Plan Ahead and Cut Your Losses

How to perform a site security survey and build a vulnerability/impact/risk matrix

Make sure to number and photograph vehicle and people entrances. This will be useful in developing later recommendations or in making changes of security camera locations and their views. Grade each access and security video point.

- "A" is for those functioning properly.
- "B" functions properly but has cosmetic issues.
- "C" is for doors and cameras that require maintenance or changes in positioning.
- "D" indicates that a defective or ineffective item needs to be replaced or upgraded.
- "F" indicates a need for a camera or, in the case of door controls, a code violation, which will require a new installation or product replacement.

Put matrix numbers to the test

The next step of the site security survey is appreciating the threats and vulnerabilities associated with the site. Different than a site security survey, a threat assessment considers the full spectrum of threats (i.e., natural, man-made, accidental) for a facility, location or camera point. The assessment adds supporting information to evaluate the likelihood of occurrence for each threat and how vulnerable the site is (see chart to left).

Post the general threats previously identified:

- Accidents involving employees and visitors
- Natural disasters
- Data loss
- Fraud
- Intellectual espionage
- Vandalism
- Threats to people
- Physical theft
- Brand and reputation attacks

Then, rank the potential impact on the business for each. Impact of loss is the degree to which the mission of the business is impaired by a successful attack from the given threat. A key component of the vulnerability assessment is properly defining the ratings for impact of loss and vulnerability.

Devastating: The facility or the enterprise's reputation is damaged or contaminated beyond near-term use or value. Most items or assets are lost, destroyed or damaged beyond repair and restoration. A violent incident may close the facility or a crucial part of it for a significant number of days. The number of visitors to the facility and others in the organization may be reduced by up to 75 percent for a period of time. An example would be an earthquake.

Severe: The facility or the enterprise's reputation is partially damaged or contaminated. Examples include partial structure breach resulting in weather/water or a severe criminal incident, smoke, workplace violence, major fraud or fire damage to some areas. Some items or assets in the facility are damaged beyond repair but the facility remains mostly intact. The entire facility may be closed for a shorter period of time. The number of visitors to the facility and others in the organization may be reduced by up to 50 percent for a limited period of time. An example is a workplace violence incident that includes multiple loss of life and national media coverage.

Noticeable: The facility is temporarily closed or unable to operate but can continue without an interruption of more than one day. A limited number of assets may be damaged but the majority of the facility is not affected. The number of visitors to the facility and others in the organization may be reduced by up to 25 percent for a limited period of time. Air conditioning was disabled.

Minor: The facility experiences no significant impact on operations (downtime is less than four hours) and there is no loss of major assets. The parking garage wall suffers graffiti. Vulnerability is often a combination of the attractiveness of a facility as a target and the level of deterrence or defense provided by existing counter-measures that can include policies, procedures, products and services. Target attractiveness is a measure of the asset, reputation or facility in the eyes of an aggressor and is influenced by the function and/or symbolic importance of the facility. Sample definitions for vulnerability ratings include very high, high, moderate and low.

A combination of the impact of loss rating and the vulnerability rating can be used to evaluate the potential risk to the facility from a given threat. A vulnerability/impact/risk matrix can display overall elements or drill down to specific locations such as the perimeter, parking garage, entrance and exit doors, hallways, computer center and security command and control. Indeed, there is a need to fill in the matrix based on specific threats linked to specific locations and their existing security measures.

The overall assessment