Quantitative and qualitative risk analysis

Residential Estate Security Handbook 2016 - Vol 1 Residential Estate (Industry), Security Services & Risk Management

In order to recognise the value and purpose of a security risk analysis it is necessary to place it within the context of the wider discipline of security risk management, which in turn can be broadly be defined as the management of security threats by analysing risks, assessing the effectiveness of existing risk controls, determining the consequences of such risks and developing appropriate countermeasures for those risks.

Aaron Schnehage.
Aaron Schnehage.

It is therefore clear that in order to succeed in managing security risks one needs to identify such risks by means of an appropriate risk analysis methodology. Failure to do so would almost certainly result in ill-conceived countermeasures for vaguely defined risks ultimately constituting the foundation of a condemned security programme.

Still, many security practitioners consider the use of a generic checklist as the core of risk analysis without giving much thought to the four basic elements of any respectable risk analysis methodology, which is the consideration of threat/risk, probability, vulnerability and consequence. Checklists invariably focus on vulnerabilities, but more often than not miss those vulnerabilities which are not contained within that checklist and in doing so, itself becomes a vulnerability. Use a checklist to facilitate the administration of the assessment, but it may not be prescriptive and inflexible to the task at hand.

Combating contemporary security risks relies greatly upon the development of a security programme underscored by the application of a risk analysis methodology that is focused upon the examination of empirical data from which informed decisions can be made, rather than mere assumptions drawn from inferior checklists. As the function of risk analysis has become a specialised skill utilising a variety of tools such as formulae, quantitative and qualitative analysis, the facility or security manager should ensure the risk analysis being conducted should consist of the following steps:

• Asset characterisation: Categorise the facility or organisation’s assets. Is it people, machinery, immovable property etc.

• Risk or threat identification: Analyse the risks and threats there are against the facilities assets. For example, is the facility appealing to petty criminals and economic criminal alike and what risks do these threat actors pose?

• Consequence analysis: Analyse how essential such assets are to the facilities operations and what the consequences may be should a harmful event occur and those assets are somehow compromised.

• Vulnerability analysis: Develop scenarios of all possible harmful events that may occur at the facility. For example, would armed men be able to overpower the security guard at the entrance. And then consider the consequence or consequences thereof.

• Probability assessment: Understand how probable a threat or risk is likely to occur by the use of historical data such as crime stats. Here a basic risk formula can be applied to estimate probability: Risk = Probability x Vulnerability x Consequence.

• Risk estimation: Demonstrate the risk in the form of calculations by using spreadsheets and developing templates. For example, apportion a value ranging from 1 to 5, with five being the most severe, of the criticality of a particular risk such as the theft of records of the accounting system of an organisation.

• Risk prioritisation: Limited budgets almost always dictate, therefore the most important risks must be mitigated first and the least, last.

• Risk management: Research, budget and provide recommendations for countermeasures to mitigate the risks.

By following these steps the analyst shall be applying two critical skills in conducting assessments; quantitative and qualitative analysis. And these in fact, represent the two main schools of risk analysis reporting. Quite simply put, quantitative analysis concerns the interpretation of numbers from data and estimates, such as in the case of allocating a value from 1 to 5 in estimating the criticality of a particular risk as discussed above.

Various matrices could be developed to express certain aspects in numbers. For example, by developing a Vulnerability Matrix using a spreadsheet, one could numerically estimate the vulnerability of a facility by considering the level of difficulty in accessing the facility, what physical security measures are currently in place, what electronic measures are used and so forth. The same rings true for developing a Consequence Matrix in response to the Consequence Analysis step listed above.

Qualitative analysis, on the other hand, represents the interpretation of interviews and descriptions of characteristics, features or values of the subject under consideration. It relies heavily on the skill of the analyst’s research, analysis and interpretation of data collected since conclusions and recommendations are drawn from this.

Considering the specialisation of risk analysis it is posited that the application of both methods will produce a much more thorough result. Similarly, the quality of the analysis will rely heavily of the analyst’s ability to be critical during the assessment and to avoid prejudices and pre-conceived ideas of what the analysis will entail.

