Risk Analysis and Security Countermeasure Selection

When properly conducted, risk analysis enlightens, informs, and illuminates, helping management organize their thinking into properly prioritized, cost-effective action. Poor analysis, on the other hand, usually results in vague programs with no clear direction and no metrics for measurement. Although there is plenty of information on risk analysis, it is rare to find a book that explains this highly complex subject with such startling clarity. Very few, if any, focus on the art of critical thinking and how to best apply it to the task of risk analysis. The first comprehensive resource to explain how to evaluate the appropriateness of countermeasures, from a cost-effectiveness perspective, Risk Analysis and Security Countermeasure Selection details the entire risk analysis process in language that is easy to understand. It guides readers from basic principles to complex processes in a step-by-step fashion, evaluating DHS–approved risk assessment methods, including CARVER, API/NPRA, RAMCAP, and various Sandia methodologies. Using numerous case illustrations, the text clearly explains the five core principles of the risk analysis lifecycle—determining assets, threats, vulnerabilities, risks, and countermeasures. It also supplies readers with a completely adaptable graphic risk analysis tool that is simple to use, can be applied in public or private industries, and works with all DHS–approved methods. This reader-friendly guide provides the tools and insight needed to effectively analyze risks and secure facilities in a broad range of industries, including DHS designated critical infrastructure in the chemical, transportation, energy, telecommunications, and public health sectors.

Table of Contents:
SECTION I: RISK ANALYSIS Risk Analysis—The Basis for Appropriate and Economical Countermeasures Critical Thinking Qualitative versus Quantitative Analysis Theory, Practice, and Tools Organization Risk Analysis Basics and the Department of Homeland Security–Approved Risk Analysis Methods Risk Analysis for Facilities and Structures Many Interested Stakeholders and Agendas Commercially Available Software Tools Risk Analysis Basics Risk Assessment Steps Which Methodology to Use? Risk Analysis Skills and Tools Skill #1: Gathering Data Skill #2: Research and Evidence Gathering Skill #3: Critical Thinking in the Risk Analysis Process Skill #4: Quantitative Analysis Skill #5: Qualitative Analysis Skill #6: Countermeasures Selection Skill #7: Report Writing Critical Thinking and the Risk Analysis Process Overview of Critical Thinking The Importance of Critical Thinking Analysis Requires Critical Thinking The Eight Elements that make up the Thinking Process The Concepts, Goals, Principles, and Elements of Critical Thinking Pseudo-Critical Thinking Intellectual Traits The Importance of Integrating Critical Thinking into Everyday Thinking Applying Critical Thinking to Risk Analysis More about Critical Thinking The Root of Problems Asset Characterization and Identification Theory Practice Tools Criticality and Consequence Analysis Twofold Approach Criticality Consequence Analysis Building your Own Criticality/Consequences Matrix Criticality/Consequence Matrix Instructions Threat Analysis Theory Practice Tools Assessing Vulnerability Review of Vulnerability Assessment Model Define Scenarios and Evaluate Specific Consequences Evaluate Vulnerability Estimating Probability Resources for Likelihood Criminal versus Terrorism Likelihood Resources Criminal Incident Likelihood Estimates The Risk Analysis Process Diagram Analysis Asset Target Value Matrices Probability Summary Matrix Vulnerability Components Prioritizing Risk Prioritization Criteria Natural Prioritization (Prioritizing By Formula) Prioritization of Risk Communicating Priorities Effectively Best Practices Ranking Risk Results SECTION II: POLICY DEVELOPMENT BEFORE COUNTERMEASURES Security Policy Introduction The Hierarchy of Security Program Development What are Policies, Standards, Guidelines, and Procedures? Security Policy and Countermeasure Goals Theory The Role of Policies in the Security Program The Role of Countermeasures in the Security Program Why Should Policies Precede Countermeasures? Security Policy Goals Security Countermeasure Goals Policy Support for Countermeasures Key Policies Developing Effective Security Policies Process for Developing and Introducing Security Policies Policy Requirements Basic Security Policies Security Policy Implementation Guidelines Regulatory-Driven Policies Nonregulatory-Driven Policies SECTION III: COUNTERMEASURE SELECTION Countermeasure Goals and Strategies Countermeasure Objectives, Goals, and Strategies Access Control Deterrence Detection Assessment Response (Including Delay) Evidence Gathering Comply with the Business Culture of the Organization Minimize Impediments to Normal Business Operations Safe and Secure Environment Design Programs to Mitigate possible Harm from Hazards and Threat Actors Types of Countermeasures Baseline Security Program Specific Countermeasures Countermeasures Selection Basics No-Tech Elements Countermeasure Selection and Budgeting Tools The Challenge Countermeasure Effectiveness Functions of Countermeasures Countermeasure Effectiveness Metrics Helping Decision Makers Reach Consensus on Countermeasure Alternatives Helping Decision Makers Reach Consensus on Countermeasure Alternatives Security Effectiveness Metrics Theory Sandia Model A Useful Commercial Model What kind of Information Do We Need to Evaluate to Determine Security Program Effectiveness? What Kind of Metrics Can Help Us Analyze Security Program Effectiveness? Cost-Effectiveness Metrics What Are the Limitations of Cost-Effectiveness Metrics? What Metrics Can Be Used to Determine Cost-Effectiveness? Communicating Priorities Effectively Basis of Argument Complete Cost-Effectiveness Matrix Complete Cost-Effectiveness Matrix Elements Writing Effective Reports The Comprehensive Risk Analysis Report Countermeasures Report Supplements Each chapter begins with an "Introduction" and ends with a "Summary"

About the Author :
Protection Partners International, Houston, TX USA & Beirut, Lebanon

Review :
! by following the guidance laid out in this detailed book, security managers can do it themselves with software that's probably already on their office computers: Microsoft Excel. ! There is no doubt that Norman himself spent considerable time devising the process, which he presents in the book. He provides step-by-step lists for building various matrices ! definitely a book for the advanced security practitioner. ! it outlined an excellent methodology and is well worth the effort required to read it and work through the process outlined by the author. -- Glen Kitteringham, CPP, President of Kitteringham Security Group Inc., in Security Management, January 2011