Perform a Risk Analysis to Develop Countermeasures

1-5

DOMAIN 1 - TASK 5


This session will equip you with essential skills in risk analysis, including key formulas and methods—qualitative, quantitative, and hybrid. You'll learn to select and apply the Design Basis Threat (DBT) and utilize the all-hazards risk assessment framework. Additionally, you'll discover how to align risk management strategies with your business goals and assess residual risk while building a sustainable monitoring process.

⚖️ Risk Analysis Strategies and Methods

📊 Types of Risk Analysis

⚙️ Qualitative Risk Analysis

  • Based on expert judgment, interviews, and subjective scoring.
  • Tools: color-coded matrices, ordinal scales (e.g., 1–5 or Low/Medium/High).
  • Use when: Data is unavailable or assessments need to be performed quickly.
  • Limitations: Subjective, lacks mathematical precision.

📈 Quantitative Risk Analysis

  • Relies on numeric inputs and loss estimation models.
  • Can support Return on Security Investment (ROSI) calculations.
  • Examples: Annualized Loss Expectancy (ALE = Single Loss Expectancy × Annualized Rate of Occurrence), Monte Carlo simulation.
  • Use when: Budget justification is needed, or for compliance reporting.
  • Limitations: Only as good as the loss and frequency data behind it; precise-looking numbers can hide weak assumptions.

🔄 Hybrid Risk Analysis

  • Combines elements of both methods.
  • Example: Screen scenarios with a qualitative matrix first, then build a quantitative loss estimate (ALE) only for the scenarios that rank highest.
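The quantitative and hybrid methods above, worked through in Python as an added example (this is not code from the original page or from any ASIS material): SLE = asset value × exposure factor, ALE = SLE × ARO, the residual ALE once a control's effectiveness is applied (the same Residual Risk = Total Risk − Mitigation Impact idea used later on this page), ROSI, and a Monte Carlo run that replaces the point estimate with a simulated distribution. The scenario name, dollar figures, rate of occurrence, control effectiveness and control cost are constructed assumptions.

```python
"""Quantitative risk analysis worked through in code: SLE, ALE, residual ALE,
ROSI and a Monte Carlo estimate.

Added example for this study page. The scenario, dollar values, rates and
control effectiveness below are constructed assumptions, not figures from the
original text.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One loss scenario expressed with the standard quantitative inputs."""
    name: str
    asset_value: float      # value at risk, in dollars (assumed)
    exposure_factor: float  # fraction of asset value lost per event, 0.0-1.0 (assumed)
    aro: float              # annualized rate of occurrence, events per year (assumed)


def single_loss_expectancy(s: Scenario) -> float:
    """SLE = asset value x exposure factor: the loss from one occurrence."""
    return s.asset_value * s.exposure_factor


def annualized_loss_expectancy(s: Scenario) -> float:
    """ALE = SLE x ARO: expected loss per year with today's controls."""
    return single_loss_expectancy(s) * s.aro


def residual_ale(s: Scenario, control_effectiveness: float) -> float:
    """Residual risk after a countermeasure.

    Mitigation impact is modelled as the fraction of ALE the control removes,
    so Residual = Total Risk - Mitigation Impact = ALE x (1 - effectiveness).
    """
    if not 0.0 <= control_effectiveness <= 1.0:
        raise ValueError("control_effectiveness must be between 0 and 1")
    return annualized_loss_expectancy(s) * (1.0 - control_effectiveness)


def rosi(s: Scenario, control_effectiveness: float, annual_control_cost: float) -> float:
    """Return on Security Investment for one control.

    ROSI = (ALE_before - ALE_after - annual control cost) / annual control cost.
    Positive means the control saves more per year than it costs.
    """
    if annual_control_cost <= 0:
        raise ValueError("annual_control_cost must be positive")
    saving = annualized_loss_expectancy(s) - residual_ale(s, control_effectiveness)
    return (saving - annual_control_cost) / annual_control_cost


def _poisson(rng: random.Random, lam: float) -> int:
    """Draw an event count from Poisson(lam) (Knuth's method; fine for small lam)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def monte_carlo_ale(s: Scenario, years: int = 10_000, seed: int = 1) -> float:
    """Estimate ALE by simulation rather than the point formula.

    Each simulated year draws its event count from Poisson(ARO); each event's
    exposure factor is jittered by +/-50% (an assumed spread) to show the
    variability a single point estimate hides. Returns mean annual loss.
    """
    rng = random.Random(seed)
    total = 0.0
    for _ in range(years):
        for _ in range(_poisson(rng, s.aro)):
            ef = min(s.exposure_factor * rng.uniform(0.5, 1.5), 1.0)
            total += s.asset_value * ef
    return total / years


# Constructed scenario: forced-entry theft at a distribution warehouse.
WAREHOUSE_THEFT = Scenario("Forced-entry theft, warehouse", 2_000_000, 0.25, 0.5)
CONTROL_EFFECTIVENESS = 0.8   # assumed: access control + CCTV upgrade stops 80% of events
CONTROL_COST = 40_000         # assumed annual cost of that upgrade


if __name__ == "__main__":
    s = WAREHOUSE_THEFT
    print(f"SLE      = {single_loss_expectancy(s):,.0f}")
    print(f"ALE      = {annualized_loss_expectancy(s):,.0f}")
    print(f"Residual = {residual_ale(s, CONTROL_EFFECTIVENESS):,.0f}")
    print(f"ROSI     = {rosi(s, CONTROL_EFFECTIVENESS, CONTROL_COST):.2f}")
    print(f"MC ALE   = {monte_carlo_ale(s):,.0f}")
```

With the assumed inputs the point estimate is SLE 500,000, ALE 250,000, residual ALE 50,000 and ROSI 4.0 (every dollar spent on the control avoids four dollars of expected loss). The Monte Carlo mean lands close to the point ALE; its value is in the spread of yearly outcomes it exposes, which is what a budget holder will ask about when a single "expected loss" number looks too tidy.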

🚧 Design Basis Threat (DBT)

  • A structured profile of likely adversaries and attack methods.
  • Includes:
    • Tactics, Techniques, and Procedures (TTPs)
    • Intent, capability, history
    • Target selection criteria
  • Use Case: DBT is crucial for critical infrastructure and DoD sites. If DBT includes threats like Vehicle-Borne IEDs (VBIED), mitigation such as bollards and standoff zones must be included.

🌪️ All-Hazards Risk Assessment

Assesses threats across three broad categories:

  • Natural: Hurricanes, earthquakes
  • Technological: Equipment failure, power loss
  • Human-Caused: Terrorism, vandalism, insider threats

Why it matters: Helps prioritize investments and create a more resilient enterprise risk plan.

🛠️ Common Tools and Techniques

🧩 Risk Management Lifecycle

📌 Document all accepted risks—especially in regulated environments.

🎯 Risk Treatment Options

💼 Role of the Security Professional

Security professionals must:

  • Lead and facilitate physical risk assessments.
  • Translate risks into business terms (operational downtime, safety risk, cost).
  • Recommend balanced controls that align with organizational goals.
  • Engage in continuous improvement cycles.

📚 Tip: Use metrics and dashboards to convey residual risks to leadership.

🏢 Integrating with Enterprise Risk Management (ERM)

Security's job: Integrate physical security risk into ERM the same way finance integrates investment risk, so it is reported, compared, and prioritized alongside the organization's other enterprise risks.

📉 Residual Risk

After applying countermeasures, some risk will still remain. The goal is to bring that remainder within the organization's risk appetite, not to zero.

📌 Residual Risk = Total Risk – Mitigation Impact

Security professionals must:

  • Document remaining vulnerabilities.
  • Ensure executive buy-in to accept them.
  • Monitor changes that might increase residual risk.

🔄 Continual Risk Monitoring

Threats evolve. So must your controls.


✅ Good practices:

  • Review incident logs and near-misses.
  • Validate assumptions used in risk models.
  • Update DBT annually or after a major event.
  • Incorporate lessons learned and changes in the threat landscape.

🧠 Quick Tips for Application

In physical security, risk is the likelihood that a threat exploits a vulnerability, combined with the consequence of that event for the asset.

Core Risk Formula:

Risk = Threat × Vulnerability × Consequence


Each element must be assessed appropriately to define priorities and shape countermeasure decisions.

📊 Core Definitions

  • Asset: People, property, information, or systems of value
  • Threat: Source of potential harm (human, natural, or technological)
  • Vulnerability: A weakness susceptible to exploitation
  • Consequence: The impact (financial, safety, operational) if a threat occurs

🛡️ Loss Event Profiles and Countermeasures

🧾 What is a Loss Event Profile (LEP)?

A Loss Event Profile (LEP) is a structured record that describes specific types of adverse events an organization may face, detailing their frequency, severity, affected assets, and consequences.


A Loss Event Profile documents:

  • Type of event
  • Assets affected
  • Frequency of occurrence
  • Consequence (qualitative + quantitative)

LEPs help prioritize mitigation by risk magnitude.
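An added worked example (not code from the original page or from ASIS) that ties the core formula Risk = Threat × Vulnerability × Consequence to the Loss Event Profile: each LEP entry carries the event, affected assets, frequency and three 1–5 ratings, the register is ranked by the ordinal product, scores are banded into Low/Medium/High, and one entry is re-scored after a countermeasure lowers its vulnerability rating. The sample events, their ratings, and the band thresholds are constructed assumptions.

```python
"""Loss Event Profiles scored with Risk = Threat x Vulnerability x Consequence
on 1-5 ordinal scales, ranked, banded, and re-scored after a countermeasure.

Added example for this study page. The events, ratings and band thresholds
are constructed assumptions, not data from the original text.
"""
from __future__ import annotations

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class LossEventProfile:
    """One LEP entry: what can happen, to what, how often, and how badly."""
    event: str
    assets: tuple[str, ...]
    frequency: str        # qualitative frequency descriptor from incident data
    threat: int           # 1-5: adversary intent, capability and history
    vulnerability: int    # 1-5: how easily current controls can be defeated
    consequence: int      # 1-5: worst credible impact (safety, financial, operational)

    def __post_init__(self) -> None:
        for name in ("threat", "vulnerability", "consequence"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be rated 1-5, got {value}")

    @property
    def risk_score(self) -> int:
        """Ordinal product of the three factors, 1..125."""
        return self.threat * self.vulnerability * self.consequence


def risk_band(score: int) -> str:
    """Map a score to Low/Medium/High. Thresholds are assumptions: 48 is two
    factors at 4 and one at 3; 15 is e.g. 3 x 5 x 1 or 5 x 3 x 1."""
    if score >= 48:
        return "High"
    if score >= 15:
        return "Medium"
    return "Low"


def prioritize(profiles: list[LossEventProfile]) -> list[LossEventProfile]:
    """Highest risk first; ties broken on consequence so life-safety events
    sort above equally scored property events."""
    return sorted(profiles, key=lambda p: (p.risk_score, p.consequence), reverse=True)


def apply_countermeasure(profile: LossEventProfile, new_vulnerability: int) -> LossEventProfile:
    """Residual LEP after a control lowers the vulnerability rating.

    Threat and consequence are unchanged: a bollard line does not change who
    the adversary is or what a successful attack would cost, only how hard
    the attack is to carry out.
    """
    return replace(profile, vulnerability=new_vulnerability)


# Constructed sample register for a single office site.
SAMPLE_PROFILES = [
    LossEventProfile("Vehicle approach to lobby (VBIED)", ("staff", "lobby", "building"),
                     "no history, DBT-listed", threat=3, vulnerability=4, consequence=5),
    LossEventProfile("Laptop theft from open-plan floor", ("laptops", "data"),
                     "4-6 per year", threat=4, vulnerability=4, consequence=2),
    LossEventProfile("Flooding of ground-floor server room", ("servers", "operations"),
                     "1 per 10 years", threat=2, vulnerability=3, consequence=4),
    LossEventProfile("Graffiti on perimeter fence", ("fence",),
                     "monthly", threat=3, vulnerability=4, consequence=1),
]


def register_summary(profiles: list[LossEventProfile]) -> list[tuple[str, int, str]]:
    """(event, score, band) in priority order: the table handed to leadership."""
    return [(p.event, p.risk_score, risk_band(p.risk_score)) for p in prioritize(profiles)]


if __name__ == "__main__":
    for event, score, band in register_summary(SAMPLE_PROFILES):
        print(f"{score:>4}  {band:<6}  {event}")
    vbied = SAMPLE_PROFILES[0]
    after = apply_countermeasure(vbied, new_vulnerability=1)  # bollards + standoff zone
    print(f"VBIED residual: {after.risk_score} ({risk_band(after.risk_score)})")
```

Note what the ranking shows: the most frequent event (graffiti) lands last because its consequence is trivial, while the never-seen VBIED scenario tops the list because the DBT says it is credible and the consequence is catastrophic. The countermeasure function only touches the vulnerability rating, which is the check to apply when someone proposes a control: if it does not move threat, vulnerability or consequence for a specific LEP entry, it is not addressing that risk.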

⚠️ Common Consequence Categories

📏 Quantifying Consequences

🧮 Prioritization Grid

🛡️ Countermeasure Selection Guidelines

  • Align measures to the actual threats and vulnerabilities
  • Use Total Cost of Ownership (TCO) and ROI to assess long-term value
  • Validate against legal, privacy, and life safety standards

📂 Where Loss Event Data Comes From

💼 Real-World Application Example

📚 ASIS Best Practices

  • Use LEP to justify countermeasure investment
  • Involve stakeholders from IT, legal, BCP
  • Document and revisit impact ratings regularly
  • Ensure security solutions align with mission critical assets

🎯 Key Takeaways

  • Risk = Threat × Vulnerability × Consequence
  • Use qualitative tools for fast assessments; quantitative for ROI-based decisions
  • LEP helps prioritize actions and justify budgets
  • Always align with DBT, legal, and business continuity frameworks
