or periodic break-down.
1 | Protection is not functioning or is not in a State-of-Readiness due to periodic loss-of-service or break-down.
30. Fit-for-Purpose and State-of-Readiness ratings are independent so the overall rating is the product of the two.
A protection which is both fully Fit-for-Purpose and in a complete State-of-Readiness should achieve a score of 25.
If the assessor believes Fit-for-Purpose = 5 but the State-of-Readiness = 3 then the overall rating of the protection is 15 or 60% effective and it has a vulnerability level of 40%.
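The scoring rule on slides 29 and 30 is small enough to encode exactly, which is useful when the same method is applied across a whole register of controls rather than to one. The example below is added here and is not from the deck: it enforces the 1/3/5 scale, computes the product score, the percentage effectiveness against the maximum of 25 and the resulting vulnerability level, and then ranks a constructed register of controls most-vulnerable first so the assessor sees where review effort should go. The control names and ratings in the register are invented for illustration.

```python
from typing import Dict, List, Tuple

RATING_SCALE = (1, 3, 5)   # the deck scores each dimension as 1, 3 or 5
MAX_SCORE = 5 * 5          # fully Fit-for-Purpose and in full State-of-Readiness


def control_score(fit_for_purpose: int, state_of_readiness: int) -> int:
    """Slide 30: the two ratings are independent, so the overall rating is
    their product. Rejects values that are not on the 1/3/5 scale."""
    for name, value in (("Fit-for-Purpose", fit_for_purpose),
                        ("State-of-Readiness", state_of_readiness)):
        if value not in RATING_SCALE:
            raise ValueError(f"{name} must be one of {RATING_SCALE}, got {value}")
    return fit_for_purpose * state_of_readiness


def effectiveness_percent(fit_for_purpose: int, state_of_readiness: int) -> int:
    """Score expressed against the maximum of 25, e.g. 5 x 3 = 15 -> 60%.
    Every reachable score (1, 3, 5, 9, 15, 25) times 4 is a whole number,
    so integer arithmetic is exact here."""
    return control_score(fit_for_purpose, state_of_readiness) * 100 // MAX_SCORE


def vulnerability_percent(fit_for_purpose: int, state_of_readiness: int) -> int:
    """The deck's vulnerability level: the gap between effectiveness and 100%."""
    return 100 - effectiveness_percent(fit_for_purpose, state_of_readiness)


def rank_controls(controls: Dict[str, Tuple[int, int]]) -> List[Tuple[str, int, int, int]]:
    """Score every control in a register and order them most-vulnerable first
    (ties broken by name). Each row is (name, score, effectiveness %, vulnerability %)."""
    rows = []
    for name, (ffp, sor) in controls.items():
        rows.append((name,
                     control_score(ffp, sor),
                     effectiveness_percent(ffp, sor),
                     vulnerability_percent(ffp, sor)))
    return sorted(rows, key=lambda row: (-row[3], row[0]))


if __name__ == "__main__":
    # Constructed register: (Fit-for-Purpose, State-of-Readiness) per control.
    register = {
        "perimeter CCTV": (5, 3),          # the slide's worked case: 15/25 = 60% effective
        "access control system": (5, 5),   # fully fit and fully ready: 25/25
        "guard patrols": (3, 3),
        "intrusion alarm": (3, 1),         # selected poorly and not in readiness
    }
    for name, score, eff, vuln in rank_controls(register):
        print(f"{name:<24} score {score:>2}/25  effective {eff:>3}%  vulnerability {vuln:>3}%")
```

Because the overall rating is a product, a control that is well chosen but not maintained (5 x 1 = 5, 20% effective) scores the same as one that is poorly chosen but kept running (1 x 5); the ranking therefore surfaces readiness failures as sharply as design failures, which is the point of keeping the two ratings independent.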
31. 1. Develop the protection design to meet the DBT (design basis threat).
2. Identify appropriate elements of the design.
3. Identify how the protection system will be evaluated for effectiveness over time.
32. Characteristic | Insider | Criminal | Organized Crime
Objective | Steal assets such as tools, parts. | Steal large quantity of valuable assets. | Steal large quantities of finished product.
Motivation | Personal gain, revenge. | Personal gain. | Large gain for criminal organization.

Characteristic | Insider – Base | Insider – Enhanced | Criminal – Base | Criminal – Enhanced | Organized Crime – Base | Organized Crime – Enhanced
Planning/System Knowledge | Good depending on position. | Significant. | Some, opportunistic. | Significant if in collusion with insider. | Good to high level. | Extensive information and level of access.
Weapons | None | Edged weapons | Edged weapons | Hand guns, shot guns | Unlikely | Wide array of weapons
Tools and Equipment | Access keys or credentials. | Access keys, credentials & combinations. | Hand tools or readily available tools at the facility. | Hand and power tools. | Hand tools or readily available tools at the facility. | Access keys, credentials and combinations. Hand and power tools.
Contaminants | N/A | N/A | N/A | N/A | N/A | N/A
IMPACT (damage) to Asset(s) | Minimal | Notable | Notable | Significant | Notable to Significant | Significant to Critical
Injury to Persons | No | Possible but unintentional | Possible but unintentional | Possible | Possible but unintentional | Possible and intentional
Fatalities | No | No | No | Possible but unintentional | Possible but unintentional | Possible and intentional
34. 1 The Design and Evaluation of Physical Protection Systems, Mary Lynn Garcia, Sandia National Laboratories, Albuquerque, New Mexico, Butterworth-Heinemann, 2001
35. Define the Context – Measuring What?
Identify all contributing security element(s).
Use known or reasonably foreseeable threat(s).
Step through the process and assign scores – Does it make sense?
Team approach/peer review.
39. PROBABILITY
1. Collecting, recording and analyzing information and data to develop security intelligence.
2. Networking and contact development.
3. Modeling and threat forecasting.

IMPACT
1. Business impact analysis.
2. Identification of critical structures, operations and people.
3. Implementation and maintenance of organizational resilience.

VULNERABILITY
1. Criticality analysis.
2. Threat and threat event identification.
3. Vulnerability analysis, e.g. Pareto, CARVER & Monte Carlo Simulation etc.
4. Vulnerability assessment and reduction.
40. Practice risk management or become very good at crisis management.
Your choice…
Risk Management or Crisis Management?
42. Protection of Assets Manual, ASIS International
Industry Guidelines on a Framework for Risk Related Decision Support, UKOOA, 1999
GRiP – A Flexible Approach for Calculating Risk as a Function of Consequence, Vulnerability and Threat, R.G. Whitfield, W.A. Buehring and G.W. Bassett, Argonne National Laboratory, ANL/DIS-113, Decision and Information Sciences Division, January 2011
Maturity Framework for Assuring Resiliency Under Stress, Don O’Neill, Carnegie Mellon University, 2008
Pareto-Optimal Situation Analysis for Selection of Security Measures, Andres Ojamaa, Enn Tyugu, Jyri Kivimaa, IEEE, 2008
Concept of Vulnerability in Chemical Plants, Dongfen Zhao, Su Hu, Cong An, Shuang Chen, Yifei Meng, Journal of Chemical & Pharmaceutical Research, 6(7): 1448-1454, 2004
Quantified Risk is a Weak Hypothesis: A Critical Survey of Results and Assumptions, Vilhelm Verendel, Chalmers University, 2009
General Security Risk Assessment Guideline, ASIS International Guidelines Committee, 2003
Indicators and Criteria for Measuring Vulnerability: Theoretical Basis and Requirements, Jörn Birkmann, 2006
Defining and Assessing Quantifying Security Risk Measures Using Vulnerability Lifecycle and CVSS Metrics, HyunChul Joh and Yashwant K. Malaiya, Colorado State University, Fort Collins, Colorado, USA, 2011
Risk Analysis and the Security Survey, Third Edition, James F. Broder, CPP, Butterworth-Heinemann, 2006
AS/NZS ISO 31000:2009 Standard, Risk Management Principles and Guidelines (Superseding AS/NZS 4360:2004)
AS/NZS HB 167:2006 Security Risk Management Standard Handbook
The Design and Evaluation of Physical Protection Systems, Mary Lynn Garcia, Sandia National Laboratories, 2001
Risk Assessment and Management for Critical Asset Protection (RAM-CAP), ASME Innovative Technologies Institute LLC, Washington, DC, 2004
Business Risk Assessment, David McNamee, The Institute of Internal Auditors, 1998
w3.epa.gov, Defining Risk Characterization
http://www.algebra.com/algebra/homework/Probability-and-statistics/Probability-and-statistics.faq.question.419808.html