Crim 3

The document discusses risk management and security risk assessment. It covers the phases of risk management including risk identification, risk assessment, risk reduction and mitigation, and risk monitoring and control. It also discusses tools and techniques for risk identification and assessment.

Uploaded by

saisai fudolig
SECURITY RISK MANAGEMENT
CHAPTER 5

CONCEPT OF RISK MANAGEMENT

Risk Management is a field of management focusing on risk reduction and analysis, using different methods and techniques of risk prevention that eliminate existing or future factors which may increase risks.

It is a systematic, repetitive set of interconnected activities aimed at managing potential risks, i.e. reducing the likelihood of their occurrence or reducing their impact.

The purpose of risk management is to avoid problems and negative phenomena, avoid the need for crisis management and to avoid
PHASES OF RISK MANAGEMENT

Risk management consists of four interrelated phases, namely:
• Risk Identification,
• Risk Assessment,
• Risk Reduction and Mitigation, and
• Risk Monitoring and Control.
01 RISK IDENTIFICATION

Risk identification is the process of listing potential risks and their characteristics.

Risk Identification Essentials

Risk identification is the first step towards risk minimization and understanding. If a risk is not discovered in the first phase, it may be found and included later, because risk identification is by nature an ongoing process.

Identification is a process of brainstorming. It isn’t an exact science and should be carried out continuously as new phases, experiences, and viewpoints are introduced. Being vital to the management process, there are some essentials to risk identification that guarantee maximum results, as follows:
1. Team Participation
2. Repetition
3. Approach
4. Documentation
5. Roots and Symptoms
6. Project Definition Rating Index
7. Event Trees

TYPE OF SECURITY RISK

Security risk is a term that indicates the risks associated with the security of people, assets and information. These include the following risk groups:
1. Personal security – property damage, health and life, protection of personal data
2. Physical security – equipment damage, disruption of the security equipment of objects and systems
3. Information security – breach of the security of data, a network or an information system; data abuse or corruption
Types of Risk Sources

Types of risk are defined in terms of their severity. In the field of risk management, the following sources of risk are distinguished:
1. Exposure
2. Failure
3. Crisis
4. Disaster
5. Opportunity
6. Attack
7. Human Stupidity
Risk Identification Tools and Techniques

1. Documentation Reviews – the standard practice for identifying risks is reviewing project-related documents such as lessons learned, articles, organizational process assets, etc.

2. Information Gathering Techniques – these techniques are similar to the techniques used to collect requirements. They include:
a. Brainstorming
b. Delphi Technique
c. Interviewing
d. Root Cause Analysis
e. SWOT Analysis
f. Checklist Analysis
g. Assumption Analysis
h. Risk Register
RISK ASSESSMENT

Security Risk Assessment is the process of identifying, assessing, and implementing key security controls in applications. It focuses on preventing application security defects and vulnerabilities.

* SECURITY RISK ASSESSMENT PROCEDURE
1. Understand the Organization and Identify
2. Specify Loss Events/Vulnerabilities
3. Establish Probability of Loss Risk and Frequency of Events
4. Determine the Impact of the Events
5. Develop Options to Mitigate Risk
6. Study Feasibility of Implementing Options
7. Perform Loss and Benefit Analysis

* SECURITY RISK ASSESSMENT TOOLS
1. Probability and Impact Matrix
2. Risk Data Quality Assessment
3. Probability and Impact Analysis
4. Monte Carlo Analysis (Simulation Technique)
5. Decision Tree
6. Risk Register Updates
Risk Probability Factors

Probability factors are conditions and sets of conditions that will worsen or increase asset exposure to risk of loss. They can be divided into the following major categories:

1. Physical environment – such as construction, location, composition, and configuration
2. Social environment – such as demographics and population dynamics
3. Political environment – such as the type and stability of government, and local law enforcement resources
4. Historical experience – such as the type and frequency of prior loss events
5. Procedures and processes – such as how the asset is used, stored, and secured
6. Criminal state-of-the-art – such as the type and effectiveness of tools of aggression
* Risk Assessment Matrix

A risk assessment matrix is made in the form of a simple table where the risks are grouped based on their likelihood and the extent of the damage or the kind of consequences that the risks can result in. It provides the project team with a quick view of the risks and the priority with which each of these risks needs to be handled.

The matrix is based on two criteria:

1. Likelihood – the probability of a risk occurring

2. Consequences – the severity of the impact or the extent of damage caused by the risk.

Likelihood of Occurrence

Based on the likelihood of its occurrence, a risk can be classified under one of five categories; its consequences are likewise classified under one of five categories:

LIKELIHOOD OF OCCURRENCE
1. Definite
2. Likely
3. Occasional
4. Seldom
5. Unlikely

CONSEQUENCES
1. Insignificant
2. Marginal
3. Moderate
4. Critical
5. Catastrophic
* Using the Risk Assessment Matrix

Once the risks have been placed in the matrix, in the cells corresponding to the appropriate likelihood and consequences, it becomes visibly clear which risks must be handled at what priority. Each of the risks placed in the table will fall under one of the categories, for which different colors have been used in the sample risk assessment template provided with this article.

Here are some details on each of the categories:

1. Extreme – the risks that fall in the cells marked with ‘E’ (red color) are the risks that are most critical and that must be addressed on a high-priority basis. The project team should gear up for immediate action, so as to eliminate the risk completely.

2. High Risk – denoted with ‘H’ on a pink background in the risk assessment template; these risks also call for immediate action or risk management strategies.

3. Medium – if a risk falls in one of the orange cells marked ‘M’, it is best to take some reasonable steps and develop risk management strategies in time, even though there is no hurry to have such risks sorted out early.

4. Low Risk – the risks that fall in the green cells marked with ‘L’ can be ignored as they usually do not pose any significant problem.
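As an added example (not part of the original slides), the following Python model shows how the matrix described in the two sections above is used in practice. The five likelihood labels and five consequence labels are the ones listed in the deck; the numeric scores (Definite = 5 down to Unlikely = 1, Insignificant = 1 up to Catastrophic = 5), the product score, and the score thresholds that place a cell into the E/H/M/L categories are assumptions, because the deck does not say which cells carry which colour. The risk register entries are constructed sample data, and the rule that Low risks need no action follows the text above.

```python
"""Risk assessment matrix: likelihood x consequence scoring and a prioritized
risk register. Added example; scale labels are from the slides, numeric scores
and category thresholds are assumptions."""
from dataclasses import dataclass

# Scales exactly as listed on the slides. Likelihood is scored high-to-low
# (Definite = 5 ... Unlikely = 1) and consequence low-to-high
# (Insignificant = 1 ... Catastrophic = 5). The numbers are an assumption.
LIKELIHOOD = ("Definite", "Likely", "Occasional", "Seldom", "Unlikely")
CONSEQUENCE = ("Insignificant", "Marginal", "Moderate", "Critical", "Catastrophic")

# Assumed category thresholds on the product score (1..25). The slides name the
# categories E/H/M/L but do not say which cells fall into each.
THRESHOLDS = ((15, "E"), (10, "H"), (5, "M"), (0, "L"))
CATEGORY_NAMES = {"E": "Extreme", "H": "High", "M": "Medium", "L": "Low"}


def likelihood_score(name: str) -> int:
    """Definite -> 5, Likely -> 4, ..., Unlikely -> 1."""
    return len(LIKELIHOOD) - LIKELIHOOD.index(name)


def consequence_score(name: str) -> int:
    """Insignificant -> 1, ..., Catastrophic -> 5."""
    return CONSEQUENCE.index(name) + 1


def risk_score(likelihood: str, consequence: str) -> int:
    """Product score that places a risk in the matrix (1..25)."""
    return likelihood_score(likelihood) * consequence_score(consequence)


def rating(score: int) -> str:
    """Map a product score onto the E/H/M/L cell categories (assumed thresholds)."""
    for floor, code in THRESHOLDS:
        if score >= floor:
            return code
    return "L"


def rate(likelihood: str, consequence: str) -> str:
    """Category code for one (likelihood, consequence) cell."""
    return rating(risk_score(likelihood, consequence))


def build_matrix() -> dict:
    """Every (likelihood, consequence) cell of the 5x5 matrix with its code."""
    return {(lk, c): rate(lk, c) for lk in LIKELIHOOD for c in CONSEQUENCE}


def render_matrix() -> str:
    """Plain-text matrix: rows are likelihood, columns are consequence."""
    cells = build_matrix()
    width = max(len(c) for c in CONSEQUENCE) + 2
    rows = ["".ljust(12) + "".join(c.ljust(width) for c in CONSEQUENCE)]
    for lk in LIKELIHOOD:
        rows.append(lk.ljust(12) + "".join(cells[(lk, c)].ljust(width) for c in CONSEQUENCE))
    return "\n".join(rows)


@dataclass(frozen=True)
class Risk:
    """One risk register entry (fields are an assumption about register layout)."""
    risk_id: str
    description: str
    likelihood: str
    consequence: str
    owner: str

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.consequence)

    @property
    def category(self) -> str:
        return rating(self.score)


# Constructed sample register; none of these entries come from the slides.
RISK_REGISTER = [
    Risk("R-01", "Unauthorized after-hours entry to the server room", "Occasional", "Critical", "Facility manager"),
    Risk("R-02", "Loss of unencrypted backup tapes in transit", "Likely", "Catastrophic", "IT security"),
    Risk("R-03", "Visitor badge not returned at exit", "Seldom", "Marginal", "Reception"),
    Risk("R-04", "Perimeter light outage in the car park", "Definite", "Insignificant", "Maintenance"),
]


def prioritize(register):
    """Order the register by score, highest first (ties keep register order)."""
    return sorted(register, key=lambda r: r.score, reverse=True)


def requires_action(risk: Risk) -> bool:
    """Per the slides, Low risks can be ignored; E, H and M need a response."""
    return risk.category != "L"


def group_by_rating(register) -> dict:
    """Risk ids per category, each group in priority order."""
    groups = {code: [] for code in CATEGORY_NAMES}
    for r in prioritize(register):
        groups[r.category].append(r.risk_id)
    return groups


if __name__ == "__main__":
    print(render_matrix())
    for r in prioritize(RISK_REGISTER):
        flag = "ACTION" if requires_action(r) else "ignore"
        print(f"{r.risk_id} {r.category} ({CATEGORY_NAMES[r.category]}) score={r.score:2} {flag}: {r.description}")
```

Changing THRESHOLDS is the single place to adjust when an organization's own template colours cells differently; the register logic does not need to change. Keeping likelihood and consequence as labels rather than raw numbers mirrors how the matrix is filled in during an assessment meeting, with the scoring kept in one function so that every risk is rated the same way.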
RISK REDUCTION AND MITIGATION

Risk reduction is identifying ways to eliminate risk, while risk mitigation is identifying ways to execute a strategy with less risk. Risk mitigation implies that you are proceeding with an activity but want to find ways to make it less risky. Risk reduction includes the possibility that you avoid an activity altogether because it’s too risky. Risk reduction encompasses both risk mitigation and risk avoidance.

Risk reduction and mitigation strategies include:

1. Contingency planning
2. Hazard prevention
3. Likelihood reduction
4. Risk avoidance
5. Risk transfer
6. Risk spreading
7. Risk transfer
8. Risk acceptance
* Risk Reduction and Mitigation Components

A logical mitigation strategy ties assets to threats and vulnerabilities to identify risks. Solutions for the identified risks typically enhance three facets of security: Policies, Procedures and Training; Physical/Electronic Security Systems; and Security Personnel.

1. Threat Assessments – a threat assessment is a logical process used to determine the likelihood of adverse events impacting your assets and to validate security levels. It utilizes a number of different data sources to assess real, perceived, and conceptual threats.

2. Vulnerability Assessments – a vulnerability assessment, sometimes referred to as a security vulnerability assessment, is the analysis of security weaknesses and opportunities. The fundamental method for assessing vulnerabilities is the security survey, which is a tool for collecting information about the facility. The goal of a vulnerability assessment is to identify and block opportunities for attacks against assets. By effectively blocking opportunities, security decision makers can mitigate threats and reduce risk.
3. Crime Prevention through Environmental Design (CPTED) – since no two facilities are exactly alike, a customized security survey can be made to identify the unique security posture of each facility. A vulnerability assessment can include an assessment of compliance with Crime Prevention through Environmental Design (CPTED).

CPTED is a security concept that attempts to influence the offender decisions that precede criminal acts, through elements of the built environment.

CPTED is based upon the theory that the proper design and effective use of the built environment can reduce crime, reduce the fear of crime, and improve the quality of life. Strategies used in support of this concept include natural surveillance, natural access control, and natural territorial reinforcement.

CPTED considers variables that can be risk predictors, such as: past crimes and threats, facility characteristics, current security measures, existing vulnerabilities, and liability analysis.
RISK MONITORING AND CONTROL

Risk monitoring and control is required in order to ensure the execution of the risk plans and to evaluate their effectiveness in reducing risk. It keeps track of the identified risks, including the watch list. It monitors trigger conditions for contingencies, monitors residual risks and identifies new risks arising during project execution. It also updates the organizational process assets.

* Purposes of Risk Monitoring

To determine if:

a. risk responses have been implemented as planned
b. risk response actions are as effective as expected, or if new responses should be developed
c. project assumptions are still valid
d. risk exposure has changed from its prior state, with analysis of trends
e. a risk trigger has occurred
f. proper policies and procedures are followed
g. new risks, not previously identified, have occurred

* Inputs to Risk Monitoring and Control

1. Risk Management Plan

2. Risk Register – contains the outputs of the other processes: identified risks and owners, risk responses, triggers and warning signs

3. Approved Change Requests – approved changes include modifications such as to scope, schedule, method of work, or contract terms. These may often require new risk analysis to consider the impact on the existing plan and to identify new risks and corresponding responses.

4. Work Performance Information – project status and performance reports are necessary for the monitoring and control of risks.
* Outputs of Risk Monitoring and Control

1. Risk Register Updates – the risk register is updated to include: a) outcomes of risk reassessments, audits, and risk reviews; updates may affect risk probability, impact, rank, response, etc. b) the actual outcome of risks, and of risk responses, which becomes part of the project file to be utilized on future projects.

2. Corrective Action – corrective action consists of performing the contingency plan or a workaround. Workarounds are previously unplanned responses to emerging risks. Workarounds must be properly documented and incorporated into the project plan and risk response plan.

3. Recommended Preventive Actions – used to direct the project towards compliance with the project management plan.

4. Project Change Requests – implementing contingency plans or workarounds frequently results in a requirement to change the project plan to respond to risks. The result is the issuance of a change request that is managed by overall change control.

5. Organizational Process Assets Updates – information gained through the risk management processes is collected and kept for use on future projects. This includes templates for the risk management plan, the probability-impact matrix, the risk register, and lessons learned.

6. Project Management Plan Updates – updates to the project management plan as a result of the approval of a requested change.

* Risk Monitoring Tools and Techniques

1. Risk Reassessment
2. Risk Audits
3. Variance and Trend Analysis
4. Reserve Analysis
5. Status Meetings
* SECURITY RISK EDUCATION

Security Risk Education is conducted to develop the security awareness of employees. The company security program should cover all employees, regardless of rank or position.

> Objectives of Security Risk Education

1. Guidance for all supervisory and executive levels of the organization
2. A mandatory security indoctrination for new personnel before their assignment to their respective jobs
3. Development of a high degree of security consciousness among the selected supervisors and other key personnel, in a program that should be continuing and supported by top management
4. A down-the-line security program aimed at instilling consciousness and dedication through various methods of instruction such as demonstrations, lectures, motivation and suggestions
5. To let all employees in the work force be informed that they all belong to the organization and that non-awareness of the security program is tantamount to disloyalty
6. To develop discipline, loyalty and belongingness
* Phases of Security Risk Education
1. Initial Interview
2. Orientation and Training
3. Refresher Conference
4. Security Reminders
5. Security Promotion
* SECURITY SURVEY AND INSPECTION

One of the most important security services offered to a head of office is the conduct of security surveys and security inspections. Every unit chief desires a security system that will reduce to an absolute minimum the possibility of espionage, sabotage and compromise of classified information in his office or unit.

* SECURITY SURVEY

A security survey is an estimate of the security standards of a unit and is conducted to enable the responsible officer to recognize and evaluate security hazards and determine the protective measures necessary for the prevention of sabotage, espionage, subversive activities and other criminal acts, towards the protection of the interest and/or mission of the unit and/or
* Purpose of Security Survey

The security survey will be used by the senior facility manager or industrial planners in determining the type and extent of security controls for the facility or areas. Each type of physical security survey will include the determination of the security level of the facility and a security evaluation (threat assessment), which addresses the criticality of operations, the vulnerability of the facility or area, and the probability of compromise of the personnel or property contained therein.

Requirements in a Security Survey

As a standard rule, no survey is considered complete until all three of the factors below have been given full consideration and weight:

1. Criticality
2. Vulnerability
3. Probability
* Stages of Security Survey

1. Initial Survey – the initial physical security survey is conducted before constructing, leasing, acquiring, modifying, or occupying a facility or area.
2. Follow-up Survey – when recommendations are made in the initial physical security survey, a follow-up survey is conducted to ensure the completion of the modifications. This survey should be conducted before acceptance of the property or occupancy.
3. Supplemental Survey – conducted when changes in the organization, mission, facility, or the threat level of the facility alter or affect the security posture of the facility or area. This survey is conducted at the discretion of either the facility manager or the senior security officer.
4. Special Survey – the special survey is conducted to examine or resolve a specific issue, such as when there is a request for a Sensitive Compartmented Information (SCI) accredited facility or there is a need to investigate or assess damage resulting from an incident.
* SECURITY INSPECTION

A security inspection is a check of how well existing security measures and regulations are being carried out within a command. A security inspection may also include an investigation of alleged or suspected security violations. Physical security is concerned with forces, entrances and exits, guards, traffic control, lighting, fire control, and with such other physical measures which, if properly established and maintained, will deny access to unauthorized persons.