Risk and Security LLC

Risk Assessments, Training and More

This content shows Simple View

Threat Sources

A New Threat Appears – Meteor Strikes

After the meteor showers over Siberia this week, Russia put together a

Financial analysis of the damage from the meteors:

1200 injured by flying glass

             $33,000,000 in damage

4,000 building damaged

50 Acres of windows shattered

In the last twenty-five years, as the rate of climate change has increase, we have occasionally added new threats like Tsunami and ash pollution.

Now meteor showers have actually come to cause damage to companies so they are another factor to be included in risk assessments.

In evaluating threats for a risk assessment, many in the northeast would always tell me, “take out earthquakes”, we don’t have earthquakes in Virginia, Maryland, and Ohio. That changed in 2011 when the Mineral, Virginia earthquake hit during a mid-week business day.

RICHMOND, VA (WWBT) – Aug. 24, 2011. 

There was an earthquake in Central Virginia that measured 5.8 on the Richter scale centered about 5 miles south of Mineral in Louisa, depth 3.7 miles at about 1:51 p.m. The quake was centered at 38°N, 78°W.

The U.S. Geological Survey said the earthquake was centered about 38 miles northwest of Richmond, Va., about 84 miles southwest of Washington, D.C., and was felt as far north as Rhode Island and New York City. See a map of the quake from Chuck Bailey, professor of geology at the College of William and Mary.

Hospitals, government offices, dams and power generating plants,  including nuclear plants, were forced to suddenly reevaluate the long held idea that earthquakes just didn’t happen in the NorthEast.

The threat from meteor damage is the same idea.  It never happened before, but now it has happened again, if you count Tunguska as the first time.

Damage from meteor showers will now add a new category into the Threat index, even though this was the first event in my lifetime, if analyst factor in the previously known instances, such as the Tunguska Meteor Event, which did not occur thousands of years ago, like the meteor event in the Yucatan peninsula that killed off the dinosaurs, but
Tunguska occurred in 1908!   Almost in this century.

Over the next month, we’ll be looking at each different threat every week.  Sign up for my blog or access by following me on twitter at www.twitter.com/riskalert.

 



Data-Driven Security: The Best Way to Improve Security for Anything, Anywhere

How can you improve your security program?  Are we talking about a seaport?  A church?  A manufacturing facility?  A gas pipeline?  An office building?  Corporate Headquarters?   Zoo?  Hospital?  Bank?  Clinic?  City Hall?  Harbor?  Stadium?  Government Agency?

It doesn’t matter what you need to protect — if you decide it is a critical asset, it needs good, continually improving security, and
an on-going assessment program is the fastest, easiest way to get it.

If wonderful, dedicated you, (as the security pro), don’t know what’s working and what’s not, how can you improve the overall program, unless you wait for an “precipitating event”, like a THEFT, like an ASSAULT, like a FLOOD, or a HURRICANE, or a POWER LOSS, and then you immediately start working on that and making sure THAT particular disaster doesn’t happen again!
Meanwhile, everything else is slowly losing energy due to lack of constant attention.

And so let’s say you are the Super Bowl, and the power went out!  Terrible. Inexcusable.  And you’re busy getting a 2nd or 3rd backup generator to make sure THAT POWER LOSS never happens again.

This problem with this model – fixing what’s broken and ‘learning from experience’ is that it’s always a day late.  You’re always chasing after something that already happened.

Instead, you can  set up a program so that you use to continually evaluate the current condition, assess the risk, and then improve the security controls, based on THAT RISK ASSESSMENT.

Tony Robbins used to call it CANI

  • Constant And Never-ending Improvement.  You can accomplish this by setting up regular assessments and then adjusting or tweeking the security controls to adjust to the new, or more aggressive threats.
    “Regular” assessments can be monthly, quarterly, semi-annually, annually, bi-annually, whatever schedule suits you and the organization.   The idea is that by continually reassessing your last improvement,and changing the threats and risk level,
    you can create a dynamic, data-driven security program that improves the security profile dramatically, without having to
    suffer through another triggering event!
    The concept of CANI – Constant And Never-ending Improvement can breathe life into your security program, you can use it to improve your health, your fitness level, your guitar playing, your _______________________.
    You fill in the rest!

