Risk Analysis and the Security Survey
Fourth Edition
James F. Broder
Eugene Tucker

ELSEVIER
Amsterdam, Boston, Heidelberg, London, New York, Oxford, Paris, San Diego, San Francisco, Singapore, Sydney, Tokyo
Butterworth-Heinemann is an imprint of Elsevier
Contents

About the Authors xv
Acknowledgments xvii
Introduction xix

Part 1. The Treatment and Analysis of Risk 1

1. Risk 3
    What Is Risk? 3
    What Is Risk Analysis? 4
    Risk Assessment 4
    Risk Exposure Assessment 6

2. Vulnerability and Threat Identification 9
    Risk Identification 9
    Examples of the Problems of Identification 11
    Security Checklist 12

3. Risk Measurement 21
    Cost Valuation and Frequency of Occurrence 21
    Principles of Probability 23
    Probability, Risk, and Security 25
    Estimating Frequency of Occurrence 27

4. Quantifying and Prioritizing Loss Potential 29
    Assessing Criticality or Severity 30
    The Decision Matrix 31
5. Cost/Benefit Analysis 33
    System Design Engineering 33
    Building Redundancy into the System 36
    A Security Countermeasure 37

6. Other Risk Analysis Methodologies 39
    National Infrastructure Protection Plan 40
    Review 44

7. The Security Survey: An Overview 45
    Why Are Security Surveys Needed? 45
    Who Needs Security Surveys? 46
    Attitude of Business Toward Security 48
    What Can a Security Survey Accomplish? 49
    Why the Need for a Security Professional? 50
    How Do You Sell Security? 50

8. Management Audit Techniques and the Preliminary Survey 53
    Audit Guide and Procedures 53
    The Preliminary Survey 58
    Summary 63

9. The Survey Report 69
    "I Must Write, Therefore I Shall" 69
    Five Criteria of Good Reporting 72
    Format 75
    Summary 78

10. Crime Prediction 79
    Analysis of Internal Crime 80
    Analysis of External Crime 81
    Inadequate Security 85
    How to Establish Notice 87
    Review 89

11. Determining Insurance Requirements 91
    Risk Management Defined 91
    Risk Control 92
    Crime Insurance 92
    K & R (Kidnap and Ransom) Coverage 94

Part 2. Emergency Management and Business Continuity Planning 99

12. Emergency Management: A Brief Introduction 101
    Comprehensive Emergency Management 101
    Standards 103
    Private Sector Preparedness Accreditation and Certification Program 104
    National Incident Management System (NIMS) 104
    The Incident Command System (ICS) 104
    Unified Command 109
    Emergency Operations Center 110
    Summary 112

13. Mitigation and Preparedness 113
    Mitigation 113
    Preparedness 130
    Summary 133

14. Response Planning 135
    Emergency Response Planning and Response Plans 136
    Emergency Response Team 139
    Emergency Procedures 141
    Summary 199

15. Business Impact Analysis 201
    Risk Analysis versus Business Impact Analysis 203
    Business Impact Analysis Methodology 204
    Other Questions for the Impact Analysis 214
    Resource Questionnaires and Forms 215
    Summary 221

16. Business Continuity Planning 223
    Why Plan? 224
    The Planning Process 225
    Project Management 226
    Summary 245

17. Plan Documentation 247
    Required Elements of the Plan 247
    Multihazard Functional Planning 248
    Plan Organization and Structure 249
    Summary 257

18. Crisis Management Planning for Kidnap, Ransom, and Extortion 259
    Threat Identification 261
    Plan Documentation 262
    Plan Activation 263
    Crisis Management Team 264
    Handling the Initial Contact 266
    Ransom Considerations 267
    Preventive Security 268
    Suggestions for Kidnapped Individuals 269
    Media Control 270
    Summary 271
    Bibliography 271

19. Monitoring Safeguards 273
    Monitoring or Testing the Existing System 273
    The Scientific Method 274
    Five Basic Types of Testing 274
    Avoid Predictable Failure 275
    Some Audit Guidelines 276
    Develop a Plan of Action 277

20. The Security Consultant 279
    In-House versus Outside Advice 279
    Why Use Outside Security Consultants? 281
    Security Proposals (Writing and Costing) 283
    Summary 288
    Evaluation of Proposals and Reports 288

Appendices 289

Appendix A. Security Survey Work Sheets 291
    General Questions before Starting a Survey 291
    Number of Employees 291
    Cafeteria 292
    Credit Union 292
    Custodial Service 292
    Company Store 292
    Petty Cash or Funds on Hand 293
    Classified Operations 293
    Theft Experience 293
    Some Reference Materials 303
    Annex A: Hospital Surveys 303
    Annex B: University and College Surveys 306

Appendix B. Sample Kidnap and Ransom Contingency Plan 309
    I. Introduction 309
    II. Basic Plan 309

Appendix C. Security Systems Specifications 323
    Introduction 323
    Example: Requirements Specification for an Integrated Electronic Security System 325
    Conclusion 327

Index 329