# Assessing Security Risks

04/01/2004

## A Quantitative Approach to Calculating Probability and Criticality

In response to a concerted need for guidelines regarding security issues in the United States, Alexandria, VA-based ASIS International established a Commission on Guidelines in 2001. One of the many resources available from this commission is ASIS' General Security Risk Assessment Guideline, which details a very systematic approach to assessing your security risks. For facilities professionals, this step-by-step reference is applicable in any environment where people and/or assets are at risk of a security-related incident or event. Following is an excerpt from the reference's Appendix II to help you, the facilities professional, take a quantitative approach in calculating probability and criticality.

There is more than one methodology for conducting risk assessments; the Guideline also offers a "Qualitative Approach." The entire guideline can be downloaded at no cost at (www.asisonline.org/guidelines/guidelines.pdf) - an important reference tool that is only briefly excerpted here.

### Loss Event Profile

Forecasting individual loss events that may occur is the first step in dealing with risk assessment. It requires clear ideas about the kinds of loss events or risks, as well as about the conditions, circumstances, objects, activities, and relationships that can produce them. A security countermeasure can be planned if the loss event has the following characteristics:

• The event will produce an actual loss, measurable in some standard medium, such as money.
• The loss is not the result of a speculative risk in that non-occurrence of the event would not result in a gain.

The kinds of events that are loss-only oriented and which involve so-called "pure risks" include crime, natural catastrophe, industrial disaster, civil disturbance, war or insurrection, terrorism, accident, conflicts of interest, and maliciously willful or negligent personal conduct. The recognition of even obvious risks implies some estimate of the probability that the risk actually will produce a loss. To the extent that the risk itself is concealed, the task of estimating probability of occurrence is more difficult.

### Loss Event Probability or Frequency

Probability can be formulated as the number of ways in which a particular event can result from a large number of experiments which could produce that event, divided by the number of those experiments. Stated as an equation, this is:

P = f / n

where:
P = the probability that a given event will occur
f = the number of actual occurrences of that event
n = the total number of experiments seeking that event

For example, the probability of shoplifting at a given location during a given year is determined as: P (probability) = the number of days on which actual shoplifting events occurred during the year divided by 365. Although this simple statement illustrates a direct way to calculate probability mathematically, it is not enough for practical application to security loss situations. Some events will occur more than once, but other events will occur only once, and the reaction will so change the environment that the theoretically probable further occurrences will be prevented. As a basic concept, the more ways a particular event can occur in given circumstances, the greater the probability that it will occur. For effective assessment of probability, as many as possible of those circumstances that could produce the loss must be known and recognized.

### Probability Factors/Factor Analyses Application

Conditions and sets of conditions - probability factors - that will worsen or increase asset exposure to risk of loss can be divided into the following major categories:
1) Physical environment (construction, location, composition, configuration).
2) Social environment (demographics, population dynamics).
3) Political environment (type and stability of government, local law enforcement resources).
4) Historical experience (type and frequency of prior loss events).
5) Procedures and processes (how the asset is used, stored, secured).
6) Criminal state-of-art (type and effectiveness of tools of aggression).

The practical value of loss risk analysis depends upon the skill and thoroughness with which the basic risks to an enterprise are identified. This is the first and most important step in the entire process. Every aspect of the enterprise or facility under review must be examined to isolate those conditions, activities, and relationships that can produce a loss. For an effective analysis, the observer must take into account the dynamic nature of the enterprise on each shift and between daylight and darkness. The daily routine must be understood, because the loss-producing causes can vary from hour to hour.

### Risk Matrix

After analysis has identified the specific threats or risks, the details that make occurrence of each event more or less probable can be recorded. The method suggested is a grid or matrix arranged either by asset or by type of risk, setting forth all the factual elements relevant to probability. Matrices describe a particular situation with respect to each of the risks identified in the general fact gathering. The frequent absence or scarcity of historical occurrence data often makes it impossible to calculate probability on a purely quantitative basis and requires some degree of qualitative assessment.

### Probability Ratings

After all the available data concerning each risk and its factual circumstances have been gathered, a probability rating can be assigned to that risk. Ratings will not consider any precaution or countermeasure that may later be taken to reduce or eliminate the risk. A primary purpose of such unconditional ratings is to allow for later priority scheduling in the selection of countermeasures. It may be enough to be able to say one event is more probable than another. To say this about entire series or categories of events, it must be possible to assign each to some class that can then be compared with other classes to arrive at a conclusion of "more likely" or "less likely." Five categories of probability can establish useful distinctions among events, as follows:

(A) Virtually Certain. Given no changes, the event will occur. For example, given no changes, a closed intake valve on a sprinkler riser will prevent water flow in event of fire.
(B) Highly Probable. The likelihood of occurrence is much greater than that of non-occurrence. For example, unprotected currency lying visible on a counter is very likely to be taken.
(C) Moderately Probable. The event is more likely to occur than not to occur.
(D) Less Probable. The event is less likely to occur than not to occur. This does not imply impossibility, merely improbability.
(E) Probability Unknown. Insufficient data are available for an evaluation.

This approximate system of ratings contains wide latitude for variation. Two observers could assign different probabilities to the same risk, based upon different evaluations of the circumstances. But an advantage of this technique is that absolute precision is not important. If the correct general label can be attached, it doesn't matter that a highly probable risk might have a ratio of 0.751 or 0.853. What is important is to be able to segregate all risks of virtually certain probability from all others, and to make similar distinctions for each other general class. Even competent professionals may disagree on what is highly probable and what is moderately probable. To compensate for inexactness, if a rating is in doubt after all available information has been gathered and evaluated, then the higher of two possible ratings should be assigned.
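The following added example (not part of the ASIS Guideline or the original article) applies P = f / n to an incident log, counting days with at least one occurrence as in the shoplifting example, and then assigns one of the five probability classes. The incident log, the numeric cut-offs between classes, and the minimum observation period are assumptions made for illustration; the excerpt defines the classes only in words.

```python
from datetime import date, timedelta

# Constructed one-year incident log (day, event type); not data from the Guideline.
START, N_DAYS = date(2003, 1, 1), 365
DAYS = [START + timedelta(i) for i in range(N_DAYS)]
LOG = [(d, "shoplifting") for d in DAYS if d.weekday() != 6]   # every day but Sunday
LOG += [(d, "vandalism") for d in DAYS if d.day == 1]          # first of each month
LOG += [(START, "shoplifting"), (START, "vandalism")]          # repeat incidents, same day

# Assumed cut-offs: the excerpt defines the classes in words only. 0.75 keeps the
# article's 0.751 and 0.853 in "Highly Probable"; 0.95 and MIN_DAYS are hypothetical.
VIRTUALLY_CERTAIN, HIGHLY_PROBABLE, MIN_DAYS = 0.95, 0.75, 90


def probability(log, event_type, n_days):
    """P = f / n, where f counts distinct days with at least one occurrence."""
    f = len({day for day, kind in log if kind == event_type})
    return f / n_days


def rating(p, n_days):
    """Map P to the article's classes A-E, before any countermeasure is considered."""
    if n_days < MIN_DAYS:
        return "E"            # Probability Unknown: insufficient data
    if p >= VIRTUALLY_CERTAIN:
        return "A"
    if p >= HIGHLY_PROBABLE:
        return "B"
    if p >= 0.5:
        return "C"            # exactly 0.5 is in doubt, so the higher class applies
    return "D"


def resolve(r1, r2):
    """Two observers disagree: assign the higher rating. E is unranked (ValueError)."""
    return max(r1, r2, key="DCBA".index)


if __name__ == "__main__":
    for kind in ("shoplifting", "vandalism"):
        p = probability(LOG, kind, N_DAYS)
        print(f"{kind}: P = {p:.3f}, rating {rating(p, N_DAYS)}")
    print("observers say B and C ->", resolve("B", "C"))
```

Counting distinct days rather than raw incident records matters here: the repeated same-day entries in the log do not change f.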

### Loss Event Criticality

Highly probable risks may not require countermeasures attention if the net damage they would produce is small. But even moderately probable risks require attention if the size of the loss they could produce is great. The correlative of probability of occurrence is severity or criticality of occurrence. Assessing criticality is the third step in risk assessment. Criticality is first considered on a single event or occurrence basis. For events with established frequency or high recurrence probability, criticality also must be considered cumulatively. The criticality or loss impact can be measured in a variety of ways. One is effect on employee morale; another is effect on community relations. But the most useful measure overall is financial cost. Because the money measure is common to all ventures, even government and not-for-profit enterprises, the seriousness of security vulnerability can be grasped most easily if stated in monetary terms.

Due to space constraints, Buildings is unable to provide a complete excerpt of the Appendix II to ASIS' General Security Risk Assessment Guideline. It is extremely important, therefore, for facilities professionals reading this article to access the complete document, which offers in-depth information on how to take this Risk Assessment to its optimum level. Buildings thanks ASIS International for its permission in excerpting part of this valuable resource. © ASIS International, General Security Risk Assessment Guideline.

ASIS International (ASIS) is the preeminent organization for security professionals, with more than 33,000 members worldwide. Founded in 1955, ASIS is dedicated to increasing the effectiveness and productivity of security professionals by developing educational programs and materials that address broad security interests, such as the ASIS Annual Seminar and Exhibits, as well as specific security topics. ASIS also advocates the role and value of the security management professional to business, the media, government entities, and the public. By providing members and the security community with access to a full range of programs and services, and by publishing the security industry's No. 1 magazine - Security Management - ASIS leads the way for advanced and improved security performance.

From a facilities professional's point of view, this brief look at ASIS' General Security Risk Assessment Guideline is just a glimpse into a broad topic, which ASIS International admirably addresses. Find out more by accessing: (www.asisonline.org).