In consequence analysis, the relationship among threats, assets, the probability of loss, and the consequences of loss of that asset is examined to determine what resources should be used to protect the asset. If loss of an asset can be tolerated, even temporarily, or if risk can be transferred through insurance, the asset will not require as much protection. But if insurance or recovery actions will not provide for continued operations while the asset is replaced or repaired, it becomes necessary to consider how best to protect this asset. The four elements of this process are identifying threats, identifying critical assets, determining probability of attack, and determining consequences of loss.
Identifying threats. Each facility faces a spectrum of malevolent human threats that must be identified. Each threat must be considered in terms of class (outsider or insider), tactics (force, stealth, or deceit), goals (theft, sabotage, or extortion, for example), motivation (ideology, mental instability, or financial gain, for instance), and capability of the adversary (such as number of adversaries and access to weapons).
A good threat analysis describes a range of threats based on the assets to be protected. Threats change regularly, so periodic review of the threat spectrum must occur.
Identifying assets. Another step in consequence analysis is determining the assets that require protection. Most large facilities have a range of physical assets, including unique equipment, telecommunications lines, and computer networks, as well as information assets, such as marketing data, human resource databases, chemical formulas, and strategic planning information. Of course, the well-being of personnel, customers, and others is also an asset to be protected.
The key to deciding which assets require what levels of protection is the asset’s value, which must be ranked relative to other assets, with the primary factor being whether the company could continue to operate without it. It is not, however, always obvious which assets are most critical. Security professionals and corporate executives making these judgments should start by clearly stating corporate goals and objectives, after which, for each asset, one can ask: Can the goal be achieved without this function, process, material, or person?
Probability of attack. The next part of the equation is the likelihood of attack. Several approaches are available to determine the probability of attack, including examination of the site’s historical records as well as a look at statistics for other similar sites. Consultation with others in similar industries, professional associations, or law enforcement agencies is also advisable. Determining probability of attack can also be done by looking at statistics for similar sites.
Consequence of loss. Next, the consequence of loss should be determined, in terms of lost dollars, reputation, lives, and other factors. Consequence of loss should be expressed in terms of how it will affect the organization.
High-consequence events, even if they are relatively low probability, cannot be borne easily, so they must be prevented. For example, this approach might show that it is preferable to concentrate available resources on protecting trade secrets, preventing sabotage, or stopping workplace violence than on protecting employee cars from vandals. The latter, a low-consequence loss, might be better addressed through insurance rather than through security’s limited budget. (Although it is also possible that the end result of addressing the high-consequence loss will be to reduce the occurrences of low-consequence, higher-frequency problems such as vandalism.)
Putting it together. A consequence analysis is an effective way to show the relationship among threat, asset, and consequence. Specific threats can be plotted in a matrix , in which the vertical axis represents the relative consequence of the loss of the asset and the horizontal axis represents the probability of an attack by an adversary. The matrix shows which assets face the highest probability of attack and which attacks have the highest potential to stop operations. Using consequence analysis, unnecessary expense can be avoided by evaluating specific threats to each facility and implementing the solutions needed to prevent that sort of attack.
One of the most useful aspects of consequence analysis is its ability to convince senior executives and other decision makers to protect areas of highest exposure. It helps executives understand and reduce the security risk to the corporation or facility and enables the security organization to demonstrate its value to the corporate enterprise.
Only when the relationship among threats, assets, probability, and consequences is understood can security system design begin. For some threats, particularly low-consequence, low-probability threats, procedural changes may suffice. For others, manpower and technology will be necessary.
The following two examples depict consequence analysis in planning as performed by a consulting team of security specialists at Sandia National Laboratories. The locations represent two specific sites, but certain details have been modified to protect the identities of the sites. The examples are not meant to be prescriptive. The basic idea is that there is a relationship among threat, asset, probability of attack, and consequence of loss. The process is always the same, even though individual facilities may have different threats, assets, and other characteristics. Using the matrix helps graphically relate these issues and helps determine how to allocate resources, after which system design can be determined.