2nd Edition
Risk Analysis and Security Countermeasure Selection
This new edition of Risk Analysis and Security Countermeasure Selection presents updated case studies and introduces existing and new methodologies and technologies for addressing existing and future threats. It covers risk analysis methodologies approved by the U.S. Department of Homeland Security and shows how to apply them to other organizations, public and private. It also helps the reader understand which methodologies are best to use for a particular facility and demonstrates how to develop an efficient security system.
Drawing on over 35 years of experience in the security industry, Thomas L. Norman provides a single, comprehensive reference manual for risk analysis, countermeasure selection, and security program development. The security industry has a number of practitioners and consultants who lack appropriate training in risk analysis and whose services sometimes suffer from conflicts of interest that waste organizations’ money and time. Norman seeks to fill the void in risk analysis training for those security consultants, thereby reducing the resources organizations waste and the vulnerabilities they are left with. This book helps you find ways to minimize the cost and time spent analyzing and countering security threats.
Risk Analysis and Security Countermeasure Selection, Second Edition gives invaluable insight into the risk analysis process while showing how to use analyses to identify and create the most cost-efficient countermeasures. It leads you from a basic to an advanced level of understanding of the risk analysis process. The case studies illustrate how to put each theory into practice, including how to choose and implement countermeasures and how to create budgets that allow you to prioritize assets according to their relative risk and select appropriate countermeasures according to their cost-effectiveness.
Preface
Acknowledgments
Author
Risk Analysis: The Basis for Appropriate and Economical Countermeasures
For Students Using This Book in an Academic Environment
Introduction
Critical Thinking
Qualitative versus Quantitative Analysis
Theory, Practice, and Tools
Organization
Summary
References
Q&A
Risk Analysis Basics and DHS-Approved Risk Analysis Methods
Introduction
U.S. Department of Homeland Security Concerns
Risk Analysis for Facilities and Structures
Many Interested Stakeholders and Agendas
Commercially Available Software Tools
Risk Analysis Basics
Risk Assessment Steps
Which Methodology to Use?
Summary
References
Q&A
Risk Analysis Skills and Tools
Introduction
Security Risk Analysis Skills
Security Risk Analysis Tools
Summary
References
Q&A
Critical Thinking and the Risk Analysis Process
Introduction
Overview of Critical Thinking
Importance of Critical Thinking
Analysis Requires Critical Thinking
The Eight Elements That Make Up the Thinking Process
The Concepts, Goals, Principles, and Elements of Critical Thinking
Summary
References
Q&A
Asset Characterization and Identification
Introduction
Theory
Practice
Tools
Summary
Reference
Q&A
Criticality and Consequence Analysis
Introduction
Twofold Approach
Criticality versus Consequence
Criticality
Visualization
Consequence Analysis
Building Your Own Criticality/Consequences Matrix
Criticality/Consequence Matrix Instructions
Summary
Q&A
Threat Analysis
Introduction
Theory
Practice
Tools
Predictive Threat Assessment
Inductive versus Deductive Reasoning
Predictive Risk Example
Summary
References
Q&A
Assessing Vulnerability
Introduction
Review of Vulnerability Assessment Model
Define Scenarios and Evaluate Specific Consequences
Evaluate Vulnerability
Summary
References
Q&A
Estimating Probability
Introduction
Resources for Likelihood
Criminal versus Terrorism Likelihood Resources
Criminal Incident Likelihood Estimates
Summary
References
Q&A
Risk Analysis Process
Introduction
Objective
Complete Risk Analysis Process
Risk Analysis Process
Diagram Analysis
Asset Target Value Matrixes
Probability Summary Matrix
Vulnerability Components
Summary
Q&A
Prioritizing Risk
Introduction
Prioritization Criteria
Natural Prioritization (Prioritizing by Formula)
Prioritization of Risk
Communicating Priorities Effectively
Best Practices: Ranking Risk Results
Summary
Q&A
Security Policy Introduction
Introduction
Hierarchy of Security Program Development
What Are Policies, Standards, Guidelines, and Procedures?
Summary
Q&A
Security Policy and Countermeasure Goals
Introduction
Theory
Role of Policies in the Security Program
Role of Countermeasures in the Security Program
Why Should Policies Precede Countermeasures?
Security Policy Goals
Security Countermeasure Goals
Policy Support for Countermeasures
Key Policies
Summary
Q&A
Developing Effective Security Policies
Introduction
Process for Developing and Introducing Security Policies
Policy Requirements
Basic Security Policies
Security Policy Implementation Guidelines
Regulation-Driven Policies
Non-Regulation-Driven Policies
Summary
Q&A
Countermeasure Goals and Strategies
Introduction
Countermeasure Objectives, Goals, and Strategies
Access Control
Deterrence
Detection
Assessment
Response
Evidence Gathering
Comply with the Business Culture of the Organization
Minimize Impediments to Normal Business Operations
Safe and Secure Environment
Design Programs to Mitigate Possible Harm from Hazards and Threat Actors
Summary
Reference
Q&A
Types of Countermeasures
Introduction
Baseline Security Program
Specific Countermeasures
Countermeasure Selection Basics
Summary
References
Q&A
Countermeasure Selection and Budgeting Tools
Introduction
The Challenge
Countermeasure Effectiveness
Functions of Countermeasures
Countermeasure Effectiveness Metrics
Helping Decision Makers Reach Consensus on Countermeasure Alternatives
Summary
Q&A
Security Effectiveness Metrics
Introduction
Theory
Sandia Model
A Useful Commercial Model
What Kind of Information Do We Need to Evaluate to Determine Security Program Effectiveness?
What Kind of Metrics Can Help Us Analyze Security Program Effectiveness?
Summary
References
Q&A
Cost Effectiveness Metrics
Introduction
What Are the Limitations of Cost-Effectiveness Metrics?
What Metrics Can Be Used to Determine Cost Effectiveness?
Communicating Priorities Effectively
Complete Cost Effectiveness Matrix
Complete Cost Effectiveness Matrix Elements
Summary
Q&A
Writing Effective Reports
Introduction
Comprehensive Risk Analysis Report
Summary
Q&A
Biography
Thomas L. Norman, CPP/PSP/CSC, is an internationally acclaimed security risk management consultant with more than 35 years of experience working in the United States, the Middle East, Europe, Africa, and Asia. He is the author of the industry reference manual on integrated security system design. He has developed formulas and processes that are used by the entire security industry to calculate the effectiveness of security programs and overall security program cost-effectiveness. His published works have been quoted and referenced by organizations such as the Cato Institute, the National Broadcasting Company, and Security Management.
Winner of the ASIS Security Industry Book of the Year award in 2016.
"This book, like its predecessor, will become a desk reference used by security professionals everywhere. Like any great reference work, it will be dog-eared, feathered with Post-It Notes, with handwriting scrawled in the margins."—Ross Johnson
Praise for the First Edition:
"Thomas L. Norman’s Risk Analysis and Security Countermeasure Selection is a relentlessly practical book intended to aid security consultants."—Jim Harper, The CATO Institute, US Counter-Terrorism Strategy and al-Qaeda, 2010
"… by following the guidance laid out in this detailed book, security managers can do it themselves with software that’s probably already on their office computers… There is no doubt that Norman himself spent considerable time devising the process, which he presents in the book. He provides step-by-step lists for building various matrices … definitely a book for the advanced security practitioner. … it outlines an excellent methodology and is well worth the effort required to read it and work through the process outlined by the author."—Glen Kitteringham, CPP, President of Kitteringham Security Group Inc., in Security Management, January 2011