This document summarizes a presentation on security risk management and asset protection given at the 6th Regional Professional Security Conference in Kuala Lumpur, Malaysia on June 17-18, 2008. The presentation covers basic concepts in security risk management, including definitions, the typical steps in the security risk management process, and options for treating risks. It emphasizes that security risk management is increasingly important given today's complex and interconnected world, where threats and vulnerabilities are influenced by global social, political, economic and technological changes and emerging technologies can introduce new vulnerabilities for criminals to exploit.
Srm And Asset Protection V1.0
1. Kuala Lumpur, June 17, 2008
Booz & Company
6th Regional Professional Security Conference, 17th & 18th June 2008, Kuala Lumpur, Malaysia
Security Risk Management & Asset Protection: Better Practices
Presented by Paul Curwell
2. Learning Objectives
Understand the basic concepts involved in Security Risk Management and how they can be applied to asset protection
Gain an appreciation of the range of methodologies available
Understand why and how specific methodologies are used
Understand the distinction between Security Risk Management activities conducted for systems and processes versus organisations
Understand the relationships between Security Risk Management and Business Continuity Management
Know where to go for further information
6th Regional Professional Security Conference, Kuala Lumpur
Booz & Company
1
SRM and Asset Protection v1.0.ppt
June 17, 2008
4. Introduction
5. Today, organisations face a new operating reality affecting the
safety, security and continuity of their business
Source: S. Sidoti, Booz & Company
6. Operational complexities have outpaced most operational risk
management practices
Source: S. Sidoti, Booz & Company
7. The result of these operational complexities, and the speed at
which they develop, can be referred to as the ‘resilience gap’
Source: S. Sidoti, Booz & Company
8. This resilience gap, and the move towards networked operating
models, presents new challenges for OpRisk management
Operational Risk Management involves numerous techniques which address both loss reduction and event avoidance
– Operational risks result from inadequate or failed internal processes, systems, people or from external events
– Examples of operational risks include technology risk, legal risk, security risk and compliance risk
Operational Risk is characterised by unpredictable, seemingly random events.
– This is because operational risks range from extremely common to extremely rare, such as 1:100 year and 1:1,000 year events
– For these types of risk, it is quite plausible that no data exists to calculate their magnitude or impact
Basel Committee Operational Risk Loss Event Groups1
1. Internal Fraud
2. External Fraud
3. Employment practices and workplace safety
4. Clients, products and business practices
5. Damage to physical assets
6. Business disruption and system failures
7. Execution, delivery and process management
1 Alvarez, G. (2002) "Operational Risk Event Classification"
9. Of particular concern in operational risk management is the
management of risks categorised as high impact, low probability
Because of their scarcity, high impact, low probability operational risks typically lack data on likelihood, detailed insights as to how they may develop, and what the implications may be
Low impact, low probability and low impact, high probability risks are typically more manageable because of the availability of data, enabling more informed risk-based decision making
Figure 1: Four categories of 'Operational Risk Event' (a matrix of Impact against Probability with the quadrants High Impact / Low Probability, High Impact / High Probability, Low Impact / Low Probability and Low Impact / High Probability)
10. Basic Principles
Definitions
Steps in Security Risk Management
Treating Security Risks
11. Security Risk Management Definitions
Risk: The chance of something happening that will have an impact upon objectives. Measured in terms of likelihood and consequence.
Vulnerability: Any weakness that can be exploited by an aggressor to make an asset susceptible to change.
Threat: Anything that has the potential to prevent or hinder the achievement of objectives or disrupt the processes that support them; a source of, or potential for harm to occur; a source of risk.
Consequence: The outcome of an event expressed qualitatively or quantitatively, being a loss, injury, disadvantage or gain. There may be a range of possible outcomes associated with an event.
Likelihood: Used as a general description of chance, probability or frequency of an event occurring.
Source: HB167:2006 ‘Security Risk Management’, Standards Australia
12. Step 1 in Security Risk Management process is developing a
comprehensive understanding of the business and its environment
Establish Context
The objective of establishing the context is to develop a comprehensive understanding of the business and its drivers
– This is critical to the identification, analysis, evaluation and treatment of risks
Think across the business, considering:
– Physical interactions (i.e. business to business, business to customer etc)
– Interactions which occur via an ICT interface
Understand the organisational structure
What are the key earnings drivers?
– Does a large proportion of the business revenue result from a small number of business activities?
Understand, and preferably map, process flows within the organisation
Identify and map critical interdependencies
Understand the organisation's strategic and operational objectives
Understand, and preferably map, the organisation's external networks and interdependencies
– This includes supply and distribution chains
13. Step 2, Risk Identification, aims to generate comprehensive
insights into risks facing the organisation
How could the risk happen?
– Sources of risk
Why could the risk happen?
– Causes of risk
– Presence or absence of risk treatments or controls designed to mitigate the risk
What could happen and what might the associated consequences be?
Where could the risk happen?
– Physical location
When could the risk happen?
– E.g. can the risk only occur at specific times?
Who could / must be involved in the specific risk event?
– E.g. individuals, business units, etc
Risk Identification Methods include:
– Checklists
– Professional Judgement
– Flowcharts
– Brainstorming
– Systems Analysis
– Scenario Analysis
– Groups of experts
– Modelling and simulation
– Fault tree analysis
– Event tree analysis
14. Step 3: Risk Analysis uses available information to determine an
event’s probability and the magnitude of its consequences (1/2)
Security Risk Analysis starts with an evaluation of a threat against a specific vulnerability. This evaluation is informed by two activities:
– Threat Assessment; and,
– Vulnerability Assessment
The approach used to perform a risk analysis is dependent upon the type of activity concerned.
– Security Risk Assessments on organisations typically utilise approaches which have a basis in security intelligence
– Security Risk Assessments on products or services (e.g. credit cards, pharmaceuticals, welfare payments) typically utilise systems and processes which lend themselves to system or process engineering risk methodologies
A Threat Assessment is concerned with identifying those events, aggressors, attackers or adversaries that can cause losses to organisational, community or individual assets1.
A Vulnerability Assessment considers how each of the credible threats (identified in the Threat Assessment) can be realised against each critical asset2.
1 HB167:2006 Security Risk Management
2 Ibid
15. Step 3: Risk Analysis uses available information to determine an
event’s probability and the magnitude of its consequences (2/2)
There are numerous risk assessment methodologies available.
– The analyst must determine which methodology is most appropriate
– The most appropriate model could be a hybrid which combines elements from different methodologies
Remember that no two risk assessment activities will be identical.
– The most important consideration when designing and/or selecting a risk assessment methodology is being able to justify the approach
– The approach must be reasonable and sufficiently robust to address potential legal issues, such as negligence and liability, in the event that a risk event arises
Selecting the Risk Analysis Methodology
Considerations for deciding which risk assessment methodology to use can include:
– Whether an organisation, process or system is under evaluation
– Desired outcomes or objectives
– Analyst familiarity with the techniques
– Regulatory requirements
– Existing practices within the organisation
– Cost-benefit analysis
– Availability of data (i.e. qualitative versus quantitative)
– Available timeframe to conduct the assessment activity
– Technical depth of the topic concerned
16. The Security Risk Management ‘equation’ illustrates how each
component combines to generate a risk, which is then treated1
Risk - Risk Treatment = Residual Risk
Risk = Likelihood x Consequence
  Likelihood = Threat x Vulnerability
    Threat = Intent + Capability
      Intent = Desire + Expectations
      Capability = Knowledge + Resources + Skills
    Vulnerability = Probability + Exposure
  Consequence: taken from the Criticality Assessment
1 HB167:2006 'Security Risk Management', Standards Australia
17. Step 4: Risk analysis concludes with each risk being rated so that
decisions can be made about risk treatment priorities
The purpose of risk evaluation is to group risks into three broad categories:
– Broadly Acceptable
– Tolerable (As Low As Reasonably Practicable)
– Intolerable (i.e. catastrophic risks)
The ALARP framework (figure not reproduced here) can help with deciding which risks require treatment, which can be ignored (left untreated), and to what extent.
Source: Security Risk Management Body of Knowledge
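A worked scoring of the HB167 'equation' and the three evaluation bands above, as an added example (Python written for this page, not code from the presentation or from HB167:2006). Every component is rated on an assumed 1 to 5 scale; Threat and Vulnerability are the sums of their components normalised to 0..1; Likelihood = Threat x Vulnerability; Consequence is the criticality rating normalised the same way; each treatment removes a stated fraction of likelihood or consequence, which gives the residual risk that is then placed in one of the three bands. The scale, the normalisation, the band thresholds (0.40 and 0.10), the adversary and asset ratings and the two control names are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Iterable

RATING_SCALE = range(1, 6)  # 1 = negligible ... 5 = extreme (assumed ordinal scale)
SCALE_MAX = RATING_SCALE[-1]

# ALARP bands applied to the normalised 0..1 risk score (assumed thresholds)
INTOLERABLE_AT = 0.40
BROADLY_ACCEPTABLE_BELOW = 0.10


def _rated(name: str, value: int) -> int:
    """Reject anything outside the 1..5 rating scale."""
    if value not in RATING_SCALE:
        raise ValueError(f"{name} must be rated 1..5, got {value!r}")
    return value


@dataclass(frozen=True)
class Threat:
    """Threat = Intent + Capability, with Intent = Desire + Expectations and
    Capability = Knowledge + Resources + Skills (the HB167 component names)."""
    desire: int
    expectations: int
    knowledge: int
    resources: int
    skills: int

    def __post_init__(self) -> None:
        for name in ("desire", "expectations", "knowledge", "resources", "skills"):
            _rated(name, getattr(self, name))

    @property
    def intent(self) -> int:
        return self.desire + self.expectations

    @property
    def capability(self) -> int:
        return self.knowledge + self.resources + self.skills

    def score(self) -> float:
        """Five 1..5 ratings added together and normalised to 0..1."""
        return (self.intent + self.capability) / (5 * SCALE_MAX)


@dataclass(frozen=True)
class Vulnerability:
    """Vulnerability = Probability + Exposure, normalised to 0..1."""
    probability: int
    exposure: int

    def __post_init__(self) -> None:
        _rated("probability", self.probability)
        _rated("exposure", self.exposure)

    def score(self) -> float:
        return (self.probability + self.exposure) / (2 * SCALE_MAX)


@dataclass(frozen=True)
class Treatment:
    """A control, described by the fraction of likelihood / consequence it removes."""
    name: str
    likelihood_reduction: float = 0.0
    consequence_reduction: float = 0.0

    def __post_init__(self) -> None:
        for name in ("likelihood_reduction", "consequence_reduction"):
            if not 0.0 <= getattr(self, name) <= 1.0:
                raise ValueError(f"{name} must be a fraction between 0 and 1")


def rate(score: float) -> str:
    """Place a 0..1 risk score in one of the three evaluation bands."""
    if score >= INTOLERABLE_AT:
        return "Intolerable"
    if score >= BROADLY_ACCEPTABLE_BELOW:
        return "Tolerable (ALARP)"
    return "Broadly acceptable"


def assess(threat: Threat, vulnerability: Vulnerability, criticality: int,
           treatments: Iterable[Treatment] = ()) -> dict:
    """Risk = Likelihood x Consequence, Likelihood = Threat x Vulnerability, Consequence
    from the criticality rating; Residual Risk = Risk less what the treatments remove."""
    likelihood = threat.score() * vulnerability.score()
    consequence = _rated("criticality", criticality) / SCALE_MAX
    risk = likelihood * consequence
    residual_likelihood, residual_consequence = likelihood, consequence
    for control in treatments:  # each control scales down what the previous ones left
        residual_likelihood *= 1.0 - control.likelihood_reduction
        residual_consequence *= 1.0 - control.consequence_reduction
    residual = residual_likelihood * residual_consequence
    return {"likelihood": likelihood, "consequence": consequence,
            "risk": risk, "rating": rate(risk),
            "residual_risk": residual, "residual_rating": rate(residual)}


def prioritise(register: dict) -> list:
    """Names of assessed risks ordered by residual risk, highest first."""
    return sorted(register, key=lambda name: register[name]["residual_risk"], reverse=True)


# Constructed worked case (not from the presentation): a capable, motivated adversary
# against an exposed, critical asset, before and after two hypothetical controls.
ADVERSARY = Threat(desire=4, expectations=3, knowledge=4, resources=3, skills=4)
EXPOSED_ASSET = Vulnerability(probability=4, exposure=4)
CONTROLS = (Treatment("network segmentation", likelihood_reduction=0.5),
            Treatment("offline backups", consequence_reduction=0.6))

if __name__ == "__main__":
    result = assess(ADVERSARY, EXPOSED_ASSET, criticality=5, treatments=CONTROLS)
    print(f"risk {result['risk']:.3f} ({result['rating']}) -> "
          f"residual {result['residual_risk']:.3f} ({result['residual_rating']})")
```

With the constructed ratings the untreated risk scores 0.576 (Intolerable); segmentation halves the likelihood and backups remove 60% of the consequence, leaving a residual of 0.115, which falls in the Tolerable (ALARP) band. Multiplying the fractions that each control leaves behind, rather than adding reductions, is deliberate: two controls that each remove half of the likelihood leave a quarter, not nothing, which is the behaviour a defensible scoring model needs.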
18. Example: A business’ annual revenue projections for the year are
$850K, and it has approximately $2.2m in owners equity1
Illustrative
• How many low impact losses might a company be able to tolerate?
• What impact might a series of loss events have on the business' operating position for the next financial year?
Figure: Likelihood (vertical axis) against total losses over a one year period (consequence; horizontal axis from $0 to $4.5m), annotated as follows:
– Risk Acceptance and Financing: risks up to $850K can be retained (i.e. absorbed by the firm through earnings)
– Risk Acceptance and Financing: risks resulting in losses over $850K, but under $2.2m, can be retained (losses can be absorbed by capital)
– Risk events resulting in losses over $3m cause a catastrophic loss (cannot be financed; not transferred)
1 Adapted from Bank for International Settlements (2003). "Operational Risk Transfer across the Financial Sectors"
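The two questions on the slide answered for the slide's business, as an added example (Python written for this page, not from the presentation or the BIS paper). It bands an aggregate annual loss into the retention tiers the slide gives (through earnings up to $850K, by capital up to $2.2m, catastrophic at $3m and above), runs a year's sequence of loss events through those tiers and reports where each tier is first crossed. The slide does not say how losses between $2.2m and $3m are financed, so the band between those two figures is an assumption of this example and is labelled only as being beyond retention capacity; the sequence of loss events is constructed.

```python
from dataclasses import dataclass
from typing import Sequence

# Financing bands: the first, second and fourth follow the slide; the third is assumed
EARNINGS = "retained: absorbed through earnings"
CAPITAL = "retained: absorbed by capital"
BEYOND_RETENTION = "beyond retention capacity"
CATASTROPHIC = "catastrophic: cannot be financed"


@dataclass(frozen=True)
class FinancingCapacity:
    annual_revenue: float    # the slide treats losses up to this as absorbable through earnings
    owners_equity: float     # losses up to this can be absorbed by capital
    catastrophic_at: float   # losses at or above this cannot be financed

    def __post_init__(self) -> None:
        if not 0 < self.annual_revenue <= self.owners_equity <= self.catastrophic_at:
            raise ValueError("expected 0 < revenue <= equity <= catastrophic threshold")

    def band(self, total_loss: float) -> str:
        """Which financing band an aggregate loss for the year falls into."""
        if total_loss < 0:
            raise ValueError("a loss cannot be negative")
        if total_loss <= self.annual_revenue:
            return EARNINGS
        if total_loss <= self.owners_equity:
            return CAPITAL
        if total_loss < self.catastrophic_at:
            return BEYOND_RETENTION
        return CATASTROPHIC

    def tolerable_events(self, loss_per_event: float) -> int:
        """How many equal-sized low-impact losses fit within one year's earnings."""
        if loss_per_event <= 0:
            raise ValueError("loss per event must be positive")
        return int(self.annual_revenue // loss_per_event)


def year_timeline(capacity: FinancingCapacity, losses: Sequence[float]) -> list:
    """Running total after each loss event in the year, with the band it lands in."""
    running, timeline = 0.0, []
    for loss in losses:
        if loss < 0:
            raise ValueError("a loss cannot be negative")
        running += loss
        timeline.append((running, capacity.band(running)))
    return timeline


def first_entered(timeline: list) -> dict:
    """Band -> 1-based event number at which the running total first reached it."""
    entered = {}
    for event_no, (_, band) in enumerate(timeline, start=1):
        entered.setdefault(band, event_no)
    return entered


# The slide's business, and a constructed sequence of loss events for one year
SAMPLE_CAPACITY = FinancingCapacity(annual_revenue=850_000, owners_equity=2_200_000,
                                    catastrophic_at=3_000_000)
SAMPLE_LOSSES = [120_000, 300_000, 500_000, 900_000, 700_000, 600_000]

if __name__ == "__main__":
    for total, band in year_timeline(SAMPLE_CAPACITY, SAMPLE_LOSSES):
        print(f"${total:>12,.0f}  {band}")
    print("tolerable $120K events per year:", SAMPLE_CAPACITY.tolerable_events(120_000))
```

The point the timeline makes is the one the slide's second question raises: no single event in the constructed year exceeds $900K, yet the third event already moves the business from earnings onto capital and the sixth takes the year's aggregate past the catastrophic threshold. Banding individual events in isolation would miss that.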
19. Step 5: Once an acceptable level of risk for the organisation has
been determined, four options are available to treat risk
Reduce the risk:
– Introduce controls to reduce the consequence or likelihood of the risk
Avoid the risk:
– Cease or change the activities which create the exposure to risk
Share the risk:
– Transfer part of the risk to a 3rd party, such as an insurer
Accept the risk
Risk Reduction: Optimum level of resourcing means balancing Cost of Security against Cost of Loss1
Ultimately, the cost of security measures used to manage risk exposure should not exceed the cost of the loss resulting from an event, or combination of critical events
Figure: cost ($) against Time, plotting Cost of Security and Cost of Loss; the point marked x is the optimum level of security resourcing
1 Source: Protection of Assets Manual – Security Vulnerability
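The cost-of-security versus cost-of-loss balance applied to a set of candidate resourcing levels, as an added example (Python written for this page, not from the presentation or the Protection of Assets Manual). It assumes each option can be described by an annual cost of security and the annualised cost of loss that remains at that level (likelihood times consequence); it applies the slide's rule that the cost of security should not exceed the cost of loss, and picks the justified option with the lowest combined cost, falling back to accepting the risk when nothing beats it. The option names and figures are constructed.

```python
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class ResourcingOption:
    """One candidate level of security resourcing, in annual figures."""
    name: str
    security_cost: float   # cost of the controls at this level
    expected_loss: float   # cost of loss remaining at this level (likelihood x consequence, annualised)

    def __post_init__(self) -> None:
        if self.security_cost < 0 or self.expected_loss < 0:
            raise ValueError("costs cannot be negative")

    @property
    def total_cost(self) -> float:
        return self.security_cost + self.expected_loss


def evaluate(baseline: ResourcingOption, options: Sequence[ResourcingOption]) -> list:
    """Cost-benefit rows for each option against the untreated baseline (accept the risk).
    'justified' applies the slide's rule: security cost must not exceed the cost of loss."""
    rows = []
    for option in options:
        averted = baseline.expected_loss - option.expected_loss
        rows.append({"name": option.name,
                     "total_cost": option.total_cost,
                     "loss_averted": averted,
                     "net_benefit": averted - option.security_cost,
                     "justified": option.security_cost <= baseline.expected_loss})
    return rows


def choose_optimum(baseline: ResourcingOption,
                   options: Sequence[ResourcingOption]) -> ResourcingOption:
    """The justified option with the lowest combined cost of security and remaining loss;
    the baseline is returned when no option improves on accepting the risk."""
    candidates = [baseline] + [o for o in options if o.security_cost <= baseline.expected_loss]
    return min(candidates, key=lambda o: o.total_cost)


# Constructed figures: doing nothing leaves an annualised loss of $900K; each option buys
# it down at an increasing price. Names and values are hypothetical.
BASELINE = ResourcingOption("accept the risk", security_cost=0, expected_loss=900_000)
OPTIONS = [
    ResourcingOption("basic controls", security_cost=100_000, expected_loss=450_000),
    ResourcingOption("enhanced controls", security_cost=300_000, expected_loss=200_000),
    ResourcingOption("comprehensive controls", security_cost=800_000, expected_loss=60_000),
    ResourcingOption("gold-plated controls", security_cost=1_000_000, expected_loss=40_000),
]

if __name__ == "__main__":
    for row in evaluate(BASELINE, OPTIONS):
        print(f"{row['name']:<24} total ${row['total_cost']:>10,.0f}  "
              f"net benefit ${row['net_benefit']:>10,.0f}  justified={row['justified']}")
    print("optimum:", choose_optimum(BASELINE, OPTIONS).name)
```

The gold-plated option is rejected outright because its security spend exceeds the loss it is protecting against; the comprehensive option passes that test but its combined cost is higher than the enhanced option's, which is the point the slide's curves make: past the optimum, every extra dollar of security averts less than a dollar of loss.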
20. Relevance
21. In our increasingly complex and interconnected world, security, and
by necessity security risk management, has never been so important
The dynamic nature of criminal activity poses significant challenges to both private industry and Law Enforcement in terms of keeping pace with change.
– Threats and vulnerabilities are a product of our global environment - social, political, economic, cultural and technological
Emerging technologies typically have a radical impact on our environment.
– They introduce additional complexity, making it hard to identify and manage vulnerabilities.
– They provide new avenues for criminals to exploit, and typically present a low risk, high reward opportunity due to delayed detection and response.
Many organizations fail to integrate security elements into new product development teams, meaning security is typically 'added on' rather than integrated into initial design concepts.
– This approach typically increases the cost of implementing security whilst decreasing its effectiveness
– This approach can also expose the organisation to unnecessary reputational risk
22. Security risks rapidly translate into catastrophic business
continuity risks, threatening an organisation’s future viability
Organisations are increasingly becoming interlinked, so one organisation's vulnerability flows on to others in the value chain.
– Many organizations fail to embed security risk management approaches across their business (horizontally and vertically) and throughout the supply chain.
– Where security risk management approaches are implemented, there are often inconsistent levels of protection
Factors such as increased technological innovation, competition, consumer demand, outsourcing and offshoring help accelerate the speed of business, impacting upon the timeframe companies have to identify and manage security risks
Security and Business Continuity Risks1 (Illustrative)
Year   Incident                                            Losses
1982   Johnson & Johnson: Product tampering (Tylenol I)    $150m
1986   Johnson & Johnson: Product tampering (Tylenol II)   $150m
1986   Sandoz: Fire and Pollution                          $85m
1988   Norco: Explosion and fire                           $706m
1988   Pan Am: Terrorism                                   $652m
1992   Commercial Union: Terrorism                         $2,170m
1 Knight and Pretty (2002). "Impact of Catastrophes on Shareholder Value", Sedgwick Oxford.
23. Case Studies
Case Study 1: Security Risk in Electronic Banking
Case Study 2: Security Risk Management in a Biotech Company
Case Study 3: Strategic Security Risk Management in Banking
24. Case Study: Security Risk in Electronic Banking
“Money Mules” are intermediaries, working between criminals who obtain funds illegitimately from bank customers (victims). Money mules are an essential element in the criminal transfer of money, including money laundering, with respect to the proceeds of online banking crime.
Money mules are typically recruited through seemingly legitimate employment opportunities. People typically work as money mules for secondary employment. Characteristically, one mule will recruit others from within their social network.
Mules must open bank accounts in their country of origin to transfer stolen funds to overseas criminal syndicates.
Money mules are a critical enabler as they are required to perpetrate online banking crimes across international borders.
Using analytical and GIS mapping techniques, we profiled the typical ‘mule’ in Australia. These profiles could then be integrated into fraud detection systems, providing additional monitoring for ‘high risk’ individuals (potential mules).
Key Consideration:
Approaches to Security Risk Management should not be limited to published standards. Often, complex risks cannot be addressed through ‘normal’ approaches.
25. Case Study: Security Risk Management in a Biotech Company
As knowledge-creating businesses, the majority of assets in a biotech company are intangible and therefore difficult to identify and protect. Many biotechnology companies are heavily engaged in R&D and also engage extensively with third parties through activities such as Joint Ventures.
A biotechnology company had entered into a joint venture with a vendor to commence trials on a new diagnostic test, with a view to taking the diagnostic to market.
Recognising the value of the potential opportunity, the vendor made a lucrative offer to hire the research team, unbeknownst to the research team's employer.
In the absence of any controls, the research team only partially documented their research outcomes. Less than three weeks after resigning, the research team had filed three separate patent applications.
Research documentation has a significant impact on the ability to obtain a patent, which is the best way of recovering these types of investments in R&D. This precluded the biotech from commercialising the diagnostic, pending a court hearing.
Key Consideration:
Security risks are often industry and organisation specific. Unless identified early, potentially catastrophic risks can easily be overlooked.
26. Case Study: Quantifying Strategic Security Risk in Banking
Financial Institutions, their customers and merchants represent lucrative targets for criminals. Conversely, law enforcement is typically required to provide a response to attacks against banks with little forewarning and inadequate time to understand the complex systems and environment.
Australia's banks and law enforcement agencies wanted to identify potential global technology-enabled financial crime [TEFC] (e.g. online banking fraud) hotspots.
Early warning of potential high-risk countries would enable the implementation of more stringent controls around banking platforms. This information could also be used by law enforcement with respect to international cooperation and training activities, especially in developing countries.
No previous attempts had been made to rank TEFC security risks in this manner.
By applying strategic intelligence techniques to a selection of key data indicators and using a scored and weighted algorithm, we were able to quantitatively rank every country in the world with respect to its TEFC risk status.
Key Consideration:
Common security risk management methodologies are not always suitable. Innovative or hybrid approaches may be utilised provided they are defensible.
28. Publicly available Security Risk Management resources include
standards, manuals, handbooks and other useful references
Standards
– AS/NZS 4360:2004 Risk Management
– BS7799 Information Security Management (ISO17799 and ISO27001)
– Malaysian Standard ICS 03.100 Business Continuity Management
– ISO/DIS 31000: Risk Management – Principles and guidelines on implementation (DRAFT)
Manuals, Handbooks and Guidelines
– Standards Australia - HB167:2006 Security Risk Management
– RMIA - Security Risk Management Body of Knowledge
– ASIS International Protection of Assets Manual
– US Coast Guard - Risk Based Decisions Manual (2nd Edition)
– ASIS International - General Guideline for Security Risk Assessment
Books
– Risk Analysis and the Security Survey (3rd Edition)
29. Numerous examples of Security Risk Management activities are
publicly available which can be used to tailor your approach
Illustrative
US Department of Energy - Vulnerability Assessment Methodology
US Department of Homeland Security - Vulnerability Assessment Methodologies Report 2003
BASF Security Vulnerability Assessment (SVA) Methodology & Enhanced Security Implementation Management
US Critical Infrastructure Assurance Office - Vulnerability Assessment Framework (1998)
UK Serious Organised Crime Agency - Threat Assessment of Serious / Organised Crime 2006/07
EU Organised Crime Threat Assessment 2007
30. Thank you for your participation.
Questions?
Paul Curwell
Booz & Company (Australia) Ltd.
Level 7, 12 Moore St
Canberra City ACT 2601
Australia
Tel +61 2 6279 1966
Mob +61 413 593 074
Fax +61 2 6279 1990
Paul.Curwell@booz.com