Why you should fine-tune your security assessments

Oct. 14, 2015
5 ways to make your assessment program more effective and easier to perform

Many of today’s organizations are undergoing a very high degree of change, while at the same time the overall pace of business continues to increase. The risk picture of most organizations is changing as a result. This is why security and risk management professionals need to “up their game” when it comes to risk assessment. This article presents five ways to make your assessment program more effective and at the same time easier to perform.

New Standard

Fortunately, a new ANSI Risk Assessment standard has just been released, a collaborative effort by ASIS International and the Risk and Insurance Management Society. The 37 working group members who crafted this document form a list of highly experienced risk assessors, whose real-world experience is reflected in the well-organized and highly valuable material that you will find in the standard.

Download an executive summary of the standard here. Purchase your copy (free for ASIS members) here. Its official title is: ANSI/ASIS/RIMS RA.1-2015, Risk Assessment.

The standard provides guidance on developing and sustaining a coherent and effective risk assessment program. It covers key assessment principles, managing an overall risk assessment program, and performing individual risk assessments. This material applies to the performance of risk assessments for the disciplines of risk, resilience, security, crisis, business continuity, and recovery management. It is consistent with ISO 31000:2009 Risk management - Principles and guidelines, as well as the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management framework.

Be Encouraged!

Don’t let the paragraph above discourage you in any way! Many practitioners have found earlier assessment standards and methods to be burdensome in execution, and difficult to apply given organizational resource constraints and time pressures. This is one reason to fine-tune your assessments and develop an assessment program that is doable within whatever resource constraints you have.

The following two extracts from the assessment standard show the degree to which the standard supports realistic assessment efforts, while at the same time maintaining the integrity of the assessment process and its results. 

Stay Within Your Organization’s Capabilities

“When choosing a risk assessment methodology, care should be given to remaining within the organization's capabilities. The methodology should follow a logical process by which the inputs into an assessment are evaluated to produce the outputs that inform the decision-making processes. When trying to determine the methodology, previous assessments or an industry accepted approach may be a good starting point, but should be reevaluated for appropriateness and tailored to the current circumstances. Choice of methodology should also consider data availability and resource constraints.” (From section 5.5.5 Identifying Risk Assessment Methods.)

Keep It Simple

“There is no single methodology that is appropriate for measuring the likelihood and consequences of various risks. Each methodology requires independent judgment regarding its design. In some cases, it may not even be possible, or necessary, to explicitly determine likelihood and consequence. As a general rule, simple methodologies are less prone to errors and are easier for stakeholders to understand, as well as more likely to fulfill the principles of transparency and practicality. The methodology that best meets the decision-maker's needs is generally the best choice, whether quantitative or qualitative.” (From section 5.5.5 Identifying Risk Assessment Methods.)

Albert Einstein is credited with saying, “Everything should be made as simple as possible, but no simpler.” Risk assessments benefit from applying that principle.

Note that this assessment standard takes into account the important fact that there are assessment stakeholders who need to:

  • Understand enough about the assessment to support its approval
  • Know enough to help facilitate the gathering of data
  • Review and understand the assessment results
  • Assist in getting the recommended improvements implemented

A risk assessment is of little value to the organization if its recommendations are not implemented.

Decision Support

The basic purpose for a risk assessment is to provide an understanding of risks and risk treatment options so that management can make effective risk management decisions. Providing a list of recommended actions without providing an understandable rationale for them undermines the decision-making process, and fails to fully enable management to take appropriate action. Remember that there is competition for organizational resources. Executives usually don’t have the same understanding of the organization’s risk picture that risk practitioners do. Other aspects of the business are clearer in their minds than most risk factors. Proposed business improvements can often seem more important than proposed risk reduction measures. Sometimes an apparent high tolerance for risk is based on a lack of insight into the risk factors. Risk assessment reports should be educational in the sense that they provide risk picture insights to the assessment stakeholders.

Why Fine-Tune Your Security Risk Assessments?

