SECURITY RISK ASSESSMENTWITH

Paul Mercer – Security Risk Consultant

Part 1 – An intro to SRA – 15 minsPart 2 – Security Risk Assessment

Methodology – 1 hrPart 3 – What is HawkSight? - 15 minsPart 4 – Security Threat Analysis using

HawkSight – 1 hr

PART 1 AN INTRODUCTION TO SECURITY

RISK ASSESSMENT

WHAT IS A SECURITY RISK ASSESSMENT (SRA)?

A Security Risk Assessment offers a structured means of

determining the Threats to, and

Vulnerabilities of an Organisation, Community or

Individual” SRMBOK:2008

WHY DO WE NEED TO CONDUCT A SRA?

To reduce uncertainty…. “A risk based approach to

security ensures improved corporate governance and transparency of decision making through managing risk that threaten the on-going sustainability of the organisation” AS/NZ 4360:2004

“To shape operational activities and optimise the allocation of resources” SRMBOK:2008

HOW DO WE CONDUCT A SRA?Security Risk M

anagement H

B167En

terp

rise

Risk

Man

agem

ent

ISO

310

00

PART 2SECURITY RISK ASSESSMENT METHODOLOGY

SECURITY RISK ASSESSMENT METHODOLOGYSecurity Risk M

anagement H

B167En

terp

rise

Risk

Man

agem

ent

ISO

310

00

WHY?

“To gain an understanding of what our client does and how they do it in order we can recommend security

controls that match the needs of the client, the physical and regulatory

environment in which they operate, as well as meeting international

standards and best practice”

STRATEGIC CONTEXT

“Allows us to “gain an understanding of the external environment in which the

organisation is operating or may be operating [in the future in order to] identify any factors that may have an effect on the organisation or the way it does business”

HB 167:2006

OPERATIONAL CONTEXT

“To agree an understanding of the organisation itself, and any issues that may influence its exposure to security risk or the

activities undertaken to manage them. In other words, what do they do and how do

they do it.”

PROJECT CONTEXT - CONSEQUENCE?“The consequences of any security event are assessed

with reference to the potential damage to the client should the Risk occur and may be defined in terms of

effect on the achievement of client’s objectives, or possible impact on meeting defined business, financial,

management, operational, safety, security and environmental requirements, in terms of the legal and

regulatory framework or impact to reputation” “In analysis the consequence against likelihood the

approach adopted for security risks in this assessment reflects international best practice (HB 167) and is to

take the most probable worst case scenario”

PROJECT CONTEXT – SECURITY RISK MANAGEMENT (SRM)

How does the client currently manage Security Risk?

How do they Identify, Assess, Evaluate and Treat Security related Risk?

Understanding the Security Risk Management Context provides the scope, parameters and plan for undertaking the

proposed Security Risk activities.

SRM – RISK TOLERANCE

Editing the Risk Matrix Edited Matrix Showing Greater Risk Tolerance

SRM - RISK RESPONSE LEVELS

SECURITY RISK ASSESSMENT METHODOLOGYSecurity Risk M

anagement H

B167En

terp

rise

Risk

Man

agem

ent

ISO

310

00

VULNERABILITY ASSESSMENT – TARGET ATTRACTIVENESS

VULNERABILITY ASSESSMENT – CONTROL LEVEL EFFECTIVENESS

What are Security Controls?

“Process, Policy, Device or other action that acts to minimise negative risk or enhance positive

opportunities”

AS/NZ4360:2004 Risk Management Standard p 342

SECURITY CONTROL TRIANGLE

Policy & Procedure

Physical &

Manpower Technology

VULNERABILITY ASSESSMENT – BUSINESS RESILIENCE

“Business Resilience, or Post Incident Vulnerability (V2), is the robustness and ability of the asset, facility or system to

withstand attack and / or maintain service in the event of damage or disruption”

SECURITY RISK ASSESSMENT METHODOLOGYSecurity Risk M

anagement H

B167En

terp

rise

Risk

Man

agem

ent

ISO

310

00

WHAT IS A CRITICAL ASSET ASSESSMENT?

“The Criticality Assessment attempts to prioritise organisational infrastructure, asset or elements by

relative importance or dependence on that element”

SRMBOK2008. p 154

WHAT ARE CRITICAL ASSETS?

Critical Assets are characterised as:

People Physical Property Information Information &

Communication Technologies (ICT)

HOW CAN WE DEFINE PROJECT ASSETS?

