In our security consulting practice we are often asked to conduct security surveys. We are also asked to do security audits. Some clients ask for vulnerability assessments. Others ask for risk analyses. Some of these clients do not realize they are asking for different things. Each of these tools can be used to determine the "Why?" of a client's security program, before moving along to the "How?" It is important to know the difference when contracting for a security consultation.
A security survey consists essentially of mapping existing systems or programs. Surveys involve visiting a site or evaluating a process for obvious risks. There are pencil and paper checklists, some simple, some complex. There are automated tools, most of them expensive. Some surveys are published by professional organizations; others are intuitive assessments that draw upon a lifetime of professional experience. In short, there are as many security surveys as there are persons or firms willing to do them. Be certain you are paying for the survey you require.
A security audit is a means of measuring or testing existing programs against client documentation or expectation. A common sort of audit is an access control study, where a person tests the effectiveness of lobby visitor controls and the willingness of employees to violate a building's access controls by granting access to strangers. Audits can also take the form of documentation reviews or evaluation of security officer knowledge and competence.
A vulnerability assessment determines the threat posed to critical assets, usually without regard to the probability that an attack against the assets will occur. This can be a useful tool when determining how to apply protection to assets we cannot afford to have damaged even though the likelihood of an attack is low. Used by itself, sometimes a vulnerability assessment can result in rather aggressive, or unrealistically expensive, security recommendations, since risk is not taken into account. We are all equally vulnerable to the effects of a mile-wide asteroid striking Earth. The likelihood it will happen is determined by risk analysis.
The classic risk analysis equation calls for a loss prevention survey and the identification of vulnerabilities. Then one determines the probability, frequency and cost of loss. The product of this calculation is the annual loss expectancy (ALE). This works better across a large population (nationwide car theft rates, for example) or where losses are frequent, such as in the case of shoplifting. An ALE calculation does not do us much good when we're trying to determine whether we should worry about someone trying to blow up the Hoover Dam with a truckload of stolen fertilizer. The reported rate of such attacks is zero, which results in an ALE of zero.
Sandia National Laboratories Risk Assessment Methodology
Sandia National Laboratories, long a defender of high-value assets for the U.S. government and other nations, has lately turned its sights on protecting critical public infrastructure such as water treatment facilities, dams, power transmission and chemical facilities. Their Community Vulnerability Assessment Methodology is used to assess and reduce risk to public venues. Sandia has reduced the risk analysis problem to an equation: R = PA(1 - PE)C. The probability of attack (PA) evaluates the existence of a threatening organization, its capabilities, its history or expressed intention to harm similar clients or organizations, and whether the threat is targeting a specific client. System effectiveness (PE) is tested using detailed adversary sequence diagrams to determine the ability of the current protection and operating systems to detect, assess, delay and neutralize its attackers. The consequence of an attack (C) calls for a facility characterization using tools such as fault tree analysis and consequence tables to rank critical assets and the real-life harm that will occur if an attack is successful.
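As an added illustration (not code from the article or from Sandia), the two calculations above side by side in Python: the classic ALE, which collapses to zero when the reported rate of an event is zero, and Sandia's R = PA(1 - PE)C, which still produces a usable figure for a low-frequency, high-consequence event and shows what an abatement measure buys. All scenario figures, and the PA, PE and C values, are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LossScenario:
    name: str
    annual_frequency: float   # reported losses per year; 0.0 if none on record
    cost_per_loss: float      # loss per event, in dollars (constructed figures)


def annual_loss_expectancy(s: LossScenario) -> float:
    """Classic ALE: how often a loss occurs per year times what each one costs."""
    return s.annual_frequency * s.cost_per_loss


def sandia_risk(p_attack: float, p_effectiveness: float, consequence: float) -> float:
    """Sandia R = PA(1 - PE)C: likelihood of attack, times the chance the
    protection system fails to stop it, times the harm if it succeeds."""
    for p in (p_attack, p_effectiveness):
        if not 0.0 <= p <= 1.0:
            raise ValueError("PA and PE are probabilities in [0, 1]")
    if consequence < 0:
        raise ValueError("consequence must be non-negative")
    return p_attack * (1.0 - p_effectiveness) * consequence


def abatement_benefit(p_attack: float, pe_before: float, pe_after: float,
                      consequence: float) -> float:
    """Annual risk removed by raising system effectiveness from pe_before to pe_after."""
    return (sandia_risk(p_attack, pe_before, consequence)
            - sandia_risk(p_attack, pe_after, consequence))


# Constructed scenarios: illustrative numbers, not data from the article.
SHOPLIFTING = LossScenario("shoplifting", annual_frequency=500.0, cost_per_loss=60.0)
DAM_ATTACK = LossScenario("truck bomb at dam", annual_frequency=0.0, cost_per_loss=1e9)


def compare() -> dict:
    """ALE for both scenarios, plus Sandia R for the one with no loss history."""
    return {
        "ale_shoplifting": annual_loss_expectancy(SHOPLIFTING),
        "ale_dam": annual_loss_expectancy(DAM_ATTACK),   # zero: no reported rate
        # assumed PA = 0.05, PE = 0.6, C = cost of a successful attack
        "sandia_dam": sandia_risk(0.05, 0.6, DAM_ATTACK.cost_per_loss),
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k}: ${v:,.0f}")
    # Raising PE from 0.6 to 0.9 is the abatement decision: weigh this figure
    # against what the upgrade costs before buying it.
    print(f"benefit of PE 0.6 -> 0.9: ${abatement_benefit(0.05, 0.6, 0.9, 1e9):,.0f}")
```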
Risk Management Strategies
Most clients end up requesting a blend of the services described above. The result is usually a prioritized list of concerns. Once you understand your risks, what can be done about them? There are several risk management strategies: avoidance, transfer, abatement, spreading and assumption.
Avoidance means simply removing the target. Sometimes this is a reasonable approach, such as stocking only the absolute minimum of high-risk inventory items, or having items drop-shipped from the manufacturer directly to the end user. Sometimes, such as when a firm decides not to do business in a certain neighborhood, it can constitute inappropriate, and even illegal, "red lining," which threatens to deny constituencies needed services.
Transfer is a term that in this context means insurance. We find, through insurance firms or brokers, institutions willing to bet we will not suffer a loss. In exchange for being the beneficiary of this bet, we pay an annual fee, our insurance premium. Most organizations use insurance to mitigate risk. Most insurance companies or brokers insist their clients reduce the risk of loss through abatement.
Abatement, also called loss prevention or mitigation, is where most security professionals ply their trade. Risk is reduced through the thoughtful, timely and cost-effective application of security architecture, systems, personnel, programs and employee involvement. Once you have determined your risks, you may decide to develop or enhance your security policy and procedures.
New programs may need to be developed to protect new initiatives. Crime prevention through environmental design (CPTED) uses the built environment to enhance security for the intended users of a space while increasing feelings of insecurity on the part of unwanted visitors. The integrated implementation of security systems has a role to play in many properties. At some sites, security personnel carry out security policy, procedures and programs. The final and most important test of all security precautions is the degree to which employees are aware of and support the program.
Spreading means distributing your assets to multiple locations where they cannot all be attacked at once. This does not work for all businesses, but is an option for some. Assumption is also called self-insurance. Risk is dynamic. There is a trade-off between the risk of failure and the rewards of success. At some point, most businesses agree that risk has been reduced sufficiently and that the remainder is accepted by the enterprise as the cost of doing business. Business executives are frequently more comfortable with this concept than are most security professionals.
You Get What You Pay For
You will certainly pay for your security consultation one way or another. Some security guarding providers or security system integrators offer "free" consultation, but rest assured their time is paid for from their overhead. There are some very good people working for these firms, but be careful about asking a guard company whether you need guards, or asking a systems installer how many security cameras you need. A brand- and vendor-independent consultant has no product to sell, other than professional advice. Independent consultants sink or swim based upon the value of the information they provide and the quality of the projects they manage.
Choosing Your Consultant
What experience does your consultant have? A career in law enforcement may, or may not, translate into the ability to provide effective security consultation. Who are your prospective consultant's references? What are your consultant's qualifications, certifications, and credentials?
If fraud is the primary threat to your enterprise, a certified fraud examiner credentialed by the Association of Certified Fraud Examiners (www.cfenet.com) may be right for you. If the security of your information systems is at the top of your list, there are professionals who have attained the Certified Information Systems Security Professional certification, a credential granted by the International Information System Security Certifications Consortium (www.isc2.org), also known as (ISC)2. If you need a security generalist, a Certified Protection Professional (CPP), board certified in security management by ASIS International (www.asisonline.org), may be what you are looking for. ASIS International recently added two new certifications. The Professional Certified Investigator credential is for experienced investigators. The Physical Security Professional is a certification for physical security professionals.
A Final Word
Security is a process used to manage risk. If you have carefully determined your risk, the effectiveness of your security program's response to it can be measured. Security has a real cost. Prepare to spend your security dollar wisely; conduct a risk analysis before you begin to change your security program.
Michael Brady, CPP, ABCP, is a senior consultant at SecuriCo Inc. (www.securico.com), a consulting, system design and project management firm. He has more than two decades of experience in corporate security and safety. Mr. Brady has completed the Sandia National Laboratories Risk Assessment Methodology-Water Utilities and Community Vulnerability Assessment programs. He is a member of the International Association of Professional Security Consultants (www.iapsc.org) and has served as an instructor for the University of California Santa Cruz Extension Security Management Certificate program.