Twelve Steps To Assessing Vulnerability
Tom Allen, vice president of security systems for Johnson Controls Inc., Controls Group, Milwaukee, manages a subsidiary focused on large design-build security projects for government agencies and the nation’s transportation infrastructure. Allen previously was vice president of Scientech Inc.’s Security Division for seven years. He outlines the following 12-step process to assess security risk.
Identify and quantify assets. Assets take the form of facilities, personnel, property and information, and it is essential to estimate their value in terms of dollars. For each type of asset identified, assign a consequence rating (not serious, serious, very serious, catastrophic), depending on the total dollar value lost.
Identify threat events and existing protective measures. Determine what events could threaten the assets, and figure out what existing baseline security measures address those events.
Evaluate the likelihood of occurrence. Events should be identified as highly probable, probable or improbable.
Identify the risk level of each threat event. Using assigned consequence ratings and likelihood ratings, determine the risk rating for each asset/threat combination.
List the threat events in descending order by risk. Prioritize the threat events that need to be addressed.
Identify measures that could mitigate threat events. This could include increased access control, new surveillance equipment or security procedures. Also identify measures that could lessen the consequences of an event (e.g., backup equipment).
Reassess the risks assuming each upgrade is implemented. This will illustrate the effectiveness of security improvements and consequence-reduction measures.
List proposed upgrades in descending order. Prioritize which measures are most important.
Gather information on the cost of the proposed upgrades. The security professional can greatly assist in this task. Take life cycle costs into account.
Perform a cost-benefit analysis. Use a simple ratio, where costs are stated in dollars and benefits are ranked on a scale of 1-5 or 1-10.
Rank the upgrades by cost-benefit level. Prioritize the upgrades according to the availability of funds.
Compare the prioritized upgrades against the available budget, and proceed with the highest-rated upgrades until the budget is exhausted. This completes the process.
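The rating, reassessment, cost-benefit and budget steps above can be carried through in a short script. This is an added example, not part of Allen's outline: the numeric scores, the product rule for risk, the scaling of benefit to 1-5, the skip-if-too-expensive funding rule and all sample threats, upgrades and costs are constructed assumptions.

```python
import math

# Ordinal scores for the article's rating labels (numeric values are assumed).
CONSEQUENCE = {"not serious": 1, "serious": 2, "very serious": 3, "catastrophic": 4}
LIKELIHOOD = {"improbable": 1, "probable": 2, "highly probable": 3}

def risk(consequence, likelihood):
    """Risk rating for one asset/threat pair (product rule is an assumption)."""
    return CONSEQUENCE[consequence] * LIKELIHOOD[likelihood]

def rank_threats(threats):
    """Threat names in descending order of risk rating."""
    return sorted(threats, key=lambda n: risk(*threats[n]), reverse=True)

def cost_benefit(threats, upgrades, scale=5):
    """Reassess risk per upgrade, rank benefit 1..scale, sort by cost per benefit point."""
    reduction = {n: risk(*threats[u["threat"]]) - risk(*u["residual"])
                 for n, u in upgrades.items()}
    best = max(1, *reduction.values())  # avoid dividing by zero if nothing helps
    rows = []
    for name, u in upgrades.items():
        benefit = max(1, math.ceil(scale * reduction[name] / best))
        rows.append((name, benefit, u["cost"] / benefit))
    return sorted(rows, key=lambda r: r[2])

def fund(rows, upgrades, budget):
    """Walk the ranked list, funding each upgrade that still fits the budget."""
    funded = []
    for name, _, _ in rows:
        if upgrades[name]["cost"] <= budget:
            funded.append(name)
            budget -= upgrades[name]["cost"]
    return funded, budget

# Constructed sample data: threat -> (consequence, likelihood) with baseline measures.
THREATS = {
    "loading dock intrusion": ("very serious", "probable"),
    "server room fire": ("catastrophic", "improbable"),
    "lobby tailgating": ("serious", "highly probable"),
}
# Constructed upgrades: residual = reassessed rating; cost = life cycle cost in dollars.
UPGRADES = {
    "dock card readers": {"threat": "loading dock intrusion", "residual": ("very serious", "improbable"), "cost": 40000},
    "backup equipment": {"threat": "server room fire", "residual": ("serious", "improbable"), "cost": 90000},
    "lobby turnstiles": {"threat": "lobby tailgating", "residual": ("serious", "improbable"), "cost": 60000},
    "dock cameras": {"threat": "loading dock intrusion", "residual": ("very serious", "improbable"), "cost": 25000},
}

if __name__ == "__main__":
    print(rank_threats(THREATS))
    ranked = cost_benefit(THREATS, UPGRADES)
    print(ranked)
    print(fund(ranked, UPGRADES, budget=130000))
```

With a ratio of dollars per benefit point, the lowest ratio ranks first, so an inexpensive upgrade with a moderate benefit can outrank a costly one with the largest risk reduction.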
For more from Johnson Controls, visit http://www.johnsoncontrols.com/