 

 



What do Benghazi and Newtown have in common? Flawed Security!

After the attack on the Benghazi mission and the tragic mass shooting at Sandy Hook Elementary, its apparent that what these two terrible incidents have in common is that security was not adequate.

In Benghazi, after the hearings and the pundits and speculation, the bottom line is that there was insufficient security.  In-place security controls were not sufficient to deter an attack, and the emergency controls were also not sufficient to recover and deal with the emergency attack.

In Newtown, at Sandy Hook Elementary, security was inadequate.  Security people often say that security is just as good as the weakest link, and despite adding new security controls, it was defeated because of the glass entry.  The shooter wasn’t allowed in so he simply broke the glass.  That slowed him up by 2 minutes, maybe. Also backup security controls were non-existent.  The shooter was observed and still there was no effective response.

There are three elements to security – DETER, DENY and RESPOND:

DETER – means to make the facility look too difficult to attack, and so the attacker thinks it’s too hard and goes away.

DENY – means that it is impossible for the attacker to get into the facility to launch an attack.

RESPOND/PROTECT means that after the attack is launched, the facility can defend itself, or to protect the individuals and/or property inside the facility.
Both Benghazi and Newtown did not deter, didn’t deny access, and didn’t have an adequate security response.

The Newtown shooting showed that this school, like many others across the country, had a false sense of security, because while some security elements were in place, the shooter easily entered the school, making the other elements irrelevant and  him to inflict mass casualties.

In both cases, the response was not adequate, it was ‘too little too late’.  And ‘too late’ means the attack can’t be stopped or contained.

The WHY is easy, because the security budget was inadequate.  These facilities did not have adequate risk assessments that could have demonstrated the critical assets contained within them.  What is more critical than classrooms of 6 year old children?  What is more critical than a State department facility with a U.S. ambassador inside?  Yet both didn’t have the protective security controls they deserved because their wasn’t enough budget for enough security.

Another element these incidents have in common is that they are both government facilities.  Yes, one was the Federal government and one was a local school district – but they both had the same problem of being short on budgets.  And when organizations are short on budgets, security is one of the first things to get their funding cut, or reduced.

Every facility needs a SECURITY risk assessment up front, how else can you allocate the funding and make sure that there is ENOUGH security in place to protect our most critical assets, our children?



Why the State Department Needs Better Threat-Risk Assessments

Obviously, the tragedy in Libya this week focused the world’s attention, not just on the bodies of our countrymen returning home, but made me wonder about the risk assessments and threat assessments that are routinely done in these extremely sensitive locations.

Unfortunately, the threat assessments tend to be more political forecasting and less about the reality of the situation on the ground.  One problem with these simple manual threat/risk assessments is that they take too long to complete.  Maybe they spend a few days looking at the physical controls, and then a week writing up a report, and much of it may rely on anecdotal incidents or reports of questionable value.

That’s why I am a believer in automating these threat/risk assessments, and in a potentially dangerous area like the whole country of Libya, they should be at least weekly, or bi-weekly, or even daily when tensions are running high.  It allows you to get a quick assessment in less than 30 minutes, and allows for quick updating, which is critical in situations like this week.

And no, I don’t believe a threat/risk assessment would necessarily PREVENT a terrible tragedy like the death of an American Ambassador, but I do think that having these updated assessments allows for safeguards to be continuously checked, measured and improved, and also may expose weaknesses that can be exploited by a terrorist group when the opportunity presents itself.

The practice of running continual assessments is not used very often, but when it is, it’s very effective because when the situation goes south, you already the blueprint of what to do right in front of you, and it allows better decision support under such stressful conditions.

