Integrated Systems: Life Without Insurance

August 1, 2006


Although the chance of a truck bombing or other major terrorist attack occurring at your enterprise is small, the consequences can be totally devastating in terms of loss of life, property and operations. With the federal government’s Terrorism Risk Insurance Act program (TRIA) expiring at the end of 2007, businesses will be exposed to potentially catastrophic losses, and insurance companies are expected to absorb only a modest amount of this risk.

Some knee-jerk reactions to this situation may include ignoring the terrorist threat or adding ad hoc security measures. Ignoring the threat by assuming that there is nothing that you can do is a highly risky decision. It places the long-term health of your business in jeopardy. While implementing security measures without performing a comprehensive risk assessment may calm nervous CEOs in the short term, ultimately impulsive, non-expert measures may not actually be effective. Or worse, the countermeasures may even increase the risk due to unintended consequences. How can this unquantifiable threat be managed in an effective way?

Managing risk

Traditionally, risk is managed through a combination of transfer, mitigation and retention.

A portion of the risk is transferred through insurance or alternatives, such as captives, hedge funds or securitization. Another part of the risk may be mitigated through effective countermeasures involving building structure, perimeter design, people flow or security detection systems. The remainder is retained through the use of cash, credit and assets to recover after an attack.

These three options may be optimized through a comprehensive risk assessment, which quantifies the overall risk as a Return on Investment (ROI) that may be directly compared to the ROI for other capital expenditures associated with the risk of natural hazards or other threats to business continuity. Some other benefits of a financially based risk assessment include:
  • reducing insurance premiums
  • due diligence in support of the sale of a property
  • support for loan requests from banks or government entities
  • funding prioritization for risk mitigation measures.

There are many ways that businesses may reduce the chances of attack by making the property a less attractive target. This can be done by making it more difficult to effectively execute an attack.

Options include limiting access to the property by increasing the distance between the building and public roads or parking areas, or making the location of a critical asset less obvious. Further, you would want to avoid placing VIPs in architecturally distinct areas of the building or announcing the location of critical areas through unnecessary signage.

Reducing the effect of an attack is not an all or nothing proposition.

Anti-terrorism experts can quantify the effectiveness of countermeasures, providing assessments of the potential damage to buildings and the associated injuries most likely to impact the people inside them. Although placing anti-ram barriers along a curb that is very close to a building may not seem very effective, a secured setback may mean the difference between a building collapsing and surviving a major truck bombing.

Likewise, many might place anti-shatter film on a building’s lower story windows to protect the people inside from injuries caused by a truck bomb attack. However, such injuries are most effectively reduced by placing anti-shatter film on all windows, with the greatest benefit to those furthest away from the explosion. Another solution requiring caution is the installation of blast resistant windows, which may impede firefighter emergency access.

In conclusion, by having a professional financial risk assessment of your property and operations, the risk associated with a major terrorist attack can be mitigated, enabling businesses to gain control of the terrorist threat.

SIDEBAR: Other Risk Analysis Methodologies

According to James F. Broder and Eugene Tucker, CPP, CFE, CBCP, in their book Risk Analysis and the Security Survey, 3rd Edition, Butterworth-Heinemann, a division of Elsevier, before Sept. 11, 2001, President Bill Clinton signed Presidential Directive 63, the Policy on Critical Infrastructure Protection. It identified eight (now 11) sectors of the economy considered critical to national security. Included are telecommunications, transportation, water supply, oil and gas production, banking and finance, electrical generation, emergency services and essential government functions. This directive, along with the Bio-terrorism Act and other implementing policies, assigned oversight of each function to a separate governmental agency. The protection of the water supply is the responsibility of the Environmental Protection Agency; the protection of the food supply is the responsibility of the Food and Drug Administration. These agencies are assigned the task of developing risk assessment and security protocols for the protection of the assets under their purview, with many using a different risk assessment methodology.

Many risk and vulnerability analysis methods exist. Although similar in nature, security professionals should be aware of the basics of these differing methodologies even if they are not involved directly in the function they assess.

VSAT

VSAT is an acronym for the “Vulnerability Self Assessment Tool,” and is both a methodology and software tool used to develop security systems capable of protecting specific targets from the acts of specific adversaries. As such, it can be considered a qualitatively based (asset-based) methodology. Its stated goals are to assess vulnerabilities, develop priorities based on the cost and feasibility of remediation, and determine potential solutions for the prioritized vulnerabilities. Although developed for water and wastewater systems, it can be used for assessing the vulnerability of other process-intensive systems. The software produces standardized reports and organizes the vulnerabilities into a color-coded threat matrix. The software also contains a library of typical water system assets, security threats, and countermeasures to help non-security professionals complete the analysis. It allows the user to modify and define additional threats and countermeasures.
  1. Identify assets
  2. Identify threats
  3. Determine criticality
  4. Identify existing countermeasures
  5. Determine risk level
  6. Determine the probability of failure
  7. Assign vulnerability
  8. Determine whether risk is acceptable
  9. Develop new countermeasures
  10. Perform risk-cost analysis
  11. Develop a business continuity plan
