Risk and Security LLC

Risk Assessments, Training and More

This content shows Simple View

Emergency Preparedness

Threat Modeling is the Exciting, Sexy Part of Risk Assessment

As a risk assessment professional, when I get into a risk discussion, most security people want to talk about THREAT!  Threat is the most sexy and exciting part of doing a risk assessment.

Threats are exciting all by themselves.  Think about all the threats you can name:

All the natural disasters like Earthquakes, Tornadoes, Storms, Hurricanes, Tsunamis, Lightning, Floods

Crimes like Homicide, Assault, Rape, Burglary, Theft, Kidnapping, Blackmail, Extortion

Terrorism like Sabotage, Explosions, Mail Bombs, Suicide Bombs

All the IT Threats like Malicous Code, Disclosure, Data Breaches, Theft of Data

And about 50 more including Chem/Bio incidents, Magnetic waves, High Energy Bursts, Microbursts, Contamination and Reputation Damage.

Each of these threats could theoretically occur at any time, but we try to establish a pattern of how often they have occurred in the past, in this location, in this county, in this country, in the company, etc.   So NASA, for example, gets thousands of hacker attacks, but another company, like the local Salvation Army, gets 1 every 10 years.

Same model for natural disasters, although you might have to factor in climate change, it’s easy to get the threat incidents for hurricanes in Florida, snow storms in Cleveland, earthquakes in northern California, etc.

We also like to examine industry specific data to see if some threats are higher in a certain industry, like the high incidence of workplace violence incidents in hospitals and high risk retail establishments (like Wawa or 7-11).

Another factor we use in calculating threat likelihood is how the threat could actually affect different types of assets…. for example, would an earthquake damage a car?  Probably not. Would it cause damage to an old historical building – probably (unless it had been retrofitted).  Could it cause loss of life, or injuries (think Haiti).

So I use a multidimensional model that takes the threats list (I have a standard list of 75 threats that I use), and map it to each potential loss, based on the ‘asset’ that might be affected.

The more data you get, the better your model will be, and the more value it will have as a decision support tool!

 



How to Correctly Analyze 100-Year Threats for Risk Assessments

Starting a risk assessment in northern Virginia and going through the threat list they say, “You can take earthquakes out – we don’t have earthquakes here”!

Hey, Haiti didn’t have earthquakes!

Vermont didn’t have major floods!

Connecticut doesn’t have tornados!

Like Murphy’s Law, as soon as you discount a threat, and think, “it will never happen here”, it happens!   The earthquake in the mid-Atlantic in August was a wake-up call for those who that they would never have earthquake damage.

One of the reasons that security risk assessment is so highly valued as an analytical took, and why it’s required by so many governments is because it DOES take into account the 100-year flood, the 75-year drought, etc.

Natural disasters can be so overwhelming, and catastrophic, that they must be considered in any proper risk assessment.  This is why some areas are not suitable for building housing tracts, because they are in a 100-year flood plan.

Because human memories are short, just because YOU haven’t experience a flood
along a meandering creek, doesn’t mean it will never happen.  

Always check the long-term probabilities when you start a risk assessment and make the numbers work for you!



Does Being on TV Make Us Better World Citizens?

Does Being on TV Make Us Better World Citizens?

To quote the character in the 1995 movie, “To Die For” — “You’re not really anybody in America unless you’re on TV… ’cause what’s the point of doing anything worthwhile if there’s nobody watching?  So when people are watching, it makes you a better person.” So if everybody was on TV all the time, everybody would be better people.

A minor statistic – that the recent tsunami in #Japan got CNN its highest ratings since Obama’s inauguration!   What can beat the reality of earthquakes and rising water, followed almost immediately by nuclear power plants with seawater cannons blasting?   And then add the airstrikes over #Libya – all delivered in breathtaking color.

Does showing these images on TV make people more sympathetic to the plight of the rest of the world?   I think it probably does – and that it does make us better people for caring.

The social media has contributed greatly to this – working hand in glove with TV – expanding coverage to new audiences and flashing breaking news around the world.  The immediacy of Twitter and email make us seem empathetic because we are sending the news out to our social circles. 

The middle east uprisings are possible not because of just the media, but because people around the world weigh in and give political support to the protesters.  They know the world is watching and because they know they are not alone anymore, they are empowered to stick with their protests. 

And look at the payoff – the rebels in Libya make their case and the world comes to their aid.  Obviously there are other critical factors at play here, but the TV makes it all possible. 

Just five years ago, people were wondering when the One World concept would finally catch hold and we would collectively realize that we’re really all people on this tiny planet – Pax Humana, aka World Peace. 

It looks like that day has come – not because of highideals or harmonic convergence, or universal values, but because we can tweet pictures to our friends about other people on the other side of the world.  This is true reality TV and it’s going to be a game changer for businesses and governments everywhere.



