Phillip Banks P. Eng. CPP © The Banks Group Inc. - 2016

Apr 11, 2022
Page 1: Phillip Banks P. Eng. CPP


Page 2: Phillip Banks P. Eng. CPP

“If we don’t understand vulnerability we won’t understand risk.”

Unknown

“Risk management is a systematic response to uncertainty.” [1]

[1] CSE/RCMP Harmonized Threat and Risk Assessment Methodology, October 23rd, 2007

Page 3: Phillip Banks P. Eng. CPP

Risk: Is a person or situation that poses a possible threat to the security of something. The effect of uncertainty on objectives [1].

Vulnerability: Is a weakness or gap in security protections, control measures or processes that can be exploited by an adversary to remove, damage or destroy an asset.

[1] Risk Management Principles and Guidelines, AS NZS ISO 31000:2009

Page 4: Phillip Banks P. Eng. CPP

Risk has three key characteristics [1]:

• It looks ahead into the future;
• There is an element of uncertainty, e.g. a condition or a situation exists that might cause a problem for the project in the future;
• It is related to the outcome.

[1] Project Complexity and Risk Assessment Tool, Version 1.4, Treasury Board of Canada Secretariat

Page 5: Phillip Banks P. Eng. CPP
Page 6: Phillip Banks P. Eng. CPP

Risk = P x I

Risk = P x I x V

Risk = PA (1 – PI) C

Risk = P x I x M

Risk = Probability x Impact Security Controls

Risk = P X E (Exploitability of Protection)

Page 7: Phillip Banks P. Eng. CPP

Adversary? Threat(s)?

Adversary Objectives?

Capabilities and Strengths?

Adversary Determination?

Knowledge, Training and Experience?

Timeline?

???????

Page 8: Phillip Banks P. Eng. CPP

© The Banks Group Inc. - 2016

Page 9: Phillip Banks P. Eng. CPP

• Risk is never static
• Risk can be within or outside our sphere of control
• Risk is affected by both the adversary and the target
• A convertible asset requires multi-stage “risk continuum” consideration
• What can be done to positively affect the “risk triangle”?
• Corporate “Risk Appetite”?

Figure: “risk triangle” (only the label “Probability” is recoverable from the slide)

Page 10: Phillip Banks P. Eng. CPP

Quantifiable risk: Risk we can precisely measure and record with numbers: How many security controls are present? Is the control strength rated? How many attacks per day do we see? How many times did this happen in the past? How many vulnerabilities exist? etc.

Qualifiable risk: Risk we have an idea about but can't accurately measure and is thus subjective. How confident are we with the code-base? Do we think the project has had sufficient review? Do we think this control is efficient? etc.

Page 11: Phillip Banks P. Eng. CPP

Possibility – An event that could occur.

Probability – The likelihood of the event occurring.

A “possibility” is any event which has a “probability” of occurrence which is greater than “0”.

Page 12: Phillip Banks P. Eng. CPP

What probability?

• A threat-event will take place?
• The threat-event will be mitigated to some degree?
• The adversary will be 100% successful?

Impossible? Even chance? Certain?

Page 13: Phillip Banks P. Eng. CPP

Inputs:

• Historical Record
• Anecdotal Info
• Police Sources
• Industry Sources
• Networking
• Credible Intelligence
• Security technology
• Industry Experience
• …………………….?

Page 14: Phillip Banks P. Eng. CPP

Probability of a six being on the upper surface of one dice………?

Probability of two sixes being on the upper surface of two dice………?

Probability of three sixes being on the upper surface of three dice…..?

Page 15: Phillip Banks P. Eng. CPP

A system with three components fails if one or more components fail. The probability that any given component will fail is 1/10. What is the probability that the system will fail?

Page 16: Phillip Banks P. Eng. CPP

• Business Impact Analysis
• S.W.O.T. Analysis
• Past Experience
• Risk Manager
• In-house counsel
• Public relations
• Employees
• Etc……….

Page 17: Phillip Banks P. Eng. CPP

Figure: Probability vs Impact matrix (axes: Probability, Impact; cell ratings: Critical, High, Medium, Low)

Page 18: Phillip Banks P. Eng. CPP

• R = Risk to the facility of an adversary gaining access to assets (ranges from 0 to 1.0)

• PA = Probability of an adversary attack during a period of time

• PE = Probability of Preventing the Event = P(I) INTERRUPTION x P(N) NEUTRALIZATION

• C = Consequence Value

Note: If PE is the probability of preventing the event, then [1 - PE] must be the probability of the adversary being successful.

R = PA * [1 - PE] * C

* The Design and Evaluation of Physical Security Systems, Garcia, Mary Lynn, Butterworth-Heinemann, 2001

Risk = Probability x Vulnerability x Impact

Presentation notes: Design and Evaluation of Physical Security Systems – page 272
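The equation on this page, worked through in code. This is an added example, not material from the slides: the function names and the numeric scenario (PA, P(I), P(N) and C values) are constructed for illustration, and C is taken as normalised to [0, 1] so that R also stays within 0 to 1.0 as the slide states.

```python
# Added example (not from the slides): Garcia's R = PA * [1 - PE] * C with
# PE = P(I) x P(N). All numeric values below are constructed for illustration.


def protection_effectiveness(p_interrupt: float, p_neutralize: float) -> float:
    """PE = P(I) x P(N): the event is prevented only if the response both
    interrupts the adversary AND neutralizes them."""
    for p in (p_interrupt, p_neutralize):
        if not 0.0 <= p <= 1.0:
            raise ValueError("probabilities must lie in [0, 1]")
    return p_interrupt * p_neutralize


def garcia_risk(p_attack: float, p_interrupt: float,
                p_neutralize: float, consequence: float) -> float:
    """R = PA * [1 - PE] * C. With C normalised to [0, 1] (assumption),
    R lies in [0, 1] as the slide states."""
    if not 0.0 <= p_attack <= 1.0 or not 0.0 <= consequence <= 1.0:
        raise ValueError("PA and C must lie in [0, 1]")
    pe = protection_effectiveness(p_interrupt, p_neutralize)
    p_adversary_success = 1.0 - pe      # the slide's note: [1 - PE]
    return p_attack * p_adversary_success * consequence


if __name__ == "__main__":
    # Constructed scenario: attack likely in the period (PA = 0.8), detection
    # and assessment interrupt 70% of attempts, the response force neutralises
    # 60% of interrupted adversaries, consequence rated 0.9.
    baseline = garcia_risk(0.8, 0.7, 0.6, 0.9)
    # Same facility after improving the response force (P(N) 0.6 -> 0.9).
    improved = garcia_risk(0.8, 0.7, 0.9, 0.9)
    print(f"PE = {protection_effectiveness(0.7, 0.6):.2f}  R = {baseline:.4f}")
    print(f"PE = {protection_effectiveness(0.7, 0.9):.2f}  R = {improved:.4f}")
```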
Page 19: Phillip Banks P. Eng. CPP

• Vulnerabilities are always present?
• Vulnerabilities are not static
• Vulnerabilities become transparent if not treated
• Vulnerabilities are measurable

Page 20: Phillip Banks P. Eng. CPP
Page 21: Phillip Banks P. Eng. CPP

Protections

Vulnerability Parameters?

Page 22: Phillip Banks P. Eng. CPP

What is vulnerable?

Why is it vulnerable?

What makes it vulnerable?

Is the vulnerability easily exercised?

Can the vulnerability be mitigated?

Page 23: Phillip Banks P. Eng. CPP

Management and Measurement

• Identify vulnerabilities
• Establish parameters
• Identify options
• Implement options
• Measure outcome
• Remediate as required
• Monitor and report

Vulnerability Register

Page 24: Phillip Banks P. Eng. CPP

Vulnerability    Vulnerability Type    Threat Relationship    Dependency?                   Remediation
(WHAT IS IT?)    (P, P or T)
Tailgating       People                Daily Operations       Access Management Protocol    Education and Awareness, Signage, Anti-Passback

Page 25: Phillip Banks P. Eng. CPP

• Pareto Analysis
• Pair-wise Comparison
• Fault Tree Analysis
• Attack Tree Analysis
• Failure Mode & Effect Analysis
• Failure Modes, Effects & Criticality Analysis
• C.A.R.V.E.R. (modified)
• Cause & Effect (Ishikawa)
• Monte Carlo Simulation
• _____________________?

Qualitative vs Quantitative

Page 26: Phillip Banks P. Eng. CPP

Fit-for-Purpose: A protection/control measure which is formally selected and mitigates the known and reasonably foreseeable threats.

State-of-Readiness: A protection/control measure which is implemented, operated, maintained and demonstrably capable of mitigating known or reasonably foreseeable threats.

Page 27: Phillip Banks P. Eng. CPP

Fit-for-Purpose scoring rationale, by rating:

5: Protection selected based on recognized standard or leading practice. A formal performance level was identified and is still being met or exceeded.

3: Protection not specifically appropriate for the threat, operational or functional environment, or it is only nominally achieving the required level of performance.

1: Protection is inappropriate for the threat, operational or functional environment, or is not meeting a required level of performance.

State-of-Readiness scoring rationale, by rating:

5: Protection is functioning as designed and is operational in all respects. There is little or no down-time and there is no record of it being compromised.

3: Protection is primarily functioning as designed, although there is occasional down-time due to loss-of-service or periodic break-down.

1: Protection is not functioning, or it is not in a State-of-Readiness due to periodic loss-of-service or break-down.

Page 28: Phillip Banks P. Eng. CPP

Fit-for-Purpose and State-of-Readiness ratings are independent, so the overall rating is the product of the two. A protection which is both fully Fit-for-Purpose and in a complete State-of-Readiness should achieve a score of 25. If the assessor believes Fit-for-Purpose = 5 but the State-of-Readiness = 3, then the overall rating of the protection is 15, or 60% effective, and it has a vulnerability level of 40%.
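A vulnerability register entry scored with the Fit-for-Purpose x State-of-Readiness method, tying together the register process (Page 23), the register columns and Tailgating row (Page 24), the 1/3/5 rating scales (Page 27) and the worked 5 x 3 = 15 result above. This is an added example, not code from the slides; the field names are constructed, and reading “P, P or T” as People, Process or Technology is an assumption.

```python
# Added example (not from the slides): one vulnerability register entry scored
# by Fit-for-Purpose x State-of-Readiness. Field names are constructed; the
# reading of "P, P or T" as People / Process / Technology is an assumption.
from dataclasses import dataclass

VALID_RATINGS = (1, 3, 5)   # the three rating levels defined on page 27
MAX_SCORE = 5 * 5           # fully fit-for-purpose and in complete readiness


@dataclass
class RegisterEntry:
    vulnerability: str
    vuln_type: str              # "People", "Process" or "Technology" (assumed)
    threat_relationship: str
    dependency: str
    remediation: str
    fit_for_purpose: int        # rating of the protection addressing it
    state_of_readiness: int

    def protection_score(self) -> int:
        """Ratings are independent, so the overall rating is their product."""
        for r in (self.fit_for_purpose, self.state_of_readiness):
            if r not in VALID_RATINGS:
                raise ValueError(f"rating must be one of {VALID_RATINGS}, got {r}")
        return self.fit_for_purpose * self.state_of_readiness

    def effectiveness_pct(self) -> float:
        return 100.0 * self.protection_score() / MAX_SCORE

    def vulnerability_pct(self) -> float:
        """What the protection leaves uncovered: 100% minus effectiveness."""
        return 100.0 - self.effectiveness_pct()


# The page-24 row, scored with the page-28 worked numbers (FfP 5, SoR 3).
TAILGATING = RegisterEntry(
    vulnerability="Tailgating", vuln_type="People",
    threat_relationship="Daily Operations", dependency="Access Management Protocol",
    remediation="Education and Awareness, Signage, Anti-Passback",
    fit_for_purpose=5, state_of_readiness=3,
)

if __name__ == "__main__":
    e = TAILGATING
    print(f"{e.vulnerability}: score {e.protection_score()}/{MAX_SCORE}, "
          f"{e.effectiveness_pct():.0f}% effective, vulnerability {e.vulnerability_pct():.0f}%")
```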

Page 29: Phillip Banks P. Eng. CPP

1. Develop the protection design to meet the DBT (Design Basis Threat).

2. Identify appropriate elements of the design.

3. Identify how protection system will be evaluated for effectiveness over time.

Page 30: Phillip Banks P. Eng. CPP

Threat characteristics by adversary type (Insider, Criminal, Organized Crime):

Objective
  Insider: Steal assets such as tools, parts
  Criminal: Steal large quantity of valuable assets
  Organized Crime: Steal large quantities of finished product.

Motivation
  Insider: Personal gain, revenge
  Criminal: Personal gain
  Organized Crime: Large gain for criminal organization

The remaining characteristics are given for a Base and an Enhanced adversary of each type.

Planning/System Knowledge
  Insider (Base): Good depending on position
  Insider (Enhanced): Significant
  Criminal (Base): Some, opportunistic
  Criminal (Enhanced): Significant if in collusion with insider
  Organized Crime (Base): Good to high level
  Organized Crime (Enhanced): Extensive information and level of access

Weapons
  Insider (Base): None
  Insider (Enhanced): Edged weapons
  Criminal (Base): Edged weapons
  Criminal (Enhanced): Hand guns, shot guns
  Organized Crime (Base): Unlikely
  Organized Crime (Enhanced): Wide array of weapons

Tools and Equipment
  Insider (Base): Access keys or credentials
  Insider (Enhanced): Access keys, credentials & combinations
  Criminal (Base): Hand tools or readily available tools at the facility
  Criminal (Enhanced): Hand and power tools
  Organized Crime (Base): Hand tools or readily available tools at the facility
  Organized Crime (Enhanced): Access keys, credentials and combinations. Hand and power tools.

Contaminants
  N/A for all six adversary profiles

IMPACT (damage) to Asset(s)
  Insider (Base): Minimal
  Insider (Enhanced): Notable
  Criminal (Base): Notable
  Criminal (Enhanced): Significant
  Organized Crime (Base): Notable to Significant
  Organized Crime (Enhanced): Significant to Critical

Injury to Persons
  Insider (Base): No
  Insider (Enhanced): Possible but unintentional
  Criminal (Base): Possible but unintentional
  Criminal (Enhanced): Possible
  Organized Crime (Base): Possible but unintentional
  Organized Crime (Enhanced): Possible and intentional

Fatalities
  Insider (Base): No
  Insider (Enhanced): No
  Criminal (Base): No
  Criminal (Enhanced): Possible but unintentional
  Organized Crime (Base): Possible but unintentional
  Organized Crime (Enhanced): Possible and intentional

Page 31: Phillip Banks P. Eng. CPP
Page 32: Phillip Banks P. Eng. CPP

[1] The Design and Evaluation of Physical Protection Systems, Mary Lynn Garcia, Sandia National Laboratories, Albuquerque, New Mexico, Butterworth-Heinemann, 2001

Page 33: Phillip Banks P. Eng. CPP

Define the Context – Measuring What?

Identify all contributing security element(s)

Use known or reasonably foreseeable threat(s)

Step through the process and assign scores – Does it make sense?

Team approach/peer review

Page 34: Phillip Banks P. Eng. CPP

Protection      Deter  Deny  Detect  Delay  Respond  Protection Score  % Cont.  Comments
Fence             3      3     0       3       0             9            11
Bldg Const.       5      5     0       5       0            15            19
AM & IDS          1      3     5       3       3            15            19
CCTV              3      1     5       0       5            14            18
Sec Guards        5      3     3       3       5            19            24
Employees         1      0     3       0       3             7             9
Column totals    18     15    16      14      16

Actual Score = 79

Possible Score = 115

Overall Effectiveness = 69%
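The scoring sheet above recomputed from its cell values, so the row totals, % contribution, column totals and the 79 / 115 = 69% result can be checked. This is an added example, not code from the slides: the scores are the slide's own, but the rule that a 0 cell means “not applicable” and is left out of the Possible Score is an assumption, chosen because it reproduces the slide's 115 (23 applicable cells x 5). The column totals also show which security function the system is weakest on, which the slide leaves to the reader.

```python
# Added example (not from the slides): recomputing the page-34 scoring sheet.
# Scores are the slide's own. Treating a 0 cell as "not applicable" (excluded
# from the possible score) is an assumption that reproduces the slide's 115.
FUNCTIONS = ("Deter", "Deny", "Detect", "Delay", "Respond")
MAX_RATING = 5

# Protection -> score against each of the five security functions.
SCORES = {
    "Fence":       (3, 3, 0, 3, 0),
    "Bldg Const.": (5, 5, 0, 5, 0),
    "AM & IDS":    (1, 3, 5, 3, 3),
    "CCTV":        (3, 1, 5, 0, 5),
    "Sec Guards":  (5, 3, 3, 3, 5),
    "Employees":   (1, 0, 3, 0, 3),
}

def row_scores(scores: dict) -> dict:
    """Protection Score per row: sum across the five functions."""
    return {name: sum(row) for name, row in scores.items()}

def function_totals(scores: dict) -> dict:
    """Column totals: how much the whole system scores on each function."""
    return {fn: sum(row[i] for row in scores.values()) for i, fn in enumerate(FUNCTIONS)}

def actual_score(scores: dict) -> int:
    return sum(row_scores(scores).values())

def possible_score(scores: dict) -> int:
    """Max rating for every applicable (non-zero) cell; assumption, see above."""
    applicable = sum(1 for row in scores.values() for s in row if s > 0)
    return applicable * MAX_RATING

def contribution_pct(scores: dict) -> dict:
    """% Cont.: each protection's share of the actual score, rounded as on the slide."""
    total = actual_score(scores)
    return {name: round(100 * s / total) for name, s in row_scores(scores).items()}

def overall_effectiveness_pct(scores: dict) -> int:
    return round(100 * actual_score(scores) / possible_score(scores))

def weakest_function(scores: dict) -> str:
    # The function with the lowest column total is where the system is thinnest.
    totals = function_totals(scores)
    return min(totals, key=totals.get)

if __name__ == "__main__":
    print(f"Actual {actual_score(SCORES)} / Possible {possible_score(SCORES)} "
          f"= {overall_effectiveness_pct(SCORES)}% effective")
    print("weakest function:", weakest_function(SCORES), function_totals(SCORES))
```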

Page 35: Phillip Banks P. Eng. CPP
Page 36: Phillip Banks P. Eng. CPP
Page 37: Phillip Banks P. Eng. CPP

Practice risk management or become very good at crisis management. Your choice…..

Risk Management

Crisis Management?

Page 38: Phillip Banks P. Eng. CPP

Phillip Banks PE, CPP

The Banks Group Inc.

5158 – 48th Ave

Suite #387

Delta, British Columbia

Canada

V4K 5B6

604.948.0165

[email protected] www.thebanksgroup.ca

© The Banks Group Inc. - 2016

Page 39: Phillip Banks P. Eng. CPP

• Protection of Assets Manual, ASIS International
• Industry Guidelines on a Framework for Risk Related Decision Support, UKOOA, 1999
• GRiP – A flexible approach for calculating risk as a function of consequence, vulnerability and threat, R.G. Whitfield, W.A. Buehring and G.W. Bassett, Argonne National Laboratory, ANL/DIS-113, Decision and Information Services Division, January 2011
• Maturity Framework for Assuring Resiliency Under Stress, Carnegie-Mellon University, Don O’Neill, 2008
• Pareto-Optimal Situation Analysis for Selection of Security Measures, Andres Ojamaa, Enn Tyugu, Jyri Kivimaa, IEEE, 2008
• Concept of Vulnerability in Chemical Plants, Journal of Chemical & Pharmaceutical Research, 6(7); 1448-1454, Dongfen Zhao, Su Hu, Cong An, Shuang Chen, Yifei Meng, 2004
• Quantified Risk is a Weak Hypothesis, “A critical survey of results and assumptions”, Vilhelm Verendel, Chalmers University, 2009
• General Security Risk Assessment Guideline, ASIS International Guidelines Committee, 2003
• Indicators and criteria for measuring vulnerability: Theoretical Basis and Requirements, Jörn Birkmann, 2006
• Defining and assessing quantifying security risk measures using vulnerability lifecycle and CVSS metrics, Hyun Chul Joh and Yashwant K. Malaiya, Colorado State University, Fort Collins, Colorado, USA, 2011
• Risk Analysis and the Security Survey, Third Edition, James F. Broder, CPP, Butterworth-Heinemann, 2006
• AS/NZS ISO 31000:2009 Standard, Risk Management Principles and Guidelines (Superseding AS/NZS 4360:2004)
• AS/NZS HB 167:2006 Security Risk Management Standard Handbook
• The Design and Evaluation of Physical Protection Systems, Mary-Lynn Garcia, Sandia National Laboratories, 2001
• Risk Assessment and Management for Critical Asset Protection (RAM-CAP), ASME Innovative Technologies Institute LLC, Washington, DC, 2004
• Business Risk Assessment, David McNamee, The Institute of Internal Auditors, 1998
• w3.epa.gov, Defining Risk Characterization
• http://www.algebra.com/algebra/homework/Probability-and-statistics/Probability-and-statistics.faq.question.419808.html