Security Technology Executive, July 2005
Security's Role in Enterprise Risk Management
What are your responsibilities in managing risk for the total enterprise?
By John Fay
My grandson Randy called me this morning to let me know that he and two of his buddies would be leaving later in the day to drive from Atlanta to Las Vegas. Randy's barely 21 and he's known to have done unwise things in his short life, so I told him to be careful because a long drive like that was risky. He assured me he would. When I hung up I pondered on the word "risky." The risk in this case is that the car could crash and that Randy could be injured or killed (God forbid).
In security-speak, Randy is the asset and a traffic crash is the threat. If Randy would let me, I'd manage this risk by keeping him home or canceling the trip. The first option, keeping him home, moves the asset out of harm's way. The second option, canceling the trip, eliminates the threat. Simply stated, risk is a function of two variables: asset and threat. Remove either or both, and risk disappears. Risk is determined by the dynamic relationship between asset and threat. The implication for the chief security officer of an enterprise is the need to adjust protective measures relative to risk. We can see the principle in action when DHS informs the nation (asset) of a possible terrorist act (threat).
Characteristics of the Asset
Risk assessment begins to get complicated when we characterize the asset. To do so, we ask a three-part question: If the asset were lost, damaged or destroyed, what would be the probable impact on human life, physical property and process? When the asset is life, we can count the number of people likely to be affected in certain ways. We can use dollars to determine probable impact because actuarial groups have calculated the dollar value of a life, as well as limbs and bodily functions.
As to the impact on physical property, we have a handle on the dollar cost of repair or replacement.
Determining probable impact on process is a bit more complicated. Process is a combination of work activities that perform a function. In a manufacturing setting, process can be a series of activities that construct a product on an assembly line; in an information technology environment, process can produce decision-related information by electronic manipulation of data.
Loss of process can be minor, such as a partial and temporary interruption, or major, such as total and permanent shutdown. The loss-of-process impact is measurable in the dollars spent returning the process to normal operation and the dollars lost in the meantime from sales not made.
Although disparate, the three impact characteristics of an asset are amenable to dollar conversion, a rough measuring stick that can help in estimating the magnitude of consequences should an adverse event take place. The measuring stick is also a decision-making tool. If Asset A has a greater value than Asset B, it stands to reason that the protective measures for A should be greater than those for B.
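As an added illustration (not code from the article or its author), the three-part impact question above expressed as a small Python calculator: life, property and process impacts are each converted to dollars, process loss is restoration cost plus sales lost during the outage, and assets are ranked so the higher-value asset gets the stronger protective measures. The asset figures and the actuarial value per person are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class AssetImpact:
    """Probable impact if this asset were lost, damaged or destroyed."""
    name: str
    people_affected: int       # impact on human life: people likely to be affected
    value_per_person: float    # assumed actuarial dollar value per person
    property_cost: float       # impact on physical property: repair or replacement cost
    restoration_cost: float    # process: dollars spent returning it to normal operation
    outage_days: float         # process: how long the interruption lasts
    daily_sales: float         # process: sales the process normally generates per day
    capacity_lost: float       # process: 0.0 = no interruption .. 1.0 = total shutdown

    def life_impact(self) -> float:
        return self.people_affected * self.value_per_person

    def property_impact(self) -> float:
        return self.property_cost

    def process_impact(self) -> float:
        # Restoration spend plus sales not made while capacity is reduced.
        lost_sales = self.outage_days * self.daily_sales * self.capacity_lost
        return self.restoration_cost + lost_sales

    def total_impact(self) -> float:
        # The rough dollar measuring stick: all three characteristics summed.
        return self.life_impact() + self.property_impact() + self.process_impact()


def rank_assets(assets: list[AssetImpact]) -> list[AssetImpact]:
    """Highest probable impact first: protect these assets most strongly."""
    return sorted(assets, key=lambda a: a.total_impact(), reverse=True)


# Constructed sample assets (hypothetical figures, not from the article).
ASSET_A = AssetImpact("assembly line", people_affected=2, value_per_person=1_000_000.0,
                      property_cost=500_000.0, restoration_cost=50_000.0,
                      outage_days=10, daily_sales=100_000.0, capacity_lost=0.5)
ASSET_B = AssetImpact("order-processing system", people_affected=0, value_per_person=1_000_000.0,
                      property_cost=200_000.0, restoration_cost=150_000.0,
                      outage_days=30, daily_sales=100_000.0, capacity_lost=1.0)

if __name__ == "__main__":
    for asset in rank_assets([ASSET_A, ASSET_B]):
        print(f"{asset.name}: ${asset.total_impact():,.0f}")
```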