Access controls, intrusion detection, CCTVs—these tools all have their place. But unless the complete systems are designed and installed based on a proper risk analysis, they will result in little more than the illusion of protection. Real security can be achieved only when precious resources are carefully allocated to security’s most pressing needs. That’s a statement every security professional would immediately concur with, no doubt—but there’s a catch. How does one define “most pressing needs”? A typical corporate security department will probably look at a list of risks, ranging from internal theft to terrorism and natural or man-made disasters, and decide that the most pressing need is to defend the company against theft, which is common, rather than against supposedly unlikely but devastating human attacks. That’s a potentially fatal mistake, as evidenced by the Oklahoma City bombing and many other acts of terrorism.
Rather than disregarding low-probability risks, security professionals should look at the consequences of the potential loss. This is known as consequence analysis. It asks: What would happen if I lost this asset? Whether it be the secret rocket fuel formula, the lives of children at the high school, the chief executive’s life, or the one-of-a-kind chemical processing plant, if the answer is “we can’t afford to lose this asset,” then you can’t afford not to protect it. Period.
That answer means the company can’t afford not to protect that asset against any real threat, even if the probability of its occurrence is low. Security professionals may view this as a lofty and impractical goal that could not be accomplished given limited budgets. But consequence planning need not cost more than the traditional approach to security if it is executed properly, as the examples accompanying the discussion of the process that follows will illustrate.