What do they want? #egypt

#EGYPT –

Watching events play out on CNN, a saw a commentator ask, “What Do They Want?”, meaning what do these protestors want?   

I know what they want. I know because I have been working with people all over the world for years – both in person and online, by blog, by email, by phone.

Everyone wants the same thing – personal dignity and the chance for a better life for themselves and for their children. The desire for upward mobility is built into our DNA. It is built into the idea of evolution. It is why animals compete for the best perch, the best cave, the best tree, the best nest, the best plumage, the best mate……

You can apply all the slogans you want and make a list of the emotions people everywhere want to feel:

Dignity
Pride
Relevance
Happiness
Secure
Stable
SAFE

And what that means, as I see it, is that they want:
Choices
A better life for their children
To be able to Laugh
To fall in love and have a family
Better education
Stable food supply
Basic healthcare
Affordable basics – like food and housing and energy
 Jobs
Freedom to be themselves.

The internet is sort of like God, without all the judgement. In many ways – the internet is THE GREAT EQUALIZER. That’s why the 60-year old man can hide and pretend to be 27 again on a dating site – or even pretend to be a woman!   When you communicate on the internet, all the external things that people use to stereotype, pigeonhole and judge people are eliminated because of the way the message is communicated. (Remember – the MEDIUM IS THE MESSAGE….)

So it doesn’t matter what you look like on the internet – it doesn’t matter about your religion, race, sex, formal education, job – nothing. The only things that matters are your words – what you choose to tell the world about yourself.

That creates GREAT freedom and the way the internet lets you search and research and look around – so that a person in Cambodia living on one dollar a day can get online and see that amazon has 50 million different things to buy.   And look at those things – and see how much a bag of crackers cost in the US.

So these events in the middle East are earth-shaking for a lot of reasons, but mostly because this yearning for equal opportunity and the yearning to make your own life better is the irresistible siren call. It cannot be stopped. It cannot be silenced and just because it is starting in Egypt, doesn’t mean it is going to take over the world. Because I think it is.



Workplace Terror in Manchester, Connecticut

Yesterday a tragic story unfolded in Manchester,  Connecticut.   You probably already know that nine people were killed when an employee who was being fired, came back in with his hand gun,  started shooting and, after calling his mother, killed himself. 

This incident is part of a bigger and growing trend to more workplace violence incidents – not only in companies in general, but in hospitals to an even greater degree.  The Manchester incident also illustrates again some of the basic tenets of preventing workplace violence incidents. 

Patrick Fiel, Public Safety Advisor for ADT Security, commented, “The industry standard is to not  terminate employees in open areas where other individuals may be working.   Firings are always touchy situations and should be conducted in an isolated areas, even off-site, away from the work areas.”  

“Many companies have crisis plans in place, and also conduct security risk assessments annually  to prevent this kind of incident.   A comprehensive security assessment  might have saved nine lives by setting up procedures for the termination; and additionally, by making sure employees knew what to do when he did draw his gun.” 

I have been reviewing workplace violence incidents in healthcare and find that they have skyrocketed since the recession started.   Violence against supervisors, managers and also nurses and other healthcare workers has spiked significantly.

 It is surprising to read the following statement on the osha.gov web site:

There are currently no specific standards for workplace violence. However, this page highlights Federal Registers (rules, proposed rules, and notices) and standard interpretations (official letters of interpretation of the standards) related to workplace violence.

Section 5(a)(1) of the OSHA Act, often referred to as the General Duty Clause, requires employers to “furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees”. Section 5(a)(2) requires employers to “comply with occupational safety and health standards promulgated under this Act”.”

It might be time for OSHA to develop some workplace violence prevention standards.  Many of the ones we use in our risk assessments are related to standard security safeguards – such as having a written termination policy; making sure that if  worker at one location is fired, that all other locations are notified so he can’t just go to another office and cause an incident. 

Much of the statistical data we found on the OSHA website were at least six years out of date, which makes it harder to track current trends in workplace incidents, unless you catalog the media-reported events and run an analysis on them.  The U.S. Bureau of Labor Statistics reported  “Mass shootings receive a great deal of coverage in the media, as we saw with the Orlando, Fla. office shootings in November 2009 and in the shootings at the manufacturing plant in Albuquerque, N.M. in July 2010.  Out of 421 workplace shootings recorded in 2008 (8 percent of total fatal injuries),  99 (24 percent) occurred in retail trade.  Workplace shootings in manufacturing were less common, with 17 shootings reported in 2008.  Workplace shooting events account for only a small portion of nonfatal workplace injuries.” from http://www.bls.gov/iif/.

