30/6/2010
By Hugh Jones
Introduction
This article is based on two case studies. The first explores the methodology used to survey an organization with a number of facilities spread across a wide geographical area. The second demonstrates the use of Failure Mode Effects Criticality Analysis (FMECA) and Fault Tree/Event Tree Analysis in security-related incidents.
We examine core elements of the risk survey process (SRA), Survey Methodology, factors influencing risk, survey process and system design. The paper emphasises that an SRA requires detailed examination.
An effective SRA must take a holistic view of the organisation and its operations, be multi-disciplinary and include:
• Senior Management, Financial and Administrative resources
• The organisation’s culture, subcultures
• External influences.
Case Studies
The Niger Delta is a hostile environment. Attacks include:
• Armed assault, kidnapping and extortion;
• Major incidences of theft, sabotage, murder and piracy;
• Attacks on pipelines and convoys.
Militant activity occurs daily from numerous militant groups. The most prominent is the Movement for the Emancipation of the Niger Delta.
Case Study 1
The organisation is involved in the oil industry. Personnel include expatriates and Nigerians, each having distinct cultural foundations. The employee base has direct implications for risk perception and management. The organisation has 18 operational sites in six states with different risk profiles.
Case Study 2
This study uses two incidents to explore the application of engineering principles of FMECA and Fault/Event Tree analysis in the SRA process. The site includes the Expatriate camp, hospital, and a landing strip, using security personnel from the Nigerian Police and Joint Task Force (JTF). The complex has an extensive security infrastructure which includes perimeter protection, CCTV, access control and lighting. Ownership of these components is divided between Security, Information Technology and Human Resources.
What is Risk?
Risks originate from natural and man-made hazards. Security counter-measures are designed to protect assets, including people, from malevolent threats, although there will always be a residual risk factor. Risks must be managed at different levels and kept ‘As Low as Reasonably Possible’ (ALARP). Garcia cites five methods of managing risk: Avoiding; Reducing; Spreading; Transferring; and Accepting.
Types of Risk
There are two primary risks:
• Speculative Risk - (loss/gain)
• Pure risk – (no gain).
Risk Perception
Risk perception is fundamental in an SRA. No two people or organisations perceive a risk or set of circumstances in the same way, or as having the same consequence or probability. The influences include: Political; Environmental; Sociological; and Technological.
For an SRA to be valid the risk analyst must always analyse it from a neutral perspective. SRAs must include those people who will develop a holistic, multi-disciplined evaluation of asset risk profiles, probability of risk exposure, criticality, vulnerability, and mitigation priority.
Survey Methodology
There are two approaches in the methodology: an ‘outside – in’ approach, and an ‘inside – out’ approach.
Risk assessments should answer three questions:
• What can go wrong?
• What is the likelihood it will go wrong?
• What are the consequences?
These questions help:
• Identify risk;
• Its probability;
• Its consequences.
Four other asset elements must be considered: Identification of the Loss Event Probability (LEF); Loss Event Profile (LEP); Loss Event Criticality (LEC); and Asset Vulnerability (VA).
The implications of risk consequence must assess financial implications and how to manage the consequences.
This paper describes how to build an analytical security analysis based on: in-depth analysis, risks, and vulnerabilities.
This methodology has six stages and creates accurate, practical reports used to mitigate risk cost-effectively and implement counter-measures in diverse locations and conditions.
Planning
When planning an SRA consider:
• The lead analyst must be experienced in Risk Analysis with appropriate education and training;
• Members of the survey team must understand the facility and its operations;
• The plan must identify the areas to be covered;
• The team must use a checklist for the analysis, otherwise it may not assess all influences in the risk profile.
Obtaining
The team must get a written mandate and necessary authority from senior management to investigate the security risks for the scope of the SRA. All employees should be informed so that the team’s credibility can’t be disputed.
Data used in defining the LEP, LEF and LEC must be accumulated. Data may be drawn from historical events, media reports, and interviews.
Analysing
Data analysis is fundamental to the SRA, allowing the LEP of assets to be determined along with the LEF, LEC, and VA, with assets ranked according to their LEF and LEC.
The American Society for Industrial Security (ASIS) suggests that the LEF be ranked from ‘A’ – Virtually Certain, to ‘E’ – Probability Unknown.
The LEC rankings are ‘1’ (Fatal to the Enterprise) to ‘5’ (Seriousness unknown).
If an asset provides an LEF of ‘E’ or an LEC of ‘5’ it should be seen as temporary, in the absence of more accurate data.
The cost implications of LEF are determined when the data is analysed, and ASIS identifies three forms: Real Costs (including permanent, replacement and lost income costs); Direct Costs (money and information); and Indirect Costs (reputation and staff morale).
Once the LEF and LEC are completed a Vulnerability Assessment (VA) should be conducted for each asset. The sum of the VAs will determine a global VA.
The principles of Risk Engineering may be applied during this analysis so the SRA team has the tools to investigate and evaluate risk and assess vulnerability.
Fault Tree and Event Tree analysis in LEP, LEF and LEC analysis
Background
An expatriate buys a car and employs a local driver. Following corporate policy he tells the Human Resources department he has employed the person and provided an access card. Some time later the driver’s employment is terminated. HR and IT are not informed. The access card is not returned. The driver has access to the facility and is known to the police. He returns and steals his former employer’s car.
Fault Tree/Event Tree analysis of Incident
In analyzing these events it was possible to develop a detailed LEP, LEF, and LEC analysis.
The Fault Tree defined the direction for investigation and helped develop a risk mitigation strategy including operational policies and procedures to defend assets and establish the Risk/Criticality of these.
An Event Tree analysis, evolved from the Fault Tree analysis, identified other assets at risk.
The causal influences of physical security, corporate policy and procedures, and fragmented ownership of security systems components contributed to the loss. Through the Fault/Event Tree analysis it was possible to change policies and procedures in three operational divisions. This had a direct effect on asset and facility security.
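The incident above, worked as a small fault tree (an added example, not the author's own analysis). The gate layout and event names are assumptions drawn from the narrative: the card is kept, it stays active because the termination is not reported or the HR-to-IT handoff is missing, and entry goes unchallenged. The code derives the minimal cut sets and the events common to all of them, which are the points where a single control blocks every path to the loss.

```python
from itertools import product

# Constructed fault tree for the stolen-car incident. The gate layout and the
# event names are assumptions based on the narrative, not the author's tree.
TREE = {
    "vehicle_stolen_by_former_driver":
        ("AND", ["driver_enters_site", "entry_not_challenged"]),
    "driver_enters_site":
        ("AND", ["card_not_returned", "card_still_active"]),
    "card_still_active":
        ("OR", ["termination_not_reported_to_hr", "hr_to_it_handoff_missing"]),
}
TOP = "vehicle_stolen_by_former_driver"


def cut_sets(node, tree=TREE):
    """Return all cut sets (frozensets of basic events) that cause `node`."""
    if node not in tree:                      # leaf: a basic event
        return {frozenset([node])}
    gate, children = tree[node]
    child_sets = [cut_sets(child, tree) for child in children]
    if gate == "OR":                          # any one child is sufficient
        return set().union(*child_sets)
    # AND: one cut set from every child must occur together
    return {frozenset().union(*combo) for combo in product(*child_sets)}


def minimal_cut_sets(node=TOP, tree=TREE):
    """Drop any cut set that strictly contains another (absorption)."""
    sets = cut_sets(node, tree)
    return {s for s in sets if not any(other < s for other in sets)}


def common_events(node=TOP, tree=TREE):
    """Basic events in every minimal cut set: removing one blocks all paths."""
    return frozenset.intersection(*minimal_cut_sets(node, tree))


if __name__ == "__main__":
    for cut in sorted(minimal_cut_sets(), key=sorted):
        print("cut set:", sorted(cut))
    print("single control blocks every path at:", sorted(common_events()))
```

Events that appear in only one cut set, such as the HR-to-IT handoff, still need a control, but fixing one of them alone leaves the other path to the top event open.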
Devise
Once the data analysis is completed and the asset profiles are identified and allocated using the risk matrix, the SRA must design counter-measures to mitigate the risks. These include: Physical security systems; Policies, procedures and processes; or a combination of the two.
Implement
Implementation of the SRA is vital and all staff must be told why and when the system is being implemented. Poor communication creates resistance and undermines acceptance of systems.
A project manager should manage the process and its costs. The system design must be comprehensive so that few, if any, changes are made.
Evaluate
The evaluation phase must: address the vulnerability and reduce the risks; be cost effective; and deliver a return on investment (RoI).
The system design should be standardised using equipment from a single supplier, apply leverage principles (meet multiple needs) and fulfil the protection criteria. The stage is constant because risks are dynamic.
Case Study Two
The electrical power supply is unreliable and power generators are widely used. The residential complex has a security system that includes CCTV, Access Control, Perimeter Alarms, and Lighting. However, power failures and spikes mean system components consistently need to be repaired or replaced. CCTV and lighting components are most vulnerable. The unreliable power supply created further security vulnerabilities.
Based on cost calculations and reduced risks, an alternative power supply was justified to reduce operational and risk costs.
Factors
There are three primary areas of security: Personnel; Information; Physical.
Each aspect was analysed and the scope and mandate of the SRA was determined alongside additional security measures.
Personnel Security
People are an organisation’s most precious asset but may be its greatest risk. Steps such as pre-employment screening, re-screening for promotion, lifestyle analysis, and checks for a record of substance abuse or violent behaviour should form part of the pre-employment analysis.
Information Security
Information security is wider than the computer infrastructure. People are a threat to information security. When managing information security, physical and network security work together to define security of proprietary information.
Physical Security
Physical security includes electronic systems, staff screening, company policies and procedures, physical barriers, proper lighting and basic asset protection.
Influence on Risk
Risks originate inside and outside the organisation and are: Political; Environmental; Sociological; and Technological.
In Case Study 1 an Environmental Impact Analysis was commissioned and identified various risks. However, it failed to consider the political and sociological implications of implementing the plan. A road had to be built to get drilling equipment, mobile housing and power generators to the extraction site. Its route traversed a sacred forest and during construction, crews met resistance from residents. The road had to be rerouted, delaying drilling.
At another site, exploration using a floating drilling platform was planned. The organisation secured the site by deploying members of the police and JTF. This created disharmony and conflict between the organisation and local communities. Moreover, traditional fishing grounds were disturbed so communities demanded compensation amid threats of sabotage. The communities also feared they’d be caught in crossfire between militant groups and the army.
Areas to be addressed during Risk Analysis
Once a comprehensive survey is done, mitigation strategies must be designed and implemented. These include:
• Physical security - Fire Processes, Policies, Procedures; Communications and Information;
• Contingency/continuity planning;
• Journey management (with identification of safe havens, attack response, rules of engagement, communications);
• Logistical support and Supply Chain management.
What is a Security system?
Blanchard and Fabrycky (1998) define a system as ‘…A collection of interacting components, …integrated and organised to react to an input and produce a predictable output.’ Rogers (2006: 67) states that ‘…A complex system is defined as a diverse system of sub-systems working together towards a common goal.’ Thus the design must be practical, realistic and cost effective. It should also be layered using a single technology to address multiple risks.
Security system design
A security system design must be practical and cost effective, multi-layered and integrated, and meet operational requirements. A complex system may be too difficult to implement and manage and not meet organisational requirements. Security systems are often over-designed and not used because of their complexity.
Systems must be integrated and easily managed. A security system protects information, equipment and people, and the integration and convergence of systems provides layered security, enabling management to control costs and efficiency.
Good security systems deter, delay, detect and deploy response personnel.
Conclusion
This paper summarises the SRA process, methodology, factors influencing the organisation, risk analysis, and design. The security function is not an orphan inside an organised community but rather a component of the organisational family, providing development, sustainability and achievement of pre-defined goals.
References and suggested reading
ASIS, (2004), Security Vulnerability, ASIS Protection of Assets Manual Volume 1, Chapter 2 Part 1. Accessed at http://www.asisonline.org. p 2-1-1 – 2-1-B1.
ASIS, (2004), Crime Prevention Through Environmental Design, ASIS Protection of Assets Manual Volume 3, Chapter 19 Part 8. Accessed at http://www.asisonline.org. p 2-1-1 – 2-1-B1.
Douglas, M. (1982), Essays in the Sociology of Perception, London: Routledge and Kegan Paul.
Farrell, G. and Pease, K. (2006), Criminology and Security in M. Gill (Ed), The Handbook of Security, Hampshire: Palgrave MacMillan p 509 – 531.
Fennelly, L. (2004), Handbook of Loss Prevention and Crime Prevention 4th ed. New York: Butterworth-Heinemann.
Fischer, R., Halibozek, E. and Green, G. (2008), Risk Analysis, Security Surveys, and Insurance, Introduction to Security 8th ed. New York: Butterworth-Heinemann p147 – 172.
Frosdick, S. (1997), The techniques of risk analysis are insufficient in themselves, Disaster Prevention and Management Vol.6 Number 3 p 165-177, University of Leicester supplied reading: MSc Security and Risk Management Module 3 unit 4.
Garcia, M. (2006), Risk Management in M Gill (Ed), The Handbook of Security, Hampshire: Palgrave MacMillan p 509 – 531.
Garcia, M. (2008), The Design and evaluation of Physical Protection Systems 2nd ed. New York: Butterworth-Heinemann.
Mars, G. (1982), Cheats at Work: An Anthropology of Workplace Crime, London: George Allen and Unwin Publishers.
Morgan, G. (2006), Images of Organisation. London: Sage Publications.
Mullins, L. (2007), Organisation Structure and Design, Management and Organisational Behaviour 8th Edition. Essex: Pearson Education Limited.
Papura, P. (2008), Security and Loss Prevention 5th ed., Burlington: Butterworth-Heinemann.
Pidgeon, N. (1992), The Psychology of Risk in D. I. Blockley (ed.), Engineering Safety, Maidenhead: McGraw Hill.
Rogers, B. (2006), Engineering Principles for Security Managers
Schneider, R. (2006), Contributions of Environmental Studies to Security in M. Gill (ed), The Handbook of Security, Hampshire: Palgrave MacMillan 90 - 115.
Sennewald, C. (2003), Effective Security Management 4th ed. Burlington: Elsevier.
Toft, B. and Reynolds, S. (2005), The Management of Risk, learning from disasters, 3rd Ed. Hampshire: Palgrave MacMillan.
US Department of State, (2000), Voluntary Principles on Security and Human Rights, the Bureau of Democracy, Human Rights, and Labour, U.S. Department of State, December, 2000.
Whitman, M. and Mattord, J. (2008), Information Security 2nd ed. Canada: Course Technology, Cengage Learning.

Hugh Jones provides two case studies and offers a detailed review of managing risk in the hostile environment of the Niger Delta