Security risk assessment – How to guide
Security risk assessment – how to guide – takes you through how to do a security risk assessment / threat assessment, step by step. A security risk assessment forms part of a business’s security plan, an essential exercise for any business that wants to protect its people, reputation, assets and revenue.
Video transcript: How to write a security risk assessment
Introduction to how to write a security risk assessment
I’m going to be taking you through the next six steps on how to write a security risk assessment.
Now, before we get into this video, you may be wondering whether or not it is for you. Well, it’s intended for you whether you are a novice or an experienced practitioner, looking after a small business or a large enterprise. The intention is for this video to have some value for you.
The six steps that we follow need to be done in sequence. That means we need to go through each step before we begin the next step, and the six steps are over there.
We look at:
- Assets,
- threats to those assets,
- the vulnerability of those assets to those threats, which then gives us a calculation that we call the
- risk status,
- we then think about the impact of an event happening,
- and finally we consider whether any measures, any countermeasures, are required to help mitigate or eliminate those risks altogether.
1. Assets
So let’s start then by considering number one, assets. What are our assets? Let’s identify them and list them down. Now I have been relatively helpful here by listing some typical asset types. Number one in any organization, I would say, is people. And for me, I would put myself down at the top as the most important asset in any organization. Why wouldn’t you? So the first consideration is probably around people. Then we think about other asset types which are physical. These could be things like equipment or buildings. And then we have other assets which are intangible, things like information and reputation.
2. Threats
Now let’s think about number two, threats. Broadly speaking, assets face three different kinds of threats. Number one, natural disasters. These could be anything from a tsunami to a flood. Number two, cyber attacks, things such as denial of service. And number three, physical attacks. And very often people think about physical attacks as things such as terrorist incidents. So let’s then look at the idea of terrorist incidents and their impact on people, the asset type of people.
3. Vulnerability
And let’s give it some context. Let’s say we are running a public venue and we are considering the threat type of terrorism to our asset type, people. That is our vulnerability: what is the vulnerability of our people to a terrorist attack in a public venue? Here we have an image of a public venue mock-up, and there are three different kinds of context we might want to think about in the public venue. Number one, who is in attendance? For example, if you have royalty or some sort of VIP, the likelihood is they will attract a greater likelihood of a terrorist attack. Or it could be you just have a huge number of people in one place, which makes it more attractive for a terrorist attack. Then we have the consideration of pedestrian access: how people get in and out of our public venue. And finally, we could well have a public venue which has access to public transport nearby. That could be trams, it could be buses, it could well be rail.
Let’s drill down further then and look at the idea that we have a public venue, and let’s look at the vulnerability of people in a public transport venue. So let’s look at a railway station. What are the typical kinds of vulnerabilities we could think about? They could be things like a drone attack: a terrorist might use a drone to land on our railway station, or they could actually launch a drone attack from the roof of the railway station. It could well be the access and egress points that are particularly vulnerable to terrorist attacks. It could well be that we have large quantities of people gathering outside the railway station, or that the railway station itself, the structure, is particularly vulnerable or attractive to terrorist attacks.
4. Risk Status
Let’s consider then our risk status. We’ve thought about our assets, and we’ve thought about how vulnerable they are to a terrorist attack. How do we come up with this concept of a risk status? Risk status is, put simply, vulnerability multiplied by threat. And we do this by giving each kind of asset vulnerability a weighting against a threat type, which we also give a weighting.
So the lowest score we can give is number one, which means, for example, something is highly resistant to a terrorist attack; or perhaps we give it a score of number five, which means it’s got really no resistance to a terrorist attack. And equally we give a terrorist attack a weighting from one to five. Number one: no information indicates a terrorist attack at all. Number five: there is specific information of a terrorist attack.
Risk Status and railway station
Let’s briefly revisit our railway station and focus on one particular vulnerability, which is structure. So let’s consider our structure at the railway station, and let’s say the structure is super tough, it has very high resistance, and there is no information whatsoever out there suggesting that a terrorist attack is likely on our structure. We would then do a bit of math and give ourselves this formula: high resistance, therefore the number one; no information whatsoever about a terrorist attack, therefore give that a value of number one. One times one gives us one. So this then means that the structure at our railway station has a super low likelihood and a risk status of really low, number one.
And we then think about that in this context. We have all of these different possibilities, and we would say that the structure sits there in the very low bracket, the category low, zero to five. An attack is highly unlikely on our structure. And you see here how we would then moderate, increase and graduate as the risk increases; we give it all of these different statuses, so for example substantial, severe and critical. Depending on the risk appetite of the organisation, they may want to do something about those particular risks.
Okay, so far so good. We have gone through assets, we’ve gone through threats, we’ve looked at vulnerabilities and we’ve looked at risk status. We only have two more steps to go: that is to look at the impact, what if an attack such as a terrorist attack did happen, and finally what measures we could put in place to counter the likelihood of that attack.
5. Impact
Let’s look then at impact. We would need to list down what would be the impact of an event occurring. So a really easy way of doing that is to consider the impact on our:
- Operations,
- the legal impact
- financial impact
- strategic impact and
- reputation impact of any event occurring.
Things such as terrorist events obviously have a very big impact on reputation, while the operational impact could be quite minor: it could be just a lone wolf stabbing somebody, which is obviously a terrible thing to happen, but nonetheless operationally this is a lot less severe than perhaps a building being blown up. But you might find that the reputation of your organization is so damaged that it has an impact on the operational viability of your venue, because nobody turns up any more to visit your venue.
So one really easy way to consider impact is to go through these five different headings.
6. Counter measures
Finally we think about countermeasures. It might well be that some of our risk statuses are high and therefore we need to put in place some countermeasures. Typical countermeasures that people may put in place:
- Anti drone
- security officers
- CCTV
- SIRV
- Barriers perhaps to stop crowds gathering in certain areas or being exposed to the railway line et cetera.
That is countermeasures. And that is all six steps that we need to go through to be able to put together a security risk assessment.
If you have found this particular video useful, be sure to leave a comment and possibly get in touch, and remember that one of the things that we do here at SIRV is bring these together and bring them to life. So in other words, on a day-to-day basis the threats and the assets can be changed, and it means you have a dynamic security risk assessment in place. If you’ve got this far, well done, and thank you for watching. Goodbye.
A security risk assessment is likely to be a requirement of Martyn’s Law which will need an enhanced terrorism risk assessment. For demonstration purposes we’re going to focus our security risk assessment on terrorism. However, the UK government have more risk management templates and examples.
Security risk assessment’s 6 steps
A security risk assessment / threat assessment, should consider:
- Assets
- Threats – to those assets
- Vulnerabilities – of those assets
- Risk status
- Impact on business of those risks
- Measures – Need for security counter measures to address those risks
List assets you want to protect. For example, people, buildings, equipment etc.
List threats to those assets. For example, natural, cyber and human-made attacks and incidents.
Rate each threat with a likelihood score from 1 to 5. 1 is very low and 5 is very high.
What makes your assets vulnerable to these attacks / incidents? For example, a building (asset) on a floodplain (threat) may have good water protection and therefore be invulnerable.
Rate vulnerability from 1 to 5.
Multiply each threat by vulnerability. For example, if the threat of flood is very high (5), but the building vulnerability is very low (1) then the risk status = 5
List the impact of these risks on the business. Some risks are tolerable, others can threaten the viability of the business.
Suggest security counter measures for those risks the business cannot accept / tolerate. Add a rough budget for each counter measure. For example, CCTV £100k.
1. Assets
The first step in building a security risk assessment is to identify your assets. An asset has value or a use. Assets can be categorised as:
- People
- Site/facility
- Vehicles
- Information
In addition, one may consider intangible assets such as, reputation. However, because our focus is a terrorist security risk assessment we’ll only consider people as our asset.
2. Threats
Threats can be categorised under three headings.
Natural disasters, for example:
- Flood
- Heatwave
- Landslide
Cyber attacks, for example:
- Denial of service
- Ransomware
Physical attacks, for example:
- Breaches
- Unauthorised visitors
- Theft
Terrorist threats
For our risk assessment, we can use the Protect UK website to identify the most likely types of terrorist attack on people, these are:
- Marauding attacker (carrying a firearm, blade or other weapon)
- Vehicle as a weapon (primarily road vehicles but could be rail, shipping, aircraft such as drones)
- Improvised Explosive Devices (which can be carried, placed, posted, vehicle borne)
- Fire as a weapon
- Chemical, biological or radiological attacks (poisoning or other harm by chemical, biological or radiological means)
- Cyber-attack (when used to harm people, through controlling or disabling equipment or other devices and endangering safety).
3. Vulnerability
Step three considers an asset’s vulnerability to a threat. This can be driven by many different factors. For example, its profile, value and symbolism. In addition, we need to consider vulnerabilities not just in a location but around it, in the vicinity.
A good way to get a fix on threats in a vicinity is to use publicly available data, such as crime statistics. There are some free websites (and SIRV) that can help with this; to find these, check out our crime data ultimate guide for risk managers.
Vulnerability to a terrorist attack
Our terrorist security risk assessment looks at terrorist threats to people. And, people’s vulnerability to threats changes according to where they are. For example:
- People in attendance
- Pedestrian access
- Public transport
We’ve taken each of these headings and gone into some detail on the vulnerability of people to a terrorist attack at a public space.
Security risk assessment template in Excel
Example: Vulnerability of people to a terrorist attack at a public space
Pedestrian access
- Congestion (possible person-borne IED, active shooter incidents)
- Attack from surrounding structures
People in attendance
- Specific event and presence of VIPs
- Size of facility / public space
- Adjacent public spaces
- Importance (consequences if the public space is attacked)
- Site symbolism (for example cultural, religious, ideological, historical, economic)
- Access road congestion
- Access to large / heavy vehicles
- Accessibility (free, access control, pedestrian, vehicles etc.)
- Alternative access / exit roads
- Entry flows (tunnels, shuttles, narrow lanes)
- Parking and transport facilities
- Vicinity of parking / transport to the public space
Public transport
- Types of public transport
- Crowds’ vulnerability to attacks outside the protected perimeter
- Crowds at entry and exit points outside of the public space
- Open access to public places to re-channel crowd flow
- Electronically operated equipment (lifts, mobile barriers, etc.)
- Emergency exits
- Entry / exit points
- Position of access control to deter crowds
- Access control breach
- Other buildings/structures in proximity
- Structural resilience
- Possible fragments from collapse of structures
- Protection from drone attacks
- Shelter from a possible shooting / vehicle ramming attack
4. Risk status in security risk assessment
Risk status is a result of both threat and vulnerability. In other words, we find the risk status by rating threats and vulnerabilities and then multiplying them together. For example, when we drive a car, a crash with another car is a threat. If we consider a crash highly likely we give it a threat score of 5 out of 5 (5 highest, 1 lowest). But if we drive a super tough, invulnerable car, we give it a vulnerability score of 1 out of 5. Therefore, the risk of a car crash is 5 (threat) x 1 (vulnerability) = 5.
For our purposes, a terrorist attack on people in a public space, we may use the following ratings:
Vulnerability rating
Threat rating
Threat x Vulnerability: Example
Next, we make our risk impact calculation. In our terrorist security risk assessment example we will consider the size of the public space and the presence of very important people (VIPs). For example, let’s consider that the location is a small theatre with a capacity of only 200 people, but assume there will be very high-profile VIPs in attendance.
Threats
We consider the first five terrorist attack types are applicable:
- Marauding attacker (carrying a firearm, blade or other weapon)
- Vehicle as a weapon (primarily road vehicles but could be rail, shipping, aircraft such as drones)
- Improvised Explosive Devices (which can be carried, placed, posted, vehicle borne)
- Fire as a weapon
- CBRN: Chemical, biological or radiological attacks (poisoning or other harm by chemical, biological or radiological means)
How may these impact a small venue? Let’s say no available information indicates any of the above attacks are likely. Therefore, the threat rating is 1.
How do these impact VIPs in attendance? Let’s say specific information indicates these people may be a target for an attack using all the above attack types but CBRN. Therefore, the threat rating is 5.
Vulnerability
How vulnerable is the small venue? Very high resistance and robust against threats. Therefore, vulnerability rating is 1.
How vulnerable are the VIPs? Very high resistance and robust against threats (personal security detail in attendance). Therefore, vulnerability rating is 1.
Overall, our risk status is:
VIPs 5 x 1 = 5 out of a possible 25. Therefore, the risk status is very low.
Size of facility 1 x 1 = 5 out of a possible 25. Therefore, the risk status is very low.
This is how our risk status calculation would look:
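Putting the six steps together in code, as an added example that is not part of the article and not SIRV’s software: a small risk register that scores each asset/threat pair as threat × vulnerability on the article’s 1–5 scales, maps the score onto the named statuses, and totals a rough countermeasure budget for anything above the organisation’s tolerance. The band boundaries (very low 1–5, low 6–10, substantial 11–15, severe 16–20, critical 21–25) and the tolerance of 10 are assumptions chosen for illustration; the article fixes only 0–5 as very low and names the other statuses without cut-offs. The first two register entries reproduce the article’s VIP (5 × 1) and small-venue (1 × 1) cases; the third entry and all budget figures are constructed.

```python
"""Six-step security risk register: threat x vulnerability scoring with status bands.

Added example (not from the article or SIRV). Ratings follow the article's scales:
threat 1 = no information indicates an attack, 5 = specific information of an attack;
vulnerability 1 = very high resistance, 5 = no resistance.
"""
from dataclasses import dataclass, field

# ASSUMED band boundaries for a score out of 25 (inclusive upper limits). The article
# fixes only 0-5 as "very low" and names the other statuses; the cut-offs are ours.
STATUS_BANDS = [(5, "very low"), (10, "low"), (15, "substantial"), (20, "severe"), (25, "critical")]

# ASSUMED risk appetite: any score above this needs a countermeasure (step 6).
TOLERANCE = 10

# The article's five impact headings (step 5).
IMPACT_HEADINGS = ("operations", "legal", "financial", "strategic", "reputation")


def risk_status(threat: int, vulnerability: int) -> int:
    """Step 4: risk status = threat rating x vulnerability rating, each 1-5."""
    for name, value in (("threat", threat), ("vulnerability", vulnerability)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} rating must be between 1 and 5, got {value}")
    return threat * vulnerability


def status_band(score: int) -> str:
    """Map a 1-25 score onto the named statuses using the assumed STATUS_BANDS."""
    for upper, name in STATUS_BANDS:
        if score <= upper:
            return name
    raise ValueError(f"score out of range: {score}")


@dataclass
class RiskEntry:
    asset: str                                           # step 1
    threat: str                                          # step 2
    threat_rating: int                                   # step 2 likelihood, 1-5
    vulnerability_rating: int                            # step 3, 1-5
    impacts: dict = field(default_factory=dict)          # step 5: heading -> note
    countermeasures: list = field(default_factory=list)  # step 6: (name, rough budget in GBP)

    @property
    def score(self) -> int:
        return risk_status(self.threat_rating, self.vulnerability_rating)

    @property
    def band(self) -> str:
        return status_band(self.score)

    def unassessed_impacts(self) -> list:
        """Impact headings the assessor has not yet written anything against."""
        return [h for h in IMPACT_HEADINGS if h not in self.impacts]


def build_register(entries, tolerance=TOLERANCE) -> list:
    """Return register rows sorted from highest to lowest risk status.

    A row is flagged needs_countermeasure when its score exceeds the tolerance,
    and the rough budget of its listed countermeasures is totalled.
    """
    rows = []
    for e in sorted(entries, key=lambda e: e.score, reverse=True):
        rows.append({
            "asset": e.asset,
            "threat": e.threat,
            "score": e.score,
            "band": e.band,
            "needs_countermeasure": e.score > tolerance,
            "budget_gbp": sum(cost for _, cost in e.countermeasures),
            "unassessed_impacts": e.unassessed_impacts(),
        })
    return rows


def countermeasure_budget(register) -> int:
    """Total rough budget for rows above tolerance (the ones that must be addressed)."""
    return sum(r["budget_gbp"] for r in register if r["needs_countermeasure"])


# Constructed entries: the first two reproduce the article's worked example (VIPs 5x1,
# venue structure 1x1); the third is invented to show an entry that breaches tolerance.
EXAMPLE_ENTRIES = [
    RiskEntry("VIPs in attendance", "marauding attacker", 5, 1,
              impacts={"reputation": "severe", "operations": "minor"}),
    RiskEntry("Small venue structure (200 seats)", "vehicle-borne IED", 1, 1),
    RiskEntry("Crowds queuing outside the perimeter", "vehicle as a weapon", 4, 4,
              impacts={h: "high" for h in IMPACT_HEADINGS},
              countermeasures=[("bollards", 60_000), ("queue barriers", 15_000)]),
]

if __name__ == "__main__":
    register = build_register(EXAMPLE_ENTRIES)
    for row in register:
        flag = "ACT" if row["needs_countermeasure"] else "ok "
        print(f"{flag} {row['score']:>2}/25 {row['band']:<12} {row['asset']} <- {row['threat']}")
    print("countermeasure budget for risks above tolerance: GBP", countermeasure_budget(register))
```

Run as a script it prints the register highest risk first: the constructed crowd entry scores 16 (severe) and is flagged for action with a £75k budget, the VIP entry scores 5 (very low) and the venue structure 1 × 1 = 1 (very low). The `unassessed_impacts` list is there so a reviewer can see which of the five impact headings still need a decision before the entry is signed off.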
5. Impact of those risks on business
The impact of risks on a business should be carefully considered and discussed. Risks can impact businesses in different ways and sometimes in ways we cannot foretell. For example, in 1991 the founder of Ratners, a multi-billion dollar jewellery chain gave a speech at the Institute of Directors and said his product was ‘crap’. As a result, by 1992 the business as we knew it had gone bust. This is a great example of an intangible risk with an impact on reputation, which no one foretold.
Impact of terrorism on business in security risk assessment
There are multiple examples of terrorism impacting business. From the financial impact to brand change. In our example, we consider the risk of an attack to VIPs to be 5 out of a possible 25 and therefore very low. However, if an attack were to take place then we should note any possible business impact.
6. Need for security counter measure to address those risks
The need for security counter measures to address risks needs to be seen in the context of the site’s resources. It’s possible a site has some risks that it cannot afford to address with expensive security counter measures. In which case, it’s likely some other low cost measures may be necessary.
Typical security counter measures for physical risks may include:
- Gates
- Bollards
- Locks
- Alarms
- Fences
- CCTV cameras
- Anti-drone measures
- Access control system
- Security guards
- Visitor control
- Parking control
- Training
- Policies and procedures
Terrorism counter measures
For our terrorist example, if we follow Martyn’s Law’s requirement for an enhanced terrorism risk assessment, then the below counter measures may meet Martyn’s Law requirements.
Training:
- Terrorism awareness
- Suspicious activity recognition
- Emergency response procedure
- First Aid and trauma response
- Communication protocols
- Use of security equipment
- De-escalation techniques
- Legal and compliance aspects
Public awareness and communication:
i) Communication before an incident
- Public awareness: For example, signs about safe escape routes.
- Security culture promotion: For example, encourage the public to report suspicious activity (read about how 2017 Manchester Arena bombing attacker was challenged).
- Broadcast information: For example, use various channels like social media, websites, brochures and mass communication systems.
ii) Communication during an incident
- Clear and timely information: For example, prompt messages about the type of incident with regular updates.
- Use multiple channels such as, social media, text alerts and public address systems
- Coordination with authorities such as emergency services and local council
iii) Communication after an incident
- Update the public about the situation, areas to avoid and when it is safe to return to normal activities.
- Support and resources available such as counselling or assistance centres.
- Feedback and learning with the public to gather feedback on the effectiveness of the communication and the overall response.
Procedures:
- Alert the emergency services;
- Alert persons at, or in the immediate vicinity of, the premises or event;
- Evacuation of persons from the premises or event, where it is safe and appropriate to do so;
- Bring persons in the immediate vicinity of the premises or event into the premises or event, where it is safe and appropriate to do so;
- Secure the premises or event, where it is safe and appropriate to do so.
To help manage all these counter measures situation awareness software may be a good option.
Summary
A security risk assessment is an important risk reduction exercise which risk managers are expected to have as a core competency. If you would like to take your security risk assessment to the next level and make it dynamic and daily, get in touch.