It makes me wonder if the workplace violence statistics from 2008 until now may be such a large increase, that has been either underreported or even held from publication!

According to a report by the National Institute for Occupational Safety and Health — “State of the Sector/Healthcare and Social Assistance” — published in 2009, health care workers are more than three times as likely as workers in other industries to be injured by acts of violence.

“Health care workers are at risk for verbal, psychological and physical violence,” the report says. “Violent acts occur during interactions with patients, family, visitors, coworkers and supervisors. “Working with volatile people or people under heightened stress, long wait times for service, understaffing, patients or visitors under the influence of drugs or alcohol, access to weapons, inadequate security, and poor environmen­tal design, are among the risk factors for violence,” the report continues.

In the current economic environment, the physical security (facility) risk assessment can be used as an important tool in making sure that basic industry standards for preventing workplace violence incidents; or limiting the damage they can do – especially for making sure the staff are protected from violent incidents by their co-workers.

The security assessment can be followed by the creation of specific, detailed crisis plans that make sure people know what to do when the unthinkable happens at work.  One of the reasons that workplace violence incidents are so upsetting to all of us is because the person KNEW the people he was killing.  He probably knew their spouses and met their children at a company picnic.  It makes the violence more personal and scary, a whole different thing than falling off a ladder.   And it reminds us all that it COULD happen here!



The Oil Rig Disaster and Risk Assessment — And Accountability Issues with Politicians

“Drill, baby, drill.”   We have heard that before – being from California and being a tree-hugger, I didn’t think that was a great idea, especially since I know our oceans are already struggling, but I did not expect something this bad to happen.

The politicians who were so busy expanding oil leases and the profit-rich oil companies who are raking in billions,  don’t spend much time on assessing the potential risks AND the potential losses for a catastrophic oil spill.

Maybe we should require them to do REAL risk assessments on the total possible impact of an oil disaster.    It would not be an environmental impact statement, which downplays the risk by putting in lots of scientific jargon and ASSUMES that proper safety controls and contingency plans are in place.  But obviously that either was not done;  or it was not accurate, or it was done and burned so no newsperson would ever see the smoking document (or should I say, the oily document).

If we go back to the classic risk model – we are by listing the assets at risk:

  1. The Cost of the Original Rig and Drill Equipment – $500,000,000
  2. The Value of the Lives of the 11 workers who died –    25,000,000
  3. The Value of the Oil itself, with replacement value
    (5 million gallons at  $2.00 per gallon = $10 million dollars)
  4. BP’s Reputation as a good company – $2 million
  5. Gulf Fishing and Shrimp Industries Value – $2.5 billion dollars for

Just Louisiana – add in Alabama, Mississippi and Florida and quickly     the bill runs up to $10 billion dollars.

  1. Value of Summer Beach Tourist Business in the Gulf – $20 billion
  2. Value of lives of 20,000 – 50,000 shorebirds; 10,000 turtles; 0ther assorted marine mammals, birds, and fish   – $25 million.

So we have a resource worth about $33.5 billion dollars – that is potential loss estimate.

What we will lose if a threat materializes?    Keep in mind, for comparison purposes, that BP had recently doubled it’s profits from $3 billion to $6 Billion a quarter,  which calculated out to about  $24  Billion Dollars a Year.

Next we factor in the likelihood of a threat occurring.  Reviewing the frequencies of and problems problems with oil rigs, and oil spills, we find:

There are an average of about 2000 oil spills a year of various degrees.

There are an average of 1 million gallons spilled each year (going back 7 years).

(Already you can start to get a idea of how terrible this spill is.)

Next we list all the problems (vulnerabilities) that could or would have made it more likely to have a disaster occur,  you will recognize many of these from the latest news conference

  1. New,  untried technology
  2. No recovery plan if secondary shut offs fail
  3. Difficulty of working on deep ocean
  4. No reliable oil containment systems have ever been developed

SO – if British Petroleum is making $24 BILLION A YEAR and because of this spill, BP loses about $1 billion dollars. That’s not a bad Return.

The problem comes in with the $30 Billion dollars that is borne and felt, not by BP, who goes on to drill somewhere else, but by the citizens of the affected states and the whole United States due to the incalculable environmental damage.

The last thing we look at in a risk assessment model is the potential controls that could have been put in place to reduce the likelihood of the threat materializing, and the cost of those controls that could either reduce the threat, or, and even more important in this case, minimize the damage if the threat occurs anyway.

What controls could have been improved in this model?

Development of effective oil capping techniques BEFORE a disaster

Better training of oil rig workers

Better fire controls which might have saved the rig from sinking.

Accountability Increased for the Materials Management Service (MMS)

Tougher Regulations for Oil Companies

Better oil containment tools

Better oil absorption tools

Regular drills so that workers are better prepared in an emergency like this.

