Securing a Security Budget: Probable Threats vs. Describable Threats

One of the greatest challenges for any security professional is to convince management to provide an adequate budget to protect corporate assets. One of the more recent trends in the industry is to provide management with a calculated return on security investment based on various formulas that are currently being circulated. Proponents of this concept feel that security threats and risks can be quantified, allowing security professionals to provide hard figures to justify security expenditures. Naysayers feel there are too many variables present that prevent the ability to accurately quantify risks and threats.

Although some formulas can be helpful in showing how security investments may impact the bottom line, there are other methods that can be beneficial as well. One method that can prove helpful is to focus on the probable threats to a business instead of the describable threats. Attending a security conference of any size would frighten any executive management team. Presentations are provided on all possible threats and risks to businesses in every industry. From the material provided, it would appear that all is lost-businesses are under attack constantly and from all directions. From a management perspective, the threats are overwhelming and confusing.

Instead of describing all possible threats to a business, it is prudent to present the probable or most likely threats to a particular business or industry. If a management team is approached in this manner, they are more likely to free up resources for security implementations, since they can see they are protecting themselves from specific threats.

The Disney Probable Threat Model
One good example for dealing with a probable threat is the preparation of a business or community that lies in the direct path of a hurricane. Unlike a tornado, a hurricane's path can be determined with a fair amount of certainty, allowing ample time to prepare for the storm. I had the unique opportunity of watching preparations for Hurricane Charley while vacationing in Florida this past August. Although I would not recommend placing your family in the path of a hurricane as part of your vacation plans, it is an experience that is not easily forgotten. I had taken my family to Orlando for what my children determined was a long-overdue trip to the Disney theme parks. On Thursday, August 12, it was apparent that Hurricane Charley was going to hit the southwest Florida coast the next day. I began wondering whether the hurricane would threaten my family. It initially appeared that the hurricane would hit Tampa and proceed northeast, missing Orlando. However, upon waking on Friday, we saw a report that the hurricane would in fact make landfall near Punta Gorda, about 100 miles south of Tampa. With its northeasterly route, it looked as if we were directly in the path of a powerful hurricane. The management at Disney thought that the threat was so probable that they opened only three of their four parks that day, and closed them all at 1:00 pm. When we arrived at Epcot Center, preparations were underway for the impending storm. The vendor carts were not in use and were being secured in place using strong straps that were bolted to the concrete. Chairs and other furniture were being stacked and secured. Many cloth awnings were being removed. There was a great deal of activity, little of which had to do with the guests' entertainment. By the time we left for the day, the ticket booths were wrapped with plastic to protect the windows.