HB 167:2006
Security risk management
Handbook
COPYRIGHT
© Standards Australia/Standards New Zealand
All rights are reserved. No part of this work may be reproduced or copied in any form or by
any means, electronic or mechanical, including photocopying, without the written
permission of the publisher.
Jointly published by Standards Australia, GPO Box 476, Sydney, NSW 2001 and Standards
New Zealand, Private Bag 2439, Wellington 6020
ISBN 0 7337 7899 2
Preface
This Handbook was prepared by the following authors for Standards Australia Committee OB-007, Risk Management.
Dr Carl Gibson, La Trobe University, Melbourne, Australia
Mr Gavin Love, International Association of Emergency Managers
Mr Neil Fergus, Intelligent Risk Pty Ltd, Sydney, Australia
Mr David Parsons, Sydney Water, Sydney, Australia
Mr Mike Tarrant, Emergency Management Australia Institute, Mt Macedon, Australia
Insp Mathew Anderson, Counter Terrorism Coordination Unit, Victoria Police, Melbourne, Australia
Mr James Kilgour, Canadian Centre for Emergency Preparedness, Toronto, Canada
Downloaded by Panjan Navaratnam on 14 Feb 2007. For internal use within SAI Group only. See conditions of use for details.
Contents
1 Introduction
1.1 Security Risk Management—A new paradigm ... 6
1.2 Security Risk Management Approach ... 7
1.3 Security risk management and its relationship with risk management ... 10
1.4 Security risk management ... 11
4 Identify risk
4.1 Introduction ... 40
4.2 Data and information sources ... 43
4.3 Conducting the criticality assessment ... 46
4.4 Threat assessment ... 49
4.5 Conducting the vulnerability analysis ... 59
4.6 Mapping threat, vulnerability and criticality ... 66
5 Analyse risk
5.1 Introduction ... 69
5.2 Measuring risk ... 70
6 Evaluate risk
6.1 Introduction ... 77
6.2 Tolerance of risk ... 77
7 Treat risk
7.1 Introduction ... 80
7.2 Developing a treatment plan ... 80
7.3 Conformance vs. Performance ... 85
APPENDICES
A Acknowledgments ... 91
B Definitions and glossary ... 92
1 Introduction
1.1 Security Risk Management—A new paradigm
‘Everything is different’, but it’s just the same.
There is a prevailing perception that there have been dramatic and far
reaching changes in the nature of the business environment and in
society at large over recent years. In particular it has been said, almost
ad nauseam, that 'the world has changed since 9/11'. However, many of
these ‘new changes’ are merely highlighting issues that have presented
challenges to organisations and communities for many decades.
What is different is that this has resulted in a powerful imperative for
issues to be now considered that have not previously been part of the
collective consciousness. As a society we have been made aware of the
need for, and existence of ‘security’ measures. However, in certain
quarters, security has long been viewed as something that people in
uniform did whilst guarding something. Security belonged in the world of
the police, the military or James Bond! When security interfaced with
ordinary working lives, we often saw it as hindering our daily routine.
Attitudes have changed significantly in recent times, with a major focus
on, and acceptance of the need for, an increased attention to security.
However, this changed attitude is often driven by misinformed perception,
fuelled by an overly dramatic media. The result is that security investment
may be misdirected to where the ‘noise’ is, not where it is really required.
In recent years concepts of organisational risk management have also
evolved.
The move has been from the rather simplistic ‘risk is insurance mentality’
to a more comprehensive enterprise-wide concept that encompasses a
better reasoned understanding of the nature of uncertainty that we face.
An improved understanding of the nature of risk facilitates more informed
decision making, increases our abilities to exploit opportunities and
minimise harm.
Similarly, security risk management provides a means of better
understanding the nature of security threats and their interaction at an
individual, organisational, or community level. Traditionally, the security
industry and profession’s focus on risk has concentrated on risk
minimisation, with activities aimed at loss prevention without necessarily
thoroughly considering the nature and level of organisational risk.
Some of the key characteristics of this paradigm shift are presented as
major themes within this Handbook and are summarised in Table 1.1.
Table 1.1
Key characteristics of the emerging paradigm shift in security risk management
From → To
Physical security → People, property and information security
Technical activity → Social/political process
One way dialogue (communicating to stakeholders) → Two way dialogue (communicating with stakeholders)
Tactical approach → Long term strategic planning
Policing/paramilitary view and approach → Holistic approach
Conformance criteria → Performance criteria
Footnote 2: Organisational and community elements include: people, information, infrastructure and the processes that support them.
FIGURE 1.1 SECURITY RISK MANAGEMENT PROCESS — OVERVIEW (see footnote 3)
Footnote 3: Based on AS/NZS 4360:2004.
[Figure (caption not recovered): elements of an organisation considered in security risk management, grouped under Integrity, Confidentiality and Availability. Panel titles: Employees (recruitment, termination, continuity, industrial relations, OHS, bullying/harassment, workplace violence, trust/ethics/governance, disciplinary measures, evacuations, fraud and loss prevention); Visitors (access/site integrity, safety, violent/deranged individual, fraud and loss prevention); Customers and suppliers (bribery/coercion, fraud and loss prevention, escrow); Capital and financial (investment, prudential, holding and retention, transactions, funds transfer, cash handling, tracking); Intangibles (reputation, goodwill); IT and electronic (physical access, access control, privacy, classification, misuse/release, disruption, diversion, validation, verification, escrow, intruder detection, continuity/recovery, encryption); Documents (integrity, control, classification, disclosure, transmission/dispersal); Other stakeholders (financiers, regulators).]
Footnote 4: Stakeholders includes anyone with an interest or influence in the organisation or community (or in projects, issues associated with it, or parts thereof). This could include (but is not limited to): the Board, management, employees, citizens, local communities, unions, shareholders, families, media, lobby groups, customers, suppliers, government, regulators, etc.
[Figure (caption not recovered): risk described by Likelihood and Consequence, judged against Tolerance and Acceptability, with the treatment options Avoid, Accept, Exploit, Share and Reduce.]
2.2 Engagement
One of the great challenges in communication is gaining the attention of
the audience to actually read or listen to the message. This challenge
often arises from the very basic premise of ‘it can’t happen to me’, so the
message cannot be relevant to me. One of the prime aims of the
communicator is to provide information to an audience in a manner in
which they will attach meaning similar to that of the communicator. To
assist in this the communication must successfully move the audience
from passive reception of the message, to active processing of the
information. The audience needs to become engaged with the
communication and communicator.
The psychology of engagement is a complex and ever-evolving field,
beyond the scope of this Handbook. However, attention to the following
three basic principles will greatly assist in achieving successful
engagement:
• Interest: The content, and both the manner and format in which the
communication is presented must be of interest, or create an interest,
in the intended audience. This interest may arise because:
2.2.1 Participation
Effective communication is also very dependent upon having the
participation of each of the parties involved. Attaining engagement and
facilitating understanding is a key aspect of gaining participation along
with the following attributes:
• Need fulfilment: participating in the communication must be
recognised as meeting the needs of the parties involved;
• Ability and capability: the parties involved must have the ability
2.3 Perception
Many aspects of risk management are highly subjective and are greatly
influenced by the perceptions of information providers, analysts, and
users of the products of security risk management.
The way in which we perceive the information being relayed to us will
determine how we react. In the security risk management context, the
perception of events is often based on information provided by sources
that have sensationalised and distorted it (this is not always restricted to
just media sources). Similarly, blanket denials or deliberate limitations on
the release of information can significantly influence the perception of
risk.
Perception creates and reinforces bias in:
• Selecting data and information to be used or rejected;
• Determining the validity and accuracy of, and the trust in, sources of
data and information;
• Misunderstanding of processes/methodologies that drive outcomes;
• Differential weighting, or the importance of data during analysis;
[Figure (caption not recovered): factors shaping risk communication. Communicator: information adequacy, message development, cognitive capability. Recipient: beliefs and values, threat context, resource availability, organisational capabilities. Action: drive vs inertia, competence.]
Table 2.1
Communication strategy issues (see footnote 5)

Risk issues (see footnote 6):
• Engage stakeholders (incl. community representatives, politicians, etc.).
• Provide opportunities for stakeholders to contribute appropriately.
• Establish a stakeholder management plan and if appropriate develop a community management plan.
• Provide short and simple messages.
• Communicate and engage about the nature of risk where appropriate. Don’t build expectations that can’t be fulfilled.
• Establish a media strategy (see footnote 7), core messages, and materials.
• Explain the context of the problem before proposing solutions.
• Monitor and review stakeholder and community views.
• Ensure briefing and debriefs of stakeholders.
• Provide opportunities for stakeholders and communities to express their views.
• Avoid appearing devious or ‘high and mighty’. Be open and honest.
• Monitor spokesperson’s performance – beware of unintended messages. Develop ‘holding lines’ and ‘talking points’.
• If an event is potentially high profile, establish a media ‘centre’ – invite media to command centres, provide access, provide opportunities for good vision etc.
• Review communication assumptions.
• Be aware of ‘technical truth’ versus ‘public fact’ issues.

Media and public disclosure issues:
• Liaise and brief/educate media on issues.
• Build relationships with media representatives as part of doing normal business.
• Be cautious with public meetings, use skilled and knowledgeable facilitators.
• Ensure effective internal communications are in place and operating.
• Train spokespersons and have clear guidelines for staff (and for other relevant stakeholders) on who is allowed to speak with the media or make other public comment.
• Brief own staff ASAP, ideally before the media.
• Understand the media agenda, develop appropriate approaches (positive news, honesty, public interest, etc.).
• Analyse the issues from a variety of perspectives. Engage the media.
• Ensure that internal communications carry the message before any media channels do.
• Use credible and articulate spokespersons (‘talent’), this will often require specific training.

Legal and … issues (remainder of heading not recovered):
• Be aware of legal constraints.
• Confirm what can be disclosed with interests such … etc.
• Implement regulator/jurisdiction protocols.
• Recognise that a major event may result in control being vested in another jurisdiction or authority.

Footnote 5: Remember to formally document all proceedings, submissions and agreed outcomes.
Footnote 6: Note that inviting the media into control centres or other areas of an organisation during an incident response needs to be carefully controlled under very clear objectives of what is to be achieved through providing this access.
Footnote 7: Where multiple organisations may be involved, developing a joint media strategy can increase effectiveness.
options.
• Inform: the individuals or groups that need to be informed
about the decision making process, the options or final
decision.
In documenting the communications plan, the issues in Table 2.2 need to
be considered.
Table 2.2
Documenting the communications plan
Communication requirement: Audience
Considered issues: • primary • secondary • opportunistic
Examples: • to employees • to employee families • to local community members
These elements are illustrated in Figure 3.1. Typical questions that can
be asked to derive information on these elements are summarised in
Table 3.1.
Although described separately, the three ‘levels’ of the context are not
necessarily discrete. There will at times be significant overlap in issues,
usually because external issues will influence internal issues, which in
turn will drive security risk management issues.
Table 3.1
Typical questions relating to context
Commitment: • Staff?
How can better understanding and management of security risk management complement or enhance these drivers?
How are security issues currently affecting management and staff performance?
What are the goals and objectives of:
• The organisation?
• Business unit?
• Community?
• Society?
Process or program: What constraints exist to adopting the chosen approach to security risk management?
External context:
What is the relevance of changing economic conditions?
What new legislation is on the books?
What are the prevailing/changing social conditions?
In what activities are key competitors engaged?
What are the expectations of suppliers, customers, communities, shareholders and other stakeholders?
What are the key programs, projects, activities identified in this year’s business plan?
[Figure (caption not recovered): steps Develop commitment; Identifying stakeholders; Business case development.]
• Social;
• Economic;
• Markets;
• Competition;
• Community; and
• External stakeholders.
• Geopolitical:
− What are the major current political issues that could affect the
organisation, community or individual?
− How politically stable are the areas/countries that we operate
in?
− How politically stable are the areas/countries that form part of
our supply or customer logistics chain?
− What terrorist or organised crime groups operate in the
areas/countries with which we have an interest?
• Regulatory:
− Could our operations be contravening local laws and
regulations?
• External stakeholders:
− Who are the key external stakeholders?
− Who are the new or emerging stakeholders?
− What is the nature of the relations with key stakeholders?
(e.g. unions, media, investors, local community)
− What significant changes in the influence of various stakeholder
groups may be occurring?
− What is the extent of interdependencies and redundancies
within and amongst the various stakeholder groups?
• How does each of the external context issues interact with the
organisation?
3.4.1 Finalising the goals and objectives for security risk management
It is highly likely that initial goals and objectives for the security risk
The strength of the argument for undertaking (or selling) the proposed
activity can be enhanced by including historical data (particularly any
significant losses or disruptions) concerning past security risks and
incidents. Brief case studies of the woes that have befallen others in
either your industry or geographical location can present a compelling
argument. However, be cautious, remember fact not fiction – no matter
how good the story!
Remember that the quality of your business case will be improved by
involving a selection of internal and external stakeholders in its
development.
Above all, be clear, simple and concise in preparing the business case
documentation.
4 Identify risk
4.1 Introduction
Risk identification is concerned with creating a well thought out and
comprehensive determination of the sources of risks and potential events
that will have an impact upon the individual’s, organisation’s, or
community’s objectives. The identification of risk can be assisted by
considering the outputs of more traditional approaches such as threat,
[Figure (caption not recovered): relationship of the three analyses to risk. Threat feeds the Threat analysis; Critical elements feed the Criticality analysis; these, together with the Vulnerability analysis, determine RISK for the Community, Organisation or Individual. An Event (actual) leads to Consequences; the example given reads ‘Event actually: mass casualties, service disruption, united community’.]
[Figure (caption not recovered): context wheel with the segments Strategy, Political, Supply, Legal, Competition, Leadership, Stakeholder, Physical, Business process, Performance, Product/Service, Information/Data, People, Technology, Economic and Community.]
Gaining adequate data and information for risk identification may not just
be a simple exercise in data collection and collation. Some degree of
informed analysis will usually be required, in particular to determine
answers to the ‘who?’ ‘what?’ ‘why?’, ‘where?’, ‘when?’ and ‘how?’
questions. Three types of analysis, commonly conducted in security risk
assessments, can provide invaluable direction in this regard:
• The Criticality Assessment – ‘what’ and ‘where’ answers;
Table 4.1
Example of a criticality rating scheme
[Column headings not recovered; each rating row has three columns, each beginning ‘Loss of asset results in:’. Financial thresholds are expressed against NOPBT/EBITDA, see footnote 8.]

Rating above High (label not recovered; only the end of the row survives):
First column: • no short term recovery capability.
Second column: • Community outrage at loss of service.
Third column: … (several serious casualties, or a fatality).

High:
First column: • serious prolonged reputational loss (extending for weeks to months). • Financial loss > 10% of NOPBT/EBITDA.
Second column: • >10% revenue potential of businesses or local government.
Third column: • mid to long term major financial loss (e.g. prolonged stand down of employment – over several months).

Significant:
First column: Loss of asset results in: • cessation of one or more key functions. • limited short term recovery capability. • reputational loss on specific operations of the … (extending for weeks to months). • Financial loss > 5% of NOPBT/EBITDA.
Second column: Loss of asset results in: • loss of amenity (extending days to weeks). • community upset at loss of service. • >5% revenue potential of businesses or local government.
Third column: Loss of asset results in: • major safety incidents (multiple injuries requiring medical attention). • financial losses extending over several weeks (e.g. contracts put on hold).

Moderate:
First column: Loss of asset results in: • reduced effectiveness of one or more key functions. • short term recovery capability is possible. • reputation loss (extending for days to weeks). • Financial loss > 2% of NOPBT/EBITDA.
Second column: Loss of asset results in: • partial or temporary loss of amenity (days). • community disquiet at loss of service. • >2% revenue potential of businesses or local government.
Third column: Loss of asset results in: • safety incidents requiring first aid treatment. • long term major financial loss (e.g. loss of employment).

Low:
First column: Loss of asset results in: • little impact on functions. • recovery is possible immediately. • little measurable reputational loss. • Financial loss < 2% of NOPBT/EBITDA.
Second column: Loss of asset results in: • little loss of amenity. • little negative reaction arising from loss of service. • <2% revenue potential of businesses or local government.
Third column: Loss of asset results in: • insignificant safety implications. • no appreciable financial loss.

Footnote 8: NOPBT – net operating profit before taxes; EBITDA – earnings before interest, taxes, depreciation & amortisation.
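As an added illustration (not part of the Handbook), the percentage thresholds and the safety column of Table 4.1 turned into a small rating helper. The worst-of-columns rule, the strict ‘>’ tie-break at the band edges, the three-level safety scale and the sample assets are this example's own assumptions.

```python
"""Criticality rating from the quantitative rows of Table 4.1.

Added example, not from the Handbook. Assumed conventions (labelled here):
 * the three table columns are scored separately and the asset's criticality
   is the highest rating reached in any column (a worst-case rule the table
   itself does not state);
 * financial bands use the printed strict '>' thresholds, so exactly 2%, 5%
   or 10% falls into the band below;
 * the safety column uses only the three rows recovered from the table
   (Low / Moderate / Significant).
"""
from dataclasses import dataclass
from enum import Enum, IntEnum
from typing import Dict, List, Optional


class Rating(IntEnum):
    LOW = 1
    MODERATE = 2
    SIGNIFICANT = 3
    HIGH = 4


class SafetyImpact(Enum):
    """Third column of Table 4.1: worst injury expected from loss of the asset."""
    INSIGNIFICANT = "insignificant safety implications"
    FIRST_AID = "safety incidents requiring first aid treatment"
    MEDICAL_ATTENTION = "multiple injuries requiring medical attention"


# (threshold %, rating) from Table 4.1, checked from the highest band downwards.
PERCENT_BANDS = ((10.0, Rating.HIGH), (5.0, Rating.SIGNIFICANT), (2.0, Rating.MODERATE))

SAFETY_RATINGS = {
    SafetyImpact.INSIGNIFICANT: Rating.LOW,
    SafetyImpact.FIRST_AID: Rating.MODERATE,
    SafetyImpact.MEDICAL_ATTENTION: Rating.SIGNIFICANT,
}


def rate_percent_loss(pct: float) -> Rating:
    """Rate a loss given as % of NOPBT/EBITDA (first column) or as % of the
    revenue potential of businesses / local government (second column)."""
    if pct < 0:
        raise ValueError("loss percentage cannot be negative")
    for threshold, rating in PERCENT_BANDS:
        if pct > threshold:
            return rating
    return Rating.LOW  # the '<2%' band; exactly 2% lands here by the '>' rule


@dataclass
class CriticalityInput:
    asset: str
    financial_loss_pct: Optional[float] = None    # first column, % of NOPBT/EBITDA
    revenue_potential_pct: Optional[float] = None  # second column, % of revenue potential
    safety: Optional[SafetyImpact] = None          # third column


@dataclass
class CriticalityResult:
    asset: str
    per_column: Dict[str, Rating]  # only the columns that were supplied
    overall: Rating


def assess_criticality(item: CriticalityInput) -> CriticalityResult:
    """Score each supplied column and take the worst as the asset's rating."""
    per_column: Dict[str, Rating] = {}
    if item.financial_loss_pct is not None:
        per_column["financial"] = rate_percent_loss(item.financial_loss_pct)
    if item.revenue_potential_pct is not None:
        per_column["community_revenue"] = rate_percent_loss(item.revenue_potential_pct)
    if item.safety is not None:
        per_column["safety"] = SAFETY_RATINGS[item.safety]
    if not per_column:
        raise ValueError(f"{item.asset}: no assessment criteria supplied")
    return CriticalityResult(item.asset, per_column, max(per_column.values()))


def rank_critical_elements(items: List[CriticalityInput]) -> List[CriticalityResult]:
    """Most critical first, so threat and vulnerability work can start with the
    elements that matter most; ties keep their input order (sorted is stable)."""
    results = [assess_criticality(i) for i in items]
    return sorted(results, key=lambda r: r.overall, reverse=True)


if __name__ == "__main__":
    # Constructed sample inputs, not figures from the Handbook.
    sample = [
        CriticalityInput("billing system", financial_loss_pct=6.5,
                         safety=SafetyImpact.INSIGNIFICANT),
        CriticalityInput("water treatment plant", revenue_potential_pct=1.0,
                         safety=SafetyImpact.MEDICAL_ATTENTION),
        CriticalityInput("staff car park", financial_loss_pct=0.3,
                         safety=SafetyImpact.FIRST_AID),
    ]
    for r in rank_critical_elements(sample):
        print(f"{r.asset:22} {r.overall.name:12} {r.per_column}")
```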
Footnote 9: Specific threats, for example, may also be targeted against specific geographical locations (e.g. city CBD), industries (e.g. gas supply), or definable ethnic, religious or occupational groups (e.g. Sephardic Jews, paramedics) etc.
FIGURE 4.4 EXAMPLE THREAT TARGETING GRADIENT (see footnote 10)
Table 4.2
Targeting-Source Matrix (see footnote 11)
Columns: External (… client) | Internal (… staff/supervisor)
Row (label not recovered):
External: • Coercion • Terrorism • DOS/hacking attack • Virus attack
Internal: • Coercion • Information leak/misuse • Data integrity • Negligence
Row Indirect: (cells not recovered)
Footnote 10: Threats based on New York Times reports over the 2001–2003 period.
Footnote 11: The Threat-type Matrix is an example only. Specific matrices will need to be constructed depending upon the characteristics of the individual, organisation, or community and the environment within which they operate.
of terrorism means an act, including but not limited to the use of force
or violence on, or the threat thereof, of any person or group(s) of
persons, whether acting alone, or on behalf of or in connection with
the organisation(s) or government(s), which from its nature or context
is done for, or in connection with, political, religious, ideological,
ethnic or similar purposes or reasons, including the intention to
influence any government and/or to put the public, or any section of
the public, in fear'. (A more detailed examination of terrorism
definitions is provided in Appendix H.)
• Incidental threats are threats that result from potential actions or
events that are not intended to cause harm, but nevertheless present
a security threat. This could include threats arising from: natural
events (e.g. storm damage resulting in loss of power to barrier
protection systems), acts of negligence (inadvertently posting
sensitive information to an internet newsgroup) or pranks and
practical jokes that result in destruction of assets, injury to people, or
loss of physical or virtual integrity.
A useful tool to assist in identifying threats is the Threat Tree (Figure 4.5),
which allows a series of credible threats and consequences to be
developed which can then be expanded upon to provide more detailed
threat scenario statements if required. The threat tree is developed by
creating a relationship map of potential activities and outcomes that could
arise against critical elements of the organisation, community or
individual. The threat-tree is based upon identifying:
• Type: using one or more of the four threat types described above
(although any other suitable categorisation of threat can be
substituted).
Footnote 12: Note that technically all terrorist acts and many malicious acts will at law constitute criminal acts. In certain circumstances incidental actions could also be regarded as criminal acts (e.g. wilful negligence).
• Act: acts, actions or activities that could occur within each category
of threat.
• Event: the nature of the interaction between the act and the
organisation, community or individual.
• Impact: the effect of the event upon the organisation, community or
individual.
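The Type/Act/Event/Impact structure described above, as an added worked example in Python (not the Handbook's own material): it assembles a threat tree from flat rows, expands each developed branch into a threat scenario statement, and flags branches that have not yet been taken down to an impact. The sample rows follow the kinds of entries shown in Figure 4.5; the use of None to mark an undeveloped branch and the statement wording are this example's own conventions.

```python
"""Threat tree built from Type -> Act -> Event -> Impact relationships.

Added example, not the Handbook's own material. Conventions assumed here:
 * rows are (type, act, event, impact) tuples; None for event or impact marks
   a branch that has been identified but not yet developed further;
 * the scenario wording is this example's own.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

Row = Tuple[str, str, Optional[str], Optional[str]]
# threat type -> act -> event -> impacts
ThreatTree = Dict[str, Dict[str, Dict[str, List[str]]]]

# Constructed sample following the kinds of entries shown in Figure 4.5.
SAMPLE_ROWS: List[Row] = [
    ("Malicious threat", "Arson", "Bushfire", "Infrastructure damage"),
    ("Malicious threat", "Vandalism", "Spray painting", "Loss of aesthetics"),
    ("Malicious threat", "Vandalism", "Spray painting", "Degraded public image"),
    ("Malicious threat", "Harassment", "Staff intimidation", "Staff safety, morale and efficiency"),
    ("Criminal threat", "Theft", "Laptop", "Financial loss"),
    ("Criminal threat", "Theft", "Laptop", "Compromised confidentiality"),
    ("Criminal threat", "Fraud", "False invoicing", "Financial loss"),
    ("Criminal threat", "Fraud", "False invoicing", "Reputation loss"),
    ("Incidental threat", "Storm damage", None, None),  # act noted, not yet developed
]


def build_threat_tree(rows: List[Row]) -> ThreatTree:
    """Assemble the relationship map; a duplicate impact on one branch is kept once."""
    tree: ThreatTree = defaultdict(lambda: defaultdict(lambda: defaultdict(list)))
    for threat_type, act, event, impact in rows:
        events = tree[threat_type][act]   # creates the act even when no event yet
        if event is None:
            continue
        impacts = events[event]           # creates the event even when no impact yet
        if impact is not None and impact not in impacts:
            impacts.append(impact)
    return tree


def scenario_statements(tree: ThreatTree) -> List[str]:
    """One statement per developed Type/Act/Event branch, listing its impacts."""
    statements = []
    for threat_type, acts in tree.items():
        for act, events in acts.items():
            for event, impacts in events.items():
                effect = ", ".join(impacts) if impacts else "impact not yet identified"
                statements.append(f"{threat_type}: {act} leading to {event}; impact: {effect}")
    return statements


def incomplete_branches(tree: ThreatTree) -> List[str]:
    """Branches that stop before an impact and so cannot yet be carried into analysis."""
    gaps = []
    for threat_type, acts in tree.items():
        for act, events in acts.items():
            if not events:
                gaps.append(f"{threat_type} / {act}: no event identified")
            for event, impacts in events.items():
                if not impacts:
                    gaps.append(f"{threat_type} / {act} / {event}: no impact identified")
    return gaps


if __name__ == "__main__":
    tree = build_threat_tree(SAMPLE_ROWS)
    for line in scenario_statements(tree):
        print(line)
    for gap in incomplete_branches(tree):
        print("TO DEVELOP:", gap)
```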
In identifying potential threats, the assessment needs to consider
reviewing:
• Past occurrences of threats and incidents;
• What is known to be happening currently; and
• What could plausibly happen into the future.
Consideration should also be given not only to those incidents that the
specific individual, organisation or community has experience with, but
also to experiences of other similar entities operating in similar
environments. There may also be some advantage in considering trends
emerging in other unrelated areas where this may indicate future
changes in more relevant security environments (increasing lunchtime
thefts of laptops in one city’s CBD office blocks, may forewarn of future
trends in a different city).
[Figure 4.5 Threat tree (example), as far as it can be recovered: Malicious threat – Arson → Bushfire → Infrastructure damage; Contamination → raw materials / Equipment → Loss of production, quality etc; Vandalism → damage / Spray painting → Loss of aesthetics, Degraded public image; Harassment → Staff intimidation → Staff safety, morale and efficiency. Criminal threat – Theft → Laptop → Financial loss, Compromised confidentiality; Fraud → False invoicing → Financial loss, Reputation loss.]
Footnote 13: Some government agencies define threat as a combination of motivation (which in many circumstances is synonymous with intent) and capability, and may also include opportunity. Since the majority of ‘opportunity’ issues are under the control of the target, this Handbook considers opportunity as an aspect of vulnerability.
Footnote 14: A summary of motivation, goal and targets can be found in Assessing Risks from Threats to Process Plants: Threat and Vulnerability Analysis. P. Baybutt, Process Safety Progress 21 (4), 269–275, December 2002.
Footnote 15: Punish perceived societal wrongs, e.g. specific targeting of fur retailers by animal rights organisations.
Footnote 16: Proxy atonement, e.g. kidnapping and murder of bankers and industrialists by Baader-Meinhof (a German left wing insurgent organisation, 1970–1998) to atone for the apparent ills of capitalist society.
Capability:
Capability considers the following attributes of the ‘aggressor’:
• Skills;
• Knowledge;
• Access to equipment (e.g. weapons, specialist equipment), finances
and other resources;
• Numbers of attackers/adversaries;
• Access to support networks, time; and
• Access or opportunity that would allow the threat source (individual or
group) to perpetrate an ‘attack’ against the target if they had the
intent to do so (provision of this opportunity will also be significantly
influenced by the vulnerability of the target).
By considering the types of threat and motivation, a range of credible
threat scenarios can be created, and by additionally examining the threat
sources’ capability an initial estimate of the likelihood of the threat can be
made. Historical trend data, previous incidents, intelligence (from local
police crime advice/intelligence) can be used to inform the development
of these scenarios.
Table 4.4
Example of a qualitative threat rating matrix
[Matrix cells not recovered. Recoverable structure: axes Intent and Capability, each rated Low, Moderate, Significant or High; outputs Threat likelihood, Successful threat likelihood and Threat level.]
the media and the extent and tone of any recent media
coverage,
− organisation’s industrial relations history and its existing
relationships with its workforce,
− attractiveness of the organisation, community, individual, or
the assets that they control. Attractiveness refers to the extent
that an ‘attack’ on the target will achieve the threat source’s
aims. For example, to a skilled burglar a high class jeweller may
be more ‘attractive’ than an impoverished pawn shop. However,
depending upon context, a small back street jeweller may be
more attractive to a drug abuser hoping to make some quick
cash and a quick getaway. Similarly, an elite shopping mall may
provide an opportunity to cause mass casualties, generate
widespread fear and greater international publicity for a terrorist
group, than would a small street of shops in a regional town.
This also includes the concept of the imagery effect, for
example a terrorist attack on a major international sporting
event. The target itself (the sports ground, teams or fans) has
little direct relevance to the terrorists per se. The imagery itself
(instant media coverage, broadcast world-wide) is the
attraction to the terrorists; and
• The environment within which the organisation is operating. Issues
that should be considered include:
− the frequency of other security incidents in the general area of
the site (for example facilities located in geographic areas with
high levels of illegal drug use, could reasonably expect a higher
threat of opportunistic burglaries),
Footnote 17: Where capability is known or can be estimated.
Footnote 18: Based on safety concepts discussed in Reason, J. Human error. Cambridge: CUP, 1990.
risk control ‘environment’ for the entity (see Figure 4.8), including:
• Effectiveness of the physical, electronic/logical, process and people
security controls, that act as countermeasures directly with any
perceived threats;
• The degree of visibility: this includes issues such as public profile,
media coverage, public access to ‘insightful’ information (e.g. facility
plans, personal information, work patterns, daily routines, etc). The
entity will have in place a range of controls that will determine the
extent to which the organisation is visible; some controls will serve to
limit visibility, whilst other controls may actively promote some
aspects of visibility. An example is the potential conflict between
maintaining the CEO’s confidentiality and privacy versus the activities
of the PR department in promoting the ‘brand’ of the CEO;
• Iconic status: the level to which the public (and the threat source)
view an individual, organisation or community as representing
particular social, political, religious, sovereign or ethnic views, ideals,
operations or presence (for example London’s Metropolitan Police
HQ at New Scotland Yard has an international iconic status as a
symbol of the traditional principles of law and order). To some extent
the organisation will have some control (at least in part) of the
development of its iconic status. It should at least have an awareness
of how its iconic status may promote certain types of security risk;
• The degree of threat access: this is really a special subset of the
controls in that it consists of both real and perceived controls, which
reflect the degree of access (both real and perceived) of the threat to
a critical asset. This may involve in practice, controls influencing
factors such as: open public access vs. secured private property;
remote geographical locations vs. CBD locations; etc;
[19] ‘Control environment’ is used to denote all mechanisms by which the security
risk might be managed, including policies, processes, behavioural, physical,
logical, electronic, and so on.
− sustainability,
− survival,
− incident response capability,
− incident recovery capability; and
• Incident management capability: this includes consideration of
controls such as:
− emergency planning and response capability,
− security planning and response capability,
− business continuity planning and response capability,
− disaster recovery planning and response capability,
− business recovery and resumption planning and capability,
− critical incident management capability.
[Figure 4.8 (diagram); labels recovered from the figure: Threat; Response; Control environment; Community, organisation, individual; Interdependencies; Collateral exposures; 3rd parties]
Table 4.5 [20] A generic vulnerability matrix
Vulnerability level | Assessment criteria
• Controls are non-existent, critical and urgent improvements have been identified.
[20] Source: Trident 2002; assignment to specific rating levels is based upon the best fit of one or more of the assessment criteria.
[21] ‘Deter’ and ‘Delay’ encompass the concepts of ‘prevention’.
• Detect an attack;
• Respond to the attack and its effects; and
• Recover from the attack and its effects.
We have termed this particular approach the R2D3 model [22]. The ‘Deter’
elements will be visible preventative elements of security controls, or will
be suspected to exist by would-be adversaries. This visibility may extend
into components of each of the other types of controls to provide further
overt deterrence. However, to remain effective, key elements of the
security control environment must always be maintained covertly from
would-be aggressors (Figure 4.9). Elements of the R2D3 model that are
planned for or implemented prior to any event form the preventative
controls for the organisation, community, or individual.
An example of its use in an assessment framework is provided in
Appendix J.
Table 4.6 [23] Example security control elements
[22] Gibson & Love 2007: Changing paradigms in security risk management (manuscript in preparation).
[23] Controls relevant to an identified threat, such as antisocial behaviour (e.g. vandalism, common assault etc).
[24] Red team: adoption of the persona of a potential aggressor to provide scenario based testing of the effectiveness of security controls and countermeasures.
[25] The Sandia Laboratories community vulnerability analysis considers issues such as: communications, power & electric, gas & oil, industry, water, banking & financial, education, government, transportation, emergency services, recreational venues, foreign represented governments, and special classifications (see Appendix K).
Table 4.7 [26] Australian Government’s composition of critical infrastructure
[26] Source: National Security Australia website, www.nationalsecurity.gov.au; Trusted Information Sharing Network website, www.tisn.gov.au
Vulnerability rating (H = high, M = medium, L = low) of each asset against each threat
Threat | Property asset 1 | Property asset 2 | Property asset 3 | People asset 1 | Information asset 1
Malicious threat 1 | H | M | M | M | M
Malicious threat 2 | M | H | H | H | L
Malicious threat 3 | L | L | L | L | L
Criminal threat 1 | H | M | L | H | L
Terrorism threat 1 | M | M | L | L | L
Incidental threat 1 | L | M | M | M | H
[Figure (diagram) with elements numbered 1 to 6; labels recovered: the threat source; the threat; the consequence; the assets; the event; vulnerability]
5 Analyse risk
5.1 Introduction
The aim of undertaking risk analysis is to:
• Determine the adequacy and appropriateness of existing controls to
manage identified priority risks;
• Prioritise risks for subsequent evaluation of tolerance or need for
[Figure 5.1 (diagram); labels recovered: Vulnerability analysis; identification; Likelihood analysis; Consequence analysis; Informs]
5.2.1 Consequence
Any risk will demonstrate a range of potential consequences, each of
which will be associated with different likelihoods (consequence –
likelihood pairs). This distribution of different consequences (with their
likelihoods) may show different trends for different types of risk. Some
risks may demonstrate normal distributions, whilst others may
demonstrate widely differing skews (see Figure 5.2).
[Figure 5.2: four panels, each plotting Likelihood against Consequence, showing differently shaped distributions]
5.2.2 Likelihood
The likelihood refers to the chance or probability of a security incident or
event occurring that would result in the particular consequence
determined according to Section 5.2.1. The likelihood can be estimated
as an absolute probability (e.g. occurring with a probability of between 0
and 1), as the chance that something will occur over a defined period
(e.g. 'over the next two years') or as a percentage chance of occurrence.
Remember, there are some things you simply cannot do with some types
of scales; if you do, the products could be nothing short of nonsense.
Table 5.1 Security risk consequence (illustrative example only)
Consequence rating | Financial consequence [27] [28] | Reputational consequence | Project/business consequence
Catastrophic | > $100,000,000 (> $5,000,000) [29] | Extreme negative coverage causing public outcry appearing consistently over weeks; Majority of stakeholders severely disadvantaged (months) | Serious process breakdown that prevents the achievement of mission critical objectives; Multiple severe injuries, including fatalities
Major | $5,000,000 - $100,000,000 (< $5,000,000) | Negative significant coverage, appearing consistently over weeks; Multiple stakeholders severely disadvantaged (weeks - months) | Serious process breakdown that substantially impedes the achievement of a core objective; Multiple severe injuries, or a single fatality
Moderate | $50,000 - $5,000,000 (< $50,000) | Negative coverage lasting for several days, and/or frequent re-occurrence for several weeks; Multiple stakeholders experience significant disadvantage (weeks) | Process breakdown that impedes the achievement of an important objective or causes extensive inefficiencies in key processes; Multiple casualties requiring hospital attention
Minor | $2,000 – $50,000 (< $10,000) | Minor negative coverage, limited circulation for one day; Minority of stakeholders experience disadvantage (days - weeks) | Process breakdown that impedes the achievement of one or more objectives or some inefficiencies in key processes; Minor injuries requiring medical attention
Minimal | < $2000 (< $1000) | Isolated brief coverage, single media outlet; Stakeholders experience minimal disadvantage (days) | Process breakdown or inefficiencies that have a limited impact on the achievement of an objective; Minor injury requiring first aid only
[27] Cumulative impact of all such occurrences of security incidences over a defined time period.
[28] Values represent corporate impacts.
[29] Values (in parentheses) represent local (e.g. regional office) impacts.
Table 5.2 Security risk likelihood (illustrative example only)
Likelihood | Criteria [30]
Almost certain:
• Over 99% probability, or
• ‘happens often’, or
• could occur within ‘days to weeks’
Likely:
• >50% probability, or
• ‘could easily happen’, or
• could occur within ‘weeks to months’
Possible:
• >10% probability, or
• ‘could happen, has occurred before’, or
• could occur within ‘a year or so’
Unlikely:
• >1% probability, or
• ‘has not happened yet, but could’, or
• could occur ‘after several years’
Rare:
• <1% probability
• ‘conceivable but only in extreme circumstances’
• exceptionally unlikely, even in the long term future
• a ‘100 year event’ or greater
Table 5.3 [31] Risk rating matrix (illustrative example only)
Likelihood (rows) against Consequence (columns):
Likelihood | Minimal | Minor | Moderate | Major | Catastrophic
Almost certain | Medium | Significant | High | Extreme | Extreme
[30] Use of probability needs to be carefully defined in each case that it is used,
e.g. probability of an armed robbery occurring over a defined number of
armoured car journeys.
[31] Yes! This is different to the matrix included in HB 436. The structure of the
rating matrix (even the use of a 3x3, 7x7 or 15x15 matrix) will very much
depend on the need of the risk assessment and the context within which it is
being conducted. It will be determined to a large extent by the development of
the evaluation criteria (explained in Section 3.6).
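The following is an added worked example, not part of the Handbook, showing how the thresholds of Table 5.2 and the visible row of Table 5.3 can be applied mechanically: an observed incident count over a defined exposure (years, or the armoured-car journeys of footnote 30) is turned into a probability over the assessment period, banded, and combined with a consequence rating through the matrix; a final check flags any matrix cell whose rating falls as likelihood or consequence rises. The Poisson conversion and every matrix row other than "Almost certain" are assumptions made here for illustration, not the Handbook's.

```python
"""Likelihood banding and risk rating in the style of HB 167 Tables 5.2 and 5.3.

Added worked example, not part of the Handbook. Assumptions (not from the
Handbook): incidents arrive independently at a steady rate (Poisson), so the
probability of at least one incident over an assessment period is
1 - exp(-rate * period); and every row of the matrix except "Almost certain"
is constructed for illustration.
"""
import math

# Table 5.2: probability thresholds, highest band first. A band applies when
# the probability over the assessment period exceeds its lower bound
# (">50%", ">10%", ">1%"); "Over 99%" and "<1%" close the two ends.
LIKELIHOOD_BANDS = [
    ("Almost certain", 0.99),
    ("Likely", 0.50),
    ("Possible", 0.10),
    ("Unlikely", 0.01),
]

CONSEQUENCES = ["Minimal", "Minor", "Moderate", "Major", "Catastrophic"]
RATINGS = ["Low", "Medium", "Significant", "High", "Extreme"]
LIKELIHOODS = ["Rare", "Unlikely", "Possible", "Likely", "Almost certain"]

# Table 5.3: the "Almost certain" row is the Handbook's; the other four rows
# are constructed here and would be replaced by the organisation's own
# evaluation criteria (Section 3.6).
RISK_MATRIX = {
    "Almost certain": ["Medium", "Significant", "High", "Extreme", "Extreme"],
    "Likely": ["Low", "Medium", "Significant", "High", "Extreme"],
    "Possible": ["Low", "Medium", "Medium", "Significant", "High"],
    "Unlikely": ["Low", "Low", "Medium", "Significant", "High"],
    "Rare": ["Low", "Low", "Low", "Medium", "Significant"],
}


def probability_over_period(incidents, observed_exposure, assessed_exposure):
    """Probability of at least one incident during the assessed exposure.

    Exposure is whatever footnote 30 asks you to define: years, or a number
    of armoured-car journeys. Poisson assumption, see the module docstring.
    """
    if incidents < 0 or observed_exposure <= 0 or assessed_exposure <= 0:
        raise ValueError("count must be non-negative and exposures positive")
    rate = incidents / observed_exposure
    return 1.0 - math.exp(-rate * assessed_exposure)


def likelihood_band(probability):
    """Map a probability over the assessment period to a Table 5.2 band."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must lie in [0, 1]")
    for name, lower_bound in LIKELIHOOD_BANDS:
        if probability > lower_bound:
            return name
    return "Rare"  # at or below 1%


def rate_risk(likelihood, consequence):
    """Look up the Table 5.3 rating for a (likelihood, consequence) pair."""
    if likelihood not in RISK_MATRIX:
        raise ValueError(f"unknown likelihood band: {likelihood!r}")
    if consequence not in CONSEQUENCES:
        raise ValueError(f"unknown consequence rating: {consequence!r}")
    return RISK_MATRIX[likelihood][CONSEQUENCES.index(consequence)]


def matrix_inconsistencies(matrix=RISK_MATRIX):
    """Return cells where a rating falls as likelihood or consequence rises.

    Footnote 31 leaves the shape of the matrix to the assessor; whatever
    shape is chosen, a rating that drops while either axis increases is a
    defect in the evaluation criteria, so this check belongs in their review.
    """
    rank = {r: i for i, r in enumerate(RATINGS)}
    problems = []
    for row_i, lik in enumerate(LIKELIHOODS):
        row = matrix[lik]
        for col_i, cons in enumerate(CONSEQUENCES):
            here = rank[row[col_i]]
            if col_i and here < rank[row[col_i - 1]]:
                problems.append((lik, cons, "falls as consequence rises"))
            if row_i and here < rank[matrix[LIKELIHOODS[row_i - 1]][col_i]]:
                problems.append((lik, cons, "falls as likelihood rises"))
    return problems


def assess(incidents, observed_exposure, assessed_exposure, consequence):
    """Full chain: observed frequency -> probability -> band -> rating."""
    p = probability_over_period(incidents, observed_exposure, assessed_exposure)
    band = likelihood_band(p)
    return {"probability": round(p, 3), "likelihood": band,
            "consequence": consequence, "rating": rate_risk(band, consequence)}


if __name__ == "__main__":
    # Constructed input: 3 incidents in 5 years of records, assessed over the
    # next 2 years, with a Moderate consequence.
    print(assess(3, 5, 2, "Moderate"))
    print("matrix inconsistencies:", matrix_inconsistencies())
```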
6 Evaluate risk
6.1 Introduction
Evaluating security risk involves determining which risks are tolerable,
and which risks require further attention (e.g. treatment). Criteria for
determining tolerability should originally have been developed whilst
establishing the 'context', and will usually include defining appropriate
consequence and likelihood tables and establishing levels where different
[Figure 6.1 (diagram): a gradient from Tolerable to Intolerable with increasing risk]
decreasing capacity to manage the risk will influence the decision on risk
tolerance. This in turn will tend to create decision making which is not
either/or (treat/not treat) but rather a question of when (treat now/treat
later) when risk levels in between the two extremes are considered.
[Figure 6.2 (diagram); labels recovered: Intolerable: treat immediately; Treat in the longer term; Monitor; Tolerable; Increasing risk; Incapacity to manage]
The other issue to consider in evaluation is that the decision is often not
about the time scale of treatment but about the degree of security applied. In
risk evaluation it is also important to recognise that applying additional
layers of security may have disadvantages or inhibit opportunities, and that
this may not be acceptable for lower risks.
Another approach to viewing tolerability to risk is based on the ALARP [32]
approach (‘As Low as Reasonably Practical’, Figure 6.3), which is
commonly seen in fields such as health, safety and environment. This
approach recognises the concept of a gradient of tolerability but divides
the gradient up into three broad bands based upon a:
• Broadly acceptable region, where risk reduction is not likely to be
required as any benefits realised are likely to be outweighed by
costs;
• Tolerable region (the ALARP region) where the risk is regarded as
tolerable only if further risk reduction is impracticable (for example
because of cost benefit considerations or an absence of a feasible
solution); and
• Broadly unacceptable region where risk cannot be justified, except in
extraordinary circumstances.
[Figure 6.3 (diagram): Magnitude of risk, running from the Broadly acceptable region through the tolerable (ALARP) region to the Broadly unacceptable region]
[32] ALARP = As Low As Reasonably Practicable.
7 Treat risk
7.1 Introduction
Where a security risk has been determined as intolerable (during the
evaluation step, see Section 6), some form of treatment may be required
to manage the risk. It will never be possible to completely remove all
forms of security risk. The aim is to manage the level of risk to a tolerable
level.
[Figure 7.1 (diagram); labels recovered: Understand: context, causes and sources of risk; potential events; analysis of risks. Treatment options: Exploit, Avoid, Share, Reduce, Retain. Cost Benefit. Decision making.]
[33] Industrial and special risks
conducted. All too often risk management, and the treatment step in
particular, deals with each risk in isolation. In particular, insufficient
attention is given to the causal factors of risk and their interaction. This in
turn tends to produce treatment options that are focused on managing
individual risks, with an inadequate consideration of how other risks will
be affected. Thus the treatment of one risk in one area may significantly
increase the exposure to risk in another area; for example, the
introduction of more rigorous access and egress controls may prevent an
effective emergency evacuation from a building.
A more holistic view therefore needs to be taken when evaluating
treatment options. The ‘what if’ question needs to be asked for each and
every option under consideration before implementation, preferably as
part of a cost-benefit analysis.
The cost benefit analysis
When selecting the most appropriate options for the treatment of risk, and
ensuring their compatibility with key objectives (e.g. corporate, government,
community objectives) and with the evaluation criteria developed
previously, a cost benefit analysis provides an objective
process for prioritising feasible treatment options and for disregarding
those that are not. A cost benefit analysis can be conducted either as a
formal or informal process and should consider as wide a range of issues
as possible, not just be restricted to financial considerations. The analysis [34]
should consider (see Figure 7.2):
• Direct issues, such as:
− benefits, arising from reduction in the likelihood or harmful
consequences of the security risk,
− costs, of implementing the proposed treatment and/or that could
arise if the risk eventuates (e.g. loss of an asset); and
[34] Consideration of costs and benefits should not be limited to just the entity
concerned. It may also be necessary to examine wider market, industry and
social costs and benefits.
[Figure 7.2 (diagram): cost benefit analysis of a treatment. Benefits and Costs, each Direct and Indirect, Internal and External, considered against: Objectives, $, Performance, Processes, Stakeholders, Reputation, Safety, People, Property, Information]
used such that the ‘general reader’ within the organisation is able to
gain an appropriate level of understanding;
• Treatment objectives and expected outcomes;
• Detailed actions, activities and processes that will be required in
developing and implementing the treatment;
• A clear ‘map’ for the implementation of the treatment;
• Resources required including budgets, personnel, equipment,
interdependencies, responsibilities and accountabilities;
• Key performance indicators and the monitoring and reporting
mechanisms that will be employed; and
• A communications plan that identifies the key stakeholders,
messages, channels, constraints, etc (see Section 2 for guidance on
the development of a communications plan).
[Figure (diagram): Monitor and review, with its three objectives Understanding, Performance and Assurance]
The monitor and review step has the objectives of achieving improved:
• Understanding, through:
− continuing awareness of changing contexts,
− continuing awareness of changing demands,
− learning from experience,
− learning from others;
• Performance, through:
− managing stakeholder expectations,
− measurement/review of effectiveness of process elements,
− measurement/review of effectiveness of management of risks,
− identifying and implementing improvements,
− enhancing integration with interdependencies; and
• Assurance, through ensuring and confirming compliance with:
− strategic requirements,
− policy requirements,
− operational requirements,
− regulatory requirements.
The concept of ‘monitor and review’ is based around the need to:
• Continuously examine the external and internal environments and
reconsider the context and its effect on security risk management;
• Redevelop the analytical outputs of the security risk management
process to reflect the changing context;
• Assess the efficiency and effectiveness of treatment plans in
mitigating the risks identified;
• Re-evaluate the appropriateness of treatment activities to manage a
dynamically changing risk environment;
• Measure the effectiveness and success of communications and
consultation activities undertaken;
• Ensure that timely and adequate improvements are implemented;
• Continuously examine the conduct of the security risk management
process and to adjust it to meet changing organisational needs and
capability;
• Ensure appropriate governance through reporting to appropriate
authorities, regulators, boards, stakeholders, management and staff
as required; and
• Focus on both conformance and performance measurement.
conducted to:
• Ensure that the incident and its aftermath were appropriately
managed;
• Identify any learnings from the response to, and recovery from, the
event and ensure that they are captured and used in subsequent
improvement activities;
• Review to what extent the risk profile may have changed;
• Determine the effectiveness of the current control framework and
existing treatment strategies and determine any additional treatment
improvements that need to be made;
• Investigate and identify, where relevant, the perpetrators of the event
and pursue them via administrative, civil or criminal process; and
• Communicate an improved understanding of security risk and its
management to staff, stakeholders, citizens, etc, where appropriate.
A Acknowledgments
The authors of the Handbook wish to acknowledge the following
individuals for challenging us with their considered wisdom and for their
encouragement during the development of this Handbook. We would also
like to extend our thanks to the many others who through their questions
and suggestions allowed us to eventually see the light.
[35] Definition from FEMA 452: Risk Assessment, A How to Guide to Mitigate Potential Terrorist Attacks Against Buildings, 2005.
Number | Title
AS/NZS 4360:2004 | Risk management
AS 4485.1—1997 | Security for health care facilities—General requirements

Number | Title
AS 1725—2003 | Chain-link fabric security fencing and gates
AS 2201.1—1998 | Intruder alarm systems—Systems installed in client's premises
AS 2201.2—2001 | Intruder alarm systems—Monitoring centres
AS 2201.3—1991 | Intruder alarm systems—Detection devices for internal use
AS 2201.4—1990 | Intruder alarm systems—Wire-free systems installed in client's premises
AS 2201.5—1992 | Intruder alarm systems—Alarm transmission systems
AS/NZS 2343:1997 | Bullet-resistant panels and elements
AS/NZS 3016:2002 | Electrical installations—Electric security fences
AS 3555.1—2003 | Building elements—Testing and rating for intruder resistance—Intruder resistant panels
Number | Title
AS/NZS 3749.1:2003 | Intruder alarm systems—Road vehicles—Performance requirements
AS/NZS 3749.2:1997 | Intruder alarm systems—Road vehicles—Installation and maintenance
AS/NZS 3809:1998 | Safes and strong rooms
AS/NZS 3810.1:1998 | Safes and strong rooms—Methods of test—Test for physical attack
AS/NZS 3810.2:1998 | Safes and strong rooms—Methods of test—Test for anchoring strength
AS/NZS 3810.3:1998 | Safes and strong rooms—Methods of test—Test for explosive resistance
AS 4145.1—1993 | Locksets—Glossary of terms
AS 4145.2—1993 | Locksets—Mechanical locksets for doors in buildings
AS 4145.3—2001 | Locksets—Mechanical locksets for windows in buildings
AS 4145.4—2002 | Locksets—Padlocks
AS 4421—1996 | Guards and patrols
AS/NZS 4601:1999 | Vehicle immobilizers
AS 5040—2003 | Installation of security screen doors and window grilles
AS 5041—2003 | Methods of test—Security screen doors and window grilles
AS 5039—2003 | Security screen doors and security window grilles
Number | Title
AS 4289—1995 | Oxygen and acetylene gas reticulation systems
AS 4332—2004 | The storage and handling of gases in cylinders
AS/NZS 4681:2000 | The storage and handling of Class 9 (miscellaneous) dangerous goods and articles
AS 4418.1—1996 | Supervisory control and data acquisition (SCADA)—Generic telecommunications interface and protocol—General
AS 4418.2—2000 | Supervisory control and data acquisition (SCADA)—Generic telecommunications and interface protocol—Fire alarm systems
AS 4509.1—1999 | Stand-alone power systems—Safety requirements
AS 4509.2—2002 | Stand-alone power systems—System design guidelines
AS 4509.3—1999 | Stand-alone power systems—Installation and maintenance
AS IEC 60300.3.1—2003 | Dependability management—Application guide—Analysis techniques for dependability—Guide on methodology
AS 60870.1.1—1998 | Telecontrol equipment and systems—General considerations—General principles
AS 60870.1.2—1998 | Telecontrol equipment and systems—General considerations—Guide for specifications
AS 60870.1.3—1998 | Telecontrol equipment and systems—General considerations—Glossary
Number | Title
AS 2805.1—1997 | Electronic funds transfer—Requirements for interfaces—Communications
AS 2805.2—2000 | Electronic funds transfer—Requirements for interfaces—Message
AS 2805.3—2000 | Electronic funds transfer—Requirements for interfaces—PIN management and security
AS 2805.4.1—2001 | Electronic funds transfer—Requirements for interfaces—Message authentication
AS 2805.5.1—1992 | Electronic funds transfer—Requirements for interfaces—Ciphers—Data encipherment algorithm 1 (DEA 1)
AS 2805.5.2—1992 | Electronic funds transfer—Requirements for interfaces—Ciphers—Modes of operation for an n-bit block cipher algorithm
Number | Title
AS 2805.5.3—2004 | Electronic funds transfer—Requirements for interfaces—Ciphers—Data encipherment algorithm 2 (DEA 2)
AS 2805.5.4—2000 | Electronic funds transfer—Requirements for interfaces—Ciphers—Data encipherment algorithm 3 (DEA 3) and related techniques
AS 2805.6.1—2002 | Electronic funds transfer—Requirements for interfaces—Key management—Principles
AS 2805.6.2—2002 | Electronic funds transfer—Requirements for interfaces—Key management—Transaction keys
AS 2805.6.3—2000 | Electronic funds transfer—Requirements for interfaces—Key management—Session keys—Node to node
AS 2805.6.4—2001 | Electronic funds transfer—Requirements for interfaces—Key management—Session keys—Terminal to acquirer
AS 2805.6.5.1—2000 | Electronic funds transfer—Requirements for interfaces—Key management
AS 2805.6.5.2—2000 | Electronic funds transfer—Requirements for interfaces—Key management—TCU initialization—Symmetric
AS 2805.10—2004 | Electronic funds transfer—Requirements for interfaces—File transfer integrity validation
Number | Title
AS ISO/IEC 15947 | Information technology – Security techniques – IT intrusion detection framework
AS ISO/IEC 18028 (all parts) | Information Technology – Security techniques – Network Security
AS ISO/IEC 18033 (all parts) | Information Technology – Security techniques – Encryption Algorithms
AS ISO/IEC 18044 | Information technology – Security techniques – Information Security Incident Management
AS ISO/IEC 19790 | Information Technology – Security techniques – Security requirements for cryptographic modules
HB 74:1996 | X.400 Security Implementation Guide
HB 171:2003 | Guidelines for the Management of IT Evidence
HB 174:2003 | Information Security Management—Implementation Guide for the Health Sector
HB 220:2000 | Safety Issues for software
HB 248:2001 | Organizational experiences in implementing information security management systems
MP 75:1996 | Strategies for the implementation of a Public Key Authentication Framework (PKAF) in Australia
Issue | External sources | Internal groups
Corruption levels and culture | CIA World Factbook, AsiaLink, international online media, World Economic Forum, World Bank, OECD | Government liaison, o/seas general managers, strategy and policy, operational areas, security managers, safety, community relations.
Disease outbreaks and trends (e.g. AIDS, SARS, Foot and Mouth Disease, etc) | World Health Organisation, Centers for Disease Control and Prevention | Safety, overseas general managers.
Social order and stability (including social unrest, civil disobedience, crime levels) | CIA World Factbook, local online media, DFAT website (travel advisories), US State Department website (travel advisories), UK Foreign Office Website (travel advisories), local police department and justice department websites, national/federal law enforcement sites. | Government liaison, o/seas general managers, security managers, investment, treasury.
Societal infrastructure, welfare and support | CIA World Factbook, government websites (e.g. health and social security sites), online media reports and commentary, OECD. | Government liaison, o/seas general managers, strategy and policy, operational areas, security managers, safety, investment, treasury.
Religious influences, including presence and local acceptability of fundamentalism | CIA World Factbook, local online media, DFAT website, US State Department website, UK Foreign Office Website. | Government liaison, o/seas general managers, strategy and policy, operational areas, security, safety.
Stability of supply (e.g. food, water, utilities, etc) | CIA World Factbook, local online media, DFAT website, US State Department website, UK Foreign Office Website, WHO website, World Economic Forum, OECD. | Government liaison, o/seas general managers, strategy and policy, operational areas, business continuity.
E Organisational reference sources for establishing the context
In developing the context there will be significant quantities of useful
information documented and generally readily available, including:
• Site plans, identifying:
− general layout,
− property borders,
− critical infrastructure, utilities, services, etc,
− site boundaries and borders,
− routes into and out of the site,
− some existing physical security controls (e.g. locations of CCTV
units, checkpoints, fences),
− location of sensitive operations and individuals,
− public and restricted access areas,
− emergency equipment (fire fighting, first aid, breathing
apparatus).
• Street maps, providing information on:
− external approaches,
− collateral exposures (e.g. neighbours, crowd areas, proximity to
other higher risk activities or infrastructure),
− visibility and accessibility of the site,
− surveillance and overwatch vulnerabilities.
• Policy and procedure documents.
• Legislation.
• Strategic and business plans.
• Internal audit reports.
• Business continuity plans, and test and exercise reviews.
• Risk management reviews.
• Management and Board reports.
• Security breach reports.
F Security risk management workbook [36]
a particular project.
The business case can then be used to develop a specific project plan
(see below).
Table F1 Business case template
[36] The worksheets within this Workbook are provided as examples only.
Table F1 (continued)
Consultation
List the people and/or organisations that have been consulted while developing the
business case and the project.
Deliverables and outcomes
What are the practical deliverables from the project?
Projected returns and benefits, including:
• Tangible (financial) benefits (such as cost savings, for example through reduced
revenue leakage or vandalism). For projects with extended duration or payback periods
it may also be appropriate to include net present values into the analysis.
• Intangible (non-financial) benefits (such as improved staff safety, improved quality of
decision making, reduced risk of unauthorised information disclosure).
Scope of activities (overview)
What is going to be done as part of the security risk management project?
Broad nature of security risks to be examined,
Suggested method to examine identified issues.
Methods to complete the project (How will the project be conducted)
Alternative methods to complete the project and meet the stated aims and objectives. For
each option explain how the method will be conducted, the advantages and disadvantages
for using it.
The preferred option should be identified and an explanation prepared on why the option
has been selected.
Detailed overview of preferred option
A detailed explanation of how the security risk management project will be conducted. A
detailed analysis of security risks to be examined (e.g. a risk assessment of fraud and
revenue leakage exposures).
Define accountabilities and responsibilities.
Identify project/ business owner, senior management sponsor.
Business locations, functions.
Critical interdependencies, including the demands that will be made on these
interdependencies.
Duration and timelines for the project.
Resources required:
• internal,
• external.
Time demands on other areas of the organisation.
External expertise.
Equipment.
Accommodation.
Budget breakdown
Budget breakdown, including:
• salaries and on-costs,
• consultancy fees,
• software development or purchase,
• report production, publishing, etc,
• travel cost,
• equipment and hardware (purchase or lease),
• overheads.
(continued)
Table F1 (continued)
2 Business objectives
2.1 Objectives of the project
• Detailed objectives and outcomes of the major steps below.
3 Requirements specification
3.1 General requirements
• Project Sponsor.
• Project Manager.
• Business unit involvement.
3.2 Contracting considerations (if expert contractors are engaged)
• Primary contractors.
• Intellectual property.
• Project reporting.
• Variations to cost.
• Warranty.
• Rights.
3.3 Phase (for each phase of the project)
• Objective of the phase.
• The steps involved.
• The outcomes of the phase.
• Organisational resources that will be allocated to the project team.
• The project team’s roles and responsibilities.
• Reporting requirements for the phase.
4 Project deliverables and milestones
4.1 Project reporting
• How will the project team report to the Organisation?
• What information the project team will provide.
• Status of the project.
37 Based on the Project Initiation Section in the Australian National Audit Office, Business Continuity Management—Keeping the Wheels in Motion Workbook, 2000.
Plan heading | Comment
• Percentage completed.
• Expected deliverables.
• Issues for note or action.
4.2 Deliverables and milestones
• Tables listing the deliverables and receivables that are required to meet the objectives of the project.
5 Project budget and administration
5.1 Budget
• Staff resources.
• Contract resources.
• Sources of funds.
5.2 Administration
• Change control.
• Resources and payment plan linked to deliverables.
• Resource constraints.
• Critical success factors.
6 Roles and responsibilities
6.1 Responsibilities
• Approvals for budget.
F4 Information collection worksheet
The description of the information that you have identified as a gap in your information should be entered into this table. The
Information Collection Worksheet is then used to determine who can provide the information required, when it is required by and
in what format. To ensure that you obtain the correct information, you should pose your information requirements as a question.
The questions should be started with—Who, What, When, Where, Why and How.
38 Based on the Admiralty Scale where the reliability and accuracy of information is judged. The information that is received to complete the security risk management process should be assessed using the Admiralty Scale, so misleading or false information can be discounted or assessed as to why it was provided.
39 Refer to criticality and vulnerability rating tables in Appendix I.
F5 (continued)
Columns: Asset | Location and owner | Risk scenario description | Criticality rating 39 | Criticality description | Vulnerability rating 39 | Vulnerability description | Overall ranking
Example entries: Criticality rating: Extreme. Criticality description: To individual, 5+ worker deaths, 10+ hospitalised. Overall ranking: Overall rating is EXTREME.
40 Details taken from information obtained when developing the Context—strategic, operational and security.
E.g. international/national communications node
41 Prioritised critical assets as identified in the criticality assessment.
42 Based on the Admiralty Scale where the reliability and accuracy of information is judged. The information that is received to complete the security risk management process should be assessed using the Admiralty Scale, so misleading or false information can be discounted or assessed as to why it was provided.
F8 Security risk assessment worksheet
Threat:
Columns: Risk (full description) | Consequence 43 | Likelihood 44 | Control effectiveness 45 (Deter, Delay, Detect, Respond, Recover) | Risk rating
43 The consequence of a security risk can usually be expressed as a measure of financial loss, stakeholder/community impact, reputational damage, loss of operational capability, or health and safety implications.
44 The likelihood refers to the chance or probability of a security incident occurring that would result in the particular consequence determined.
45 Should be assessed using the concepts of Deter, Delay, Detect, Respond and Recover.
F9 (continued)
Columns (each section): Objectives | Outcomes | Stakeholders | Strategy/Actions | Resource allocation/responsibility | Timetable | Reporting/Monitoring mechanism | Performance indicators
General
E.g. to ensure management commitment to the policies and principles of good security risk management practices.
People
E.g. to raise staff and contractor awareness of the security risk management practices.
Property
E.g. to provide staff and contractors with a safe and secure working environment.
E.g. ensure that an extensive and up to date Business Continuity Plan is developed and maintained.
Information
E.g. to ensure the access, storage and integrity of information (hardcopy and electronic) is in accordance with policies and procedures.
F10 Security risk management controls assessment checklist 46 (Example 1)
Columns: Security measure | Description | Control rating | Vulnerabilities | Proposed security improvements
Management
46 The checklist provides examples of criteria to be examined. This checklist will need to be customised to meet different contexts. The use of additional criteria should be considered for each assessment.
Property
Perimeter lighting
Internal lighting
Emergency lighting
Visitor sign-in
Visitor identification
Visitor escort
Reception set up
Contractors
Public access
On call security
Stranger challenge
Asset security
Asset identification
Maintenance schedule
Backup systems
Hygiene matters
Neighbouring premises
Transport systems
Personnel security
Training in crisis/emergency management
Disciplinary policies
Security awareness
Local information security 47
47 A more comprehensive list is contained within HB 231:2004 Information security risk management guidelines.
Consolidated Summary of security measures 48
48 The review should be used to ensure that there is a layered approach to the components of security risk management—people, property and information.
Telephone:
Facsimile:
Facility owner
Facility name
Type of facility
Postal address
metropolitan, suburbia)
F11 (continued)
Own personnel
Security personnel
Security company
Other
Security patrols
Security passes
Access control
Electronic systems
Visitor control
Outer fencing: Fence type; Condition; Gates
Inner fencing: Fence type; Condition; Gates
Lighting (this should include security lighting, perimeter lighting and other specialist lighting): Type; Number; Location; Adequacy
Intruder alarm systems: Type; Number; Location; Adequacy
Types of keys
Number of keys
Key security
Location of keys
Key management
Location of servers
49 A more comprehensive list is contained within HB 231:2004 Information security risk management guidelines.
Staff (roles and responsibilities): Permanent; Casual
Contractors (long term and short term)
Cleaners
Location of facility(ies)
Current security Yes No Details
Telephone
Switchboard
Police
Fire
Armed forces
Other
Current security Details
Information technology
Transport
Emergency services
Asset assessment
Date of risk review: 27th July 200x
Treatment planning approved by: Jane Doe, Deputy General Manager Plant B. Date: 17 August 200x
Columns: Risk | Treatment objectives | Options (in priority order) | Cost benefit analysis (preferred options in bold) (accept/reject) | Treatment strategy | Completion by (date) | Interdependencies with other risks and treatment plans | Responsibility for implementation
Risk: Vandalism resulting from fence breach.
Treatment objectives: Reduce likelihood of fence breach; improve likelihood of detection of breach.
Options (in priority order) with cost benefit analysis: Repair existing fencing (Accept); Replace with heavy gauge fencing (Reject); Introduce motion detectors (Reject); Introduce CCTV on fence lines (Accept); Increase frequency of security patrols (Accept).
Treatment strategy 1: Engage contractors to repair perimeter fences. Completion by: within 4 weeks. Interdependencies: Nil. Responsibility: Simon Templar, Maintenance Manager.
Treatment strategy 2: Engage security consultant to identify CCTV technical requirements, siting and solutions. Completion by: within 2 months. Interdependencies: IT server room introduction of CCTV monitoring. Responsibility: Will Gaytes, IT&T Manager.
Part 2: Detailed treatment action plan
Reliability
A Completely reliable
B Usually reliable
C Fairly reliable
D Not usually reliable
E Unreliable
F Cannot be judged or assessed
Accuracy
1 Confirmed by other sources
2 Probably true and accurate
3 Possibly true and accurate
4 Doubtful
5 Improbable
6 Cannot be judged or assessed
H Terrorism definitions
Terrorism has proven to be very difficult to define. The adage ‘one man’s terrorist is another’s freedom fighter’ still holds true. A number of different accepted definitions of terrorism are given below:
‘premeditated, politically motivated violence perpetrated against non-combatant targets by sub-national groups or clandestine agents, usually intended to influence an audience’. 50
‘the unlawful use of force or violence against persons or property to intimidate or coerce a government, the civilian population, or any segment thereof, in furtherance of political or social objectives’. 51
‘the unlawful use of, or threatened use of, force or violence against individuals or property to coerce or intimidate government or societies, often to achieve political, religious, or ideological objectives’. 52
An analysis of the key words used in 109 definitions of terrorism (based on work conducted by Schmid, 1988, quoted in Hoffman, 1998) illustrates the wide variety of views on the composition of terrorism.
50 US State Department.
51 US Federal Bureau of Investigation.
52 US Department of Defense.
[Figure: frequency (%) of key words across the 109 definitions of terrorism, axis 0 to 90%. Key words charted: Violence/force, Political, Fear, Threat, Effects and reactions, Victim/target, Purposive, Modus, Extranormality, Coercion/extortion, Publicity, Randomness, Civilian victims, Repetitive violence, Criminal, Demands made.]
I Example vulnerability rating matrices
I1 Visibility rating
Columns: Vulnerability (Visibility) level | Individual | Organisation 53 | Community
Very high
Individual: • Regular heavily publicised public
Organisation: • Internationally recognised brand or
Community: • Highly vocal and activist
53 Includes elements or parts of organisations, including buildings, infrastructure, branded vehicles, monumental structures etc.
High
Individual:
• Regular public appearances to broad general audiences.
• Regular appearances in the media.
• Is well known across local community.
• Name and images used regularly (e.g. weekly) by national media outlets, occasional international references.
Organisation:
• Recognised nationally or within all major population centres, regarded as one of the leaders in its industry or group.
• Actively and continuously promotes brand.
• Regarded as a national or state icon.
• Operation’s locations
Community:
• Significantly vocal and active community.
• Attract regular media interest.
• Recognised as an influential community of its type.
• Location of the community is fairly well known nationally.
• Community is held as an icon by some groups nationally.
Low
Individual:
• Has almost no public profile.
• Some personal details available via public database search.
• Is recognised with organisation or community, but little information known.
• Name and images used occasionally by local media outlets.
Organisation:
• Largely unknown outside of the local geographic area, has some recognition within its industry or group.
• Occasional promotion of brand.
• Has little iconic status.
• Operation’s locations are well known to a proportion of the local community, largely unknown outside of the local geographic area.
Community:
• Rarely vocal community.
• Rarely attracts media or public interest.
• Largely unregarded or unknown by similar communities of its type.
• Location of the community is only known within the local geographic area.
• Community has little iconic status.
Very low
Individual:
• Details, role and identity unknown to the public.
• Personal details completely unknown to third parties.
• Has very low profile within organisation, majority of staff would be unaware of existence.
Organisation:
• Largely unknown within the local geographic area, little recognition within its industry or group.
• Little promotion of brand.
• Has no iconic status.
• Unknown to local media.
• Little public knowledge of location of the organisation.
Community:
• Community has no public voice.
• Has no public or media profile.
• Community’s existence and location is unknown.
• Community has no iconic status.
Visitors by appointment.
• Movement within sites controlled.
• Active and passive monitoring of most key points.
• There is limited geographic access (remote location, limited transport options, etc).
Very low
• Public excluded from locality.
• Visitors require clearance.
• Movement within sites on as needs basis.
• Active and passive monitoring of all key points.
• There is restricted geographic access (very isolated location, transport by special charter only, etc).
to weeks).
• Limited number of local alternate providers.
Low
• Limited dependencies through to long term, acceptable capability continues.
• Significant disruption only likely in long term (months).
• Recovery from loss achievable in short term.
• Alternate providers accessible locally.
Very low
• Loss of interdependencies has little effect on capability.
• Significant disruption unlikely in long term (months).
• Recovery from loss achievable almost immediately.
• Plentiful alternate providers accessible locally.
54 Interdependencies could include critical suppliers of utilities or inventory, skilled contractors, transport and logistics systems, information providers, emergency service organisations, etc.
J Example components of a security control environment 55

Control                                                   Deter 56  Delay     Detect    Respond   Recover
Signage                                                   Yes       No        No        No        No
Perimeter barriers                                        Yes       Yes       No        No        No
Employee termination procedure                            No        No        No        Yes       No
Staff training                                            No        Yes       Yes       Yes       Yes
Personnel movement                                        Yes       Yes       Yes       Partial   No
Ethical frameworks and monitoring                         Yes       Partial   Yes       No        No
Identity cards                                            Partial   No        Yes       No        No
Law enforcement response                                  Partial   No        No        Yes       No
Management supervision                                    Yes       Yes       Yes       No        No
Risk management 57                                        Partial   Partial   Partial   Partial   Partial
Inventory control systems                                 Yes       Yes       Yes       No        No
Internal audit and other assurance practices              Partial   Partial   Partial   Partial   Partial
Lock-key practices                                        No        Yes       No        No        No
Housekeeping                                              No        Partial   Yes       Partial   No
Evacuation plans                                          No        No        No        Yes       No
Policy and process controls
planning
Business continuity management                            No        No        No        Yes       Yes
Corporate governance                                      Yes       Yes       Yes       Partial   Partial
Document control                                          No        Yes       Partial   Partial   No
Communications and public affairs policies and practices  No        No        Partial   No        No
Prior publicised responses to security breaches           Yes       No        No        No        No
Security access systems 58                                Yes       Yes       Partial   No        No
Intrusion detection and alarms                            Yes       No        Yes       No        No
Technology controls

55 Note: These are selected examples only, the list will need to be customised to meet different contexts. The use of additional controls should be considered for each assessment.
56 If the capability is visible, e.g. overt CCTV.
57 Will provide the means to identify exposures and treatment/improvement actions for each area of security measures.
58 If monitoring is in place.
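Footnote 48 asks the review to confirm a layered approach, and both the F8 worksheet and this appendix rate each control against Deter, Delay, Detect, Respond and Recover. The Python below is an added example, not part of the handbook: it parses a control register written in the flattened form of the table above (a constructed subset of its rows) and reports which functions rest on few or no fully effective controls. The function names and the one-control-per-line text format are assumptions.

```python
"""Layered-control coverage check over the five functions used in HB 167
Appendix J: Deter, Delay, Detect, Respond, Recover.

Added example, not part of the handbook. Assumed register format: one
control per line, its name followed by five Yes/Partial/No ratings.
"""
from collections import Counter

FUNCTIONS = ("Deter", "Delay", "Detect", "Respond", "Recover")
RATINGS = ("Yes", "Partial", "No")

# Constructed register: a subset of the Appendix J example rows.
REGISTER_TEXT = """\
Signage Yes No No No No
Perimeter barriers Yes Yes No No No
Employee termination procedure No No No Yes No
Staff training No Yes Yes Yes Yes
Identity cards Partial No Yes No No
Law enforcement response Partial No No Yes No
Lock-key practices No Yes No No No
Evacuation plans No No No Yes No
Security access systems Yes Yes Partial No No
Intrusion detection and alarms Yes No Yes No No
"""


def parse_register(text):
    """Return {control name: {function: rating}} from the flattened table.

    The last five tokens of a row are the ratings; everything before them
    is the (possibly multi-word) control name. Unknown ratings are rejected
    rather than silently counted as No.
    """
    register = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6:
            continue  # blank or malformed row, nothing to rate
        name, ratings = " ".join(tokens[:-5]), tokens[-5:]
        bad = [r for r in ratings if r not in RATINGS]
        if bad:
            raise ValueError(f"{name!r}: unknown rating(s) {bad}")
        register[name] = dict(zip(FUNCTIONS, ratings))
    return register


def layers(register):
    """Per function, (number of Yes controls, number of Partial controls)."""
    full, partial = Counter(), Counter()
    for ratings in register.values():
        for fn, rating in ratings.items():
            if rating == "Yes":
                full[fn] += 1
            elif rating == "Partial":
                partial[fn] += 1
    return {fn: (full[fn], partial[fn]) for fn in FUNCTIONS}


def coverage_gaps(register, min_full=2):
    """Functions that rely on fewer than min_full fully effective controls.

    Partial ratings are deliberately not counted: footnote 48's layered
    approach needs more than one control that actually delivers the function.
    """
    return [fn for fn, (full, _) in layers(register).items() if full < min_full]


def single_points(register):
    """Functions that depend on exactly one Yes control, mapped to its name."""
    result = {}
    for fn in FUNCTIONS:
        names = [n for n, r in register.items() if r[fn] == "Yes"]
        if len(names) == 1:
            result[fn] = names[0]
    return result


if __name__ == "__main__":
    reg = parse_register(REGISTER_TEXT)
    for fn, (full, partial) in layers(reg).items():
        print(f"{fn:8} full={full} partial={partial}")
    print("gaps:", coverage_gaps(reg))
    print("single points of failure:", single_points(reg))
```

On the constructed subset, Recover is the only function with a single fully effective control (staff training), which is the kind of finding the consolidated summary in F10 is meant to surface.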
K Community vulnerability assessment
The Sandia National Laboratories community vulnerability assessment 59 considers issues such as:
• Communications:
− telephone switching stations,
− computers,
− TV stations,
− radio stations,
− communication towers,
− power sources.
• Power and electric:
− substations,
− lines,
− generators (dams and nuclear power stations),
− backup systems.
• Gas and oil:
− refineries,
− storage,
− delivery systems.
• Industry:
− resources,
− services,
− products,
− facilities.
• Water:
− delivery systems,
− storage,
− sewage treatment plants.
59 Blaikie, P., Cannon, T., Davis, I. and Wisner, B. 1994. At risk: natural hazards, people’s vulnerability, and disasters. Routledge, London.
− highways,
− railways,
− terminals,
− bus stations,
− pipelines,
− waterways,
− marine ports,
− airports,
− storage area of fleet (aircraft, train, bus, ship, etc).
• Emergency:
− hospitals,
− first responder locations,
− shelters.
• Foreign based governments:
− embassies,
− consulates,
− designated residences of foreign officials,
− businesses.
• Recreational venues:
− parks,
− museums,
− auditoriums,
− tourist attractions.
• Special classification:
− churches,
− synagogues,
− abortion clinics,
− other.
M Some common approaches to analysing security risk
Some common approaches to analysing risk are summarised below. 60 Note that these have been expressed in the form of 'parameter (a)' × 'parameter (b)', as is the usual practice in many of the applications. However, this does not necessarily imply that these terms should or could be mathematically combined in this manner.
1.1) Risk = TL × I
Where
Risk = the security risk.
TL = the likelihood of the threat occurring.
I = the impact of the threat occurring.
1.2) Risk = S × LA
Where
Risk = the risk of an attack.
S = the severity of an attack.
LA = the likelihood of an attack.
60 Many of these formulae have been so widely used that an accurate attribution to their original source cannot be made with certainty.
61 Severity is calculated on the basis of loss of human life, revenue, assets and capabilities.
62 Homeland Security Framework, SAND 2002-0877, April 2002, Sandia National Laboratories.
63 Consequence can be measured by loss of life, economic impact, loss of public confidence or other metrics.
64 Threats are characterised by their means and likelihood of occurrence.
2.3) Risk = Cr × L × V
Where
Cr = the impact on an asset at that criticality level.
L = the likelihood of the risk occurring with that criticality level impact.
V = the vulnerability.
2.4) Risk = (T × V) × Cr
Where
T = the threat.
V = the vulnerability.
Cr = the criticality.
2.5) Risk = TL × V × Cr
Where
TL = threat likelihood comprising: general threat likelihood + specific threat likelihood.
V = vulnerability comprising: V = VG + VS + VR 65
where
VG = vulnerability to the general threat.
VS = vulnerability to the specific threat.
VR = vulnerability to the specific and general threats.
Cr = criticality comprising: Cr = CS + CP + CO
where
CS = social criticality.
CP = personnel criticality.
CO = organisational criticality.
65 VG = general (deter + detect + delay) vulnerabilities. VS = specific (deter + detect + delay) vulnerabilities. VR = general + specific (respond, recover) vulnerabilities.
The Critical Infrastructure Protection Risk Management Framework 66 combines vulnerability and threat measures to provide an estimate of likelihood in a rating matrix with a consequence measure to produce a risk rating level.
Table M1.1 Comparison of security risk analytical approaches
66 Australian Commonwealth Attorney General 2003.
[Figure: Table M1.1 (continued) maps the analytical approaches R = T × H, R = TL × I, R = S × LA, R = S × LA × (1−E), R = C × V × T, R = C × L × (1−E), R = C × L × V, R = Cr × L × V, R = T × V × Cr, R = S × (LA + LAS) × (1−E), R = TL × V × Cr and R = C × L onto the risk management process steps: establish the context, identify the risks, analyse the risks, evaluate the risks, treat the risks. Legend: informs; approximates; basis of.]
ASX: www.asx.com.au
AUSAID: www.ausaid.gov.au
Australian Bureau of Statistics (ABS): www.abs.gov.au
Centers for Disease Control & Prevention: www.cdc.gov
CIA World Factbook: www.ODCI.Gov/Cia/Publications/Factbook/Index.
Department of Foreign Affairs and Trade (DFAT): www.dfat.gov.au/
Intelcenter: www.intelcenter.com
London Financial Times: www.ft.com
Organisation for Economic Cooperation and Development (OECD):
www.oecd.org
Rand Corporation: www.rand.org
Terrorism Research Centre: www.terrorism.com
The Economist: www.economist.com
UK Foreign & Commonwealth Office: www.fco.gov.uk
UN Department of Economic and Social Affairs: www.un.org/esa/
UN statistics: http://unstats.un.org/unsd/methods/inter-natlinks/sd_intstat.htm
United Nations: www.un.org
US State Department ‘Patterns of Global Terrorism’:
www.state.gov/s/ct/rls/pgtrpt/
US State Department: www.state.gov
World Bank: www.worldbank.org
World Economic Forum: www.weforum.org
ISBN 0 7337 7899 2
Standards Development: Standards Australia, GPO Box 476, Sydney NSW 2001. Phone: 02 8206 6000. Fax: 02 8206 6001. Email: mail@standards.org.au. Internet: www.standards.org.au
Sales and Distribution: SAI Global. Phone: 13 12 42. Fax: 1300 65 49 49. Email: sales@sai-global.com