Security Risk Management



Almost everyone can recognise the benefits of investments in security risk management when it comes to the basics of putting locks on the office door or the factory gate. Equally, the benefits of significant investments in security measures are obvious when an organisation wishes to operate in a high threat environment. Drilling for oil in the developing world, for example, is a situation where an organisation would invest readily in security measures in order to achieve the potentially considerable rewards which can only be achieved if protective measures are put in place.

Understanding the risks involved is no mean feat for humankind, however. We continue to over- or underestimate risks and to make a range of poor quality decisions. In December 2001 David Myers, Professor of Psychology at Hope College, postulated that if Americans “now fly 20 percent less and instead drive half those unflown miles, we will spend 2 percent more time in motor vehicles. This translates into 800 more people dying as passengers and pedestrians. So, in just the next year the terrorists may indirectly kill three times more people on our highways than died on those four fated planes.”

As it turned out, domestic air travel in the United States following the terrorist attacks of September 11 dropped more than 30% relative to the same period the previous year, and US motor vehicle fatalities were 1,085 higher in 2002 than in 2001. This obviously does not demonstrate cause and effect, but it remains thought provoking, particularly given that 2001 was actually on a slight downtrend (931 fewer deaths than in 2000). To put it all in context: in the same year that 3,000 people died in the 9/11 attacks and several hundred billion dollars were allocated to counter-terrorism, 42,000 Americans died on US roads without much hue and cry at all.

As Bruce Schneier points out, we can calculate the risk of any number of security threats including murder, mugging, identity theft, etc. After all, insurance companies do it all the time. The reality, however, is that “security is also a feeling, based not on probabilities and mathematical calculations, but on your psychological reactions to both risks and countermeasures. You might feel terribly afraid of terrorism, or you might feel like it’s not something worth worrying about.” [2]

The challenge for us as security professionals
is to understand the risks and apply an optimal balance of neither too
many nor too few resources to achieve an appropriate cost-effective

The business benefits for deploying

The ability to operate in a high threat
environment can offer competitive advantage to organisations which can
operate where their competitors may not be able to (or at least may
not be able to deploy as quickly).  The challenge of course is
that most organisations do not operate in either extremely low or extremely
high threat environments.  Most of us need to tailor the investment
in security protection to meet the appropriate threats and opportunities.

In this paper I would argue that most organisations either a) take on more risk than they realise, b) over-engineer their risk mitigation strategies, thereby allocating resources inefficiently, or c) don’t take risks. This paradigm of being risk averse, or of unconsciously accepting unnecessary levels of risk, would be bad enough on its own, but in the context of the corporation being the dominant entity of our time it becomes an increasingly prevalent challenge for modern society.

The root cause of this inefficient allocation of resources and/or management of risk is that we humans are the weak link in the equation (and, equally, potentially the strongest link). We have evolved to manage risk in the emotional centre of the brain, an adequate system when we lived in small Paleolithic communities. The complexity of the modern world, and the new security trade-offs that come with it, mean that we need to apply more rational and scientific approaches to risk management.

Some scary things are not really as
risky as they seem, and others are better handled by staying in the
scary situation to set up a more advantageous future response. This
means that there’s an evolutionary advantage to being able to hold off
the fight-or-flight response while you work out a more sophisticated
analysis of the situation and your options.  We humans have a much
more sophisticated pathway to deal with analysis which is the neocortex,
a more advanced part of the brain that developed very recently, evolutionarily
speaking, and only appears in mammals.

The neocortex is intelligent and analytic.
It can reason. It can make more nuanced trade-offs. It’s also much slower. 
So here’s the first fundamental problem: we have two systems for reacting
to risk, a primitive intuitive system and a more advanced analytic system,
and they’re operating in parallel. And it’s hard for the neocortex to
contradict the amygdala.  Essentially, the neocortex, the part
of our brain that has to make security trade-offs, is still in beta

Of course, all that wouldn’t be such a problem if we still lived in small village communities. We have any number of multi-national corporations that are more powerful than most of the nations on this planet, all of which operate in an incredibly complex world but are governed by human beings who, to a large extent, are still governed by a Neolithic piece of technology.

