Magazine article Security Management

Are Companies Properly Addressing Threats?

Article excerpt

Threat assessment is only one aspect of the much larger and more complex process of risk analysis.

The question of how or whether to deal with low-probability, high-consequence threats is a fundamental issue that every company must address. My company has faced this question in countless risk analyses and security design projects. Our experiences have taught us several lessons. The first is that a threat is not necessarily a risk. The second is the importance of considering the corporate and societal culture. A third consideration is the importance of making sure that security strategies keep pace with changing technology.

Threats versus risks. Threat assessment is only one aspect of the much larger and more complex process of risk analysis. Too many security managers focus on threat analyses rather than the more probability-oriented and business-oriented risk analysis.

Nothing is more central to the security profession than the terms threat and risk. Unless one has a clear understanding of today's business security environment and the cultural differences between a security threat and a business risk, it is easy to vault to the conclusion that "most security departments, short on funds, clearly do essentially disregard low-probability, high-consequence threats like terrorism," as noted in the Security Management "Editor's Note" (May).

First, let's clear up the threat versus risk dilemma that ultimately leads most informed security managers to discount low-probability, high-impact external threats. In general terms, a threat is a source of harm or loss, while a risk is the quantification of the likelihood of that source of harm occurring and its potential impact on a business if it does occur.

Risk analysis is a combination of determining asset attractiveness (asset value, prior similar events, relative exposure, and opportunity) and an adversary profile (categories/capabilities), culminating in a determination of attack likelihood (highly unlikely up to highly likely) before assessing one's own vulnerabilities. A prominent commercial building may be attractive to certain threat sources, such as criminals, disgruntled employees, and protesters. On the other hand, this same environment may be significantly less attractive to terrorists and subversives.

If an attack from any one of the identified design basis threat (DBT) sources is considered possible, probable, likely, or highly likely, that DBT source is included in the subsequent vulnerability (asset exposure/potential loss) and business security risk analyses. (These are called DBTs because they are the threats on which a security program design will be based.) If an attack source is considered highly unlikely, that DBT source is typically excluded from further consideration unless there is a focus on what is termed "consequence analysis" in design.

Designing to low-probability, high-impact threat sources has a tendency to skew the ultimate design of any security plan to more costly countermeasures. It also tends to affect daily operations negatively by making it more difficult to conduct business within a restrictive security envelope. Employees are quick to recognize overreactive security programs, which actually increases the likelihood of potential losses in a company.

Once the DBT has been established, the continuing business risk analysis leads to smarter and more informed decisions regarding the applications of security capital. This type of analysis is keyed to specific commercial asset exposures, vulnerabilities, and loss potential dependent on the likelihood and severity of an adversary attack within the realm of the DBT. Here, one determines the actual scope, impact, and probability of a potential loss event in such terms, for example, as human resources loss, direct and indirect financial loss, information compromise, or image loss. The commercial loss event probability is then categorized as "attack not probable" up to "attack certain. …