3 Steps:1. Gain an overall understanding of what

the project objectives2. Breakdown the processes involved in

achieving these objectives (Process Mapping)

3. Identify the People, Physical Property, Information and ICT that are needed to support these objectives

ESTABLISHING CRITICALITY

We must consider the impact of the loss of functionality of the asset and the associated impact on the relevant process. Loss of the asset is assessed in terms of: Cessation of critical process Short term recovery capability Serious or prolonged reputation

damage

ESTABLISHING CRITICALITY

Criticality is Assessed as:

Extreme High

SignificantModerate

Low

SECURITY RISK ASSESSMENT METHODOLOGYSecurity Risk M

anagement H

B167En

terp

rise

Risk

Man

agem

ent

ISO

310

00

UNDERSTANDING SECURITY RISK AND SECURITY THREAT

Security Threat is defined as any Threat originating from both a human and natural or non-human source that might negatively affect the sentiment of security and quality of life of individuals, and the interests and choices available to organizations and governments.

Security Risk is defined as the effect of disruption on the objectives caused by risks originating from Security Threats identified.

SECURITY THREAT SOURCE

The Source of a Security Threat is defined as is the

origin at which the Threat emanates be

that a human or non human source

which may be external or internal to the project under

review.

ASSIGNING CONSEQUENCE OF A THREAT TO AN ASSET

SECURITY RISK ASSESSMENT METHODOLOGYSecurity Risk M

anagement H

B167En

terp

rise

Risk

Man

agem

ent

ISO

310

00

WHAT IS SECURITY RISK ANALYSIS?

Defining the Impact and Likelihood of each relevant Threat against each Critical Asset defines the

Security Risk Level

WHAT IS SECURITY RISK ANALYSIS

A 4 stage process to inter relate the data gathered so far:

Consequence Level Risk Tolerance Risk Response Level Target Attractiveness Level Business Resilience Level Threat Level Critical Asset Level Control Level Effectiveness Level

STEP 1 –DEFINING PRE-INCIDENT VULNERABILITY (V1)

Target Attractiveness

ControlLevel

Effectiveness

  Low Medium Significant High Extreme

Unsatisfactory 6 7 8 9 10

Weak 5 6 7 8 9

Satisfactory 4 5 6 7 8

Good 3 4 5 6 7

Excellent 2 3 4 5 6

STEP 2 –DEFINING LIKELIHOOD

Threat Level

Pre Incident Vulnera

bility (V1)

  Low Medium Significant High Extreme

Unsatisfactory 6 7 8 9 10

Weak 5 6 7 8 9

Satisfactory 4 5 6 7 8

Good 3 4 5 6 7

Excellent 2 3 4 5 6

STEP 3 –ASSESSING IMPACT

Consequence Level

Business

Resilience

Level

  Minimal Minor Moderate MajorCata

strophic

Unsatisfactory 6 7 8 9 10

Weak 5 6 7 8 9

Satisfactory 4 5 6 7 8

Good 3 4 5 6 7

Excellent 2 3 4 5 6

STEP 4 –DEFINING RISK LEVEL

SECURITY RISK ASSESSMENT METHODOLOGYSecurity Risk M

anagement H

B167En

terp

rise

Risk

Man

agem

ent

ISO

310

00

EVALUATING RISK

Tolerate the Risk- if, after controls are put in place, the remaining risk is deemed acceptable to the organisation, the risk can be retained. Transfer the Risk - this involves another party bearing or sharing some part of the risk by the use of contracts, insurance, outsourcing, joint ventures or partnerships etc.Terminate the Risk - decide not to proceed with the activity likely to generate the risk.Treat the Risk – through implementation of preventative controls measures, policies & procedures, contingency planning, disaster recovery & business continuity plans

EVALUATING IDENTIFIED SECURITY RISKS

SECURITY RISK ASSESSMENT METHODOLOGYSecurity Risk M

anagement H

B167En

terp

rise

Risk

Man

agem

ent

ISO

310

00

AS LOW AS REASONABLY PRACTICABLE(ALARP)

SECURITY RISK TREATMENT

Security in Depth Corporate Security Functions

Hierarchy of Controls Swiss Cheese Model

PART 3WHAT IS HAWKSIGHT ?

WHAT IS HAWK SIGHT ?

