*****Risk Analysis and Security Countermeasure Selection. By Thomas L. Norman, CPP, PSP, CSC (Certified Security Consultant); published by Taylor & Francis Group/CRC Press, available from ASIS, item #1878, 703/519-6200, www.asisonline.org; 422 pages; $59 (ASIS members), $65 (nonmembers).
A thorough risk analysis forms the basis of any comprehensive security program. Because such analyses are complex and time-consuming, various software programs are available to assist in the effort. But author Thomas L. Norman asserts that by following the guidance laid out in this detailed book, security managers can do it themselves with software that’s probably already on their office computers: Microsoft Excel.
The tradeoff is time for money. What you save in dollars you will have to spend in building the solution from the ground up. In other words, this book is indeed for the do-it-yourselfer. Understanding the entire process as laid out by the author, creating the various spreadsheets, then working through them takes a considerable amount of time.
There is no doubt that Norman himself spent considerable time devising the process, which he presents in the book. He provides step-by-step lists for building various matrices, but the reader will still have to devote several hours to creating and fully exploiting them.
The book has room for improvement in some critical areas. There are a few technical errors, and the matrix process is based on the 2003 version of Excel. If you are unfamiliar with it or use another spreadsheet application, you may experience difficulty following the process. It would be of great benefit if sample matrices were provided in a few instances.
The layout of the book is also occasionally confusing. Summaries clarify some issues, but at times they simply repeat information in considerable detail, defeating their purpose. Some summaries get so technical that the point of the discussion is easily lost.
This is definitely a book for the advanced security practitioner. Despite its problems, it outlines an excellent methodology and is well worth the effort required to read it and work through the process the author describes.
Reviewer: Glen Kitteringham, CPP, is a 20-year security industry veteran and president of Kitteringham Security Group Inc., which provides security consulting services globally. He holds a master’s degree in security and crime risk management and is ASIS International regional vice president for Canada.