When Risk Becomes Reality

By Michael Dever

Before considering what will/could/should/may happen after a major incident, definitional issues need to be considered. How is a ‘security-related atrocity’ or a ‘major event’ defined? In this context, the focus is on high-consequence, low-probability, low-frequency attacks that cause a major incident, and on the reasoned and logical response to that incident in the post-event stage.

This article seeks to offer further insights into contemporary security risk management methodologies and the design and management of physical security systems. It is not intended to discuss possible responses to specific major events, but rather to focus more on the process side of security risk assessments that are used to provide decision makers with appropriate advice about any protective security measures that may be required.

Security risk management (SRM) is closely linked with emergency management (EM) and business continuity/recovery planning. There should be a continuum between each of the pre-event (SRM, EM planning) and post-event (incident response, recovery) phases.

Security risks become security incidents if the probability parameter of the risk equation being used becomes 1. If the assessment has been done properly, the amount of uncertainty in it can also be tested as a tool for incident planning: adjust the risk parameters artificially and see ‘what if’.

Every trade and profession has its own vocabulary which is well known to its practitioners. Protective security is no different. Understanding words and their meaning is very important to a complete understanding of contemporary security risk assessment and management issues.

The Oxford English Dictionary defines atrocity (noun) as, “An extremely wicked or cruel act, typically one involving physical violence or injury.” There is no mention in this definition of the number of people involved as victims of actual physical violence. By this logic, an atrocity can be committed against an individual.

Atrocity can also have a humorous meaning, such as mocking people by referring to their fashion atrocities or even ‘security-related atrocities’. Security advisers are constantly bombarded with security-related atrocities in the form of the many inadequate (and therefore ineffective) physical security measures deployed to protect assets in the built environment. However, security professionals now have at their disposal various well-thought-out methodologies and tools to support modelling of physical security systems and their resilience to attack.

At the other end of the spectrum is what can only be described as ‘over the top’ (OTT) measures. OTT measures can even sometimes introduce their own security risks, particularly if humans are involved. Unless there is regular system testing, human complacency can set in and even heavily guarded facilities can be compromised by determined or delusional adversaries. At the very least, these OTT measures represent a potential wastage of resources that could be better used elsewhere.

The Australian Institute for Disaster Resilience provides this guiding definition of a major incident from an emergency management perspective: “An event which requires response by police, emergency services and the community which may affect a wider area over a longer period of time but is not a declared disaster.” Note that there is also no mention of the number of people affected in this definition.

Australians enjoy the protection of professional intelligence agencies, police, fire and rescue, ambulance and emergency response agencies. Nevertheless, no government can guarantee the safety of individuals or the public in all circumstances. All individuals bear a non-transferable responsibility to care for their own safety and that of those they cherish, and to mitigate the risks they face. If the collective has any responsibility, it should be to make its citizens aware of the realistic threats, based on facts, without creating even the perception of fear in the community.

Every now and then a major incident will occur, which causes society much reflection and reaction, especially if the number of people killed or injured rises much above whatever society’s risk tolerance level is for unacceptable death.

The recent tragic events in Melbourne have demonstrated how a population reacts to an attack on public safety itself. After all, Australians enjoy freedom and are meant to be able to walk the streets of their cities in relative safety without fear. It would be of interest to consider the reasons why certain types of attacks seem to attract more reaction, and how they relate directly to the human consequences of the apparent randomness of the event.

The Melbourne attack was not deemed to be a terrorist act. Terrorist act offences are contained in the Criminal Code Act 1995.

In the immediate aftermath of this major incident there were understandable emotional responses to the uncertainty caused by the attack. Society demands that a solution be found to the perceived ‘problem’ of public safety. In many cases, unless there is strong clear leadership from governments, there may be a loss of perspective about the real risks people face as they go about their daily lives and, consequently, faulty decisions are made regarding solutions to the problem, if indeed it is a problem.

As professional advisers, security personnel need to keep a calm head, even if others around them are not. Public safety decisions should be based on rigorous risk management practices and not knee-jerk reactions. As security professionals, the overall goal should be to reduce uncertainty for decision makers by improving security risk assessment methodologies.

It is fair to say that considerable intellectual effort has been applied globally over the past two decades to increase the international body of knowledge regarding security risk quantification and assessment methodologies for physical security. Improving methodologies and the accuracy of outcomes from any assessment (threat, vulnerability or risk) is not a case of iterating a flawed or inaccurate methodology. The goal should be to analyse the security risk assessment processes being used, so as to improve the reliability of the assessment and reduce uncertainty by gaining insights from experience and from qualified subject matter experts.

Risk-based approaches to security and public safety problems have been adopted by many governments and private sector organisations around the world with varying degrees of adoption, implementation, success and failure. Australian governments were early adopters of the risk-based approach to the many security challenges they are confronted with. The Commonwealth Government went from a prescriptive approach to protective security as defined in the now obsolete Protective Security Manual to the risk-based Protective Security Policy Framework (PSPF).

The Commonwealth Government now requires that departments and agencies prepare security plans based on security risk assessments in accordance with AS/NZS ISO 31000:2009 Risk management – Principles and guidelines and Standards Australia HB 167:2006 Security risk management.

ISO 31000 defines risk as “the effect of uncertainty on objectives”. Readers are immediately reminded by the Standard that risk is related to uncertainty. How many organisations mention uncertainty in their current security risk assessments?

The US Department of Homeland Security (DHS) Risk Lexicon defines uncertainty as: “[The] degree to which a calculated, estimated, or observed value may deviate from the true value.”

Uncertainty in security risk assessments has now been recognised by the US DHS as an issue worth considering. The DHS has created a separate branch for integrated security management, called risk analytics, as part of the evolution of risk assessment standards and processes to reduce uncertainty.

The Commonwealth PSPF defines physical security as, “The part of protective security concerned with the provision and maintenance of a safe and secure environment for the protection of agency employees and clients as well as physical measures designed to prevent unauthorised access to official resources and to detect and respond to intruders.”

From this definition and other PSPF documents, the Commonwealth’s asset protection objective is to deter or defeat an adversary who is attacking Australians by using a layered (zoned) physical security system with all the components of deterrence, detection, delay and response, based on a security risk assessment. When implementing physical security measures, it is critical to ensure that each component is effective. The tactical response, as well as recovery efforts and business continuity measures, should be tested to provide greater assurance about the measures deployed.

Internationally recognised best practices for critical infrastructure security suggest that the risk-based approach to physical security is based on the interplay of consequences, threats and vulnerabilities. Any security risk assessment will start with a comprehensive view of the threats faced by the organisation. Every organisation faces multiple threats from natural, technological and human sources (malicious or inadvertent).
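The two ideas above, a risk equation whose probability parameter can be pushed to 1 to see ‘what if’, and risk as the interplay of threat, vulnerability and consequence carrying a stated uncertainty, can be made concrete in a small model. This is an added illustration, not code from the article or any standard it cites; the multiplicative form of the equation, the low/high uncertainty bands and the sample assessment values are all constructed assumptions.

```python
"""Risk-equation 'what if' model: point estimate, uncertainty bounds,
sensitivity of each input, and the realised case where likelihood becomes 1."""
from dataclasses import dataclass, replace
from itertools import product

NAMES = ("threat", "vulnerability", "consequence")


@dataclass(frozen=True)
class Parameter:
    # estimate is the assessor's value; low/high bound how far it may
    # deviate from the true value (the DHS sense of uncertainty)
    name: str
    estimate: float
    low: float
    high: float


def risk(threat: float, vulnerability: float, consequence: float) -> float:
    """Assumed form: likelihood (threat x vulnerability, each in [0, 1]) times consequence."""
    return threat * vulnerability * consequence


def point_risk(params: dict) -> float:
    return risk(*(params[n].estimate for n in NAMES))


def risk_bounds(params: dict) -> tuple:
    """Evaluate every low/high corner; the spread is the uncertainty the assessment carries."""
    corners = [risk(*vals) for vals in product(*[(params[n].low, params[n].high) for n in NAMES])]
    return min(corners), max(corners)


def sensitivity(params: dict) -> list:
    """Swing in risk as each input moves low -> high with the others at their estimates, largest first."""
    swings = []
    for n in NAMES:
        def at(v, n=n):  # risk with parameter n replaced by v
            return risk(*[(v if m == n else params[m].estimate) for m in NAMES])
        swings.append((n, at(params[n].high) - at(params[n].low)))
    return sorted(swings, key=lambda s: s[1], reverse=True)


def what_if(params: dict, **overrides) -> float:
    """Recompute with chosen estimates replaced; threat=1, vulnerability=1 is the realised incident."""
    adjusted = {k: (replace(p, estimate=overrides[k]) if k in overrides else p) for k, p in params.items()}
    return point_risk(adjusted)


# Constructed sample assessment: likelihood inputs as probabilities, consequence in dollars.
ASSESSMENT = {
    "threat": Parameter("threat", 0.2, 0.1, 0.4),
    "vulnerability": Parameter("vulnerability", 0.5, 0.3, 0.8),
    "consequence": Parameter("consequence", 10_000_000, 6_000_000, 15_000_000),
}
```

With the sample values the point risk is $1.0M inside a $0.18M to $4.8M band, threat is the input whose uncertainty moves the answer most, and setting both likelihood factors to 1 collapses the risk to the full consequence.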

An important stage of a security risk assessment, which is often overlooked, is the vulnerability assessment of existing protective measures. Threats and vulnerability are often confused by stakeholders. Vulnerability assessments are designed to quantify (or even test) the effectiveness of existing physical security measures to inform the security risk assessment.

One of the benefits of using a risk-based approach to the design of physical security measures is that it gives security professionals the ability to scale the protection requirements and to apply metrics, such as measuring the effectiveness of a physical security system.

Organisations are increasingly taking a strategic security risk management approach to physical security planning. Asset protection objectives are determined by security risk assessments that take account of the various applicable laws and compliance standards. The risk-based approach gives decision makers a reasoned method for obtaining vital information about the selection of physical security measures, improving the use of scarce resources and measuring success.

What are you going to do when the probability of the security risk becomes 1?

Michael Dever CPP PSP RSecP RSA is a respected, highly qualified and experienced security professional. He can be contacted via email dca@bigpond.net.au