Security Risk Assessment-The Methodology

INTRODUCTION

Security Audit and Risk Assessment is one of the methods of the risk management process with regard to the security aspect of a business, an enterprise and its installations. It is a systematic process of security auditing and assessment which comprises several steps followed by security professionals, with the objectives of assessing the threats to any facility, area or business, the level of vulnerability based on the existing security measures, and the impact of security incidents, and lastly proposing recommendations on mitigation actions and the necessary security countermeasures. Security Audit and Risk Assessment should be carried out on a continuous and periodic basis, as the threats to a facility or business may change over time. Moreover, the infrastructure and security system of an installation or facility may also change over time, which will affect the current risk level at the site[i]. For example, a change in the access control system of a facility from manual recording through a punch card system to a biometric system will definitely give rise to threats of high-tech fraud such as database intrusion, digital tampering and others.

PHYSICAL SECURITY MEASURES-BUILDING SECURITY SYSTEM 

Before a security professional carries out a Security Audit and Risk Assessment, apart from risk assessment skills, a considerable understanding of the current concept of "Building Security System" needs to be grasped. This is important because the security professional needs to deliver good, practical and up-to-date findings and recommendations to the interested parties, such as management, toward the end of the process. Gone are the days when security professionals could give out vague, generalized findings, which result in the recommendations being rejected by management.[ii]

A Building Security System[iii] is a system which integrates three aspects of security: access control requirements such as a pass card system and the use of air gates; surveillance system requirements such as CCTV; and visitor management requirements.

SECURITY RISK-THE COMPONENTS AND MEASUREMENT

Security Risk Assessment is prepared and conducted in accordance with an internationally accepted risk assessment process. It is a basis for management to take preventive measures. Security risk is the product of three components: Threat, Vulnerability and Impact. The calculation formula of security risk is as below:

Security Risk = Threat x Vulnerability x Impact

Threat is one of the components of security risk; it is defined as a source of possible danger or harm, which includes a situation with the potential to cause commercial loss[iv]. For the security risk assessment process, it refers only to security threats, not to other forms of threats such as natural disasters or global economic downturns, which are not related to security incidents. The probability of an incident occurring for each threat scenario is assessed on the following numerical scale:

3 – High

2 – Medium

1 – Low

The assessment should compare current risk and the effect of proposed security measures to reduce the risk probability.

Vulnerability means the susceptibility of the target to the potential threat. In terms of measurement, vulnerability is assessed as follows:

4 = No existing security measures or existing security measures are not effective (e.g. unrestricted access to target, target not monitored, personnel untrained, target easily damaged), or it is not feasible to provide security measures due to resource constraints, location, expense of protective measures exceed value of target.

3 = Minimal security measures (e.g. restricted areas not clearly identified, inadequate access control procedures, sporadic monitoring, no formal security training program, target susceptible to damage), or resource constraints permit limited short-term protection only.

2 = Satisfactory security measures (e.g. restricted areas clearly identified and access is controlled; formal security training program; adequate monitoring and threat awareness; target not easily damaged); or resource constraints allow only partial protection.

1 = Fully effective security measures (e.g. all of "2" and in addition, capable of promptly scaling to higher security level as needed; target difficult to damage or has sufficient redundancy to prevent disruption if certain functions are damaged); or would not benefit from the provision of additional security measures.

Lastly, impact shows the magnitude of the consequence of each potential incident on the potential target and the port should it occur, and the numerical value attached to it is as below:

5 = Detrimental to security and safety (likely to cause loss of life, serious injuries and/or create widespread danger to public health and safety).

4 = Detrimental to public safety and/or national prestige (likely to cause significant environmental damage and/or localized harm to public health and safety).

3 = Detrimental to the environment and/or economic function of the port (likely to cause sustained port-wide disruption and/or significant economic loss and/or damage to national prestige).

2 = Detrimental to assets, infrastructure, utility and cargo security (likely to cause limited disruption to an individual asset, infrastructure or organization).

1 = Detrimental to customer/port community confidence.

ACTION PRIORITY

In carrying out the risk assessment process, the security professionals will be required to be on scene in order to appreciate the surrounding environment, to interview key personnel, and to observe how the security measures are implemented at the site.

Once the ground survey has been conducted and the calculations derived, an action priority based on the findings can be formulated, and the action priority scale can be termed as below:

Mitigate (M) – means that mitigation strategies should be developed to reduce risk for that target/scenario combination. A security plan should contain the scenario evaluated, the result of the evaluation and the mitigation measures.

Consider (C) – means that the target/scenario combination should be considered and mitigation strategies should be developed on a case-by-case basis.

Document (D) – means that the target/scenario combination does not need mitigation measures at this time and therefore need only be documented.
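As an added example (not part of this article), the scoring above can be carried through as a small calculator: it validates each component against the article's scales, computes Threat x Vulnerability x Impact, and re-scores the same target/scenario with the vulnerability expected after proposed measures, since the assessment is meant to compare current risk with the effect of the proposed measures. The numeric cut-offs for Mitigate/Consider/Document and the sample scenario values are assumptions, as the article gives none.

```python
from dataclasses import dataclass

# Numerical scales as defined in the article (value -> meaning).
THREAT_SCALE = {1: "Low", 2: "Medium", 3: "High"}
VULNERABILITY_SCALE = {1: "Fully effective measures", 2: "Satisfactory measures",
                       3: "Minimal measures", 4: "No effective measures"}
IMPACT_SCALE = {1: "Community confidence", 2: "Assets/infrastructure", 3: "Environment/economy",
                4: "Public safety/national prestige", 5: "Security and safety (loss of life)"}
# ASSUMPTION: the article gives no numeric cut-offs for M/C/D; these illustrative
# values on the 1..60 product would be set by the assessing organisation.
MITIGATE_AT = 24
CONSIDER_AT = 8

@dataclass
class Scenario:
    target: str
    scenario: str
    threat: int
    vulnerability: int
    impact: int

    def risk(self) -> int:
        """Security Risk = Threat x Vulnerability x Impact, after range checks."""
        if self.threat not in THREAT_SCALE:
            raise ValueError(f"threat must be 1-3, got {self.threat}")
        if self.vulnerability not in VULNERABILITY_SCALE:
            raise ValueError(f"vulnerability must be 1-4, got {self.vulnerability}")
        if self.impact not in IMPACT_SCALE:
            raise ValueError(f"impact must be 1-5, got {self.impact}")
        return self.threat * self.vulnerability * self.impact

def action_priority(risk: int) -> str:
    """Map a risk score to Mitigate (M), Consider (C) or Document (D)."""
    if risk >= MITIGATE_AT:
        return "M"
    if risk >= CONSIDER_AT:
        return "C"
    return "D"

def compare(current: Scenario, proposed_vulnerability: int) -> dict:
    """Re-score the same target/scenario with the vulnerability expected once the
    proposed measures are in place, giving current and residual risk side by side."""
    after = Scenario(current.target, current.scenario, current.threat,
                     proposed_vulnerability, current.impact)
    return {"current": current.risk(), "current_priority": action_priority(current.risk()),
            "residual": after.risk(), "residual_priority": action_priority(after.risk())}

# Constructed sample: a facility still on punch-card access recording (vulnerability 3).
SAMPLE = Scenario("Main gate", "Unauthorised entry", threat=2, vulnerability=3, impact=4)
```

The residual score is what the assessor tables beside the current one; with the assumed cut-offs, moving the sample from vulnerability 3 to 2 drops it from Mitigate to Consider.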

Apart from the above, the necessary security countermeasures and recommendations will be tabled to management for the purpose of strengthening the security measures in place, as well as protecting the lives of staff and the assets of the business from imminent security risks at the site.

CONCLUSION

To conclude, many people tend to be negative about security risk assessment, as they are of the opinion that security measures are tantamount to additional company money that needs to be spent. It should be noted, however, that most security incidents will create a catastrophic impact, and that through effective security audit and risk assessment the tendency of management to overdo the protection of their business interests will be minimized.


PAK WAN