
Risk Measurement (Chapter 3 of Risk Analysis and the Security Survey, Elsevier)


Risk Measurement

Risk cannot always be eliminated. Properly identified, however, it can usually be managed.
—Risk Assessment Guidelines, General Security, ASIS International, 2003

Risk measurement (quantification) is an essential element for later use in determining the impact (cost) of an unfavorable event on any operation or enterprise. It can also aid in predicting how often such an event may occur in a given period of time. Two necessities for performing risk measurement and quantification are a quantitative means of expressing potential cost and a logical expression of frequency of occurrence. Both must accommodate low as well as high frequencies of event occurrence.

There is no better way to state the impact of an adverse circumstance (unfavorable event)—whether the damage or cost is actual or abstract, or the victim a person, a piece of machinery, or the entire facility—than to assign it a monetary value. Ascertaining the cost of any adverse event is the logical way to equate value in our society. For a company that is concerned with cost (and which are not?), it is the only way! Because budgets and other financial matters are normally organized on a yearly basis, a year is obviously the most suitable time period to use in expressing the frequency of occurrence of threats. Of course, some threats may occur only once in a period of years, such as the 100-year flood. Others may occur daily or many times a day, such as internal theft. Each, however, can be measured in dollars as well as in frequency of occurrence.

Cost Valuation and Frequency of Occurrence

It is much more difficult to say that something happens every 1/1,825 of a year than that it happens, say, five times a day. It is also inconvenient to work with such fractions. For this reason, the convention of treating 1,000 days as 3 years, as shown in the frequency table below, has evolved. This method avoids unwieldy fractions yet keeps the flexibility of working with high-probability events in days and low-probability events in years.

CH003.indd 21 11/28/2011 11:28:54 AM

22 RISK ANALYSIS AND THE SECURITY SURVEY

In most cases, it is neither necessary nor desirable to make precise statements of impact and probability. The time needed for the analysis will be considerably reduced, and its usefulness will not be decreased, if impact (i) and frequency (f) are expressed in factors of 10. It does not really matter to the overall estimation of threats whether the cost of the threat is valued at $110,000 or $130,000, or whether the anticipated frequency is 8 or 12 times a year. If at the time of deciding upon safeguards it becomes necessary to refine specific items, then by all means do so and end the argument! What is essential in the beginning is simplifying the measurement and quantification process, for reasons of efficiency and speed. This keeps the analysis short and the task manageable.

If the cost valuation (impact) of the event is:

$10, let i = 1
$100, let i = 2
$1,000, let i = 3
$10,000, let i = 4
$100,000, let i = 5
$1,000,000, let i = 6
$10,000,000, let i = 7
$100,000,000, let i = 8

If the estimated frequency of occurrence is:

Once in 300 years, let f = 1
Once in 30 years, let f = 2
Once in 3 years, let f = 3
Once in 100 days, let f = 4
Once in 10 days, let f = 5
Once per day, let f = 6
Ten times per day, let f = 7
One hundred times per day, let f = 8

Annual loss expectancy (ALE) is the product of impact and frequency. When using the values of f and i derived from the conversion tables (listed above), you can approximate the value of ALE by applying the following formula:

$$\mathrm{ALE} = \frac{10^{\,(f + i - 3)}}{3}$$

No weighting factors have been introduced into the formula; the division by 3 and the -3 in the exponent are there only to accommodate the converted values: on the f scale an event with f = 3 occurs once in 3 years, each step of f or i is a factor of ten, and an impact of index i is $10^i$, so the product of impact and annual frequency reduces to the expression above. An even faster way to determine ALE is to use the matrix shown in Table 3-1, or alternatively, to develop one's own matrix. It would be impossible to list all the undesirable events that could plague any given security project. Most projects involving facilities, whether high-technology, refinery, manufacturing, or service, have more things in common than one would suspect at first glance (for example, fires on a cruise liner versus terrorism on the high seas). These common-origin problems have to be spliced or woven into the matrix along with events or occurrences peculiar to the particular analysis at hand. Terrorism and extortion on the high seas have, of late, become very serious problems for many U.S. ship owners, especially off the North African coast.
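The two conversion scales, the ALE shortcut, and Table 3-1 can be checked mechanically. The Python below is an added worked example, not code from the chapter or its authors: the i and f scales and the formula are the chapter's, while the nearest-power-of-ten rounding, the 365-day year, the one-significant-figure rounding of table cells, the $300 to $300 M range used to blank cells the printed table does not show, and the $120,000-every-3-years threat used in the comparison are this example's assumptions. It also shows one caveat the text glosses over: because the f steps are a factor of ten apart, a rate near the geometric midpoint between two steps (12 times a year, for instance) rounds up to the next f while 8 times a year rounds down.

```python
"""Order-of-magnitude risk measurement: the i and f scales, the ALE
shortcut 10**(f + i - 3) / 3, and Table 3-1 rebuilt from it.

Added worked example; not code from the chapter or its authors. The two
scales and the formula are the chapter's; the rounding rules, the 365-day
year and the exact-versus-shortcut comparison are this example's additions.
"""
import math
from typing import Dict, Optional, Tuple

DAYS_PER_YEAR = 365.0  # assumption: the text rounds 1,000 days to 3 years

# Frequency scale from the text, expressed as events per year.
FREQ_PER_YEAR = {
    1: 1 / 300,                 # once in 300 years
    2: 1 / 30,                  # once in 30 years
    3: 1 / 3,                   # once in 3 years
    4: DAYS_PER_YEAR / 100,     # once in 100 days
    5: DAYS_PER_YEAR / 10,      # once in 10 days
    6: DAYS_PER_YEAR,           # once per day
    7: 10 * DAYS_PER_YEAR,      # ten times per day
    8: 100 * DAYS_PER_YEAR,     # one hundred times per day
}


def impact_index(cost_dollars: float) -> int:
    """Dollar impact -> i, the nearest power of ten (i = log10(cost)).

    $110,000 and $130,000 both give i = 5, the text's point that extra
    precision changes nothing at this stage.
    """
    if cost_dollars <= 0:
        raise ValueError("impact must be a positive dollar amount")
    return max(1, min(8, round(math.log10(cost_dollars))))


def frequency_index(events_per_year: float) -> int:
    """Annual frequency -> f. The scale is about 10**(f - 3) / 3 events a
    year, so f = round(log10(3 * rate)) + 3.

    Caveat: steps are a factor of ten apart, so rates near a geometric
    midpoint flip. 8/yr and 10/yr give f = 4; 12/yr already gives f = 5.
    """
    if events_per_year <= 0:
        raise ValueError("frequency must be positive")
    return max(1, min(8, round(math.log10(3 * events_per_year)) + 3))


def ale_shortcut(i: int, f: int) -> float:
    """ALE from the indices: 10**(f + i - 3) / 3, the chapter's formula."""
    return 10 ** (f + i - 3) / 3


def ale_exact(cost_dollars: float, events_per_year: float) -> float:
    """ALE as the plain product impact x annual frequency."""
    return cost_dollars * events_per_year


def one_sig_fig(x: float) -> float:
    """Round to one significant figure, as the printed table does."""
    exp = math.floor(math.log10(x))
    return round(x / 10 ** exp) * 10 ** exp


def ale_table(lo: float = 300.0, hi: float = 3e8) -> Dict[Tuple[int, int], Optional[float]]:
    """Rebuild Table 3-1 for i = 1..7 and f = 1..8. Cells whose rounded
    value falls outside [lo, hi], the range the printed table shows, are None.
    """
    table: Dict[Tuple[int, int], Optional[float]] = {}
    for i in range(1, 8):
        for f in range(1, 9):
            v = one_sig_fig(ale_shortcut(i, f))
            table[(i, f)] = v if lo <= v <= hi else None
    return table


def compare(cost_dollars: float, events_per_year: float) -> Tuple[float, float]:
    """(exact ALE, shortcut ALE) for one threat, to see the rounding error."""
    i, f = impact_index(cost_dollars), frequency_index(events_per_year)
    return ale_exact(cost_dollars, events_per_year), ale_shortcut(i, f)


if __name__ == "__main__":
    # Constructed threat (not from the book): a $120,000 loss about every 3 years.
    exact, short = compare(120_000, 1 / 3)
    print(f"exact ALE ${exact:,.0f}, shortcut ALE ${short:,.0f}")
    t = ale_table()
    print("i\\f " + "".join(f"{f:>13}" for f in range(1, 9)))
    for i in range(1, 8):
        cells = ["" if t[(i, f)] is None else f"{t[(i, f)]:,.0f}" for f in range(1, 9)]
        print(f"{i:>3} " + "".join(f"{c:>13}" for c in cells))
```

Run as a script it prints the exact and shortcut ALE for the constructed threat and the rebuilt table. The shortcut comes out at $33,333 against an exact $40,000 because $120,000 rounds down to $100,000 on the i scale; that is the order-of-magnitude error the text tells you to accept at this stage and refine later only if the safeguard decision turns on it.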

Chapter 3 ● Risk Measurement 23

A thorough understanding of the elements that may affect frequency estimation is one of the keys to risk measurement. The following are some common elements that deserve consideration:

● Access—Is access difficult, limited, or open? Can an intruder gain access easily, or is it difficult? Can any employee do the same? What are the access criteria?

● Natural disasters—What kinds of natural disasters might realistically occur? To what degree would damage occur? How would it affect processing, storage, or supplies? How would loss of power or other utilities affect the entity?

● Environmental hazards—What special hazards are inherent in the operation? What is nearby? Are there any explosives, gasoline, or flammable objects in the area? Unused buildings next door? What can be the aftermath of fire? Water damage? Loss of stock, material? Proximity of fire and police departments?

● Facility housing—What protective devices are installed or can be installed? Anti-intrusion alarm systems, electronic access control systems? How is the building constructed? Type of roof? Sprinklers? What kind of flooring? What is flammable?

● Work environment—What is the relationship between personnel and management? (Loyal? Suspicious?) What are the aggravations of employees? Past labor history? How well do supervisors know employees? What is management’s attitude toward employee dishonesty? (Condone? OK within bounds? Dismissal?) How open are lines of communication between employees and supervisors? Supervisors and upper management?

● Value—How much can an intruder profit? How much damage could result in the worst-case scenario? How much can a dishonest employee gain? How long before an intrusion will be detected? What are the security response capability and response time?

Table 3-1 Determination of Annual Loss Expectancy (ALE)

                              Value of f
Value of i      1       2       3       4       5       6       7       8
    1                                        $300     3 K    30 K   300 K
    2                                $300     3 K    30 K   300 K     3 M
    3                        $300     3 K    30 K   300 K     3 M    30 M
    4                $300     3 K    30 K   300 K     3 M    30 M   300 M
    5        $300     3 K    30 K   300 K     3 M    30 M   300 M
    6         3 K    30 K   300 K     3 M    30 M   300 M
    7        30 K   300 K     3 M    30 M   300 M

Cells are rounded to one significant figure; K = thousands of dollars, M = millions of dollars.

Principles of Probability

At this point, some statements about the nature of risk must be explained and considered. What we have stated so far is a simple approach to identifying and measuring risk. Risk is the possible happening of an undesirable event. An event is something that can occur, a definable occurrence. When an event happens, it can be described. Security countermeasures are designed to protect against harmful events occurring. For this reason, the question, "Is a system secure?" is meaningless. What should be asked is, "Is the system protected against all identified problems and incidents believed to be harmful?"

Any event can be described in at least two ways: in terms of the damage it will cause if it occurs, or in terms of the probability of its occurrence. An identified risk should be described in terms of both, its possibility of occurrence and its capacity for potential loss.

The study of the possibility of occurrence is known as probability. The principles that follow are based on philosophical (rather than mathematical) proofs set out by the Marquis de Laplace in his Théorie Analytique des Probabilités (1812). Laplace established 10 principles of probability, which are quoted below, in part, from that classical treatise.

1. Probability is defined as the ratio of the number of favorable cases to all possible cases.

2. If the cases are not equally possible, then the probability is the sum of the possibilities of each favorable case.

3. When the events are independent of each other, the probability of their simultaneous occurrence is the product of their separate probabilities.

4. If two events are dependent on each other, then the probability of the combined event is the product of the probability of the occurrence of the first event and the probability that the second event will occur given the occurrence of the first event.

5. If the probability of an observed event is determined, and also that of the compound event consisting of the observed event together with an expected second event, then the second probability divided by the first is the probability of the expected event given the observed event.

6. When an observed event is linked to a cause, the probability of the existence of the cause is the probability of the event resulting from the cause divided by the sum of the probabilities of all causes.

7. The probability that the possibility of an event falls within given limits is the sum of the fractions [#6 above] falling within these limits.

8. The definition of mathematical hope is the product of the potential gain and the probability of obtaining it.

9. In a series of probable events, of which some produce a benefit and the others a loss, we shall have the advantage that results from it by making a sum of the products of the probability of each favorable event by the benefit that it procures, and subtracting from this sum that of the products of the probability of each unfavorable event by the loss that is attached to it. If the second sum is greater than the first, the benefit becomes a loss and hope is changed to fear.

10. Moral hope is defined as the absolute value of the expected gain or loss taken relative to the total assets of the involved entity. This principle relates potential gain to potential loss and describes the basis for not exposing all assets to the same risk.

Readers and students of this text have asked me to explain Laplace's theory in words of one syllable. Unfortunately, I am not astute enough to do so. The theory is merely set forth here for those readers who may desire a more precise methodology by which to arrive at probability determination in their unique environment or studies. For our purposes, however, the simpler the application, the better. Excessive refinement of the risk measurement process, in our opinion, would only serve to further delay the outcome of the project, without adding much benefit to the ultimate solution.

Probability, Risk, and Security

When security is defined as the implementation of a set of acceptable practices, procedures, and principles that, taken as a whole, have the effect of altering the ratio of undesirable events to total events, the first principle and the importance of probability theory become self-evident. The problem that security must constantly deal with is that all undesirable events are breaches of security! The goal of security design is to decrease the ratio of unfavorable events to total events. Obviously, some events are more likely to occur than others in the same environment. The risk of a flood that inundates a city would seem less likely than a transient power failure (tell this to the people of New Orleans, LA, and Nashville, TN). Both are undesirable events. Both can affect the operation of businesses. When the probability of each case is different, the ratios of favorable to unfavorable cases are altered accordingly.

Two events that have no relation to each other are considered to be independent events. If they are not linked in any way, the probability of their simultaneous occurrence is the product of their respective probabilities. An example: What is the probability of lightning striking a second time in the same spot? It is the same as the probability of lightning striking the first time; the two events are independent of each other, and thus the probability remains the same. In security, the penetration of a system and the simultaneous failure of the security system from causes other than penetration may be expressed as the product of the probabilities of the two independent events. This fits the condition of Laplace's principle #3, above. Many security (and safety) systems, such as those employed at nuclear power facilities, are based on redundancy, such that if multiple failures occur, the redundant systems do not become operational until the preceding systems have failed. Principle #4 expresses the relation between dependent events: the probability of the first event is multiplied by the probability of the second event given the first, if the second event can happen only after the first event has occurred. Breaking and entering followed by theft, to produce a burglary, is an example of this theory.

The probability of security system failure may be expressed in terms of the lower-risk multiple or backup systems. As happens when two events are combined, principle #5 expresses the idea that when dealing with events, the past does not affect the future. If we assume the risk of a security breach is a given value and that it has occurred, we may not assume that it will not occur again. Probabilities of events are not guarantees. If an event has a probability of 1 in 100, the probability of that event happening again is still 1 in 100. For example, tossing a coin for heads or tails is a 50–50 proposition; that is, 1 time out of 2 it should come up heads. A coin toss could come up heads 10 times in succession; however, as the past cannot affect the present or the future, the chance of heads coming up each time is still 50–50, and it will remain so on every toss of the coin.

Principle #6 deals with the attribution of causes to effects. It describes the relation between all possible causes and the probable cause. This is effectively the expression of circumstantial evidence: a probability leading to a conclusion, but one less convincing than a conclusion reached from direct evidence. Principle #7 involves the basis of confidence limits. To illustrate, if a random sample of 100 observations is found to have a mean of 40 and a standard deviation of 11, the true (population) mean cannot be determined precisely. The best that can be established is limits within which the mean will fall with a specified probability or confidence, usually taken as 95 percent. Again we need to ask ourselves the question, "How precise a measurement do we need?" Security is, after all, an art and not a science.

The definition of mathematical hope (expected value) is essential to the design of a secure system. This concept relates the potential gain to the probability of obtaining the gain. Principle #8 allows the utility of a procedure to be expressed in both monetary and probabilistic terms. If the potential gain from a security system were $1,000 and the probability of achieving this gain were 1 in 500, a value of 2 (in arbitrary units) could be assigned. Equivalent values could be assigned to other combinations to allow comparison among alternatives. But why go to all this trouble for so little gain?

Principle #9 allows for the fact that any solution to a problem introduces risk of its own. Risk management solutions may fail, and this must be considered at the design stage. A backup system to provide redundancy should certainly be considered, along with the cost/benefit ratio of providing it. This principle is extensively used in the manufacture of commercial aircraft and the space shuttle, for obvious reasons. Providing redundancy in a security system is generally more cost effective than buying an insurance policy to cover a failure.

The condition to be considered last is the situation in which one of the alternatives to positive action is simply to do nothing. In some cases the risks, upon analysis, become insignificant; the decision may be to accept the possibility of loss because the potential loss will not have a substantial effect on the client's assets. Principle #10 relates the amount and potential of risk to the wealth of the protected entity. A very profitable company may well afford to risk assets to maximize gains in profitability. The potential losses might be too great, however, for a less prosperous company, one that may be in greater need of relief from a catastrophe, such as a major hurricane or even an oil spill from a tanker at sea. In some instances, then, the most cost-effective security is simply not to implement a plan or solution; in others, the most practical solution might be to cover the potential loss with some form of insurance.
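To make the six principles the chapter actually applies concrete, here is an added Python example, not code from the chapter or its authors, that implements principles 3, 4, 6, 7, 9 and 10 as functions and runs a constructed scenario through them: three independently failing protective layers, the burglary chain (entry, then theft given entry), an alarm attributed to three candidate causes, the text's sample of 100 with mean 40 and standard deviation 11, a $20,000-a-year redundant system that averts a $300,000 loss with an assumed annual probability of 0.05, and that same loss measured against a $2 million and a $200 million balance sheet. Every probability and dollar figure in example_scenario() is constructed for illustration, as is the z = 1.96 used for 95 percent limits; the principles themselves are Laplace's as quoted above.

```python
"""Laplace's principles 3, 4, 6, 7, 9 and 10 applied to security events.

Added worked example; it is not code from the chapter or its authors. The
controls, probabilities and dollar figures in example_scenario() are
constructed for illustration, not data from the book.
"""
import math
from typing import Dict, List, Tuple


def p_all_independent(probs: List[float]) -> float:
    """Principle 3: P(all occur) for independent events is the product.

    Defense in depth: a breach requires every layer to fail, so if the
    layers fail independently the breach probability is the product of
    their individual failure probabilities.
    """
    result = 1.0
    for p in probs:
        if not 0.0 <= p <= 1.0:
            raise ValueError("probabilities must lie in [0, 1]")
        result *= p
    return result


def p_dependent_chain(p_first: float, p_second_given_first: float) -> float:
    """Principle 4: P(A and B) = P(A) * P(B | A), e.g. entry then theft."""
    return p_first * p_second_given_first


def p_cause_given_event(priors: Dict[str, float],
                        likelihoods: Dict[str, float]) -> Dict[str, float]:
    """Principle 6: share of an observed event attributable to each cause.

    priors[c] = P(cause c), likelihoods[c] = P(event | cause c). Returns
    P(cause c | event) = P(c) P(event | c) / sum over all listed causes.
    Laplace's statement assumes equally likely causes; priors generalise it.
    """
    joint = {c: priors[c] * likelihoods[c] for c in priors}
    total = sum(joint.values())
    if total == 0:
        raise ValueError("the event is impossible under every listed cause")
    return {c: v / total for c, v in joint.items()}


def mean_confidence_limits(mean: float, sd: float, n: int,
                           z: float = 1.96) -> Tuple[float, float]:
    """Principle 7 as the text uses it: limits within which the true mean
    falls with a chosen confidence. Normal approximation, mean +/- z*sd/sqrt(n);
    z = 1.96 for 95% is this example's assumption, not a figure from the book.
    """
    half = z * sd / math.sqrt(n)
    return mean - half, mean + half


def expected_net(outcomes: List[Tuple[float, float]]) -> float:
    """Principles 8 and 9: sum of P(outcome) * value, gains positive and
    losses negative. A negative total is Laplace's 'hope changed to fear'.
    """
    return sum(p * value for p, value in outcomes)


def exposure_ratio(loss: float, total_assets: float) -> float:
    """Principle 10: a loss measured against the entity's total assets."""
    if total_assets <= 0:
        raise ValueError("total assets must be positive")
    return abs(loss) / total_assets


def example_scenario() -> Dict[str, object]:
    """Constructed figures (not from the book) run through each rule."""
    # Three layers an intruder must defeat, each with an assumed
    # independent failure probability (principle 3).
    p_breach = p_all_independent([0.10, 0.05, 0.20])            # 0.001
    # Burglary: assumed P(entry) and P(theft | entry) (principle 4).
    p_burglary = p_dependent_chain(0.05, 0.8)                    # 0.04
    # An alarm has sounded; three candidate causes with assumed priors
    # and P(alarm | cause) (principle 6).
    posterior = p_cause_given_event(
        {"intrusion": 0.02, "sensor fault": 0.03, "weather": 0.20},
        {"intrusion": 0.90, "sensor fault": 0.60, "weather": 0.12},
    )
    # The text's sample: n = 100, mean 40, sd 11 (principle 7).
    limits = mean_confidence_limits(40.0, 11.0, 100)
    # A redundant system costing $20,000 a year that, with assumed annual
    # probability 0.05, averts a $300,000 loss (principle 9).
    net = expected_net([(1.0, -20_000.0), (0.05, 300_000.0)])    # -5,000
    # The same $300,000 loss against two assumed balance sheets (principle 10).
    return {
        "p_breach": p_breach,
        "p_burglary": p_burglary,
        "posterior": posterior,
        "mean_limits": limits,
        "redundancy_net": net,
        "exposure_small_firm": exposure_ratio(300_000.0, 2_000_000.0),    # 0.15
        "exposure_large_firm": exposure_ratio(300_000.0, 200_000_000.0),  # 0.0015
    }


if __name__ == "__main__":
    for key, value in example_scenario().items():
        print(f"{key}: {value}")
```

The redundancy comes out at an expected net of minus $5,000 a year, Laplace's hope turned to fear, yet the same $300,000 loss is 15 percent of the smaller firm's assets and 0.15 percent of the larger firm's. That is the distinction principle #10 draws: the smaller firm may still buy the redundancy or insure against the loss, while the larger one can reasonably accept it.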

To summarize, risk can be expressed in terms of probability of occurrence. The goal of security system design is to improve the ratio of favorable events to total events, or equivalently to reduce the ratio of unfavorable events. The basic technique used is to rate risks by their probability of occurrence and to establish economic values for potential risks and potential solutions. When possible (and cost-effective), redundant or backup systems may be designed to provide an added dimension of protection. A risk probability determination is not a guarantee that an event which has a low probability and has occurred only once will not occur again, or perhaps multiple times, in the future.

Statistical analysis as it is used in many fields—astronomy, agriculture, engineering, or insurance—is approached by using the same procedures enumerated above.

Again, a word of caution: No statistical procedure can, in itself, ensure there will be no mistakes, inaccuracies, faulty reasoning, or incorrect conclusions. The data must be accurate, the methods properly applied, and the results interpreted by someone with a thorough understanding of the field in which the information obtained is being applied. That, after all, is the hallmark of the professional.

Estimating Frequency of Occurrence

When experience (history) has provided an adequate database, loss expectancy can be projected with a satisfactory degree of confidence. For example, if one leaves the keys in the ignition of an unlocked car on a downtown street in a high-crime area, it is just a question of time until the car is stolen. Likewise, if the same bank is robbed on numerous occasions, the chances that it will continue to be robbed again and again are easy to predict.

In new situations, however, or in situations in which data have not been or cannot be collected, we have insufficient knowledge on which to base our projections. An example would be the kidnapping of a high-risk-profile businessperson in the absence of any prior threats or other indications that he had been targeted for kidnapping. In such instances, quantification of risk tends to be nothing more than educated guessing. It is in cases such as this that the services of an experienced security professional are needed to reduce subjectivity to an absolute minimum and to deal with the data available, limited though they may be, in a calm, objective manner. This is also true of international and domestic terrorism and, to a lesser degree, workplace violence. Amateurs may become emotional—that is to say, less objective—when faced with unfamiliar and often dangerous situations. The services of an outside consultant or a security professional experienced in such matters are essential in cases of this type, to ensure objective and proper analysis from the outset. Terrorism deserves particular mention: terrorists engage in seemingly random acts of violence, and it is difficult, if not impossible, to estimate the frequency of occurrence of random acts of violence. By their very nature, they are highly unpredictable. So we are left with the nagging thought that "risk analysis" is not an exact science but an art, and we still have many challenges ahead of us, especially in dealing with the activities of terrorists.
