Security professionals sometimes think they can't afford to protect assets against low-probability risks. But consequence analysis shows that they can't afford not to.
Access controls, intrusion detection, CCTVs—these tools all have their place. But unless the complete systems are designed and installed based on a proper risk analysis, they will result in little more than the illusion of protection. Real security can be achieved only when precious resources are carefully allocated to security’s most pressing needs. That’s a statement every security professional would immediately concur with, no doubt—but there’s a catch. How does one define “most pressing needs”? A typical corporate security department will probably look at a list of risks, ranging from internal theft to terrorism and natural or man-made disasters and decide that the most pressing need is to defend the company against theft, which is common, rather than against supposedly unlikely but devastating human attacks. That’s a potentially fatal mistake, as evidenced by the Oklahoma City bombing and many other acts of terrorism.
Rather than disregarding low-probability risks, security professionals should look at the consequences of the potential loss. This is known as consequence analysis. It asks: What would happen if I lost this asset? Whether it be the secret rocket fuel formula, the lives of children at the high school, the chief executive’s life, or the one-of-a-kind chemical processing plant, if the answer is “we can’t afford to lose this asset,” then you can’t afford not to protect it. Period.
It means the company can’t afford not to protect that asset against any real threat, even if the probability of its occurrence is low. Security professionals may view this as a lofty and impractical goal that could not be accomplished given limited budgets. But consequence planning need not cost more than the traditional approach to security if it is executed properly, as will be illustrated in the examples accompanying the discussion of the process that follows.
In consequence analysis, the relationship among threats, assets, the probability of loss, and the consequences of loss of that asset is examined to determine what resources should be used to protect the asset. If loss of an asset can be tolerated, even temporarily, or if risk can be transferred through insurance, the asset will not require as much protection. But if insurance or recovery actions will not provide for continued operations while the asset is replaced or repaired, it becomes necessary to consider how best to protect this asset. The four elements of this process are identifying threats, identifying critical assets, determining probability of attack, and determining consequences of loss.
Identifying threats. Each facility faces a spectrum of malevolent human threats that must be identified. Each threat must be considered in terms of class (outsider or insider), tactics (force, stealth, or deceit), goals (theft, sabotage, or extortion, for example), motivation (ideology, mental instability, or financial gain, for instance), and capability of the adversary (such as number of adversaries and access to weapons).
A good threat analysis describes a range of threats based on the assets to be protected. Threats change regularly, so periodic review of the threat spectrum must occur.
Identifying assets. Another step in consequence analysis is determining the assets that require protection. Most large facilities have a range of physical assets, including unique equipment, telecommunications lines, and computer networks, as well as information assets, such as marketing data, human resource databases, chemical formulas, and strategic planning information. Of course, the well-being of personnel, customers, and others is also an asset to be protected.
The key to deciding which assets require what levels of protection is the asset’s value, which must be ranked relative to other assets, with the primary factor being whether the company could continue to operate without it. It is not, however, always obvious which assets are most critical. Security professionals and corporate executives making these judgments should start by clearly stating corporate goals and objectives, after which, for each asset, one can ask: Can the goal be achieved without this function, process, material, or person?
Probability of attack. The next part of the equation is the likelihood of attack. Several approaches are available to determine the probability of attack, including examination of the site’s historical records as well as a look at statistics for other similar sites. Consultation with others in similar industries, professional associations, or law enforcement agencies is also advisable.
Consequence of loss. Next, the consequence of loss should be determined, in terms of lost dollars, reputation, lives, and other factors. Consequence of loss should be expressed in terms of how it will affect the organization.
High-consequence events, even if they are relatively low probability, cannot be borne easily, so they must be prevented. For example, this approach might show that it is preferable to concentrate available resources on protecting trade secrets, preventing sabotage, or stopping workplace violence than on protecting employee cars from vandals. The latter, a low-consequence loss, might be better addressed through insurance rather than through security’s limited budget. (Although it is also possible that the end result of addressing the high-consequence loss will be to reduce the occurrences of low-consequence, higher-frequency problems such as vandalism.)
Putting it together. A consequence analysis is an effective way to show the relationship among threat, asset, and consequence. Specific threats can be plotted in a matrix, in which the vertical axis represents the relative consequence of the loss of the asset and the horizontal axis represents the probability of an attack by an adversary. The matrix shows which assets face the highest probability of attack and which attacks have the highest potential to stop operations. Using consequence analysis, unnecessary expense can be avoided by evaluating specific threats to each facility and implementing the solutions needed to prevent that sort of attack.
One of the most useful aspects of consequence analysis is its ability to convince senior executives and other decision makers to protect areas of highest exposure. It helps executives understand and reduce the security risk to the corporation or facility and enables the security organization to demonstrate its value to the corporate enterprise.
Only when the relationship among threats, assets, probability, and consequences is understood can security system design begin. For some threats, particularly low-consequence, low-probability threats, procedural changes may suffice. For others, manpower and technology will be necessary.
The following two examples depict consequence analysis in planning as performed by a consulting team of security specialists at Sandia National Laboratories. The locations represent two specific sites, but certain details have been modified to protect the identities of the sites. The examples are not meant to be prescriptive. The basic idea is that there is a relationship among threat, asset, probability of attack, and consequence of loss. The process is always the same, even though individual facilities may have different threats, assets, and other characteristics. Using the matrix helps graphically relate these issues and helps determine how to allocate resources, after which system design can be determined.
This case involved a major semiconductor manufacturing plant whose security consisted of standard locks and a limited electronic access control system, which were not well maintained. There was also a guard sitting in the front lobby checking the photo identification of entering employees.
Wishing to improve security, the company retained a vendor/consultant that recommended the installation of hundreds of CCTV cameras. The company was also considering a perimeter fence system with motion detectors attached.
Sandia was introduced to the manufacturer’s plight serendipitously, having been working with a proposed consortium of chip manufacturers of which that specific manufacturer was a member. That company happened to be in the middle of a security review at the time, and a representative asked Sandia to help the company.
When the Sandia team helped the plant perform consequence analysis as a component of a security evaluation, it noted that neither the company nor the vendor had analyzed the risks before determining what should be done. The company simply said it wanted to beef up access controls and intrusion detection. The design was not goals driven; it was not focused on what would need to be protected.
Sandia, therefore, examined the company’s assets and threat profile, assessing probabilities and consequences of loss for each type of threat or asset. It also looked at existing security and considered the proposed camera and intrusion systems and how those would address the threat exposures.
Assessment. One of the biggest (highest consequence) threats facing the company was theft of proprietary information. For example, because of the highly competitive nature of the semiconductor industry, the loss of formulas and other proprietary information could be devastating. This was clearly a high-consequence threat, though one viewed as low-probability. Another significant threat was workplace violence, an increasing possibility given the company’s imminent layoffs at the time of the assessment.
Sabotage of production equipment was also placed in the high-consequence category. Specifically, sabotage of production equipment by employees and contractors, especially activity that would take down the facility for more than 48 hours, was determined to be of high consequence and medium probability.
The team identified and assessed this risk by looking through several years of incident reports for the facility, noting a recurring problem with ex-employees and contractors trying to sabotage equipment. Before the consequence analysis, this risk had been largely ignored.
In addition, the consequence analysis identified several potential targets of sabotage that had not previously been considered. For example, a water processing facility located outside of the main plant proved to be a vulnerable target, as did a critical-component storage area, the manufacturing control room, and the fiber-optic communication system.
Political demonstration by environmental activists was deemed a low-consequence, low-probability threat. Although concerns about the plant’s use of water in a water-scarce environment raised the prospect of environmental protests outside the gates of the facility, the plant had a generally good relationship with the city in which it was located. Protests, if they did occur, might slow employee movement in and out of the building, and possibly inhibit delivery of goods to the receiving area, but they were unlikely to be serious enough that they could threaten operations or profits.
Theft of personal property and of company tools and equipment was common, but with little overall loss to corporate profitability, so it was assessed as low consequence, high probability. In both of these low-consequence threat cases, it was determined, the company’s limited security resources could be better applied elsewhere.
Exposure. The protection elements of the facility were input into a computer modeling program and an analysis of the ten most vulnerable paths was conducted. The analysis found that the manufacturer had only a 19 percent chance of interrupting a sabotage attack along the most vulnerable path.
Recommendation. To address the company’s specific high-consequence threats, Sandia made a series of recommendations. They included such basic access control measures as locking exterior doors, getting staff to stop propping open doors, limiting who could enter the control center, and adding PIN numbers to the limited card reader system at the facility, none of which entailed big budget expenses. Sandia also recommended better maintenance and testing of systems already in place. For example, tamper switches were present at junction boxes but were never tested. (It should be noted that at least part of the solution for any company is to implement good policies and to enforce good employee behavior, without which the expensive equipment won’t work.)
With regard to equipment, Sandia recommended upgrading the alarm system, because the current setup was inefficient. It was solely text-based, and it mixed security and safety events, making it hard for operators to quickly differentiate between a security alarm and accidents. In conjunction with upgrading the alarm system, Sandia also recommended having the life safety and security systems operate independently, so an operator could more easily spot important security events.
With regard to cameras, Sandia recommended fewer cameras that would be more strategically placed and tied to sensors, so that activity would trigger an alarm. (The original plan had not called for the cameras to be tied to sensors.) Sandia further recommended that the company not have the perimeter fence built, because the facility already had adequate detection capability.
By not investing in the perimeter fencing and extra CCTV cameras, sensors, and lighting, the facility saved about $600,000. A reanalysis using the computer model and incorporating recommended changes showed that the same sabotage path now had a 92 percent chance of being interrupted. Thus, consequence analysis yielded a solution that was both more effective and less expensive.
The Sandia team was asked to assess security at a 1,200-student high school in an ethnically diverse middle-class neighborhood in a medium-sized Midwest city. Traditionally, administrators had given little specific thought to school security. The closest thing to an analysis of threats was awareness among the school’s administrators of problems that affected other schools, such as shootings, theft, and graffiti. The only discernible security measures in place were such procedural mechanisms as faculty/administrative oversight of students via hall monitoring and other means.
In light of a series of school shootings and other violence throughout the country—which has taken place in all sorts of towns and cities in school districts in various socioeconomic strata—the school decided it was time for improved security measures. Working with a supplier, the administration decided to install many new cameras throughout the campus, from corridors to stairwells to parking lots. Live monitoring of video was not feasible, but the cameras were to be recorded in a secure central room. The thinking was that the cameras were a broad-brush solution to preventing a wide array of crimes.
Before actually going through with the camera installation as recommended by the supplier, the school asked Sandia to look at its security. When the Sandia team visited the school, it found that the school’s plan to add cameras was not based on any coherent analysis of the threats, assets, and possible consequences at the particular school. In fact, the school had not considered at all how the system would accomplish the school’s security goals.
Sandia then sat down with administrators and conducted a risk assessment and consequence analysis. This involved touring the property and interviewing administrators about the types of problems they had had and solutions tried in the past. The team asked many other open-ended questions about policies and procedures at the facility.
Sandia then helped the school rank several threats in terms of probability and consequence. For example, discussions with the school administration showed that a student-precipitated shooting incident would be a high-consequence but low-probability event. By contrast, student drug use, which was on the rise, was rated as high consequence and medium probability. Theft of valuable school property, such as musical instruments, by students and outsiders was rated as medium consequence but low probability.
The administration also knew of cases in which noncustodial parents had come to the school to pick up their children without the custodial parent’s permission, a form of abduction. This risk was ranked as medium consequence, medium probability (it was ranked only as medium consequence because the parents had no intention of harming the child, just regaining custody).
At the lowest consequence level were theft of personal property, which was medium-probability, and incidents of graffiti and vandalism, which were fairly common at the school and were rated high-probability. As low-consequence events, the latter two threats, though likely, would receive the least of security’s precious resources.
The analysis showed that by far the most significant threats, though not the most likely ones, were school shootings and student drug use, followed by kidnapping. These types of incidents, if they occurred, would pose a risk for the school’s most valuable assets: its students and staff.
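The ranking just described, worked through as an added example (it is not part of the original article or of Sandia's analysis). The threat ratings are the ones given above for the school; the 1-3 numeric scale, the function names, and the three ordering rules are assumptions made here to contrast a consequence-first ranking with a probability-first ranking and with a simple consequence-times-probability score.

```python
# Added example. Ratings come from the article's school case; the numeric
# scale and the ordering rules below are assumptions for illustration.
LEVEL = {"low": 1, "medium": 2, "high": 3}

# (threat, consequence, probability) as rated in the school assessment
SCHOOL_THREATS = [
    ("student shooting", "high", "low"),
    ("student drug use", "high", "medium"),
    ("theft of school property", "medium", "low"),
    ("noncustodial parent abduction", "medium", "medium"),
    ("theft of personal property", "low", "medium"),
    ("graffiti and vandalism", "low", "high"),
]

def validate(threats):
    """Reject ratings outside low/medium/high instead of silently misplacing them."""
    for name, cons, prob in threats:
        if cons not in LEVEL or prob not in LEVEL:
            raise ValueError(f"unknown rating for {name!r}: {cons}/{prob}")

def rank_by_consequence(threats):
    """Consequence decides the order; probability only breaks ties."""
    validate(threats)
    ordered = sorted(threats, key=lambda t: (-LEVEL[t[1]], -LEVEL[t[2]]))
    return [name for name, _, _ in ordered]

def rank_by_probability(threats):
    """'Most common problem first': the ordering the article warns against."""
    validate(threats)
    ordered = sorted(threats, key=lambda t: (-LEVEL[t[2]], -LEVEL[t[1]]))
    return [name for name, _, _ in ordered]

def rank_by_product(threats):
    """Consequence x probability score; equal scores keep input order."""
    validate(threats)
    scored = [(LEVEL[c] * LEVEL[p], name) for name, c, p in threats]
    return sorted(scored, key=lambda s: -s[0])

def matrix(threats):
    """Cells keyed (consequence, probability), matching the matrix axes."""
    validate(threats)
    grid = {(c, p): [] for c in LEVEL for p in LEVEL}
    for name, cons, prob in threats:
        grid[(cons, prob)].append(name)
    return grid

def render(threats):
    """Text matrix: consequence rows from high to low, probability low to high."""
    grid = matrix(threats)
    rows = []
    for cons in ("high", "medium", "low"):
        cells = [", ".join(grid[(cons, p)]) or "-" for p in ("low", "medium", "high")]
        rows.append(f"{cons:<6} | " + " | ".join(cells))
    return "\n".join(rows)

if __name__ == "__main__":
    print(render(SCHOOL_THREATS))
    print("consequence first:", rank_by_consequence(SCHOOL_THREATS))
    print("probability first:", rank_by_probability(SCHOOL_THREATS))
    print("product score:    ", rank_by_product(SCHOOL_THREATS))
```

On these ratings the product score gives a shooting the same score as vandalism and places it below abduction, while the consequence-first ordering keeps it in the top two.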
With this matrix in place, a plan was developed that would reduce the risk from these high-consequence events (shootings, drug use, and kidnappings), while likely also making it harder for the more common but lower-risk threats, such as vandalism, to occur. The plan included targeted camera placement, tighter access controls, and security identification. For drug use, counseling was favored over security.
Camera placement. The camera placements were reevaluated. The original plan had called for placing perhaps 100 cameras in doorways, hallways, and other high-volume areas. It was decided that the now-clearly focused protection goals could be achieved more effectively and at a lower total cost by placing fewer cameras more strategically. Cameras were placed in “high-expectation” areas such as the band room, where expensive musical instruments were kept.
At the same time, Sandia suggested less coverage at places with less pressing needs, such as in doorways and inside the auditorium, where the main risk was low-consequence vandalism.
Access control. Clearly, limiting who could enter the building and what they could bring onto the property would go a long way toward reducing the likelihood of a shooting. It would also reduce other threats, like theft. Sandia recommended such measures as restricting entry to the school to a single doorway, placing a metal detector there, and securing all remaining doors as well as all of the windows. Just having pictures of the shooters would not prevent the loss of life, so cameras clearly could play only a limited role.
Identification. Both as a corollary to general access control and for the more specific concern about the potential for noncustodial parent abductions of students, Sandia recommended that the school consider two levels of ID. For the general population, it was suggested that students be required to wear photo IDs. While badges can be counterfeited, they allow for a quick way for staff and faculty to determine whether a person is authorized to be on school grounds. The school is now weighing the advantages and disadvantages of this and other recommendations.
With regard to the potential risk of kidnapping, the school’s proposed solution before bringing in Sandia had been to have a system in which custodial parents would deliver signed notes to the school if permission was to be given for a noncustodial parent or other person to pick the child up. Because that solution can be easily defeated, the Sandia team recommended a more formal identification mechanism, such as the use of a biometric ID device. A parent with custody would have anyone eligible to pick up his or her children enter biometric information through a hand geometry reader. Only persons authorized by the parent could pick up the child from inside the school, and their hand geometry would have to match a template on file for them. (The school is considering these recommendations.)
Counseling and awareness. The consequence analysis also showed that the school would have to do more to prevent the emerging problem of student drug use. While the school is still investigating how to do so, on the recommendation of the Sandia team it is focusing more on identifying at-risk students and providing counseling to them. The administration is also calling student attention to its drug policies and encouraging awareness of the problem.
Organizations often implement security measures without considering what is most important to protect. As a result, expensive security systems are put in and yet critical assets remain vulnerable. Instead, security professionals must begin to design protection systems that allocate resources in alignment with the consequence of the loss, not just the probability of the threat. The consequences of doing otherwise are high.
Mary Lynn Garcia, CPP, is a senior member of the technical staff at Sandia National Laboratories, Albuquerque, New Mexico. She is a member of ASIS.