Security Risk Assessment And Control

by msecadm4921

Author: Tony Burns-Howell, Pierre Cordier and Therese Eriksson


Review date: 29/02/2024


Publisher: Perpetuity Press, hardback, 101 pages, ISBN 1 899287 66 3. Ring 0116 221 7778, visit


Year of publication: 11/09/2012


Among the authors of a new guide to risk is a man who, behind the scenes, is playing rather a crucial role in the future of the private security industry.

Sometimes it’s much harder to write a short book than a long one. So let’s applaud Tony Burns-Howell and his co-authors for guiding us through the potentially treacle-like Security Risk Assessment and Control in a few dozen pages. Dr Burns-Howell is one of quite a rare breed of Britons equally at home in the police (a former Commander in the Met), private security (as a retail security director), academia (his doctorate is in crime and risk management) and consultancy (at Perpetuity Research and Consultancy International). He has worked with PRCI founder Prof Martin Gill on a sector skills strategy for the Security Industry Authority. All this makes Dr Burns-Howell a highly influential man. He draws on wide influences - his fellow authors are Pierre Cordier, a security consultant based in France, and Therese Eriksson, a social worker based in Sweden. He does not blind with science. Assessing risk, he repeats, should be done clearly and simply. He is practical. Assessing risk should underpin the business - whether to make a profit, or deliver a service. Hence there may be an ‘acceptable risk’ - depending on your organisation’s appetite for accepting risks, you may weigh the costs of protecting an asset as more than the cost of damage or loss. Hence, as the authors put it: “Security is no longer a ‘grudge purchase’; it makes a real and perceived contribution to the bottom line.”

Measurement contradiction

The authors do run up against a contradiction. They write: “It is a fundamental of this book that it is possible to use measurement during risk assessment and control. Thus, threats to specific vulnerabilities can be evaluated in terms of the severity or frequency of an attack being made.” However, the book then speaks of an evaluation - of access to an IT system - in terms of (among other things) motivation of an attacker, and his expertise and equipment. A hacker having a laugh poses a different threat to one out for blackmail. But how can you tell?

Assets check-lists

The book is good and short on how managers can check-list assets and set priorities. Keep it simple, the book stresses - give assets a rating of low (‘little impact’), medium, high or critical (‘lasting financial harm’) value. Yet some assets are easier to measure than others - how do you put a value on your brand reputation? This is not to criticise the book but to point (as the book does!) to the limit of our abilities. Information will be incomplete; the future is uncertain. However well managers brain-storm, the danger seems to be of letting the sheer number of risks overwhelm any multi-national’s risk assessment. How do you agree on the value of disposal of waste across countries? The risk of power cuts, civil unrest holding up deliveries? As the book says, you have to retain focus. Be realistic. Bother more about protecting your mainframe computer (critical) than the risk of some dictator nationalising one of your contractors.

The authors are also alive to the real business world. Yes, use scenarios of how for instance laptops could be stolen - “however: if significant weaknesses are identified and publicised, the discussion becomes a blueprint for crime.” To get your counter-measure approved, and in the budget, you need cost-benefit analysis. The authors say: “It is most generally accepted that the cost of controlling any risk should not exceed the maximum loss associated with that risk.” An example given is of a ratio of spend to potential loss (sum assured) of 1:10, while for capital investment the return on investment is sought within five years, or three years with electronic technology. The security manager then has the choice of removing risk (changing the way you do things), sharing or passing on risk (with suppliers or insurers) or controlling, even accepting risk (guards will fall asleep).

The book goes into some detail with a case study of a night-club suffering from fighting and disorder outside. Did the owner pay police £1,000 a week (£100 an hour for two officers and one police van), install CCTV, move the exit onto the main road to increase natural surveillance, or train door staff in ways to reduce violence? Or some or all? The owner had to balance profits against the nuisance and keeping police and the council on side.

Relevant read

The book could very easily have been so heavy as to endanger feet if dropped. The British Standard 7799 for information security management - that usefully does include IT affairs as well as physical security measures such as access control - is mentioned in two sentences when it could have taken up a chapter. This is a relevant read for those with security or risk in their titles - or on their plates - a guide for the inexperienced, and an aid to memory for the experienced, who can skip through it in, say, half an hour. At the risk of sounding like a broken record, like previous Perpetuity Press books this one’s price is rather steep - £25 for basically 62 pages plus a dozen pages of sample check-lists.



© 2024 Professional Security Magazine. All rights reserved.
