Conducting security risk assessments (SRA) in dynamic threat environments active resilient

Post on 01-Mar-2021


Page 1: Conducting security risk assessments (SRA) in dynamic ...€¦ · 5.5 SRA context 14 5.6 Identifying the risk 15 5.7 Consequence analysis (Scenarios) 15 5.8 Risk analysis 16 5.9 Event

Conducting security risk assessments (SRA) in dynamic threat environments

active resilient


Conducting security risk assessments 4

Contents

1. Introduction to security risk assessments (SRA) 5

2. Aim of this document 7

3. Ownership of security risk assessments 7

4. Security threat assessments 8

4.1 Threat assessment techniques 8

4.2 Threat intelligence 10

Table 1: Examples of security adversaries’ threats 11-12

5. Security risk assessments 13

5.1 Essential elements of security risk assessment 13

5.2 Fundamental questions that security risk assessments should answer 13

5.3 Applicability 13

5.4 Frequency 14

5.5 SRA context 14

5.6 Identifying the risk 15

5.7 Consequence analysis (Scenarios) 15

5.8 Risk analysis 16

5.9 Event analysis 16

5.10 Project life cycle phases 17

5.11 Vulnerability 17

5.12 Risk appetite 18

6. Assessment techniques most applicable to security 19

6.1 Characteristics that risk assessment techniques should have 19

6.2 The risk assessment techniques 19

Brainstorming 19

CARVER 20

Computer-based modelling 20

Delphi technique 20

(Swift) What-if? 20

Scenario analysis 20

Root cause analysis (RCA) 21

Fault tree analysis (FTA) 21

Cause and effect analysis 22

Bow tie analysis 22

6.3 Selection of risk assessment techniques 23


1. Introduction to security risk assessments (SRA)

Most activities of an organization involve some level of risk, of which security risks can be amongst the most dynamic.

Unlike HSE risks, which are essentially passive, security risks are by their very nature active by design: there is invariably hostile human action or intention. Therefore, security risk assessment (SRA) and HSE risk assessment definitions and processes are fundamentally different – HSE risk assessment definitions and processes are not appropriate in a security environment. A simple Probability × Impact matrix does not sufficiently address the dynamic nature of the security threat.

Organizations operating in hostile environments cannot remove all of the possible security threats they face, but they should strive to reduce, where possible, those security risks within their control. Security threats and hostile adversaries are constantly evolving, as recent and no doubt future events will demonstrate.

Security risk assessment is a fundamental part of overall security risk management. Good organizations manage security risk by:

• identifying and analysing threats
• evaluating the specific risks that emanate from the threats
• evaluating the possibility of future events or circumstances (intended or unintended) and their effects
• implementing mitigation measures.

SRAs assist the management decision-making process on how potential security incidents and their resultant consequences should be addressed, and on deciding whether further security countermeasures/mitigation measures should be considered.

There are a number of ways by which a security risk assessment can be conducted, and by whom. The factors driving this decision are varied and depend on a number of different considerations. Irrespective of the method used and the nature of the assessment, an appropriate risk assessment should always be undertaken so that potential risks, and the measures necessary to mitigate them, are understood.

Security risk assessment should not be regarded only as a security product – it should draw upon the operational expertise of a number of subject matter experts, stakeholders and interested parties.


Security definitions

Threat: a person, thing or event with the potential to cause damage, loss or danger.

Risk: the damage or disruption that could result from the realization of the threat.

Security: the safety of a state or organization against criminal activity such as terrorism or espionage.

Vulnerability: a condition that can be exploited by a threat.


2. Aim of this document

This document provides guidance and information which can assist a security manager in carrying out a security risk assessment, as part of an effective security risk management process.

By following this guidance, an organization should be able to implement a robust security risk assessment that:

• addresses security threats and mitigates the risks emanating from those threats to an acceptable level
• assists in the protection of people, assets, operations, information and reputation
• improves operational resilience and response
• encourages management involvement
• effectively allocates and uses resources, based on risks
• establishes a basis for planning and decision-making
• improves organizational learning
• satisfies regulatory requirements (where applicable).

3. Ownership of security risk assessments

Any security risk assessment method used should be endorsed by the management team, i.e. it should have top-down validation.

Inclusion and ownership of the risk assessment process, and agreement of the final outcome and report distribution, are integral to its overall success. Failure to ensure this necessary buy-in by the business at the outset can impact negatively on the acceptance of the outcome and recommendations.

It is also important to understand that an SRA is not an audit, in that there are no right and wrong answers.


4. Security threat assessments

The first, and extremely important, step in the risk assessment process is the identification of the threats to the asset, facility, operation, information or individual.

The purpose of the threat assessment is to understand the potential external and internal adversaries, including their history and possible actions, capability, motivation and intent.

The threat assessment is not a ‘one-time’ event – it is a process of continuous re-evaluation of the threats to ensure that the appropriate measures reflect their changing nature. It is important to undertake a robust threat assessment at the beginning of the program, and to respond as the threats change and morph.

Hostile intent is a process as well as an act, and does not occur in a vacuum. Careful analysis of violent incidents shows that violent acts are often the culmination of long-developing, identifiable trails of problems, conflicts, disputes and failures.

Comprehensive identification of all probable threats is critical, because a threat that is not identified at this stage will not be included in the subsequent risk assessment. Threat assessment is analysis and assessment, not the measurement of the likelihood of confronting a specific threat.

4.1 Threat assessment techniques

To assist in deciding which security countermeasures would be the most effective, five types of information should be focused on when assessing a threat:

1) type/nature of the threat
2) situations in which the threats are encountered
3) cause of the threats
4) consideration of the level of the threat
5) potential changes to the identified threats.

There are four main techniques that can be used to assess threats:

1) structured interviews
2) quantitative analysis of patterns and trends
3) information analysis
4) change indicators.


These four techniques for conducting a threat assessment should not be used in isolation but as correlated steps, in order to develop the most complete picture of the threats.

Each technique has its strengths and limitations. It is therefore important that all four are used (step by step) to assess the nature of the threat.

Technique 1: Structured interviews

The use of carefully structured interviews can provide broad information on the threats, from a wide variety of sources, and can provide a framework for focusing the other techniques. Sources could range from embassies, intelligence agencies, commercial security organizations, peer companies, newspaper reports and NGOs to site managers and employees.

• Focus on key questions. Ask as many sources as possible the same type of questions so as to get as broad a picture as possible.
• Be cognisant of the fact that interviewees may often have a particular interest in giving a particular view.
• Include regional, local, site-specific and industry histories of security incidents as part of the interview discussions.

Technique 2: Quantitative analysis of patterns and trends

An analysis of available quantitative information on past security incidents can assist in identifying the most common features, potential patterns and possible changes in trends.

• Identify patterns and trends.
• Display the data in a manner that makes it easy to interpret.
• Be cognisant that by focusing on past data, information and events, you may be in danger of ‘fighting the last war’ rather than the next one. Look closely at indicators which may signpost a change in threat.
• Do not confuse correlation with causation (e.g. “As ice cream sales increase, the rate of drowning deaths increases sharply. Therefore, ice cream consumption causes drowning”).

Technique 3: Information analysis

In most instances, you will not be able to draw definitive threat analysis conclusions. A degree of qualitative assessment is necessary.

• Information may be incomplete or sketchy.
• There may be no consistent trends/patterns.
• Recent security or political changes may make previous data irrelevant.
• Avoid, where possible, using a Low – Medium – High rating. Instead, generate descriptions based on the threats and underlying factors.
• It may be useful to give rankings to the various threats:

Threat X = Ranking 5
Threat Y = Ranking 4

(e.g. threats to people travelling in Nigeria could be:

Traffic accident = 5
Theft of vehicle = 4


Violent assault = 3
Hijack and kidnap = 2)

Threat identification methods can include:

• Evidence-based methods, e.g. check-lists and reviews of historical data.
• Systematic team approaches, where a team of experts follows a systematic process to identify risks by means of a structured set of prompts or questions.
• Inductive reasoning techniques. This refers to reasoning that takes specific information and makes a broader generalization that is considered feasible, allowing for the fact that the conclusion may not be accurate. Example: “All dogs that we have seen have been brown; therefore, all dogs are brown”.

Technique 4: Change indicators

Look for indicators that could signal changes in the threat environment:

• Changes in the political, crime, reporting, policing and military environment that could indicate a change in the future threat level. These can only suggest a possible change in the threat environment.
• Situational awareness. Continually look for recent events that may change/impact the threats. Ask: what has changed since last time?
• Short- to mid-term changes. Look for new socio-economic changes and trends that may impact on the threat.
• Imminent confrontation. Examples of these could include marches, demonstrations, political rallies and external political incidents.
• Peer experience. What has been impacting on peer companies and similar assets?

4.2 Threat intelligence

The use of information/intelligence in assessing both the threats and the risks is indispensable.

• Available intelligence. It is rare that specific threat information is available and can be relied upon. More often, judgements about the threat are based on a wide range of fragmentary information, including the level and nature of current threat activity, comparison with events in other countries and previous attacks. Intelligence is only ever likely to reveal part of the picture.
• Capability. An examination of what is known about the capabilities of the threat in question and the methods they may use, based on previous attacks or on intelligence. This also assists in analysing the potential scale of any possible attack.
• Intentions. Using intelligence and publicly available information to examine the overall aims of the threat actor, their stated goals, and the ways they might achieve them, including what sort of targets they would consider attacking.
• Timescale. The threat level expresses the prospect of an attack over a period of time. We know from past incidents that some attacks take years to plan, while others are put together more quickly. In the absence of specific intelligence, a judgement will need to be made about how close an attack might be to fruition. Threat levels do not have any set expiry date but are regularly subject to review in order to ensure that they remain current.


Table 1: Examples of security adversaries’ threats

Examples of security adversaries’ threats include but are not limited to:

Crime: Violent crime, Petty crime, Organized crime, Piracy, Murder, Assassinations, Hijacking, Kidnapping/abduction, Assault, Rape, Harassment, Workplace violence, Robbery, Theft, Burglary, Home invasion, Trespassing/unauthorized access, Sabotage, Vandalism, Vigilantism, Drug-related crime, Narcotrafficking, Alcohol-related crime, Gambling, Prostitution, Suspicious activity, Trafficking, Pornography-related crime, Extortion, Bribery, Fraud, Corruption

Terrorism/militancy: Political terrorism, Economic terrorism, Religious terrorism, Ecoterrorism, Narcoterrorism, State terrorism, Piracy, Guerrilla warfare, Violent cults, Anarchists, Vehicle Borne Improvised Explosive Device (VBIED), Person Borne Improvised Explosive Device (PBIED), Delivered explosive devices, Emplaced explosive devices, Indirect weapons fire, Direct weapons fire, Electronic attack, Personnel, Chemical, Biological & Radiological (CBR)

Activism: Environmental activism, Animal rights activism, Human rights activism, Native rights activism, Anti-capitalism/corporation activism, Political activism, Social activism, Economic activism, Anti-government activism, National activism, Pro-transparency activism, Hacktivism, Labour activism, Anarchists

Political/civil instability: Internal conflict, External conflict, Insurgency, Sectarian discord, Tribal/ethnic discord, Political discord/dissidence, Political violence, Government instability, Contested elections, Coups, Deaths of key political figures, Assassinations, Political kidnappings, Demonstrations/protests, Rioting, Strikes, Boycotts, Blockades, Sit-ins, Sieges, Civil disobedience, Vigilantism, Government corruption, Ineffective judiciary, Displacement, Human rights violations

Economic instability: Unstable economy, Unstable financial institutions, Unemployment, Income disparity, Inflation, Fluctuation of food/energy prices


Table 1: Examples of security adversaries’ threats (concluded)

State activity: Military operations, Police operations, Other security force operations, Effectiveness of security forces, Intelligence operations, Security reforms, Corruption

Information protection issues: State-sponsored espionage, Industrial espionage, Espionage by competitors, Espionage by activists, Espionage by terrorists, Espionage by organized crime, Physical surveillance, Technical surveillance, Cyber espionage, Hacking, Hacktivism, Malware (viruses, worms, Trojan horses, spyware, etc.), Insider threats (disgruntled employees, malicious actors, plants, inadvertent actors, controlled actors), Social engineering, Identity theft

Infrastructure reliability: Public sector infrastructure/services reliability, Private sector infrastructure reliability, Transportation safety and reliability, Road closures/accidents/disruptions, Aviation/rail/ship safety and reliability, Airport closures/disruptions, Port closures/disruptions, Strikes by transportation employees, Medical infrastructure reliability, Energy reliability (power outages, shortages, gas leaks), Reliability of basic goods/services availability and delivery, Supply chain security

Environmental/health issues: Frequency of natural disasters (earthquakes, blizzards, floods, severe winds, avalanches, wildfires, hurricanes, tsunamis, volcanic eruptions, storms, droughts, landslides, heat waves), Unexploded ordnance (ERW), Disease outbreaks/epidemics/pandemics, Food/water/energy shortages, Environmental degradation

Business issues: Partner/JV reliability, Vendor reliability, Supply chain security, Non-compliance, FCPA violations, Espionage, Industrial espionage


5. Security risk assessments

5.1 Essential elements of security risk assessment

Risk assessments should contain the following essential elements:

• identification of the probable threats
• establishing the operational and environmental context
• understanding ownership of the various elements and processes
• identifying stakeholders (this needs to include contractors and, if appropriate, JV partners)
• clear communication and consultation
• risk assessment (comprising risk identification, risk analysis and risk evaluation)
• risk treatment/mitigation
• assessment of the residual risk
• monitoring and review.

5.2 Fundamental questions that security risk assessments should answer

Security risk assessment should attempt to answer the following fundamental questions:

• What are the likely threats/threat indicators?
• What can happen, and why will it happen?
• What are the possible consequences should it occur?
• What is the prospect of an occurrence? (often difficult to assess)
• Are there any current control factors that mitigate the consequence of the risk, reduce the probability of the risk, or improve response and recovery times?
• What additional control measures need to be implemented?
• Is the residual risk acceptable, or does it need additional treatment?

5.3 Applicability

All sites, assets, actions or activities that can be impacted by a security incident should be subject to a security risk assessment. The nature or complexity of the threat will directly influence the nature and complexity of the assessment. It should be noted that some threats may only impact on certain activities or have specific implications.


All companies are subject to financial constraints, have access to limited resources and have diverse portfolios. Therefore, it is often prudent to rank company assets, which ensures that resources are allocated appropriately.

Ranking criteria could include:

• role of the asset
• criticality of the asset
• threat environment
• potential impact if the asset is damaged or destroyed
• loss of life or injury.

5.4 Frequency

The risk assessment process should not be a stand-alone activity. It should be a continuous process.

The frequency of the risk assessment will depend on a number of factors, such as the nature of the asset and the changing threat environment.

The earlier the risk assessment process is applied in the operation/business cycle, the more effective the security program will be.

5.5 SRA context

Establishing context involves an understanding of the operating environment, which is an important element of the risk assessment.

Contextual elements can include:

• cultural
• geographical
• political
• legal
• regulatory
• financial
• economic.


Figure 1: Security risk management process

5.6 Identifying the risk

Identification of risk is the process of identifying what situations/incidents might occur that could impact on the security of people, assets, operations and information. See Table 1 (Examples of security adversaries’ threats). This will generate a comprehensive list of security threats that can impact on the organization.

Risk identification should identify the possible sources and causes of the risk, and the threat from which each risk is derived.

Various supporting techniques can be used to improve accuracy and completeness in risk identification. Examples of assessment techniques particularly suitable for security are outlined in section 6.

5.7 Consequence analysis (Scenarios)

Consequence analysis defines the type and nature of impact that could occur if a particular event were to take place. An incident/event could have a range of impacts and could affect a range of objectives and stakeholders. Consequence analysis can vary from a simple description of outcomes to detailed modelling.

Impacts might have a low consequence but a high probability of occurring, or a high impact and a low probability. In some cases, it may be appropriate to focus on risks that have potentially the largest impacts, as these are often of greatest concern. It is also important not to neglect low-impact (or chronic) problems that have large cumulative or long-term effects.

(Figure 1 labels: Communication and consultation; Threat assessment)


5.8 Risk analysis

Risk analysis focuses on the understanding of the identified risks. In very broad terms, it focuses on the consequence if the event occurs, combined with the threat indicators and existing controls.

Methods used in analysing risks can be broadly grouped into three areas:

• Qualitative: this usually assigns risks into groups such as Low, Medium, High or Extreme.
• Semi-quantitative: this usually uses numbers rather than narrative, the scale often being linear or matrix in construction.
• Quantitative: based on quantities or otherwise quantifiable (objective) data, as opposed to qualitative information, which deals with apparent (subjective) qualities.

If any part of a quantitative assessment is at all subjective, it cannot be regarded as quantitative. This is a common mistake when carrying out a risk assessment. It is difficult to envisage any security assessment that would rely purely upon a quantitative approach, because of the absence of reliable, replicable data.

5.9 Event analysis

The three most common general approaches used to estimate the prospect of an event occurring are listed below. These may be used individually or jointly.

Historical

Using relevant historical data to identify events or situations that have occurred in the past. From this data, it is possible to look at potential correlations to future events. It should be noted that historical events have no direct influence over the probability of future events. Whilst there may be a correlation, there is no direct causation. The previous spin of the roulette wheel does not directly influence the next spin.

Correlations are useful because they can indicate a predictive relationship that can be exploited in practice.

If, historically, there is a very low frequency of occurrence, as often occurs with high-impact security events, then any estimate of probability will be very uncertain. This applies especially for zero occurrences, when one cannot assume that the event, situation or circumstance will not occur in the future. In this instance, it is often judicious to focus on impact and consequence rather than on probability of occurrence.
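As an added illustration of the uncertainty described above (this code is not part of the original guidance), the following Python computes, for a constructed incident history, the observed annual rate of an event alongside a one-sided 95% upper confidence bound on that rate under a Poisson model. With zero recorded occurrences the point estimate is zero, yet the upper bound is roughly 3/T for T years of observation (the "rule of three"), which is the quantitative reason the guidance recommends an impact-focused assessment in that case. The incident counts, the observation period and the choice of a Poisson model are assumptions made for the example.

```python
import math

# Constructed incident history for illustration (not data from the guidance):
# event name -> (recorded occurrences, observation period in years)
SAMPLE_HISTORY = {
    "vehicle theft": (2, 10),   # two incidents in ten years
    "kidnapping": (0, 10),      # never recorded in ten years
}


def poisson_cdf(k: int, mu: float) -> float:
    """P(X <= k) for a Poisson count X with mean mu (standard library only)."""
    if mu <= 0.0:
        return 1.0
    term = math.exp(-mu)          # P(X = 0)
    total = term
    for i in range(1, k + 1):
        term *= mu / i            # P(X = i) derived from P(X = i - 1)
        total += term
    return total


def rate_upper_bound(events: int, exposure_years: float, confidence: float = 0.95) -> float:
    """One-sided upper confidence bound on the annual event rate.

    Under a Poisson model with expected count mu over the observation period,
    the bound is the mu at which observing `events` or fewer becomes as unlikely
    as (1 - confidence). It is found by bisection, since the Poisson CDF
    decreases monotonically in mu. For zero events this equals
    -ln(1 - confidence) / T, about 3/T at 95% (the "rule of three").
    """
    if events < 0 or exposure_years <= 0:
        raise ValueError("events must be >= 0 and exposure_years > 0")
    alpha = 1.0 - confidence
    lo, hi = 0.0, 50.0 * (events + 1)   # CDF at hi is effectively zero
    for _ in range(200):
        mid = (lo + hi) / 2.0
        if poisson_cdf(events, mid) > alpha:
            lo = mid                     # mu still too small
        else:
            hi = mid
    return (lo + hi) / 2.0 / exposure_years


def summarise(events: int, exposure_years: float, confidence: float = 0.95) -> dict:
    """Point estimate, upper bound and the assessment basis the guidance suggests:
    with no recorded occurrences only an upper bound exists, so the assessment
    should be driven by impact rather than by an undefined frequency."""
    point = events / exposure_years
    upper = rate_upper_bound(events, exposure_years, confidence)
    basis = "impact-focused" if events == 0 else "frequency-informed"
    return {"point_estimate": point, "upper_bound": upper, "basis": basis}


if __name__ == "__main__":
    for name, (k, years) in SAMPLE_HISTORY.items():
        s = summarise(k, years)
        print(f"{name:15s} observed {s['point_estimate']:.2f}/yr, "
              f"95% upper bound {s['upper_bound']:.2f}/yr -> {s['basis']}")
```

For the constructed history, two vehicle thefts in ten years give a point estimate of 0.20 per year but an upper bound of about 0.63 per year, three times the observed rate; for kidnapping, the observed rate is zero while the upper bound is about 0.30 per year, so the history alone cannot justify treating the event as improbable.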

Predictive

Probability forecasts often use predictive techniques such as fault tree and event tree analysis.

When using predictive techniques, it is important to ensure that due allowance has been made in the analysis for the possibility of common mode failures, i.e. the coincidental failure of a number of different parts or components within the system arising from the same cause: in effect, two or more low-probability events happening simultaneously.
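The common-mode concern above can be made concrete with a small fault tree. The following Python is an added example, not part of the guidance: it evaluates a tree of AND/OR gates over independent basic events, then re-evaluates the same redundant detection layer under a beta-factor common-cause model, in which a fraction β of each control's failure probability is attributed to a shared cause (for instance, two sensors fed from one power supply). The controls, their failure probabilities and β are constructed values; the beta-factor formula itself is the standard one from reliability engineering.

```python
from dataclasses import dataclass
from typing import List, Union


@dataclass
class Basic:
    """A basic event: one control fails, with probability p (constructed value)."""
    name: str
    p: float


@dataclass
class CommonCauseGroup:
    """n redundant controls, each failing with probability p, where a fraction
    beta of that probability is attributed to a single shared cause.

    Beta-factor model: P(all n fail) = beta*p + (1 - beta*p) * ((1 - beta) * p) ** n.
    With beta = 0 this reduces to the independent AND-gate result p ** n.
    """
    name: str
    p: float
    n: int
    beta: float


@dataclass
class Gate:
    """AND: the event occurs only if every input occurs; OR: if any input occurs."""
    kind: str
    inputs: List["Node"]


Node = Union[Basic, CommonCauseGroup, Gate]


def probability(node: Node) -> float:
    """Probability of the event represented by `node`, assuming independence
    everywhere except inside a CommonCauseGroup."""
    if isinstance(node, Basic):
        return node.p
    if isinstance(node, CommonCauseGroup):
        ccf = node.beta * node.p                         # shared-cause failure of the group
        independent = ((1.0 - node.beta) * node.p) ** node.n  # all fail on their own
        return ccf + (1.0 - ccf) * independent
    ps = [probability(child) for child in node.inputs]
    if node.kind == "AND":
        result = 1.0
        for p in ps:
            result *= p
        return result
    if node.kind == "OR":
        none_occur = 1.0
        for p in ps:
            none_occur *= 1.0 - p
        return 1.0 - none_occur
    raise ValueError(f"unknown gate kind {node.kind!r}")


def build_top_event(common_cause: bool) -> Gate:
    """Top event for a constructed scenario: an intrusion goes unanswered because
    detection fails AND response fails. Detection relies on two redundant sensors;
    response fails if either the guard force is unavailable or the alarm is not relayed."""
    if common_cause:
        detection_fails: Node = CommonCauseGroup("both sensors fail", p=0.1, n=2, beta=0.1)
    else:
        detection_fails = Gate("AND", [Basic("sensor A fails", 0.1),
                                       Basic("sensor B fails", 0.1)])
    response_fails = Gate("OR", [Basic("guard force unavailable", 0.1),
                                 Basic("alarm not relayed", 0.1)])
    return Gate("AND", [detection_fails, response_fails])


def top_event_probability(common_cause: bool) -> float:
    return probability(build_top_event(common_cause))


if __name__ == "__main__":
    print(f"independent sensors: {top_event_probability(False):.6f}")
    print(f"beta = 0.1 shared cause: {top_event_probability(True):.6f}")
```

With the constructed figures the independent analysis credits the two sensors with a combined failure probability of 0.01, while a modest β of 0.1 raises it to about 0.018, and the top event with it, by roughly 80%: the redundancy is worth far less than the naive product suggests when a shared cause is plausible.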


Expert opinion¹

Expert opinion can be used in a systematic and structured process to estimate likelihood. Expert judgements should draw upon all relevant available information. There are a number of formal methods for eliciting expert judgement which provide an aid to the formulation of appropriate questions.

Often there is insufficient data to assess, with any degree of certainty, the probability of an event occurring. In this case, it is often better to focus on the impact of the possible event rather than to dwell on trying to assess the probability when the data available is insufficient to make a suitable assessment.

¹ Impact-focused/intelligence-driven assessment.

5.10 Project life cycle phases

Many activities and projects can be considered to have a life cycle, starting from initial concept and definition, through realization, to a final completion which might include decommissioning and disposal.

Risk assessments should be applied at all stages of the life cycle, and should be applied at various times with different levels of detail to assist in the decisions that need to be made at each phase.

Often a threat that has the ability to impact on one stage of the life cycle process will not have the ability to impact on another.

An example would be the threat of theft, which might be very low at the beginning of a construction project but rise to very high at the end of the project. Therefore, the measures employed to prevent the occurrence of theft at the beginning would be significantly less than the measures employed at the end of the project.

5.11 Vulnerability

Vulnerability is an assessment of the susceptibility of assets and processes to the previously identified threats. This is done by testing the existing capabilities, mitigation and resilience.

A generally accepted model used to describe the best methods of assessing resilience and vulnerabilities is the five Ds:

Deter

The objective of deter is to project an appearance of resilience, thereby deterring the aggressor and preventing the attack from happening in the first place.

Detect

Detection or early warning of an attack, by either electronic or human means, will allow the facility to respond to the incident in a timelier fashion and will likely lessen the potential consequences, provided the response is in place and exercised.

Delay

The delay objective is to slow down an active intrusion enough to force the intruder to give up or to allow the security team to respond.


Deny

The objective of deny is essentially to keep unauthorized persons out, while allowing authorized persons to enter.

Defend/Respond

The defend strand is the security personnel response to the incident. This often includes the involvement of law enforcement or a military response.

The five Ds in effect represent ‘barriers’ designed to protect the asset prior to and during an incident.

5.12 Risk appetite

Evaluation of risk is highly dependent upon the risk appetite – or tolerance to risk – of the company, group or individual. This risk appetite will decide upon future actions and mitigation measures.

Residual risk should also be assessed to see if the risk has been reduced to an acceptable level.


6. Assessment techniques most

applicable to security

6.1 Characteristics that risk assessment techniques

should have

Risk assessment techniques that are particularly applicable to the security

environment are described here.

Any risk assessment technique applied should exhibit the following general

characteristics.

• It should be justifiable and appropriate to the situation or organization.

• It should deliver results that give a better understanding as to the nature of

the risk and how risks should be mitigated.

• Where possible, it should be repeatable and verifiable.

• Ownership: it should be possible to demonstrate that the decisions and

measures taken by the team were inclusive.

Additional methods and more detailed descriptions of risk assessment techniques

can be found in IEC/ISO 31010, Risk Management – Risk assessment techniques.

Additional information on a specific European Union policy on the protection of

critical infrastructure can be found in A Reference Security Management Plan for

Energy Infrastructure, prepared by the Harnser Group.2

6.2 The risk assessment techniques

Brainstorming

Brainstorming involves a group of knowledgeable people, who have a broad understanding of the security threats and the operational process, engaging in a conversation designed to identify potential threats, issues, hazards, risks and mitigation measures.

Effective facilitation is very important to ensure that the process and discussion are both wide-ranging and effective. The facilitator is also needed to capture the important points of the discussion.

² A Reference Security Management Plan for Energy Infrastructure. Harnser (UK) Ltd. Norwich, Summer 2010. Available from http://www.harnsergroup.com/about-us


CARVER

The CARVER matrix was developed by the United States special operations forces during the Vietnam War.

CARVER is an acronym that stands for Criticality, Accessibility, Recoverability, Vulnerability, Effect and Recognizability.

A CARVER matrix can help identify targets that are vulnerable to attack and consequently can be used for planning and for defensive purposes.

The CARVER matrix can indicate high-risk or vulnerable targets that might require additional security assets allotted to them to prevent their degradation by hostile action.

Computer-based modelling

The American Petroleum Institute (API) has a number of approved computer-based security risk assessment methodologies which are internationally recognized.

Their Security Risk Assessment (SRA) process is a systematic process that evaluates the likelihood that a threat against a facility will be successful and considers the potential severity of consequences to the facility itself, to the surrounding community and to the energy supply chain.

Their Security Vulnerability Assessment (SVA) process is a team-based approach that combines the multiple skills and knowledge of the various subject matter experts and employees to provide a complete picture of the facility and its operations.

Delphi technique

The Delphi technique is very similar to brainstorming. An essential feature of the Delphi technique is that the experts involved express their opinions individually and anonymously while having access to the other experts’ views as the process progresses.

(SWIFT) What-if?

SWIFT (structured what-if technique) is a systematic, team-based method that utilizes a set of prompt words or phrases to stimulate participants to identify the possible risks.

The use of what-if type phrases in combination with the prompts helps to understand how an operation, procedure, process or system will be affected by deviations from normal operations and behaviour, or by incidents.

Scenario analysis

Scenario analysis focuses on descriptive models of how future events might turn out. It is used to identify risks by considering possible future developments and assessing their possible implications.

Scenarios reflecting, e.g. best case, worst case and expected case, are used to analyse potential consequences and their probabilities.


Root cause analysis (RCA)

Root cause analysis is usually a retrospective process used after a major loss or incident, with a view to preventing its recurrence. It attempts to identify the root or original causes of the incident instead of dealing only with the immediately obvious causation and impact.

RCA is most often applied to the evaluation of a major incident but may also be used to analyse incidents more generally to determine where holistic improvements can be made.

When the need for an RCA is identified, a group of experts should be appointed to carry out the analysis and make recommendations. The type of expert will mostly depend on the specific expertise needed to analyse the failure or incident.

The evaluation of causes often progresses from initially evident physical causes, to human-related, process-driven causes, and finally to underlying management or fundamental causes.

Fault tree analysis (FTA)

Fault tree analysis is a technique for identifying and analysing factors that can contribute to a specified undesired event taking place – the top event.

Factors that could cause the top event to take place are identified, organized logically, and represented pictorially in a fault tree diagram that shows possible causal factors and their logical relationship to the top event. (Figure 2 shows an example.)

The fault tree is used qualitatively to identify potential causes and pathways to a failure (the top event), or quantitatively to calculate the probability of the top event, given knowledge of the probabilities of the causal events.

The factors identified in the tree can be events that are associated with system failures, human errors or any other pertinent deliberate events that lead to the undesired event.

Figure 2: A fault tree (diagram not reproduced; top event: Failure of PIDS / Perimeter Monitoring Failure, with alarm-related causal events)
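The two uses of a fault tree described above, the qualitative (pathways to the top event) and the quantitative (probability of the top event from the probabilities of the causal events), as an added example that is not part of the original guidance. The tree, event names and probabilities are constructed assumptions in the spirit of Figure 2, not values from the document; inputs to each gate are assumed independent.

```python
from dataclasses import dataclass

@dataclass
class BasicEvent:           # a basic causal event and its assumed probability
    name: str
    p: float

@dataclass
class Gate:                 # "AND": all inputs must occur; "OR": any one input suffices
    name: str
    kind: str
    inputs: list

def probability(node) -> float:
    """Quantitative use: probability of the event at `node`, assuming independent inputs."""
    if isinstance(node, BasicEvent):
        return node.p
    ps = [probability(child) for child in node.inputs]
    if node.kind == "AND":
        result = 1.0
        for p in ps:
            result *= p
        return result
    if node.kind == "OR":   # P(at least one) = 1 - P(none occur)
        none_occur = 1.0
        for p in ps:
            none_occur *= 1.0 - p
        return 1.0 - none_occur
    raise ValueError(f"unknown gate kind {node.kind!r}")

def cut_sets(node) -> list:
    """Qualitative use: minimal cut sets, the smallest combinations of basic events that reach the top."""
    if isinstance(node, BasicEvent):
        return [frozenset([node.name])]
    child_sets = [cut_sets(child) for child in node.inputs]
    if node.kind == "OR":   # any single input's cut set already causes this event
        combined = [cs for sets in child_sets for cs in sets]
    else:                   # AND: one cut set from every input must occur together
        combined = [frozenset()]
        for sets in child_sets:
            combined = [a | b for a in combined for b in sets]
    # keep only minimal sets: drop any that strictly contains another
    return [cs for cs in set(combined) if not any(o < cs for o in combined)]

# Constructed tree in the spirit of Figure 2; names and probabilities are assumptions.
PIDS_TREE = Gate("Perimeter monitoring failure", "OR", [
    Gate("PIDS fails to detect", "OR", [BasicEvent("sensor fault", 0.02),
                                        BasicEvent("power or comms loss", 0.01)]),
    Gate("Alarm not acted on", "AND", [BasicEvent("operator misses alarm", 0.05),
                                       BasicEvent("backup notification fails", 0.10)]),
])
```

For this constructed tree `probability(PIDS_TREE)` is about 0.0347 and `cut_sets(PIDS_TREE)` yields three minimal cut sets, the two single-event sensor pathways and the two-event "alarm not acted on" pathway.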


Cause and effect analysis

Cause and effect analysis looks at identifying the possible causes of an event or incident and then each of the possible effects. It organizes the possible contributory factors into broad categories so that all probable hypotheses can be considered.

This analysis can be used to display a list of causes of a specific event or incident. It is used to assess all possible likely scenarios and causes. It is most valuable at the beginning of an analysis, as it broadens thinking about possible causes and potential hypotheses.

Figure 3: Cause and effect (diagram not reproduced; event: Sabotage of Substation)


Bow tie analysis

Bow tie analysis is a simple diagrammatic way of describing and analysing the pathways of risk from causes to consequences.

It can be considered a combination of a fault tree, which analyses the causes of an event (the knot of the bow tie), and an event tree, which analyses its consequences.

The focus of the bow tie is on the preventive measures between the causes and the risk, and between the risk and the consequences.

Bow tie analysis is often easier to understand than fault or event trees, and therefore can also be a useful communication tool.

Figure 4: A bow tie diagram (diagram not reproduced)

6.3 Selection of risk assessment techniques

Risk assessment may be undertaken in varying degrees of depth and detail and using a number of methods ranging from simple to complex.

It may sometimes be necessary to employ more than one method of risk assessment. The decision on the depth to which risk assessment is carried out should reflect the potential impact, the perception of possible consequences, and the degree of expertise, human and other resources needed.

A simple assessment, well done, may provide better results than a more sophisticated procedure poorly carried out, as long as it meets the objectives and scope. The effort put into the assessment should be consistent with the potential level of risk being analysed. In addition, there should be a clear process to follow in tracking recommendations to closure.

Considerable benefit can be derived by simply showing that a replicable process has been followed.

Assessment techniques should be chosen with regard to relevance and suitability. Once the decision has been made to carry out a risk assessment and the objectives and scope have been defined, the techniques should be selected, based on factors such as:

• nature of the threat


• the objectives of the risk assessment, which will have a direct bearing on the techniques used

• the level of detail needed: in some cases a high level of detail is needed to make a good decision, in others a more general understanding is sufficient

• the type and range of risks being analysed

• the availability of information and data; some techniques require more information and data than others

• the need for modification or updating of the risk assessment; the assessment may need to be modified or updated in future, and some techniques are more amenable than others in this regard

• regulatory and contractual requirements; there may be regulatory requirements which mandate the use of a specific method or technique.

Various other factors influence the selection of an approach to risk assessment, such as the availability of resources, the nature and degree of uncertainty in the data and information available, and the complexity of the application.

Chosen techniques should exhibit the following characteristics:

• should be justifiable and appropriate to the situation or organization under consideration

• should provide results in a form which enhances understanding of the nature of the risk and how it can be mitigated

• should be capable of use in a manner that is traceable, repeatable and verifiable.

This document provides guidance and information which can assist a security manager in carrying out a security risk assessment, as part of an effective security risk management process.

By following this guidance, an organization should be able to implement a robust security risk assessment that:

• addresses security threats and mitigates risk emanating from those threats to an acceptable level

• assists in the protection of people, assets, operations, information, and reputation

• improves operational resilience and response

• encourages management involvement

• effectively allocates and uses resources, based on risks

• establishes a basis for planning and decision-making

• improves organizational learning

• satisfies regulatory requirements.