Just to add to the complexity of the situation, there is no simple correct answer to how much should be invested in security for any given scenario. Even if there were, it would vary depending on the organisation. For example, a low risk operation such as a stationery manufacturer would reasonably expect to spend much less on security than might the bank or oil refinery next door. If they were allocating similar resources to mitigating security threats, their shareholders might have good reason to query the appropriateness of one or more of the organisations’ security measures.

Any number of coronial inquiries and
post-incident investigations have shown an inappropriate allocation
of security measures and the reasons for this are many and varied. 
Shareholder financial expectations, management agendas, management competence,
technology, political events and more can be found at the root of these
but there are perhaps two main issues worthy of further investigation:

  1. Managers lack structured cost-benefit methods to evaluate and compare alternative security solutions
  2. Business cases for security risk management (if they are used at all) often fail to identify the ultimate ‘problem’ that they are attempting to resolve (be that realising an opportunity or mitigating a threat)

Defining a structured cost-benefit framework for security is worthy of several PhDs and is therefore beyond the scope of this presentation, but much can be found in the management and financial literature on this topic. One key area which can be relatively easily managed is context setting within the development phase of a business case for investments in SRM. HB167, the Security Risk Management Handbook to the AS/NZS 4360 Risk Management Standard, provides solid guidance in this area. Indeed, there are any number of methodologies for this, but one of the simplest is the one most commonly overlooked: what is the problem that we are attempting to address? The eight step problem solving process below is one method of initiating the development (or review) of a robust business case:

  1. What is the problem?
  2. Why is it a problem?
  3. What causes the problem?
  4. What are the possible fixes?
  5. What is the best fix (or
  6. Why is it the best fix?
  7. What action do we recommend to implement it, i.e. what are we proposing?
  8. What are the possible questions that our managers might ask, and what are the answers to those questions?

As simple as these questions are, the fact that they went unasked and unanswered often lies at the heart of an over- or underinvestment in security risk management measures. In many cases this is a reflection of the maturity of the organisation in terms of its SRM management systems.

Maturity levels of organisations in their approach to SRM?

Little research has been conducted in the area of maturity levels of organisations for enterprise security risk management; however, it is safe to say that it is extremely variable. Australia in many respects is a model of world class performance in this area. The development of the AS/NZS 4360 Risk Management Standard has helped Australian organisations develop leading edge practices. This standard is currently the basis for the development of an international standard for risk management (ISO 31000), and it is a tribute to Australia that the ISO committee selected an Australian (Kevin Knight, who was instrumental in developing 4360) as its Chairperson. Similarly, documents such as the HB167 Security Risk Management Handbook and the Commonwealth Government Protective Security Manual, together with a strong, well developed SRM training and education sector, have ensured that Australians and Australian organisations are well regarded internationally for (among other things) their SRM capabilities.

In order to put this in some sort of framework, however, it is worth considering what an SRM maturity model might look like. Fully developed capability maturity models have proven effective in a number of disciplines for understanding the degree of sophistication of a business management system as well as its reliability and effectiveness in meeting objectives. A number of risk management capability maturity models have been proposed, including by Hillson[3], Hopkinson[4] and Chapman[5], and these have been adapted in the Security Risk Management Body of Knowledge (SRMBOK) to provide guidance on a Security Risk Management Capability Maturity Model based on four levels:

Level 1

The Level 1 organisation has limited understanding of the benefits of security risk management. SRM practices are ad hoc, reactive and unstructured, typically showing minimal or excessive security measures implemented after incidents and unlikely to reflect the actual risks. Usually there is little attempt to learn from the past or to prepare for future uncertainties.

Level 2: Risk Controllers

The Level 2 organisation is experimenting
with the application of security risk management usually through a small
number of nominated individuals but has no formal or structured management
systems in place. This organisation has not yet effectively implemented
SRM processes and is focussed on threat mitigation, largely unaware
of the potential opportunities of SRM.

Level 3: Risk Enhancers

The Level 3 organisation has built SRM management systems into routine business processes in alignment with other management systems. Policies, procedures and guidance exist for most threats, and the organisation is aware of and pursuing opportunity realisation through the SRM process; however, at this level it is likely to remain focused on loss mitigation. Generic security processes are formalised and widespread, although they may not yet be consistently applied.

