Conducting security risk assessments (SRA) in dynamic threat environments
active resilient
Conducting security risk assessments 4
Contents
1. Introduction to security risk assessments (SRA) 5
2. Aim of this document 7
3. Ownership of security risk assessments 7
4. Security threat assessments 8
4.1 Threat assessment techniques 8
4.2 Threat intelligence 10
Table 1: Examples of security adversaries’ threats 11-12
5. Security risk assessments 13
5.1 Essential elements of security risk assessment 13
5.2 Fundamental questions that security risk assessments should answer 13
5.3 Applicability 13
5.4 Frequency 14
5.5 SRA context 14
5.6 Identifying the risk 15
5.7 Consequence analysis (Scenarios) 15
5.8 Risk analysis 16
5.9 Event analysis 16
5.10 Project life cycle phases 17
5.11 Vulnerability 17
5.12 Risk appetite 18
6. Assessment techniques most applicable to security 19
6.1 Characteristics that risk assessment techniques should have 19
6.2 The risk assessment techniques 19
Brainstorming 19
CARVER 20
Computer-based modelling 20
Delphi technique 20
(Swift) What-if? 20
Scenario analysis 20
Root cause analysis (RCA) 21
Fault tree analysis (FTA) 21
Cause and effect analysis 22
Bow tie analysis 22
6.3 Selection of risk assessment techniques 23
1. Introduction to security risk assessments (SRA)
Most activities of an organization involve some level of risk, of which security risks
can be amongst the most dynamic.
Unlike HSE risks, which are essentially passive, security risks are by their very
nature active by design. There is invariably hostile human action/intention. Therefore,
security risk assessment (SRA) and HSE risk assessment definitions and processes
are fundamentally different – HSE risk assessment definitions and processes are not
appropriate in a security environment. A simple Probability × Impact matrix does
not sufficiently address the dynamic nature of the security threat.
Organizations operating in hostile environments cannot remove all of the possible
security threats they face, but they should strive to reduce, where possible, those
security risks within their control. Security threats and hostile adversaries are
constantly evolving, as recent and no doubt future events will demonstrate.
Security risk assessment is a fundamental part of overall security risk
management. Good organizations manage security risk by:
• identifying and analysing threats
• evaluating the specific risks that emanate from the threats
• evaluating the possibility of future events or circumstances (intended or
unintended) and their effects
• implementing mitigation measures.
SRAs assist the management decision-making process on how potential security
incidents and their resultant consequences should be addressed, and on deciding
whether further security countermeasures/mitigation measures should be
considered.
There are a number of ways by which a security risk assessment can be conducted
and by whom. Factors which may drive this decision are varied and may be
dependent on a number of different considerations. Irrespective of the method
used and the nature of the assessment, appropriate risk assessment should
always be undertaken so that potential risks and the measures necessary to
mitigate them are understood.
Security risk assessment should not only be regarded as a security product – it
should draw upon the operational expertise of a number of subject matter experts,
stakeholders and interested parties.
Security definitions
Threat: a person, thing or event with the potential to cause damage, loss or danger.
Risk: the damage or disruption that could result from the realization of the threat.
Security: the safety of a state or organization against criminal activity such as terrorism or espionage.
Vulnerability: a condition that can be exploited by a threat.
2. Aim of this document
This document provides guidance and information which can assist a
security manager in carrying out a security risk assessment, as part of an
effective security risk management process.
By following this guidance, an organization should be able to implement a robust
security risk assessment that:
• addresses security threats and mitigates the risk emanating from those threats to
an acceptable level
• assists in the protection of people, assets, operations, information, and
reputation
• improves operational resilience and response
• encourages management involvement
• effectively allocates and uses resources, based on risks
• establishes a basis for planning and decision-making
• improves organizational learning
• satisfies regulatory requirements (where applicable).
3. Ownership of security risk assessments
Any security risk assessment method used should be endorsed by the
management team, i.e. it should have top-down validation.
Inclusion and ownership of the risk assessment process and agreement of the
final outcome and report distribution is integral to its overall success. Failure to
ensure this necessary buy-in by the business at the outset can impact negatively
on the acceptance of the outcome and recommendations.
It is also important to understand that an SRA is not an audit, in that there are no
right and wrong answers.
4. Security threat assessments
The first, and extremely important, step in the risk assessment process is the
identification of the threats to the asset, facility, operation, information, or
individual.
The purpose of the threat assessment is to understand the potential external
and internal adversaries, including their history and possible actions, capability,
motivation and intent.
The threat assessment is not a ‘one-time’ event – it is a process of continuous
re-evaluation of the threats to ensure that the measures in place reflect their
changing nature. It is important to undertake a robust threat assessment at the
beginning of the program, and to respond as the threats change and morph.
Hostile intent is a process as well as an act and does not occur in a vacuum.
Careful analysis of violent incidents shows that violent acts often are the
culmination of long-developing, identifiable trails of problems, conflicts, disputes,
and failures.
Comprehensive identification of all probable threats is critical, because a
threat that is not identified at this stage will not be included in the subsequent
risk assessment. Threat assessment is analysis and assessment, not the
measurement of the likelihood of confronting a specific threat.
4.1 Threat assessment techniques
To assist in deciding which security countermeasures would be the most effective,
five types of information should be focused on when assessing a threat:
1) type/nature of the threat
2) situation on which the threats are encountered
3) cause of the threats
4) consideration of the level of the threat
5) potential changes to the identified threats.
There are four main techniques that can be used to assess threats:
1) structured interviews
2) quantitative analysis of patterns and trends
3) information analysis
4) change indicators.
These four techniques for conducting a threat assessment should not be used in
isolation but as correlated steps in order to develop the most complete picture of
the threats.
Each technique has its strengths and limitations. It is therefore important that all
four are used (step by step) to assess the nature of the threat.
Technique 1: Structured interviews
The use of carefully structured interviews can provide broad information on the
threats, from a wide variety of sources, and can provide a framework for focusing
the other techniques. Sources could range from embassies, intelligence agencies,
commercial security organizations, peer companies, newspaper reports and NGOs
to site managers and employees.
• Focus on key questions. Ask as many sources as possible the same type of
questions so as to get as broad a picture as possible.
• Be cognisant of the fact that often interviewees may have a particular interest
in giving a particular view.
• Include regional, local, site-specific and industry histories of security
incidents as part of the interview discussions.
Technique 2: Quantitative analysis of patterns and trends
An analysis of available quantitative information on past security incidents can
assist in identifying the most common features and potential patterns and possible
changes in trends.
• Identify patterns and trends.
• Display the data in a manner that makes it easy to interpret.
• Be cognisant that by focusing on past data, information and events, you may
be in danger of ‘fighting the last war’ rather than the next one. Look closely at
indicators which may signpost a change in threat.
• Do not confuse correlation with causation (e.g. “As ice cream sales increase,
the rate of drowning deaths increases sharply. Therefore, ice cream
consumption causes drowning”).
Technique 3: Information analysis
In most instances, you will not be able to draw definitive threat analysis
conclusions. A degree of qualitative assessment is necessary.
• Information may be incomplete or sketchy.
• There may be no consistent trends/patterns.
• Recent security or political changes may make previous data irrelevant.
• Avoid, where possible, using a Low – Medium – High rating. Instead, generate
descriptions based on the threats and underlying factors.
• It may be useful to give rankings to the various threats (Threat X = Ranking 5,
Threat Y = Ranking 4, and so on). For example, threats to people travelling in
Nigeria could be ranked:
Traffic accident = 5
Theft of vehicle = 4
Violent assault = 3
Hijack and kidnap = 2
Threat identification methods can include:
• Evidence-based methods, e.g. checklists and reviews of historical data
• Systematic team approaches where a team of experts follow a systematic
process to identify risks by means of a structured set of prompts or questions
• Inductive reasoning techniques, i.e. reasoning that takes specific
information and makes a broader generalization that is considered feasible,
allowing for the fact that the conclusion may not be accurate. Example: “All
dogs that we have seen have been brown; therefore, all dogs are brown”.
Technique 4: Change indicators
Look for indicators that could signal changes in the threat environment:
• Changes in the political, crime, reporting, policing and military environment
that could indicate a change in the future threat level. These can only suggest
a possible change in the threat environment
• Situational awareness. Continually look for recent events that may change/
impact the threats. Ask: What has changed since last time?
• Short to mid-term changes. Look for new socio-economic changes and
trends that may impact on the threat
• Imminent confrontation. Examples of these could include marches,
demonstrations, political rallies and external political incidents
• Peer experience. What has been impacting on peer companies and similar
assets?
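Technique 2 (quantitative analysis of patterns and trends) and Technique 4 (change indicators) both come down to the same working step: tabulate past incidents, display them so the trend is visible, and compare the recent rate with a longer baseline. The following Python script is an added example written for this page, not code from the original document; the incident log is constructed sample data, the window lengths (3 recent months against a 9-month baseline) and the flagging factor of 2.0 are assumptions, and a flag is only a prompt for investigation, which is the document's own point about correlation and causation.

```python
from collections import Counter

# Constructed sample incident log (not real data): (ISO date, category, site).
# Thefts run at about one per month through September, then climb sharply
# and shift to site-B; assaults stay sporadic.
INCIDENTS = (
    [(f"2023-{m:02d}-10", "theft", "site-A") for m in range(1, 10)]
    + [(f"2023-10-{d:02d}", "theft", "site-B") for d in (3, 11, 25)]
    + [(f"2023-11-{d:02d}", "theft", "site-B") for d in (2, 9, 17, 28)]
    + [(f"2023-12-{d:02d}", "theft", "site-B") for d in (1, 6, 12, 19, 27)]
    + [("2023-03-22", "assault", "site-A"),
       ("2023-08-05", "assault", "site-C"),
       ("2023-11-14", "assault", "site-B")]
)


def month_of(iso_date):
    """'2023-11-14' -> '2023-11'."""
    return iso_date[:7]


def shift_month(year_month, k):
    """Move a 'YYYY-MM' key forward (k > 0) or back (k < 0) by k months."""
    year, month = map(int, year_month.split("-"))
    index = year * 12 + (month - 1) + k
    return f"{index // 12:04d}-{index % 12 + 1:02d}"


def window(end_month, n):
    """The n consecutive 'YYYY-MM' keys ending at end_month (inclusive)."""
    return [shift_month(end_month, -i) for i in range(n - 1, -1, -1)]


def monthly_counts(incidents):
    """Counter keyed by (month, category)."""
    counts = Counter()
    for iso_date, category, _site in incidents:
        counts[(month_of(iso_date), category)] += 1
    return counts


def most_common_pairs(incidents, n=3):
    """Most frequent (category, site) combinations: the 'common features'."""
    return Counter((c, s) for _d, c, s in incidents).most_common(n)


def rate_change(incidents, category, end_month, recent=3, baseline=9, factor=2.0):
    """Compare the mean monthly rate over the last `recent` months with the
    mean over the `baseline` months before them. A ratio at or above
    `factor` is flagged as a change indicator worth investigating; the flag
    is a prompt for analysis, not evidence of a cause (correlation is not
    causation)."""
    counts = monthly_counts(incidents)
    recent_months = window(end_month, recent)
    baseline_months = window(shift_month(end_month, -recent), baseline)
    recent_rate = sum(counts[(m, category)] for m in recent_months) / recent
    baseline_rate = sum(counts[(m, category)] for m in baseline_months) / baseline
    if baseline_rate == 0:
        ratio = float("inf") if recent_rate else 1.0
    else:
        ratio = recent_rate / baseline_rate
    return {
        "category": category,
        "baseline_rate": baseline_rate,
        "recent_rate": recent_rate,
        "ratio": ratio,
        "flag": ratio >= factor,
    }


def bar_chart(incidents, category, months):
    """Plain-text bars, one per month, so the trend is easy to read."""
    counts = monthly_counts(incidents)
    return [f"{m} {category:8s} {'#' * counts[(m, category)]:<10s} {counts[(m, category)]}"
            for m in months]


if __name__ == "__main__":
    months = window("2023-12", 12)
    for line in bar_chart(INCIDENTS, "theft", months):
        print(line)
    print("most common (category, site):", most_common_pairs(INCIDENTS, 2))
    for category in ("theft", "assault"):
        print(rate_change(INCIDENTS, category, "2023-12"))
```

On the constructed data the theft rate quadruples in the last quarter and the most common pairing moves to site-B, so theft is flagged while assault is not; what the flag cannot say is why, which is where the structured interviews and the change indicators of Technique 4 come in.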
4.2 Threat intelligence
The use of information/intelligence in assessing both the threats and the risks is
indispensable.
• Available intelligence. It is rare that specific threat information is available
and can be relied upon. More often, judgements about the threat are based
on a wide range of fragmentary information, including the level and nature
of current threat activity, comparison with events in other countries and
previous attacks. Intelligence is only ever likely to reveal part of the picture.
• Capability. An examination of what is known about the capabilities of the
threat in question and the methods they may use, based on previous attacks or
on intelligence. This also assists in analysing the potential scale of
any possible attack.
• Intentions. Using intelligence and publicly available information to examine
the overall aims of the threat actor, their stated goals, and the ways they
might achieve them including what sort of targets they would consider
attacking.
• Timescale. The threat level expresses the prospect of an attack over a
period of time. We know from past incidents that some attacks take years to
plan, while others are put together more quickly. In the absence of specific
intelligence, a judgement will need to be made about how close an attack
might be to fruition. Threat levels do not have any set expiry date but are
regularly subject to review in order to ensure that they remain current.
Table 1: Examples of security adversaries’ threats
Examples of security adversaries’ threats include but are not limited to:

Crime:
Violent crime
Petty crime
Organized crime
Piracy
Murder
Assassinations
Hijacking
Kidnapping/abduction
Assault
Rape
Harassment
Workplace violence
Robbery
Theft
Burglary
Home invasion
Trespassing/unauthorized access
Sabotage
Vandalism
Vigilantism
Drug-related crime
Narcotrafficking
Alcohol-related crime
Gambling
Prostitution
Suspicious activity
Trafficking
Pornography-related crime
Extortion
Bribery
Fraud
Corruption

Terrorism/militancy:
Political terrorism
Economic terrorism
Religious terrorism
Ecoterrorism
Narcoterrorism
State terrorism
Piracy
Guerrilla warfare
Violent cults
Anarchists
Vehicle Borne Improvised Explosive Device (VBIED)
Person Borne Improvised Explosive Device (PBIED)
Delivered Explosive Devices
Emplaced Explosive Devices
Indirect Weapons Fire
Direct Weapons Fire
Electronic Attack
Personnel
Chemical, Biological & Radiological (CBR)

Activism:
Environmental activism
Animal rights activism
Human rights activism
Native rights activism
Anti-capitalism/corporation activism
Political activism
Social activism
Economic activism
Anti-Government activism
National activism
Pro-transparency activism
Hacktivism
Labour activism
Anarchists

Political/civil instability:
Internal conflict
External conflict
Insurgency
Sectarian discord
Tribal/ethnic discord
Political discord/dissidence
Political violence
Government instability
Contested elections
Coups
Deaths of key political figures
Assassinations
Political kidnappings
Demonstrations/protests
Rioting
Strikes
Boycotts
Blockades
Sit-ins
Sieges
Civil disobedience
Vigilantism
Government corruption
Ineffective judiciary
Displacement
Human rights violations

Economic instability:
Unstable economy
Unstable financial institutions
Unemployment
Income disparity
Inflation
Fluctuation of food/energy prices
Table 1: Examples of security adversaries’ threats (concluded)

State activity:
Military operations
Police operations
Other security force operations
Effectiveness of security forces
Corruption
Intelligence operations
Security reforms

Information protection issues:
State-sponsored espionage
Industrial espionage
Espionage by competitors
Espionage by activists
Espionage by terrorists
Espionage by organized crime
Physical surveillance
Technical surveillance
Cyber espionage
Hacking
Hacktivism
Malware (viruses, worms, Trojan horses, spyware, etc.)
Insider threats (disgruntled employees, malicious actors, plants, inadvertent actors, controlled actors)
Social engineering
Identity theft

Infrastructure reliability:
Public sector infrastructure/services reliability
Private sector infrastructure reliability
Transportation safety and reliability
Road closures/accidents/disruptions
Aviation/rail/ship safety and reliability
Airport closures/disruptions
Port closures/disruptions
Strikes by transportation employees
Medical infrastructure reliability
Energy reliability (power outages, shortages, gas leaks)
Reliability of basic goods/services availability and delivery
Supply chain security

Environmental/health issues:
Frequency of natural disasters (earthquakes, blizzards, floods, severe winds, avalanches, wildfires, hurricanes, tsunamis, volcanic eruptions, storms, droughts, landslides, heat waves)
Unexploded ordnance (ERW)
Disease outbreaks/epidemics/pandemics
Food/water/energy shortages
Environmental degradation

Business issues:
Partner/JV reliability
Vendor reliability
Supply chain security
Non-compliance
FCPA violations
Espionage
Industrial espionage
5. Security risk assessments
5.1 Essential elements of security risk assessment
Risk assessments should contain the following essential elements:
• identification of the probable threats
• establishing the operational and environmental context
• understanding ownership of the various elements and processes
• identifying stakeholders (this needs to include contractors and, if appropriate,
JV partners)
• clear communication and consultation
• risk assessment (comprising risk identification, risk analysis and risk
evaluation)
• risk treatment/mitigation
• assessment of the residual risk
• monitoring and review.
5.2 Fundamental questions that security risk
assessments should answer
Security risk assessment should attempt to answer the following fundamental
questions:
• What are the likely threats/threat indicators?
• What can happen and why will it happen?
• What are the possible consequences should it occur?
• What is the prospect of an occurrence? (often difficult to assess)
• Are there any current control factors that mitigate the consequence of the
risk or that reduce the probability of the risk, or improve response and
recovery times?
• What additional control measures need to be implemented?
• Is the residual risk acceptable, or does it need additional treatment?
5.3 Applicability
All sites, assets, actions or activities that can be impacted by a security incident
should be subject to a security risk assessment. The nature or complexity of
the threat will directly influence the nature and complexity of the assessment. It
should be noted that some threats may only impact on certain activities or have
specific implications.
All companies are subject to financial constraints, have access only to limited resources
and have diverse portfolios. Therefore, it is often prudent to rank company assets,
which ensures that resources are allocated appropriately.
Ranking criteria could include:
• role of the asset
• criticality of the asset
• threat environment
• potential impact if the asset is damaged or destroyed
• loss of life or injury.
5.4 Frequency
The risk assessment process should not be a stand-alone activity. It should be a
continuous process.
The frequency of the risk assessment will depend on a number of factors such as
the nature of the asset and the changing threat environment.
The earlier the risk assessment process is applied in the operation/business cycle,
the more effective the security program will be.
5.5 SRA context
Establishing context involves an understanding of the operating environment which
is an important element of the risk assessment.
Contextual elements can include:
• cultural
• geographical
• political
• legal
• regulatory
• financial
• economic.
Figure 1: Security risk management process
5.6 Identifying the risk
Identification of risk is the process of identifying what situations/incidents
might occur that could impact on the security of people, assets, operations, and
information. See Table 1 (Examples of security adversaries’ threats).
This will generate a comprehensive list of security threats that can impact on the
organization.
Risk identification should identify the possible sources and causes of the risk and
the threat from which each risk is derived.
Various supporting techniques can be used to improve accuracy and completeness
in risk identification. Examples of assessment techniques particularly suitable for
security are outlined in section 6.
5.7 Consequence analysis (Scenarios)
Consequence analysis defines the type and nature of impact that could occur if
a particular event were to take place. An incident/event could have a range of
impacts and could affect a range of objectives and stakeholders. Consequence
analysis can vary from a simple description of outcomes to detailed modelling.
Impacts might have a low consequence but a high probability of occurring, or a
high impact and low probability. In some cases, it may be appropriate to focus
on risks that have potentially the largest impacts, as these are often of greatest
concern. It is also important not to neglect low-impact (or chronic) problems that
have large cumulative or long-term effects.
5.8 Risk analysis
Risk analysis focuses on the understanding of the identified risks. In very broad
terms, it focuses on the consequence if the event occurs combined with the threat
indicators and existing controls.
Methods used in analysing risks can be broadly grouped into three areas:
• Qualitative: this usually assigns risks into groups such as Low, Medium,
High or Extreme
• Semi-quantitative: this usually uses numbers rather than narrative, the scale
often being linear or matrix in construction
• Quantitative: based on quantities or otherwise quantifiable
data (objective), as opposed to qualitative information, which deals with
apparent qualities (subjective).
If any part of the quantitative assessment is at all subjective, it cannot be regarded
as quantitative. This is a common mistake when carrying out a risk assessment.
It is difficult to envisage any security assessment that would rely purely upon a
quantitative approach, because of the absence of reliable, replicable data.
5.9 Event analysis
The three most common general approaches used to estimate the prospect of an
event occurring are listed below. These may be used individually or jointly.
Historical
Using relevant historical data to identify events or situations that have occurred
in the past. From this data, it is possible to look at potential correlations to future
events. It should be noted that historical events have no direct influence over the
probability of future events. Whilst there may be a correlation, there is no direct
causation. The previous spin of the roulette wheel does not directly influence the
next spin.
Correlations are useful because they can indicate a predictive relationship that can
be exploited in practice.
If, historically, there is a very low frequency of occurrence, as often occurs with
high impact security events, then any estimate of probability will be very uncertain.
This applies especially for zero occurrences, when one cannot assume the
event, situation or circumstance will not occur in the future. In this instance, it
is often judicious to focus on impact and consequence rather than probability of
occurrence.
Predictive
Probability forecasts often use predictive techniques such as fault tree and event
tree analysis.
When using predictive techniques, it is important to ensure that due allowance
has been made in the analysis for the possibility of common mode failures, i.e.
the coincidental failure of a number of different parts or components
within the system arising from the same cause: in effect, two or more low
probability events happening simultaneously.
Expert opinion (1)
Expert opinion can be used in a systematic and structured process to estimate
likelihood. Expert judgements should draw upon all relevant available information.
There are a number of formal methods for eliciting expert judgement which
provide an aid to the formulation of appropriate questions.
Often there is insufficient data to assess, with any degree of certainty, the
probability of an event occurring. In this case, it is often better to focus on the
impact of the possible event rather than to dwell on trying to assess a probability
for which the data needed to make a suitable assessment is not available.
(1) Impact-focused/intelligence-driven assessment.
5.10 Project life cycle phases
Many activities and projects can be considered to have a life cycle, starting from
initial concept and definition, through realization, to a final completion which might
include decommissioning and disposal.
Risk assessments should be applied at all stages of the life cycle and should be
applied at various times with different levels of detail to assist in the decisions that
need to be made at each phase.
Often a threat that has the ability to impact on one stage of the life cycle
process will not have the ability to impact on another.
An example would be the threat of theft, which at the beginning of a construction
project might be very low but rise to very high at the end of the project. The
measures employed to prevent theft at the beginning would therefore be significantly
less than the measures employed at the end of the project.
5.11 Vulnerability
Vulnerability is an assessment of the susceptibility of assets and processes to the
previously identified threats. This is done by testing the existing mitigation
capabilities and resilience.
A generally accepted model used to describe the best methods of assessing
resilience and vulnerabilities is the five Ds:
Deter
The objective of deter is to project an appearance of resilience, thereby deterring
the aggressor and preventing the attack from happening in the first place.
Detect
Detection or early warning of an attack, by either electronic or human means, will
allow the facility to respond to the incident in a timelier fashion and will likely
lessen the potential consequences, provided that response plans are in place and exercised.
Delay
The delay objective is to slow down an active intrusion enough to force the intruder
to give up or allow the security team to respond.
Deny
The objective of deny is essentially to keep unauthorized persons out, while
allowing authorized persons to enter.
Defend/Respond
The defend strand is the security personnel response to the incident. This often
includes the involvement of law enforcement or a military response.
The five Ds in effect represent ‘barriers’ designed to protect the asset prior to and
during an incident.
5.12 Risk appetite
Evaluation of risk is highly dependent upon the risk appetite – or tolerance to risk
– of the company, group or individual. This risk appetite will decide upon future
actions and mitigation measures.
Residual risk should also be assessed to see if the risk has been reduced to an
acceptable level.
6. Assessment techniques most
applicable to security
6.1 Characteristics that risk assessment techniques
should have
Risk assessment techniques that are particularly applicable to the security
environment are described here.
Any risk assessment technique applied should exhibit the following general
characteristics.
• It should be justifiable and appropriate to the situation or organization.
• It should deliver results that give a better understanding as to the nature of
the risk and how risks should be mitigated.
• Where possible, it should be repeatable and verifiable.
• Ownership: it should be possible to demonstrate that the decisions and
measures taken by the team were inclusive.
Additional methods and more detailed descriptions of risk assessment techniques
can be found in IEC/ISO 31010, Risk Management – Risk assessment techniques.
Additional information on a specific European Union policy on the protection of
critical infrastructure can be found in A Reference Security Management Plan for
Energy Infrastructure, prepared by the Harnser Group (2).
6.2 The risk assessment techniques
Brainstorming
Brainstorming involves a group of knowledgeable people who have a broad
understanding of the security threats and the operational process taking part in
a stimulated conversation designed to identify potential threats, issues,
hazards, risks, and mitigation measures.
Effective facilitation is very important to ensure that the process and discussion
is both wide ranging and effective. The facilitator is also necessary to capture the
important points of the discussion.
(2) A Reference Security Management Plan for Energy Infrastructure. Harnser (UK) Ltd. Norwich, Summer 2010.
Available from http://www.harnsergroup.com/about-us
CARVER
The CARVER matrix was developed by the United States special operations forces
during the Vietnam War.
CARVER is an acronym that stands for Criticality, Accessibility, Recoverability,
Vulnerability, Effect and Recognizability.
A CARVER matrix can help identify targets that are vulnerable to attack and
consequently can be used for planning and for defensive purposes.
The CARVER matrix can indicate High Risk or vulnerable targets that might require
additional security assets allotted to them to prevent their degradation by hostile
action.
Computer-based modelling
The American Petroleum Institute (API) has a number of approved computer-based
security risk assessment methodologies which are internationally
recognized.
Their Security Risk Assessment (SRA) process is a systematic process that
evaluates the likelihood that a threat against a facility will be successful and
considers the potential severity of consequences to the facility itself, to the
surrounding community and on the energy supply chain.
Their Security Vulnerability Assessment (SVA) process is a team-based approach
that combines the multiple skills and knowledge of the various subject matter
experts and employees to provide a complete picture of the facility and its
operations.
Delphi technique
The Delphi technique is very similar to brainstorming. An essential feature of
the Delphi technique is that experts involved express their opinions individually
and anonymously while having access to the other experts’ views as the process
progresses.
(Swift) What-if?
SWIFT (structured what-if technique) is a systematic, team-based method that utilizes
a set of prompt words or phrases to stimulate participants to identify the possible risks.
The use of what-if type phrases in combination with the prompts helps to
understand how an operation, procedure, process or system will be affected by
deviations from normal operations and behaviour, or by incidents.
Scenario analysis
Scenario analysis focuses on descriptive models of how future events might turn
out. It is used to identify risks by considering possible future developments and
assessing their possible implications.
Scenarios reflecting, e.g. best case, worst case and expected case are used to
analyse potential consequences and their probabilities.
Root cause analysis (RCA)
Root cause analysis is usually a retrospective process used after a major loss or
incident with the view of preventing its recurrence. It attempts to identify the
root or original causes of the incident instead of dealing only with the immediately
obvious causation and impact.
RCA is most often applied to the evaluation of a major incident but may also
be used to analyse incidents more generally to determine where holistic
improvements can be made.
When the need for an RCA is identified, a group of experts should be appointed to
carry out the analysis and make recommendations. The type of expert will mostly
be dependent on the specific expertise needed to analyse the failure/incident.
The evaluation of causes often progresses from initially evident physical causes, to
human-related process-driven causes, and finally to underlying management or
fundamental causes.
Fault tree analysis (FTA)
Fault tree analysis is a technique for identifying and analysing factors that can
contribute to a specified undesired event taking place – the top event.
Factors that could cause the top event to take place are identified, organized logically,
and represented pictorially in a fault tree diagram that shows possible causal factors
and their logical relationship to the top event. (Figure 2 shows an example.)
The fault tree is used qualitatively to identify potential causes and pathways to a
failure (the top event) or calculate the probability of the top event, given knowledge
of the probabilities of causal events.
The factors identified in the tree can be events that are associated with system
failures, human errors or any other pertinent deliberate events that lead to the
undesired event.
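To show the quantitative use described above, the following added example (not part of this document) evaluates a small fault tree with AND/OR gates and lists its minimal cut sets, i.e. the pathways to the top event. It assumes independent basic events and uses constructed, hypothetical event names and probabilities; only the top event "Failure of PIDS" is taken from Figure 2.

```python
from dataclasses import dataclass
from itertools import product
from math import prod


@dataclass(frozen=True)
class Basic:
    name: str
    p: float  # probability of the basic event over the assessment period


@dataclass(frozen=True)
class Gate:
    name: str
    kind: str        # "AND" or "OR"
    children: tuple  # Basic or Gate nodes


def probability(node) -> float:
    """Bottom-up evaluation: OR = 1 - prod(1 - p_i), AND = prod(p_i)."""
    if isinstance(node, Basic):
        return node.p
    ps = [probability(c) for c in node.children]
    if node.kind == "AND":
        return prod(ps)
    if node.kind == "OR":
        return 1.0 - prod(1.0 - p for p in ps)
    raise ValueError(f"unknown gate kind {node.kind!r}")


def cut_sets(node):
    """Every combination of basic events that is sufficient to cause the node."""
    if isinstance(node, Basic):
        return {frozenset([node.name])}
    child_sets = [cut_sets(c) for c in node.children]
    if node.kind == "OR":
        return set().union(*child_sets)
    # AND gate: one cut set from each child must occur together
    return {frozenset().union(*combo) for combo in product(*child_sets)}


def minimal_cut_sets(node):
    """Drop cut sets that strictly contain another; what remains are the pathways."""
    sets = cut_sets(node)
    return {s for s in sets if not any(other < s for other in sets)}


# Constructed tree: basic events and probabilities are hypothetical illustration values.
PIDS_TREE = Gate("Failure of PIDS", "OR", (
    Gate("Perimeter Monitoring Failure", "AND", (
        Gate("Detection lost", "OR", (Basic("sensor fault", 0.05), Basic("cable cut", 0.03))),
        Basic("alarm not acknowledged", 0.10),
    )),
    Basic("lighting failure", 0.02),
))
```

For the constructed tree, `probability(PIDS_TREE)` is about 0.0277 and `minimal_cut_sets(PIDS_TREE)` yields three pathways, two of which require the alarm to go unacknowledged.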
Figure 2: A fault tree (example top event: Failure of PIDS, with Perimeter Monitoring Failure among the contributing events)
Cause and effect analysis
Cause and effect analysis looks at identifying the possible causes of an event
or incident and then each of the possible effects. It organizes the possible
contributory factors into broad categories so that all probable hypotheses can be
considered.
This analysis can be used to display a list of causes of a specific event or incident,
and to assess all plausible scenarios and causes. It is most valuable
at the beginning of an analysis as it broadens thinking about possible causes and
potential hypotheses.
Figure 3: Cause and effect (example event: Sabotage of Substation)
Bow tie analysis
Bow tie analysis is a simple diagrammatic way of describing and analysing the
pathways of risk from causes to consequences.
It can be considered as a derivative/amalgamation of a fault tree, which analyses the
causes of an event (the knot of the bow tie), and an event tree, which analyses its
consequences.
The focus of the bow tie is on the preventive measures between the causes and the
risk, and the risk and consequences.
Bow tie analysis is often easier to understand than fault or event trees, and
therefore can also be a useful communication tool.
Figure 4: A bow tie diagram
6.3 Selection of risk assessment techniques
Risk assessment may be undertaken in varying degrees of depth and detail and
using a number of methods ranging from simple to complex.
It may sometimes be necessary to employ more than one method of risk
assessment. The decision on the depth to which risk assessment is carried out
should reflect the potential impact, the perception of possible consequences
and the degree of expertise, human and other resources needed.
A simple assessment, well done, may provide better results than a more
sophisticated procedure poorly carried out, as long as it meets the objectives and
scope. The effort put into the assessment should be consistent with the potential
level of risk being analysed. In addition, there should be a clear process for
tracking recommendations to closure.
Considerable benefit can be derived by simply showing that a replicable process
has been followed.
Assessment techniques should be chosen with regard to relevance and suitability.
Once the decision has been made to carry out a risk assessment and the
objectives and scope have been defined, the techniques should be selected, based
on factors such as:
• nature of the threat
• the objectives of the risk assessment, which have a direct bearing on the
techniques used; in some cases a high level of detail is needed to make a good
decision, in others a more general understanding is sufficient
• the type and range of risks being analysed
• the availability of information and data; some techniques require more
information and data than others
• the need for modification/updating of the risk assessment; the assessment may
need to be modified/updated in future, and some techniques are more amenable
than others in this regard
• regulatory and contractual requirements; there may be regulatory
requirements which mandate the use of a specific method or technique.
Other factors that influence the selection of an approach to risk assessment include
the availability of resources, the nature and degree of uncertainty in the data and
information available, and the complexity of the application.
Chosen techniques should exhibit the following characteristics:
• should be justifiable and appropriate to the situation or organization under
consideration
• should provide results in a form which enhances understanding of the nature
of the risk and how it can be mitigated
• should be capable of use in a manner that is traceable, repeatable and
verifiable.
This document provides guidance and information which can assist a security
manager in carrying out a security risk assessment, as part of an effective
security risk management process.
By following this guidance, an organization should be able to implement a robust
security risk assessment that:
• addresses security threats and mitigates risk emanating from those threats to an
acceptable level
• assists in the protection of people, assets, operations, information and reputation
• improves operational resilience and response
• encourages management involvement
• effectively allocates and uses resources, based on risks
• establishes a basis for planning and decision-making
• improves organizational learning
• satisfies regulatory requirements.