What used to be a clipboard approach with a long checklist has evolved into what may seem to be an overwhelming and convoluted process. On the contrary, a methodical, well researched and critical analysis will mitigate and hopefully prevent a harmful event from taking place. The security management environment changes rapidly and is locked in a constant campaign to appropriately respond to the ingenuities of criminals who always seem to be one step ahead. Failing to develop a compelling response founded upon a scientifically based risk analysis, is surely an exercise in futility.

Moreover, a well-developed risk analysis is the cornerstone of any security plan from which countermeasures are advanced and standard operating procedures are formulated to support such countermeasures. Poor identification and treatment of risks will inevitably lead to the misallocation of budget on risk measures that are inappropriate and ineffectual.

The international security association, the American Society for Industrial Security, better known as ASIS, has developed several standards and guidelines for best practice in risk analysis and several books by ASIS members have been written on the subject. These resources provide a wealth of information on the subject and address the whole spectrum of risk analysis from Department of Homeland Security approved methodologies right down to small facilities and organisations. It is therefore possible and quite frankly incumbent on the responsible facility manager or security practitioner to become aware and avail them of the importance of risk analysis to any security programme.

References

1. Risk Analysis and the Security Survey: 4th Edition (James F. Broder; Eugene Tucker);

2. Risk Assessment (ASIS Commission on Standards and Guidelines);

3. General Security Risk Assessment Guideline (ASIS International Guidelines Commission).

For more information contact Aaron Schnehage, Definitive Risk Services, +27 (0)11 476 1895, www.definitive.co.za





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

SMARTpod talks to The Risk Management Forum
SMART Security Solutions Editor's Choice News & Events Security Services & Risk Management Videos Training & Education
SMART Security Solutions recently released its first SMARTpod podcast, discussing the upcoming Risk Management Forum Conference 2024, which will be held on 26 September 2024 at the Indaba Conference Centre in Fourways, Johannesburg.

Read more...
There is a SaaS for everything, but at what cost, especially to SMEs?
Editor's Choice Information Security Security Services & Risk Management
Relying on SaaS platforms presents significant cybersecurity risks as the number of providers in your landscape increases, expanding your attack surface. It is important to assess the strength of the SaaS providers in your chain.

Read more...
Innovation and security go hand in hand
Technews Publishing Facilities & Building Management Security Services & Risk Management
In a world where the demand for tech innovation is matched only by the acceleration of cybersecurity threats, businesses face the challenge of balancing new product development and robust security measures.

Read more...
Bomb threat landscape in South Africa
Editor's Choice Security Services & Risk Management
Over the past 25 years, South Africa has faced thousands of bomb threats and explosive incidents annually, imposing a significant economic burden on the nation, costing billions of rand.

Read more...
Integrations to protect what matters most
Residential Estate (Industry)
From Command Centre’s single platform, you can see everything happening across your network, physical and virtual servers, endpoints, and applications. With powerful analytics and reporting, you can quickly identify threats and trends before they become serious problems.

Read more...
Intrusion detection for wide areas
OPTEX Perimeter Security, Alarms & Intruder Detection Residential Estate (Industry)
Securing wide outdoor areas presents several challenges that differ significantly from those faced in smaller, more confined environments. The key to safeguarding these spaces is dependent on choosing the right intrusion detection technology.

Read more...
Natural catastrophes and fire risks top concerns
Security Services & Risk Management Asset Management Residential Estate (Industry)
Natural disasters are the highest risk in the real estate industry, followed by fire and explosions, and then business interruption. Estates must prioritise risk management and take proactive measures to safeguard their assets, employees, and reputation.

Read more...
Navigating the evolving tech landscape in 2024 and beyond
Residential Estate (Industry) Infrastructure
Progress in the fields of AI, VR and social media is to be expected, but what is not, is our fundamental relationship with how we deploy solutions in our business and how it integrates with greater organisational strategies and goals.

Read more...
New ransomware using BitLocker to encrypt data
Technews Publishing Information Security Residential Estate (Industry)
Kaspersky has identified ransomware attacks using Microsoft’s BitLocker to attempt encryption of corporate files. It can detect specific Windows versions and enable BitLocker according to those versions.

Read more...
Bespoke access for prime office space
Paxton Access Control & Identity Management Residential Estate (Industry)
Nicol Corner is home to a six-star fitness club, prime office space, and an award-winning rooftop restaurant. It is also the first building in South Africa to have its glass façade fully incorporate fritted glazing, saving 35% on energy consumption.

Read more...