Level 4: Risk Transformers

Level 4 organisations exhibit a culture
where security risk management, resilience and opportunity realisation
are embedded and practiced at all levels.  The organisation has
a proactive approach to SRM and actively uses it to improve capability,
business processes and competitive advantage.  Security risk management
is proactive, continually refined and consistently used to manage opportunities
as well as threats.

The relative focus on threat mitigation versus opportunity realisation is illustrated in Figure 1 below, with Level 1 not shown on this graphic due to its ad hoc implementation and limited focus on both threat and opportunity.

Figure 1: Security Risk Management Maturity Journey



Table 1: SRM Maturity Model

OVERVIEW
  Level 1:
    • Compliance only
    • Risk appetite not defined
    • No framework developed
    • No senior management support
    • No use of SRM to inform decision making
  Level 2:
    • SRM established for loss prevention
    • Shared but poorly articulated SRM tolerance
    • SRM implemented at lower levels
    • Few policies and procedures
  Level 3:
    • SRM built into routine business processes and management systems
    • Comprehensive SRM policy and procedures
    • Benefits recognised at all levels of the organisation
  Level 4:
    • SRM considered critical to competitive advantage and achievement of objectives
    • Security risk appetite and approach is documented and promulgated to all levels of the organisation
    • SRM management systems demonstrate continuous improvement
    • SRM proactive and focused on opportunity

CULTURE
  Level 1:
    • SRM implemented to meet minimum legislated
  Level 2:
    • SRM exposure defined
    • Roles and responsibilities defined
    • Basic SRM decision making mechanisms
  Level 3:
    • Proactive approach to SRM
    • Support for SRM at all levels of the
    • High level security risks reviewed by senior management
  Level 4:
    • SRM culture is led by the Chief Executive
    • SRM information is used in decision
    • SRM roles and responsibilities included in inductions, job descriptions and performance appraisals

SYSTEMS
  Level 1:
    • SRM strategy and management systems non-existent or ad hoc
  Level 2:
    • SRM framework under development
    • BCM and resilience not addressed
    • Poor data collection and analysis
  Level 3:
    • Strategy and management systems documented and consistently applied
    • SRM framework in place and partially integrated with BCM
  Level 4:
    • SRM framework and management systems are defined and benchmarked against best practice
    • Continuous improvement is evident at all levels

EXPERIENCE
  Level 1:
    • Very limited understanding of SRM systems or terminology
  Level 2:
    • Limited to small number of security
  Level 3:
    • In-house core of experienced individuals, systems and modelling
  Level 4:
    • Organisation has a depth of experience at all levels and experiences are analysed as part of normal management

TRAINING
  Level 1:
    • Training implemented only to the level required by legislation
  Level 2:
    • Training undertaken only by security
  Level 3:
    • Organisational training needs analysed and met
    • Security training provided to staff at all levels
  Level 4:
    • Training and education programs are based on robust and up to date training needs analysis
    • Relevant training is provided to all

MANAGEMENT
  Level 1:
    • Management practices focused on meeting legislated requirements
    • Response to critical incidents is the prime initiator for SRM
  Level 2:
    • SRM practices based on organisational management systems
    • Majority of SRM is reactive
    • Security systems reviewed on ad hoc
  Level 3:
    • Guidance for SRM provided to all levels of management
    • Resource allocation commensurate with
    • Security plans reviewed at least annually
  Level 4:
    • Guidance on SRM implementation is provided to all levels
    • Benchmarks are established and monitored
    • Resource allocation is monitored and
    • BCM and SRM are integrated and plans are reviewed and tested at least annually
    • Collaboration between senior management, IT and risk departments

Security risk management has, in the main, grown out of the 3Gs of Guns, Guards and Gates, or out of information technology. Only comparatively recently has the role of Chief Security Officer been created, with its main focus (as it needs to be) on business integration, enterprise security and value creation.

The integration of security with standard management systems, including financial systems, OHS and human resources, is a key element of success in this area. Using existing platforms such as ISO 9000 or the Balanced Scorecard is one way to demonstrate alignment with the business.

Establishing an integrated security risk management function means setting up the corporate “infrastructure” for risk management: one designed to enhance understanding and communication of risk issues internally, to provide clear direction and to demonstrate senior management support. To be effective, this security risk management framework needs to be aligned with the organisation’s overall objectives, corporate focus, strategic direction, operating practices and internal culture. Additionally, in order to ensure that security risk management is a consideration in priority setting and budget allocation, it needs to be integrated within existing governance and decision-making structures at the operational and strategic levels.