Reasons for fine-tuning your security risk assessments include:

  • Make your assessments easier to execute.
  • Improve management support of your effort.
  • Enable management to more effectively support improvements in security, business continuity, crisis management and organizational resilience.
  • Make your assessment approach a better fit to your organization’s risk picture.

Five Ways to Fine-Tune Your Risk Assessments

  1. Establish an assessment program context. In the “old days” practitioners would aim to perform facility security assessments, information security assessments, and other types of assessments at three-year or five-year intervals. The rate of business change today warrants much shorter intervals, plus the ability to update the risk picture whenever the business or the business environment changes. Determine the true assessment needs of your organization; briefly outline a program to accomplish them; make a list of the program’s benefits; identify the key stakeholders; and present the concept in one-on-one discussions. Since everything can’t be assessed at once, ask the stakeholders which parts of the risk picture they are most interested in. Once their thinking is primed by the initial conversation, subsequent discussions will be even more productive.
  2. Assess and expand your resources. Resources go beyond the time, money and assessors available for the assessment. The support of senior management and of the heads of functional areas is a key resource. A little advance educational work, such as socializing the assessment program context, can go a long way toward building support from key executives and managers. An overall senior sponsor who will visibly and vocally support the assessment program is usually a missing resource that is worth taking the time to establish. Use the Stakeholder Ladder of Involvement tool (described in the book Security Education, Awareness and Training by Roper, Fisher and Grau) to rate the assessment stakeholders and set realistic objectives for their level of involvement. You may be surprised at how much this simple step makes extending your influence easier and more effective.
  3. Find out how well-aligned your function is within the organization. A certain amount of separation commonly develops within organizations, because each functional area is busy concentrating on getting its own part of the work done. Silos can form, with little interaction and little mutual understanding between them. Use the Relationship and Allies Worksheet from the Rate Your Security Program set of tools to get valuable insight into your function’s relationships with other business functions.
  4. Simplify the assessment effort. Set the scope of the next assessment to be as narrow and simple as possible while still providing a worthwhile result. Keep in mind that the first assessment a stakeholder experiences can have a significantly positive educational impact. To the greatest extent possible, use plain language when explaining and discussing the key concepts and assessment steps. Keep the business culture in mind; learn and follow the collaborative approaches that work best in your organization. For example, consider using the simple assessment provided by the Insider Threat Micro Assessment Template, an easy-to-perform action that rates your organization’s insider-threat mitigation measures against 19 insider-threat mitigation best practices. It is very enlightening to the people in HR, Legal, IT, Security, management and the various other information protection stakeholders. Usually, the first assessment that stakeholders come to understand raises their risk awareness significantly and prompts them to start discussions about risk on their own initiative. This makes your assessment follow-up work easier.
  5. Share the credit. In your assessment report, acknowledge the stakeholder contributions. Based upon how things are done (or should be done) within your organization, give appropriate acknowledgement not just to the assessment contributors, but to those who implement and/or maintain the resulting improvements. A personally written thank-you letter, with a copy to the stakeholder’s higher-ups and HR, is an important step that is often overlooked. Whether such a letter comes from you or from the senior assessment sponsor, it will foster invaluable good will and help to further “get the word out” about the value of risk assessments. Furthermore, when subsequent re-assessments show that risk mitigation measures continue to be effective, remember to acknowledge the ongoing efforts that maintain those measures.

Strength Over Time

Fine-tuning your assessment program is not an overnight action. However, you can easily make orderly progress by taking steps at periodic intervals, much to the benefit of your position and your organization’s risk posture.

About the Author

Ray Bernard, PSP, CHS-III

Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (www.go-rbcs.com), a firm that provides security consulting services for public and private facilities. He has been a frequent contributor to Security Business, SecurityInfoWatch and STE magazine for decades. He is the author of the Elsevier book Security Technology Convergence Insights, available on Amazon. Mr. Bernard is an active member of the ASIS member councils for Physical Security and IT Security, and is a member of the Subject Matter Expert Faculty of the Security Executive Council (www.SecurityExecutiveCouncil.com).

Follow him on LinkedIn: www.linkedin.com/in/raybernard

Follow him on Twitter: @RayBernardRBCS.