Risk Analysis and Security Countermeasure Selection

By Thomas L. Norman, CPP, PSP


*****Risk Analysis and Security Countermeasure Selection. By Thomas L. Norman, CPP, PSP, CSC (Certified Security Consultant); published by Taylor & Francis Group/CRC Press, available from ASIS, item #1878, 703/519-6200; 422 pages; $59 (ASIS members) $65 (nonmembers).
A thorough risk analysis forms the basis of any comprehensive security program. Because such analyses are complex and time-consuming, various software programs are available to assist in the effort. But author Thomas L. Norman asserts that by following the guidance laid out in this detailed book, security managers can do it themselves with software that’s probably already on their office computers: Microsoft Excel.
The tradeoff is time for money. What you save in dollars you will have to spend in building the solution from the ground up. In other words, this book is indeed for the do-it-yourselfer. Understanding the entire process as laid out by the author, creating the various spreadsheets, then working through them takes a considerable amount of time.
There is no doubt that Norman himself spent considerable time devising the process, which he presents in the book. He provides step-by-step lists for building various matrices, but the reader will still have to devote several hours to creating and fully exploiting them.
The book bears room for improvement in some critical areas. There are a few technical errors, and the matrix process is based on the 2003 version of Excel. If you are unfamiliar with it or use another spreadsheet application, you may experience difficulty following the process. It would be of great benefit if sample matrices were provided in a few instances.
The layout of the book is also occasionally confusing. Summaries clarify some issues, but at times they simply repeat information in considerable detail, defeating their purpose. Some summaries get so technical that the point of the discussion is easily lost.
This is definitely a book for the advanced security practitioner. Despite problems, it outlines an excellent methodology and is well worth the effort required to read it and work through the process outlined by the author.

Reviewer: Glen Kitteringham, CPP, is a 20-year security industry veteran and president of Kitteringham Security Group Inc., providing security consulting services globally. He holds a master’s degree in security and crime risk management and is ASIS International regional vice president for Canada.


An Excellent Resource for Security Professionals

I have known Tom Norman for many years, and I do not know anyone that can match him for the depth of knowledge and experience he has in the security profession. He has a gift for understanding and communicating the essence of something: he can tell you not only what is important, but why it is important, and how it relates to other components within an overall security system. I consider his books to be essential toolbox works, destined to be dog-eared, annotated, and bristling with Post-It Notes. They don't belong on the bookshelf, but in the field or on the desk, where you can reach them easily. 

Risk Analysis and Security Countermeasure Selection does not disappoint. It is rich in detail, filled with how-to information that will guide the reader through the risk analysis process from the beginning to the end. The section on selection of methodologies provides the reader with information on what is available and their strengths and weaknesses. The author contributes one that he developed from studying al Qaeda: the KSM-Asset Target Value for Terrorism Matrix. Named for Khalid Shaikh Mohammed, it provides a methodology for asset target valuation that closely mirrors the apparent priorities of the foremost terrorist network in the world today, giving security professionals insight into the relative value their assets may have to a terrorist adversary.

There is also a short (6-page) section on how to build your own criticality/consequence matrix in Excel, if you don't have or want to purchase a commercially-available package.

The premise of this book is that security is a seamless process that connects threat to analysis to behavior to countermeasures to metrics and finally reporting. The author covers each topic in great detail, explaining concepts, discussing competing theories, ultimately assisting the reader in making the decision of what will work for his or her organization. The author guides, but does not preach. 

This book contains excellent material on security management as well. It describes the role of security policies and how they fit the security management framework. This book takes the correct but often overlooked view that security policies are a part of the chain connecting risk analysis with the selection and implementation of appropriate countermeasures. 

The chapter called 'Countermeasure Selection and Budgeting Tools' is detailed, comprehensive, and in my opinion, worth the price of the book in itself. Mr. Norman has a tremendous background in security technology, and that really shines through in this part. He explains how countermeasures work, how they fit into a security plan, and how to measure their performance. For example, most of us have heard that the role of security measures is to deter, detect, deny, and delay an adversary's attack.  To this list, Mr. Norman adds 'help security forces assess the attack', 'respond to the attack', and 'collect evidence of the attack', and then differentiates which types of security measures are effective against criminal threats and which are effective against terrorist threats.  He also shows how to create a decision matrix that will help you to assess alternatives and decide on a course of action.

There is material in this book for all levels of security professional - from the beginner all the way through to the experienced practitioner. It would also make an excellent textbook for any course on security management, risk analysis, security policy development, or countermeasure planning.  I personally use the book when preparing threat response plans for terrorist and criminal scenarios, and when teaching antiterrorism planning concepts, and I strongly recommend it.


Ross Johnson, CPP