To ensure that risk management is integrated in a rational, systematic and proactive manner, an organisation needs to achieve three related outcomes:

  • DIRECTION. The organisation’s direction on all matters, including security risk management, must be communicated, understood and applied: vision, policies, operating principles.
  • SYSTEMS. The approach to operationalise integrated security risk management must be implemented through existing decision-making structures: governance, clear roles and responsibilities, and performance reporting.
  • EXECUTION. Building capacity: learning plans and tools are developed for use throughout the organisation.

Figure 2: Relationship of Direction, Systems and Execution

Barriers, guiding principles and applications for proactive SRM

Effective implementation of security
risk management processes into organisations and projects is not common. 
Organisations which have tried to integrate risk management into their
business processes have reported differing degrees of success and some
have given up the attempt without achieving the potential benefits. 

Research conducted by the Risk Management
Research and Development Program Collaboration[7] suggests
that unrealistic expectations and lack of a clear vision regarding what
implementation would involve or how it should be managed were the cause
of many of the unsuccessful implementations.  Organisations attempting
to implement a formal structured approach to risk management need to
treat the implementation itself as a project requiring clear objectives
and success criteria, proper planning and resourcing and effective monitoring
and control.

One of the critical success factors
behind any enterprise risk management implementation involves a supportive
organisational culture.  In this respect there is much to learn
from a range of other disciplines, not least of all from the disciplines
of behavioural psychology and occupational health and safety.

The US Department of Defence (DoD) conducted significant research and development in the area of aviation safety based on the work of James Reason[8], which led to the development of the Human Factors Analysis and Classification System (HFACS)[9]. This has been adapted by the DoD into a taxonomy involving four layers:

  • Errors (perception based,
    competency, etc), Inappropriate behaviours or deliberate acts
  • Pre-Conditions such as fatigue,
    physical environment, inattention, etc
  • Supervision or inadequate
    oversight such as leadership, inappropriate operations, failure to correct
    known problems
  • Organisational influences
    such as culture, organisational climate, resources/procurement

HFACS asserts that research indicates
human error is a causal factor in 80 to 90 percent of incidents and
present in another 50 to 60 percent.  Although limited empirical
data and research exists regarding Human Factors Analysis in the SRM
field, anecdotal evidence and results of incident investigations suggest
that similar percentages would apply.

High Reliability Organisations

Further research in the area of enterprise risk management comes from research into high reliability organisations (HROs) such as nuclear power plants, aircraft carriers and air traffic
High reliability institutions are notable, according to Rochlin[10], because “these organizations have not just failed to fail; they have actively managed to avoid failures in an environment rich with the potential for error
That ability to actively and reliably manage to reduce the chances of mistakes occurring, rather than to avoid the hazards, has been the distinguishing hallmark of most HROs, and their experience offers many lessons for the application of security risk management at the enterprise level.

Work by Karl Weick and Kathleen Sutcliffe[11] in this area suggests that five key elements contribute to what they describe as a state of ‘mindfulness’:

  1. Preoccupation with failure
  2. Reluctance to simplify interpretations
  3. Sensitivity to operations
  4. Commitment to resilience
  5. Deference to expertise

At first, many of these processes appear to be self-defeating on multiple levels. But as Weick goes on to explain why these processes are necessary if a high reliability organisation is to be successful, their validity becomes increasingly apparent.

Preoccupation with failure

HROs, like most organisations, celebrate their successes, but Weick also notes that “a chronic worry in HROs is that analytic error is embedded in ongoing activities and that unexpected failure modes and limitations of foresight may amplify those analytic

Reluctance to simplify interpretations

Most organisations are happy to handle complex issues by simplifying them and categorising them, thus ignoring certain aspects. HROs, however, take nothing for granted and support cultures which attempt to suppress simplification, because it limits their ability to envision all possible undesirable effects as well as the precautions necessary to avoid those effects. HROs pay attention to detail and actively seek to know what they don’t know. They endeavour to uncover those things that might disconfirm their intuitions, despite these being unpleasant, uncertain or disputed. Scepticism is also deemed necessary to counteract the complacency that many typical organisational management systems foster.