Hawk Sight is a Security Risk Assessment Calculator. It speeds up the analysis process by automating the

risk analysis methodology, thereby significantly reducing the time required to produce the Security Risk Assessment report.

Used by a trained Security Risk Consultant it will facilitate standardised, ISO 31000 compliant Security Risk Assessments, and ensures continuity in the Security Risk Assessment process, allowing like for like comparison across all Security Risk Assessments, regardless of organisation type or country of operation.

INTERNATIONAL RISK STANDARDS

LOGIN PAGE

Sign in at http://maxwelllucas.digitalpilgrims.co.uk using your designated username and password.

CLIENT VAULT PAGE

SECURITY RISK REGISTER

HAWKSIGHT SIMULTATOR

HAWKSIGHT SIMULTATOR

HAWKSIGHT SIMULTATOR

REPORT WRITE UP

WORD TEMPLATE

PART 4SECURITY THREAT ANALYSIS USING

UNDERSTANDING SECURITY RISK AND SECURITY THREAT

Security Threat is defined as any Threat originating from both a human and natural or non-human source that might negatively affect the sentiment of security and quality of life of individuals, and the interests and choices available to organizations and governments.

Security Risk is defined as the effect of disruption on the objectives caused by risks originating from Security Threats identified.

SECURITY THREAT SOURCE

The Source of a Security Threat is defined as is the

origin at which the Threat emanates be

that a human or non human source

which may be external or internal to the project under

review.

THREAT SOURCE

Threat sources may be categorised as follows: Military Threats to Security from Other States Security Threats from Non State Actors Economic Threats to Security Criminal Threats to Security Social and Religious Threats to Security Health Threats to Security Natural Threats to Security Environmental Threats to Security Accidentally Occurring Threats to Security

THREAT DRIVER

The motivation of a human source or the non human trigger event for a threat to

occur.

DEFINING THE LEVEL OF THREAT

Human Threat Intent refers to covert, implicit, or expressed

aims, goals, objectives, desires or directions of a human threat source, as identified in historical trend data, similar previous incidents and collected intelligence.

Capability refers to the attributes of a human threat source that enable a human Threat to occur, such as skills and knowledge, access to material and financial resources, time and supporters.

INTENT

Determined Threat Source has acted in the last 2 years Drivers/motivational factors still exist

Expressed Threat Source has not been active in the past 5

years Driver/motivational factors still exist

Little Threat Source has not been active for more than 5

years No known driver or motivational factors exist

CAPABILITY

Extensive Potential protagonist has proven capability and

the means to implement the threat effectively against the asset type.

Moderate Potential protagonist has limited proven capability

and resources to implement the threat effectively against the asset type.

Low Potential protagonist has no proven capability and

no resources to act against the asset.

NATURAL OR NON-HUMAN THREAT

Potential refers to the incidence of a non-human Threat and the circumstantial, climate and geographic factors that can trigger it or increase its propensity to occur, as identified in historical trend data, past events and scientific estimates.

Capacity refers to the ability of a non-human Threat to do harm and the factors that can amplify its damage potential, calculated from similar previous incidents and scientific estimates.

POTENTIAL

Likely Threat Source has been active itself in the last 2 years Conditions still exist that might trigger activity

Possible Threat Source has not been active in the past 5 years Conditions still exist that might trigger activity

Improbable Threat Source has not been active for more than 5

years Conditions do not exist that might trigger activity

CAPACITY

Extensive Source of threat has proven capacity to cause multiple

human fatalities and total disruption of business operations.

Moderate Source of threat has proven capacity to cause multiple

injuries to personnel and significant disruption of business operations.

Low Source of threat has no proven capacity to cause

significant injuries to personnel or significantly affect any business operations.

CALCULATING THREAT LEVEL

  Intent/Potential

  Little/

Improbable

Expressed/

Probable

Determined/

Likely

Capability/Capacity

Extensive Moderate High Extreme

Moderate Low Significant High

Low Low Moderate Significant

ENTERING THREAT DATA INTO HAWK SIGHT

There are 2 ways to enter Threat Data into your project: Adding/Editing Threats Manually to the

Hawk Sight database Selecting pre entered Threats from the

Hawk Sight database

ENTERING THREAT DATA INTO HAWK SIGHT

THREAT DATA PAGE

ADDING/EDITING THREATS MANUALLY

USING PRE ENTERED THREATS FROM THE DATABASE

THREAT DATA PAGE

THREAT DATA SELECTION