Risk Analysis and Security Surveys

The flashcards below were created by user GalacticChaos on FreezingBlue Flashcards.

  1. TERM:  Risk Management
    A method to identify precisely the risks and all probable effects those risks will have on the person or organization being protected...
  2. Risk cannot be eliminated, but it can be ______________.
  3. Three Categories of Risk:
    • Personnel (Human Assets)
    • Property (Material Assets)
    • Liability (Legalities)
  4. Common risks for the business industry include:
    • Natural Catastrophe
    • Industrial Disasters
    • Civil Disturbances
    • International and Domestic Terrorism
    • Criminality
    • Conflict of Interests
    • Major Plant Disasters
  5. Types of Risk Management:
    • Risk Avoidance (elimination of risks)
    • Risk Assumption (organization liable for loss)
    • Risk Reduction (Taking action to reduce loss)
    • Risk Spreading (Multiple Sites/Asset Distribution)
    • Risk Transfer (Insurance)

    *Any combination of the above
  6. Steps to follow in Risk Management:
    • Identification of risks and vulnerabilities
    • Analysis and Study of risks (degree of danger)
    • Optimizing risk management alternatives
    • Ongoing study of security programs
  7. I-
    TERM:  Risk Analysis
    Management tool used to proceed logically through a process that allows management to identify what it will accept in terms of actual loss.
  8. The Six steps of Risk Analysis (in specific order):
    • Identify Assets
    • Identify Threats and Risks
    • Quantify Probabilities of an Event
    • Determine Impact of an Event
    • Mitigation Measures
    • Repeat Process
  9. II-
    Risk Analysis
    • Uses a Rational and Orderly approach
    • Provides comprehensive solutions to problem identification/probability determination
    • Estimates potential loss
    • Must be performed periodically
    • Should be incorporated into the design of the facility
    • Is typically more costly the first time conducted
    • Must have resources available to accomplish the task (on notice)
  10. III-
    Role of Management in Risk Analysis
    • Must support and communicate support
    • Must delineate purpose and define scope
    • Must select a qualified team
    • Review findings
    • Prioritize recommendations for implementation
    • Determine when risk analysis should be repeated (in the future)
  11. Measuring risk must include two components:
    • 1- Expressing frequency of occurrence or probability
    • 2- Expressing potential cost
  12. TERM:  Probability
    Study of the possibility of occurrence
  13. Sources to determine probability:
    • Historical Data
    • Intelligence analysis and sharing
    • News media
    • Industry associations and societies
    • Observation and personal experience
    • Commercial tools
  14. Crimes requiring a specific measurement of risk:
    • Homicide
    • Rape
    • Robbery
    • Aggravated Assault
    • Burglary
    • Larceny
    • Car Theft
  15. TERM:  ALE
    • Annual
    • Loss
    • Expectancy
  16. Risk Equation
    • R=  Risk to the facility of an adversary gaining access to assets
    • PA= Probability of an Adversary attack during a period of time
    • PE= Probability of System Effectiveness
  17. Countermeasures VS Threats
    Countermeasures are determined by the adversary and the threat
  18. Consequence Matrix:
    • More often expressed in qualitative terms such as HIGH, MEDIUM and LOW rather than quantitative terms.
    • (1-3 Low, 4-6 Medium, 7-10 High)
  19. During a cost analysis, "criticality" must be assessed.  Three methods to assess criticality include:
    • Prevention
    • Control
    • Recovery
  20. Cost Benefit Summary:
    • Cost (Acquisition, Operational and Replacement Cost)
    • Reliability (Demonstration, Inspection, Installation, Final Payment)
    • Delay (How long before full operational readiness)
  21. Decision Matrix:
    • Simplified technique using high, medium and low calculations
    • Considers frequency and severity
    • Provides a general picture (not detailed)
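    As an added worked example (not part of the flashcards and not code from their author), the Python below puts cards 15, 16, 18, 20 and 21 together as a small risk-scoring tool: it computes ALE, applies the R = PA x (1 - PE) x C physical-protection risk equation, maps 1-10 consequence scores to the Low/Medium/High bands, combines frequency and severity in a High/Medium/Low decision matrix, ranks assets so management can prioritize mitigation, and runs a cost-benefit check on a countermeasure. Assumptions, also labelled in the code: ALE is taken as SLE x ARO (the card only expands the acronym), the consequence term C is the standard Sandia/DOE form of the equation and is not spelled out on card 16, the 3x3 decision matrix is one conventional choice, and the sample assets are constructed.

```python
"""Risk-scoring helpers for physical-security risk analysis.

Added example, not from the flashcards' author.  Assumptions:
  * ALE = SLE x ARO (single loss expectancy x annualized rate of
    occurrence); the card only expands the acronym ALE.
  * R = PA x (1 - PE) x C is the standard Sandia/DOE risk equation;
    the card names R, PA and PE, the consequence term C (0..1) is assumed.
  * The 3x3 decision matrix below is one conventional choice.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

LOW, MEDIUM, HIGH = "Low", "Medium", "High"


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE: cost of one loss event (SLE) times expected events per year (ARO)."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


def facility_risk(pa: float, pe: float, consequence: float) -> float:
    """R = PA x (1 - PE) x C.

    pa: probability an adversary attacks during the period.
    pe: probability the protection system is effective (detect, delay,
        respond before the adversary reaches the asset), so 1 - PE is the
        chance the attack succeeds.
    consequence: consequence C normalised to 0..1 (assumed term).
    """
    for name, p in (("PA", pa), ("PE", pe), ("C", consequence)):
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"{name} must be in [0, 1], got {p}")
    return pa * (1.0 - pe) * consequence


def band(score: int) -> str:
    """Consequence matrix bands from the card: 1-3 Low, 4-6 Medium, 7-10 High."""
    if not 1 <= score <= 10:
        raise ValueError("score must be 1..10")
    if score <= 3:
        return LOW
    if score <= 6:
        return MEDIUM
    return HIGH


# Decision matrix: (frequency, severity) -> overall rating.  Constructed
# 3x3 table; the card only says it uses H/M/L and considers both factors.
DECISION: Dict[Tuple[str, str], str] = {
    (LOW, LOW): LOW,       (LOW, MEDIUM): LOW,       (LOW, HIGH): MEDIUM,
    (MEDIUM, LOW): LOW,    (MEDIUM, MEDIUM): MEDIUM, (MEDIUM, HIGH): HIGH,
    (HIGH, LOW): MEDIUM,   (HIGH, MEDIUM): HIGH,     (HIGH, HIGH): HIGH,
}


def decision_rating(frequency: str, severity: str) -> str:
    return DECISION[(frequency, severity)]


@dataclass
class Asset:
    name: str
    pa: float         # probability of attack in the planning period
    pe: float         # protection system effectiveness
    consequence: int  # 1..10 score from the consequence matrix


def rank_assets(assets: List[Asset]) -> List[Tuple[str, float, str]]:
    """(name, R, consequence band) sorted by R, highest first, so that
    recommendations can be prioritised for implementation."""
    rows = [(a.name, facility_risk(a.pa, a.pe, a.consequence / 10.0), band(a.consequence))
            for a in assets]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def countermeasure_justified(ale_before: float, ale_after: float, annual_cost: float) -> bool:
    """Cost-benefit: the measure is worth funding if the ALE it removes
    exceeds its annualised (acquisition + operational + replacement) cost."""
    return (ale_before - ale_after) > annual_cost


# Constructed sample input, not real survey data.
SAMPLE_ASSETS = [
    Asset("server room", pa=0.20, pe=0.90, consequence=9),
    Asset("loading dock", pa=0.60, pe=0.40, consequence=5),
    Asset("visitor lobby", pa=0.80, pe=0.70, consequence=2),
]

if __name__ == "__main__":
    for name, r, c in rank_assets(SAMPLE_ASSETS):
        print(f"{name:14s} R={r:.3f} consequence={c}")
    print("ALE:", annual_loss_expectancy(sle=50_000, aro=0.5))
    print("decision:", decision_rating(HIGH, MEDIUM))
```

    Note that the well-protected server room (PE = 0.9) ranks last despite its High consequence band, while the loading dock with weak protection ranks first: the equation rewards raising PE, which is where the countermeasure budget should go.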
  22. TERM:  VSAT
    Vulnerability Self Assessment Tool
  23. The Vulnerability Self Assessment Tool (VSAT) has 11 Steps:
    • 1-    Identify Assets
    • 2-    Identify Threats
    • 3-    Determine criticality
    • 4-    Identify existing countermeasures
    • 5-    Determine risk levels
    • 6-    Determine probability of failure
    • 7-    Assign vulnerability
    • 8-    Determine if risk is acceptable
    • 9-    Develop new countermeasures
    • 10-  Perform risk-cost analysis
    • 11-  Develop a business continuity plan
  24. TERM:  CARVER Method

    (Attacker's point of view)
    • Criticality
    • Accessibility
    • Recoverability
    • Vulnerability
    • Effects
    • Recognizability
  25. TERM:  CARVER + Shock Method

    (Attacker's point of view)
    • Criticality
    • Accessibility
    • Recoverability
    • Vulnerability
    • Effects
    • Recognizability
    • +
    • Shock (Psychological Effects)
  26. The Goal of RISK MANAGEMENT
    Spend the least amount of money possible
  27. The goal of RISK MANAGEMENT is:
    To  help decision makers spend the available funds most effectively.
  28. What is a "Security Survey"?
    Documents used to identify risk.
  29. What are the purposes for a "Security Survey"?
    • 1-  Identify factors affecting premises/operations
    • 2-  Provide recommendations to mitigate risk or improve security
  30. What are some benefits of conducting a "Security Survey"?
    • Access Control policies and procedures
    • Lock and Key Control
    • Guard or Response Force capabilities
    • Security technology review
    • Workplace violence policies
    • Personnel security controls
    • Emergency disaster and recovery plans
  31. What is checked during a "Preliminary Security Survey"?
    • What is the operation?
    • Who/What is responsible for the operation?
    • Why is it done?
    • How is the operation accomplished?
  32. The initial interview in a "Security Survey" should include:
    Major Problem Areas

    What the survey will accomplish with regard to these Major Problem Areas
  33. What does "Field Work" determine?
    • What is
    • VS
    • What should be
  34. "Field Work" normally takes the form of:
    • Observing
    • Questioning
    • Analyzing
    • Verifying
    • Investigating
    • Evaluating
  35. Security surveys should not include...?
Card Set: Risk Analysis and Security Surveys
Understand the physical security process and identify vulnerabilities