The Essentials of a Physical Security Systems Risk Assessment
Created by the Security Executive Council
WHAT ARE YOUR SECURITY GOALS?
Before you begin an assessment of your security systems, you need to know your security goals. All your security activities should support these goals. If you don't have a clear understanding of your goals, you will not be able to implement a cost-effective system that meets your needs.
A clear statement of your security goals is usually built on answers to questions like the following:
ASSESSING THE NEEDS OF YOUR BUSINESS
Physical security must make sense within the context of your business operations. To build a security system that works for any business, the needs of that business must first be assessed.
At the core of this assessment are the following operational issues:
We recommend a security assessment as the first step in assessing the needs of your business. This helps you arrive at an overall assessment of the security issues relating to your business operations—your people, information, property, product, and the corporation's reputation.
In order to use a security assessment properly, you first need to understand three fundamental elements of security: probability, criticality, and vulnerability. The next section describes how an effective security assessment is based on these three concepts.
ELEMENTS OF SECURITY
An effective security assessment applies an understanding of the fundamental elements of security to a particular location or area within the business. As you look at each area, you must consider the following questions:
Answers to these questions help you to arrive at an assessment of the level of security risk associated with a particular area of your business.
ELEMENT 1: PROBABILITY
Probability is the likelihood that a security incident will occur, independent of any effort you may make to avoid the incident. Probability is affected by factors such as your location and environment, your product, the personnel at your site, and other factors that are essentially beyond your control.
For example, if your facility is in a high-density area of a large city, the probability of parking lot incidents and vandalism is much greater than if your facility is in a small rural town. Or, if you use a proprietary process or have proprietary information that has a high market value, you are more likely to have theft attempts than if you don't use such a process or possess such information.
As you perform a security assessment, keep in mind that each area of your business must be evaluated in terms of the probability that security incidents will occur there. As you assess each area of your business, make a list of the most frequent incidents that have occurred in your building, at your location, and in the surrounding area or neighborhood.
ELEMENT 2: CRITICALITY
The criticality of a security incident is the degree to which it affects your ability to do business. An incident with high criticality is one that:
As you assess each area of your business, make a list of the security incidents that could have a high degree of criticality.
ELEMENT 3: VULNERABILITY
Vulnerability is a measure of your ability to prevent a security incident. Your current security system and procedures represent the active steps you've taken to decrease your vulnerability.
Vulnerability is a dynamic concept. It changes whenever your environment, operations, personnel, business and/or systems change. Each time a substantive security-related change occurs in an area of your business, you need to reconsider your vulnerability in that area.
As you assess your business, keep track of the things that make it easier to reduce the likelihood that an incident will occur, as well as the ones that make it more difficult.
COMBINING THE THREE ELEMENTS OF SECURITY TO ARRIVE AT AN ASSESSMENT OF RISK
The most cost-effective security systems consider all three elements of security simultaneously to arrive at an assessment of the risk associated with a particular area.
You can gauge the overall security risk for an area by determining the degree to which the area has high values for probability, criticality, and vulnerability.
It makes most sense to concentrate your resources on areas that have the greatest degree of security risk. Highest priority should be given to those areas that have high values for probability, criticality, and vulnerability.
When the values for a particular area add up to an unacceptable level of risk, it is vital that you lower one or more of them by implementing security measures. On the other hand, areas that have a uniform set of low values should not be using security resources that could be better spent in other areas of your business.
For more information on this topic see Risk-Based Security: Risk Assessment
Copyright Security Executive Council. Last Updated: July 17, 2018