Enterprise Security Risk Assessments. What Are We Trying To Protect And Why?

By Don Williams.

Executives and managers understand the need to protect the assets of the organisation, and to do this they engage guards and security managers/supervisors at the local level. An enterprise security risk assessment (ESRA) is about looking at security in a different, broader way – supporting organisational capability.

An enterprise security risk assessment is an assurance tool utilised at the highest level possible to assess if the assets and functions of the organisation are protected. It can also be used to consider the security of future activities.

This article outlines the concept and value of the enterprise security risk assessment and is based on enterprise-wide security risk assessments conducted for a range of government and corporate clients.

Enterprise Security Risk Assessment

To gain an overview of what is encompassed by the concept of ESRA, it helps to review each element of Enterprise – Security – Risk Assessment in reverse order.

Risk Assessment

As per ISO 31000 and the earlier AS 4360, a risk is an event that could occur, the results of which may be beneficial or harmful. Risk assessment is a methodology for defining what could happen, why and when, and the effects of such an occurrence, and for identifying mitigation treatments to reduce unwanted risks to the lowest reasonable level. An assessment of the risks leads to the ability to manage the risks.

The usual matrix-based methodology requires the identification of the context, the identification of assets and threats, the definition of the risks, the determination of likelihood and consequence and their alignment on an agreed matrix to determine the risk rating. The resultant rating provides the basis for priority of treatment.

The risk is mitigated by either reducing the likelihood of the event occurring (by fixing some or all of the exposures identified in the Likelihood part of the assessment) or reducing the Consequences should the risk be realised. In all cases, the proposed risk mitigation treatments must be related to the observations in the assessment.

Once the mitigation treatments have been identified, the residual risk, should the proposed treatments be implemented, can be calculated, based on the reduced likelihood and/or consequences.

An enterprise security risk assessment uses a similar approach but differs primarily in the breadth of the assets and functions considered, and of the existing and potential mitigation treatments reviewed. The enterprise security risk assessment seeks to ensure the entire organisation is protected from all reasonable security threat vectors.

Security

Security, as the term is used here, means protection from deliberate, malicious human action, or Human Initiated Threat (HIT). Other management disciplines protect against human error, mechanical failure and alternate sources of damage and loss to the organisation, as shown in Figure 1.

Figure 1 Threat – Asset Relationship


An organisation can use a number of tools to assess its security:

  • Risk Assessments
  • Compliance checks
  • Threat assessments
  • Vulnerability assessments
  • Loss estimates

These are all elements of an enterprise security risk analysis.

Enterprise

An enterprise-wide assessment requires looking at issues from the organisational perspective: What are we trying to protect and why? The "what" is the key assets and functions that support the business. The "why" is to align security to the strategic goals of the organisation.

At the tactical (guards) and operational (supervisor/manager) levels, security measures relate to the assets and threats in the immediate area of responsibility. Enterprise thinking requires a broader view. It requires the consideration of:

  • The organisation’s aims, goals and image.
  • Not only assets but also functions: protecting what we do as well as what we have.
  • An understanding of other skills/disciplines and how they relate to security. For example:
      • Emergency management,
      • Workplace health and safety,
      • Human resources such as post-incident counselling,
      • Facility management,
      • Business continuity/resilience planning,
      • Media management and
      • Environmental management.

Once an ESRA has been completed for the entire organisation, the same methodology and mindset can be used to assess each main business unit (BU) by asking:

  • Does the individual BU, because of its assets, functions and threats, have all of the enterprise risks identified for the organisation? If not, which do not apply?
  • Does the individual BU have additional key risks not identified for the organisation? If so, what are they? (Perhaps there is a particular asset that only exists within this BU, or overseas staff, or within particular compliance requirements?)
  • Does the BU have particular mitigation measures that alter the organisational risk rating in their particular context? Or, are they limited after applying some of the organisational mitigation measures?

Examples include the differences between a BU that conducts bulk storage and one that has retail activities, or the considerations for a corporate headquarters, as opposed to a mining or manufacturing BU.

Enterprise can also relate to a new opportunity or endeavour. When the organisation looks to take on new activities or assets, it is of benefit to conduct an assessment to determine what security exposures will be generated and what new threats may result. New locations, new business processes, new relationships, all deserve a security assessment.

Another case for an enterprise security risk assessment is to pre-plan for an event that might occur where the specifics of the event cannot be known but the general nature of the threat can be predicted. An enterprise security risk assessment can provide general guidance as to what protective and response measures may be required. The specific details of the measures can be further determined if the event becomes more likely and the location can be identified. The security considerations for an organisational response to a natural disaster might fall into this category.

Definition Of ESRA

If enterprise security is ensuring the organisation is free to meet its goals, protected from deliberate, malicious human action, then the purpose of an enterprise security risk assessment is assurance:

  • Assurance that adequate levels of protection are in place.
  • Assurance that appropriate response measures are in place.
  • Assurance that future activities and assets will be protected.

What Are Enterprise Security Risks?

Defining the risk is often the most difficult part of the risk assessment process. Risks are often (incorrectly) expressed in terms of the threat, such as "terrorists", which is actually a source of risk, or in terms of a consequence, such as "tools are stolen from the workplace". The latter is not the risk but a consequence of a risk, such as a failure to protect tools.

Risk should be expressed in relation to the asset or function being protected. Enterprise risks relate to the entire organisation, or at least a complete business unit. It is suggested that Enterprise risks may include:

  • Failure to protect people.
  • Failure to protect information.
  • Failure to protect equipment.
  • Failure to protect reputation. (These four are collectively referred to as PIER; each is in the highest grouping that can effectively be assessed.)
  • Failure to identify a security incident.
  • Failure to respond appropriately to a security incident.
  • Failure to comply with (specific security-related requirements).

Figure 2 shows a potential breakdown of People as an asset at the highest levels possible for a security risk assessment. In this case, the environment is a judicial court system where four distinct populations have been identified, with each having its own threats, exposures and vulnerabilities. To enable an accurate assessment, two of the populations are further refined due to their movements, locations and specific security considerations.

 

 

Figure 2 Example of Asset (People) grouped at the highest level suitable for assessment

ESRA Process:

The process for an enterprise security risk assessment is:

  • Identify the organisation’s goals and aims.
  • Define the scope: Inclusions/exclusions.
  • Define the physical, temporal and organisational boundaries.
  • Agree on definitions for: Likelihood, consequences, risk ratings.
  • Identify the key assets and functions.
  • Identify threats.
  • Define enterprise risks in terms of key assets and functions.

For each defined enterprise risk:

  • Assess the effectiveness of existing (or proposed) protective measures on a systems basis.
  • Assess the effectiveness of existing (or proposed) consequence mitigation measures on a systems basis.
  • Define the likelihood of risk occurring, and the consequences should risk be realised.
  • Rate the risk.
  • Identify and recommend treatments to mitigate likelihood and consequences.
  • Rate the residual risk if treatments are implemented.
  • Draft risk management plan to implement recommended treatments.

While the above elements may be considered part of any matrix-based risk assessment, an enterprise security risk assessment specifically includes:

  • Emphasis on policies, procedures and processes.
  • Assessing treatment measures as systems rather than individual components.
  • The identification and recognition of inter- and intra-organisational relationships, responsibilities and protocols.
  • Considering the effect of other managerial disciplines on the security of the organisation’s assets and functions.
  • Considering the implications of treatments on the organisation’s goals and image when developing recommendations.

An enterprise review does not assess individual, technical or other measures; it reviews the system that includes the particular technology or process. Rather than checking if cameras are used, the question should be, are the cameras effective? For example, in relation to CCTV, the following could be assessed:

  • Has the intended purpose of the cameras been stated?
  • Is the equipment being used suitable for the stated purpose?
  • Are the sight lines and lighting correct?
  • What are the monitoring capabilities (procedures, training, qualifications)?
  • What recording and evidentiary capabilities are provided?
  • What are the response measures and how are they verified?
  • What maintenance and repair contracts are in place, and what are the associated maximum downtimes?
  • What other CCTV systems overlap areas of interest, and are arrangements in place to access their recordings?

Many security systems are based on deterrence and detection. A key consideration is, “What will happen when we find that for which we are looking?” For each detection capability, there needs to be associated response measures to ensure that the event is recorded, reported, contained and controlled with the minimum possible disruption to the organisation’s goals. Those goals may include maintaining its reputation for providing a safe and secure environment.

Likelihood

Given that there are assets or functions that are important, there may be those who wish to take or damage them. Threat is related to motive – why would they want to do this? It could be for financial gain, for business advantage, political reasons, personal gratification, or other reasons. The question is whether those who may wish to do us harm (the intent) have the capability. And this relates to whether we encourage them to attack by exposing our vulnerabilities.

While a local or tactical security risk assessment must be aware of the various threats and threat vectors (i.e. how each threat source may attack), an enterprise security risk review can adopt more of an all-hazards approach. Rather than trying to identify a protective measure for each potential attack, an all-hazards approach ensures that the asset is protected from all reasonable vectors, regardless of motive. If appropriate measures are in place to protect the item from the known and identified threats, then they (usually) will deter or detect attacks from other threat sources that are less easy to identify or quantify.

The preventative measures in place, both physical and procedural, should be reviewed to determine if they are effective barriers to the threat vectors. An enterprise review should be an honest and objective assessment of the entire system, not just a compliance check.

A security risk assessment will review available data and statistics, noting that security often deals with low likelihood/high consequence events and therefore a statistical basis for likelihood calculations may not exist and the likelihood rating may rely on qualitative rather than quantitative assessments. Exceptions to this generalisation may include events such as retail theft and graffiti. Statistics will indicate how many events have been recorded, not where the vulnerabilities are or which events were not detected or reported.

Likelihood is usually expressed in terms of how frequently the event may occur within a given period of time. It is essential that the temporal boundaries be defined: over what period of time is the risk being rated? At the enterprise level, this is more likely to be a longer period, for example the expected life of a facility or activity. An enterprise review can also be used to validate detailed, integrated planning for a specific short-term event, such as a shareholder meeting.

Consequence

The consequences, should the risk be realised, must be identified, based on what will be lost and usually expressed in terms of people, financial value, time and reputation. This can be altered depending on the business under review.

Response to a security event may rely on management areas outside security personnel and processes. An understanding of the related skills and disciplines and how they relate to security is an essential element of an enterprise security risk assessment, including emergency management, workplace health and safety and facility management. Each of these, as well as being able to assist security, may also present security vulnerabilities that need analysis.

For example, how is the site to be secured once it has been evacuated? Also, in relation to the courts environment (as shown in Figure 2), it is essential that the judiciary, witnesses, juries and prisoners all be considered in the evacuation plan to ensure they are separated and controlled. If not, the security of prisoners may be reduced, witnesses and juries may come into contact with each other and they may be exposed to those who would seek to influence them. In all cases, the trial or hearing will most likely be compromised because of a lack of security input to an emergency management plan.

For all organisations, how they manage the after-event media will be critical as an expected consequence will be a drop in business activity as clients migrate to competitors. Even for organisations where there is less competition, such as government departments and international airports, there may still be a reduced confidence in the capability to protect assets and functions and increased disruption due to investigations and inquiries.

Risk Rating

By comparing the likelihood and the consequence, the Risk Rating can be determined. The risk rating indicates the importance of the risk, the priority with which it must be reduced, who will be responsible for reducing the risk and who will monitor the risk reduction. For an enterprise review, the level of responsibility is likely to be higher than for a tactical security risk assessment.

Enterprise Risk Mitigation

In an enterprise assessment, the mitigation treatment measures may be directed to management areas other than security. Potential enterprise security mitigation recommendations might include:

  • HR revising its ability to provide post-incident counselling;
  • Contract management considerations for lighting, cleaning, chemical storage;
  • Inclusions or exclusions in staff induction training;
  • Alterations to business continuity and resilience plans;
  • Facility management and environmental considerations that affect how long staff and visitors can be held on the site during an external event; or
  • Revision of emergency plans to provide security during and after an evacuation.

Treatments have to be cost-effective (i.e. cost less than the assets they are protecting) and fit within the image and operating environment of the organisation.

The following are generic observations on risk mitigation treatments but are particularly pertinent to an enterprise review.

  • Each risk will usually require a number of treatments.
  • One treatment may address a number of risks (e.g. appropriate access control procedures/policies/practices/training/hardware may treat the likelihood element of a number of risks).
  • It is usually easier to reduce the likelihood (that is, to prevent access to the asset) than to mitigate the consequence once the event has occurred.
  • At the tactical level, it may not be possible to reduce the consequences: "if the event occurs, this will happen". But, at the enterprise level, reducing the consequences may be possible through the application of other resources, such as media management, legal support, HR and counselling support, and BCP.
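
The rating, treatment and residual-rating steps above can be worked through on a small register. The following Python sketch is an added example, not part of the original article: the 1–5 scales, the rating bands, the dollar values and the register entries are all constructed assumptions. It shows one treatment addressing several risks, several treatments combining on one risk, and a treatment being rejected because it costs more than the assets it protects.

```python
# Added illustration: the 1-5 scales, rating bands, values and register entries
# are constructed assumptions, not figures from the article.

def rate(likelihood, consequence):
    """Rate a risk on an assumed 5x5 matrix (levels 1-5, banded by product)."""
    score = likelihood * consequence
    if score >= 15:
        return "extreme"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"

# Enterprise risks expressed against the asset or function, with an assumed
# value at stake used for the cost-effectiveness test.
RISKS = {
    "people":      {"likelihood": 3, "consequence": 5, "value": 5_000_000},
    "information": {"likelihood": 4, "consequence": 4, "value": 2_000_000},
    "response":    {"likelihood": 3, "consequence": 4, "value": 1_000_000},
}

# Each treatment lowers the likelihood or the consequence of one or more risks.
TREATMENTS = [
    {"name": "Access control procedures, training and hardware", "cost": 300_000,
     "effects": {"people": ("likelihood", 1), "information": ("likelihood", 2)}},
    {"name": "Security input to the evacuation plan", "cost": 50_000,
     "effects": {"people": ("consequence", 1), "response": ("likelihood", 1)}},
    {"name": "Media management and counselling support", "cost": 80_000,
     "effects": {"response": ("consequence", 2)}},
    {"name": "Purpose-built secure archive", "cost": 3_000_000,
     "effects": {"information": ("likelihood", 1)}},
]

def assess(risks, treatments):
    """Return ({risk: (inherent rating, residual rating)}, [rejected treatments])."""
    residual = {key: dict(risk) for key, risk in risks.items()}
    rejected = []
    for t in treatments:
        protected = sum(risks[key]["value"] for key in t["effects"])
        if t["cost"] >= protected:  # not cost-effective: costs as much as it protects
            rejected.append(t["name"])
            continue
        for key, (dimension, steps) in t["effects"].items():
            residual[key][dimension] = max(1, residual[key][dimension] - steps)
    report = {
        key: (rate(risks[key]["likelihood"], risks[key]["consequence"]),
              rate(residual[key]["likelihood"], residual[key]["consequence"]))
        for key in risks
    }
    return report, rejected

if __name__ == "__main__":
    report, rejected = assess(RISKS, TREATMENTS)
    for key, (inherent, after) in report.items():
        print(f"{key:12} {inherent:8} -> {after}")
    print("rejected:", rejected)
```
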

Observations On The Methodology:

The traditional matrix-based methodology, while effective in assessing assets, is not particularly useful when assessing risks related to processes. That is, what happens if we do more or less of an activity? What if we put in too much or too little or the wrong element into the flow? What if we slow, stop or speed up the process? Risks related to processes may be better assessed using different methodologies.

The matrix methodology also has difficulty expressing extremely low likelihood/very high consequence risks such as those (usually) posed by terrorism. Based purely on statistics, it would hardly seem cost-effective to employ some of the current preventative measures. But, it is understood that if existing protective measures are reduced, the likelihood of such attacks will increase and the consequences of even one successful attack will be horrendous. Therefore, risks of extremely low likelihood can be assessed by considering the threat (the intent and capability of the perpetrator) and the exposures to the assets – usually related to weaknesses in the physical and procedural security measures.

Summary

ESRA is an assurance tool to provide those responsible for governance with a snapshot of whether the key assets and functions of the organisation are, or will be, protected from deliberate human action.

ESRA can be used to assess the security implications of future activities.

ESRA is not a check of locks and doors but more of a corporate assurance tool that not only protects but also supports the organisation’s goals and image.

Don Williams CPP holds qualifications in Security Management and Security Risk Management as well as Project and Resource Management and is a Certified Protection Professional. Don has provided professional managerial advice on security and strategic security analysis for over 25 years. Don has led enterprise-wide security risk assessments for a wide variety of private and public sector clients. He is the secretary of the Australasian Council of Security Professionals. Don can be contacted at donwilliams@dswconsulting.com.au.