Phillip Banks P. Eng. CPP © The Banks Group Inc. - 2016
“If we don’t understand vulnerability we won’t understand risk.”
Unknown
“Risk management is a systematic response to uncertainty.”1
1CSE/RCMP Harmonized Threat and Risk Assessment Methodology, October 23rd, 2007
Risk: Is a person or situation that poses a possible threat to the security of something. The effect of uncertainty on objectives1.
Vulnerability: Is a weakness or gap in security protections, control measures or processes that can be exploited by an adversary to remove, damage or destroy an asset.
1Risk Management Principles and Guidelines, AS NZS ISO 31000:2009
Risk has three key characteristics1:
It looks ahead into the future;
There is an element of uncertainty, e.g. a condition or a situation exists that might cause a problem for the project in the future;
It is related to the outcome.
1Project Complexity and Risk Assessment Tool, Version 1.4, Treasury Board of Canada Secretariat
Risk = P x I
Risk = P x I x V
Risk = PA (1 – PI) C
Risk = P x I x M
Risk = (Probability x Impact) / Security Controls
Risk = P x E (E = Exploitability of Protection)
Adversary? Threat(s)?
Adversary Objectives?
Capabilities and Strengths?
Adversary Determination?
Knowledge, Training and Experience?
Timeline?
???????
Risk is never static
Risk can be within or outside our sphere of control
Risk is affected by both the adversary and the target
A convertible asset requires multi-stage “risk continuum” consideration
What can be done to positively affect the “risk triangle”?
Corporate “Risk Appetite”?
Probability
Quantifiable risk: Risk we can precisely measure and record with numbers: How many security controls are present? Is the control strength rated? How many attacks per day do we see? How many times did this happen in the past? How many vulnerabilities exist? etc.
Qualifiable risk: Risk we have an idea about but can't accurately measure and is thus subjective. How confident are we with the code-base? Do we think the project has had sufficient review? Do we think this control is efficient? etc.
Possibility – An event that could occur.
Probability – The likelihood of the event occurring.
A “possibility” is any event which has a “probability” of occurrence which is greater than “0”.
What probability?
A threat-event will take place?
The threat-event will be mitigated to some degree?
The adversary will be 100% successful?
Impossible? Even Chance? Certain?
• Historical Record
• Anecdotal Info
• Police Sources
• Industry Sources
• Networking
• Credible Intelligence
• Security technology inputs
• Industry Experience
• …………………….?
Probability of a six being on the upper surface of one dice………?
Probability of two sixes being on the upper surface of two dice………?
Probability of three sixes being on the upper surface of three dice…..?
A system with three components fails if one or more components fail. The probability that any given component will fail is 1/10. What is the probability that the system will fail?
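The three dice questions and the three-component system above, worked as an added example (not code from the slides): the exact answers come from independence and the complement rule, and the system-failure case is then checked with a small Monte Carlo simulation, one of the analysis methods this deck lists later.

```python
# Added example (not from the slides): the dice and component-failure questions solved
# exactly, then the system-failure case checked with a small Monte Carlo simulation.
import random
from fractions import Fraction


def p_all_sixes(n_dice):
    """Exact probability that every one of n fair, independent dice shows a six: (1/6)^n."""
    return Fraction(1, 6) ** n_dice


def p_system_fails(n_components, p_component_fails):
    """Series system: it fails if one or more independent components fail.

    Adding the individual probabilities (3 x 1/10 = 0.3) double-counts runs in which
    several components fail together; the correct route is the complement:
    P(system fails) = 1 - P(all survive) = 1 - (1 - p)^n.
    """
    p = Fraction(p_component_fails)      # accepts Fraction, int, or a string such as "1/10"
    return 1 - (1 - p) ** n_components


def simulate_system_fails(n_components, p_component_fails, trials=20_000, seed=7):
    """Monte Carlo estimate of the same quantity: draw every component, count failed runs."""
    rng = random.Random(seed)
    p = float(Fraction(p_component_fails))
    failed = sum(
        1 for _ in range(trials)
        if any(rng.random() < p for _ in range(n_components))
    )
    return failed / trials


if __name__ == "__main__":
    for n in (1, 2, 3):
        print(f"{n} dice all showing six: {p_all_sixes(n)}")      # 1/6, 1/36, 1/216
    exact = p_system_fails(3, "1/10")
    print(f"3-component system fails: {exact} = {float(exact):.3f}")   # 271/1000 = 0.271
    print(f"Monte Carlo estimate: {simulate_system_fails(3, '1/10'):.3f}")
```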
• Business Impact Analysis
• S.W.O.T Analysis
• Past Experience
• Risk Manager
• In-house counsel
• Public relations
• Employees
• Etc……….
[Probability x Impact matrix: axes Probability and Impact, each rated Low / Medium / High / Critical]
• R = Risk to the facility of an adversary gaining access to assets (ranges from 0 to 1.0)
• PA = Probability of an adversary attack during a period of time
• PE = Probability of Preventing the Event = P(I) INTERRUPTION x P(N) NEUTRALIZATION
• C = Consequence Value
Note: If PE is the probability of preventing the event then [1 - PE] must be the probability of the adversary being successful.
R = PA x [1 - PE] x C
* The Design and Evaluation of Physical Protection Systems, Garcia, Mary Lynn, Butterworth-Heinemann, 2001
Risk = Probability x Vulnerability x Impact
Vulnerabilities are always present?
Vulnerabilities are not static
Vulnerabilities become transparent if not treated
Vulnerabilities are measurable
Vulnerability Parameters?
What is vulnerable?
Why is it vulnerable?
What makes it vulnerable?
Is the vulnerability easily exercised?
Can the vulnerability be mitigated?
Management and Measurement
Identify vulnerabilities
Establish parameters
Identify options
Implement options
Measure outcome
Remediate as required
Monitor and report
Vulnerability Register
Vulnerability | Vulnerability Type (WHAT IS IT? P, P or T) | Threat Relationship | Dependency? | Remediation
Tailgating | People | Daily Operations | Access Management Protocol | Education and Awareness, Signage, Anti-Passback
Pareto Analysis
Pair-wise Comparison
Fault Tree Analysis
Attack Tree Analysis
Failure Mode & Effect Analysis
Failure Modes, Effects & Criticality Analysis
C.A.R.V.E.R (modified)
Cause & Effect (Ishikawa)
Monte Carlo Simulation
_____________________?
Qualitative vs Quantitative
Fit-for-Purpose: A protection/control measure which is formally selected and mitigates the known and reasonably foreseeable threats.
State-of-Readiness: A protection/control measure which is implemented, operated, maintained and demonstrably capable of mitigating known or reasonably foreseeable threats.
Rating | Fit-for-Purpose Scoring Rationale
5 | Protection selected based on a recognized standard or leading practice. A formal performance level was identified and is still being met or exceeded.
3 | Protection not specifically appropriate for the threat, operational or functional environment, or it is only nominally achieving the required level of performance.
1 | Protection is inappropriate for the threat, operational or functional environment, or is not meeting a required level of performance.
Rating | State-of-Readiness Scoring Rationale
5 | Protection is functioning as designed and is operational in all respects. There is little or no down-time and there is no record of it being compromised.
3 | Protection is primarily functioning as designed although there is occasional down-time due to loss-of-service or periodic break-down.
1 | Protection is not functioning or it is not in a State-of-Readiness due to periodic loss-of-service or break-down.
Fit-for-Purpose and State-of-Readiness ratings are independent, so the overall rating is the product of the two.
A protection which is both fully Fit-for-Purpose and in a complete State-of-Readiness should achieve a score of 25.
If the assessor believes Fit-for-Purpose = 5 but State-of-Readiness = 3, then the overall rating of the protection is 15, i.e. 60% effective, and it has a vulnerability level of 40%.
1. Develop the protection design to meet DBT.
2. Identify appropriate elements of the design.
3. Identify how protection system will be evaluated for effectiveness over time.
Characteristic by adversary type: Insider / Criminal / Organized Crime (each at Base and Enhanced capability)
Objective
  Insider: Steal assets such as tools, parts
  Criminal: Steal large quantity of valuable assets
  Organized Crime: Steal large quantities of finished product.
Motivation
  Insider: Personal gain, revenge
  Criminal: Personal gain
  Organized Crime: Large gain for criminal organization
Planning/System Knowledge
  Insider: Base: Good depending on position; Enhanced: Significant
  Criminal: Base: Some, opportunistic; Enhanced: Significant if in collusion with insider
  Organized Crime: Base: Good to high level; Enhanced: Extensive information and level of access
Weapons
  Insider: Base: None; Enhanced: Edged weapons
  Criminal: Base: Edged weapons; Enhanced: Hand guns, shot guns
  Organized Crime: Base: Unlikely; Enhanced: Wide array of weapons
Tools and Equipment
  Insider: Base: Access keys or credentials; Enhanced: Access keys, credentials & combinations
  Criminal: Base: Hand tools or readily available tools at the facility; Enhanced: Hand and power tools
  Organized Crime: Base: Hand tools or readily available tools at the facility; Enhanced: Access keys, credentials and combinations. Hand and power tools.
Contaminants
  N/A for all adversary types at both Base and Enhanced
IMPACT (damage) to Asset(s)
  Insider: Base: Minimal; Enhanced: Notable
  Criminal: Base: Notable; Enhanced: Significant
  Organized Crime: Base: Notable to Significant; Enhanced: Significant to Critical
Injury to Persons
  Insider: Base: No; Enhanced: Possible but unintentional
  Criminal: Base: Possible but unintentional; Enhanced: Possible
  Organized Crime: Base: Possible but unintentional; Enhanced: Possible and intentional
Fatalities
  Insider: Base: No; Enhanced: No
  Criminal: Base: No; Enhanced: Possible but unintentional
  Organized Crime: Base: Possible but unintentional; Enhanced: Possible and intentional
1The Design and Evaluation of Physical Protection Systems, Mary Lynn Garcia, Sandia National Laboratories, Albuquerque, New Mexico, Butterworth- Heinemann, 2001
Define the Context – Measuring What?
Identify all contributing security element(s)
Use known or reasonably foreseeable threat(s)
Step through the process and assign scores – Does it make sense?
Team approach/peer review
Protection     Deter  Deny  Detect  Delay  Respond  Protection Score  % Cont.  Comments
Fence            3      3     0       3       0            9            11
Bldg Const.      5      5     0       5       0           15            19
AM & IDS         1      3     5       3       3           15            19
CCTV             3      1     5       0       5           14            18
Sec Guards       5      3     3       3       5           19            24
Employees        1      0     3       0       3            7             9
Column totals   18     15    16      14      16
Actual Score = 79
Possible Score = 115
Overall Effectiveness = 69%
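The two calculations the scoring slides rely on, the Fit-for-Purpose x State-of-Readiness rating and the Deter/Deny/Detect/Delay/Respond score table, as an added Python example that is not part of the original deck. It assumes a 0 cell means the security function does not apply to that protection and is excluded from the possible score, which is the reading that reproduces the slide's Possible Score of 115 (23 applicable cells x 5).

```python
# Added example (not from the slides): the two effectiveness calculations used on the
# scoring slides. Assumption: a 0 cell means the security function does not apply to
# that protection and adds nothing to the possible score (23 applicable cells x 5 = 115).
FUNCTIONS = ("Deter", "Deny", "Detect", "Delay", "Respond")
SCALE = (1, 3, 5)          # rating scale used throughout the deck
MAX_CELL = SCALE[-1]

# Scores copied from the slide table as sample input; 0 = function not applicable.
SCORES = {
    "Fence":       (3, 3, 0, 3, 0),
    "Bldg Const.": (5, 5, 0, 5, 0),
    "AM & IDS":    (1, 3, 5, 3, 3),
    "CCTV":        (3, 1, 5, 0, 5),
    "Sec Guards":  (5, 3, 3, 3, 5),
    "Employees":   (1, 0, 3, 0, 3),
}


def protection_rating(fit_for_purpose, state_of_readiness):
    """Overall rating = Fit-for-Purpose x State-of-Readiness; returns (rating, % effective, % vulnerable)."""
    if fit_for_purpose not in SCALE or state_of_readiness not in SCALE:
        raise ValueError("Fit-for-Purpose and State-of-Readiness are each rated 1, 3 or 5")
    rating = fit_for_purpose * state_of_readiness
    effectiveness = round(100 * rating / (MAX_CELL * MAX_CELL))
    return rating, effectiveness, 100 - effectiveness


def score_protections(scores):
    """Row totals with % contribution, column totals per function, and overall effectiveness."""
    for name, row in scores.items():
        if len(row) != len(FUNCTIONS) or any(s not in (0, *SCALE) for s in row):
            raise ValueError(f"{name}: expected {len(FUNCTIONS)} scores drawn from 0/1/3/5")
    actual = sum(sum(row) for row in scores.values())
    if actual == 0:
        raise ValueError("no protection scored above 0; nothing to evaluate")
    applicable = sum(1 for row in scores.values() for s in row if s > 0)
    possible = applicable * MAX_CELL
    rows = {name: (sum(row), round(100 * sum(row) / actual)) for name, row in scores.items()}
    columns = dict(zip(FUNCTIONS, (sum(col) for col in zip(*scores.values()))))
    return {"rows": rows, "columns": columns, "actual": actual,
            "possible": possible, "effectiveness": round(100 * actual / possible)}


if __name__ == "__main__":
    print(protection_rating(5, 3))               # (15, 60, 40)
    result = score_protections(SCORES)
    for name, (total, pct) in result["rows"].items():
        print(f"{name:12s} score {total:3d}  {pct:3d}% of total")
    print(result["actual"], result["possible"], f"{result['effectiveness']}%")  # 79 115 69%
```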
Practice risk management or become very good at crisis management. Your choice…..
Risk Management
Crisis Management?
Phillip Banks PE, CPP
The Banks Group Inc.
5158 – 48th Ave
Suite #387
Delta, British Columbia
Canada
V4K 5B6
604.948.0165
[email protected] www.thebanksgroup.ca
Protection of Assets Manual, ASIS International
Industry Guidelines on a Framework for Risk Related Decision Support, UKOOA, 1999
GRiP – A flexible approach for calculating risk as a function of consequence, vulnerability and threat, R.G. Whitfield, W.A. Buehring and G.W. Bassett, Argonne National Laboratory, ANL/DIS-113, Decision and Information Services Division, January 2011
Maturity Framework for Assuring Resiliency Under Stress, Carnegie-Mellon University, Don O’Neill, 2008
Pareto-Optimal Situation Analysis for Selection of Security Measures, Andres Ojamaa, Enn Tyugu, Jyri Kivimaa, IEEE, 2008
Concept of Vulnerability in Chemical Plants, Journal of Chemical & Pharmaceutical Research, 6(7): 1448-1454, Dongfen Zhao, Su Hu, Cong An, Shuang Chen, Yifei Meng, 2004
Quantified Risk is a Weak Hypothesis: A critical survey of results and assumptions, Vilhelm Verendel, Chalmers University, 2009
General Security Risk Assessment Guideline, ASIS International Guidelines Committee, 2003
Indicators and criteria for measuring vulnerability: Theoretical Basis and Requirements, Jörn Birkmann, 2006
Defining and assessing quantifying security risk measures using vulnerability lifecycle and CVSS metrics, HyunChul Joh and Yashwant K. Malaiya, Colorado State University, Fort Collins, Colorado, USA, 2011
Risk Analysis and the Security Survey, Third Edition, James F. Broder, CPP, Butterworth-Heinemann, 2006
AS/NZS ISO 31000:2009 Standard, Risk Management Principles and Guidelines (Superseding AS/NZS 4360:2004)
AS/NZS HB 167:2006 Security Risk Management Standard Handbook
The Design and Evaluation of Physical Protection Systems, Mary-Lynn Garcia, Sandia National Laboratories, 2001
Risk Assessment and Management for Critical Asset Protection (RAM-CAP), ASME Innovative Technologies Institute LLC, Washington, DC, 2004
Business Risk Assessment, David McNamee, The Institute of Internal Auditors, 1998
w3.epa.gov, Defining Risk Characterization
http://www.algebra.com/algebra/homework/Probability-and-statistics/Probability-and-statistics.faq.question.419808.html