The information-sharing done by different groups can be wrapped up in the risk assessment and combined, so that maybe a higher threat condition can be identified, in time to relocate, leave the country, or whatever else it takes to protect the lives of our diplomatic staff.

 



Threat Modeling is the Exciting, Sexy Part of Risk Assessment

As a risk assessment professional, when I get into a risk discussion, most security people want to talk about THREAT!  Threat is the most sexy and exciting part of doing a risk assessment.

Threats are exciting all by themselves.  Think about all the threats you can name:

All the natural disasters like Earthquakes, Tornadoes, Storms, Hurricanes, Tsunamis, Lightning, Floods

Crimes like Homicide, Assault, Rape, Burglary, Theft, Kidnapping, Blackmail, Extortion

Terrorism like Sabotage, Explosions, Mail Bombs, Suicide Bombs

All the IT Threats like Malicous Code, Disclosure, Data Breaches, Theft of Data

And about 50 more including Chem/Bio incidents, Magnetic waves, High Energy Bursts, Microbursts, Contamination and Reputation Damage.

Each of these threats could theoretically occur at any time, but we try to establish a pattern of how often they have occurred in the past, in this location, in this county, in this country, in the company, etc.   So NASA, for example, gets thousands of hacker attacks, but another company, like the local Salvation Army, gets 1 every 10 years.

Same model for natural disasters, although you might have to factor in climate change, it’s easy to get the threat incidents for hurricanes in Florida, snow storms in Cleveland, earthquakes in northern California, etc.

We also like to examine industry specific data to see if some threats are higher in a certain industry, like the high incidence of workplace violence incidents in hospitals and high risk retail establishments (like Wawa or 7-11).

Another factor we use in calculating threat likelihood is how the threat could actually affect different types of assets…. for example, would an earthquake damage a car?  Probably not. Would it cause damage to an old historical building – probably (unless it had been retrofitted).  Could it cause loss of life, or injuries (think Haiti).

So I use a multidimensional model that takes the threats list (I have a standard list of 75 threats that I use), and map it to each potential loss, based on the ‘asset’ that might be affected.

The more data you get, the better your model will be, and the more value it will have as a decision support tool!

 



What’s the Risk of Backing Newt Gingrich?

Hundreds of the shakers and movers in the Republican party AND the Democratic party are doing their risk assessments this week on who to openly support, and doing the risk calculation on whether it is better to wait and see what emerges, or make their comments/endorsements now and worry about the fall out later!

Here is the kind of risk model for politics that people use, often unconsciously- to make those decisions. Political risk is especially tricky because there are 2 stakeholders to consider:

1. what’s good for ME personally
2. what’s good for THE PARTY, DISTRICT, or COUNTRY.

Here’s a list of threats that politicians worry about in a situation like this:

1. Lose my current position
2. Lose my Power in the Party/Coalition/Media
3. Lose campaign contributions
4. Lose voters
5. Lose tea party support
6. Lose respect from peers
7. Lose future election
8. Lose income
9. Look wrong in the media
10. Create bad sound byte
11. Face Reprisals Later from Establishment
12. Lose Media Support (however it exists).

More tomorrow on how to value the assets of an ongoing campaign.



Webinar Looks at New OSHA Workplace Violence Directive

Workplace Violent Incidents have been on the rise in several specific organizations, including hospitals, home health organizations, social workers who do in home visit, and also late-night retail stores.

On September 8, 2011, OSHA suddenly released their internal Directive on what their OSHA investigators look for when they go to an organization to investigate a Workplace Violence incident.

Whether the incident involves a domestic violence incident, like when a husband shoots his wife at work; or whether it is patient violence against the Emergency Room nurses, it is a big problem that has been increased over the last 8 years.

