Metrics and Methods for Security Risk Management

Carl S. Young

ELSEVIER
AMSTERDAM, BOSTON, HEIDELBERG, LONDON, NEW YORK, OXFORD, PARIS, SAN DIEGO, SAN FRANCISCO, SINGAPORE, SYDNEY, TOKYO

Syngress is an imprint of Elsevier

Table of Contents

About the Author
Foreword
Preface
Acknowledgments

PART I THE STRUCTURE OF SECURITY RISK

CHAPTER 1 Security Threats and Risk
  1.1 Introduction to Security Risk or Tales of the Psychotic Squirrel and the Sociable Shark
  1.2 The Fundamental Expression of Security Risk
  1.3 Introduction to Security Risk Models and Security Risk Mitigation
  1.4 Summary

CHAPTER 2 The Fundamentals of Security Risk Measurements
  2.1 Introduction
  2.2 Linearity and Non-linearity
  2.3 Exponents, Logarithms and Sensitivity to Change
  2.4 The Exponential Function e^x
  2.5 The Decibel (db)
  2.6 Security Risk and the Concept of Scale
  2.7 Some Common Physical Models in Security Risk
  2.8 Visualizing Security Risk
  2.9 An Example: Guarding Costs
  2.10 Summary

CHAPTER 3 Risk Measurements and Security Programs
  3.1 Introduction
  3.2 The Security Risk Assessment Process
    3.2.1 Unique Threats
    3.2.2 Motivating Security Risk Mitigation: The Five Commandments of Corporate Security
    3.2.3 Security Risk Models
  3.3 Managing Security Risk
    3.3.1 The Security Risk Mitigation Process
    3.3.2 Security Risk Standards
  3.4 Security Risk Audits
  3.5 Security Risk Program Frameworks
  3.6 Summary

PART II MEASURING AND MITIGATING SECURITY RISK

CHAPTER 4 Measuring the Likelihood Component of Security Risk
  4.1 Introduction
  4.2 Likelihood or Potential for Risk?
  4.3 Estimating the Likelihood of Randomly Occurring Security Incidents
  4.4 Estimating The Potential for Biased Security Incidents
  4.5 Averages and Deviations
  4.6 Actuarial Approaches to Security Risk
  4.7 Randomness, Loss, and Expectation Value
  4.8 Financial Risk
  4.9 Summary

CHAPTER 5 Measuring the Vulnerability Component of Security Risk
  5.1 Introduction
  5.2 Vulnerability to Information Loss through Unauthorized Signal Detection
    5.2.1 Energy, Waves and Information
    5.2.2 Introduction to Acoustic Energy and Audible Information
    5.2.3 Transmission of Audible Information and Vulnerability to Conversation-Level Overhears
    5.2.4 Audible Information and the Effects of Intervening Structures
    5.2.5 Introduction to Electromagnetic Energy and Vulnerability to Signal Detection
    5.2.6 Electromagnetic Energy and the Effects of Intervening Structures
    5.2.7 Vulnerability to Information Loss through Unauthorized Signal Detection: A Checklist
  5.3 Vulnerability to Explosive Threats
    5.3.1 Explosive Parameters
    5.3.2 Confidence Limits and Explosive Vulnerability
  5.4 A Theory of Vulnerability to Computer Network Infections
  5.5 Biological, Chemical and Radiological Weapons
    5.5.1 Introduction
    5.5.2 Vulnerability to Radiological Dispersion Devices
    5.5.3 Vulnerability to Biological Threats
    5.5.4 Vulnerability to External Contaminants; Bypassing Building Filtration
    5.5.5 Vulnerability to Chemical Threats
  5.6 The Visual Compromise of Information
  5.7 Summary

CHAPTER 6 Mitigating Security Risk: Reducing Vulnerability
  6.1 Introduction
  6.2 Audible Signals
    6.2.1 Acoustic Barriers
    6.2.2 Sound Reflection
    6.2.3 Sound Absorption
  6.3 Electromagnetic Signals
    6.3.1 Electromagnetic Shielding
    6.3.2 Intra-Building Electromagnetic Signal Propagation
    6.3.3 Inter-Building Electromagnetic Signal Propagation
    6.3.4 Non-Point Source Electromagnetic Radiation
  6.4 Vehicle-borne Explosive Threats: Barriers and Bollards
  6.5 Explosive Threats
  6.6 Radiological Threats
  6.7 Biological Threats
    6.7.1 Particulate Filtering
    6.7.2 Ultraviolet Germicidal Irradiation (UVGI)
    6.7.3 Combining UVGI with Particulate Filtering
    6.7.4 More Risk Mitigation for Biological Threats
    6.7.5 Relative Effectiveness of Influenza Mitigation
  6.8 Mitigating the Risk of Chemical Threats (briefly noted)
  6.9 Guidelines on Reducing the Vulnerability to Non-Traditional Threats in Commercial Facilities
  6.10 Commercial Technical Surveillance Countermeasures (TSCM)
  6.11 Electromagnetic Pulse (EMP) Weapons
  6.12 Summary

Epilogue
Appendix A
Appendix B
Appendix C
Appendix D
Appendix E
Appendix F
Appendix G
Appendix H
Index