Book Excerpt: The Science and Art of Security Risk Assessment
Please enjoy this excerpt from The Science and Art of Security Risk Assessment by Dr. Glen Kitteringham, M.Sc., CPP, now available in the ASIS Store.
Chapter 4: Challenges with Risk Assessments
People typically don’t like complicated. They want simple problems with simple solutions. They want to be able to explain an issue in as simple a way as possible to ensure understanding. Additionally, there are senior management or owners who should make decisions about how to manage risk when it is presented to them. This puts the onus on the security manager to be knowledgeable in a variety of areas and to be able to communicate both complex risk issues and potentially complex solutions all the while worrying about their credibility and desire to obtain the financial support to purchase and implement these solutions. In addition to this, putting together a security program with its many elements is complicated. This will be discussed later in the chapter.
The reality of the risk matrix, and by extension the risk profile of an organization, is that it is a two-dimensional diagram of a complex multi-dimensional issue. Risk is complex with many elements to it. These include properly quantifying the probability of a threat materializing in the first place. Second is determining the impact. Third, it is determining how vulnerabilities will impact probability and criticality.
One single event can have vastly different outcomes. Take a trashcan fire. There is a trashcan sitting in an office. Someone can walk by it and flick a cigarette butt into it. If left alone, it has the potential to turn an entire facility into a raging inferno (if a number of conditions are concurrently met). Alternatively, the trashcan starts to smolder and a person walking by sees it and dumps their cup of coffee onto it, thereby extinguishing it. The same event can have two vastly different outcomes.
Using this simple example, the question that should be asked is how does one quantify the impact of an event? After all, every risk event, if allowed to unfold, has the potential to impact the organization at a severe level. One of the ways in which this can be done is by following the adage that the best predictor of the future is the past. This is where collecting good data is key (more on this in Chapter 5). Therefore, the best way to determine the probability and criticality of an event is based on what the site as well as other sites have experienced in the past. This is not to say that a worst-case scenario should not be considered, but then part of the issue is determining probability and criticality both before and after implementation of countermeasures. This is where vulnerability also comes into play.
Using again the example of fire in a facility, this threat does have the ability to destroy a facility. However, there are countermeasures in place including construction material which is usually made of nonflammable materials (at least in the commercial environment); the fire alarm system which is spread out like a central nervous system with all manner of heat, smoke and water movement sensors in place; and firefighting components including sprinklers, extinguishers, and hoses. Additionally, a facility would have an OH&S program of good housekeeping, work authorization permit process, hot work permit as well as general security patrols and fire watches detailed in the standard operating procedures.
These have all gone a long way in dramatically reducing both the probability and criticality of a fire breaking out. On top of this, the local fire department and rules and regulations, detailed in local, regional, or national fire codes, should be accounted for. All these security countermeasures lead to a reduction in the probability of a fire occurring. Vulnerabilities have the potential to increase the probability of a fire occurring. The fire alarm system may not be in top operating condition. Staff operating it may not have appropriate training. Fire extinguishing equipment may malfunction. The list can go on and on.
A complex example of risk is resolving the issue of security dealing with the homeless and vulnerable population harassing tenants and customers in a shopping mall in the downtown core of a city already suffering economic hardships when a pandemic arrives. There are many issues within this problem that are simply outside the realm of the security manager to be able to influence.
First is the issue of homelessness, an issue that governments all over the world have spent years tackling with untold billions spent on it, with limited success. Second, the economy overall is something that governments at all levels work on all the time and are impacted by domestic and international conditions. Third, brick and mortar shopping malls are struggling with the growth of online retailers. As more shoppers migrate online for lower priced merchandise which can be delivered to their home, shoppers are avoiding the malls.
Fourth, a global pandemic occurs which shuts down the economy for an extended period of time, forcing people to isolate at home and leaving the downtown cores of many cities wide open for the homeless to spread out. The presence of office workers and other customers, which in many cases acted as a natural braking system on some of the more outrageous behaviour of the homeless, is now missing. In some cases, the homeless and vulnerable have become more aggressive.
Fifth, there is a growing vocal group of homeless advocates chastising property owners and, by extension, security personnel for confronting the more outrageous behaviour of the homeless and vulnerable population, many of whom are legitimately suffering from mental and physical health issues along with addiction (Anonymous, 2016/2017; Enright, 2019; Hu, 2019; Lo, 2017).