We have set up a special no-cost webinar to review the new directive and see what it means for employers. Join us to look at how to protect your organization and make sure your staff, and patients stay safe.



OSHA Starts New Enforcement Initiative for Workplace Violence Issues

On September 8, OSHA issued a new directive about enforcement activity on workplace violence issues.  This directive (CPL 02-01-052) takes effective on Sept. 8, 2011 and is called Enforcement Procedures for Investigating or Inspecting Workplace Violence Incidents.  It details new procedures for the OSHA inspectors, but it is also a valuable document to show employers what they can expect.

The directive follows the shocking news that in 2010, 18% of workplace fatalities were caused by assaults and violent acts, while only 14% were caused by falls, according to the Bureau of Labor Statistics.

Workplace violence incidents are even higher in the hospital and healthcare industries.

The new inspection directive shows how OSHA inspectors are going to look at employers to see whether they have performed a workplace violence analysis.  These assessments follow the security risk assessment model and should take into account the threat level at the organization, the history of incidents and examination of trends, and whether ‘accepted’ controls have been implemented at the place of employment.

Some of the ‘accepted controls’ they will be examining include:

  • Having a recent workplace violence analysis
  • Having a formal workplace violence training program in place
  • Showing the employer had incident reports to identity possible threat levels
  • Methods the employer used to inform employees of the risk of workplace violence
  • Evidence the employer has a workplace violence prevention plan in place
  • Evidence the employer has a current security plan
  • There are also a set of recommended physical controls that include proper lighting, cameras, curved mirrors, etc.

For more information, or a copy of the document, email info@riskwatch.com.



Playing Footsie with the Haqqani Crime Network

I am a risk analyst and risk assessment expert, certainly not a diplomat.  In fact,  my friends might say I am probably really un-diplomatic most of the time.  I like the direct approach.

But watching the U.S. State Department and the Obama administration playing footsie with the Haqqani network in Afghanistan and Pakistan is worse than enduring waterboarding.  What a waste of American dollars — paying off these criminals to finance construction projects that Americans are doing to build up Afghani infrastructure.  

I have watched for years as the U.S. State Department props up brutal dictators, only to see them toppled overnight.  Of course, Mubarak and Quaddfi come to mind right away.

But to try and win a WAR, while paying off criminals and murderers who are launching attacks on our embassy, letting them run our relationship with Pakistan, is just wrong.

What has this got to do with risk assessment?  PLENTY – because the problem here is large amounts of unaccountable cash.  Cash passed out by the State Department, USAID and the intelligence services, theoretically, to ‘grease’ the skids and get something done, but instead, these wholesale PAYOFFS just finance and empower our enemies, while ruining the U.S. reputation and maddening the citizens who provide this money in the first place.

I would vote for anyone who could put REAL ACCOUNTABILITY back into the U.S. spending abroad.  As the Arab spring proved — this kind of diplomacy never works!



How to Correctly Analyze 100-Year Threats for Risk Assessments

Starting a risk assessment in northern Virginia and going through the threat list they say, “You can take earthquakes out – we don’t have earthquakes here”!

Hey, Haiti didn’t have earthquakes!

Vermont didn’t have major floods!

Connecticut doesn’t have tornados!

Like Murphy’s Law, as soon as you discount a threat, and think, “it will never happen here”, it happens!   The earthquake in the mid-Atlantic in August was a wake-up call for those who that they would never have earthquake damage.

One of the reasons that security risk assessment is so highly valued as an analytical took, and why it’s required by so many governments is because it DOES take into account the 100-year flood, the 75-year drought, etc.

Natural disasters can be so overwhelming, and catastrophic, that they must be considered in any proper risk assessment.  This is why some areas are not suitable for building housing tracts, because they are in a 100-year flood plan.

Because human memories are short, just because YOU haven’t experience a flood
along a meandering creek, doesn’t mean it will never happen.  

Always check the long-term probabilities when you start a risk assessment and make the numbers work for you!




top