I’m still here watching the news coverage but I have learned why this happened – because BP was making so much money, it just didn’t have that much to lose from a disaster.  So it avoided improving its technology and spending money on controls that might have helped.

And the former and current U.S. administrations are to blame for not requiring accountability from the MMS.  And the rest of us, including the bluefin tuna, the birds, the jellyfish, the crabs, the shrimp, bottlenose dolphin, sperm whale, dozens of varieties of sharks, manatees, oysters, warblers, terns, swallows, egrets, plovers, sandpipers, pelicans,  loggerhead turtles, Ridley’s turtle, diamondback terrapins, and alligators.

According to the Louisiana Department of Wildlife and Fisheries,   here are the numbers of species that will be affected:

445 species of fish,

45 species of mammals

32 species of amphibians and reptiles

134 species of birds,
and the ocean itself, and all of us.



Exploring Ideas to Prevent Disasters like the Haiti Earthquake Disaster

Exploring Ideas to Prevent Disasters like the Haiti Earthquake Disaster

CNN seems like it’s grabbed the lead on Haiti Earthquake coverage. They crossed that line last night when Sanjay Gupta, the CNN doctor, spent all night in a field hospital caring for patients that the UN left alone in a tent.

So there are thousands of images of the aftermath of the earth. Thousands of sad stories of loss and tragedy and all of it magnified by the grinding poverty of the country and it’s lack of government control and working infrastructure (even before the earthquake).

Obviously – it is impossible to prevent an earthquake, so there are three areas that could be explored to make earthquake disasters less horrific.

1. Advance notice of seismic activity in an area. Hurricane can be seen forming and building and can be graded, and prep work can began days before the disaster strikes
(yes – like Katrina). But perhaps it is also possible to have sensors that mark seismic activity. At least enough to get a glimmer of warning. My research says that there has been a project since 2007 to install sensors in the ocean floor to track tremors. After the Indonesian tsunami, the urgency to install these sensors increased dramatically. And because Haiti was on a fault line — I can’t help but wonder if someone somewhere in a research lab, may have noticed a few unusual tremors because this actually occurred.

2. Creating a System of International Building Codes. Obviously the death, injuries and damage occur from falling buildings and building materials (in the Haitian earthquake – cinder blocks). The UN could create standards for buildings with different standards based on the type of earthquake zone. For example, there could be a simple 1-5 scale and places that often have earthquakes (California, Japan, Pakistan) would have stricter standards than a place with almost no earthquakes, i.e. Florida and India.

While every building in a quake-prone country might not comply with the guidelines, the big multi-nationals would – the hotel chains, the government buildings (perhaps), and the better residential areas — and who lives in the better residential areas? The doctors, the medical professionals, the government officers, exactly the group of people you need in an emergency.

3. Creating Standards for Better Emergency Planning and Disaster Recovery.
The big increase in business continuity plans and disaster recovery plans (see
www.recoveryplanner.com) is amazingly limited to INFORMATION recovery and working to limit or prevent interruptions in information systems. The same kind of planning does not exist for disasters in most underdeveloped countries. Again, this is an area where the U.S. agency, FEMA could play a leading role; or the UN should make it a priority to do some kind of minimal planning standards for these devastating emergencies with massive injuries and loss of life.

The National Fire Protection Associations (www.nfpa.org) has published an Emergency Preparedness standard called NFPA 1600 – the Standard on Disaster/Emergency
Management and Business Continuity Programs and it’s a good example of the basics of Emergency Preparedness.

Individual countries would do their citizens a service by acquainting them with how to prepare families to survive in emergencies, whether they are triggered by power outages, severe cold, hurricanes or earthquakes!

Emergency Preparedness’ critical role in emergencies is something you can watch unfolding this week, as the relief efforts get stalled by lack of clear roads, problems at the airports, time involves in sea travel, etc. There has to be a better way – one that can be refined and used in future disasters.

In case you think you will never see an earthquake – here are the statistics on how many earthquakes occur in the world each year. These are averages but you can see that there is, on average, one giant earthquake, and seventeen large earthquakes, 134 strong earthquakes and many more light and moderate earthquakes.

TYPE STRENGTH AVERAGE PER YEAR
Great 8 or higher 11
Major 7–7.9 172
Strong 6–6.9 1342
Moderate 5–5.9 1,3192
Light 4–4.9 c. 13,000

The Boy Scouts were right when they adopted “BE PREPARED” as their motto.

These are three areas:

1. Better Ways to Predict Earthquakes (by even a day),
2. Minimum Building Codes based on local geography, and
3. Uniform Emergency Preparedness standards around the world.

These could be explored to prevent or at least mitigate the devastation we have seen in Haiti this week.




top