After considering all these factors, now task the security manager with resolving it. How realistic is that? The question is then, how is such a complex issue to be detailed in a risk matrix that can be conveyed to others and that makes sense to both the risk assessor and others?
Solving a risk, or more realistically, reducing it to an acceptable level is even more complex. This has much to do with the expertise of the person in charge of the risk program (security manager) as well as their level of energy and enthusiasm in implementing a comprehensive security management program. It takes a tremendous amount of work to create, install, and maintain a security program. Some feathers may be ruffled. Staff may be alienated. Some staff and management simply do not want to follow the rules for a variety of reasons.
In addition, an important element is how well the organization that the security manager works for embraces the security program. The reality is that organizations get the kind of security program they deserve. Some organizations pretend that they care about security and they simply go through the motions.
Security protocols create barriers for both legitimate and illegitimate users alike. On top of this, if you have an organization where senior management or owners are arrogant, smug, think they are smarter than everyone else in the organization and look down upon those within the security department, then implementing a security program is going to be tough. And given that the risk assessment is the foundation for the security program, it is up to the security manager to make sure they have chosen the proper risk assessment methodology, have the proper data by doing their homework, and can and will present these complex issues to senior managers.
The Difference Between Theory and Reality
Most elements of managing a security program are easy to say and hard to do. For example, it is easy to say, “install a camera here,” “put in a new access control system,” or “have security staff start to search everyone.” The reality is far different.
Installing a camera system requires a considerable amount of knowledge in several areas. If the decision is made to install cameras, which by extension can mean a video surveillance (VS) system, then this will also include all the requisite equipment, including cameras, means of transmission and receiving, monitoring, and storage. Video surveillance should only be installed if a risk assessment has been conducted by a qualified risk assessor and it has been recommended that such a system is required.
A video surveillance project requires input from many individuals including IT specialists, multiple vendors to compare quotes, and an honest conversation with the individual who will manage the system to ensure they understand the complex requirements of managing it. The asset owner also needs to understand the pros and cons of video surveillance, the development of standard operating procedures around monitoring and response, a maintenance program, training, location of equipment, the decision to purchase outright or lease, and data protection. The list of project requirements is extensive and must be considered; otherwise the organization considering the video surveillance will make an extensive decision that may, or more likely may not, turn out to have value.
In addition to simply installing a video surveillance system, one must consider why the system is going in. Security cameras generally serve one or more of five purposes.
- It should deter criminal activity. However, there is mixed evidence to support the contention that video surveillance deters criminal activity (Biale, 2008; Piza, Welsh, Farrington & Thomas, 2019).
- The second reason to install surveillance equipment is to extend the surveillance capabilities of whoever is conducting surveillance to detect activity warranting assessment and follow up. However, surveillance operators will not be exclusively focusing on watching camera monitors waiting for something to happen so they can call another employee or law enforcement. Camera operators usually carry out a number of other activities and watching video monitors tends not to occupy much of their time.
- This leads to the third use of cameras, which is to create a record of activities that are caught on camera for after-the-fact investigations. This is effective as long as there is a camera to capture the activity. However, cameras are generally not installed simply for this reason due to the high cost.
- The fourth reason for installing cameras is to use them during real time to manage events. This generally requires an interface or communication link between the camera operator and field personnel.
- The fifth reason is the “feel-good” factor. Some people install them or wish them to be installed to feel safe. This is not necessarily a bad reason unless people are carrying out activities in unsafe areas, as the cameras themselves will not provide safety but simply a recording of events.
Video surveillance cameras do work when planned for. They simply require clear thought regarding their installation and usage. End users should not expect them to work without such. The issues discussed around the installation of cameras can be applied to most, if not all other countermeasures. They can all work; they just require knowledge and hard work to apply them.
The same can be said about conducting risk assessments. They simply require clear thought regarding their selection and usage. And they work; they just require knowledge and hard work to apply them.
The first risk assessment a person conducts will likely be time consuming and difficult. However, it is like everything else, the more a person conducts them, the easier they become, notwithstanding the challenges that have been laid out here. At the very best, a completed risk assessment will provide guidance to the organization in managing their security program and ultimately their risk profile.
The theory is that a risk assessment methodology is chosen, and that all data, both subjective and objective, is gathered, captured, and interpreted correctly.