Sensitivity to operations

Weick describes sensitivity to operations as pointing to “an ongoing concern with the unexpected. Unexpected events usually originate in ‘latent failures’ which are loopholes in the system’s defenses, barriers and safeguards whose potential existed for some time prior to the onset of the accident sequence, though usually without any obvious bad effect

Management focus, at all levels, on normal operations offers opportunities to learn about deficiencies which could signal the development of undesirable or unexpected events before they become an incident. HROs recognise each potential near-miss or ‘out of course’ event as offering a ‘window on the health of the system’, if the organisation is sensitive to its own operations.

Commitment to resilience

HROs develop capabilities to detect, contain, and bounce back from those inevitable errors that are a part of an indeterminate world. The hallmark of an HRO is not that it does not experience incidents but that those incidents don’t disable it. Resilience involves a process of improvising workarounds that keep the system functioning, and of keeping errors small in the first place.

Deference to expertise

HROs put a premium on experts: personnel with deep experience, skills of recombination, and training. They cultivate diversity, not just because it helps them notice more in complex environments, but also because rigid hierarchies have their own special vulnerability to error. As highlighted by the work of James Reason and HFACS, errors at higher levels tend to pick up and combine with errors at lower levels, exposing an organisation to further escalation.

HROs consciously evoke the fundamental principle of risk management, that ‘risk should be managed at the point at which it occurs’. This is where you will find the expertise and experience to make the required decisions quickly and correctly, regardless of rank or title.

Other lessons from HROs

Other lessons from HROs include the
strong support and reward for reporting of errors based on recognition
that the value of remaining fully informed and aware far outweighs whatever
satisfaction that might be gained from identifying and punishing an

The Icarus Paradox

Many experiments have shown that people who succeed on tasks are less able to change their approaches even after circumstances change (the hammer and the nail syndrome). Weick quotes Starbuck and Milliken in their analysis of the Challenger disaster: “Success breeds confidence and fantasy. When an organization succeeds, its managers usually attribute success to themselves or at least to their organization, rather than to luck. The organization’s members grow more confident of their own abilities, of their manager’s skills, and of their organization’s existing programs and procedures. They trust the procedures to keep them apprised of developing problems, in the belief that these procedures focus on the most important events and ignore the least significant ones.” [14] This level of complacency is a breeding ground for inadequate or ineffective organisational security risk management.

Another contributor to ineffective management systems is that human beings are inclined to show a level of ingratitude when warned about anything abstract. By definition, of course, anything that did not happen is ‘abstract’.


On the occasions when our organisational security risk management systems fail, it is often not because we lack the tools, will or imagination to mitigate risk. Very often it is because our perceptions of the threat have failed us. To a large extent this failure of perception is because changes in our ability to perceive and manage risk have not kept up with our changing environment. In short, we face situations that exist in the world of 2007 but did not exist in the world of 100,000 BC. Like a possum whose predator-evasion techniques fail when confronted with a car, or a magpie who finds that evolution prepared him to survive the hawk but not the shotgun, our innate capabilities to deal with risk can fail when confronted with such things as modern technology, large faceless human societies, and the media. Worst of all, our risk management systems can be made to fail by others (terrorists, organised crime, email scammers, and so on) who may attempt to exploit our natural failures for their gain.

Ultimately, security professionals must trade off various elements, applying resources to risk exposures towards an acceptable level of organisational risk and to agreed quality requirements. These four elements can be considered the ‘quadruple constraints’ which we must trade off and balance in order to achieve an optimal outcome for the circumstances. Any change in one will result in a corresponding increase or decrease in one or more of the other elements. The first step in managing our risks involves understanding our own inherent risk management limitations.

Figure 3: SRM Quadruple Constraints

In managing security risk for the enterprise we have a responsibility which goes far beyond the immediate. With the corporation as the dominant entity of our time, our actions as security professionals, managers and Board members have far greater ramifications than we can readily appreciate. Similarly, security risks, being abstract concepts, do not fit well into our emotional, reptilian fight-or-flight risk management programming.

We have some inherent limitations in regard to managing the abstract concepts of things which have not yet happened (and may never happen), but we can do something about it. By learning the lessons from other disciplines we can establish and maintain a level of ‘mindfulness’, to help decision makers understand the real problem(s) and/or benefit(s) as well as the appropriate security measures to address