Security risk assessment – How to guide

Security risk assessment – how to guide – takes you through how to do a security risk assessment / threat assessment, step by step. A security risk assessment forms part of a business's security plan, an essential exercise for any business that wants to protect its people, reputation, assets and revenue.

A security risk assessment is likely to be a requirement of Martyn's Law, which will require an enhanced terrorism risk assessment. For demonstration purposes we're going to focus our security risk assessment on terrorism. However, the UK government has more risk management templates and examples.


Security risk assessment step 1 Assets

List assets you want to protect. For example, people, buildings, equipment etc.

Security risk assessment step 2 Threats

List threats to those assets. For example, natural, cyber and human-made attacks and incidents.

Rate each threat with a likelihood score from 1 to 5, where 1 is very low and 5 is very high.

Security risk assessment step 3 Vulnerabilities

What makes your assets vulnerable to these attacks / incidents? For example, a building (asset) on a floodplain (threat) may have good water protection and therefore be invulnerable.

Rate vulnerability from 1 to 5.

Security risk assessment step 4 Risk status

Multiply each threat by vulnerability. For example, if the threat of flood is very high (5) but the building's vulnerability is very low (1), then the risk status = 5.

Security risk assessment step 5 Impact

List the impact of these risks on the business. Some risks are tolerable, others can threaten the viability of the business.

Security risk assessment step 6 Measures

Suggest security counter measures for those risks the business cannot accept / tolerate. Add a rough budget for each counter measure. For example, CCTV £100k.

1. Assets

The first step in building a security risk assessment is to identify your assets. An asset has value or a use. Assets can be categorised as:

  • People
  • Site/facility
  • Vehicles
  • Information

In addition, one may consider intangible assets such as reputation. However, because our focus is a terrorist security risk assessment, we'll only consider people as our asset.

2. Threats

Threats can be categorised under three headings. 

Natural disasters, for example:

  • Flood
  • Heatwave
  • Landslide

Cyber attacks, for example:

  • Denial of service
  • Ransomware

Physical attacks, for example:

  • Breaches
  • Unauthorised visitors
  • Theft

Terrorist threats

For our risk assessment, we can use the Protect UK website to identify the most likely types of terrorist attack on people. These are:

  1. Marauding attacker (carrying a firearm, blade or other weapon)
  2. Vehicle as a weapon (primarily road vehicles but could be rail, shipping, aircraft such as drones)
  3. Improvised Explosive Devices (which can be carried, placed, posted, vehicle borne)
  4. Fire as a weapon
  5. Chemical, biological or radiological attacks (poisoning or other harm by chemical, biological or radiological means)
  6. Cyber-attack (when used to harm people, through controlling or disabling equipment or other devices and endangering safety).

3. Vulnerability

Step three considers an asset’s vulnerability to a threat. This can be driven by many different factors. For example, its profile, value and symbolism. In addition, we need to consider vulnerabilities not just in a location but around it, in the vicinity.

A good way to get a fix on threats in a vicinity is to use publicly available data, such as crime statistics. There are some free websites (and SIRV) that can help with this; to find them, check out our crime data ultimate guide for risk managers.

Vulnerability to a terrorist attack

Our terrorist security risk assessment looks at terrorist threats to people, and people's vulnerability to threats changes according to where they are. For example:

  • People in attendance
  • Pedestrian access
  • Public transport

We've taken each of these headings and gone into some detail on the vulnerability of people to a terrorist attack at a public space.

Security risk assessment template in Excel

Example: Vulnerability of people to a terrorist attack at a public space

Pedestrian access

  • Congestion (possible person-borne IED, active shooter incidents)
  • Attack from surrounding structures

People in attendance

  • Specific event and presence of VIPs
  • Size of facility / public space
  • Adjacent public spaces
  • Importance (consequences if the public space is attacked)
  • Site symbolism (for example cultural, religious, ideological, historical, economic)
  • Access road congestion
  • Access to large / heavy vehicles
  • Accessibility (free, access control, pedestrian, vehicles etc.)
  • Alternative access / exit roads
  • Entry flows (tunnels, shuttles, narrow lanes)
  • Parking and transport facilities
  • Vicinity of parking / transport to the public space

Public transport

  • Types of public transport
  • Crowd vulnerability to attacks outside the protected perimeter
  • Crowds at entry and exit points outside of the public space
  • Open access to public places to re-channel crowd flow
  • Electronically operated equipment (lifts, mobile barriers, etc.)
  • Emergency exits
  • Entry / exit points
  • Position of access control to deter crowds
  • Access control breach
  • Other buildings / structures in proximity
  • Structural resilience
  • Possible fragments from collapse of structures
  • Protection from drone attacks
  • Shelter from a possible shooting / vehicle ramming attack

4. Risk status in security risk assessment

Risk status is a result of both threat and vulnerability. In other words, we find the risk status by rating threats and vulnerabilities and then multiplying them together. For example, when we drive a car, a crash with another car is a threat. If we consider a crash highly likely, we give it a threat score of 5 out of 5 (5 highest, 1 lowest). But if we drive a super tough, invulnerable car, we give it a vulnerability score of 1 out of 5. Therefore, the risk of a car crash is 5 (threat) x 1 (vulnerability) = 5.

For our purposes, a terrorist attack on people in a public space, we may use the following ratings:

Vulnerability rating

Security risk assessment - Risk matrix vulnerability:

  1. Highly resistant and robust against threat
  2. Resistant and robust to identified threat(s)
  3. Resistant to threats but with some weakness
  4. Limited resistance to the threats
  5. Little or no resistance to threats

Threat rating

Security risk assessment - Risk matrix threat:

  1. No information available indicates this is likely.
  2. No information available indicates there are individuals likely to commit this kind of attack / crime / event. There is nothing to suggest the UK or this site may be a target for this kind of attack / crime / event.
  3. Information is available to indicate individuals may commit this kind of attack / crime / event. Limited information suggests the UK or site may be a target for this kind of attack / crime / event.
  4. Information is available to indicate there are current lone actors / groups willing and able to commit this kind of attack / crime / event. There is general information to suggest the UK or site may be a target for this kind of attack / crime / event.
  5. Information is available to indicate there are current lone actors / groups willing and able to commit this kind of attack / crime / event. There is specific information to suggest the UK or site may be a target for this kind of attack / crime / event.

Threat x Vulnerability: Example

Next, we make our risk status calculation. In our terrorist security risk assessment example we will consider the size of the public space and the presence of very important people (VIPs). For example, let's consider that the location is a small theatre with a capacity of only 200 people, but assume there will be very high profile VIPs in attendance.

Threats

We consider the first five terrorist attack types to be applicable:

  1. Marauding attacker (carrying a firearm, blade or other weapon)
  2. Vehicle as a weapon (primarily road vehicles but could be rail, shipping, aircraft such as drones)
  3. Improvised Explosive Devices (which can be carried, placed, posted, vehicle borne)
  4. Fire as a weapon
  5. CBRN: Chemical, biological or radiological attacks (poisoning or other harm by chemical, biological or radiological means)

How might these impact a small venue? Let's say no information is available to indicate that any of the above attacks is likely. Therefore, the threat rating is 1.

How do these impact VIPs in attendance? Let's say specific information indicates these people may be a target for an attack using all of the above attack types except CBRN. Therefore, the threat rating is 5.

Vulnerability

How vulnerable is the small venue? Very high resistance and robustness against threats. Therefore, the vulnerability rating is 1.

How vulnerable are the VIPs? Very high resistance and robustness against threats (personal security detail in attendance). Therefore, the vulnerability rating is 1.

Overall, our risk status is:

VIPs: 5 x 1 = 5 out of a possible 25. Therefore, the risk status is very low.

Size of facility 1 x 1 = 5 out of a possible 25. Therefore, the risk status is very low.
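As an added example that is not part of the original guide, the following Python risk register applies the six steps above: assets and threats, 1 to 5 ratings for threat and vulnerability, risk status as their product out of 25, and counter measures with a rough budget for the risks the business does not tolerate. It uses the guide's worked values for the VIPs and the venue; the banding thresholds and the third register entry are assumptions constructed for the example.

```python
"""Risk register for the six-step method: threat x vulnerability out of 25."""
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str                 # step 1
    threat: str                # step 2
    threat_rating: int         # step 2: likelihood, 1 (very low) to 5 (very high)
    vulnerability_rating: int  # step 3: 1 (highly resistant) to 5 (no resistance)
    impact: str = ""           # step 5: effect on the business
    counter_measure: str = ""  # step 6
    budget_gbp: int = 0        # step 6: rough budget

    def __post_init__(self) -> None:
        for rating in (self.threat_rating, self.vulnerability_rating):
            if rating not in range(1, 6):
                raise ValueError(f"ratings must be 1-5, got {rating}")

    @property
    def status(self) -> int:
        """Step 4: risk status = threat x vulnerability, maximum 25."""
        return self.threat_rating * self.vulnerability_rating


# Assumed banding of a score out of 25; the guide itself only labels 5 as "very low".
BANDS = ((5, "very low"), (10, "low"), (15, "medium"), (20, "high"), (25, "very high"))

def band(status: int) -> str:
    return next(label for limit, label in BANDS if status <= limit)

def intolerable(risks: list[Risk], tolerance: int) -> list[Risk]:
    """Steps 5 and 6: risks above the business's tolerance, highest status first."""
    return sorted((r for r in risks if r.status > tolerance),
                  key=lambda r: r.status, reverse=True)

# The guide's worked example (VIPs 5 x 1, venue 1 x 1) plus one constructed entry
# so that the tolerance filter has something to report.
EXAMPLE_REGISTER = [
    Risk("VIPs in attendance", "Marauding attacker", 5, 1,
         "Casualties, event cancelled", "Personal security detail"),
    Risk("Small venue (200 capacity)", "Marauding attacker", 1, 1),
    Risk("Audience queuing at entrance", "Vehicle as a weapon", 3, 4,  # constructed
         "Casualties, closure, reputational harm", "Bollards at entrance", 50_000),
]

if __name__ == "__main__":
    for r in intolerable(EXAMPLE_REGISTER, tolerance=5):
        print(f"{r.asset} / {r.threat}: {r.status}/25 ({band(r.status)}) "
              f"-> {r.counter_measure}, roughly £{r.budget_gbp:,}")
```

Running the block lists only the constructed entry (12 out of 25), since both of the guide's own entries sit at or below a tolerance of 5.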

This is how our risk status calculation would look:

Risk impact for terrorist attack: Threat rating

5. Impact of those risks on business

The impact of risks on a business should be carefully considered and discussed. Risks can impact businesses in different ways and sometimes in ways we cannot foretell. For example, in 1991 the founder of Ratners, a multi-billion dollar jewellery chain, gave a speech at the Institute of Directors and said his product was 'crap'. As a result, by 1992 the business as we knew it had gone bust. This is a great example of an intangible risk, with an impact on reputation, which no one foretold.

Impact of terrorism on business in security risk assessment

There are multiple examples of terrorism impacting business, from financial impact to brand change. In our example, we consider the risk of an attack on VIPs to be 5 out of a possible 25 and therefore very low. However, if an attack were to take place, then we should note any possible business impact.

6. Need for security counter measure to address those risks

The need for security counter measures to address risks needs to be seen in the context of the site's resources. A site may have some risks that it cannot afford to address with expensive security counter measures, in which case some other low-cost measures may be necessary.

Typical security counter measures for physical risks may include:

  • Gates
  • Bollards
  • Locks
  • Alarms
  • Fences
  • CCTV cameras
  • Anti-drone measures
  • Access control system
  • Security guards
  • Visitor control
  • Parking control
  • Training
  • Policies and procedures

Terrorism counter measures

For our terrorist example, if we follow Martyn's Law's requirement for an enhanced terrorism risk assessment, then the counter measures below may meet Martyn's Law requirements.

Training:

  • Terrorism awareness
  • Suspicious activity recognition
  • Emergency response procedure
  • First Aid and trauma response
  • Communication protocols
  • Use of security equipment
  • De-escalation techniques
  • Legal and compliance aspects

Public awareness and communication:

i) Communication before an incident

  • Public awareness: For example, signs about safe escape routes.
  • Security culture promotion: For example, encourage the public to report suspicious activity (read about how 2017 Manchester Arena bombing attacker was challenged).
  • Broadcast information: For example, use various channels like social media, websites, brochures and mass communication systems.

ii) Communication during an incident

  • Clear and timely information: For example, prompt messages about the type of incident, with regular updates.
  • Use multiple channels such as, social media, text alerts and public address systems
  • Coordination with authorities such as emergency services and local council

iii) Communication after an incident

  • Update the public about the situation, areas to avoid and when it is safe to return to normal activities.
  • Support and resources available such as counselling or assistance centres.
  • Feedback and learning with the public to gather feedback on the effectiveness of the communication and the overall response.

Procedures:

  • Alert the emergency services;
  • Alert persons at, or in the immediate vicinity of, the premises or event;
  • Evacuation of persons from the premises or event, where it is safe and appropriate to do so;
  • Bring persons in the immediate vicinity of the premises or event into the premises or event, where it is safe and appropriate to do so;
  • Secure the premises or event, where it is safe and appropriate to do so.

To help manage all these counter measures, situational awareness software may be a good option.

Summary

A security risk assessment is an important risk reduction exercise which risk managers are expected to have as a core competency. If you would like to take your security risk assessment to the next level and make it dynamic and daily, get in touch.   
