Security's Role in Enterprise Risk Management

Oct. 27, 2008
What are your responsibilities in managing risk for the total enterprise?

My grandson Randy called me this morning to let me know that he and two of his buddies would be leaving later in the day to drive from Atlanta to Las Vegas. Randy's barely 21 and he's known to have done unwise things in his short life, so I told him to be careful because a long drive like that was risky. He assured me he would. When I hung up I pondered on the word "risky." The risk in this case is that the car could crash and that Randy could be injured or killed (God forbid).

In security-speak, Randy is the asset and a traffic crash is the threat. If Randy would let me, I'd manage this risk by keeping him home or canceling the trip. The first option, keeping him home, moves the asset out of harm's way. The second option, canceling the trip, eliminates the threat. Simply stated, risk is a function of two variables: asset and threat. Remove either or both, and risk disappears. Risk is determined by the dynamic relationship between asset and threat. The implication for the chief security officer of an enterprise is the need to adjust protective measures relative to risk. We can see the principle in action when DHS informs the nation (asset) of a possible terrorist act (threat).

Characteristics of the Asset
Risk assessment begins to get complicated when we characterize the asset. To do so, we ask a three-part question: If the asset were lost, damaged or destroyed, what would be the probable impact on human life, physical property and process? When the asset is life, we can count the number of people likely to be affected in certain ways. We can use dollars to determine probable impact because actuarial groups have calculated the dollar value of a life, as well as limbs and bodily functions.

As to the impact on physical property, we have a handle on the dollar cost of repair or replacement.

Determining probable impact on process is a bit more complicated. Process is a combination of work activities that perform a function. In a manufacturing setting, process can be a series of activities that construct a product on an assembly line; in an information technology environment, process can produce decision-related information by electronic manipulation of data.

Loss of process can be minor, such as a partial and temporary interruption, or major, such as total and permanent shutdown. The loss-of-process impact is measurable in the dollars spent returning the process to normal operation and the dollars lost in the meantime from sales not made.

Although disparate, the three impact characteristics of an asset are amenable to dollar conversion, a rough measuring stick that can help in estimating the magnitude of consequences should an adverse event take place. The measuring stick is also a decision-making tool. If Asset A has a greater value than Asset B, it stands to reason, as a first approximation, that the protective measures for A should be greater than those for B. The dollar figure is only a starting point, though; as the discussion of criticality below shows, an inexpensive asset can still be the one the enterprise cannot do without.

Characteristics of the Threat
Threats are two-dimensional. The first dimension is called the threat element, the entity that precipitates an adverse event. The threat element is like the sword held aloft by a single horsehair above the head of Damocles. If the horsehair breaks, the sword falls. In the real world, terrorists, criminals and Mother Nature are threat elements.

The second dimension is the threat occurrence. If the sword plunges into Damocles, we have a threat occurrence. Examples of occurrences in the real world are the explosion of a bomb planted by a terrorist, the theft of valuables by a criminal and the collapse of a building during an earthquake.

Criticality
Let's go down one more level in the examination of asset and threat. An asset can be either non-meaningful or meaningful. Non-meaningful assets are assets whose loss, damage or destruction would have no significant effect on the enterprise. In this category are office supplies, furniture and the like.

Meaningful assets would have a significant effect if lost, damaged or destroyed. Significance, however, can vary from small to large. An asset of small significance could be a server in an IT operation. If the server goes out of commission, a portion of an operation shuts down for a day or so. An asset of great significance would be the entire IT operation.

This brings us to the matter of criticality. A meaningful asset of great significance is not necessarily a critical asset. By its very nature, an entire IT operation has great significance. However, shutdown of an entire IT operation in one enterprise might cause inconvenience only; in another it could mean corporate death.

We naturally tend to equate criticality with dollars; if something costs a great deal, it must be critical. Because we think along that line we may fail to identify an extremely critical asset because it is inexpensive and therefore seemingly unimportant. To illustrate, a drug essential to preventing the spread of a lethal virus is manufactured in a process that begins at Point A and ends at Point Z. A function at Point M is performed with a single device. Although small and inexpensive, the device is irreplaceable because a back-up is not on hand and the only company that manufactured it has gone out of business. If the device breaks down, the manufacturing line shuts down. This is called a single point of failure.

Identifying that single point occurs in the course of a vulnerability assessment (VA), a systematic method for determining a critical asset's vulnerability to a particular threat occurrence. The CSO, a member of the VA team conducting the assessment, most likely will not have a strong technical background in manufacturing operations, but a VA team is multidisciplinary, and in this example at least one member will be knowledgeable in manufacturing line operations. The specific job of that team member is to discover potential breakdowns and determine their consequences. Countermeasures would be taken immediately to remedy the situation: the company may obtain a replacement device, create one from in-house resources or alter manufacturing operations to eliminate the dependency.

The criticality label is automatically and deservedly attached to assets that, if compromised, could significantly damage the public's health and safety. Weapons-grade uranium, the smallpox virus and chemical nerve agents come to mind. Of particular concern is the possibility that such assets would fall into the wrong hands and be used as weapons against the enterprise and the public at large. A critical asset can be almost anything, and size does not matter. A criminal target can be cash in a teller's drawer, jewelry in a display case, personal identity information in a database or a business executive targeted for ransom. A terrorist target can be school children, a 911 center or the Lincoln Memorial, or it might be the whole school, or the whole emergency center, or all of Washington, DC.

The Terrorist Threat Element
As mentioned previously, threat has two components: threat element and threat occurrence. In light of the times, let's choose the terrorist threat for discussion. The threat element in terrorism consists mainly of groups. We can evaluate a terrorist group by its history, tactics, capability and intentions. A group with a history of attacking foreign corporations can be expected to continue along those lines. If the group has attacked on a certain symbolic date, the enterprise should be in a state of enhanced readiness on that date. If the group's preferred tactic is bombing with the use of a vehicle, the enterprise should take steps to protect against that tactic.

What are the capabilities of the group? Does it have weapons? What kind? Are group members trained, experienced and dedicated? Does the group have a well thought-out plan? Is the group funded at a level sufficient to meet the costs of carrying out a plan? Answers to these questions, even partial answers, help us understand the nature of the threat.

Intentions can be revealing. If an enterprise is named as a target in the pronouncements of a group leader, the enterprise would do well to set up prevention and mitigation measures. Intention is revealed also when a terrorist group adds weapons to its arsenal, trains its attack cadre, deploys a surveillance team and conducts dry runs.

Assessing threat factors is not easy and doesn't always produce accurate information. We can see the truth of this in the sketchy results of the assessment activities conducted by intelligence and law enforcement agencies at all levels of government. A business enterprise can hardly do better, but it can try. The CSO can study and evaluate media reports, warnings sent to business corporations by the State Department's Overseas Security Advisory Council (OSAC), State Department travel advisories, and alerts broadcast by the FBI and the Department of Homeland Security. Through networking, the CSO can communicate with contacts in embassies, law enforcement and intelligence agencies, and with industry peers. Risk consulting firms, such as Kroll, can be commissioned to learn of and assess threats to an enterprise's overseas operations. Another source is the judgment and intuition of an experienced CSO.

Probability and Severity
A threat occurrence is evaluated by probability and severity. Given everything known about a terrorist group, what is the probability of an occurrence? Is the probability low, medium or high? What are the likely consequences of an occurrence? Will the protected asset be destroyed or damaged? What effect will that have upon continuing operations? Will people be killed? Will there be collateral damage? Other occurrences can be instructive. If an attack is made on a company's pipelines running through the Andes, other companies in that area and line of business need to tread cautiously.

Probability is difficult to assess and is often determined by educated guesswork. In assessing the probable actions of a terrorist group, the maxim might be: The best indicator of future behavior is previous behavior. Severity, on the other hand, can be assessed with reasonable accuracy once the threat occurrence itself has been postulated in enough detail. The resulting loss of life, injury, property damage and so forth can be estimated in dollars, and is therefore measurable.

Mitigation and Countermeasures
This brings us to a discussion of mitigation and countermeasures. Mitigation is a collection of measures set up beforehand to lessen the impact of a threat occurrence. They can include placing into readiness first aid supplies, personal protective gear, respirators, defibrillators, stretchers, a triage tent, flashlights, walkie-talkies, bullhorns and like items.

To counter a threat occurrence is to prevent it, and if prevention does not succeed, minimize it. Countermeasures can include mundane actions, such as fixing a hole in a fence, or serious actions, such as installing an electronic access control system.

Vulnerability Assessment
An enterprise determines the type and extent of mitigation and countermeasures needed through skillful application of a vulnerability assessment. A VA moves in a step-by-step process to:

  • Identify critical assets.
  • Identify potential threat elements.
  • Estimate the severity of threat occurrences.
  • Identify the enterprise's current capability to mitigate and counter threat occurrences.
  • Identify the absence of measures that are needed to mitigate and counter threat occurrences. (Note: Vulnerabilities are exposures that result from missing measures.)
  • Formulate a scheme for integrating the acquired countermeasures with existing countermeasures.

Enterprise management steps in when the VA is completed and a final report submitted. Ideally, management will accept the VA's findings, institute the formulated scheme, train and equip people, test the scheme, and revise in light of lessons learned.
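As an added example (not from the article, and not any enterprise's actual VA tooling), here is a small Python risk register that puts the pieces above together: each asset's life, property and process impact converted to one dollar figure; a meaningful/non-meaningful cut; a threat occurrence scored by probability band and severity; a single-point-of-failure check over the steps of a process that deliberately ignores purchase price (the Point M device); and, per occurrence, the list of required measures not yet in place, which the VA definition above equates with vulnerabilities. The probability weights, the dollar threshold, and every asset, component and threat in the block are constructed assumptions for illustration.

```python
"""Toy risk register for the article's model: risk as a function of asset and
threat, asset impact converted to dollars, a threat occurrence scored by
probability and severity, and a vulnerability assessment (VA) that ranks
occurrences, flags single points of failure and lists missing measures.

Added example. Every asset, component, threat, dollar figure and probability
weight below is constructed for illustration; none comes from the article.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# The article rates probability low/medium/high by educated guesswork.
# Mapping those bands to numbers is an assumption of this example.
PROBABILITY = {"low": 0.1, "medium": 0.4, "high": 0.8}
MEANINGFUL_THRESHOLD = 100_000.0   # assumed dollar floor for a "meaningful" asset


@dataclass
class Asset:
    name: str
    impact_life: float       # dollars: actuarial value of lives/injuries affected
    impact_property: float   # dollars: repair or replacement
    impact_process: float    # dollars: recovery cost plus sales lost meanwhile

    def impact(self) -> float:
        """The three impact characteristics, converted to one rough dollar figure."""
        return self.impact_life + self.impact_property + self.impact_process

    def is_meaningful(self) -> bool:
        """Non-meaningful assets (office supplies, furniture) drop out of the ranking."""
        return self.impact() >= MEANINGFUL_THRESHOLD


@dataclass
class Component:
    """One step of a process (the article's Point A .. Point Z)."""
    name: str
    cost: float            # purchase price; deliberately NOT used for criticality
    backup_on_hand: bool
    replaceable: bool      # a supplier or an in-house substitute still exists


@dataclass
class ThreatOccurrence:
    element: str              # entity that precipitates the event (group, nature, criminal)
    asset: str                # name of the asset it acts on
    probability: str          # "low" | "medium" | "high"
    severity_fraction: float  # share of the asset's dollar impact actually lost (0..1)
    required_measures: list[str] = field(default_factory=list)
    measures_in_place: list[str] = field(default_factory=list)


def expected_loss(asset: Asset, occ: ThreatOccurrence) -> float:
    """Probability (band -> weight) times severity (fraction of dollar impact)."""
    return round(PROBABILITY[occ.probability] * occ.severity_fraction * asset.impact(), 2)


def single_points_of_failure(components: list[Component]) -> list[str]:
    """A component with no backup on hand and no way to obtain another is a
    single point of failure, whatever it cost."""
    return [c.name for c in components if not c.backup_on_hand and not c.replaceable]


def missing_measures(occ: ThreatOccurrence) -> list[str]:
    """Vulnerabilities are exposures that result from missing measures."""
    return [m for m in occ.required_measures if m not in occ.measures_in_place]


def vulnerability_assessment(assets, components, occurrences) -> dict:
    """Rank occurrences against meaningful assets, flag SPOFs, list gaps."""
    by_name = {a.name: a for a in assets}
    ranked = sorted(
        ((o.asset, o.element, expected_loss(by_name[o.asset], o))
         for o in occurrences if by_name[o.asset].is_meaningful()),
        key=lambda row: row[2], reverse=True)
    return {
        "ranked": ranked,
        "single_points_of_failure": single_points_of_failure(components),
        "missing_measures": {(o.asset, o.element): missing_measures(o)
                             for o in occurrences if missing_measures(o)},
    }


# Constructed sample register (assumed values, not real figures).
ASSETS = [
    Asset("Drug production line", 5_000_000, 2_000_000, 3_000_000),
    Asset("Server rack 7", 0, 20_000, 140_000),
    Asset("Office furniture", 0, 50_000, 0),
]
COMPONENTS = [   # steps of the drug production line
    Component("Mixer (Point A)", 400_000, backup_on_hand=False, replaceable=True),
    Component("Filler device (Point M)", 1_200, backup_on_hand=False, replaceable=False),
    Component("Packager (Point Z)", 250_000, backup_on_hand=True, replaceable=True),
]
OCCURRENCES = [
    ThreatOccurrence("vehicle-bomb group", "Drug production line", "low", 1.0,
                     ["vehicle standoff barriers", "access control"], ["access control"]),
    ThreatOccurrence("earthquake", "Server rack 7", "medium", 0.5,
                     ["seismic bracing", "offsite backup"], ["offsite backup"]),
    ThreatOccurrence("criminal theft", "Office furniture", "high", 0.2),
]

if __name__ == "__main__":
    for key, value in vulnerability_assessment(ASSETS, COMPONENTS, OCCURRENCES).items():
        print(f"{key}: {value}")
```

Running it ranks the low-probability bomb above the medium-probability earthquake because severity times dollar impact dominates, drops the furniture from the ranking as non-meaningful, and flags the $1,200 filler device, not the $400,000 mixer, as the single point of failure; the missing-measures output is the gap list that management is asked to fund.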

A distinction needs to be made between a vulnerability assessment and a security vulnerability assessment (SVA). The SVA is focused on one particular critical asset: the security system itself. Compared to a VA, the SVA is less complex and far-reaching, can be done in a shorter period of time, and is usually conducted by the chief security officer and/or outside persons familiar with security.

Assessment of risk, while fraught with uncertainties, is a straightforward process for identifying an enterprise's security-related exposures.

John Fay welcomes your comments at [email protected].