
Downloaded by Panjan Navaratnam on 14 Feb 2007. For internal use within SAI Group only. See conditions of use for details.

HB 167:2006

Handbook

Security risk management



First published as HB 167:2006.

COPYRIGHT
© Standards Australia/Standards New Zealand
All rights are reserved. No part of this work may be reproduced or copied in any form or by
any means, electronic or mechanical, including photocopying, without the written
permission of the publisher.
Jointly published by Standards Australia, GPO Box 476, Sydney, NSW 2001 and Standards
New Zealand, Private Bag 2439, Wellington 6020
ISBN 0 7337 7899 2

Preface
This Handbook was prepared by the following authors for Standards Australia Committee OB-007, Risk Management.
Dr Carl Gibson, La Trobe University, Melbourne, Australia
Mr Gavin Love, International Association of Emergency Managers
Mr Neil Fergus, Intelligent Risk Pty Ltd, Sydney, Australia
Mr David Parsons, Sydney Water, Sydney, Australia
Mr Mike Tarrant, Emergency Management Australia Institute, Mt Macedon, Australia
Insp Mathew Anderson, Counter Terrorism Coordination Unit, Victoria Police, Melbourne, Australia
Mr James Kilgour, Canadian Centre for Emergency Preparedness, Toronto, Canada
The authors would like to acknowledge the contributions of all the people involved in the specialist peer review of the Handbook (Appendix A).
The objective of this Handbook is to outline a broad framework and
core processes that should be included in a security risk
management process, project or program of work.
It is intended that this Handbook can be used by any size or type of
organisation—from large multinationals to small businesses,
government agencies and the not-for-profit sector—that has
identified the requirement for, and merit of, developing effective
security risk management processes. However, some
recommendations may be more appropriate to some organisation
types rather than others.
Many of the apparently technical terms used in security risk
management can have subtly different meanings in different
organisations. A glossary (Appendix B) has been included to provide
consistent definitions as they are used in this Handbook.
The field of security risk management is rapidly evolving and as such
this Handbook cannot cover all aspects and variant approaches to
security risk management. The authors have endeavoured to provide
an overview of both commonly accepted good practices and some
promising emerging thinking to inform the understanding (rather than
direct) the actions of readers. As such no warranty is provided or
implied as to the accuracy or practical applicability of the contents of
this Handbook to any organisation or individual.
The extent of the Handbook is based on the broad nature of the
security landscape. A range of other security-related Standards
Australia publications cover certain aspects at a level of detail
beyond the ability of this Handbook to cover, such as IT Security. As
such these areas are not considered in detail within this Handbook.
A list of other relevant security-related Standards and Handbooks is
provided in Appendix C.

This Handbook is consistent with the framework for risk management outlined in AS/NZS 4360:2004, Risk Management. Security Risk
Management (SRM) plays a critical role as part of an organisation’s
risk management process in providing a fundamental assessment,
control and treatment process for certain types of risk.
Security risk management is a key and fundamental part of an
individual’s, organisation’s or community’s wider risk management
activities. In a fully integrated risk management system, security risk
management should be interlinked at each of its stages with all other
risk management activities being undertaken (e.g. financial, safety,
marketing, reputation, regulatory, etc). The only real differences are
the application of discipline specific knowledge that will occur in each
risk management activity – the overall process remains the same.
Although many of these activities may be conducted by identifiable
risk management functions, many may also be conducted as part of
the way that other business functions routinely conduct their
operations (e.g. employment risk management conducted as a
fundamental part of the human resources function).
Risk management provides a key support for decision making, providing the means of ensuring that strategy and operations are more appropriately applied. It can, and should, provide an interface between such decision making and the implementation of key
functions, processes and infrastructure, which are required to
achieve the key personal, organisational or community objectives.
Other risk management functions such as business continuity
management ensure that the required capability, resources and
knowledge are available and accessible to support the achievement
of these key objectives.
Security risk management requires fundamentally that the person
undertaking it has a thorough understanding of the principles and
practice of risk management first and foremost. This must be
accompanied by a thorough understanding of security. However, in
today’s environment, security within an organisation or community
cannot stand alone and isolated from all of the other processes and
systems.
In contemporary life, security should and must consider and
encompass issues such as strategy, governance, ethical conduct,
safety and organisational performance. For security risk
management to be successfully integrated into the fabric of
organisations and society it must become a fundamental aspect of
how we all routinely operate. It needs to become a fundamental part
of the manager’s and community leader’s ‘toolbag’, as much as
budget management, communication or decision making skills.


Contents
Page

1 Introduction
1.1 Security Risk Management—A new paradigm............ 6
1.2 Security Risk Management Approach......................... 7
1.3 Security risk management and its relationship with risk management ............ 10
1.4 Security risk management ........................................ 11

2 Communicate and consult
2.1 Introduction............................................................... 13
2.2 Engagement ............................................................. 15
2.3 Perception ................................................................ 19
2.4 Information transfer .................................................. 21
2.5 Decision making ...................................................... 21
2.6 Developing the communications strategy ................. 24

3 Establish the context
3.1 Introduction............................................................... 28
3.2 The external context ................................................. 32
3.3 The internal context .................................................. 34
3.4 The security risk management context ..................... 35
3.5 Determine the process/program structure................. 36
3.6 Developing the evaluation criteria............................. 37
3.7 Developing the business case .................................. 38

4 Identify risk
4.1 Introduction............................................................... 40
4.2 Data and information sources ................................... 43
4.3 Conducting the criticality assessment....................... 46
4.4 Threat assessment ................................................... 49
4.5 Conducting the vulnerability analysis........................ 59
4.6 Mapping threat, vulnerability and criticality .............. 66

5 Analyse risk
5.1 Introduction............................................................... 69
5.2 Measuring risk .......................................................... 70

6 Evaluate risk
6.1 Introduction............................................................... 77
6.2 Tolerance of risk ....................................................... 77

7 Treat risk
7.1 Introduction............................................................... 80
7.2 Developing a treatment plan ..................................... 80
7.3 Conformance vs. Performance ................................. 85

8 Monitor and review
8.1 Introduction............................................................... 87
8.2 The elements of ‘monitor and review’ ....................... 87
8.3 Monitoring and review practices ............................... 88
8.4 Triggering monitor and review processes ................. 89
8.5 Post-event analysis and reporting............................. 90

APPENDICES
A Acknowledgments..................................................... 91
B Definitions and glossary............................................ 92
C Security related standards and handbooks............... 95
D Sources of data and information for establishing the context .......................................... 100
E Organisational reference sources for establishing the context .......................................... 105
F Security risk management workbook ...................... 107
G The Admiralty System............................................. 145
H Terrorism definitions ................................................ 146
I Example vulnerability rating matrices ..................... 148
J Example components of a security control environment............................................................ 156
K Community vulnerability assessment...................... 158
L Example questions for use in a vulnerability assessment ............................................................ 161
M Some common approaches to analysing security risk ............................................................ 163
N Key reference sources............................................ 169
O URLs for example reference sources for developing the context............................................ 171


1 Introduction
1.1 Security Risk Management—A new paradigm
‘Everything is different’, but it’s just the same.
There is a prevailing perception that there have been dramatic and far reaching changes in the nature of the business environment and in society at large over recent years. In particular it has been said, almost ad nauseam, that ‘the world has changed since 9/11’. However, many of these ‘new changes’ are merely highlighting issues that have presented challenges to organisations and communities for many decades.
What is different is that this has resulted in a powerful imperative for
issues to be now considered that have not previously been part of the
collective consciousness. As a society we have been made aware of the
need for, and existence of ‘security’ measures. However, in certain
quarters, security has long been viewed as something that people in
uniform did whilst guarding something. Security belonged in the world of
the police, the military or James Bond! When security interfaced with
ordinary working lives, we often saw it as hindering our daily routine.
Attitudes have changed significantly in recent times, with a major focus
on, and acceptance of the need for, an increased attention to security.
However, this changed attitude is often driven by misinformed perception,
fuelled by an overly dramatic media. The result is that security investment
may be misdirected to where the ‘noise’ is, not where it is really required.
In recent years concepts of organisational risk management have also
evolved.
The move has been from the rather simplistic ‘risk is insurance mentality’
to a more comprehensive enterprise-wide concept that encompasses a
better reasoned understanding of the nature of uncertainty that we face.
An improved understanding of the nature of risk facilitates more informed
decision making, increases our abilities to exploit opportunities and
minimise harm.
Similarly, security risk management provides a means of better
understanding the nature of security threats and their interaction at an
individual, organisational, or community level. Traditionally, the security
industry and profession’s focus on risk has concentrated on risk
minimisation, with activities aimed at loss prevention without necessarily
thoroughly considering the nature and level of organisational risk.
Some of the key characteristics of this paradigm shift are presented as
major themes within this Handbook and are summarised in Table 1.1.

Current practices in security risk management are now providing organisations with the means of making educated decisions on the need for security improvements and the most appropriate use of budget and other resources for investment in security.

Table 1.1
Key characteristics of the emerging paradigm shift in security risk management

From | To
Physical security | People, property and information security
Technical activity | Social/political process
One way dialogue (communicating to stakeholders) | Two way dialogue (communicating with stakeholders)
Tactical approach | Long term strategic planning
Policing/paramilitary view and approach | Holistic approach
Conformance criteria | Performance criteria
Worst case scenario | Most credible worst case scenario
Threat and hazard focus | Risk focus

No matter what embellishments or customisations are applied to a security risk management process, it should be firmly grounded on the principles of AS/NZS 4360:2004.

1.2 Security Risk Management approach
This Handbook is not a Standard, rather it provides guidance material
based on the tried and proven risk management methodology of
AS/NZS 4360:2004. The aim of this Handbook is to generate an
improved understanding of how security risk management can be used
for a range of activities from developing a system for a ‘greenfield site’ to
enhancing existing well established security programs.
The Handbook introduces a number of terms that may be unfamiliar to
either the ‘risk management or security professions’ as well as using a
number of apparently familiar terms, but in a different context to common
use. A glossary of terms is provided in Appendix B.
At its most fundamental, security risk management should provide the structure and means to determine the nature of threats, trace the ‘progress of vulnerability’ (1), understand potential consequences of future events, and develop a more strategic approach to these activities.

(1) Blaikie, P., Cannon, T., Davis, I. and Wisner, B. 1994. At risk: natural hazards, people’s vulnerability, and disasters. Routledge, London.

This approach (as with other good practice risk management approaches) should consider root causes, dynamic pressures and unsafe conditions where:
• Root causes, in a security context may include such issues as:
− limited access to political power, resources, infrastructure and amenity of potentially disenfranchised groups,
− ideologies, based upon different political, economic and social
systems,
− denial of basic human rights and freedoms,
− increasing social unrest and discord.
• Dynamic pressures may include such issues as:
− lack of local social and government institutions, barriers to skills development and employment opportunities, levels of investment,
− macro forces such as regional changes in markets, economies, and
• Unsafe conditions, may include such issues as:
− fragile physical environment, e.g. dangerous locations, unprotected buildings and infrastructure,
− fragile local economic conditions,
− lack of emergency management capability.

1.2.1 The structure of security risk management
The key stages of the security risk management approach (consistent with the key stages of AS/NZS 4360:2004 as summarised in Figure 1.1) are:
• Communicate and consult, including:
− communicating and consulting with internal and external stakeholders within each of the security risk management stages;
• Establish the context, including:
− the external context,
− the internal context,
− the security risk management context,
− structuring the security risk management activities,
− developing evaluation criteria;
• Identify risks, including:
− determining the threats,
− identifying critical organisational and community elements (2) under threat,
− determining the vulnerability of those elements to the threats identified,
− identifying specific events and scenarios that might affect individuals, organisations, or communities, and their possible consequences;
• Analyse risks, including:
− evaluating existing controls (security and emergency systems),
− determining the consequence should the risk eventuate,
− determining the likelihood of such a risk with that consequence occurring,
− defining a level of risk based on a combination of consequence and likelihood;
• Evaluate risk, including:
− determining the tolerance to individual risks,
− evaluating the need for any further treatment of those risks;
• Treat risks, including:
− developing recommendations and strategies for the treatment of priority risks,
− assigning accountabilities, responsibilities and budget for risk treatment activities; and
• Monitor and review, including:
− monitoring of the external and internal security environments to detect change,
− review of the risks and their treatment strategies,
− monitoring and reviewing progress and outcomes of each of the steps of the process.

(2) Organisational and community elements include: people, information, infrastructure and the processes that support them.
FIGURE 1.1 SECURITY RISK MANAGEMENT PROCESS — OVERVIEW (3)
(Figure: the AS/NZS 4360 process flow. Establish the context, Identify risks, Analyse the risks, Evaluate the risks and Treat the risks run in sequence, with Communicate and consult and Monitor and review running alongside every stage.)

1.3 Security risk management and its relationship with risk management
An organisation’s approach to risk management often focuses strongly on financial, operational, market, employment, insurance and reputational risks, with security risk often forgotten. However, security risk management has become a powerful tool in assisting prevention and management of the consequences of events that are often outside of an ‘organisation’s’ normal understanding and experience.
A risk based approach to security ensures improved corporate governance and transparency of decision making through managing risks that threaten the ongoing sustainability of the organisation. Such an approach greatly assists in justifying the organisation’s or sponsor’s investment in security.

(3) Based on AS/NZS 4360:2004.

The identification, assessment and treatment of security risks assist in the overall management of organisational risk. Security risk management
is a vitally important part of a well founded organisational risk approach.
Security risk management is really a special application that should fit
within an organisation’s established risk management framework. It
introduces a new element, the concept of someone deliberately
introducing an exposure to potential harm and seeking actively to bypass
controls in place. However, the similarities between organisational and
security risk management far outweigh any differences.
It is also vitally important that appropriate accountabilities and
responsibilities are assigned at each and every step of the security risk
management process.

1.4 Security risk management
Security risk management is:
‘the culture, processes and structures that are directed towards maximising benefits and minimising disbenefits in security, consistent with achieving business objectives’.
Where security is defined as:
‘the preparedness, protection and preservation of people, property and information both tangible and intangible’.
The approach to security risk management described in this Handbook
can be applied at different levels of the organisation, from individual
projects or security improvement initiatives, up to whole-of-organisation
or community-wide security programs. It is also applicable across all
facets of an organisation’s functions, or community’s activities. The areas
where security risk management should be considered have been termed
the ‘security risk landscape’. Figure 1.2 provides an overview of
examples of types of threat and threat sources that need to be
considered for security risk management. However, some forms of
security risk are largely outside of the scope of this Handbook and are
dealt with in more detail in other Standards Australia publications (see
Appendix C). For example, see HB 231 Information security risk
management guidelines.

FIGURE 1.2 AN EXAMPLE SECURITY RISK LANDSCAPE FOR AN ORGANISATION
(Figure: a matrix of example security concerns arranged under three headings: People (employees; visitors; customers and suppliers; other stakeholders such as financiers, regulators, owners/shareholders, community and creditors), Assets (capital; operating and financial; investment; intangibles such as intellectual property, reputation and goodwill) and Information (integrity; confidentiality; availability; IT and electronic; documents). The example concerns listed range from recruitment, termination, workplace violence and fraud and loss prevention, through physical access, funds transfer and cash handling, to access control, intruder detection, encryption, and document storage, retention and disposal.)

The effective management of security risk is a fundamental requirement of the way in which organisations, individuals and those tasked with the protection of our communities must now operate.
There are of course a wide range of sources of internal and external risks
to the organisation, individual or community that go beyond security
concerns. However, security risks represent a potentially significant
source of concern for governments, employers, employees, and citizens.
Security risk is not just a potential source of personal, corporate and
social loss (in terms of lives, wellbeing and assets) it is also a potential
source of reputational damage for all involved.

2 Communicate and consult
2.1 Introduction
Communication and consultation are important at each step of security
risk management (Figure 2.1). They are essential ingredients of gathering
input, and of checking the validity and relevance of data and information.
They are also essential in improving awareness of, and commitment to
the range of security risk management activities being undertaken.
Communication and consultation involve a two-way dialogue with stakeholders (4) with efforts focused on sharing rather than on a one-way information flow informing other parties on what has happened. It is important to develop a communication plan for stakeholders at the earliest stage of the process. Communication is the key first step in ‘getting buy in’ from stakeholders and hence it should begin at the earliest possible stage.
People who work in an organisation often have very important information
about weaknesses in the system and without their participation, the most
sophisticated system will at best be suboptimal and at worst a waste of
resources and a potential threat in itself. Furthermore, even significant
budgetary investment in security can be of limited value unless
stakeholders believe that managing security risk is part of their normal
role.

2.1.1 Effective communication


A comprehensive coverage of effective communication is beyond the
scope of this handbook. However, a number of communication issues
that can have a profound effect on security risk management are covered
briefly in this section.
Effective communication is dependent upon the skills of the
communicator, the skills of the recipient and the nature and content of the
message. For communication to be effective there are a number of
issues that need to be considered in the way that communications are
developed and delivered, and the manner in which they are received by
their intended audience. These issues include:
• Engagement of the audience;
• Participation of the audience;
• Information transfer between parties;
• Perceptions of individual parties involved;
• Adequacy, comprehensiveness and clarity of information for making decisions;
• Agreement between the parties involved on the expected deliverables; and
• Delivery of the outcomes as agreed.

(4) Stakeholders: includes anyone with an interest or influence in the organisation or community (or projects, issues associated with or parts thereof); this could include (but not be limited to): the Board, management, employees, citizens, local communities, unions, shareholders, families, media, lobby groups, customers, suppliers, government, regulators, etc.

FIGURE 2.1 SECURITY RISK MANAGEMENT PROCESS—DETAIL
(Figure: the process of Figure 1.1 with the content of each stage. Establish the context: strategic context, organisational context, security risk management context. Identify the risks: threat assessment, vulnerability assessment, criticality assessment. Assess the risks: likelihood, consequence. Evaluate the risks: tolerance, acceptability. Treat the risks: avoid, accept, exploit, share, reduce. Communicate and consult (what? when? where? how? who?) and Monitor and review run alongside every stage.)


2.2 Engagement
One of the great challenges in communication is gaining the attention of
the audience to actually read or listen to the message. This challenge
often arises from the very basic premise of ‘it can’t happen to me’, so the
message cannot be relevant to me. One of the prime aims of the
communicator is to provide information to an audience in a manner in
which they will attach meaning similar to that of the communicator. To
assist in this the communication must successfully move the audience
from passive reception of the message, to active processing of the
information. The audience needs to become engaged with the
communication and communicator.
The psychology of engagement is a complex and ever-evolving field,
beyond the scope of this Handbook. However, attention to the following
three basic principles will greatly assist in achieving successful
engagement:
• Interest: The content, and both the manner and format in which the
communication is presented must be of interest, or create an interest,
in the intended audience. This interest may arise because:
− the subject matter directly relates to the audience’s recognised needs,
− the subject matter relates to previously unrecognised
(subconscious) needs,
− the subject matter creates curiosity,
− the channel or approach taken in presenting the communication
grabs the attention of the audience (for example, it is unusual or
otherwise stands out from the normal);
• Emotion: A specific communication may elicit negative or positive
emotional responses in an individual. A single item of information
may elicit a whole spectrum of responses across the audience, so the
communicator must carefully consider the emotional response they
wish to elicit. It must also be recognised that the actual elicited
audience response may not be aligned with this desired response.
For example, where the desire is to create some anxiety in order to
drive behavioural change (for example, ‘smoking can damage your
health’), the actual response may make individuals so distressed that
they begin to avoid the information being presented. The emotional
response to a communication will therefore affect the way in which
individuals process its content. To engage the audience, the desired
emotional response and the actual triggered emotional response
must align as closely as possible; and
• Understanding: To become engaged the audience must be able to
understand the information presented or be capable of gaining an
understanding within the desired timeframe.

TIPS AND TRAPS
It is vitally important that you understand the intended audience of the communication. For example, there would be limited value in using rail security scenarios in communicating with the aviation industry if they were unable to relate to them. It is equally important to recognise that the audience will be ‘turned off’ by communications that may be perceived as overly technical, patronising, or unrealistic. Communications must offer something to the intended audience, such as providing additional information that fills gaps in their current knowledge base.

2.2.1 Participation
Effective communication is also very dependent upon having the
participation of each of the parties involved. Attaining engagement and
facilitating understanding is a key aspect of gaining participation along
with the following attributes:
• Need fulfilment: participating in the communication must be
recognised as meeting the needs of the parties involved;
• Ability and capability: the parties involved must have the ability and capability to become involved;


• Opportunity: the parties must be provided with and be able to
recognise the opportunity to become involved; and
• Trust: this must exist or, be developed, between the parties
involved. This extends to trust in:
− the source of the information,
− integrity and validity of the information itself,
− the recipient of the information,
− the way that the information will be used.

2.2.2 Engagement and participation of senior management
Developing or gaining the commitment of senior management is the
fundamental requirement for the successful delivery of any risk
management program or activity. This commitment is absolutely
necessary to a successful security risk management endeavour because:
• Security risk management will produce information (sometimes
unpalatable) that will require a management audience to find the time
to understand, consider, decide upon, resource and implement a
series of actions;
• Undertaking security risk management will make demands on the
time of individuals from other areas of the business. Outputs from the
process may impose constraints on previous modes of operation;
• There will be a cost involved: budgets must be sourced from
somewhere (e.g. CAPEX and OPEX) and there will often be internal
competition for limited available funding;
• There may be additional expertise that has to be resourced to
support the development and implementation of the security risk
management program or the outputs of the review; and
• There will always be the need for a strong consistent message on
organisational priorities. Visible active support from senior
management for security risk management provides a powerful
message on its importance to the rest of the organisation.
Gaining the commitment of senior management means that powerful
advocates are created who will influence other stakeholders and continue
to drive increasing ownership by and integration throughout the
organisation.
In communicating with senior management it is important, for example,
that messages succinctly identify any gaps (vulnerabilities), the options
available to bridge these gaps, the costs associated with each option and
the projected increase in security capacity and capability.

TIPS & TRAPS


Gaining senior management commitment is not easy, even if the need
for security risk management is initially driven from the Executive.
Starting small and building credibility from quick achievements can
often be the most effective road to success. Identifying what is
important to a single member of the Executive team is a good start;
pick the low-hanging (although probably less glamorous) fruit first. In one
example (from a public service organisation), ‘risk’ was not even
mentioned in the initial activities undertaken. The focus was entirely on
helping to fix issues that were keeping a particular senior executive
‘awake at night’. In another example, an overseas trip by the Chief
Executive provided an opportunity to deliver a real value-added service
(above and beyond the routine travel threat assessment) and
subsequently raised the question ‘well, what else can you do for me?’
The provision of simple hands-on tools that make it easier for
management to understand or apply security risk management
requirements can not only initiate such commitment, but will provide
ongoing reinforcement for it. Such tools can be as uncomplicated as
credit card sized aide memoires (including flash cards, call-out lists,
etc.), simple spreadsheets for rapid risk assessment, etc.

2.2.3 Engagement and participation of staff


If security risk management is to become fully integrated within normal
business operations, then staff, at all levels, will need to become
increasingly engaged and involved in such activities throughout the life of
the project and/or organisation. For example, they will provide input to
identifying and assessing risks and must participate in risk treatment
strategies. Consideration needs to be given as to how:
• staff will provide input, particularly in risk assessment activities
(i.e. provide information to develop and maintain the security risk
management process);
• security risk information will be communicated to staff;
• staff can become involved in developing improvements to or
treatment of security risk exposures; and
• responsibilities and reporting lines will be established.


TIPS & TRAPS


Successful engagement requires:
• Emotional involvement—if an issue touches upon the emotions
of individuals concerned, then engagement will be far stronger.
For example: security risk management activities concerning
aggressive customers will engender greater engagement with
employees if they have personally experienced threatening
behaviour in the past.
• An appreciation of the relevance of security risk management in
addressing existing concerns or issues.
• A recognition that security risk management is offering practical
solutions that can be feasibly implemented.

2.2.4 Engagement and participation of other stakeholders


Before even thinking about how to engage your other stakeholders, step
back and consider: ‘do I know who my important stakeholders are?’ and
‘what should I be telling them?’ From a security risk management
perspective you should certainly, at a minimum, be considering suppliers,
contractors and customers (internal and external). In many organisations
there will be significant exposures associated with dealing with these
stakeholders. However, don’t forget about the other stakeholders that
may need to be engaged with the process, including community groups,
industry groups or associations, academic institutions, even competitors.
Why engage such stakeholders and encourage their participation in a
security risk management program? Reasons include:
• The stakeholder may have a greater awareness or understanding of
some risk exposures than the organisation itself.
• Stakeholders will certainly look at risk exposures and their control
and treatment from a different perspective to the organisation.
• Any treatment or business improvements arising from the process
may have impact upon, or be constrained by one or more
stakeholders. Having their involvement early on will subsequently
facilitate a more successful implementation.
Participation is the first step towards developing partnerships and building
relationships based on trust. In times of actual emergency, when routine
processes are unable to address the consequences of an event, well-
developed partnerships and relationships improve the likelihood of a
timely, considered and measured response.
Intra/interrelationships need to be identified, acknowledged and
appropriate processes put in place. For example, staff and other
stakeholders may have multiple roles and responsibilities that could
contribute to security risk management. Because of the inherent
uncertainty and complexity in security risk management, it is important to
acknowledge that values and experience play a fundamental role in
people’s thinking and decision making. Stakeholders are likely to make
judgements on their tolerance to a risk based on their beliefs, perceptions
and ability to implement treatment strategies.

Successful security risk management requires the effective engagement
of a diverse range of stakeholders. Engagement, particularly in the
development of a participative process, requires the establishment of trust
in the interrelationships. The ongoing effective management of security
risk will depend very much on trust between the key parties involved. Trust in
itself will depend upon the organisation’s or community’s ability to
communicate with clarity and without conflicting messages being
received. Management of potential conflict or confusion in messages will
require an acknowledgement and understanding of both formal and
informal communications systems operating within the organisation.
Effective engagement with these stakeholders improves understanding of
uncertainty and better develops resilience amongst those involved. In this
respect security risk management goes far beyond being a technical
activity; it becomes a social and political process.
The engagement of stakeholders must be considered very carefully and
the information and knowledge gained from them must provide tangible
benefit to the security risk management process.

TIPS & TRAPS


Gaining engagement for security risk management activities is rarely
easy. In some organisations, just mention the word ‘security’ and people
will conjure up images of ‘gorillas in uniform’, leading them to push back
or resist any security initiative. A number of organisations avoid this
situation by rebadging initiatives such as security risk management
under a staff safety banner, for example ‘managing security risk is
about improving safety for our people’.
Engagement of third parties, such as suppliers, is eased if they receive
some tangible benefits from the relationship. For example one
organisation’s supplier of storage facilities receives a regular annual
free ‘consultancy’ in the form of a security risk assessment with security
improvement recommendations from one of their customers.

2.3 Perception
Many aspects of risk management are highly subjective and are greatly
influenced by the perceptions of information providers, analysts, and
users of the products of security risk management.
The way in which we perceive the information being relayed to us will
determine how we react. In the security risk management context, the
perception of events is often based on information provided by sources
that have sensationalised and distorted it (this is not always restricted to
just media sources). Similarly, blanket denials or deliberate limitations on
the release of information can significantly influence the perception of
risk.
Perception creates and reinforces bias in:
• Selecting data and information to be used or rejected;
• Determining the validity and accuracy of, and the trust in, sources of
data and information;
• Misunderstanding of processes/methodologies that drive outcomes;
• Differential weighting of the importance of data during analysis;
• Assessing the relevance, validity and acceptance of the products of
analysis;
• Decisions about the appropriate treatment of risk; and
• Decisions about the relevance of changing context, risk and
treatment performance during ongoing monitoring.
Perception can be driven and influenced by a wide variety of factors.
These include:
• Personal experience: where individuals have been previously
affected by events or their impacts. For example: someone who has
been the victim of a mugging will often perceive a higher level of risk of
community violence compared with others without this experience.
• Perceived extremity of event: where extreme events, particularly
those with a high visual impact, are experienced or observed. For
example, widespread destruction following a hurricane.
• Perceived likelihood of event: where there is an attitude of ‘it can’t
happen to me’. For example, the likelihood of being involved in a
serious road accident, as commonly underestimated by drivers under
the influence of drugs or alcohol.
• Recognition: where there is little or no awareness that a threat exists
or is possible. For example, the stance of many decision makers
regarding the potential use of hijacked domestic airliners as weapons
prior to 9/11.
• Degree of control: where individuals feel either in control or out of
control of their circumstances or environment. For example: drivers
who are overconfident of their skills whilst driving at excessive
speeds in poor weather and road conditions.
• Dread and fear: where the level of fear drives dread of an event
occurring and elevates perceptions of the risk beyond reasonable
norms. For example: the perceived risk of flying arising from a
general unease is greatly amplified following a spate of actual or
hoax aviation-related terrorist incidents.
• Proximity of impact: where events are seen to have a close
cultural, social or geographical relationship. For example: where
increasing numbers of physical assaults against hospital staff in one
town begin to increase the perceived risk for staff in an adjacent
town.
• Cueing: where flows of third party information create an elevated
awareness of, or sensitivity to, the risk. This information includes:
− communicated perceptions of others: where significant
influence from peers occurs. For example: where the
continuing exposure to the fears of family members increases
the traveller’s perceptions of risk associated with overseas
travel on a ‘backpackers holiday’,
− media influence: where over-sensational, slanted or widespread
reporting on specific types of events occurs. For example: the
appearance of front page stories each day on attacks against
pensioners results in the elderly becoming too fearful to leave
their homes,
− collective consciousness: where an accepted and embedded
view of risk occurs within a group or society. For example, a
common world-wide view that the Bronx and Harlem are
‘dangerous places’, and
• Beliefs, emotions and values: which directly influence our cognitive
processes and hence can directly alter our perceptions.
None of these factors exist in isolation. In any individual there will be
significant interplay amongst them, each driving other factors.
Equally the perception of events will determine the action taken to
manage and recover from a security incident. It is vitally important that
information is assessed and reviewed for its relevancy, accuracy and
credibility, so that rumour, invention and falsehoods are clearly
recognised and appropriately dealt with when making decisions. The
influence of perception therefore needs careful consideration. An all too
common failing is to specifically favour or select those factors or issues
that are consistent with our beliefs or biases, whilst those that do not fit
are ignored or disregarded.

2.4 Information transfer


Ultimately, the manner in which information is transferred will be
determined by the success of information push (dispersal or transmission
of information by the communicator) and the degree of the information
pull (the willingness and capability to receive the information) by the
audience. Success in these areas is governed by both hard (technical
and infrastructure) and soft (individual emotions, perception, capability)
factors.
Communication failures often occur because either ‘pull’ or ‘push’
dominates too much in the communication process. This is most often
seen by an overwhelming ‘push’ approach, where communications
continue to be transmitted—in ignorance, indifference or antagonism—
without reference to audience needs and capabilities. However,
overwhelming ‘pull’ demands can have an equally negative impact on
communications where the audience demands for information become a
nuisance to, or drain resources from the communicator.

2.5 Decision making


To be an effective communication, the information presented must be of
use to its audience in making decisions, i.e. judgements about a range of
uncertain future outcomes. In general, communication should provide
information to enable decisions that will promote desired actions,
activities or behavioural changes. Decision making, in all circumstances,
will be greatly influenced by the perception of individuals.
Too often the desired outcomes are not received from decision makers.
In the process, from crafting a message to implementing a decision, there
are a number of barriers that require understanding and management
(Figure 2.2).

[Figure 2.2 (diagram, reproduced here as text): the path from Communicator to
Recipient passes through the stages Delivery, Attention, Understanding,
Analysis and evaluation, Decision making and Action. Barriers shown against
each stage: information adequacy, message development and cognitive
capability (Communicator); accessibility, channel capability, source
acceptance and channel acceptance (Delivery); interest, observation and
visibility, emotion/mood and competing information (Attention); recipient
attributes and message attributes (Understanding); beliefs and values, threat
context, recipient capability, information adequacy, source credibility and
cultural factors (Analysis and evaluation); imperatives, competing issues,
organisational/environmental factors, time availability and resource
availability (Decision making); organisational capabilities, drive vs inertia
and competence (Action).]

FIGURE 2.2 BARRIERS TO EFFECTIVE COMMUNICATIONS

Key barriers include:


• Message development: The message needs to be developed with
the appropriate level of detail of information, in appropriate language
and within the appropriate time frame.
• Message delivery: There needs to be:
− source acceptance: to ensure that the message is successfully
delivered the source of the message needs to be acceptable to
the recipient. For example in some organisations the senior
executive may not be responsive to messages originating from
junior staff,
− channel acceptance: some decision makers may require their
communications to be delivered as a one-page brief. A thirty-
page report or an email may not even reach the stage where it
is read by the decision maker.
• Attention: Information needs to capture the attention of the decision
maker and raise their interest in the midst of significant amounts of
competing information. Information that fails to gain attention will
forever be pushed to the bottom of the pile;
• Understanding: A range of attributes of both the information and the
recipient are critical to gaining understanding. For example, how
likely is it that a senior HR manager would have much understanding
of a detailed technical report full of electrical engineering terms?
• Analysis and acceptance: Capability to analyse the message
needs to exist and the output of that analysis needs to be accepted
by the decision maker. This includes:
− recipient capability: the decision maker must have sufficient
experience, knowledge and skills to perform analysis on the
information,
− source credibility: the originator of the information must be
‘believable’ or respected by the decision maker,
− beliefs and values: information that directly conflicts with
existing beliefs or values will be less acceptable and more likely
to be disregarded,
− context: as contexts change, the information may be analysed
differently or its acceptability may change. Before 11
September, 2001 few managers would have regarded
information on suicidal hijacking of airliners as credible,
− cultural factors arising, for example, from social backgrounds,
ethnic origins or educational backgrounds, will influence how
information is analysed and how accepted the results of that
analysis will be,
− information adequacy: the information must be adequate for the
type and degree of analysis required of it.
• Decision making: Having analysed the information and accepted
the output of the analysis, a decision then needs to be made. Issues
that will influence the decision itself will include:
− imperatives: which may constitute organisational priorities (such
as ‘the decision is supported by clear corporate objectives and
outcomes’) or directional requirements (such as ‘a whole of
government requirement will drive our decision’),
− competing issues: for example where emerging issues become
of more importance for a short period of time,
− time availability: time available for making the decision (for
example, providing detailed information on a complex issue an
hour before a decision is required may not be advisable),
− resource availability: perceived future constraints on the
resourcing of the outputs that will influence the final decision,
− other organisational or environmental issues: that will influence
the decision making process (such as the practicalities of
installing a new generator within a building’s basement area),
− presence of predetermined triggers: that will direct decision
making in specific directions dependent upon the extent of
activation of the triggers.
• Action: Once a decision has been made there are a number of
issues that may constrain or prevent it from being actioned or
implemented, including:
− resource availability: what appeared to be financially feasible or
being capable of being resourced, in reality may not be,
− capabilities or competencies: required to implement the
decision may not be available or accessible,
− drive versus inertia: although the decision has been made, the
organisation or individual will to implement the decision may
evaporate.


2.6 Developing the communications strategy


A critical element of any risk management process is to develop and
implement a communications strategy encompassing each of the security
risk management process elements. Generically there are a number of
key steps that need to be considered, including:
• Identifying key stakeholders where some form of communication may
be required;
• Determining the communication objectives, the information
requirements and the means of acquiring them. Such communication
approaches may include:
− information provision: detailing aspects of the security risk
management process, outputs, treatment strategies etc,
− information collation: gaining from stakeholders an improved
understanding of context, risk issues, treatment options,
changing imperatives, etc,
− consultation: two-way dialogue on improving understanding of
issues, perspectives and concerns,
− consensus: achieving a mutually agreed position on direction or
actions;
• Developing and documenting the communications strategy, including
information channels;
• Implementing the communications strategy to provide appropriate
information flows at each of the stages of the security risk
management process; and
• Ensuring that the communications strategy not only facilitates the
monitoring and review part of the process, but that the monitoring
and review of the effectiveness of the communications strategy is
also built into the process.
The nature and timing of a security incident will dictate many of the
elements of a communication strategy. The following elements are
suggested (Table 2.1).

Table 2.1
Communication strategy issues (see note 5)

| Issue area | Pre event | During/post event |
|---|---|---|
| Stakeholder issues | Ensure that the communication strategy has considered stakeholders and organisations with which there are relationships. | Review stakeholders and interrelationships to ensure communication channels are appropriate and that strategies are in place to recognise and work with emerging groups. |
| | Engage stakeholders (incl. community representatives, politicians, etc.). | Monitor and review stakeholder and community views. Ensure briefing and debriefs of stakeholders. |
| | Provide opportunities for stakeholders to contribute appropriately. | Provide opportunities for stakeholders and communities to express their views. |
| | Establish a stakeholder management plan and if appropriate develop a community management plan. | Avoid appearing devious or ‘high and mighty’. Be open and honest. |
| Risk issues | Provide short and simple messages. | Monitor spokesperson’s performance – beware of unintended messages. Develop ‘holding lines’ and ‘talking points’. |
| | Communicate and engage about the nature of risk where appropriate. Don’t build expectations that can’t be fulfilled. | If the event is potentially high profile, establish a media ‘centre’ (see note 6) – invite media to command centres, provide access, provide opportunities for good vision, etc. |
| Media and public disclosure issues | Establish a media strategy (see note 7), core messages, and materials. | Review communication assumptions. |
| | Explain the context of the problem before proposing solutions. | Be aware of ‘technical truth’ versus ‘public fact’ issues. |
| | Liaise and brief/educate media on issues. | Brief own staff ASAP, ideally before the media. |
| | Build relationships with media representatives as part of doing normal business. | Understand the media agenda, develop appropriate approaches (positive news, honesty, public interest, etc.). |
| | Be cautious with public meetings, use skilled and knowledgeable facilitators. | Analyse the issues from a variety of perspectives. Engage the media. |
| | Ensure effective internal communications are in place and operating. | Ensure that internal communications carry the message before any media channels do. |
| | Train spokespersons and have clear guidelines for staff (and for other relevant stakeholders) on who is allowed to speak with the media or make other public comment. | Use credible and articulate spokespersons (‘talent’); this will often require specific training. |
| Legal and regulator issues | Be aware of legal constraints. | Confirm what can be disclosed with interests such as police, security organisations, insurers, lawyers etc. |
| | Develop regulator/jurisdiction protocols. | Implement regulator/jurisdiction protocols. Recognise that a major event may result in control being vested in another jurisdiction or authority. |

Notes:
5 Remember to formally document all proceedings, submissions and agreed
outcomes.
6 Note that inviting the media into control centres or other areas of an
organisation during an incident response needs to be carefully controlled under
very clear objectives of what is to be achieved through providing this access.
7 Where multiple organisations may be involved, developing a joint media
strategy can increase effectiveness.

TIPS AND TRAPS


There is a useful tool – IRACI – that can be used to assist in
determining who needs to be involved in communications,
and/or decision making. For example, in developing a
communications strategy, developing a briefing paper, or
eliciting a decision on an issue, consider and document the
following:
• Intervention: the level of management, Board, or Ministerial
involvement that is likely to occur, or may be demanded
should the original decision or communication require
modifying, rescinding, defending or further investigating.
• Responsibility: the experience, expertise, and seniority/level
(classification) of the individual making the decision, or
approving action.
• Accountability: the experience, expertise, and seniority level
(classification) of the individual accountable for the decision/
authorisation/ sign-off etc.
• Consult: the individuals or groups that need to be consulted
during information gathering and in determining decision
options.
• Inform: the individuals or groups that need to be informed
about the decision making process, the options or final
decision.
In documenting the communications plan, the issues in Table 2.2 need to
be considered.

Table 2.2
Documenting the communications plan

| Communication requirement | Considered issues | Examples |
|---|---|---|
| Audience | primary | to employees |
| | secondary | to employee families |
| | opportunistic | to local community members |
| Content | simple | non-bureaucratic language |
| | technical or non-technical | appropriate terminology |
| | unambiguous and clear | free of spin or obfuscation |
| Assumptions | social and societal | understood by socioeconomic group ‘X’ |
| | religious and cultural | will not disenfranchise group ‘Y’ |
| Expectations | sender | management of the organisation |
| | recipient | primary, secondary audience |
| | stakeholder | Board, Minister, shareholder |
| Sensitivities | political correctness | potentially offensive to minorities |
| | empathy | awareness of local/personal contexts |
| Mode | direct-targeted | person to person, meetings, mail |
| | broadcast | TV, radio, print media |
| | publication | internet, journals, books, pamphlets |
| Accessibility | language | multilingual messaging |
| | readability | use of colours, fonts (size and type) |
| | disability | visually/hearing impaired, colour blindness |
| Boundaries, barriers and constraints | legal | regulatory requirements |
| | governance | approval, due diligence |
| | political | acceptability |
| | social | local values, customs |
| | technical | capabilities, feasibilities |
| | business | policies, confidentiality |
| | reputational | public & stakeholder confidence |
| | obligations | moral, ethical, contractual, regulatory obligations to stakeholders |
| | cost | cost-benefit of proposed actions |
| Performance | measurement and monitoring | key performance indicators, milestones |


3 Establish the context


3.1 Introduction
Security risk management needs to be conducted in a manner that is
appropriate to the organisation’s type, culture, operational issues and the
wider environment within which it operates. In particular, security risk
management needs to be appropriate to the prevailing and emerging risk
environment. Establishing the context is critical because it sets the basis
on which all subsequent security risk management activities are
conducted. Establishing the context is the principal activity in developing
the scope for security risk management.
The major elements in establishing the context in the security risk
management process are:
• Establish the external context within which the organisation
operates;
• Establish the internal context of the organisation;
• Establish the security risk management context for the
organisation:
− determine the goals and objectives for security risk
management,
− determine the process or program for the conduct of security
risk management,
− identify the key internal and external stakeholders, and
sources of data and information,
− define the structure and resourcing required for conducting
the risk management activities,
− decide upon the tools and techniques that will be used,
− assign accountabilities and responsibilities for activities,
− identify any constraints to the proposed activities,
− detail any assumptions being made,
− confirm the processes for monitoring and reviewing, including
the process for identifying and approving subsequent changes
to the context;
• Review the context and develop the evaluation criteria.


These elements are illustrated in Figure 3.1. Typical questions that can
be asked to derive information on these elements are summarised in
Table 3.1.
Although described separately, the three ‘levels’ of the context are not
necessarily discrete. There will at times be significant overlap in issues,
usually because external issues will influence internal issues, which in
turn will drive security risk management issues.

TIPS & TRAPS


There is a trap for ‘young players’ in this. By separating out the context
into external, internal, and security risk management there is a danger
that the interdependencies and particularly the interfaces between the
‘different’ contexts are either paid insufficient attention or are ignored.
Remember—it is often at the interfaces that the biggest risks are hiding!

Table 3.1
Typical questions relating to context

| Context element | Typical questions to ask |
|---|---|
| Commitment | What are the key success drivers of senior management, middle management and staff? |
| | How can better understanding and management of security risk management complement or enhance these drivers? |
| | How are security issues currently affecting management and staff performance? |
| Goals and objectives | What are the goals and objectives of the organisation, business unit, department, project, individual, community and society? |
| Process or program | What constraints exist to adopting the chosen approach to security risk management? |
| External context | What is the relevance of changing economic conditions? |
| | What new legislation is on the books? |
| | What are the prevailing/changing social conditions? |
| | In what activities are key competitors engaged? |
| | What are the expectations of suppliers, customers, communities, shareholders and other stakeholders? |
| Internal context | What are the key programs, projects and activities identified in this year’s business plan? |
| | What resource limitations exist? |
| | What are the key findings from internal audit reports? |
| | What are recent trends in security and OHS near misses and incidents? |
| | What security concerns/issues have been identified recently? |
| Security risk management context | What are the objectives of the proposed security risk management activities? |
| | What decisions need to be made, and by whom? |
| | What is the scope of the proposed security risk management activities? |
| | What critical assets, people, information and processes have been identified? |
| | What general or specific threats have been made? |
| | How are security issues currently affecting management and staff performance? |
| | What apparent vulnerabilities exist? |

[Figure 3.1 (diagram): Establish the context. The boxes and their contents are:
Develop commitment: identifying stakeholders; business case development.
Develop strategic context: geo-political; regulatory; social; economic; markets; competition; community.
Develop organisational context: strategies; leadership; structures; business models; logistic chains; operations; performance; industrial relations; location; media profile.
Develop SRM context: threats; critical assets; critical functions; vulnerabilities; interdependencies; evaluation criteria; tolerance levels; scope/objectives.
Determine SRM goals and objectives: deliverables; time requirements; outcomes; stakeholder requirements.
Determine process/program structure: authority; accountabilities; responsibilities; stakeholder involvement; governance and reporting.
Review.
Data and information sources: internal reports; media; intelligence; word of mouth; technical experts; management; staff; stakeholders; internet; annual reports; business plans; legislation; white papers; subject matter publications.
Data and information types: historical; trends; performance results; balanced scorecard; crime statistics; intelligence analysis; audit findings; safety near miss; engineering performance; physical asset status.]

FIGURE 3.1 ESTABLISH THE CONTEXT


3.2 The external context


A number of terms have been employed by different organisations to
encompass the concepts of external context including: 'environmental',
'global', 'regional', 'strategic' and 'macro'. The term ‘external context’
refers to gaining an understanding of the external environment in which
the organisation is operating or may be operating in the future. In
developing the external context, the key objective is to identify and
characterise factors in the external environment that are going to have an
effect on the organisation or the manner in which it does business.
Ultimately, the focus will be on those factors which will either directly or
indirectly have security risk implications for the organisation. The
outcome should be an improved understanding of the nature of external
threats and opportunities that will affect security risk exposures, and the
degree of uncertainty associated with those factors.
Issues to consider in developing the external context (examples in
Appendix D) could include:
• Geopolitical;
• Regulatory;
• Social;
• Economic;
• Markets;
• Competition;
• Community; and
• External stakeholders.

TIPS & TRAPS


An examination of the external environment could end up being ‘bigger
than Ben Hur’, so it will be necessary to place some boundaries on the
exercise to ensure that it remains relevant to the security risk
management objectives. However, it is equally important to ensure that
the context is not too narrowly focussed on traditional security related
concepts. For example, if you are setting up operations in a new
location, unemployment trends and presence/absence of social
infrastructure could be just as valid an indicator of future security risks
as would existing local crime trends.

• Geopolitical:
− What are the major current political issues that could affect the
organisation, community or individual?
− How politically stable are the areas/countries that we operate
in?
− How politically stable are the areas/countries that form part of
our supply or customer logistics chain?
− What terrorist or organised crime groups operate in the
areas/countries with which we have an interest?
• Regulatory:
− Could our operations be contravening local laws and
regulations?


− Do local laws and regulations place constraints on our
operations?
− What legislative/regulatory changes are foreshadowed for the
immediate, mid term, long term future?
− Does the regulatory regime drive or counter a more orderly or
ethical culture?
• Social:
− How pervasive is corruption in the area/countries in which we
operate within or deal with?
− How prevalent are civil disturbances, riots, public
demonstrations?
− Are there national or local ethnic tensions?
− What is the level of government support and intervention for
social improvement and tackling ‘security issues’?
• Economic:
− What socio-economic groupings exist, particularly in the
communities around local operations?
• Markets:
− What are the principal markets?
− What are the peculiar characteristics of individual markets or
market segments?
− What position does the organisation occupy within the market
(e.g. market leader, follower, niche player, etc)?
• Competition:
− What other competitors are present? In close proximity?
Regional? Global?
− How aggressive or antagonistic is local competition?
• Community:
− What levels of antisocial behaviour does the local community
tolerate?
− What levels of social infrastructure exist: Medical services?
Sanitation? Emergency services? Law and order? Public
transport?
− What are local community crime figures and trends?
− What local natural hazards exist?
− What is the local community’s preparedness/capability to
manage disasters?
− Is the local area becoming ‘upwardly mobile’ or increasingly
‘downmarket’/’derelict’?
− What exposures are created by neighbouring organisations or
land uses? (e.g. presence of local amenities used as drug
‘shooting galleries’, major transport hubs, dangerous goods
facilities, public gathering areas, icons, other critical
infrastructure).

• External stakeholders:
− Who are the key external stakeholders?
− Who are the new or emerging stakeholders?
− What is the nature of the relations with key stakeholders?
(e.g. unions, media, investors, local community)
− What significant changes in the influence of various stakeholder
groups may be occurring?
− What is the extent of interdependencies and redundancies
within and amongst the various stakeholder groups?
• How does each of the external context issues interact with the
organisation?

TIPS & TRAPS


Much of the data and information to develop the External Context will
probably already exist in a useable format within your organisation. If
you are really fortunate there may already exist a documented ‘External
Context’ (prepared by your risk management or strategic planning
people), that can be used by casting a ‘security risk lens’ across it.
However, the quality of your security risk management activities will be
greatly determined by the quality of your context preparations.
Improving the quality of the context product will need some wearing out
of shoe leather, and seeking reputable external and internal sources for
the information. Get out and talk to people in your organisation – ask
them questions. The answers may just surprise you!

3.3 The internal context


The focus of developing the internal context is to create an agreed
understanding of the organisation’s internal environment and issues that
may influence the nature of the security risk exposures or the activities
being undertaken to manage them.
The key elements of the internal context and areas around which
questions should be posed in its establishment include (see also
Appendices D and E):
• The organisation’s objectives;
• The organisation’s structure (hierarchical, reporting, functional);
• The business model;
• Key plans and strategies;
• Key business function and processes;
• The type, extent and interaction of operations;
• The existence of key control systems;
• The organisation’s physical and technological infrastructure, and
maintenance;
• Organisational culture and workforce ‘morale’;
• Industrial relations;
• Resourcing issues, including any foreshadowed significant changes
(e.g. new site development, expansions, workforce downsizing);
• Historical crisis, disruption, disaster, emergency, safety and security
incident and trend information;
• Locations of business sites, accommodation, and other operations;
• Internal hazard locations (e.g. dangerous goods storage); and
• Presence of ‘sensitive targets’ (e.g. high profile individuals, sensitive
information, attractive assets, business critical assets, cash, etc).
Any security risk management activity must be conducted within the
parameters of the organisation’s context. The objectives for security risk
management must be aligned with the organisation’s objectives and be
supportive of the manner in which the organisation conducts itself.

3.4 The security risk management context


Developing the security risk management context provides the scope,
parameters and plan for undertaking the proposed security risk activities.
By the time that this stage is undertaken there should be a reasonable
level of understanding of the external and internal factors that are
interacting to influence the security environment for the organisation.
Issues that need to be considered in the security risk management
context include:
• The objectives for the security risk management activities;
• The security risk management scope, to include:
− those specific external and internal issues that will affect or
influence the security risk management activity,
− identification of threats and vulnerabilities,
− organisational areas, functions, businesses, locations, etc., to
be included in the security risk management assessment,
− those areas of the organisation believed to be critical and likely
to be priorities for consideration in the security risk
management activities,
− specific exclusions – issues or areas not to be included,
− the identification of strategic, commercial and operational
interdependencies.
• Data and information sources for inputs into risk assessments, for
example strategies, plans, reports and other documentation for
internal audit, risk, emergency and business continuity management;
• Security risk management tools, and approaches to be utilised;
• Agreed responsibilities, accountabilities and resources to be
deployed;
• Reporting and records management requirements, including
deliverables and expected outcomes, and timelines and delivery dates
for outputs; and
• Interdependencies with other areas/individuals of the organisation
and external entities.

TIPS & TRAPS


Two questions are commonly asked: 'how much time should I spend on
establishing the context?' and 'how long should the context statements
be?' Easy questions – tough answers. This is akin to asking 'how long
should a piece of string be'. It will all depend upon the circumstances to
which it is being applied.
For some security risk management activities, three simple paragraphs
could encompass a more than sufficient context analysis. For complex
or large projects, a lengthy detailed comprehensive context may be
required.
At the end of the day the decision must be made on a question of
balance, the need for information weighed against the time, cost and
ability to obtain it and make meaning of it. The investment needs to be
proportionate to the size and complexity of the task.

3.4.1 Finalising the goals and objectives for security risk management
It is highly likely that initial goals and objectives for the security risk
management activities will have been developed whilst engaging the
organisation and preparing the business case (see Section 3.7).
However, once the proposal has been approved it will be time to
objectively reassess the goals and objectives, including:
• Confirming with key sponsors and stakeholders their requirements
and expectations;
• Reaching agreement with key sponsors and/or stakeholders on the
deliverables from the activities, including outputs, timelines and
desired outcomes;
• Confirming the budget and other (e.g. staffing) resources required;
and
• Documenting these items and if appropriate obtaining final approval
and sign-off.

3.5 Determine the process/program structure


This step is really focused on determining the scope and nature of the
activities to be conducted, and the expertise, information and knowledge
required. This involves the development of an initial project plan,
including:
• Establishing detailed accountabilities and responsibilities for all key
deliverables, including roles of any steering committees, project
champions and the position identified for the ongoing management of
security risk (for example the Security Manager);
• Identifying the detailed activities and actions to be undertaken;
• Defining approaches and responsibilities for security risk
management activities;
• Deciding on how stakeholders will be involved in the activities;
• Establishing governance and reporting systems; and
• The approach to establishing the context.


This is a deliberately iterative process and it will usually be necessary to
review and modify the project plan once the context has been
established.

3.6 Developing the evaluation criteria


In most applications of a security risk management process there will be
some relative ranking of risk, decisions made on the tolerability of risk, or
the need to treat the risk. To assist in a robust repeatable approach to
this, risks are evaluated against one or more criteria. Criteria for deciding
whether a risk needs to be treated and how to prioritise can be initially
developed at this stage. Once a number of risks have been assessed it
may become apparent that the criteria are not fully appropriate to the
task. The criteria can be reviewed and improved as required during the
process.
Criteria that need to be considered include:
• Consequence:
− the types of consequence that will be assessed, e.g. financial,
reputational, safety, people, community impacts,
− any quantification of the level of consequence that will be
applied.
• Likelihood:
− how likelihood will be determined, e.g. probability, frequency of
occurrence.
• How the relationship between consequence and likelihood will be
used to generate a measure or description of risk; and
• How particular levels of risk will be used to determine acceptability,
tolerability, the need for treatment etc.

TIPS & TRAPS


It is perfectly acceptable (and quite usual) for you to apply different sets
of evaluation criteria to different security risk activities that you may be
called on to undertake in respect of different contexts. For example, a
dollar loss of $5,000 may be tolerable for a small business operation or
for a project team, whereas a loss of $50,000 may be catastrophic.
However, such a loss of $50,000 may be well within the tolerability for a
major corporate operating in new markets in a politically unstable
country.
The differing perspective of the sponsor, business owner, etc. is
something that must be taken into account in establishing your criteria.
This all harks back to the time and effort you spent on establishing the
external and internal context!
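The criteria elements this section lists (a consequence scale, a likelihood scale, the rule that combines them into a level of risk, and tolerance thresholds that differ by context) worked through in Python, as an added example that is not code from the Handbook. The five-point scales, the score bands, the dollar loss bands and the two criteria sets are constructed assumptions chosen to reproduce the $5,000 / $50,000 contrast in the Tips & Traps above; an organisation agrees its own values with its sponsor.

```python
from dataclasses import dataclass
from enum import IntEnum


class Likelihood(IntEnum):
    """Likelihood scale (constructed 5-point example)."""
    RARE = 1
    UNLIKELY = 2
    POSSIBLE = 3
    LIKELY = 4
    ALMOST_CERTAIN = 5


class Consequence(IntEnum):
    """Consequence scale (constructed 5-point example)."""
    INSIGNIFICANT = 1
    MINOR = 2
    MODERATE = 3
    MAJOR = 4
    CATASTROPHIC = 5


@dataclass(frozen=True)
class Criteria:
    """Evaluation criteria agreed for one context (hypothetical values)."""
    name: str
    # Inclusive upper bounds, in dollars, for consequence ratings 1..4;
    # any loss above the last bound rates as CATASTROPHIC.
    loss_bands: tuple[int, int, int, int]
    # Highest likelihood x consequence score tolerated without treatment.
    tolerable_score: int


@dataclass(frozen=True)
class Evaluation:
    consequence: Consequence
    score: int
    level: str
    treatment_required: bool


# Two constructed criteria sets: the same dollar loss rates very differently
# depending on whose context the criteria were set in.
SMALL_BUSINESS = Criteria("small business unit", (1_000, 5_000, 15_000, 30_000), 6)
MAJOR_CORPORATE = Criteria("major corporate, new market", (50_000, 250_000, 1_000_000, 5_000_000), 9)


def rate_consequence(criteria: Criteria, loss_dollars: int) -> Consequence:
    """Map a financial loss onto the context's consequence scale."""
    for rating, upper in enumerate(criteria.loss_bands, start=1):
        if loss_dollars <= upper:
            return Consequence(rating)
    return Consequence.CATASTROPHIC


def risk_level(score: int) -> str:
    """Descriptive band for a likelihood x consequence score (constructed bands)."""
    if score >= 15:
        return "extreme"
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def evaluate(criteria: Criteria, likelihood: Likelihood, loss_dollars: int) -> Evaluation:
    """Apply the agreed criteria: rate the consequence, combine it with the
    likelihood, then test the result against the context's tolerance."""
    consequence = rate_consequence(criteria, loss_dollars)
    score = int(likelihood) * int(consequence)
    return Evaluation(consequence, score, risk_level(score), score > criteria.tolerable_score)


def prioritise(criteria: Criteria, risks: dict[str, tuple[Likelihood, int]]) -> list[str]:
    """Rank named risks (likelihood, expected loss) from highest to lowest
    score under one set of criteria, so treatment effort goes to the top."""
    return sorted(risks, key=lambda name: evaluate(criteria, *risks[name]).score, reverse=True)


if __name__ == "__main__":
    for criteria in (SMALL_BUSINESS, MAJOR_CORPORATE):
        print(f"{criteria.name}: $50,000 loss -> {evaluate(criteria, Likelihood.POSSIBLE, 50_000)}")
```

Run as a script, the same $50,000 loss at a "possible" likelihood evaluates as extreme and requiring treatment under the small-business criteria and as low and tolerable under the corporate criteria, which is the point of the Tips & Traps: the criteria, not the dollar figure, decide. Because `Criteria` is a plain value object, a revised set can be substituted and the register re-ranked when, as the section notes, the first criteria prove not fully appropriate to the task.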


3.7 Developing the business case


Developing the business case is a key engagement activity as part of
‘Communicate and Consult’. Although a business case may be one of the
first activities undertaken during this phase, it is likely that the business
case will need to be revisited and refined whilst ‘establishing the context’.
Whether introducing a new security risk management program,
expanding an existing one, or undertaking a specific security project, the
preparation of a business case is a common requirement before approval
to proceed is given and resources allocated. Surprisingly it is also one of
the skills that is rarely covered in traditional ‘security risk management
school’. Individual organisations may have their own unique requirements
and formats for business cases, although many (see business case
template in the Workbook, Appendix F) will consider the following, in
some form or other:
• Governance (of the security risk management process), including:
− clear identification of the basis for any assumptions made,
− identification of the project/business owner, senior management
sponsor, etc,
− defined accountabilities and responsibilities;
• Identification of the organisation/business needs for security risk
management including historical data of incidents occurring within the
organisation, community, industry location, area;
• The objectives, deliverables and outcomes of the proposed security
risk management activity;
• Alignment with corporate/organisational objectives and/or priorities;
• Proposed scope of activities, including:
− broad nature of security risks to be examined (e.g. a risk
assessment of fraud and revenue leakage exposures),
− business locations, functions etc,
− duration and timelines;
• Resources required:
− internal staff, skills etc,
− time demands on other areas of the organisation,
− external expertise,
− equipment,
− accommodation.
• Budget breakdown, including:
− salaries and oncosts,
− consultancy fees,
− software development or purchase,
− report production, publishing, etc,
− travel, accommodation and other incidental costs,
− equipment and hardware (purchase or lease),
− overheads;
• Other costs to the organisation as a whole, including:
− any constraints or barriers that the proposed activities may
impose upon other parts of the organisation,
− critical interdependencies including the demands that will be
made on these interdependencies.
• Projected returns and benefits, including:
− tangible (e.g. financial) benefits (such as cost savings, for
example through reduced revenue leakage or vandalism). For
projects with extended duration or payback periods it may also
be appropriate to include net present values (NPV) in the
analysis; and
− intangible (non-financial) benefits (such as improved staff
safety, improved quality of decision making, or reduced risk of
unauthorised information disclosure).

TIPS & TRAPS



The strength of the argument for undertaking (or selling) the proposed
activity can be enhanced by including historical data (particularly any
significant losses or disruptions) concerning past security risks and
incidents. Brief case studies of the woes that have befallen others in
either your industry or geographical location can present a compelling
argument. However, be cautious, remember fact not fiction – no matter
how good the story!
Remember that the quality of your business case will be improved by
involving a selection of internal and external stakeholders in its
development.
Above all, be clear, simple and concise in preparing the business case
documentation.


4 Identify risk
4.1 Introduction
Risk identification is concerned with creating a well thought out and
comprehensive determination of the sources of risks and potential events
that will have an impact upon the individual’s, organisation’s, or
community’s objectives. The identification of risk can be assisted by
considering the outputs of more traditional approaches such as threat,
criticality and vulnerability assessment as useful inputs into the
identification process. The process will usually be better informed when it
encapsulates such information; however, risk identification is more than
just the separate assessments of threat, criticality and vulnerability.
Although these three considerations will greatly influence the
identification (and the analysis) of security risks, the relationship is not a
simple and straightforward one (see Figure 4.2).
The words ‘threat’ and ‘risk’ are often used interchangeably. However,
risk is not a synonym of threat: although closely related, the two are
significantly different. In many circumstances a ‘threat’, or threats will
provide a source for one or more risks. It is the interaction between the
threat and someone or something, at a particular instance or over a
period of time that will create the risk. Threats may exist, but not pose a
risk. For example, a disturbed or enraged client may present a threat.
However, the risk only emerges if there is some chance (no matter how
small) that the threat will interact with something (structure, person, etc)
to cause an event resulting in certain consequences (assault, verbal
abuse, vandalism, fear, etc).
Examining the security risk management context and considering the
threat, criticality and vulnerability assessments will enable credible
potential risk events to be identified and described. Risk should be
described in as full a manner as possible, so that decision makers fully
understand the situation.
AS/NZS 4360:2004 defines risk as:
'The chance of something happening that will have an impact on
objectives'.
This is an important definition because it exposes the increasing maturity
in thinking about risk that has occurred over recent years. Applying the
definition within the security profession should start to move the thinking
away from a focus on threat alone to a more expansive consideration of
security risk.

In undertaking risk identification, a list of security risks should be
developed by considering the following:
• How it could happen:
− A source of risk – for example a potential threat.
• Why it could happen:
− A cause: actions, incidents or other underlying factors that
create the source of risk,
− The presence (or absence) and effectiveness of controls (often
more narrowly referred to as ‘countermeasures’).
• What could happen:
− A potential event or incident, where the source of risk interacts
with some aspect of the entity,
− A consequence, resulting from the impact of the potential
event on the entity.
• Where it could happen:
− The physical locations where the event could occur or where
the consequences may be experienced (directly and indirectly),
− The key assets that may be associated with the risk.
• When it could happen:
− Specific times when the event is most likely to occur or the
consequences realised,
− Time periods over which the risk may be of particular concern.
• Who could be involved:
− Individuals or groups that may be associated with the threat,
− Individuals or groups that may be associated with the control of
the risk,
− Individuals or groups that may be impacted by the risk.
The presence of controls (such as physical barriers, the presence of a
security guard, or the interpersonal skills of the staff member) may modify
or prevent the interaction with the threat, thereby lowering or removing
the risk. Similarly, in the current security environment, al-Qaeda terrorists
represent a threat; the risk is that an attack from such a group will result
in physical harm to an organisation’s people or property, or indirectly cause
some other disruption (Figures 4.1(a) and 4.1(b)). In this example it can
be argued that:
• Root causes could relate to issues such as historical fundamentalist
views of Islam (such as Wahabism), perceptions of anti-muslim
international agendas, beliefs in the existence of ‘culture changing’
agendas of western democracies, perpetuated perceptions of
economic disadvantage;
• From these root causes then evolve a range of drivers such as the
generational inculcation of antagonism to western cultural values and
lifestyles, perceived injustices of social structures controlled by
apparently pro-western secular governments, feelings of impotence
in the face of dominant, overriding cultures, disenfranchisement and
social isolation of certain groups within society;

• These factors then drive the creation of fundamental beliefs,
behaviours and structures that become threats or sources of risk to
other third parties. For example the creation of Islamist groups such
as al-Qaeda, or Jemaah Islamiyah, the establishment of the Intifada
in the Palestinian territories, the collapse of capable functioning
societies or of law and order in some parts of countries such as
Somalia, Sudan, Sierra Leone, Iraq, Afghanistan, Papua New
Guinea, Solomons, Congo, Colombia, Nepal;
• From these sources then arise risks, such as a targeted attack
aimed at immobilising a piece of critical infrastructure, random
attacks against the local populace creating mass fear and loss of
confidence in the government, attacks against a specific organisation
aimed at removing (by kidnap or murder) key members of the
management or technical teams. Each risk raises a range of
potential consequences;
• Should one of the identified risks actually occur – an event – then
one or more of the potential consequences may actually be realised.
[Figure 4.1 (diagram):
(a) relationship pathway: Root causes → Drivers → Sources of risk → Risk → Consequences (potential); Risk → Event → Consequences (actual).
(b) example of relationship pathway: Root causes: Islamist religio-politics, racial hatred → Drivers: terrorist’s motivation, objectives etc. → Source of risk: Al Qaeda affiliate → Risk: bombing of commuter train → Consequences, potentially: mass casualties, service disruption, community dread, political instability, investment losses → Event → Consequences, actually: mass casualties, service disruption, united community.]

FIGURE 4.1 THE RELATIONSHIP OF THREAT AND RISK


Identifying risk is therefore about understanding the nature of the threat
(the source of the risk), interacting with important elements such as the
community, organisational assets, etc (with importance expressed
through criticality) and in what manner the nature of these elements will
facilitate or inhibit this interaction (expressed through vulnerability) (see
Figure 4.2).
[Figure 4.2 (diagram): Threat (from threat analysis) and the critical elements of the community, organisation and individual (from criticality analysis and vulnerability analysis) combine to give RISK.]

FIGURE 4.2 IDENTIFYING RISK

4.2 Data and information sources


The context statements developed at the earlier stage of the process
provide an ideal starting point for identifying threat and risk. However,
these may not provide sufficient detail for a thorough identification and
analysis. Other more detailed research may therefore be required to
develop robust risk identification. It is important that the reliability and
accuracy of data and information sources be addressed and, where
appropriate, graded to provide the analysis and subsequent decision
making with suitable reference points and weighting. The Admiralty
System is one example of a framework that considers the integrity of the
information source and the quality or accuracy of the information provided
(see Appendix G).
Data and information sources that could provide further quality input
include:
• Organisational loss and incident data;
• Local incident/crime data;
• Industry loss and incident data;
• Open source information: media, internet, public reports;
• Intelligence:

− formal: threat advisories; formal relationships with security
services/providers, law enforcement agencies, industry
associations; in house systems,
− informal: personal relationships, rumour mill;
• Comparative analysis with other organisations that may have
similarities in:
− size,
− culture,
− processes,
− operations,
− locations,
− industrial relations climate.
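The source grading that Section 4.2 attributes to the Admiralty System, worked through in Python as an added example; this is not code from the Handbook or its Appendix G. The reliability letters A–F and credibility digits 1–6 with their descriptions are the commonly published NATO ones; the numeric weights, the 0.5 corroboration threshold and the three sample items (sources and statements alike) are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Source reliability and information credibility codes of the Admiralty
# (NATO) grading system, with their commonly published descriptions.
RELIABILITY = {
    "A": "completely reliable",
    "B": "usually reliable",
    "C": "fairly reliable",
    "D": "not usually reliable",
    "E": "unreliable",
    "F": "reliability cannot be judged",
}
CREDIBILITY = {
    "1": "confirmed by other sources",
    "2": "probably true",
    "3": "possibly true",
    "4": "doubtful",
    "5": "improbable",
    "6": "truth cannot be judged",
}

# Numeric weights are an assumption for this example, not part of the
# Admiralty system. F and 6 mean "unknown", not "bad", so they get a
# neutral 0.5 rather than the lowest weight.
RELIABILITY_WEIGHT = {"A": 1.0, "B": 0.8, "C": 0.6, "D": 0.4, "E": 0.2, "F": 0.5}
CREDIBILITY_WEIGHT = {"1": 1.0, "2": 0.8, "3": 0.6, "4": 0.4, "5": 0.2, "6": 0.5}


@dataclass(frozen=True)
class GradedItem:
    """One piece of information recorded for a risk identification exercise."""
    source: str
    statement: str
    grade: str  # two characters, e.g. "B2"


def parse_grade(grade: str) -> tuple[str, str]:
    """Validate a grade such as 'B2' and return (reliability, credibility)."""
    grade = grade.strip().upper()
    if len(grade) != 2 or grade[0] not in RELIABILITY or grade[1] not in CREDIBILITY:
        raise ValueError(f"not an Admiralty grade: {grade!r}")
    return grade[0], grade[1]


def describe(grade: str) -> str:
    """Human-readable meaning of a grade, for the risk register."""
    reliability, credibility = parse_grade(grade)
    return f"{RELIABILITY[reliability]} source; {CREDIBILITY[credibility]}"


def weight(grade: str) -> float:
    """Combined weight for an item when it feeds the analysis (assumed formula)."""
    reliability, credibility = parse_grade(grade)
    return round(RELIABILITY_WEIGHT[reliability] * CREDIBILITY_WEIGHT[credibility], 2)


def triage(items, corroboration_threshold: float = 0.5):
    """Rank items by weight and name those too weak to rely on alone.

    Returns (sources in descending weight order, sources needing corroboration).
    """
    ranked = sorted(items, key=lambda item: weight(item.grade), reverse=True)
    weak = [item.source for item in ranked if weight(item.grade) < corroboration_threshold]
    return [item.source for item in ranked], weak


# Constructed sample items; the sources and statements are invented.
SAMPLE_ITEMS = (
    GradedItem("police liaison", "two forced entries at adjoining premises last month", "A2"),
    GradedItem("unattributed email", "rear loading dock door left unlocked overnight", "F3"),
    GradedItem("contractor hearsay", "loading dock CCTV is not monitored", "D4"),
)


if __name__ == "__main__":
    for item in SAMPLE_ITEMS:
        print(f"{item.grade} ({weight(item.grade):.2f}) {item.source}: {describe(item.grade)}")
    ranked, weak = triage(SAMPLE_ITEMS)
    print("ranked:", ranked)
    print("needs corroboration:", weak)
```

The threshold value is arbitrary; what matters is the edge case the codes exist for. An item graded F or 6 is unknown, not discredited, so it is neither discarded nor trusted but flagged for corroboration, which is the handling the informal sources listed above (personal relationships, the rumour mill) usually need before they carry weight in the analysis.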

4.2.1 Retrieving data and information


Gathering accurate, adequate and reliable data will generally require
access to a variety of stakeholders – representing both expert and lay
viewpoints. The approach taken to retrieve data and information from
stakeholders will vary according to the context. However, any one or a
combination of a variety of approaches may prove to be useful, such as:
• one-on-one structured interviews;
• focus group discussions;
• group discussions, brainstorming sessions and workshops;
• incident/issue debriefs; and
• questionnaires.

4.2.2 Potential sources of risk


The Risk Arena (Figure 4.3) provides a useful guide for considering
internal (inner circle) and external (outer circle) sources of risk (note that
any or all external sources of risk may have relationships or interactions
with any or all internal sources of risk). Examples of sources of risk within
the broad headings in Figure 4.3 include:
• Economic: market growth, economic cycle, shares and interest
rates, capital movement, regional stability;
• Political and regulatory: legislation, investment, standards and
protocols, acceptable practices, intellectual property;
• Supply: components, outsourcing, contractors, quality assurance,
logistics;
• Technology: hardware, software, security, user interface, 3rd party
infrastructure;
• Competition: resources, skills, access, space;
• Community: social structure, demographics, participation,
reputation, content, ethics, partnerships, practices;
• Physical: natural events, geography, geology, environment, climate,
emissions/pollutants, built environment;

• People: knowledge retention, skills, integrity, loyalty, industrial
relations, beliefs and values, health and well being, human error;
• Data/information: integrity, currency, relevance, access, storage,
adequacy, availability, accuracy;
• Strategy: robustness, flexibility, strategic fit, planning, capability,
implementation, realism, achievability;
• Stakeholder management: stakeholder needs, segmentation,
fulfilment, relationships, service proposition, customer focus;
• Leadership: vision, management capability, innovation, culture, trust,
ethics, governance;
• Process/product/services: robustness, capability, intellectual
property, life cycle, innovation, quality, timeliness, delivery, inventory,
capability, etc, including property and other infrastructure; and
• Business performance: business objectives, growth, sustainable
development, decision making processes, ability to implement,
monitoring.

[Figure 4.3 is a diagram of two concentric rings whose segments carry the
source-of-risk headings listed above: Political, Supply, Competition,
Physical, Community, Economic, Technology, Strategy, Leadership,
Stakeholder management, Business performance, Process/product/services,
People and Data/information.]

FIGURE 4.3 THE RISK ARENA: POTENTIAL SOURCES OF RISK

Gaining adequate data and information for risk identification may not just
be a simple exercise in data collection and collation. Some degree of
informed analysis will usually be required, in particular to determine
answers to the ‘who?’ ‘what?’ ‘why?’, ‘where?’, ‘when?’ and ‘how?’
questions. Three types of analysis, commonly conducted in security risk
assessments, can provide invaluable direction in this regard:
• The Criticality Assessment – ‘what’ and ‘where’ answers;
• The Threat Assessment – ‘who’, ‘why’ and ‘when’ answers; and
• The Vulnerability Assessment – ‘how’ answers.

4.3 Conducting the criticality assessment


The criticality assessment (in some methodologies known as the ‘asset
assessment’) involves the identification of the critical assets (people,
property, information and the processes that support them) that may be
exposed to, or harmed by, the threat.
The criticality assessment is a vital step in the identification of risk as it
provides the starting point for a consideration of the pertinent threats, and
the organisation’s, community’s or individual’s vulnerability to those
threats. In many circumstances it would be difficult and costly to conduct
a thorough risk assessment for all assets, locations and people. The
criticality assessment allows the analysis to focus on those assets that
are of most importance to the organisation, community or individual.
The choice of assets to be assessed will be guided to a large extent by
the context developed for the risk management activity.

To estimate the criticality of an asset, consider a range of factors:
• The impacts of any threat against the asset, should the threat be
successful;
• The personal, organisational or social value of the asset (this
includes both tangible and non tangible values such as brand, social
standing, social amenity);
• The degree of redundancy that exists within an organisation; such as
multiple assets or facilities, multiskilled workforce, alternate
workarounds. When considering community impact, the degree of
redundancy within an industry or sector could also be considered (for
example multiple public transport providers or modes, alternate
power generators and transmission providers, etc);
• The capability and time taken to resume acceptable service levels,
recover capability, or resume normal operations.
Criteria developed for measuring the overall consequence of a risk
(Table 5.1) can be readily applied to measuring the criticality of an asset
(determined as the consequence should functionality of the asset be
lost). There are synergies in using similar criteria for criticality and
consequence. At times there may be a requirement to use different
criteria for criticality and for consequence. For example, criticality of an
asset may need to be determined in the context of impact on a
community whilst the consequence of a security risk may need to be
determined in the context of an organisation’s wider risk environment.
However, in most circumstances the criticality assessment will inform the
identification of risk and its subsequent assessment.
An example of a simple alternate rating system for assessing the
criticality of assets is provided at Table 4.1.

Whilst any combination of individual, organisational, or community
criticality could be used, depending upon context, an assessment will
often comprise the total criticality of these three elements combined.
However, the level of criticality may be at such a high level for one of
these elements (e.g. for the community) that the level of the other two are
insignificant in comparison and would therefore add little additional weight
to the overall criticality rating.
To assist in estimating the impact of ‘loss of critical asset’ it may be useful
to consider a number of potential ‘most credible worst case scenarios’
that could befall the asset. An example worksheet for use in conducting
the criticality assessment is provided in Appendix F.

TIPS & TRAPS


In conducting the criticality assessment, consider a range of potential
‘most credible worst case scenarios’, for example:
People
Asset – company President: loss of availability, loss of investor
confidence, loss of staff morale due to kidnap and ransom.
Asset – client officer: loss of availability, loss of key client
knowledge and service, loss of staff morale and confidence following
injuries arising from an assault.
Information
Asset – internet server: loss of availability following a denial of
service attack.
Asset – product specifications: competitive disadvantage following
unauthorised access to proprietary information.
Property
Asset – shop front: loss of access due to fire damage.
Asset – gas pipeline: loss of availability due to intentional physical
damage.

Table 4.1
Example of a criticality rating scheme

Columns: impact on organisation; impact on groups (e.g. stakeholders/
community); impact on individuals (e.g. employees, guests, residents etc).

Extreme
  Impact on organisation – loss of asset results in:
  • complete cessation of all functions.
  • no short term recovery capability.
  • serious prolonged reputational loss (extending for many months).
  • financial loss >30% of NOPBT/EBITDA [8].
  Impact on groups – loss of asset results in:
  • severe prolonged loss of amenity (extending several months).
  • severe community outrage at loss of service.
  • extreme financial distress (e.g. loss of >30% revenue potential of
    businesses or local government).
  Impact on individuals – loss of asset results in:
  • catastrophic safety incidents (multiple serious casualties, fatalities).
  • long term major financial loss (e.g. loss of employment).

High
  Impact on organisation – loss of asset results in:
  • complete cessation of one or more key functions.
  • no short term recovery capability.
  • serious prolonged reputational loss (extending for weeks to months).
  • financial loss >10% of NOPBT/EBITDA.
  Impact on groups – loss of asset results in:
  • severe prolonged loss of amenity (extending weeks).
  • community outrage at loss of service.
  • >10% revenue potential of businesses or local government.
  Impact on individuals – loss of asset results in:
  • multiple serious safety incidents (several serious casualties, or a
    fatality).
  • mid to long term major financial loss (e.g. prolonged stand down of
    employment – over several months).

Significant
  Impact on organisation – loss of asset results in:
  • cessation of one or more key functions.
  • limited short term recovery capability.
  • reputational loss on specific operations of the organisation
    (extending for weeks to months).
  • financial loss >5% of NOPBT/EBITDA.
  Impact on groups – loss of asset results in:
  • loss of amenity (extending days to weeks).
  • community upset at loss of service.
  • >5% revenue potential of businesses or local government.
  Impact on individuals – loss of asset results in:
  • major safety incidents (multiple injuries requiring medical attention).
  • financial losses extending over several weeks (e.g. contracts put on
    hold).

Moderate
  Impact on organisation – loss of asset results in:
  • reduced effectiveness of one or more key functions.
  • short term recovery capability is possible.
  • reputation loss (extending for days to weeks).
  • financial loss >2% of NOPBT/EBITDA.
  Impact on groups – loss of asset results in:
  • partial or temporary loss of amenity (days).
  • community disquiet at loss of service.
  • >2% revenue potential of businesses or local government.
  Impact on individuals – loss of asset results in:
  • safety incidents requiring first aid treatment.
  • long term major financial loss (e.g. loss of employment).

Low
  Impact on organisation – loss of asset results in:
  • little impact on functions.
  • recovery is possible immediately.
  • little measurable reputational loss.
  • financial loss <2% of NOPBT/EBITDA.
  Impact on groups – loss of asset results in:
  • little loss of amenity.
  • little negative reaction arising from loss of service.
  • <2% revenue potential of businesses or local government.
  Impact on individuals – loss of asset results in:
  • insignificant safety implications.
  • no appreciable financial loss.

[8] NOPBT – net operating profit before taxes; EBITDA – earnings before interest,
taxes, depreciation & amortisation.

4.4 Threat assessment


The aim of the threat assessment is to clearly identify the range of
potential threats arising from the external and internal security
environments, and their relevance to the organisation. The threat
assessment is concerned with identifying those events, aggressors,
attackers or adversaries that can cause losses to organisational,
community or individual assets (as identified in the criticality assessment
above).
Traditionally, the security risk assessment has based its concept of threat
on the notion of an attacker or adversary. The level of threat is
traditionally thought of as along the lines of:
‘The intent and capability of an individual or group to undertake actions
that will result in harm or the expectation of harm to another individual,
group, organisation or community’.
Under this definition ‘threat’ arises from within the parameters of the
adversary or attacker only, although the threat can be influenced by
perceived target vulnerabilities and criticality. However, from a more
holistic perspective a threat is:
anything that has the potential to prevent or hinder the achievement
of objectives or disrupt the processes that support them.
A threat assessment involves consolidation of data and information
obtained during establishment of the context with a more detailed
examination focusing on areas of concern. This includes:
• identifying the range of potential threats to an individual, organisation
or community;
• examining the possible ways in which these threats may interact with
the critical asset, either directly or indirectly, and understanding the
specific impacts that could arise; and
• determining how likely these threats are to occur within a defined
time frame or locality.
Initially it is necessary to maintain a high level or strategic overview to
ensure that an expansive range of potential threat sources is canvassed
and that the potential interactions of threat sources with the organisation
are considered.


There are two conflicting issues that need to be resolved:
• The need to think creatively about threat and not be bound by the
restrictions of individual experiences: to ‘think outside of the box’; and
• The realities of time and resource availability that will restrict the
extent of canvassing, combined with the need to identify the plausible
scenarios as a priority.

TIPS & TRAPS


Striking the right balance between ‘plausible’ threat scenarios and
‘absurd fantasy’ is not easy when you start out doing threat
assessments.
A consistent comment given by management during threat
assessments is ‘no one would have thought that an airliner could be
used as a weapon before 9/11’. However, this is not quite true. There
was sufficient evidence to suggest that this was a plausible scenario.
Suicide flights were used to great effect by Kamikaze pilots in WWII.
There have been numerous ‘accidental’ CFITs (controlled flights into
terrain) where buildings have been impacted with significant loss of life
and damage.
The specific use of commercial aircraft in an attack on New York and
Washington landmarks had been postulated in a report to the US
Congress in 1999, had featured in terrorist plans to attack the Eiffel
Tower in Paris, and had been speculated on by FBI agents prior to
9/11.
In the Columbine school massacre in 1999, analysis of journals and
videos left behind by Harris and Klebold revealed that the pair had
developed an elaborate plan for not only the school shooting, but also a
massacre in the neighbourhood and, if they were unable to escape from
the United States, a planned hijacking of an airplane which they would
then crash into New York City.
The take home message is that our preconceptions may be that
something is beyond the realms of consideration in a threat
assessment, but a little bit of research may provide some substantial
analysis to convince us otherwise.

4.4.1 Identifying the threat


Conducting a threat assessment involves firstly identifying possible types
and sources of threat that could affect the individual, organisation or
community. There are a variety of ways of classifying threats into
workable groupings to assist in identification and subsequent
assessment. Approaches could be based upon:
• Geographical influence;
• Threat source;
• Threat targeting; and
• Threat type.
(a) Geographical influence
Threats have often been classified according to their geographic
influence as:
• Global: for example, arising from the world-wide activities of
terrorist organisations like al-Qaeda, or international narcotics
networks.
• Regional: for example, arising from the activities of terrorist
organisations such as Jemaah Islamiyah, or through illegal people
smuggling.
• Domestic and local: such as the activities of right wing radical
militias (e.g. in the US), criminals, or anti-social elements existing or
active in close geographical proximity to the organisation’s
operations.
However, in recent years these distinctions have become increasingly
blurred, for example by the merging of activities of terrorists and drug
cartels, people smuggling and organised crime gangs. It can be more
useful to consider the source or targeting of the threat.
(b) Threat source
Much of the focus of threat assessments conducted in recent years has
been on threats external to the organisation, such as terrorists,
fraudsters, vandals, etc. However, the threat sources with the knowledge
of critical elements of the organisation, the skills to perpetrate an ‘attack’,
and the opportunity to do so are always present internally within the
organisation. Internal threat sources that should be considered include
not just employees, but also contractors and consultants. This could also
be further extended to encompass any ‘trusted individuals’ who are
provided with access, such as: visitors, staff family members, certain
customers and suppliers. These internal sources of threat will often
consistently have capability and opportunity. Commonly, therefore, it is
changes in their intent that increase or decrease the threat.

TIPS & TRAPS


The weakest link is often overlooked. There are a significant number of
organisations that invest heavily in security to manage external threats
(IT security systems, physical barriers, CCTV, patrols, etc) and internal
threats (internal card access systems, pre-employment checks,
behavioural monitoring, drug testing, accounting and audit reviews).
However, many of these same organisations outsource non-core
operations (cleaning, maintenance, etc) and provide the contractors’
staff with unfettered out-of-hours access, often without requiring any
form of security assurance regarding these individuals.
We show such incredible trust in individuals of whom we so often have little
or no knowledge!

(c) Threat targeting

It is important to consider those threats that may be targeted directly
[9] against the subject of the assessment (specific or direct threats, such as
a burglary), as well as those that are not but may have collateral impacts
(general or indirect threats, e.g. a violent dispute involving an
organisation in an adjacent tenancy). Both specific and general threats
may have sources that are either internal (e.g. a disgruntled staff
member) or external to the organisation or community concerned
(e.g. political activists).

[9] Specific threats, for example, may also be targeted against specific
geographical locations (e.g. city CBD), industries (e.g. gas supply), or definable
ethnic, religious or occupational groups (e.g. Sephardic Jews, paramedics) etc.

It should also be borne in mind that in practical terms the definition of a
threat as ‘general’ or ‘specific’ may not be absolute and will often change
as the context changes. For example the nature of a threat can become
gradually more specific or general as more information becomes
available or our understanding of that information matures (see
Figure 4.4).

[Figure 4.4 shows a gradient from specific to general threat targeting:
Brooklyn bridge – Transport network – New York – Critical infrastructure –
US mainland – Americans – Westerners.]

FIGURE 4.4 EXAMPLE THREAT TARGETING GRADIENT [10]

Similarly, the targeting of a threat may vary depending on the
understanding of the time frame involved, e.g. 'over the next few months',
'in the lead up to Christmas', ‘over the public holiday period’, 'next
Thursday', 'during rush hour'.

The Targeting-Source Matrix (Table 4.2) considers the combination of
threat targeting and threat source criteria to produce a simple tool for
identifying potential threats. Threats may therefore cause harm that is
targeted directly against specific assets, as a result of collateral damage
arising from attacks on other third parties, or as a result of negligence or
unintended consequences from both internal and external sources.

Table 4.2
Targeting-Source Matrix [11]

Direct – External:
• Theft, fraud
• Sabotage, vandalism
• Harassment/assault (e.g. from client)
• Coercion
• Terrorism
• DOS/hacking attack
• Virus attack

Direct – Internal:
• Theft, fraud
• Sabotage, vandalism
• Harassment/assault (from staff/supervisor)
• Coercion
• Information leak/misuse
• Data integrity
• Negligence

Indirect – External:
• Infrastructure vandalism
• Random attack from deranged person
• Terrorism

Indirect – Internal:
• Pranks
• Accidental unauthorised information disclosure
• Unauthorised asset use

[10] Threats based on New York Times reports over the 2001–2003 period.
[11] The Threat-type Matrix is an example only. Specific matrices will need to be
constructed depending upon the characteristics of the individual, organisation,
or community and the environment within which they operate.

(d) Threat type

Threat type is influenced by the intent, the type of actions likely to be
undertaken and the nature of the potential impact that may arise. Some
threats may be considered as belonging uniquely to one threat type,
whilst other threats could be placed into multiple threat types. Four threat
types [12] that are commonly considered are:
• Malicious threat: includes activities such as vandalism, sabotage,
unauthorised information disclosure, IT attacks, harassment, assault,
etc. A malicious act is usually a specific direct attack on the targeted
organisation and is often motivated by revenge, fame, association or
challenge. Sources include disgruntled or disturbed current or former
employees, contractors, customers, or community protestors. More
general threats such as circulating cyberparasites (viruses, Trojans,
worms, etc) are equally valid considerations.
• Opportunity/greed: is usually driven by personal gain and is
targeted at gaining control of attractive assets. This could include
fraud, theft, sabotage, extortion, kidnap and ransom.
• Terrorism threats: There is no internationally accepted definition of
terrorism. One comprehensive definition describes terrorism as: 'act
of terrorism means an act, including but not limited to the use of force
or violence on, or the threat thereof, of any person or group(s) of
persons, whether acting alone, or on behalf of or in connection with
the organisation(s) or government(s), which from its nature or context
is done for, or in connection with, political, religious, ideological,
ethnic or similar purposes or reasons, including the intention to
influence any government and/or to put the public, or any section of
the public, in fear'. (A more detailed examination of terrorism
definitions is provided in Appendix H.)
• Incidental threats are threats that result from potential actions or
events that are not intended to cause harm, but nevertheless present
a security threat. This could include threats arising from: natural
events (e.g. storm damage resulting in loss of power to barrier
protection systems), acts of negligence (inadvertently posting
sensitive information to an internet newsgroup) or pranks and
practical jokes that result in destruction of assets, injury to people, or
loss of physical or virtual integrity.
A useful tool to assist in identifying threats is the Threat Tree (Figure 4.5),
which allows a series of credible threats and consequences to be
developed which can then be expanded upon to provide more detailed
threat scenario statements if required. The threat tree is developed by
creating a relationship map of potential activities and outcomes that could
arise against critical elements of the organisation, community or
individual. The threat-tree is based upon identifying:
• Type: using one or more of the four threat types described above
(although any other suitable categorisation of threat can be
substituted).

[12] Note that technically all terrorist acts and many malicious acts will at law
constitute criminal acts. In certain circumstances incidental actions could also
be regarded as criminal acts (e.g. wilful negligence).

• Act: acts, actions or activities that could occur within each category
of threat.
• Event: the nature of the interaction between the act and the
organisation, community or individual.
• Impact: the effect of the event upon the organisation, community or
individual.
In identifying potential threats, the assessment needs to consider
reviewing:
• Past occurrences of threats and incidents;
• What is known to be happening currently; and
• What could plausibly happen into the future.
Consideration should also be given not only to those incidents that the
specific individual, organisation or community has experience with, but
also to experiences of other similar entities operating in similar
environments. There may also be some advantage in considering trends
emerging in other unrelated areas where this may indicate future
changes in more relevant security environments (increasing lunchtime
thefts of laptops in one city’s CBD office blocks, may forewarn of future
trends in a different city).

Type / Act / Event / Impact:

Malicious threat
  Arson – Bushfire: contamination of raw materials; infrastructure damage.
  Vandalism – Equipment damage; Contamination: loss of production, quality etc.
  Vandalism – Spray painting: loss of aesthetics; degraded public image.
  Harassment – Staff intimidation: staff safety, morale and efficiency.
Criminal threat
  Theft – Laptop: financial loss; compromised confidentiality.
  Fraud – False invoicing: financial loss; reputation loss.
Terrorism threat
  Bombing – Facility damage (specific attack): loss of life; loss of
  capability / production.
  Bombing – Interdependency disruption (collateral): deterioration of logistic
  chain; loss of capability / production.
Incidental threat
  Negligence – Identity checks not conducted: unauthorised entry of media
  into sensitive area.

FIGURE 4.5 MATERIALS PROCESSING PLANT—THREAT TREE MATRIX


4.4.2 Understanding the threat


A long accepted security definition for threat is:
Threat = Intent X Capability [13]
Where intent and capability refer to characteristics of individuals or
groups that have the potential to do harm to another individual,
organisation or community.
Intent:
Intent is represented by the covert, implicit or expressed aims, goals,
objectives, desires, or directions of the threat. Major components of intent
comprise the motivational factors for such individuals or groups.
Traditional approaches to identifying motivational intent have focused
upon an analysis of issues such as political, social issue-oriented,
religious, ideological, economic, and revenge/retribution [14]. Whilst
traditionally these motivations have been regarded as discrete issues,
recent international events (e.g. activities of al-Qaeda, role of
international criminal and terrorist groups in money laundering and
people smuggling) have demonstrated significant overlap and blurring
amongst many of these motivating factors.

The psychology of motivation is complex and outside of the scope of this
Handbook. However, some common forms of motivation derive from
either a need for some form of self advantage (personal benefit), or the
desire to create change or gain benefit for a group, community or society
at large (‘altruistic’ benefit). Some examples of commonly seen
motivating factors are summarised in Table 4.3.
Table 4.3
Common examples of threat motivation

Personal benefit:
• Pecuniary advantage (self and close associates)
• Prevent harm or loss (self and close associates)
• Gain attention (self interest/ peer approval)
• Influence 3rd party decisions
• Seek vengeance
• Seek self justification
• Pathological disorders

Altruistic benefit:
• Achieve group/ community agenda
• Gain attention on group messages
• Influence 3rd party decisions
• Vengeance
• Punishment for perceived societal wrongs [15]
• Proxy atonement [16]
• Influence change
• Prevent harm to a ‘weaker’ 3rd party

[13] Some government agencies define threat as a combination of motivation (which
in many circumstances is synonymous with intent), capability and may also
include opportunity. Since the majority of ‘opportunity’ issues are under the
control of the target, this Handbook considers opportunity as an aspect of
vulnerability.
[14] A summary of motivation, goal and targets can be found in Assessing Risks
from Threats to Process Plants: Threat and Vulnerability Analysis. P. Baybutt,
Process Safety Progress 21 (4), 269-275 December 2002.
[15] Punish perceived societal wrongs, e.g. specific targeting of fur retailers by
animal rights organisations.
[16] Proxy atonement, e.g. kidnapping and murder of bankers and industrialists by
Baader-Meinhof (a German left wing insurgent organisation, 1970–1998) to atone
for the apparent ills of capitalist society.

Capability:
Capability considers the following attributes of the ‘aggressor’:
• Skills;
• Knowledge;
• Access to equipment (e.g. weapons, specialist equipment), finances
and other resources;
• Numbers of attackers/adversaries;
• Access to support networks, time; and
• Access or opportunity that would allow the threat source (individual or
group) to perpetrate an ‘attack’ against the target if they had the
intent to do so (provision of this opportunity will also be significantly
influenced by the vulnerability of the target).
By considering the types of threat and motivation, a range of credible
threat scenarios can be created, and by additionally examining the threat
sources’ capability an initial estimate of the likelihood of the threat can be
made. Historical trend data, previous incidents, intelligence (from local
police crime advice/intelligence) can be used to inform the development
of these scenarios.

TIPS & TRAPS


Using the following scenario for a simple threat assessment:
A radical community action group, opposed to further industrial
development in the area, announce that they will sabotage critical plant
components if your organisation continues with its expansion plans.
and analysing the two primary components of threat:
Intent: Consider what their motivation for the action may be: Stop the
immediate development works? Force your organisation to stop any
further expansion? Gain publicity to influence local opinion and create
community outrage against your organisation? Gain access to
organisational decision makers to attempt a dialogue? Create sufficient
disruption that simple economics mean the project will be untenable?
Do their actions so far indicate that they are escalating beyond rhetoric
to direct action?
Therefore, is their intent to sabotage or is it some other objective?
Capability: If their intent is to sabotage; do they have the capability or
means to carry out the action? Have they sufficient knowledge of the
facility or equipment to understand where critical components are
located? Do they have sufficient skills and available equipment or other
resources to carry out an act of sabotage? Will they have the
opportunity to gain access?
The community action group may be so angered or frustrated that they
have a clear and real intent, but without the means of carrying out the
attack (lack of capability) there would be an appreciably lessened
threat.

4.4.3 Measuring the threat


Threat can be measured qualitatively or quantitatively based on an
understanding of the aggressors’ intent and capability (Table 4.4).

Table 4.4
Example of a qualitative threat rating matrix

                         Intent
Capability     Little      Expressed     Determined
Extensive      Medium      High          Extreme
Moderate       Low         Significant   High
Low            Low         Medium        Significant

4.4.4 Likelihood of a security threat


Estimating the likelihood of a security threat occurring carries with it a
large degree of uncertainty. The estimation can be guided by trend and
incident information from sources such as police reports, national
intelligence reports, internal incident reports, audit analysis, and through
benchmarking with other organisations. A commonly accepted approach
for measuring of the likelihood of the threat (LT) involves the
consideration of two factors:
• The likelihood of a threat occurring (LO).
• The likelihood that the threat (once it manifests) is successful in its
aims or causes the predicted degree of harm (LS).
Where LT = LO X LS
Depending upon the way in which likelihood is measured, it may be
appropriate to use either qualitative or quantitative analysis. The use of
‘X’ in the formula does not necessarily imply that a mathematical or
multiplicative analysis is always appropriate, but rather that it represents
a combination of the two factors. See Section 5 for a more detailed
discussion on the use of rating scales in analysing risk.
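The following is an added worked example (not code from the Handbook or from Standards Australia) showing how the Table 4.4 rating and the LT = LO × LS combination above can be applied. The intent/capability ratings reproduce Table 4.4 as printed; the five-step ordinal likelihood scale, the rule for combining two ordinal ratings, and the function names are assumptions made for this example.

```python
"""Threat rating (Table 4.4) and threat likelihood (LT = LO x LS).

Added example, not part of HB 167:2006.  The intent/capability ratings
reproduce Table 4.4 as printed; the five-step ordinal likelihood scale and
the rule used to combine two ordinal ratings are assumptions made here.
"""

# Table 4.4: rows = capability, columns = intent (values as printed).
THREAT_RATING = {
    "Extensive": {"Little": "Medium", "Expressed": "High",        "Determined": "Extreme"},
    "Moderate":  {"Little": "Low",    "Expressed": "Significant", "Determined": "High"},
    "Low":       {"Little": "Low",    "Expressed": "Medium",      "Determined": "Significant"},
}

# Assumed ordinal scale for LO and LS when likelihood is rated qualitatively.
LIKELIHOOD_SCALE = ["Rare", "Unlikely", "Possible", "Likely", "Almost certain"]


def threat_level(capability: str, intent: str) -> str:
    """Look up the qualitative threat rating.  Unknown labels are rejected
    rather than silently falling back to a low rating."""
    if capability not in THREAT_RATING:
        raise ValueError(f"capability must be one of {list(THREAT_RATING)}, got {capability!r}")
    row = THREAT_RATING[capability]
    if intent not in row:
        raise ValueError(f"intent must be one of {list(row)}, got {intent!r}")
    return row[intent]


def threat_likelihood_quantitative(l_occur: float, l_success: float) -> float:
    """LT = LO x LS when both factors are genuine probabilities in [0, 1]."""
    for name, p in (("LO", l_occur), ("LS", l_success)):
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"{name} must be a probability in [0, 1], got {p}")
    return l_occur * l_success


def threat_likelihood_qualitative(l_occur: str, l_success: str) -> str:
    """Combine two ordinal ratings without multiplying them.

    Assumed rule: the combined rating is the lower of the two.  This mirrors
    the quantitative case, where LO x LS can never exceed min(LO, LS): a
    threat that manifests often but rarely succeeds still gives a low
    likelihood of harm.
    """
    ranks = []
    for name, label in (("LO", l_occur), ("LS", l_success)):
        if label not in LIKELIHOOD_SCALE:
            raise ValueError(f"{name} must be one of {LIKELIHOOD_SCALE}, got {label!r}")
        ranks.append(LIKELIHOOD_SCALE.index(label))
    return LIKELIHOOD_SCALE[min(ranks)]


def threat_profile(capability: str, intent: str, l_occur: str, l_success: str) -> dict:
    """Bundle the threat rating and the qualitative threat likelihood for one
    threat source into a single record for the threat assessment worksheet."""
    return {
        "threat_level": threat_level(capability, intent),
        "threat_likelihood": threat_likelihood_qualitative(l_occur, l_success),
    }


if __name__ == "__main__":
    # The Handbook's community action group: clear intent, little capability.
    print(threat_profile("Low", "Determined", "Likely", "Unlikely"))
    # A capable and determined aggressor, for comparison.
    print(threat_profile("Extensive", "Determined", "Likely", "Likely"))
```

The qualitative combination deliberately avoids arithmetic on the scale positions; it applies a stated rule (the lower of the two ratings) that can be defended in the same way the probability product can, which is the point the Handbook makes about ‘×’ representing a combination rather than a multiplication.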

[Figure 4.6 (diagram): elements shown are Intent and Capability (the
threat); Visibility, Image and Other control vulnerabilities; Environment,
Attractiveness and Opportunities; and, in sequence, Threat, Threat
likelihood, Successful threat likelihood and Threat level.]

FIGURE 4.6 DEVELOPMENT OF THREAT LIKELIHOOD


Issues to consider in estimating the likelihood of a threat (Figure 4.6)
should be based upon:
• Evidence of the existence, capability[17], and intent of the individuals or
groups presenting the threat. For example, based upon their history
of previous successful attacks or penetration of security counter
measures, this could include an examination of the modus operandi
or tactics used in previous attacks (e.g. force majeure, covert or
stealth, deception, etc);
• The manner in which the organisation interrelates with the threat will
also be a major determinant of likelihood. For example, high profile
organisations are more likely to become specific targets than are
those with low profiles. Organisational considerations that could
influence the likelihood of the threat include the:
− profile or public image of the organisation and the level of
support or disregard for it in the local community,
− organisation’s visible associations with other third parties that
may themselves have high level specific threat exposures,
− organisation’s relationships (both positive and negative) with
the media and the extent and tone of any recent media
coverage,
− organisation’s industrial relations history and its existing
relationships with its workforce,
− attractiveness of the organisation, community, individual, or
the assets that they control. Attractiveness refers to the extent
that an ‘attack’ on the target will achieve the threat source’s
aims. For example, to a skilled burglar a high class jeweller may
be more ‘attractive’ than an impoverished pawn shop. However,
depending upon context, a small back street jeweller may be
more attractive to a drug abuser hoping to make some quick
cash and a quick getaway. Similarly, an elite shopping mall may
provide an opportunity to cause mass casualties, generate
widespread fear and greater international publicity for a terrorist
group, than would a small street of shops in a regional town.
This also includes the concept of the imagery effect, for
example a terrorist attack on a major international sporting
event. The target itself (the sports ground, teams or fans) has
little direct relevance to the terrorists per se. The imagery itself
(instant media coverage, broadcast world-wide) is the
attraction to the terrorists; and
• The environment within which the organisation is operating. Issues
that should be considered include:
− the frequency of other security incidents in the general area of
the site (for example, facilities located in geographic areas with
high levels of illegal drug use could reasonably expect a higher
threat of opportunistic burglaries),

[17] Where capability is known or can be estimated.


− the proximity of the organisation to other high risk entities, thus
increasing the likelihood of opportunistic exposure or of
collateral damage,
− the presence of known antisocial elements in areas where the
organisation operates (for example ‘tagging gangs’ committing
vandalism, or the presence of known sympathisers of political
extremists).
An example worksheet for conducting a threat assessment is included in
Appendix F.

4.5 Conducting the vulnerability analysis

4.5.1 Introduction
The first step in the vulnerability analysis considers how each of the
credible threats (from the threat assessment, Section 4.4) can be realised
against each of the critical assets (from the criticality assessment,
Section 4.3). This involves determining:
• Potential means by which a successful ‘attack’ against the asset
could be carried out (e.g. how could a thief gain access to petty cash
during a lunchtime?); and
• The effectiveness of each of the layers of security (summarised in
Figure 4.7) in managing this ‘attack’ against the asset: people,
information or infrastructure. A security checklist can assist in this
process (an example physical security checklist is provided in
Appendix F).
Many security controls will exist in a ‘layered’ or ‘defence in depth’
structure. No matter how many layers are in place or how well
constructed they are, they cannot be one hundred percent effective for
one hundred percent of the time. Borrowing a safety model developed by
James Reason[18], each of the layers of security controls (or
countermeasures) will resemble a slice of Swiss cheese, with holes of
varying number and size through it. Under normal circumstances the
holes are covered by subsequent layers of controls. However, under
certain circumstances the holes in all layers will line up and all defences
can be penetrated. The aim of the vulnerability analysis must not only be
to identify and characterise holes in each of the layers. It must also
consider the potential for these holes to align.

[18] Based on safety concepts discussed in Reason, J. Human error. Cambridge:
CUP, 1990.


[Figure 4.7 (diagram): five successive layers. Deter the ‘Attack’ |
Detect the ‘Attack’ | Delay the ‘Attack’ | Respond to the ‘Attack’ |
Recover from the ‘Attack’.]

FIGURE 4.7 DETERMINING VULNERABILITY

There are a number of factors that will influence the vulnerability of an
individual, organisation, or community, which ultimately form a holistic
risk control ‘environment’[19] for the entity (see Figure 4.8), including:
• Effectiveness of the physical, electronic/logical, process and people
security controls, that act as countermeasures directly with any
perceived threats;
• The degree of visibility: this includes issues such as public profile,
media coverage, public access to ‘insightful’ information (e.g. facility
plans, personal information, work patterns, daily routines, etc). The
entity will have in place a range of controls that will determine the
extent to which the organisation is visible; some controls will serve to
limit visibility, whilst other controls may actively promote some
aspects of visibility. An example is the potential conflict between
maintaining the CEO’s confidentiality and privacy versus the activities
of the PR department in promoting the ‘brand’ of the CEO;
• Iconic status: the level to which the public (and the threat source)
view an individual, organisation or community as representing
particular social, political, religious, sovereign or ethnic views, ideals,
operations or presence (for example London’s Metropolitan Police
HQ at New Scotland Yard has an international iconic status as a
symbol of the traditional principles of law and order). To some extent
the organisation will have some control (at least in part) of the
development of its iconic status. It should at least have an awareness
of how its iconic status may promote certain types of security risk;
• The degree of threat access: this is really a special subset of the
controls in that it consists of both real and perceived controls, which
reflect the degree of access (both real and perceived) of the threat to
a critical asset. In practice this may involve controls influencing
factors such as: open public access vs. secured private property;
remote geographical locations vs. CBD locations; etc;

[19] ‘Control environment’ is used to describe all mechanisms by which the security
risk might be managed, including policies, processes, behavioural, physical,
logical, electronic, and so on.


• Collateral exposures: the presence of other third party high
vulnerability entities or ‘high threat targets’. This could include the
organisation being in close proximity to ‘attractive targets’ such as
embassies, churches, mosques, synagogues, military installations,
utility plants, transport hubs, (depending upon the nature of the
threat); or to other hazards (subject to malicious or incidental threats)
such as chemical storage facilities (accidental spill, explosion
threats), commercial, industrial or globalisation icons (e.g.
international food chain, mining conglomerates, companies
associated with third world child labour, etc). This may include
consideration of controls that determine the nature of the relationship
between the entity and the third party, and the controls developed by
the third party itself;
• Interdependency demand: the degree to which the individual,
organisation or community is dependent upon other entities for its:
− continued operations,
− security,
− safety,
− sustainability,
− survival,
− incident response capability,
− incident recovery capability; and
• Incident management capability: this includes consideration of
controls such as:
− emergency planning and response capability,
− security planning and response capability,
− business continuity planning and response capability,
− disaster recovery planning and response capability,
− business recovery and resumption planning and capability,
− critical incident management capability.


[Figure 4.8 (diagram): the community, organisation or individual sits at
the centre, surrounded by its critical elements and response. Around it
lie the control environment, attractiveness, visibility / iconic status,
threat access, the threat itself, interdependencies, third parties and
collateral exposures.]

FIGURE 4.8 THE INTERACTION OF VULNERABILITY ELEMENTS

The fundamental output of the vulnerability analysis is a better
understanding of the potential interaction of the threat with the critical
assets of the organisation, community, or individual. Such information will
inform both the subsequent identification and assessment of security risk.
At times some measurement of vulnerability may be required. A simple
approach for examining vulnerability can be based upon an assessment
of the effectiveness of the controls in managing the threat’s interaction
with the critical asset. It is important to remember that the concept of
vulnerability can extend well beyond the physical controls usually
considered in security. In this respect vulnerability needs to consider
controls in their widest definition, including issues such as access to
information, behaviour, perception, public profile, processes, procedures,
policies, and so on. It is also important to consider that a small change in
control effectiveness may have a substantially magnified effect on
vulnerability.
Example rating matrices for a number of these vulnerability issues are
included in Appendix I. An example of a simple generic vulnerability
rating matrix, based on the effectiveness of the security control
environment is provided at Table 4.5.


Table 4.5
A generic vulnerability matrix[20]

Vulnerability level and assessment criteria:

Very high/extreme
• Controls are non-existent, critical and urgent improvements have been
identified.
• It is almost certain that controls will be breached or fail.
• There is recent evidence of widespread control failures.
• There are no contingencies in place, severe disruptions to the business
are likely.

High
• Controls are largely ineffective, significant areas for improvement are
identified.
• There is an increasingly likely probability of the controls being breached.
• There is recent evidence of significant numbers of controls being
breached.
• Few contingencies are in place and significant disruptions to the business
are expected.

Moderate
• The majority of controls are functioning, but a number of areas for
improvements are identified.
• There is a moderate probability of the controls being breached.
• There is recent evidence of a small number of controls being breached.
• Contingencies are in place for only a few key areas of the business to
manage potential disruptions.

Low
• Controls are effective, but small improvements could be made.
• There is a low probability of the controls being breached in the future.
• There are no recent examples of controls being breached.
• Adequacy of the controls is assessed on a regular (minimum annual)
basis.
• Contingencies are in place for key areas of the business to manage
potential disruptions to the business.

Very low
• Controls are optimum and are sustainable.
• There is an extremely low probability of the controls being breached in the
future.
• There are no previous incidents of the controls being breached.
• Adequacy of the controls is assessed on a regular and frequent basis.
• Comprehensive contingencies are in place to manage most potential
disruptions to the business.

4.5.2 Assessing the effectiveness of the controls

The key elements of security controls for an organisation, community or
individual are those components (Table 4.6) that contribute to the
management of the risk through their ability to:
• Deter an attack[21];
• Delay an attack, or the build-up of its immediate effects;
• Detect an attack;
• Respond to the attack and its effects; and
• Recover from the attack and its effects.
We have termed this particular approach the R2D3 model[22]. The ‘Deter’
elements will be visible preventative elements of security controls, or will
be suspected to exist by would-be adversaries. This visibility may extend
into components of each of the other types of controls to provide further
overt deterrence. However, to remain effective, key elements of the
security control environment must always be maintained covertly from
would-be aggressors (Figure 4.9). Elements of the R2D3 model that are
planned for or implemented prior to any event form the preventative
controls for the organisation, community, or individual.
An example of its use in an assessment framework is provided in
Appendix J.

[20] Source: Trident 2002; assignment to specific rating levels is based upon the
best fit of one or more of the assessment criteria.
[21] ‘Deter’ and ‘Delay’ encompass the concepts of ‘prevention’.

[Figure 4.9 (diagram): the five R2D3 elements, Deter | Delay | Detect |
Respond | Recover, shown with their visible and hidden components.]

FIGURE 4.9 THE VISIBLE AND HIDDEN ELEMENTS OF R2D3

Table 4.6
Example security control elements[23]

               Deter            Delay         Detect       Respond          Recover
Organisation   Visible security Barrier       CCTV         Security breach  Repair and
               patrols          fences                     response         DRP
Individual     Physical         Personal      Behaviour    Fight or flight  Counselling
               appearance       awareness
Community      Neighbourhood    Built         Community    Intervention and Improved
               watch schemes    environment   vigilance    police response  street lighting

Controls within each of the elements of the R2D3 model can include:
• Physical: barriers, checkpoints, signage, etc;
• People: behaviour, beliefs, capabilities, employment screening,
codes of conduct, training, experience, etc;
• Cultural: ethics, community standards, values, etc;
• Technological: firewalls, access control systems, CCTV, biometrics,
database mining; and
• Administrative, including:
− procedural: for example: pre-employment screening, financial
reconciliation, intelligence assessments, risk assessments,
business continuity planning, internal audit, penetration tests,
identity verification,
− policy: regulations, codes of conduct, standards, organisational
policies.

[22] Gibson & Love 2007: Changing paradigms in security risk management
(manuscript in preparation).
[23] Controls relevant to an identified threat, such as antisocial behaviour (e.g.
vandalism, common assault etc).

TIPS & TRAPS

Before conducting the vulnerability assessment you need to understand
the threats against which the vulnerability of your property, people or
information is going to be assessed. This again will require that you
understand the context within which you are conducting the security risk
management exercises.
Some approaches ask that you consider the ‘worst case scenario’.
Quite frankly the worst case scenario will almost always result in mass
death and destruction. Instead consider the concept of ‘most credible
worst case scenario’.
For example in a worst case scenario, a paper cut to the finger will
result in infection, delirium, driving whilst medically impaired, a serious
accident involving collision with a dangerous goods transporter, with
multiple deaths resulting from the subsequent accident and spill. The
most credible worst case would result in the paper cut victim suffering
septicaemia and being hospitalised. It is all an issue of the
reasonableness of the scenario being developed. Otherwise we will all
be running around developing mitigations for the inevitable devastating
asteroid collision with Earth.

4.5.3 Approaches to assessment

There are a number of approaches to assessing the vulnerability. These
include:
• Estimation of the scope, coverage, efficiency and effectiveness of the
broad range of security controls, and determination of control
weaknesses to specific and general threats;
• Development of detailed ‘red team’[24] scenarios, whereby the analysts
assume the ‘mantle’ of attackers trying to expose vulnerabilities in the
community or organisation security control capability. This is also
often referred to as a ‘target analysis’;
• The ‘community vulnerability analysis’ which considers issues
associated with critical infrastructure (see Table 4.7)[25];
• Target analysis which considers the target attractiveness and
countermeasures to specific threat sources; and
• US military ‘CARVER’ approach (‘Criticality’, ‘Accessibility’,
‘Recuperability’, ‘Vulnerability’, ‘Effect’, and ‘Recognisability’).

[24] Red team: adoption of the persona of a potential aggressor to provide scenario
based testing of the effectiveness of security controls and countermeasures.
[25] The Sandia Laboratories community vulnerability analysis considers issues
such as: communications, power & electric, gas & oil, industry, water, banking
& financial, education, government, transportation, emergency services,
recreational venues, foreign represented governments, and special
classifications (see Appendix K).


Table 4.7
Australian Government’s composition of critical infrastructure[26]

Energy                   Gas, fuel, electricity
Water                    Supply, and waste management
Transport                Air, road, sea, rail and inter-modal
Communications           Telecommunications, mass and postal
Health                   Hospitals, public health, R&D
Food                     Production, storage and distribution
Finance                  Banking, insurance and trading exchanges
Government services      Defence, intelligence, parliament, departments,
                         foreign missions, residences, emergency services
                         and nuclear facilities
National icons           Buildings, cultural, sport and tourism
Essential manufacturing  Defence industry, heavy industry and chemicals

A range of possible questions that can be asked during the vulnerability
assessment are summarised in Appendix L.

4.6 Mapping threat, vulnerability and criticality

In many cases there will be varying vulnerabilities to the same threat
across the range of different assets and a range of vulnerabilities to the
same assets arising from different threats.
Mapping of assessed vulnerabilities of each critical ‘asset’ against each
of the threats under consideration (see Figure 4.10) provides a useful
approach to summarising the outputs from the assessments by using a
prioritisation matrix. The prioritised threats and critical assets are listed on
the two axes of the matrix and the vulnerability of each asset to each
threat is listed within the body of the matrix.

[26] Source: National Security Australia website, www.nationalsecurity.gov.au;
Trusted Information Sharing Network website, www.tisn.gov.au


[Figure 4.10 (diagram): two inputs feed the matrix. The threat assessment
supplies the prioritised threats (Malicious threats: 1,2,..n; Criminal
threats: 1,2,..n; Terrorism threats: 1,2..n; Incidental threats: 1,2,..n).
The criticality assessment supplies the prioritised assets (People assets:
1,2…n; Property assets: 1,2..n; Information assets: 1,2..n). The body of
the matrix holds the vulnerability rating (H/M/L) of each asset to each
threat.]

Vulnerability rating    People   Property  Property  Property  Information
                        asset 1  asset 1   asset 2   asset 3   asset 1
Malicious threat 1      H        M         M         M         M
Malicious threat 2      M        H         H         H         L
Malicious threat 3      L        L         L         L         L
Criminal threat 1       H        M         L         H         L
Terrorism threat 1      M        M         L         L         L
Incidental threat 1     L        M         M         M         H

FIGURE 4.10 MAPPING THREAT AND VULNERABILITY TO CRITICAL ASSETS
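As an added example (not code from the Handbook or from Standards Australia), the prioritisation matrix of Section 4.6 can be held as a small data structure and queried, which is what an analyst does by eye on Figure 4.10. The H/M/L ratings and the row and column labels reproduce the figure as printed; the tie-breaking order (threat priority, then asset priority) and the function names are assumptions made here.

```python
"""Threat x asset vulnerability map (Figure 4.10) with prioritisation.

Added example, not part of HB 167:2006.  The ratings reproduce the matrix
printed in Figure 4.10; the tie-breaking order (threat priority, then
asset priority) is an assumption made here.
"""

RATING_RANK = {"H": 3, "M": 2, "L": 1}

# Column headings as printed in Figure 4.10, in criticality priority order.
ASSETS = ["People asset 1", "Property asset 1", "Property asset 2",
          "Property asset 3", "Information asset 1"]

# Rows as printed in Figure 4.10, in threat priority order.
FIGURE_4_10 = [
    ("Malicious threat 1",  "H M M M M"),
    ("Malicious threat 2",  "M H H H L"),
    ("Malicious threat 3",  "L L L L L"),
    ("Criminal threat 1",   "H M L H L"),
    ("Terrorism threat 1",  "M M L L L"),
    ("Incidental threat 1", "L M M M H"),
]


def parse_map(rows, assets):
    """Turn the row strings into {(threat, asset): rating}, rejecting rows
    that do not line up with the asset columns or that use unknown ratings."""
    cells = {}
    for threat, line in rows:
        ratings = line.split()
        if len(ratings) != len(assets):
            raise ValueError(f"{threat}: {len(ratings)} ratings for {len(assets)} assets")
        for asset, rating in zip(assets, ratings):
            if rating not in RATING_RANK:
                raise ValueError(f"{threat}/{asset}: unknown rating {rating!r}")
            cells[(threat, asset)] = rating
    return cells


def prioritise(cells, threats, assets):
    """Order threat/asset pairs by vulnerability (H first), then by the
    priority already assigned to the threat, then to the asset."""
    t_pos = {t: i for i, t in enumerate(threats)}
    a_pos = {a: i for i, a in enumerate(assets)}
    return sorted(
        ((t, a, r) for (t, a), r in cells.items()),
        key=lambda x: (-RATING_RANK[x[2]], t_pos[x[0]], a_pos[x[1]]),
    )


def rating_counts(cells):
    """How many cells carry each rating; a quick sanity check on the map."""
    counts = {r: 0 for r in RATING_RANK}
    for r in cells.values():
        counts[r] += 1
    return counts


def worst_threats_per_asset(cells):
    """For each asset, the threat(s) to which it is most vulnerable."""
    worst = {}
    for (threat, asset), rating in cells.items():
        level, names = worst.get(asset, (0, []))
        rank = RATING_RANK[rating]
        if rank > level:
            worst[asset] = (rank, [threat])
        elif rank == level:
            names.append(threat)
    return {a: names for a, (_, names) in worst.items()}


if __name__ == "__main__":
    threats = [t for t, _ in FIGURE_4_10]
    cells = parse_map(FIGURE_4_10, ASSETS)
    for threat, asset, rating in prioritise(cells, threats, ASSETS)[:7]:
        print(f"{rating}  {threat:20} -> {asset}")
    print(rating_counts(cells))
    print(worst_threats_per_asset(cells))
```

Run as a script it lists the seven ‘H’ cells of Figure 4.10 in priority order and, per asset, which threats drive its worst vulnerability; the same structure extends directly to the qualitative ratings of Table 4.5 by replacing RATING_RANK.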

In identifying risk, the following information should be developed for each
risk:
• What can happen?
• When or how frequently can it happen?
• Where can it happen?
• Who could be involved in creating the risk?
• Who could be impacted by the risk?
• How or why could the risk arise?
• What measures are in place to prevent or manage the risk?
• How reliable is the data/information? (refer to the Admiralty system,
Appendix G).


TIPS & TRAPS

In describing a risk, such that it will be understandable to others, ensure
that as much detail on the following elements is included in the
description:
Threat: who or what will potentially cause harm (informed by the threat
assessment);
Asset: what site, area, person, entity, process, or other assets will be
affected (informed by the criticality assessment);
Consequence: what will be the extent of harm resulting from the event;
Vulnerability: what security controls or other operational parameters
could be exploited (informed by the vulnerability assessment); and
Event: in what manner or circumstances will the harm be realised
(informed by considering threat, asset and vulnerability).
For example, the following description may be useful: ‘there is a risk
that local activists[1] injure[3] personnel[4] and disrupt[3] operations[4] at head
office[4] by a campaign[5] of targeted letter bombs[2] sent directly[5] to
managers[6] by courier[6]’.
Whereas: ‘there is a risk that head office could be bombed’ is of
significantly less use.
Key: [1] the threat source; [2] the threat; [3] the consequence; [4] the
assets; [5] the event; [6] vulnerability.


5 Analyse risk
5.1 Introduction
The aim of undertaking risk analysis is to:
• Determine the adequacy and appropriateness of existing controls to
manage identified priority risks;
• Prioritise risks for subsequent evaluation of tolerance or need for
further treatment (see Sections 6 and 7); and
• Provide an improved understanding of the vulnerability of critical
assets to identified risks.
The output of this analysis should, through the evaluation step, provide
decision makers with sufficient information to make an informed decision
on the need for increasing or decreasing the investment being made for
protection across the spectrum of assets under consideration.
The risk analysis involves the consideration of the risk description,
developed in the previous identification step, along with the combined
outputs of those analyses (threat, criticality, and vulnerability analyses)
that contributed to its formulation. The risk analysis should examine how
these factors interact to determine an overall level of risk (Figure 5.1)
through a consideration of the consequences of the event occurring
combined with the likelihood of the event with that consequence.


[Figure 5.1 (flow chart): Establish the context (external context, internal
context) → threat analysis, criticality analysis and vulnerability
analysis, which inform → Identify the risks → Analyse the risks, informed
by control effectiveness analysis, likelihood analysis and consequence
analysis → Evaluate the risks → Treat the risks.]

FIGURE 5.1 USING THREAT, CRITICALITY AND VULNERABILITY TO
INFORM THE RISK ANALYSIS

5.2 Measuring risk

There have been, and continue to be, numerous concepts about the
composition of security risk and numerous approaches to describing,
measuring and analysing it. There is no commonly accepted way of
undertaking a security risk analysis, although many involve some
consideration of the threat. Furthermore, no model in current use can be
regarded as absolutely correct; all models have implicit flaws within them
to a larger or lesser extent. However, this does not mean that these
models do not have their uses. Also, methodologies should not be
rejected out of hand because they appear to be overly simplistic. Some
highly sophisticated and complex mathematical models can, depending
upon the context, be of less utility than much simpler models.
Many approaches to measuring security risk fall into one or more
misconceptions, confusions or errors, such as:
• The misassumption that ‘threat’, ‘hazard’ and ‘risk’ are each synonyms
of the other. Often a threat is being measured, but is being called a
risk;
• The misassumption that there is a direct one-to-one relationship in
the following:
− ‘Likelihood’ is always entirely composed of ‘threat’,
− ‘Consequence’ is always entirely composed of ‘criticality’,
− ‘Vulnerability’ is always entirely composed of ‘control
effectiveness’;
• The misbelief:
− that risk can be identified and measured without reference to an
appropriate context;
− that ‘context’ can be developed without reference to
o the organisation, community; or
o the wider external environment;
− in the absolute certainty and accuracy of any measurements
that use numbers;
− that because ‘numerical scales’ are used they can be added,
multiplied or otherwise manipulated without reference to the
‘type of scale’ they are; and
− that because an approach is ‘quantitative’ it confers more
validity than more qualitative approaches.
The majority of analytical approaches will only give an approximation of
the consequence, likelihood and risk. The applicability of any one
approach will be largely dependent upon the context in which it is being
used. The use of increasingly complex and quantitative methodologies
will only yield more accurate analysis if the availability and quality of the
inputs are appropriate to that type of analysis.
In many instances, the use of complex quantitative or semi-quantitative
models will provide a false sense of confidence in their outputs. If there is
large uncertainty in the inputs, there will still usually be large uncertainty
in the outputs. In such circumstances simpler models may provide
acceptable approximations, given the quality of data available on threat,
vulnerability and/or criticality. A range of alternative approaches to
measuring security risk is summarised in Appendix M.
Risk assessment is undertaken with an appreciation of the effectiveness
of current security controls in place - preventing the event, changing the
consequences, or changing the likelihood of them occurring. The
following elements should be present in measuring risk:
• A potential event that can be described;
• Consequences that will arise should that event occur; and
• The likelihood of that event occurring with those defined
consequences.

TIPS AND TRAPS

There have been a wide range of different methodologies proposed
(and in use) for measuring the level of risk. Many of them attempt to
take some of the traditional security concepts and bend them into a
more recently held concept of risk. For many applications, these
approaches may in fact provide an approximation of risk. However, be
aware of their limitations, in particular if using definitions of risk
consistent with AS/NZS 4360. Concepts such as ‘threat’, ‘criticality’ and
‘vulnerability’ are useful parameters in their own right and are certainly
essential inputs into the analytical step. However, they will not equate to
‘risk’ in each and every circumstance.


5.2.1 Consequence
Any risk will demonstrate a range of potential consequences, each of
which will be associated with different likelihoods (consequence –
likelihood pairs). This distribution of different consequences (with their
likelihoods) may show different trends for different types of risk. Some
risks may demonstrate normal distributions, whilst others may
demonstrate widely differing skews (see Figure 5.2).

[Figure 5.2 (four panels): each panel plots likelihood (vertical axis)
against consequence (horizontal axis) and shows a differently shaped
distribution.]

FIGURE 5.2 EXAMPLES OF HYPOTHETICAL CONSEQUENCE;
LIKELIHOOD DISTRIBUTIONS
One common approach is to select the most likely consequence (the
peak of the distribution), whilst another often seen approach is to take the
upper and lower bound consequences (with their likelihoods) to provide a
range of possible risk outcomes. In security risk assessment (particularly
when focused on national security issues) the consequence of the worst
case scenario is often adopted. It is important to remember that for any
risk a number of different consequence—likelihood pairs may be equally
valid.
The ultimate worst case scenario of any security risk could potentially be
a catastrophic loss to any organisation, community or individual.
However, such extreme worst case scenarios are not those that are
experienced by the vast majority of organisations that are the victims of
such security incidents. Therefore, it is usually appropriate in looking at
high consequence (and usually low likelihood) events to use available
historical precedent to determine realistic worst case losses that could be
expected from a particular security risk (hence the ‘most credible’
scenario).
The obvious danger in overly focusing on high consequence (low
likelihood) events is that the far more likely lower consequence events
can be missed or given insufficient attention. There is also an inherent
difficulty in conceptualising these high consequence–low likelihood
events. By their very nature they are outside of the experience of the
majority of people (even most security specialists); they are difficult to
analyse subjectively; and should they occur they can rapidly overwhelm
most coping mechanisms. Also, human perception being what it is, these
types of events either receive unwarranted attention or fall outside of
usual consideration processes.
The consequence of a security risk can usually be expressed as a measure
of financial loss, stakeholder/community impact, reputational damage,
loss of operational capability, or health and safety implications. Impacts
derived as part of the criticality assessment are used to inform the
determination of overall risk consequence.


In some practical applications it will be very difficult to gain an accurate


estimation of the level of consequence arising from a security risk. This
will be particularly the case for low probability, high consequence events,
where their very nature is of high complexity and uncertainty and outside
of the common experience of the majority of management. The ‘issue’ is
further compounded by the widely differing perceptions on the nature of
risk and its consequences that will exist within most organisations. The
over-dramatisation of events by the media can further distort perceptions
and misinform otherwise rational analysis.
An illustrative example of generic criteria for assessing the consequences
of security risk is given in Table 5.1. Consequence is assessed on the
basis of the effectiveness of existing security controls and vulnerabilities.

5.2.2 Likelihood
The likelihood refers to the chance or probability of a security incident or
event occurring that would result in the particular consequence
determined according to Section 5.2.1. The likelihood can be estimated
as an absolute probability (e.g. occurring with a probability of between 0
and 1), as the chance that something will occur over a defined period
(e.g. 'over the next two years') or as a percentage chance of occurrence.
An example of one approach to measuring likelihood is provided in
Table 5.2.

5.2.3 Risk rating


The overall level of risk or 'risk rating' is determined through combining
the consequence and likelihood estimations. Table 5.3 provides one
example of a matrix approach for estimating a risk rating. Risk rating in
this manner allows the security risk to be prioritised in order of decreasing
relative risk level from 'Extreme' to 'Low'. It also provides an aid to
decision making regarding the tolerability of risk examined in the
evaluation step outlined in Section 6.


TIPS AND TRAPS


A cautionary note on the use of scales in the measurement of risk:
A number of methodologies attempt to perform feats of quantitative
analysis that are mathematically unsound, because of the very nature of
the rating scales that they are trying to use. There are certain
mathematical operations that you just cannot perform with certain types
of scales:
• Nominal scale: data is assigned into categories, for example in type
specific lists. No mathematical operation can be performed.
• Ordinal scale: data is sorted into comparative scales (‘High’, ‘Medium’
and ‘Low’, or where numbers – 1, 2, 3, 4, 5, etc. – are assigned for
relativity but not magnitude). Mathematical treatment is likely to be
arbitrary in the absence of a zero point.
• Interval scale: there is a constant interval between numbers (but the
zero point may be arbitrary), for example the Fahrenheit temperature
scale. Numbers can be added and subtracted but cannot be
multiplied/divided: e.g. 20°F is not twice as hot as 10°F.
• Ratio scale: measures the magnitude of the value and establishes a
zero point, for example the time taken to cut through differing
thicknesses of steel. Numbers can be added/subtracted and
multiplied/divided, e.g. 4 minutes is twice as long as 2 minutes.

Remember, there are just some things you cannot do with some types
of scales; if you do, the products could be nothing short of nonsense.

Table 5.1
Security risk consequence (illustrative example only)

Columns: Consequence rating; Financial consequence[27][28] (values in
parentheses are local impacts[29]); Reputational consequence;
Project/business consequence.

Catastrophic
• Financial consequence: > $100,000,000 (> $5,000,000)
• Reputational consequence: Extreme negative coverage causing public
outcry, appearing consistently over weeks; majority of stakeholders
severely disadvantaged (months)
• Project/business consequence: Serious process breakdown that prevents
the achievement of mission critical objectives; multiple severe injuries,
including fatalities
Major
• Financial consequence: $5,000,000 – $100,000,000 (< $5,000,000)
• Reputational consequence: Negative significant coverage, appearing
consistently over weeks; multiple stakeholders severely disadvantaged
(weeks – months)
• Project/business consequence: Serious process breakdown that
substantially impedes the achievement of a core objective; multiple
severe injuries, or a single fatality
Moderate
• Financial consequence: $50,000 – $5,000,000 (< $50,000)
• Reputational consequence: Negative coverage lasting for several days,
and/or frequent re-occurrence for several weeks; multiple stakeholders
experience significant disadvantage (weeks)
• Project/business consequence: Process breakdown that impedes the
achievement of an important objective or causes extensive inefficiencies
in key processes; multiple casualties requiring hospital attention
Minor
• Financial consequence: $2,000 – $50,000 (< $10,000)
• Reputational consequence: Minor negative coverage, limited circulation
for one day; minority of stakeholders experience disadvantage (days –
weeks)
• Project/business consequence: Process breakdown that impedes the
achievement of one or more objectives or some inefficiencies in key
processes; minor injuries requiring medical attention
Minimal
• Financial consequence: < $2,000 (< $1,000)
• Reputational consequence: Isolated brief coverage, single media outlet;
stakeholders experience minimal disadvantage (days)
• Project/business consequence: Process breakdown or inefficiencies that
have a limited impact on the achievement of an objective; minor injury
requiring first aid only

[27] Cumulative impact of all such occurrences of security incidents over a
defined time period.
[28] Values represent corporate impacts.
[29] Values (in parentheses) represent local (e.g. regional office) impacts.

Table 5.2
Security risk likelihood (illustrative example only)

Likelihood: criteria
Almost certain
• over 99% probability[30], or
• ‘happens often’, or
• could occur within ‘days to weeks’
Likely
• >50% probability, or
• ‘could easily happen’, or
• could occur within ‘weeks to months’
Possible
• >10% probability, or
• ‘could happen, has occurred before’, or
• could occur within ‘a year or so’
Unlikely
• >1% probability, or
• ‘has not happened yet, but could’, or
• could occur ‘after several years’
Rare
• <1% probability
• ‘conceivable but only in extreme circumstances’
• exceptionally unlikely, even in the long term future
• a ‘100 year event’ or greater

Table 5.3
Risk rating matrix (illustrative example only)[31]

Likelihood      Consequence
                Minimal      Minor        Moderate     Major        Catastrophic
Almost certain  Medium       Significant  High         Extreme      Extreme
Likely          Medium       Medium       Significant  High         Extreme
Possible        Low          Medium       Significant  High         High
Unlikely        Low          Low          Medium       Significant  High
Rare            Low          Low          Medium       Significant  Significant

[30] Use of probability needs to be carefully defined in each case that it is
used, e.g. probability of an armed robbery occurring over a defined number of
armoured car journeys.
[31] Yes! This is different to the matrix included in HB 436. The structure of
the rating matrix (even the use of a 3x3, 7x7 or 15x15 matrix) will very much
depend on the need of the risk assessment and the context within which it is
being conducted. It will be determined to a large extent by the development of
the evaluation criteria (explained in Section 3.6).


6 Evaluate risk
6.1 Introduction
Evaluating security risk involves determining which risks are tolerable,
and which risks require further attention (e.g. treatment). Criteria for
determining tolerability should originally have been developed whilst
establishing the 'context', and will usually include defining appropriate
consequence and likelihood tables and establishing levels where different
actions may be required. Before commencing with the evaluation, these
criteria should be confirmed in the light of any issues arising from the risk
analysis or where the context may have changed.
Evaluation criteria could vary depending upon, for example:
• Prevailing political, stakeholder or community sensitivities and
expectations;
• The nature or types of the security incident involved;
• Existing or emerging security incident trends;
• Strategic or business priorities;
• Resource availability for treatment; and
• The ability of the organisation, community or individual to absorb
losses.

6.2 Tolerance of risk


Decisions on the tolerability of risk could for example be based upon
single level decision criteria (Figure 6.1) that divide security risks that
require treatment (intolerable) from those that do not (tolerable) for
example:
• All security risk of 'High' or 'Extreme' ratings – must receive
immediate attention, with reporting to the Chief Executive and/or the
Board;
• All security risk of 'High' rating must receive attention within 24 hours;
• Security risk above 'Significant' where controls are less than
'Effective' – is intolerable; or
• Any security risk with potential safety or reputational consequences
above 'Moderate' is intolerable, where controls are less than
effective.
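The consequence and likelihood bands of Tables 5.1 and 5.2, the Table 5.3 matrix and the single-level criteria listed above can be wired together into a small rating routine. The Python below is an added illustration, not part of HB 167: it uses only the corporate-impact financial bands of Table 5.1, applies two of the example criteria above (the 'High'/'Extreme' rule and the safety/reputational rule), and assumes, for illustration only, that where both a financial and a safety or reputational consequence have been assessed the higher band is taken as the overall consequence. The register entries are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Ordered bands from Tables 5.1 and 5.3 (lowest first).
CONSEQUENCE_SCALE = ["Minimal", "Minor", "Moderate", "Major", "Catastrophic"]
RATING_SCALE = ["Low", "Medium", "Significant", "High", "Extreme"]

# Table 5.3: row = likelihood, columns in CONSEQUENCE_SCALE order.
RISK_MATRIX = {
    "Almost certain": ["Medium", "Significant", "High", "Extreme", "Extreme"],
    "Likely": ["Medium", "Medium", "Significant", "High", "Extreme"],
    "Possible": ["Low", "Medium", "Significant", "High", "High"],
    "Unlikely": ["Low", "Low", "Medium", "Significant", "High"],
    "Rare": ["Low", "Low", "Medium", "Significant", "Significant"],
}


def consequence_from_loss(loss_dollars: float) -> str:
    """Table 5.1 financial bands, corporate-impact column only."""
    if loss_dollars > 100_000_000:
        return "Catastrophic"
    if loss_dollars > 5_000_000:
        return "Major"
    if loss_dollars > 50_000:
        return "Moderate"
    if loss_dollars > 2_000:
        return "Minor"
    return "Minimal"


def likelihood_from_probability(p: float) -> str:
    """Table 5.2 probability bands. p is the chance of the event over the
    period the assessment defined (see footnote 30), as a value from 0 to 1."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must lie between 0 and 1")
    if p > 0.99:
        return "Almost certain"
    if p > 0.50:
        return "Likely"
    if p > 0.10:
        return "Possible"
    if p > 0.01:
        return "Unlikely"
    return "Rare"


def worst_consequence(*ratings: str) -> str:
    """Highest band by ordinal position; ordinal bands are compared, never
    averaged or multiplied (see the Tips and Traps note on scales)."""
    return max(ratings, key=CONSEQUENCE_SCALE.index)


def risk_rating(likelihood: str, consequence: str) -> str:
    """Look up the Table 5.3 cell for a likelihood/consequence pair."""
    return RISK_MATRIX[likelihood][CONSEQUENCE_SCALE.index(consequence)]


@dataclass
class SecurityRisk:
    name: str
    probability: float          # chance of occurrence over the defined period
    financial_loss: float       # expected corporate financial loss, dollars
    controls_effective: bool    # existing controls rated 'Effective' or better
    safety_or_reputational: Optional[str] = None  # Table 5.1 band, if assessed


def evaluate(risk: SecurityRisk) -> dict:
    """Apply two of the Section 6.2 example criteria: 'High' or 'Extreme'
    ratings need immediate attention and executive reporting, and a safety or
    reputational consequence above 'Moderate' is intolerable where controls
    are less than effective, whatever the overall rating."""
    consequence = consequence_from_loss(risk.financial_loss)
    if risk.safety_or_reputational:
        # Assumption for this example: the overall consequence is the worse of
        # the financial and the safety/reputational band.
        consequence = worst_consequence(consequence, risk.safety_or_reputational)
    likelihood = likelihood_from_probability(risk.probability)
    rating = risk_rating(likelihood, consequence)

    high_or_extreme = RATING_SCALE.index(rating) >= RATING_SCALE.index("High")
    sensitive = (risk.safety_or_reputational is not None
                 and CONSEQUENCE_SCALE.index(risk.safety_or_reputational)
                 > CONSEQUENCE_SCALE.index("Moderate"))
    intolerable = high_or_extreme or (sensitive and not risk.controls_effective)

    if high_or_extreme:
        action = "Immediate attention; report to Chief Executive and/or Board"
    elif intolerable:
        action = "Treat: raise control effectiveness to at least 'Effective'"
    else:
        action = "Tolerate, retain and monitor"
    return {"likelihood": likelihood, "consequence": consequence,
            "rating": rating, "tolerable": not intolerable, "action": action}


# Constructed sample register; all values are invented for illustration.
SAMPLE_REGISTER = [
    SecurityRisk("Armed robbery of a cash-in-transit run", 0.30, 8_000_000, True),
    SecurityRisk("After-hours intrusion at a regional office", 0.05, 30_000, False, "Major"),
    SecurityRisk("Loss of the primary data centre", 0.005, 200_000_000, True),
]
```

The second register entry shows why the safety/reputational rule is applied separately: its overall rating is only 'Significant', but the 'Major' safety consequence with less-than-effective controls still makes it intolerable.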

[Figure 6.1 (diagram): a vertical ‘Increasing risk’ axis on which a single
‘Tolerance cut off’ separates the ‘Tolerable’ region below from the
‘Intolerable’ region above; ‘Incapacity to manage’ is marked at the top of
the axis.]

FIGURE 6.1 HYPOTHETICAL SINGLE LEVEL TOLERANCE CRITERIA

In reality, tolerance is more likely to be exhibited as a gradient, where the
risk may become increasingly less tolerable as the risk level is elevated
(Figure 6.2) and where a range of other contextual factors, such as a
decreasing capacity to manage the risk, will influence the decision on risk
tolerance. This in turn will tend to create decision making which is not
either/or (treat/not treat) but rather a question of when (treat now/treat
later) when risk levels in between the two extremes are considered.

[Figure 6.2 (diagram): the same ‘Increasing risk’ axis, with ‘Incapacity to
manage’ at the top, divided into bands from ‘Tolerable’ upwards: ‘Monitor’,
‘Treat in the longer term’, ‘Treat in the near future’, ‘Treat immediately’
and ‘Intolerable’.]

FIGURE 6.2 A HYPOTHETICAL GRADIENT OF TOLERANCE

The other issue to consider in evaluation is that it is often not the time
scale of treatment that matters but the degree of security applied. In risk
evaluation it is also important to recognise that applying additional layers
of security may have disadvantages or inhibit opportunities, and that this
may not be acceptable for lower risks.

Another approach to viewing tolerability to risk is based on the ALARP[32]
approach (‘As Low as Reasonably Practical’, Figure 6.3), which is
commonly seen in fields such as health, safety and environment. This
approach recognises the concept of a gradient of tolerability but divides
the gradient up into three broad bands based upon a:
• Broadly acceptable region, where risk reduction is not likely to be
required as any benefits realised are likely to be outweighed by
costs;
• Tolerable region (the ALARP region) where the risk is regarded as
tolerable only if further risk reduction is impracticable (for example
because of cost benefit considerations or an absence of a feasible
solution); and
• Broadly unacceptable region where risk cannot be justified, except in
extraordinary circumstances.

[Figure 6.3 (diagram): a ‘Magnitude of risk’ axis, labelled ‘Increasing
individual risks and societal concern’, divided from the top into the
‘Broadly unacceptable region’, the ‘ALARP region’ and the ‘Broadly
acceptable region’.]

FIGURE 6.3 THE ALARP APPROACH

[32] ALARP = As Low As Reasonably Practicable.

7 Treat risk
7.1 Introduction
Where a security risk has been determined as intolerable (during the
evaluation step, see Section 6), some form of treatment may be required
to manage the risk. It will never be possible to completely remove all
forms of security risk. The aim is to manage the level of risk to a tolerable
level.
Such treatment will usually involve some form of improvements to
security controls already in place, or the introduction of new security
controls.
In the security environment, risk treatment is also often termed
‘countermeasures’. However, use of the term ‘countermeasures’ may
force a paradigm whereby there may be an unhealthy focus on physical
security controls, to the exclusion of other types of control.
The ‘treating risk’ step requires that:
• The vulnerabilities (see Section 5) to the specific intolerable risks
(see Section 6) are confirmed, and the key vulnerabilities that require
management are identified and prioritised;
• Options for the treatment of these key vulnerabilities are developed;
and
• A cost benefit analysis is conducted to determine the feasibility and
desirability of each of the options, and allow options to be prioritised if
required.
The key stages of treating risk are summarised in Figure 7.1.

7.2 Developing a treatment plan


7.2.1 Establish treatment objectives
The purpose of establishing treatment objectives is to ensure that the
subsequent development of treatment options meets organisational
needs, will effectively manage the risk and will be sustainable. This
involves:
• Ensuring that the risk and its sources are fully understood (by
referring back to the outputs of the analysis step – see Section 5);
• Ensuring that the type and nature of potential events are recognised
and considered;

• Using the knowledge of risk, sources and events combined with a
review of the vulnerabilities and controls (see Section 4), to develop a
gap analysis from which treatment requirements can be developed;
and
• Determining the required outputs and performance outcomes from
undertaking treatment - the treatment objectives.

[Figure 7.1 (flow chart): ‘Priority intolerable risks’ lead to ‘Establish
treatment objectives’ (understand the context, causes and sources of risk,
potential events and the analysis of risks; determine control gaps;
determine required outputs and performance), then ‘Identify and develop
treatment options’ (change likelihood and/or change consequence: exploit,
avoid, share, reduce, retain), then ‘Evaluate treatment options’ (cost
benefit; decision making), then ‘Detailed design and review of chosen
options’, then ‘Communication and implementation’.]

FIGURE 7.1 THE KEY STAGES OF TREATING RISK

7.2.2 Identify and develop treatment options


A number of possible treatment options should be identified that may
need some initial degree of development before their feasibility can be
appropriately assessed. Broadly speaking, options for the treatment of
security risk will involve one or a combination of the following treatment
strategies:
• Reduce: control improvements or new controls (treatments) are
introduced that are aimed at reducing the consequence or likelihood
of the risk, e.g. to improve:
− deterrence of the threat,
− delay of an event,
− detection and investigation of the event,
− response to the event or its consequence,
− recovery from the event and its consequences,
− prosecution of individuals or groups involved in perpetrating the
event;
• Avoid: the likelihood of security risk is reduced or removed by
ceasing the individual’s, organisation’s or community’s activities that
create an exposure (e.g. prevention of personal safety risk by not
undertaking overseas travel to a specific location at that time).
• Share: the management of the security risk is ‘shared’ with a third
party, reducing the consequences of the risk (e.g. Police, ISR[33]
insurance, outsourcing to a private security company). Some
practitioners refer to the ‘transfer’ of risk to third parties. In reality only
part of the responsibility for managing the risk can be transferred;
some responsibility and all accountability for the risk remains with the
first party;
• Tolerate, retain and monitor: The risk is tolerable and retention of
the risk is determined as a potential treatment strategy. Alternatively,
the risk may be acknowledged as intolerable, but at the current time,
capability or resources are unavailable, or treatment is not cost-
effective. Therefore the only option may be to retain the risk and to
continue to monitor it until circumstances change and action can be
taken. After treatments have been implemented there will usually be
some degree of residual risk. The decision will have to be made as to
whether this residual risk is tolerable and can be retained, or if further
treatment is required.

[33] Industrial and special risks.

TIPS & TRAPS


There is often confusion over the terms ‘controls’, ‘treatments’ and
‘countermeasures’. Whilst often used synonymously, it is sometimes
useful to use them in different contexts. All factors that may
increase or decrease a risk can be regarded as controls (e.g. from
physical controls such as razor wire fences, to management controls
such as internal audit reviews). In evaluating risk, ‘controls’ are used to
specifically describe those factors already present and factored into the
risk analysis. ‘Treatments’ are those controls that are to be introduced
to improve the management of the risk subsequent to the risk
assessment.
The term ‘countermeasures’ could be used to describe both ‘controls’
and ‘treatments’. It should be used with caution as it can provoke a
mindset of only considering those controls that are traditionally seen as
relating to security.

7.2.3 Evaluate treatment objectives


Too many times treatment strategies are doomed to be ineffective even
before they enter a detailed design stage. A common cause of failure or
ineffectiveness is the manner in which the treatment evaluation phase is
conducted. All too often risk management, and the treatment step in
particular, deals with each risk in isolation. In particular, insufficient
attention is given to the causal factors of risk and their interaction. This in
turn tends to produce treatment options that are focused on managing
individual risks, with an inadequate consideration of how other risks will
be affected. Thus the treatment of one risk in one area may significantly
increase the exposure to risk in another area; for example, the
introduction of more rigorous access and egress controls may prevent an
effective emergency evacuation from a building.
A more holistic view therefore needs to be taken when evaluating
treatment options. The ‘what if’ question needs to be asked for each and
every option under consideration before implementation, preferably as
part of a cost-benefit analysis.
The cost benefit analysis
When selecting the most appropriate options for the treatment of risk,
and ensuring compatibility with key objectives (e.g. corporate, government,
community objectives) and with the evaluation criteria developed
previously, conducting a cost benefit analysis provides an objective
process for prioritising feasible treatment options and for disregarding
those that are not. A cost benefit analysis can be conducted either as a
formal or informal process and should consider as wide a range of issues
as possible, not just be restricted to financial considerations. The analysis
should consider[34] (see Figure 7.2):
• Direct issues, such as:
− benefits, arising from reduction in the likelihood or harmful
consequences of the security risk,
− costs, of implementing the proposed treatment and/or that could
arise if the risk eventuates (e.g. loss of an asset); and

• Indirect issues, such as:
− benefits, arising from collateral effects of the treatment such as
reduced insurance premiums, improved management and staff
confidence, enhanced reputation,
− costs, arising from the loss of productivity, business disruption,
diversion of management attention, loss of reputation or brand
value.

[34] Consideration of costs and benefits should not be limited to just the
entity concerned. It may also be necessary to examine wider market,
industry and social costs and benefits.

[Figure 7.2 (diagram): the treatment (people, property, information) at the
centre, with its benefits (internal and external) and its costs, each direct
or indirect, assessed against objectives, $, performance, processes,
stakeholders, reputation and safety.]

FIGURE 7.2 COST BENEFIT ANALYSIS

7.2.4 Detailed design


Once an appropriate treatment option or options have been selected, it
will be necessary to undertake a detailed design. One of the most
effective ways to do this is to involve those individuals who will be
involved in their implementation or end use. There can be significant
benefits in actively involving key stakeholders (including suppliers and
customers) in the detailed design phase. The design phase should
always be conducted with the agreed treatment objectives in mind.

7.2.5 Design review


The purpose of the design review is to ensure that the detailed design of
the treatment options is ‘fit for purpose’ prior to implementation
commencing. This process can range from a simple checking procedure
to a formal structured multidisciplinary review. The choice of the most
appropriate procedure will depend upon the nature of the risk, the type
and complexity of the treatment options and the resources available. As a
minimum the design review process should ensure that the design of the
treatment options:
• Will satisfy the requirements documented in the treatment objectives;

• Can be practically implemented in the current and/or anticipated
operating environments (including with resources available);
• Provides for sustainability or maintenance for the required life span of
the treatment;
• Will allow required monitoring to be practically undertaken; and
• Does not introduce new collateral risk.

7.2.6 Communicating and implementing


Prior to undertaking communication about the chosen treatments, it will
usually be necessary to document a treatment plan (a Treatment Plan
template is provided in Appendix F). Successful implementation of
treatment will depend to a great extent upon the success of the
communications undertaken prior to, and during, the implementation. A
documented treatment plan can, in itself, prove to be a powerful
communication tool for the implementation process. Documentation of
treatment plans should consider the following issues:
• Clear and concise identification of the risks for which treatments have
been designed. Where possible a description of the risk should be
used such that the ‘general reader’ within the organisation is able to
gain an appropriate level of understanding;
• Treatment objectives and expected outcomes;
• Detailed actions, activities and processes that will be required in
developing and implementing the treatment;
• A clear ‘map’ for the implementation of the treatment;
• Resources required including budgets, personnel, equipment,
interdependencies, responsibilities and accountabilities;
• Key performance indicators and the monitoring and reporting
mechanisms that will be employed; and
• A communications plan that identifies the key stakeholders,
messages, channels, constraints, etc (see Section 2 for guidance on
the development of a communications plan).

7.3 Conformance vs. Performance


A significant amount of security risk treatment has focused historically on
preventive measures and on compliance activities such as ensuring that
regulations, industry standards and organisational policies are complied
with appropriately. Thus security has traditionally focused on
conformance by answering the question 'what must I do?' Hopefully,
following a security breach, the question 'what else can I do to prevent
this happening again?' is asked, beginning a focus on performance. Far
too many organisations have ended their journey into performance-based
security management at this point.

The risk-based approach to security enables management to consider
more performance-based decisions relating to their activities and
investment in security. Through monitoring the risks and adapting
security strategies relevant to those risks, the capability to continuously
improve security controls effectively in relation to changing environments
becomes achievable. Furthermore, by ensuring that the security risk
management process is closely aligned with other risk activities (e.g.
community emergency risk management, corporate risk management)
there are real opportunities to leverage security treatments with other
improvement activities occurring elsewhere in the organisation or
community.

8 Monitor and review


8.1 Introduction
The security risk environment is not constant. Organisations,
communities and individuals are also in continual flux, sometimes
discretely, often dramatically over short periods of time. Monitoring of risk
provides the capability to respond effectively to changing environments.
The concepts of monitor and review therefore become of critical
importance to the conduct of security risk management.
Many, far too many, security risk management activities finish with the
monitor and review step, then that’s it until the next time security risk is
examined (in twelve months time if one is lucky). Now is a good time to
look again at Figure 1.1. Firstly, it is a continuing cycle, it never ends.
Secondly, at each and every step there is a requirement to monitor and
review.

8.2 The elements of ‘monitor and review’


The key elements of monitor and review are based upon the three
considerations of: ‘understanding’, ‘performance’, and ‘assurance’
(Figure 8.1).

[Figure 8.1 (diagram): ‘Monitor and review’ at the centre, linked to
‘Understanding’, ‘Performance’ and ‘Assurance’.]

FIGURE 8.1 THE MONITOR AND REVIEW MODEL

The monitor and review step has the objectives of achieving improved:
• Understanding, through:
− continuing awareness of changing contexts,
− continuing awareness of changing demands,
− learning from experience,
− learning from others;
• Performance, through:
− managing stakeholder expectations,
− measurement/review of effectiveness of process elements,
− measurement/review of effectiveness of management of risks,
− identifying and implementing improvements,
− enhancing integration with interdependencies; and
• Assurance, through ensuring and confirming compliance with:
− strategic requirements,
− policy requirements,
− operational requirements,
− regulatory requirements.
The concept of ‘monitor and review’ is based around the need to:
• Continuously examine the external and internal environments and
reconsider the context and its effect on security risk management;
• Redevelop the analytical outputs of the security risk management
process to reflect the changing context;
• Assess the efficiency and effectiveness of treatment plans in
mitigating the risks identified;
• Re-evaluate the appropriateness of treatment activities to manage a
dynamically changing risk environment;
• Measure the effectiveness and success of communications and
consultation activities undertaken;
• Ensure that timely and adequate improvements are implemented;
• Continuously examine the conduct of the security risk management
process and to adjust it to meet changing organisational needs and
capability;
• Ensure appropriate governance through reporting to appropriate
authorities, regulators, boards, stakeholders, management and staff
as required; and
• Focus on both conformance and performance measurement.

8.3 Monitoring and review practices


Broadly speaking, there are four levels of monitoring practices that are
routinely observed:

• Continuous monitoring: that is undertaken on a frequent or
ongoing basis, and involves routine checking by the process
operators of changes in risk level, control breakdowns, incident
occurrence, or established indicators of these (e.g. alarm monitoring).
The aim is to ensure that implemented treatments and controls
remain effective and that new risks are not being created. This
process will also provide input into maintaining the currency of any
security risk registers that have been developed;
• Line management reviews: periodic reviews of processes, policies,
practices and systems, their risks and treatments. These reviews are
often targeted at specific higher or changing risk issues (including
assurance activities such as control self assessments, etc). The aim
is to ensure that treatment and control strategies continue to be
relevant, efficient and effective;
• Centralised reviews: by internal or external audit capability (e.g.
financial transaction audits). The aim is usually to ensure compliance
with internal and externally mandated requirements so these reviews
are highly selective in their focus. Reviews such as simulation
exercises and penetration testing also provide awareness and
training opportunities beyond the monitoring objectives; and
• Scanning: reviewing the internal and external environments for
changing or emerging risk. The aim is to provide an early
appreciation of emerging issues to allow sufficient time to act upon
them. Although virtually sine qua non at a strategic level, it should be
adopted as a monitoring practice at all levels of the organisation.

8.4 Triggering monitor and review processes


The organisation should ensure that a review of security risk is
undertaken when:
• Significant structural or layout changes are made to the
organisation’s tenancy, shared public/ body corporate areas, or
neighbouring premises;
• Significant changes to critical assets occur (e.g. new types of
equipment purchased, changes in the confidential nature of
information being used/stored, departure of staff with knowledge of
access to potential vulnerabilities);
• Significant changes occur in the local security environment (e.g.
increase in local office or domestic dwelling burglaries);
• The national security threat changes significantly;
• Management responsibilities change significantly (e.g. appointment
of a new CFO);
• New suppliers are appointed;
• Availability and utility of security related technology changes;
• There are significant changes in the nature of security risk within
similar industries, markets, etc;
• Mergers and acquisitions are occurring; and

• Significant new product lines are developed or the organisation
enters new markets.
Continual monitoring and review of the following aspects should be
occurring at all stages of security risk assessment:
• The changing strategic, organisational and security risk contexts for
changes that may impact upon the nature or level of risk to the
individual, organisation or community;
• The incidence, nature, types and impacts of security risk;
• The changing acceptability or tolerance of risk by the individual,
organisation, community, or by their stakeholders;
• The effectiveness of security risk controls; and
• The effectiveness of security awareness programs and other
communications initiatives.

8.5 Post-event analysis and reporting


Following any security risk-related event, a post-event analysis should be
conducted to:
• Ensure that the incident and its aftermath were appropriately
managed;
• Identify any learnings from the response to, and recovery from, the
event and ensure that they are captured and used in subsequent
improvement activities;
• Review to what extent the risk profile may have changed;
• Determine the effectiveness of the current control framework and
existing treatment strategies and determine any additional treatment
improvements that need to be made;
• Investigate and identify, where relevant, the perpetrators of the event
and pursue them via administrative, civil or criminal process; and
• Communicate an improved understanding of security risk and its
management to staff, stakeholders, citizens, etc, where appropriate.


A Acknowledgments
The authors of the Handbook wish to acknowledge the following
individuals for challenging us with their considered wisdom and for their
encouragement during the development of this Handbook. We would also
like to extend our thanks to the many others who through their questions
and suggestions allowed us to eventually see the light.

Reviewer | Organisation | Country
Pearse Healy | Transport Accident Commission | Victoria, Australia
Doug Nelson | Continuity Partners | California, USA
Robert Bartlett | Cabinet Office | London, UK
Grant Purdy | Broadleaf Capital International Pty Ltd | Victoria, Australia
Jean Cross | University of New South Wales | NSW, Australia
Mike Tarrant | Emergency Management Australia Institute | Victoria, Australia
Jim Gifford | Department of the Premier and Cabinet | South Australia
Panjan Navaratnam | Standards Australia | Sydney, Australia
Mike Rothery | Critical Infrastructure Protection Branch, Attorney General’s Department | Canberra, Australia
David Sadlier | National Centre for Security Standards | Canberra, Australia
Geraint Bermingham | Air New Zealand | Auckland, New Zealand
Peter Power | Visor Consultants | London, UK
Ged Griffin | Victoria Police | Melbourne, Australia

B Definitions and glossary


Admiralty scale: A rating system for intelligence information based on the quality and validity of the information and its source.

Asset attractiveness: Relates to how the threat source views the asset in terms of the activity that they want to undertake. For example, the attractiveness of an asset to a graffiti vandal, where a major consideration would be that many people see the graffiti, is different to the attractiveness of an asset for a person wanting to commit extortion or sabotage. You would expect the saboteur or extortionist to have a greater understanding of the operation of a facility or asset than the vandal.

Asset: An item or process that an individual, community or Government values and is important to supporting the expectations of those people’s, organisations’ or Government’s outcomes and objectives.

Business case: A usually documented proposal outlining an intended course of action and identifying costs and benefits. Generally seeks an approval and/or budget allocation.

Business Continuity Management: Business Continuity Management provides for the availability of processes and resources in order to ensure the continued achievement of critical objectives.

Capability: The ability, experience and knowledge of a person, process or information to undertake the stated or claimed activity. This is commonly used in relation to the capability of a threat source.

Collateral exposure: Threat or risk exposure arising out of a proximal relationship with the victim of a security breach.

Community: A group of people with a commonality of association and generally defined by location, shared experience or function.

Consequence: The outcome of an event expressed qualitatively or quantitatively, being a loss, injury, disadvantage or gain. There may be a range of possible outcomes associated with an event.

Context: A summary of the key internal and external issues that could influence the risks under examination or decisions about those risks.

Conformance: A compliance approach to monitoring.

Control: Any existing physical, behavioural, institutional, or cultural mechanism by which a risk is managed (compare with ‘treatment’ definition).

Corporate governance: A system by which an organisation is directed and controlled. Corporate governance activities are represented as four principal components: direction, executive action, supervision and accountability.

Counter measure: A control applicable to specified threats.

Criticality: The importance or dependence that an organisation has on a person, function, process, item or infrastructure or specific facility.

Critical incident management: The policies, plans, structures and processes by which the response to abnormal conditions is commanded, coordinated and controlled.

Critical infrastructure: Infrastructure which, if destroyed, degraded, or rendered unavailable for an extended period, will impact on social or economic wellbeing or affect national security or defence.

Customer: An individual, organisation or other body that derives a benefit from an asset. Customers may be internal or external.

Decision making: The process by which information is analysed, options formulated and a preferred option(s) identified for subsequent action. Typically decision making is informed (makes use of available information) or uninformed (makes use of ‘gut feel’).

Dynamic pressures: Social, community, market and organisational forces that act upon root causes allowing or increasing their potential to become threats or hazards.

Emergency risk management: Risk management associated with low probability, extreme consequence events.

Evaluation criteria: Criteria such as risk consequence and likelihood levels that are used to determine risk tolerance, appetite and the need to treat or not.

Event: Occurrence of a particular set of circumstances.

Facility: Any physical infrastructure.

Harm: The environmental, physical, emotional, economic, social, political and other intangible consequences that could result from a real or potential occurrence of the security threat being considered.

Hazard: A potential source of harm. The term hazard can be qualified in order to define its origin or the nature of the expected harm.

Iconic status: A position of significant prestige, esteem and widespread recognition of an entity as ‘one of a kind’.

Impact: The outcome following the occurrence of an event.

Information transfer: The manner in which information is transferred from one party to another. Typically in communications these are seen as ‘push’ (information dispersal), ‘pull’ (information gathering) or ‘push-pull’ (dialogue).

Intent: The confidence to carry out the stated or postured claim and the desire to carry out the action or activities.

Interdependency: The nature of a relationship between two parties.

Likelihood: Used as a general description of chance, probability or frequency of an event occurring.

Organisation: A company, firm, organisation, association, group or other legal entity or part thereof, whether incorporated or not, public or private, that has its own function(s) and administration.

Perception: An individual’s interpretation of sensory information received. The process of selecting, acquiring, interpreting, analysing, and organising sensory information.

Probability: The likelihood of a specific event or outcome, measured by the ratio of specific events or outcomes to the total number of possible events or outcomes. Probability is expressed as a number between 0 and 1, with 0 indicating an impossible event or outcome and 1 indicating an event or outcome is certain.

Resilience: The ability or capacity to recover from harm.

Risk: The chance of something happening that will have an impact upon objectives. It is measured in terms of consequence and likelihood.

Risk management: The culture, processes, and structures that are directed towards the effective management of potential opportunities and adverse effects.

Security: The preparedness, protection and preservation of people, property and information, both tangible and intangible.

Security incident: A ‘security incident’ is regarded as any event or circumstance involving or affecting the individual, community or organisation that causes or is likely to cause a loss (physical or otherwise), disruption, or fear arising from the deliberate activities of other parties, where impacts are, or could potentially be, realised against people, property or information.

Security risk landscape: A map of potential security exposures and/or their sources, of an individual, community or organisation.

Root causes: Underlying conditions that may give rise to threats, hazards and other sources of risk. Within a security context this may include factors such as social and economic conditions (poverty, injustice, political aspirations, alienation, etc).

Stakeholders: Those people and organisations who may affect, be affected by, or perceive themselves to be affected by, a decision, activity, or event. Stakeholders includes anyone with an interest or influence in the organisation or community (or projects, issues associated with or parts thereof); this could include (but not be limited to): the Board, management, employees, citizens, local communities, unions, shareholders, families, media, lobby groups, customers, suppliers, government, regulators, etc.

Susceptibility: The likelihood and consequence of harm to a threat.

Threat: Anything that has the potential to prevent or hinder the achievement of objectives or disrupt the processes that support them. A source of, or potential for, harm to occur. A threat can be a source of risk.

Threat access: The degree (actual or perceived) to which a threat can interact with a target.

Threat source: A list of potential sources that could cause harm to an organisation. For example, a vandal, a disgruntled former employee, a criminal, stakeholders, customers, or a terrorist.

Unsafe conditions: Conditions that allow hazards/threats to manifest.

Vulnerability: ‘Any weakness that can be exploited by an aggressor to make an asset susceptible to change’ (35)

35 Definition from FEMA 452: Risk Assessment, A How to Guide to Mitigate Potential Terrorist Attacks Against Buildings, 2005.

C Security related standards and handbooks
Management related Standards and Handbooks

Number Title
AS/NZS 4360:2004 Risk management
AS 4485.1—1997 Security for health care facilities—General requirements
AS 4485.2—1997 Security for health care facilities—Procedures guide
AS 8000—2003 Corporate governance—Good governance principles
AS 8001—2003 Corporate governance—Fraud and corruption control
AS 8002—2003 Corporate governance—Organizational codes of conduct
AS 8003—2003 Corporate governance—Corporate social responsibility
AS 8004—2003 Corporate governance—Whistleblower protection programs for entities
AS/NZS ISO/IEC 27001—2005 Information technology—Security techniques—Information security management systems—Requirements
AS/NZS ISO/IEC 17799:2005 Information technology—Code of practice for information security management
HB 141:1999 Risk financing guidelines
HB 221:2003 Business Continuity Management
HB 231:2004 Information Security Risk Management
HB 240:2000 Guidelines for managing risk in outsourcing utilizing the AS/NZS 4360 process
HB 254:2005 Governance, risk management and control assurance
HB 436:2004 Risk Management Guidelines Companion to AS/NZS 4360:2004

Infrastructure and related Standards and Handbooks

Number Title
AS 1725—2003 Chain-link fabric security fencing and gates
AS 2201.1—1998 Intruder alarm systems—Systems installed in client's premises
AS 2201.2—2001 Intruder alarm systems—Monitoring centres
AS 2201.3—1991 Intruder alarm systems—Detection devices for internal use
AS 2201.4—1990 Intruder alarm systems—Wire-free systems installed in client's premises
AS 2201.5—1992 Intruder alarm systems—Alarm transmission systems
AS/NZS 2343:1997 Bullet-resistant panels and elements
AS/NZS 3016:2002 Electrical installations—Electric security fences
AS 3555.1—2003 Building elements—Testing and rating for intruder resistance—Intruder resistant panels
AS/NZS 3749.1:2003 Intruder alarm systems—Road vehicles—Performance requirements
AS/NZS 3749.2:1997 Intruder alarm systems—Road vehicles—Installation and maintenance
AS/NZS 3809:1998 Safes and strong rooms
AS/NZS 3810.1:1998 Safes and strong rooms—Methods of test—Test for physical attack
AS/NZS 3810.2:1998 Safes and strong rooms—Methods of test—Test for anchoring strength
AS/NZS 3810.3:1998 Safes and strong rooms—Methods of test—Test for explosive resistance
AS 4145.1—1993 Locksets—Glossary of terms
AS 4145.2—1993 Locksets—Mechanical locksets for doors in buildings
AS 4145.3—2001 Locksets—Mechanical locksets for windows in buildings
AS 4145.4—2002 Locksets—Padlocks
AS 4421—1996 Guards and patrols
AS/NZS 4601:1999 Vehicle immobilizers
AS 5040—2003 Installation of security screen doors and window grilles
AS 5041—2003 Methods of test—Security screen doors and window grilles
AS 5039—2003 Security screen doors and security window grilles
AS 1670.1—2004 Fire detection, warning, control and intercom systems—System design, installation and commissioning—Fire
AS 1670.2—1997 Fire detection, warning, control and intercom systems—System design, installation and commissioning—Local fire
AS 1670.3—2004 Fire detection, warning, control and intercom systems—System design, installation and commissioning—Monitoring network performance
AS 1670.6—1997 Fire detection, warning, control and intercom systems—System design, installation and commissioning—Smoke alarms
AS 1851.1—2005 Maintenance of fire protection systems and equipment
AS 1940—2004 The storage and handling of flammable and combustible liquids
AS 2220.1—1989 Emergency warning and intercommunication systems in buildings—Equipment design and manufacture
AS 2220.2—1989 Emergency warning and intercommunication systems in buildings—System design, installation and commissioning
AS 2293.1—2005 Emergency escape lighting and exit signs for buildings—System design, installation and operation
AS/NZS 2293.2:1995 Emergency evacuation lighting for buildings—Inspection and maintenance
AS 2293.3—2005 Emergency escape lighting and exit signs for buildings—Emergency escape luminaires and exit signs
AS 2507—1998 The storage and handling of agricultural and veterinary chemicals
AS 2714—1993 The storage and handling of hazardous chemical materials—Class 5.2 substances (organic peroxides)
AS 3745—2002 Emergency control organization and procedures for buildings, structures and workplaces
AS 3780—1994 The storage and handling of corrosive substances
AS 3846—2005 The handling and transport of dangerous cargoes in port areas
AS/NZS 3833:1998 The storage and handling of mixed classes of dangerous goods in packages and intermediate bulk containers
AS 4086.1—1993 Secondary batteries for use with stand-alone power systems—General requirements
AS 4086.2—1997 Secondary batteries for use with stand-alone power systems—Installation and maintenance
AS 4289—1995 Oxygen and acetylene gas reticulation systems
AS 4332—2004 The storage and handling of gases in cylinders
AS/NZS 4681:2000 The storage and handling of Class 9 (miscellaneous) dangerous goods and articles
AS 4418.1—1996 Supervisory control and data acquisition (SCADA)—Generic telecommunications interface and protocol—General
AS 4418.2—2000 Supervisory control and data acquisition (SCADA)—Generic telecommunications and interface protocol—Fire alarm systems
AS 4509.1—1999 Stand-alone power systems—Safety requirements
AS 4509.2—2002 Stand-alone power systems—System design guidelines
AS 4509.3—1999 Stand-alone power systems—Installation and maintenance
AS IEC 60300.3.1—2003 Dependability management—Application guide—Analysis techniques for dependability—Guide on methodology
AS 60870.1.1—1998 Telecontrol equipment and systems—General considerations—General principles
AS 60870.1.2—1998 Telecontrol equipment and systems—General considerations—Guide for specifications
AS 60870.1.3—1998 Telecontrol equipment and systems—General considerations—Glossary
AS 60870.1.4—1998 Telecontrol equipment and systems—General considerations—Basic aspects of telecontrol data transmission and organization of Standards IEC 60870-5 and IEC 60870-6
AS 60870.2.1—1998 Telecontrol equipment and systems—Operating conditions—Power supply and electromagnetic compatibility
AS 60870.3—1998 Telecontrol equipment and systems—Interfaces (electrical characteristics)
AS 60870.4—1998 Telecontrol equipment and systems—Performance requirements
AS 60870.5.1—1998 Telecontrol equipment and systems—Transmission protocols—Transmission frame formats
AS 60870.5.2—1998 Telecontrol equipment and systems—Transmission protocols—Link transmission procedures
AS 60870.5.3—1998 Telecontrol equipment and systems—Transmission protocols—General structure of application data
AS 60870.5.4—1998 Telecontrol equipment and systems—Transmission protocols—Definition and coding of application information elements
AS 60870.5.5—1998 Telecontrol equipment and systems—Transmission protocols—Basic application functions

IT related security Standards and Handbooks

Number Title
AS 2805.1—1997 Electronic funds transfer—Requirements for interfaces—Communications
AS 2805.2—2000 Electronic funds transfer—Requirements for interfaces—Message
AS 2805.3—2000 Electronic funds transfer—Requirements for interfaces—PIN management and security
AS 2805.4.1—2001 Electronic funds transfer—Requirements for interfaces—Message authentication
AS 2805.5.1—1992 Electronic funds transfer—Requirements for interfaces—Ciphers—Data encipherment algorithm 1 (DEA 1)
AS 2805.5.2—1992 Electronic funds transfer—Requirements for interfaces—Ciphers—Modes of operation for an n-bit block cipher algorithm
AS 2805.5.3—2004 Electronic funds transfer—Requirements for interfaces—Ciphers—Data encipherment algorithm 2 (DEA 2)
AS 2805.5.4—2000 Electronic funds transfer—Requirements for interfaces—Ciphers—Data encipherment algorithm 3 (DEA 3) and related techniques
AS 2805.6.1—2002 Electronic funds transfer—Requirements for interfaces—Key management—Principles
AS 2805.6.2—2002 Electronic funds transfer—Requirements for interfaces—Key management—Transaction keys
AS 2805.6.3—2000 Electronic funds transfer—Requirements for interfaces—Key management—Session keys—Node to node
AS 2805.6.4—2001 Electronic funds transfer—Requirements for interfaces—Key management—Session keys—Terminal to acquirer
AS 2805.6.5.1—2000 Electronic funds transfer—Requirements for interfaces—Key management
AS 2805.6.5.2—2000 Electronic funds transfer—Requirements for interfaces—Key management—TCU initialization—Symmetric
AS 2805.10—2004 Electronic funds transfer—Requirements for interfaces—File transfer integrity validation
AS 2805.10.2—2003 Electronic funds transfer—Requirements for interfaces—Secure file transfer (retail)
AS 2805.11—2000 Electronic funds transfer—Requirements for interfaces—Card parameter table
AS 2805.12.1—2004 Electronic funds transfer—Requirements for interfaces—Message content—Structure and format
AS 2805.12.2—1999 Electronic funds transfer—Requirements for interfaces—Message content—Codes
AS 2805.12.3—1999 Electronic funds transfer—Requirements for interfaces—Message content—Maintenance of codes
AS 2805.13.1—2000 Electronic funds transfer—Requirements for interfaces—Secure hash functions—General
AS 2805.13.2—2000 Electronic funds transfer—Requirements for interfaces—Secure hash functions
AS 2805.13.3—2000 Electronic funds transfer—Requirements for interfaces—Secure hash functions
AS 2805.14.1—2000 Electronic funds transfer—Requirements for interfaces—Secure cryptographic devices (retail)
AS 2805.14.2—2003 Electronic funds transfer—Requirements for interfaces—Secure cryptographic devices (retail)—Security compliance checklists for devices used in magnetic stripe card systems
AS/NZS 3931:1998 Risk analysis of technological systems—Application guide
AS ISO/IEC 9798 (all parts) Information technology—Security techniques—Entity authentication
AS ISO/IEC 10118 (all parts) Information technology—Security techniques—Hash-functions
AS ISO/IEC 11770 (all parts) Information technology—Security techniques—Key management
AS ISO/IEC 13335 (all parts) Information technology—Guidelines for the management of IT Security
AS ISO/IEC 14516 Information technology—Security techniques—Guidelines for the use and management of Trusted Third Party services
AS ISO/IEC 15408 (all parts) Information technology—Security techniques—Evaluation criteria for IT security
AS ISO/IEC 15443 (all parts) Information technology—Security techniques—A framework for IT security assurance
AS 5045 ISO/IEC 15945 Information technology—Security techniques—Specification of TTP services to support the application of digital signatures
AS ISO/IEC 15947 Information technology—Security techniques—IT intrusion detection framework
AS ISO/IEC 18028 (all parts) Information technology—Security techniques—Network security
AS ISO/IEC 18033 (all parts) Information technology—Security techniques—Encryption algorithms
AS ISO/IEC 18044 Information technology—Security techniques—Information security incident management
AS ISO/IEC 19790 Information technology—Security techniques—Security requirements for cryptographic modules
HB 74:1996 X.400 Security Implementation Guide
HB 171:2003 Guidelines for the Management of IT Evidence
HB 174:2003 Information Security Management—Implementation Guide for the Health Sector
HB 220:2000 Safety Issues for software
HB 248:2001 Organizational experiences in implementing information security management systems
MP 75:1996 Strategies for the implementation of a Public Key Authentication Framework (PKAF) in Australia

D Sources of data and information for establishing the context

Each contextual issue is listed below with example data and information sources, followed by the internal groups that can contribute.

Geopolitical
• Political structures (e.g. dictatorship vs. liberal democracy): Government web sites, CIA World Factbook, Asia Pacific Foundation. Internal groups: government liaison, o/seas general managers, strategy and policy.
• Political and legal institutions (e.g. development of the rule of law): Government websites, CIA World Factbook, online newspapers, Asia Pacific Foundation. Internal groups: government liaison, o/seas general managers, strategy and policy, security managers.
• Regional and national stability: DFAT website, US State Department website, UK Foreign Office Website, Asia Pacific Foundation. Internal groups: government liaison, o/seas general managers, strategy and policy, security managers, investment, treasury.
• Governance systems: World Economic Forum website, United Nations’ Website, World Bank website, international publications (Economist, London Financial Times, Asia Links, etc), Asia Pacific Foundation, OECD. Internal groups: government liaison, o/seas general managers, strategy and policy, security managers, investment, treasury.
• Government sponsored and other political violence: CIA World Factbook, Rand Corporation, Intelcenter, Asia Pacific Foundation, Terrorism Research Centre, US State Department ‘Patterns of Global Terrorism’. Internal groups: government liaison, o/seas general managers, security.
• International relations (including participation in trading and military blocs, stands on cooperation vs. confrontation, etc): World Economic Forum website, United Nations’ Website, World Bank website, international publications (Economist, London Financial Times, Asia Links, etc), Asia Pacific Foundation, OECD. Internal groups: government liaison, o/seas general managers, strategy and policy, investment, treasury.

Regulatory
• Effectiveness of regulatory regimes: Media analysis (e.g. Australian, Financial Review), political lobbyists, regulators. Internal groups: government liaison, o/seas general managers, strategy and policy, operational areas, security managers, safety, investment, treasury, taxation.
• Existing constraints imposed by existing regulatory regimes: External legal counsel, corporate counsel, organisation’s government liaison specialists. Internal groups: government liaison, o/seas general managers, strategy and policy, operational areas, security managers, safety, investment, treasury, taxation.
• Impacts of changing regulatory regimes: External legal counsel, corporate counsel, organisation’s government liaison specialists, government notices, gazettes, regulatory impact statements. Internal groups: government liaison, o/seas general managers, strategy and policy, operational areas, security managers, safety, investment, treasury, taxation.

Social
• Corruption levels and culture: CIA World Factbook, AsiaLink, international online media, World Economic Forum, World Bank, OECD. Internal groups: government liaison, o/seas general managers, strategy and policy, operational areas, security managers, safety, community relations.
• Disease outbreaks and trends (e.g. AIDS, SARS, Foot and Mouth Disease, etc): World Health Organisation, Centers for Disease Control and Prevention. Internal groups: safety, overseas general managers.
• Social order and stability (including social unrest, civil disobedience, crime levels): CIA World Factbook, local online media, DFAT website (travel advisories), US State Department website (travel advisories), UK Foreign Office Website (travel advisories), local police department and justice department websites, national/federal law enforcement sites. Internal groups: government liaison, o/seas general managers, security managers, investment, treasury.
• Societal infrastructure, welfare and support: CIA World Factbook, government websites (e.g. health and social security sites), online media reports and commentary, OECD. Internal groups: government liaison, o/seas general managers, strategy and policy, operational areas, security managers, safety, investment, treasury.
• Religious influences, including presence and local acceptability of fundamentalism: CIA World Factbook, local online media, DFAT website, US State Department website, UK Foreign Office Website. Internal groups: government liaison, o/seas general managers, strategy and policy, operational areas, security, safety.
• Stability of supply (e.g. food, water, utilities, etc): CIA World Factbook, local online media, DFAT website, US State Department website, UK Foreign Office Website, WHO website, World Economic Forum, OECD. Internal groups: government liaison, o/seas general managers, strategy and policy, operational areas, business continuity.

Economic
• Economic boom vs. recession trends: OECD, Economist, local online media, AsiaLink, ABS, UN Statistics, UN Department of Economic and Social Affairs. Internal groups: government liaison, o/seas general managers, strategy and policy, investment, treasury, commercial, marketing.
• National and regional development: OECD, Economist, AsiaLink, UN Department of Economic and Social Affairs. Internal groups: government liaison, o/seas general managers, strategy and policy, investment, treasury.
• Debt levels: OECD, World Bank, World Economic Forum. Internal groups: government liaison, o/seas general managers, strategy and policy, investment, treasury.
• Productivity, foreign aid: OECD, Economist, local online media, AsiaLink, ABS, AUSAID, UN Department of Economic and Social Affairs. Internal groups: government liaison, o/seas general managers, strategy and policy, operational areas, investment, treasury.

Markets
• Capital availability: UN Department of Economic and Social Affairs, financial media. Internal groups: o/seas general managers, strategy and policy, investment, treasury.
• Price movements: Financial media. Internal groups: o/seas general managers, strategy and policy, commercial, investment, treasury.
• Emerging customer driven trends: Financial media, industry publications. Internal groups: o/seas general managers, strategy and policy, commercial, investment, marketing.
• Buyer and supplier power: Financial media, industry publications. Internal groups: o/seas general managers, strategy and policy, commercial, investment, marketing.
• Market stability: UN Department of Economic and Social Affairs, financial media, industry publications. Internal groups: o/seas general managers, strategy and policy, commercial, investment, treasury, marketing.

Competition
• Existing competitors: Financial media, industry publications, ASX website, ASIC website. Internal groups: o/seas general managers, strategy and policy, commercial, investment, marketing.
• New entrants: Financial media, industry publications, ASX website, ASIC website. Internal groups: o/seas general managers, strategy and policy, commercial, investment, marketing.
• Resource competition: Financial media, industry publications, ASX website, ASIC website. Internal groups: o/seas general managers, strategy and policy, commercial, investment, marketing.
• Acquisitions and mergers: Financial media, industry publications, ASX website, ASIC website. Internal groups: o/seas general managers, strategy and policy, commercial, investment, marketing.

• Competitive positioning (including alliances, partnerships): Financial media, industry publications, ASX website, ASIC website. Internal groups: o/seas general managers, strategy and policy, commercial, investment, marketing.
• Industrial espionage: Financial media, industry publications. Internal groups: o/seas general managers, commercial, security.

Community
• Local community issues: Local media, local government, local community and business associations, local libraries. Internal groups: o/seas general managers, operational, government liaison, corporate/public affairs.
• Lobby and pressure groups: Local media, local government, local community and business associations, local libraries. Internal groups: o/seas general managers, operational, government liaison, corporate/public affairs, security.
• Local planning regimes: Local media, local government, local community and business associations, local libraries. Internal groups: o/seas general managers, operational, government liaison, corporate/public affairs.
• Local business development strategies: Local media, local government, local business associations, local libraries. Internal groups: o/seas general managers, operational, commercial, government liaison, corporate/public affairs.
• Local public and private infrastructure: Local media, local government, local libraries. Internal groups: o/seas general managers, operational, government liaison, corporate/public affairs, building/site management.
• Language and ethnic issues: Local government, local libraries. Internal groups: o/seas general managers, operational, government liaison, corporate/public affairs.
• Land use patterns and industrial development: Local government, local libraries. Internal groups: o/seas general managers, operational, government liaison, commercial.
• Sites of significance: Local government, local emergency services, local libraries. Internal groups: o/seas general managers, operational, government liaison, commercial.
• Natural environment: Local government, government environment, wildlife, agriculture and natural resources’ offices, local media. Internal groups: o/seas general managers, operational, government liaison, building/site management.
• Transport and communications networks: Local government, government transport and roads offices, government and private telecommunications providers. Internal groups: o/seas general managers, operational, government liaison, building/site management.

Contextual issue Example data and information sources


External stakeholders
Unions Internal groups: Industrial relations, human resources.
Shareholders Internal groups: Investment/investor relations.
Major customers/clients Internal groups: Commercial, operational.
Suppliers and contractors Internal groups: commercial, operational, finance.
Government regulators Internal groups: government liaison, compliance management,
operational, safety, building services.
Strategic partners and alliances Internal groups: investment, commercial, strategy and policy.
Media Internal groups: public affairs, operational.
Downloaded by Panjan Navaratnam on 14 Feb 2007. For internal use within SAI Group only. See conditions of use for details.

104 Copyright
HB 167:2006

E Organisational reference sources for establishing the context

In developing the context there will be significant quantities of useful information documented and generally readily available, including:
• Site plans, identifying:
  − general layout,
  − property borders,
  − critical infrastructure, utilities, services, etc,
  − site boundaries and borders,
  − routes into and out of the site,
  − some existing physical security controls (e.g. locations of CCTV units, checkpoints, fences),
  − location of sensitive operations, individuals,
  − public and restricted access areas,
  − emergency equipment (fire fighting, first aid, breathing apparatus).
• Street maps, providing information on:
  − external approaches,
  − collateral exposures (e.g. neighbours, crowd areas, proximity to other higher risk activities or infrastructure),
  − visibility and accessibility of the site,
  − surveillance and overwatch vulnerabilities.
• Policy and procedure documents.
• Legislation.
• Strategic and business plans.
• Internal audit reports.
• Business continuity plans, and test and exercise reviews.
• Risk management reviews.
• Management and Board reports.
• Security breach reports.
• Industry peer security records.
• Broad incident trend data and intelligence from police and national security agencies.
F Security risk management workbook (see footnote 36)

F1 Business case template

Table F1 provides an example of a template that can be used to develop a business case for a security risk management project. It is for illustrative purposes only. Not all parts of the template have to be used; the template should be modified to suit a particular project.
The business case can then be used to develop a specific project plan (see F2 below).

Table F1
Business case template
Background (reason for business case)
  Outline why the project has to be undertaken. Identify the reasons for the request being put forward, e.g. an increase in the number of security incidents at a particular facility or business unit, a shrinkage issue with goods, or a review as a result of an incident at a competitor or partner.
Aims and objectives
  What are the aims for the security risk management project?
  What are the objectives for the security risk management project?
Link to corporate goals and objectives
  The aims and objectives for the security risk management project need to correspond with the corporate goals and objectives.
  What corporate goals and objectives are being met or enhanced by undertaking the security risk management project?
Assumptions
  Detail any assumptions that have been made as part of developing the business case and/or project.
  Include resources supplied by business units, start date, and commitment by senior management to undertake the project.
  Clearly identify the basis for any assumptions made.

Footnote 36: The worksheets within this Workbook are provided as examples only.
Consultation
  List the people and/or organisations that have been consulted while developing the business case and the project.
Deliverables and outcomes
  What are the practical deliverables from the project?
  Projected returns and benefits, including:
  • Tangible (financial) benefits (such as cost savings, for example through reduced revenue leakage or vandalism). For projects with extended duration or payback periods it may also be appropriate to include net present values in the analysis.
  • Intangible (non-financial) benefits (such as improved staff safety, improved quality of decision making, or reduced risk of unauthorised information disclosure).
Scope of activities (overview)
  What is going to be done as part of the security risk management project?
  Broad nature of security risks to be examined.
  Suggested method to examine identified issues.
Methods to complete the project (how will the project be conducted)
  Alternative methods to complete the project and meet the stated aims and objectives. For each option explain how the method will be conducted and the advantages and disadvantages of using it.
  The preferred option should be identified and an explanation prepared on why the option has been selected.
Detailed overview of preferred option
  A detailed explanation of how the security risk management project will be conducted. A detailed analysis of security risks to be examined (e.g. a risk assessment of fraud and revenue leakage exposures).
  Define accountabilities and responsibilities.
  Identify the project/business owner and the senior management sponsor.
  Business locations, functions.
  Critical interdependencies, including the demands that will be made on these interdependencies.
  Duration and timelines for the project.
  Resources required:
  • internal,
  • external.
  Time demands on other areas of the organisation.
  External expertise.
  Equipment.
  Accommodation.
Budget breakdown
  Budget breakdown, including:
  • salaries and on-costs,
  • consultancy fees,
  • software development or purchase,
  • report production, publishing, etc,
  • travel cost,
  • equipment and hardware (purchase or lease),
  • overheads.
Other organisation costs
  Barriers or constraints to other areas of the business.
  Environmental.
  Technology.
  Policy implications.
  Legal implications.
  Insurance.
Recommendation
  Provide a recommendation to the decision maker that they endorse the preferred option, with the scope and estimated costs as indicated in the sections above.

F2 SRM project management template (see footnote 37)

1 Introduction
  1.1 Background/introduction
    • Why is the project being conducted?
2 Business objectives
  2.1 Objectives of the project
    • Detailed objectives and outcomes of the major steps below.
3 Requirements specification
  3.1 General requirements
    • Project Sponsor.
    • Project Manager.
    • Business unit involvement.
  3.2 Contracting considerations (if expert contractors are engaged)
    • Primary contractors.
    • Intellectual property.
    • Project reporting.
    • Variations to cost.
    • Warranty.
    • Rights.
  3.3 Phase (for each phase of the project)
    • Objective of the phase.
    • The steps involved.
    • The outcomes of the phase.
    • Organisational resources that will be allocated to the project team.
    • The project team’s roles and responsibilities.
    • Reporting requirements for the phase.
4 Project deliverables and milestones
  4.1 Project reporting
    • How will the project team report to the organisation?
    • What information the project team will provide.
    • Status of the project.
    • Percentage completed.
    • Expected deliverables.
    • Issues for note or action.
  4.2 Deliverables and milestones
    • Tables listing the deliverables and receivables that are required to meet the objectives of the project.
5 Project budget and administration
  5.1 Budget
    • Staff resources.
    • Contract resources.
    • Sources of funds.
  5.2 Administration
    • Change control.
    • Resources and payment plan linked to deliverables.
    • Resource constraints.
    • Critical success factors.
6 Roles and responsibilities
  6.1 Responsibilities
    • Approvals for budget.
    • Sign off phases.
    • Acceptance and implementation of recommendations.
  6.2 Project hierarchy
    • Chief Executive.
    • Project Steering Committee.
    • Project Manager.
    • Project Team(s) reporting to the Project Manager.
  6.3 Service provider/contractor responsibilities
    • Expectations and deliverables of the service provider.

Footnote 37: Based on the Project Initiation Section in the Australian National Audit Office, Business Continuity Management—Keeping the Wheels in Motion Workbook, 2000.
F3 Developing the context template (with some examples)

Columns for each row: Known (What do I know?) | Unknown (What do I not know?) | Information needs (What do I need to know?)

Strategic context
Political (international, national and regional)
  Known: E.g. The current political environment in the region we are operating in is stable. Most countries have a stable political structure and have a dominant party(s). The major political parties are….
  Unknown: E.g. Changes in the hierarchy of the opposition parties.
  Information needs: E.g. Determine the structure of the political parties and the people with direct influence on my activities.
Economic
  Known: E.g. X country was heavily influenced by XXX. There is a strong affiliation with X – still using the Franc as its currency.
Geographical
  Known: E.g. The geographical conditions that the organisation is operating in. Access to transportation routes, shipping, airfields. Geographical conditions to undertake operations – soil conditions, terrain, location of infrastructure, communities, etc.
Cultural
  Known: E.g. There are X number of ethnic groups within the country. They are …..
Competition
  Known: E.g. There are two other XXX companies operating in the country. They are located…
Community
Regulatory/Legislative
Stakeholders

Operational context
Organisational objective for operations in the current location
Organisational ‘risk management’ frameworks
Organisational structure in the location being assessed
Corporate structure to support security risk management process
Interdependencies and dependencies of the business process
Organisational culture
Industrial relations
Organisational goals and objectives

Security risk context
Threat levels (national, regional, local or organisational)
Previous security incidents (e.g. vandalism, sabotage, theft, malicious damage, hacking)
Current security incidents (e.g. vandalism, sabotage, theft, malicious damage, hacking)
Current security measures in use (people, property and information)
Location of people
Location of sites
Criticality of what the organisation is doing
Resources used to provide current security
Areas excluded from the review
Time constraints for security risk management review to be completed
F4 Information collection worksheet

Enter a description of each information gap you have identified into this table. The Information Collection Worksheet is then used to determine who can provide the information required, when it is required by and in what format. To ensure that you obtain the correct information, pose each information requirement as a question. The questions should start with Who, What, When, Where, Why or How.

Information requirement for:

Columns: Information needs (What do I need to know?) | Information request (The question I need to ask) | Information provider (Who can provide the information?) | Reliability and accuracy of information provided (see footnote 38) | Information required by

E.g. determine the structure of the political parties and the people with direct influence on my activities.
  Information request:
  • What is the current hierarchy of the political parties in country/region X?
  • Who are the major members of the parties?
  • What are the major political statements made that could impact on my organisation and its activities?
  Information provider:
  • Political party.
  • Newspapers.
  • Politicians.
  • Diplomats.
  • Industry associations.
  Reliability and accuracy: B3
  Required by: 23 June XXXX

E.g. determine the financial, legal and operational viability of Company X as part of the due diligence process.
  Information request:
  • What is the current financial solvency of Company X?
  • When was Company X established?
  • Who has financial/non-financial interests in Company X?
  • What is Company X’s history with similar contracts?

Footnote 38: Based on the Admiralty Scale, where the reliability and accuracy of information is judged. The information that is received to complete the security risk management process should be assessed using the Admiralty Scale, so that misleading or false information can be discounted or assessed as to why it was provided.
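The worksheet grades each item of information with an Admiralty code (a reliability letter A to F and a credibility digit 1 to 6, e.g. the "B3" above) and footnote 38 says the grading should drive whether the item is used, discounted, or queried. The following Python is an added example, not part of HB 167 or its workbook: it validates and decodes such codes, applies a triage rule to a small information register, and rejects malformed gradings instead of letting them through as usable. The letter and digit meanings are the standard Admiralty definitions; the triage thresholds, the function names and the sample register are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Admiralty grading: a letter for source reliability and a digit for
# information credibility, written together as e.g. "B3".
RELIABILITY = {
    "A": "completely reliable",
    "B": "usually reliable",
    "C": "fairly reliable",
    "D": "not usually reliable",
    "E": "unreliable",
    "F": "reliability cannot be judged",
}
CREDIBILITY = {
    "1": "confirmed by other sources",
    "2": "probably true",
    "3": "possibly true",
    "4": "doubtful",
    "5": "improbable",
    "6": "truth cannot be judged",
}
_GRADE = re.compile(r"^([A-F])([1-6])$")


@dataclass(frozen=True)
class Grade:
    reliability: str  # "A".."F"
    credibility: str  # "1".."6"

    def describe(self) -> str:
        return f"{RELIABILITY[self.reliability]} source; {CREDIBILITY[self.credibility]}"


def parse_grade(code: str) -> Grade:
    """Validate and parse a grading such as 'B3' (case-insensitive).
    Anything else is rejected rather than silently treated as usable."""
    m = _GRADE.match(code.strip().upper())
    if m is None:
        raise ValueError(f"not an Admiralty grading: {code!r}")
    return Grade(m.group(1), m.group(2))


def triage(code: str) -> str:
    """Map a grading to an action. The thresholds are an assumption for
    this example, not part of HB 167:
      use         - reliable source (A/B) and content confirmed/probable (1/2)
      discount    - doubtful/improbable content (4/5) or an unreliable source (E);
                    record why it was provided before dropping it
      corroborate - everything else, including F/6 (cannot be judged yet)
    """
    g = parse_grade(code)
    if g.credibility in ("4", "5") or g.reliability == "E":
        return "discount"
    if g.reliability in ("A", "B") and g.credibility in ("1", "2"):
        return "use"
    return "corroborate"


def triage_register(items):
    """items: iterable of (description, grading). Returns {action: [descriptions]}
    so the analyst sees at a glance what still needs a second source."""
    out = {"use": [], "corroborate": [], "discount": []}
    for description, code in items:
        out[triage(code)].append(description)
    return out


# Constructed sample register. The first two gradings are the ones shown on
# worksheets F4 and F7; the remaining rows are invented for this example.
SAMPLE_ITEMS = [
    ("Structure of the political parties in country/region X", "B3"),
    ("Activist group manifesto and forced-entry capability", "A5"),
    ("Company X solvency, taken from its own press release", "C3"),
    ("Anonymous tip-off about a planned break-in", "F6"),
    ("Police bulletin on the regional break-in trend", "A1"),
]

if __name__ == "__main__":
    for desc, code in SAMPLE_ITEMS:
        print(f"{code} ({parse_grade(code).describe()}): {triage(code):11s} {desc}")
```

The "discount" bucket is deliberately not a silent drop: a completely reliable source reporting something improbable (A5) is exactly the case footnote 38 says should be assessed for why it was provided, so the register keeps the description rather than deleting it.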

F5 Criticality and vulnerability assessment worksheet (see footnote 39)

Columns: Asset | Location and owner | Risk scenario | Criticality description | Criticality rating | Vulnerability description | Vulnerability rating | Overall ranking

Information asset: component supply contracts
  Location and owner: Engineering plant 4, COO office safe. Owner: Chief Operating Officer.
  Risk scenario: Unauthorised release to competitor.
  Criticality:
    To organisation: High. Loss of competitive advantage circa $15m over 4 years in market. Loss of 4 supply contracts, immediate $6m.
    To community: Negligible. Nil.
    To individual: Negligible. Nil.
    Overall rating is HIGH.
  Vulnerability:
    To organisation: Moderate. Operation’s locations are well known to local communities and are identifiable from within the local geographic area.
    To community: Moderate. Attracts occasional media interest.
    To individual: Negligible. Nil.
    Overall rating is MODERATE.
  Overall ranking: MEDIUM

Property asset: dangerous goods inventory
  Location and owner: Northern Chemicals storage warehouse. Owner: Vice President Manufacturing (South East Region).
  Risk scenario: Accidental or malicious release to atmosphere of stored chlorine gas.
  Criticality:
    To organisation: Moderate. Loss of production capability for 1 week. Loss of site access for 48 hrs. Loss of $1m inventory.
    To community: Extreme. Evacuation of 5000+ homes. 10+ deaths. 200+ hospitalised.
    To individual: Extreme. 5+ worker deaths. 10+ hospitalised.
    Overall rating is EXTREME.
  Vulnerability: (left blank in the worksheet example)
  Overall ranking: (left blank in the worksheet example)

Footnote 39: Refer to criticality and vulnerability rating tables in Appendix I.
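The worksheet rolls three stakeholder ratings (organisation, community, individual) up to one criticality rating and one vulnerability rating, then combines the two into an overall ranking. The following Python is an added example, not code from HB 167: it reproduces that roll-up for the two rows above and orders the assets for treatment. Two points are taken from the worksheet itself: the overall rating is the worst of the three stakeholder ratings (High/Negligible/Negligible gives HIGH; Moderate/Extreme/Extreme gives EXTREME), and High criticality with Moderate vulnerability gives MEDIUM. Everything else is an assumption: the "Low" level, the combination bands (the real tables are in Appendix I and are not reproduced here), and the function names. The chlorine row has no vulnerability assessment yet, and the example keeps it visible as unranked rather than letting it sink to a LOW ranking by default.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Rating vocabulary as used on worksheet F5; "Low" is assumed to sit between
# Negligible and Moderate. Index order is severity order.
LEVELS = ["Negligible", "Low", "Moderate", "High", "Extreme"]
STAKEHOLDERS = ("organisation", "community", "individual")
RANK_ORDER = ["LOW", "MEDIUM", "HIGH", "EXTREME"]


def level_index(level: str) -> int:
    try:
        return LEVELS.index(level.strip().capitalize())
    except ValueError:
        raise ValueError(f"unknown rating level: {level!r}") from None


def worst(ratings: dict[str, str]) -> str:
    """Overall rating across stakeholders is the single worst rating, as in
    the F5 rows. A missing stakeholder is an error, not an implicit Negligible."""
    missing = [s for s in STAKEHOLDERS if s not in ratings]
    if missing:
        raise ValueError(f"rating missing for {missing}")
    return max((ratings[s] for s in STAKEHOLDERS), key=level_index)


def overall_ranking(criticality: str, vulnerability: str) -> str:
    """Assumed illustrative combination (Appendix I tables not reproduced here).
    Bands are chosen so High + Moderate gives MEDIUM, matching the F5 example."""
    score = level_index(criticality) + level_index(vulnerability)  # 0..8
    if score >= 8:
        return "EXTREME"
    if score >= 6:
        return "HIGH"
    if score >= 3:
        return "MEDIUM"
    return "LOW"


@dataclass
class AssetAssessment:
    asset: str
    criticality: dict[str, str]
    vulnerability: Optional[dict[str, str]] = None  # None = not yet assessed


def assess(a: AssetAssessment) -> dict:
    crit = worst(a.criticality)
    if a.vulnerability is None:
        return {"asset": a.asset, "criticality": crit, "vulnerability": None, "ranking": None}
    vuln = worst(a.vulnerability)
    return {"asset": a.asset, "criticality": crit, "vulnerability": vuln,
            "ranking": overall_ranking(crit, vuln)}


def prioritise(assets: list[AssetAssessment]) -> list[dict]:
    """Ranked assets first (highest ranking first). Assets with no vulnerability
    assessment follow, ordered by criticality, so the gap stays visible."""
    results = [assess(a) for a in assets]

    def key(r: dict):
        if r["ranking"] is None:
            return (0, level_index(r["criticality"]))
        return (1, RANK_ORDER.index(r["ranking"]))

    return sorted(results, key=key, reverse=True)


# The two rows from worksheet F5, transcribed as constructed sample input.
CONTRACTS = AssetAssessment(
    "Component supply contracts",
    criticality={"organisation": "High", "community": "Negligible", "individual": "Negligible"},
    vulnerability={"organisation": "Moderate", "community": "Moderate", "individual": "Negligible"},
)
CHLORINE = AssetAssessment(
    "Dangerous goods inventory (stored chlorine)",
    criticality={"organisation": "Moderate", "community": "Extreme", "individual": "Extreme"},
)

if __name__ == "__main__":
    for r in prioritise([CHLORINE, CONTRACTS]):
        print(r)
```

Substituting the organisation's own Appendix I tables for the assumed bands in overall_ranking is the only change needed to make the roll-up match the worksheet exactly.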

F6 Threat sources identification and assessment (see footnote 40)

Columns: Threat source (external or internal, general or specific, needs to be identified) | Act | Event | Impact

Threat source: E.g. disaffected employee (current or former), contractors
  Act: E.g. malicious damage, sabotage, vandalism, arson
  Event: E.g. key manufacturing plant equipment damaged. Fires lit in stores area.
  Impact: E.g. loss of production quality or quantity, contamination, asset damage
Threat source: E.g. competitor
  Act: E.g. industrial sabotage, targeted hiring of key staff
  Event: E.g. intellectual property stolen and used to outbid organisation in competitive tender for government services.
  Impact: E.g. loss of market share, financial loss
Threat source: E.g. community, activist groups
  Act: E.g. selective acts of malicious damage
  Event: E.g. perimeter fences cut, access gained to exterior of main buildings. Slogan graffiti sprayed on walls, minor vandalism to external structure.
  Impact: E.g. nuisance value, increased media attention and some potential for moderate reputational harm

Footnote 40: Details taken from information obtained when developing the context (strategic, operational and security).
F7 Threat assessment worksheet

Columns: Critical asset (see footnote 41) | Threat source | Threat scenario | Intent (What does the threat want to achieve?) | Capability (Can the threat do what they say?) | Threat level | Data and information reliability and accuracy (see footnote 42)

Critical asset: E.g. animal breeding facility
  Threat source: Malicious: animal rights activist group
  Threat scenario: After hours break-in, release and removal of breeding stocks, vandalism of facility
  Intent: General threat: public manifesto of intent to halt operations of facilities of these types. Specific threats: letters to shareholders promoting future direct action against the company. Weekly vandalism by group against company assets. Level: HIGH
  Capability: Group known to have active presence and significant support base in surrounding communities. Possesses experience and equipment to effect forced entry (evidenced by history of previous attacks on similar facilities in region). Level: HIGH
  Threat level: HIGH
  Data and information reliability and accuracy: A5
Critical asset: E.g. implementation manager for software application
Critical asset: E.g. international/national communications node

Footnote 41: Prioritised critical assets as identified in the criticality assessment.
Footnote 42: Based on the Admiralty Scale, where the reliability and accuracy of information is judged. The information that is received to complete the security risk management process should be assessed using the Admiralty Scale, so that misleading or false information can be discounted or assessed as to why it was provided.
F8 Security risk assessment worksheet

Threat:

Columns: Risk (full description) | Consequence (see footnote 43) | Likelihood (see footnote 44) | Control effectiveness (see footnote 45): Deter, Delay, Detect, Respond, Recover | Risk rating

Footnote 43: The consequence of a security risk can usually be expressed as a measure of financial loss, stakeholder/community impact, reputational damage, loss of operational capability, or health and safety implications.
Footnote 44: The likelihood refers to the chance or probability of a security incident occurring that would result in the particular consequence determined.
Footnote 45: Should be assessed using the concepts of Deter, Delay, Detect, Respond and Recover.
F9 Strategic security risk management activities plan

Columns (for each of the four sub-tables): Objectives | Strategy/Actions | Outcomes | Stakeholders | Resource allocation/responsibility | Timetable | Reporting/monitoring mechanism | Performance indicators

General
  Objective: E.g. to ensure management commitment to the policies and principles of good security risk management practices

People
  Objective: E.g. to raise staff and contractor awareness of the security risk management practices

Property
  Objective: E.g. to provide staff and contractors with a safe and secure working environment
  Objective: E.g. to ensure that an extensive and up to date Business Continuity Plan is developed and maintained

Information
  Objective: E.g. to ensure the access, storage and integrity of information (hardcopy and electronic) is in accordance with policies and procedures
F10 Security risk management controls assessment checklist (Example 1) (see footnote 46)

Facility name:
Location:
Contact details:
Date of review:
Date of next review:

Organisation/asset/facility information
Critical assets: People | Property | Information

For each security measure record: Description | Control rating | Vulnerabilities | Proposed security improvements

Management
  Visible management support for security
  Relationships with local emergency services
  Relationships with other business functions and security
  Responsibility for facility security
  Incident reporting and analysis
Property
  Perimeter barriers and fencing
  Precinct entry and exit points
  Tenancy entry and exit points
  Emergency exit points
  Internal access controls
  Access to building systems controls
  Window entry points
  Ventilation/air conditioning systems control
  Car park arrangements
  Sensitive area access restrictions
  Perimeter lighting
  External precinct lighting
  Internal lighting
  Emergency lighting
  Line of sight occlusions – external approaches
  Visitor sign-in
  Visitor identification
  Visitor escort
  Reception set up
  Contractors
  Public access
Surveillance and monitoring
  External surveillance and monitoring systems
  Internal surveillance and monitoring systems
  UPS or backup power supplies
  Mobile security patrol
  Standing security patrol
  On call security
  Documented guard post/patrol orders and processes
  Essential communications equipment
  Security hotline availability
  Stranger challenge
Asset security
  Asset identification
  Secure storage of assets
  Asset movement control
  Asset retirement control
  Financial – cash handling systems
  Off site management of assets
Building maintenance and repair
  State of external repair
  State of internal repair
  Maintenance schedule
  Backup systems
  Fire detection and suppression systems
  Hygiene matters
  Access to plans, technical drawings, etc
Building: proximity exposures
  Neighbouring premises
  Transport systems
  Special hazards (dangerous goods, flammable storage etc)
Review and audit
  Access record review
  Conduct of threat and security assessments
  Periodic review of access authorisations
  Periodic review of IT user authorisations
Personnel security
  Conduct of background checks on employees
  Conduct of background checks on contractors
  Employee awareness of security issues
  Defined responsibilities for security issues
  Awareness of violence in the workplace indicators and management
  Capability for intervention management for potential violence in the workplace
  Provision of security advisories to staff
  Training in crisis/emergency management
  Disciplinary policies
  Identification policies and procedures
  Staff exit procedures
  Security awareness
  On site attendance monitoring
  Use of travel threat assessments
Local information security (see footnote 47)
  Secure document control and storage
  Use of information security classification
  Clean desk policy and practice
  Document disposal and destruction
  IT systems password protection
  Information release authorisation
  Off site storage of information
Policy and procedure controls
  General security policies and procedures
  Key control policies and procedures
  Access control policies and procedures
  Incident response policies and procedures
  Incident and issue reporting policies and procedures
  Identification card loss and reporting policies and procedures
  Emergency evacuation policies and procedures
  Security test and audit procedures
  Policies and procedures for managing unlawful incidents
  Visitor policy and procedures
  Mail handling procedures and controls
  Bomb threat policies and procedures
  Intruder/trespasser policies and procedures

Footnote 46: The checklist provides examples of criteria to be examined. This checklist will need to be customised to meet different contexts. The use of additional criteria should be considered for each assessment.
Footnote 47: A more comprehensive list is contained within HB 231:2004 Information security risk management guidelines.

Consolidated summary of security measures (see footnote 48)
Columns: People | Property | Information | Deficiencies
  Defensive factors
  People factors
  Local environment factors
  Organisational factors
  Socio-political factors

Footnote 48: The review should be used to ensure that there is a layered approach to the components of security risk management: people, property and information.

Security control effectiveness ratings
  Excellent: All key security risks are efficiently and effectively managed. Controls are optimal to meet the level of security risk.
  Good: Majority of key security risks are effectively managed. Small improvements in controls are possible.
  Adequate: Priority security risks are managed effectively. Control improvements are recommended.
  Long term requirement (symbol —): Security risks are managed currently, but sustainable effectiveness is questionable in the long term. Significant control improvements are needed in the long term.
  Immediate requirement (symbol X): Poor management of security risks is occurring. Controls fail repeatedly, or imminent failure is likely; significant improvement is required in the near future.
  Non-existent (symbol XX): No effective management of security risks is occurring. Controls are incapable; introduction of controls is required immediately.
  ? (symbol): Indicates that further validation is required before a rating can be provided.
F11 Security survey worksheet (Example 2)


The aim of the survey is to provide a method of determining what are the critical assets, functions or processes within a site or
facility that may require additional security control measures being implemented. Remember, the site should be reviewed from
the beginning of its process to its completion point.
The Sections marked ‘Yes’ and ‘No’ should be used to assist in identifying what assets or functions are currently available at the
site. If ‘Yes’ is marked, provide more detailed information. If any supporting information is available (photos, map, plans,
diagrams) include them in a folder to support the information obtained during the survey.
General and site information

Date of survey:
Person conducting survey:
Person contact details: Telephone / Mobile / Facsimile
Facility owner:
Facility name:
Type of facility:
Description / function of facility:
Latitude and longitude:
Street map reference:

Location

Physical address:
Postal address:
Description of location and environment (visibility, rural, regional, metropolitan, suburbia):
Areas adjacent to boundaries of the facility:

Present state of security (record Yes / No and Details for each item)

Existing security, SOP or contingency plans (references to plans should be listed, or plans attached as a separate document)
Entry points into facility (main and secondary entry points should be listed and related to a map of the facility/site)
Other means of entering facility (what other ways can the facility/site be entered or exited)
Security manager / management
Security personnel:
  − Own personnel
  − Security company
  − Other
Security patrols
Access control:
  − Security passes
  − Electronic systems
  − Visitor control
Outer fencing:
  − Fence type
  − Condition
  − Gates
  − Gate locking mechanisms
Inner fencing:
  − Fence type
  − Condition
  − Gates
  − Gate locking mechanisms
Lighting (this should include security lighting, perimeter lighting and other specialist lighting):
  − Type
  − Number
  − Location
  − Adequacy
Intruder alarm systems:
  − Type
  − Number
  − Location
  − Adequacy
Key security:
  − Types of keys
  − Number of keys
  − Location of keys
  − Key management
Other security measures
Information technology (49):
  − Location of servers
  − Location of data centre(s)
  − External and internal security measures
  − Critical IT equipment and processes
  − Entry and exit points of data lines to facility
  − Number of desktops and ancillary equipment
  − Disaster recovery plans (developed, reviewed and tested)
  − Own people access to systems
  − Contractor access to systems
Staff (roles and responsibilities):
  − Permanent
  − Part time staff
  − Casual
  − Contractors (long term and short term)
  − Cleaners
Storage of critical items or dangerous items:
  − Type of dangerous items (chemical, explosive, biological, etc)
  − Location of facility(ies)
  − Amount of dangerous items
  − Description of storage facility
  − Security measures used to protect dangerous items
  − Date of last inspection of dangerous items and storage facility

49 A more comprehensive list is contained within HB 231:2004 Information security risk management guidelines.

Communications used at facility:
  − Telephone
  − Switchboard
  − Radio
  − Other (microwave, HF, VHF, satellite, etc)
  − Entry and exit point of telecommunications cable into facility
Contact details for emergency services:
  − Police
  − Fire
  − Ambulance
  − Emergency services
  − Armed forces
  − Other

Current security issues (record Details)

Current security issues (including graffiti, vandalism, etc)
Future development of adjacent sites

Supporting resources (record Yes / No and Details for each item)

Dependence on, and interdependence with, essential services, including name of provider, entry and exit point to site, size of cabling, major road names, etc:
  − Water
  − Electricity
  − Gas
  − Telecommunications
  − Information technology
  − Transport
  − Emergency services
Other inputs to and outputs from asset, facility or network
Other businesses operating from the environs of the facility or site

Asset assessment
For each asset in the categories below, record:
  − the function(s) of the identified asset;
  − the location of the asset;
  − the impact of the loss of the asset;
  − how long the asset can be out of operation;
  − where alternates are located;
  − how long before an alternate is available and operational.

Critical assets (those assets that are vital to the overall operation of the facility or site)
Supporting assets (those assets that are important to the overall operation of the facility or site)
Other assets

F12 Example treatment plan template

Business unit/function: Manufacturing
Location: Plant B, 2140 Main Street
Date of risk review: 27th July 200x
Treatment planning conducted by: John Jones, Senior Manager, Component Manufacturing (Date: 15 August 200x)
Treatment planning approved by: Jane Doe, Deputy General Manager Plant B (Date: 17 August 200x)

Part 1: Treatment selection

Risk: Vandalism resulting from fence breach

Treatment objectives (in priority order):
  1. Reduce likelihood of fence breach.
  2. Improve likelihood of detection of breach.

Options, with cost benefit analysis outcome (accept / reject):
  − Repair existing fencing: Accept
  − Replace with heavy gauge fencing: Reject
  − Introduce motion detectors: Reject
  − Introduce CCTV on fence lines: Accept
  − Increase frequency of security patrols: Accept

Treatment strategy | Completion by (date) | Interdependencies with other risks and treatment plans | Responsibility for implementation
  − Engage contractors to repair perimeter fences | Within 4 weeks | Nil | Simon Templar, Maintenance Manager
  − Engage security consultant to identify CCTV technical requirements, siting and solutions | Within 2 months | IT server room introduction of CCTV | Will Gaytes, IT&T Manager

Part 2: Detailed treatment action plan

Business unit/function: Manufacturing
Location: Plant B, 2140 Main Street
Risk: Vandalism resulting from fence breach
Treatment strategy: Introduce CCTV monitoring of perimeter fence

Actions | Milestones and key performance indicators | Resources | Dependencies | Implementation responsibility

1. Select and appoint security consultant | Consultant selected within 2 weeks | Purchasing officer to undertake selection (availability for 4 hrs x 5 days) | Nil | Alice-ann Vonerlind, Manager Purchasing
2. Review of CCTV requirements undertaken | Review completed and report delivered by week 4 | $x,000 budget for consultancy | Action 1 | Will Gaytes, IT&T Manager
3. Recommendations to Plant B management | Recommendations delivered and agreed by end of week 4 | 6 hrs for preparation and meeting by IT&T Manager | Action 2 | Will Gaytes, IT&T Manager
4. Appoint provider for implementation of CCTV recommendations | Provider appointed by end of week 5 | Purchasing officer to undertake selection (availability for 4 hrs x 5 days) | Action 3 | Alice-ann Vonerlind, Manager Purchasing
5. Install and commission CCTV | Commissioning completed by end of week 8 | IT technician to supervise contract (2 hrs x 15 days); $x,000 for contract | Action 4 | Will Gaytes, IT&T Manager
6. Report to Plant B management team | Reports provided to management team by:
   − End of week 2: consultant appointment | 1 hour: Purchasing Manager | Action 1 | Alice-ann Vonerlind, Manager Purchasing
   − End of week 4: CCTV recommendations | 1 hour: IT&T Manager | Actions 2 and 3 | Will Gaytes, IT&T Manager
   − End of week 5: provider recommendations | 1 hour: Purchasing Manager | Action 4 | Alice-ann Vonerlind, Manager Purchasing
   − Week 9: project completion assessment | 1 hour: Purchasing Manager | Action 5 | Will Gaytes, IT&T Manager

G The Admiralty System

The Admiralty System provides a means of rating the validity and veracity (and hence usefulness) of information being used for security risk assessment. It is in common use in one form or another in the majority of western intelligence and security services, and is a useful tool for more routine use in public and private sector security risk management.

The system uses a grading approach where key information is assigned an alphanumeric grading based upon the reliability of the information source ('Reliability') and the accuracy of the information presented ('Accuracy'). The 'reliability' is assessed on criteria such as the previous quality of information supplied by the source, and the situation, location and access of the source at the time that the information was collected. The 'accuracy' is assessed on an actual or perceived relative measurement of each item of information received. This can be based upon a comparison of the supplied information with other confirmed facts, with other previously received (but not necessarily confirmed) information, or with trends or patterns of other events or threats.

Reliability                          Accuracy
A  Completely reliable               1  Confirmed by other sources
B  Usually reliable                  2  Probably true and accurate
C  Fairly reliable                   3  Possibly true and accurate
D  Not usually reliable              4  Doubtful
E  Unreliable                        5  Improbable
F  Cannot be judged or assessed      6  Cannot be judged or assessed
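As an added worked example, not part of HB 167 or its authors' material, the following Python encodes the two scales above, validates gradings such as 'B2', and combines several reports of the same claim into one grading so that a list of incoming items can be triaged. The corroboration rule it applies is an assumption chosen for illustration, not a rule the Handbook states: two or more distinct sources graded A to C make an item 'confirmed by other sources' (accuracy 1); an item held by a single source is rated no better than 2, since accuracy 1 by definition needs another source; and sources graded F are used only when no judged source exists. The reports are constructed sample data.

```python
from dataclasses import dataclass

# The two Appendix G scales.
RELIABILITY = {"A": "Completely reliable", "B": "Usually reliable",
               "C": "Fairly reliable", "D": "Not usually reliable",
               "E": "Unreliable", "F": "Cannot be judged or assessed"}
ACCURACY = {1: "Confirmed by other sources", 2: "Probably true and accurate",
            3: "Possibly true and accurate", 4: "Doubtful",
            5: "Improbable", 6: "Cannot be judged or assessed"}
# Assumption for this example: only sources of these grades can corroborate.
CORROBORATING = {"A", "B", "C"}


def parse_grade(code):
    """Validate a grading such as 'B2' and return ('B', 2)."""
    code = code.strip().upper()
    if (len(code) != 2 or code[0] not in RELIABILITY
            or not code[1].isdigit() or int(code[1]) not in ACCURACY):
        raise ValueError(f"not an Admiralty grading: {code!r}")
    return code[0], int(code[1])


@dataclass(frozen=True)
class Report:
    source: str   # who supplied the item
    claim: str    # the item of information
    grade: str    # grading given when the item was received, e.g. 'B2'


def combined_grade(reports, claim):
    """Combine every report of one claim into a single grading.

    Rules (an assumption layered on the Appendix G scales, not something the
    Handbook prescribes):
      * reliability is that of the most reliable judged (A-E) source, or 'F'
        if the claim has only unjudged sources;
      * two or more distinct corroborating sources make the item 'confirmed
        by other sources' (accuracy 1);
      * otherwise the accuracy is the one given by the most reliable source,
        capped at 2 because accuracy 1 by definition needs another source.
    """
    graded = [(parse_grade(r.grade), r.source) for r in reports if r.claim == claim]
    if not graded:
        raise KeyError(claim)
    judged = [item for item in graded if item[0][0] != "F"]
    pool = judged or graded
    best_rel = min(rel for (rel, _acc), _src in pool)     # 'A' sorts before 'B'
    corroborators = {src for (rel, _acc), src in pool if rel in CORROBORATING}
    if len(corroborators) >= 2:
        acc = 1
    else:
        acc = max(min(a for (rel, a), _src in pool if rel == best_rel), 2)
    return f"{best_rel}{acc}"


def triage(reports):
    """Grade every claim and return (claim, grade) pairs, best graded first."""
    grades = {c: combined_grade(reports, c) for c in {r.claim for r in reports}}
    return sorted(grades.items(), key=lambda kv: (kv[1][0], int(kv[1][1])))


# Constructed sample reports (not real incident data).
SAMPLE = [
    Report("CCTV operator", "fence cut at NE corner", "A2"),
    Report("guard patrol log", "fence cut at NE corner", "B3"),
    Report("contractor", "vehicle loitering at gate 2", "C3"),
    Report("anonymous tip", "vehicle loitering at gate 2", "F3"),
    Report("open forum post", "protest planned at site on Saturday", "D2"),
    Report("unattributed email", "server room door propped open", "F3"),
]

if __name__ == "__main__":
    for claim, grade in triage(SAMPLE):
        print(f"{grade}  {claim}  "
              f"({RELIABILITY[grade[0]]}; {ACCURACY[int(grade[1])]})")
```

Run as a script it lists the four claims as A1, C3, D2 and F3: the fence cut is corroborated by two judged sources, the loitering vehicle keeps the contractor's grading because the anonymous tip cannot corroborate, and the unattributed email stays 'F' because nothing allows its source to be judged. Whatever rule an organisation adopts for combining gradings, the point of writing it down is that the same two reports then always produce the same grade, whoever is on shift.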

H Terrorism definitions

Terrorism has proven to be very difficult to define. The adage 'one man's terrorist is another's freedom fighter' still holds true. A number of different accepted definitions of terrorism are given below:

'premeditated, politically motivated violence perpetrated against non-combatant targets by sub-national groups or clandestine agents, usually intended to influence an audience'.50

'the unlawful use of force or violence against persons or property to intimidate or coerce a government, the civilian population, or any segment thereof, in furtherance of political or social objectives'.51

'the unlawful use of, or threatened use of, force or violence against individuals or property to coerce or intimidate government or societies, often to achieve political, religious, or ideological objectives'.52

An analysis of the key words used in 109 definitions of terrorism (based on work conducted by Schmid, 1988, quoted in Hoffman, 1998) illustrates the wide variety of views on the composition of terrorism.

50 US State Department.
51 US Federal Bureau of Investigation.
52 US Department of Defense.

FIGURE H1 COMMON DEFINITIONAL ELEMENTS OF TERRORISM
[Bar chart, not reproduced here. Vertical axis: frequency (%), 0 to 90. Definitional elements plotted, most frequent first: violence/force; political; fear; threat; effects and reactions; victim/target; purposive; modus; extranormality; coercion/extortion; publicity; randomness; civilian victims; intimidation; innocence of victims; group organisation; symbolic; unpredictability; clandestine; repetitive violence; criminal; demands made.]

I Example vulnerability rating matrices

I1 Visibility rating

The matrix rates visibility for an individual, an organisation (53) and a community at each vulnerability level.

Very high
  Individual:
    • Regular heavily publicised public appearances.
    • Constant high profile media presence.
    • Well known across multiple communities.
    • Is readily recognisable nationally/internationally.
  Organisation:
    • Internationally recognised brand or image, regarded as the international leader or archetype of its industry or group.
    • Aggressively and continuously promotes brand.
    • Regarded as iconic internationally.
    • Name and images used daily by a wide variety of media outlets, including internationally.
    • Operation's locations are instantly recognisable (e.g. by significant high profile advertising) and well known to the majority of the population.
    • Detailed information on the organisation is available from a wide variety of sources (books, internet, press, etc).
  Community:
    • Highly vocal and activist community.
    • Attracts continuous significant media interest.
    • Recognised as the most influential community of its type.
    • Location of the community is well known internationally.
    • Community has an international iconic status.

High
  Individual:
    • Regular public appearances to broad general audiences.
    • Regular appearances in the media.
    • Is well known across the local community.
  Organisation:
    • Recognised nationally or within all major population centres, regarded as one of the leaders in its industry or group.
    • Actively and continuously promotes brand.
    • Regarded as a national or state icon.
    • Name and images used regularly (e.g. weekly) by national media outlets, with occasional international references.
    • Operation's locations are well known publicly, and are easily identifiable.
  Community:
    • Significantly vocal and active community.
    • Attracts regular media interest.
    • Recognised as an influential community of its type.
    • Location of the community is fairly well known nationally.
    • Community is held as an icon by some groups nationally.

Moderate
  Individual:
    • Occasional public appearances to specialist audiences (e.g. conferences). Occasional media coverage.
    • Professional associations are available in the public domain.
    • Is well known within a number of areas of the organisation/community.
  Organisation:
    • Passing recognition within some major population centres, regarded as one of the 'players' in its industry or group.
    • Regularly promotes brand.
    • Regarded as a local icon.
    • Name and images used regularly by local media outlets, with occasional national references.
    • Operation's locations are well known to local communities and are identifiable from within the local geographic area.
  Community:
    • Occasionally vocal and active community.
    • Attracts occasional media interest.
    • Locally recognised as an influential community of its type.
    • Existence and location of the community is fairly well known locally.
    • Community is held as an icon by some groups nationally.

Low
  Individual:
    • Has almost no public profile.
    • Some personal details available via public database search.
    • Is recognised within organisation or community, but little information known.
  Organisation:
    • Largely unknown outside of the local geographic area, has some recognition within its industry or group.
    • Occasional promotion of brand.
    • Has little iconic status.
    • Name and images used occasionally by local media outlets.
    • Operation's locations are well known to a proportion of the local community, largely unknown outside of the local geographic area.
  Community:
    • Rarely vocal community.
    • Rarely attracts media or public interest.
    • Largely unregarded or unknown by similar communities of its type.
    • Location of the community is only known within the local geographic area.
    • Community has little iconic status.

Very low
  Individual:
    • Details, role and identity unknown to the public.
    • Personal details completely unknown to third parties.
    • Has very low profile within organisation; the majority of staff would be unaware of existence.
  Organisation:
    • Largely unknown within the local geographic area, little recognition within its industry or group.
    • Little promotion of brand.
    • Has no iconic status.
    • Unknown to local media.
    • Little public knowledge of location of the organisation.
  Community:
    • Community has no public voice.
    • Has no public or media profile.
    • Community's existence and location is unknown.
    • Community has no iconic status.

53 Includes elements or parts of organisations, including buildings, infrastructure, branded vehicles, monumental structures etc.

I2 Vulnerability: Iconic status


Vulnerability Individual, organisation, or community
Very high • Has high profile celebrity status.
• Recognised internationally as the world leader or archetype.
• Acknowledged internationally as typifying a particular national, ethical,
commercial, social, political, or religious standing.
• Name association creates an instant image world wide.
High • Has some international/national celebrity status.
• Recognised nationally as a major leader or archetype.
• Acknowledged as typifying a particular national, ethical, commercial,
social, political, or religious standing.
• Name association creates an instant image nationally.
Moderate • Has some local celebrity status.
• Recognised locally as a major leader or archetype.
• Acknowledged locally as typifying a particular national, ethical,
commercial, social, political, or religious standing.

• Image could be identified by a proportion of the population nationally.
Low • Has limited celebrity status.
• Is sometimes recognised locally as having some importance.
• Acknowledged by specific local elements as typifying a particular
national, ethical, commercial, social, political, or religious standing.
• Image could be identified by a proportion of the local population.
Very low • Has no celebrity status.
• Is largely unrecognised.
• There is little or no acknowledgment as typifying a particular national,
ethical, commercial, social, political, or religious standing.
• Image cannot be identified by the local population.


I3 Vulnerability: Threat access


Vulnerability Individual, organisation, or community
Very high • There is free and unrestricted public access to all areas with no active or
passive monitoring undertaken.
• Movement patterns, activity schedules, are openly publicised.
• There is excellent geographic access (e.g. central city location).
High • There is unrestricted public access to most areas, there is only limited
monitoring and this is restricted to entry points only.
• There is good geographic access (e.g. close to population centres).
Moderate • Public access has certain restrictions placed upon it.
• Public access to highly sensitive areas is prevented.
• Some monitoring of all public areas is undertaken.
• There is reasonable geographic access (rural areas with good road
infrastructure).
Low • No public access.
• Visitors by appointment.
• Movement within sites controlled.
• Active and passive monitoring of most key points.
• There is limited geographic access (remote location, limited transport
options, etc).
Very low • Public excluded from locality.
• Visitors require clearance.
• Movement within sites on as needs basis.
• Active and passive monitoring of all key points.
• There is restricted geographic access (very isolated location, transport by
special charter only, etc).


I4 Vulnerability: Collateral exposures


Vulnerability Individual, organisation, or community
Very high Co-located on same site as:
• highly attractive terrorist target (e.g. foreign embassy).
• highly attractive criminal target (e.g. diamond warehouse).
• dangerous goods storage or manufacturing.
• ‘unruly crowd attractant’ (e.g. ‘shooting gallery’, notorious entertainment
venue)
High In close proximity to, or sharing some facilities with:
• highly attractive terrorist target (e.g. foreign embassy).
• highly attractive criminal target (e.g. diamond warehouse).
• dangerous goods storage or manufacturing.
• ‘unruly crowd attractant’ (e.g. ‘shooting gallery’, notorious entertainment
venue)
Moderate In the same immediate local area as:
• highly attractive terrorist target (e.g. foreign embassy).
• highly attractive criminal target (e.g. diamond warehouse).
• dangerous goods storage or manufacturing.
• ‘unruly crowd attractant’ (e.g. ‘shooting gallery’, notorious entertainment
venue)
Low Distant to:
• highly attractive terrorist target (e.g. foreign embassy).
• highly attractive criminal target (e.g. diamond warehouse).
• dangerous goods storage or manufacturing.
• ‘unruly crowd attractant’ (e.g. ‘shooting gallery’, notorious entertainment
venue)
Very low Nowhere near:
• highly attractive terrorist target (e.g. foreign embassy).
• highly attractive criminal target (e.g. diamond warehouse).
• dangerous goods storage or manufacturing.
• ‘unruly crowd attractant’ (e.g. ‘shooting gallery’, notorious entertainment
venue)


I5 Vulnerability: Interdependency demand54


Vulnerability Individual, organisation, or community
Very high • Survival is totally dependent upon the interdependency.
• Loss of interdependency results in serious disruption within seconds to
hours.
• Recovery from loss of interdependency would be difficult to impossible.
• Absolutely no alternate provider.
High • Short term operations are totally dependent upon the interdependency.
• Loss of interdependency results in serious disruption within days.
• Recovery from loss of interdependency would be prolonged and
complicated, possible only in the long term.
• Alternate providers not available locally.
Moderate • Mid to long term operations are totally dependent upon the
interdependency, short term capability remains.
• Loss of interdependency results in serious disruption within weeks.
• Recovery from loss of interdependency is simple but requires time (days to weeks).
• Limited number of local alternate providers.
Low • Limited dependencies through to long term, acceptable capability
continues.
• Significant disruption only likely in long term (months).
• Recovery from loss achievable in short term.
• Alternate providers accessible locally.
Very low • Loss of interdependencies has little effect on capability.
• Significant disruption unlikely in long term (months).
• Recovery from loss achievable almost immediately.
• Plentiful alternate providers accessible locally.

54
Interdependencies could include critical suppliers of utilities or inventory,
skilled contractors, transport and logistics systems, information providers,
emergency service organisations, etc.


I6 Critical incident management


Vulnerability Individual, organisation, or community
Very high • Response plans do not exist.
• No testing of any continuity arrangements is conducted.
• Does not regularly consider continuity issues.
• Management are unaware of any critical incident coordination
responsibilities.
High • Response plans do not cover all critical functions, incomplete information
provided.
• Plans are not regularly tested.
• Testing when conducted is superficial.
• Plans are not updated regularly or after testing.
• Management coordination responsibilities are incompletely defined.
Moderate • Response plans for top priority critical functions, facilities, processes, etc,
detail key information requirements.
• Plans subjected to annual testing.
• Testing considers key interdependency interactions.
• Plans are subjected to at least annual maintenance and updates.
• Some key management responsibilities for critical incident management
and coordination assigned, annual awareness conducted. Awareness
training conducted on induction.
Low • Response plans for all critical functions, facilities, processes, etc, detail
majority of requirements.
• Plans subjected to annual testing, involving combinations of desk top and
scenario based approaches.
• Testing seeks input from key interdependencies.
• Plans are subjected to at least annual maintenance and updates, and in
particular following major organisational or operational change.
• Key management responsibilities for critical incident management and
coordination assigned, annual awareness conducted.
Very low • Comprehensive response plans for all critical and supporting functions,
facilities, processes, etc.
• Plans subjected to frequent regular testing, involving combinations of
desk top and scenario based approaches.
• Testing includes involvement of key interdependencies
• Plans are subjected to regular maintenance and updates.
• Trained critical incident management teams and robust structure in place
with stand-in/deputy positions involved. Regular command training
conducted.


J Example components of a security control environment (55)

The table shows, for each example control, whether it contributes to each of the five functions Deter (56), Delay, Detect, Respond and Recover.

Physical controls                                           Deter    Delay    Detect   Respond  Recover
Signage                                                     Yes      No       No       No       No
Perimeter barriers                                          Yes      Yes      No       No       No
Uniformed security patrols                                  Yes      Yes      Yes      Yes      No
Covert security patrols                                     Partial  Yes      Yes      Yes      No
Projectile shields                                          Yes      Delay    Partial  No       No
Proximity to local traffic (pedestrian and vehicle)         Yes      Partial  Partial  Partial  No
Open lines of sight (absence of building or terrain cover)  Yes      No       Yes      No       No
Area lighting conditions                                    Yes      No       Yes      No       No
Gating systems                                              Yes      Yes      Partial  No       No
Building materials                                          Partial  Yes      No       No       No
Vehicle control points                                      Yes      Yes      Yes      No       No
Buffer zones                                                Partial  Yes      No       Yes      No
Construction codes                                          Partial  Yes      No       No       No

People controls                                             Deter    Delay    Detect   Respond  Recover
Personnel screening                                         Partial  No       Yes      No       No
Employee awareness program                                  No       No       Yes      No       No
Entry searches                                              Yes      No       Yes      No       No
Employee termination procedure                              No       No       No       Yes      No
Staff training                                              No       Yes      Yes      Yes      Yes
Personnel movement                                          Yes      Yes      Yes      Partial  No
Ethical frameworks and monitoring                           Yes      Partial  Yes      No       No
Identity cards                                              Partial  No       Yes      No       No
Law enforcement response                                    Partial  No       No       Yes      No
Management supervision                                      Yes      Yes      Yes      No       No

Policy and process controls                                 Deter    Delay    Detect   Respond  Recover
Risk management (57)                                        Partial  Partial  Partial  Partial  Partial
Inventory control systems                                   Yes      Yes      Yes      No       No
Internal audit and other assurance practices                Partial  Partial  Partial  Partial  Partial
Lock-key practices                                          No       Yes      No       No       No
Housekeeping                                                No       Partial  Yes      Partial  No
Evacuation plans                                            No       No       No       Yes      No
Process design                                              Yes      Yes      Yes      Yes      Yes
Authorisation and delegation governance                     Yes      Yes      Yes      No       No
Policy framework                                            Partial  Partial  Partial  Partial  Partial
Emergency management planning                               No       No       No       Yes      Partial
Business continuity management                              No       No       No       Yes      Yes
Corporate governance                                        Yes      Yes      Yes      Partial  Partial
Document control                                            No       Yes      Partial  Partial  No
Communications and public affairs policies and practices    No       No       Partial  No       No
Prior publicised responses to security breaches             Yes      No       No       No       No

Technology controls                                         Deter    Delay    Detect   Respond  Recover
Security access systems (58)                                Yes      Yes      Partial  No       No
Intrusion detection and alarms                              Yes      No       Yes      No       No
Password and encryption keys                                Yes      Yes      No       No       No
Firewalls (58)                                              Yes      Yes      Partial  No       No
Mail screening                                              No       No       Yes      No       No
Surveillance capability                                     Yes      No       Yes      No       No
Systems penetration testing                                 No       Yes      Yes      Yes      No
Panic alarms                                                No       No       No       Yes      No

55 Note: These are selected examples only; the list will need to be customised to meet different contexts. The use of additional controls should be considered for each assessment.
56 If the capability is visible, e.g. overt CCTV.
57 Will provide the means to identify exposures and treatment/improvement actions for each area of security measures.
58 If monitoring is in place.
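As an added example, not from the Handbook, the following Python treats a customised version of this matrix as data and checks a proposed set of controls against the five functions: which functions have no 'Yes' contribution at all, which rest only on a 'Partial', and which depend on a single control. The matrix excerpt embedded in the code is copied from the table above; the control sets passed in are a constructed scenario, and a real assessment would load the full customised matrix in place of the excerpt.

```python
# The five functions of the Appendix J matrix.
FUNCTIONS = ("Deter", "Delay", "Detect", "Respond", "Recover")

# Excerpt of the Appendix J matrix, values as printed there. In practice the
# whole (customised) matrix would be loaded here.
CONTROL_MATRIX = {
    "Signage":                        ("Yes", "No", "No", "No", "No"),
    "Perimeter barriers":             ("Yes", "Yes", "No", "No", "No"),
    "Uniformed security patrols":     ("Yes", "Yes", "Yes", "Yes", "No"),
    "Intrusion detection and alarms": ("Yes", "No", "Yes", "No", "No"),
    "Evacuation plans":               ("No", "No", "No", "Yes", "No"),
    "Business continuity management": ("No", "No", "No", "Yes", "Yes"),
    "Firewalls":                      ("Yes", "Yes", "Partial", "No", "No"),
    "Staff training":                 ("No", "Yes", "Yes", "Yes", "Yes"),
}
STRENGTH = {"No": 0, "Partial": 1, "Yes": 2}


def coverage(selected):
    """Strongest contribution any selected control makes to each function."""
    best = dict.fromkeys(FUNCTIONS, "No")
    for name in selected:
        if name not in CONTROL_MATRIX:
            raise KeyError(f"control not in matrix: {name!r}")
        for func, value in zip(FUNCTIONS, CONTROL_MATRIX[name]):
            if STRENGTH[value] > STRENGTH[best[func]]:
                best[func] = value
    return best


def gaps(selected):
    """Functions the selected controls leave uncovered ('missing') or covered
    only partially ('weak'), in the order of the matrix columns."""
    cov = coverage(selected)
    return {"missing": [f for f in FUNCTIONS if cov[f] == "No"],
            "weak": [f for f in FUNCTIONS if cov[f] == "Partial"]}


def single_points(selected):
    """Functions that rest on exactly one selected control rated 'Yes';
    losing that control drops the function to Partial or No."""
    result = {}
    for i, func in enumerate(FUNCTIONS):
        providers = [n for n in selected if CONTROL_MATRIX[n][i] == "Yes"]
        if len(providers) == 1:
            result[func] = providers[0]
    return result


if __name__ == "__main__":
    # Constructed scenario: a perimeter-only design, then a layered one.
    perimeter_only = ["Signage", "Perimeter barriers", "Firewalls"]
    print("coverage:", coverage(perimeter_only))
    print("gaps:", gaps(perimeter_only))
    layered = perimeter_only + ["Uniformed security patrols",
                                "Business continuity management"]
    print("gaps:", gaps(layered))
    print("single points:", single_points(layered))
```

For the perimeter-only set the check reports Respond and Recover as missing and Detect as weak (the firewall's 'Partial'); adding patrols and business continuity management closes the gaps but leaves Detect resting solely on the patrols and Recover solely on business continuity management, which is exactly the kind of dependency the treatment plan in F12 should then address.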


K Community vulnerability assessment

The Sandia National Laboratories community vulnerability assessment (59) considers issues such as:
• Communications:
− telephone switching stations,
− computers,

− TV stations,
− radio stations,
− communication towers,
− power sources.
• Power and electric:
− substations,
− lines,
− generators (dams and nuclear power stations),
− backup systems.
• Gas and oil:
− refineries,
− storage,
− delivery systems.
• Industry:
− resources,
− services,
− products,
− facilities.
• Water:
− delivery systems,
− storage,
− sewage treatment plants.

59
Blaikie, P., Cannon, T., Davis, I. and Wisner, B. 1994. At risk: natural
hazards, people’s vulnerability, and disasters. Routledge, London.


• Banking and financial:


− computer,
− money supply and distribution.
• Education:
− schools,
− universities,
− other.
• Government:
− federal, military installations,
− high profile (court houses, law enforcement locations),
− services (postal, etc),
− state,
− local.
• Transportation:
− highways,
− railways,
− terminals,
− bus stations,
− pipelines,
− waterways,
− marine ports,
− airports,
− storage area of fleet (aircraft, train, bus, ship, etc).
• Emergency:
− hospitals,
− first responder locations,
− shelters.
• Foreign based governments:
− embassies,
− consulates,
− designated residences of foreign officials,
− businesses.
• Recreational venues:
− parks,
− museums,
− auditoriums,
− tourist attractions.
• Special classification:
− churches,
− synagogues,
− abortion clinics,
− other.


L Example questions for use in a vulnerability assessment

1 Where is the asset/ facility/ process located?
2 What is the asset/ facility/ process located near?
3 What other icon, critical infrastructure is located near the asset/
facility/ process?
4 What natural and/or man-made hazards are located near the asset/ facility or process?
5 What does the organisation, asset/ facility/ process rely on to
perform its function(s)?
6 What and who does the organisation, asset/ facility/ process rely
on to ensure its security?
7 How visible is the asset/ facility/ process from a road, railway
line, local community, etc?
8 How is the asset/ facility/ process currently protected?
9 What security measures have been implemented in the last 6 –
12 months?
(a) Physical.
(b) People.
(c) Cultural.
(d) Technological.
(e) Governance.
10 How many incidents have occurred at the asset/ facility/ process
during the last:
(a) month;
(b) 3 months;
(c) 6 months;
(d) 12 months.
11 What have been the natures of the incidents?
12 What were the outcomes from any debriefs of the incidents?
13 What methods are used to manage the asset/ facility/ process?
14 Has there been any media coverage of the asset/ facility/ process during the last:
(a) month;
(b) 3 months;
(c) 6 months;
(d) 12 months.
15 What was the nature of the media coverage?
16 What access to information regarding the asset/ facility/ process
is available to the general public?
17 What is the profile of the organisation and the asset/ facility/
process in the local, regional, national and/ or international
community?
18 What are the policies and procedures for access to the asset/
facility/ process?
19 When was the last review of the asset/ facility/ process
conducted?
(a) What were the results of the review?
(b) Have the actions been implemented?
20 Is the asset/ facility/process seen to be an icon by the
community, business or government sectors?
(a) If so, for what reason?
21 What are the current emergency response and management
procedures used at the asset/ facility/ process?
22 What are the business continuity (continuity of operations)
procedures and processes for the asset/ facility/ process?
23 What is the organisation culture and understanding of security?


M Some common approaches to analysing security risk
Some common approaches to analysing risk are summarised below [60]. Note that these have been expressed in the form 'parameter (a)' × 'parameter (b)', as is the usual practice in many of the applications. However, this does not necessarily imply that these terms should or could be mathematically combined in this manner. Often the basis of the measurements themselves (for example, ordinal ratings such as 'Low' to 'High') will prevent any meaningful mathematical treatment of this nature (see the 'TIPS & TRICKS' insert box under Section 5.2.3 for further details). In such circumstances the multiplication symbol (×) should be read as denoting a combination of the parameters, whether quantitative or qualitative, rather than an arithmetic product. A summary comparison of some of the benefits and problems with each of these approaches is presented in Table M1.1.

1.0) Risk = Threat × Harm
Where
Risk = the security risk.
Threat = a qualitative or semi-quantitative measurement of the 'level' of threat (e.g. rated from 'Low' to 'High').
Harm = the resulting impact when the threat occurs.

1.1) Risk = TL × I
Where
Risk = the security risk.
TL = the likelihood of the threat occurring.
I = the impact of the threat occurring.

1.2) Risk = S × LA
Where
Risk = the risk of an attack.
S = the severity of an attack.
LA = the likelihood of an attack.

[60] Many of these formulae have been so widely used that an accurate attribution to their original source cannot be made with certainty.

1.3) Risk = S × LA × (1-E)
Where
Risk = the risk of an attack.
S = severity of the attack [61].
LA = likelihood of an attack.
E = effectiveness of the security system or controls.

1.4) Risk = S × (LA × LAS) × (1-E)
Where
Risk = the risk of an attack.
S = severity of the attack.
LA = likelihood of an attack being launched.
LAS = likelihood of the attack being successful.
E = effectiveness of the security system or controls.
1.5) Risk = C × T × V [62]
Where
Risk = the risk associated with an adversary attack and/or system/asset failure.
C = consequence(s) [63], the negative outcomes associated with degradation or failure of the system or asset.
T = threat [64], the probability or likelihood that a given attack scenario with the potential to disrupt systems or assets and cause undesirable consequences will occur.
V = the vulnerability of the asset or system to the attack or failure.

2.0) Risk = Consequence × Likelihood
Where
Risk = the risk of an event occurring with a definable consequence.
C = the consequences should the event occur.
L = the likelihood of the event occurring with those consequences.

2.1) Risk = C × L × (1-E)
Where
C = the consequences of the security risk event.
L = the likelihood of the event occurring with the defined consequences.
E = effectiveness of the security control environment.

[61] Severity is calculated on the basis of loss of human life, revenue, assets and capabilities.
[62] Homeland Security Framework, SAND 2002-0877, April 2002, Sandia National Laboratories.
[63] Consequence can be measured by loss of life, economic impact, loss of public confidence or other metrics.
[64] Threats are characterised by their means and likelihood of occurrence.

2.2) Risk = C × L × V
Where
C = the consequences of the security risk event.
L = the likelihood of the event occurring with the defined consequences.
V = the vulnerability of the asset/individual, organisation/community to the risk.

2.3) Risk = Cr × L × V
Where
Cr = the impact on an asset at that criticality level.
L = the likelihood of the risk occurring with that criticality level impact.
V = the vulnerability.

2.4) Risk = (T × V) × Cr
Where
T = the threat.
V = the vulnerability.
Cr = the criticality.

2.5) Risk = TL × V × Cr
Where
TL = threat likelihood, comprising: general threat likelihood + specific threat likelihood.
V = vulnerability [65], comprising: V = VG + VS + VR
where
VG = vulnerability to the general threat.
VS = vulnerability to the specific threat.
VR = vulnerability to the specific and general threats.
Cr = criticality, comprising: Cr = CS + CP + CO
where
CS = social criticality.
CP = personnel criticality.
CO = organisational criticality.

[65] VG = general (deter + detect + delay) vulnerabilities.
VS = specific (deter + detect + delay) vulnerabilities.
VR = general + specific (respond, recover) vulnerabilities.

The Critical Infrastructure Protection Risk Management Framework [66] combines vulnerability and threat measures in a rating matrix to provide an estimate of likelihood, and then combines that likelihood with a consequence measure in a second rating matrix to produce a risk rating level.
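A worked example, added here and not part of the handbook: the two-stage rating-matrix approach just described, implemented as lookup tables, beside formula 1.4 evaluated numerically. It shows concretely why the × in these formulae has to be read as a qualitative combination when the inputs are ordinal ratings: multiplying the positions of the ratings on their scales produces orderings the analyst never intended. The scale labels, both matrices and the sample values are assumed for illustration; the handbook does not prescribe them.

```python
"""Combining security-risk ratings: rating-matrix lookup versus numeric product.

Added worked example; not part of HB 167:2006. The scale labels and the two
matrices below are assumed for illustration, not taken from the handbook.
"""
from itertools import product as cartesian

# Ordinal scales, lowest to highest (assumed labels).
THREAT = ["Low", "Medium", "High"]
VULNERABILITY = ["Low", "Medium", "High"]
LIKELIHOOD = ["Rare", "Unlikely", "Possible", "Likely", "Almost certain"]
CONSEQUENCE = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]
RATING = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Stage 1: threat x vulnerability -> likelihood (assumed matrix).
# Rows follow THREAT, columns follow VULNERABILITY.
LIKELIHOOD_MATRIX = [
    ["Rare", "Unlikely", "Possible"],            # Low threat
    ["Unlikely", "Possible", "Likely"],          # Medium threat
    ["Possible", "Likely", "Almost certain"],    # High threat
]

# Stage 2: consequence x likelihood -> risk rating (assumed matrix).
# Rows follow CONSEQUENCE, columns follow LIKELIHOOD. Deliberately asymmetric:
# a rare catastrophic event is rated High, which no product of scale positions
# can express, because 5 x 1 and 1 x 5 are the same number.
RISK_MATRIX = [
    ["Very Low", "Very Low", "Low", "Low", "Moderate"],        # Insignificant
    ["Very Low", "Low", "Low", "Moderate", "Moderate"],        # Minor
    ["Low", "Low", "Moderate", "High", "High"],                # Moderate
    ["Low", "Moderate", "High", "High", "Very High"],          # Major
    ["High", "High", "Very High", "Very High", "Very High"],   # Catastrophic
]


def _index(scale, label):
    """Position of an ordinal label on its scale; rejects labels not on the scale."""
    try:
        return scale.index(label)
    except ValueError:
        raise ValueError(f"{label!r} is not on scale {scale}") from None


def likelihood_rating(threat, vulnerability):
    """Threat and vulnerability ratings combined by lookup, not arithmetic."""
    return LIKELIHOOD_MATRIX[_index(THREAT, threat)][_index(VULNERABILITY, vulnerability)]


def matrix_risk(consequence, likelihood):
    """Consequence and likelihood combined by lookup: 'Risk = C x L' read qualitatively."""
    return RISK_MATRIX[_index(CONSEQUENCE, consequence)][_index(LIKELIHOOD, likelihood)]


def cip_risk_rating(threat, vulnerability, consequence):
    """Two-stage rating: (threat, vulnerability) -> likelihood, then (consequence, likelihood) -> risk."""
    return matrix_risk(consequence, likelihood_rating(threat, vulnerability))


def product_risk(consequence, likelihood):
    """The tempting shortcut: treat scale positions as numbers and multiply them."""
    return (_index(CONSEQUENCE, consequence) + 1) * (_index(LIKELIHOOD, likelihood) + 1)


def rank_disagreements():
    """Pairs of cells (a, b) that the numeric product ranks a above b while the matrix ranks a below b.

    A non-empty result shows that the product of ordinal codes does not preserve
    the ordering the matrix encodes, so 'C x L' cannot be computed arithmetically.
    """
    cells = list(cartesian(CONSEQUENCE, LIKELIHOOD))
    found = []
    for a, b in cartesian(cells, cells):
        higher_by_product = product_risk(*a) > product_risk(*b)
        lower_by_matrix = _index(RATING, matrix_risk(*a)) < _index(RATING, matrix_risk(*b))
        if higher_by_product and lower_by_matrix:
            found.append((a, b))
    return found


def quantitative_attack_risk(severity, p_attack, p_success, control_effectiveness):
    """Formula 1.4, Risk = S x (LA x LAS) x (1 - E), for inputs that really are numeric.

    Only meaningful when LA and LAS are probabilities and E is a fraction in [0, 1].
    Caveat: if LAS was estimated with the current controls in place, E is already
    reflected in it and the (1 - E) factor double counts the controls. This
    function assumes LAS is the success probability against the unprotected asset.
    """
    for name, p in (("p_attack", p_attack), ("p_success", p_success),
                    ("control_effectiveness", control_effectiveness)):
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"{name} must lie in [0, 1], got {p}")
    return severity * (p_attack * p_success) * (1.0 - control_effectiveness)


if __name__ == "__main__":
    print(cip_risk_rating("Low", "Low", "Catastrophic"))    # rare but catastrophic: High
    print(product_risk("Catastrophic", "Rare"), product_risk("Insignificant", "Almost certain"))
    print(len(rank_disagreements()), "pairs ordered differently by product and matrix")
    print(quantitative_attack_risk(100.0, 0.2, 0.5, 0.3))   # 100 x (0.2 x 0.5) x 0.7
```

Running the block shows that the product of scale positions rates a 'Catastrophic/Rare' event equal to an 'Insignificant/Almost certain' one (both 5), while the matrix rates them High and Moderate; rank_disagreements() enumerates every pair of cells the two methods order differently. quantitative_attack_risk() is only appropriate when the severity is a measured quantity and LA, LAS and E are genuine probabilities or fractions, and even then the analyst must decide whether the controls are counted in LAS or in (1-E), not both.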

Table M1.1
Comparison of security risk analytical approaches

1.0) Risk = Threat × Harm
Benefits: Simple; requires examination of only two values.
Points to consider: The linkage between a level of threat and 'harm' is not necessarily emphasised or direct. Threat is assumed to equate to likelihood; in this approach it does not equate to the likelihood of the harm. Requires the control framework to be considered implicitly in determining 'threat' and 'harm' to even approximate risk.

1.1) Risk = TL × I
Benefits: Begins to introduce the concept of a potential event through the introduction of the likelihood of the threat occurring.
Points to consider: Still does not adequately approximate the likelihood of the risk. There is not necessarily a direct relationship between threat likelihood and impact. Requires consideration of the control framework to provide an approximate risk.

1.2) Risk = S × LA
Benefits: As above.
Points to consider: As above.

1.3) Risk = S × LA × (1-E)
Benefits: Requires consideration of the effectiveness of the control environment. The (1-E) notation attempts to bring in concepts of vulnerability.
Points to consider: The likelihood remains 'the likelihood of the attack' and not necessarily 'the likelihood of a successful attack'.

1.4) Risk = S × (LA × LAS) × (1-E)
Benefits: Considers the likelihood of the attack being successful, improving the approximation of risk. Considers the effectiveness of the control framework.
Points to consider: The likelihood is not a consideration of the likelihood of the consequences (severity) of the risk.

1.5) Risk = C × T × V
Benefits: Begins to consider the relationship between some of the key factors in security risk.
Points to consider: May still be considering the likelihood of the threat and not necessarily the likelihood of the consequences.

2.0) Risk = Consequence × Likelihood
Benefits: The standard risk management definition of risk. Considers the consequence of an event and the likelihood of the event occurring with those consequences.
Points to consider: Does not necessarily address how concepts of threat and vulnerability are factored into the analysis.

2.1) Risk = C × L × (1-E)
Benefits: Begins to introduce the concept of vulnerability through examining shortfalls in control effectiveness.
Points to consider: May require a subjective consideration of threat, vulnerability and criticality in assessing consequence and likelihood.

2.2) Risk = C × L × V
Benefits: Considers the impact of vulnerability on the risk. Does not attempt to assign vulnerability to just a likelihood or a consequence concept.
Points to consider: May require a subjective consideration of threat and criticality in assessing consequence and likelihood.

2.3) Risk = Cr × L × V
Benefits: Introduces the concept of criticality.
Points to consider: Assumes that there is a directly proportional relationship between consequence and criticality, which may not be present.

2.4) Risk = (T × V) × Cr
Benefits: As above.
Points to consider: Assumes that there is a directly proportional relationship between consequence and criticality, which may not be present. Assumes that likelihood is a product of threat × vulnerability, which may be an incorrect assumption. Ignores the prospect that key elements of vulnerability will modify the consequence rather than the likelihood.

2.5) Risk = TL × V × Cr
Benefits: Allows for the overall impact of vulnerability over both likelihood and consequence.
Points to consider: Assumes that criticality is directly proportional to consequence, which may not always be the situation. Assumes that threat likelihood is equivalent to risk likelihood, which may be an incorrect assumption.

[66] Australian Commonwealth Attorney General 2003.

Some approaches can be used to directly analyse and measure risk (these form the 'basis of the analysis' in Figure M1.1). Other approaches, under certain context-specific circumstances, can provide approximations of the analysis and measurement of risk. The remaining approaches are best used to inform the analytical methodology.


FIGURE M1.1 APPLICATION OF DIFFERENT METHODOLOGIES

[Figure: the risk management process steps (Establish the context, Identify the risks, Analyse the risks, Evaluate the risks, Treat the risks) with the formulae from this appendix positioned against them. Legend: 'Informs', 'Approximates', 'Basis of'. R = C × L is shown as the basis of the 'Analyse the risks' step. R = (T × V) × Cr, R = S × (LA × LAS) × (1-E) and R = TL × V × Cr are shown as approximating the analysis. R = T × H, R = TL × I, R = S × LA, R = S × LA × (1-E), R = C × V × T, R = C × L × (1-E), R = C × L × V and R = Cr × L × V are shown as informing the analysis.]


N Key reference sources


American Chemistry Council—Implementation Guide for
Responsible Care Security Code of Management Practice—
Site Security and Verification, July 2002.
Attorney General’s Department, Commonwealth Protective Security
Manual, Canberra, Commonwealth of Australia, 2000.
Australian National Audit Office. Business Continuity Management:
Keeping the Wheels in Motion. Canberra. Australian Federal
Government, 2000.
Australian National Audit Office. Corporate Governance in Commonwealth Authorities and Companies. Discussion Paper. Canberra. Australian Federal Government, 1999.
Blaikie, P., Cannon, T., Davis, I., and Wisner, B. 1994. At risk:
natural hazards, people’s vulnerability, and disasters.
Routledge, London.
Business Continuity Institute, Business Continuity Management—
Good Practice Guide, Business Continuity Institute, 2002.
Department of Transport and Regional Services, Maritime Security
Assessments—Interim Guidance Paper, Draft, Canberra,
Commonwealth of Australia, September 2003.
Emergency Management Australia. Non Stop Service: Continuity
Management for Public Sector Agencies, Canberra,
Commonwealth of Australia, 1997.
Emergency Management Australia. Emergency Risk Management—
Applications Guide, Canberra, Commonwealth of Australia,
2000.
Emergency Management Australia. Critical Infrastructure Emergency
Risk Management and Assurance Handbook, Canberra,
Commonwealth of Australia 2003.
Gibson C.A. and Love G. HB 292:2006, Practitioner’s Guide to
Business Continuity Management, Standards Australia,
2006.
Gibson C.A. and Love G. HB 293:2006, Executive Guide to Business
Continuity Management, Standards Australia, 2006.
Hoffman, B. Inside Terrorism, Columbia University Press, 1998.
International Organisation for Standardization, Guide 73, Risk
Management—Vocabulary—Guidelines for use in Standards,
2002.
Knight, R.F. and Pretty, D.J. The Impact of Catastrophes on
Shareholder Value. Oxford Executive Research Briefing, 1996.
National Counter Terrorism Committee—Principles For A National
Counter Terrorism Strategy For Critical Infrastructure.


National Fire Protection Association, NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity Programs, Quincy MA, USA, 2004.
Northern Territory Government, Interim Workplace Security
Handbook, Northern Territory Government, Darwin, 2002.
Standards Australia, AS 4811—2006 Employment Screening.
Standards Australia, AS/NZS 4360:2004, Risk Management.
Standards Australia, 2004.
Standards Australia, AS/NZS HB 221:2003, Business Continuity
Management, Standards Australia, 2003.
Schmid, A.P, Jongman A.J., et al. Political Terrorism: A New Guide
to Actors, Authors, Concepts, Data Bases, Theories and
Literature, New Brunswick, Transaction Books, 1988.
TRIDENT—The Facilities and Business Security Risk Assessment
Tool, Executive Impact, Australia 2002.
United States Military Field Manual, US Department of Defense.
United States National Institute of Justice—A Method to Assess the
Vulnerability of U.S. Chemical Facilities, U.S. Department of
Justice—Office of Justice Programs, November 2002.
U.S. National Infrastructure Protection Center. Risk Management: An Essential Guide to Protecting Critical Assets, November 2002.
Victorian Metropolitan Water Industry, Security Vulnerability Risk
Assessment Guideline, Victoria, 2003.


O URLs for example reference sources for developing the context
Asia Links (formerly the Asia Pacific Review): www.asialinks.com
Asia Pacific Foundation: www.asiapacificfoundation.org
ASIC: www.asic.gov.au
ASX: www.asx.com.au
AUSAID: www.ausaid.gov.au
Australian Bureau of Statistics (ABS): www.abs.gov.au
Centers for Disease Control & Prevention: www.cdc.gov
CIA World Factbook:
www.ODCI.Gov/Cia/Publications/Factbook/Index.
Department of Foreign Affairs and Trade (DFAT): www.dfat.gov.au/
Intelcenter: www.intelcenter.com
London Financial Times: www.ft.com
Organisation for Economic Cooperation and Development (OECD):
www.oecd.org
Rand Corporation: www.rand.org
Terrorism Research Centre: www.terrorism.com
The Economist: www.economist.com
UK Foreign & Commonwealth Office: www.fco.gov.uk
UN Department of Economic and Social Affairs: www.un.org/esa/
UN statistics: http://unstats.un.org/unsd/methods/inter-natlinks/sd_intstat.htm
United Nations: www.un.org
US State Department ‘Patterns of Global Terrorism’:
www.state.gov/s/ct/rls/pgtrpt/
US State Department: www.state.gov
World Bank: www.worldbank.org
World Economic Forum: www.weforum.org
