relative terms to prioritize asset loss, damage, or destruction. A four-level scale
is suggested ranging from low to critical.
Critical—Assets that, if lost, damaged, or destroyed, can result in mission
High—Serious unwanted impact that may impair normal operations in
their entirety or complete loss of a portion of the operations for an
extended time period
Medium—Moderate operational impact that may only affect a portion
of the business processes and for a short period of time
Low—A manageable impact to business operations and no likelihood of
mission failure
20 Strategic Security Management
TAG's Risk Assessment Process
Policies &
Report and
Figure 2-2.
Strategic Risk Assessment Process, Copyright ©2007 by Threat Analysis Group,
LLC. Used by permission. Additional information available from Threat
Analysis Group, LLC via
Countermeasure Inventory
Asset identification is just the first step in the risk assessment methodology.
The second step involves inventorying existing security measures designed to
protect the assets at the facility. Depending on the quality of previous assess-
ments, existing countermeasures may or may not be effective in protecting
the facility and its critical assets. While time brings change to both the assets
and the countermeasures, previous risk assessments and subsequent security
program designs should be working to protect assets.
Existing countermeasures may include security personnel, physical meas-
ures, and policies and procedures. Security personnel include people
specifically designated or indirectly working toward the protection of assets.
Uniformed security officers would be the most visible and recognizable
example of security personnel. Others who may also be involved in the pro-
tection are not as easily identified, including undercover officers, security man-
agers dressed in business attire, and common employees trained in how to
handle security incidents. Physical security measures may range from low-
technology items such as barriers and curbing to high-tech measures such as
closed circuit television (CCTV) cameras, biometrics, and fencing. Physical
security measures may also include items not visible to the naked or untrained
eye, such as pressure mats and alarm sensors. Policies and procedures are
written documents and unwritten rules that relate directly to asset protection
and guide the security program. Security manuals and security post orders are
examples of policies and procedures.
One of the best sources of information regarding current security measures
at a facility is the security officer who is trained in observation and awareness
and spends much of his or her time simply observing. Other sources may
include the security manager or the officer’s direct supervisor. Security
manuals, if updated, can also provide invaluable information regarding the
security program.
Controlling the capability and motivation of adversaries is a difficult propo-
sition for security decision makers. Motivation is created by the actual crime
target and is considered the reason for security breaches. Since organizations
usually require assets to operate, the removal of motivation is not always pos-
sible. Most organizations must instead turn their attention to blocking the
opportunity of crime. As seen in Figure 2-3, reducing vulnerabilities for secu-
rity breaches leads to a reduction in incidents. Thus, the security decision
maker’s strategic goal of countermeasure deployment is to reduce the oppor-
tunity for security breaches to occur by reducing vulnerabilities. Opportuni-
ties relate to targets in that removing or hardening an asset will lead to a
reduction or an elimination of vulnerabilities. Asset protection programs inte-
grate a combination of policies and procedures, physical countermeasures, and
Asset Identification and Security Inventory 21
Figure 2-3.
Venn Diagram—assets, threats, and vulnerabilities.
Strategic Risk Assessment Process, Copyright ©2007 by Threat Analysis Group,
LLC. Used by permission. Additional information available from Threat
Analysis Group, LLC via
security personnel to protect assets against a design-basis threat. The charac-
teristics of asset protection programs include deterrence, detection, delay,
and defeat.
Typical security measures of a comprehensive security program include
security policies and procedures, physical security measures, and security per-
sonnel. These security measures are inventoried during the risk assessment and
are categorized into key areas as described in the following.
Security Policies and Procedures
Security Management Plan
Emergency Management Plan
Workplace Violence Prevention
Crisis intervention
Vital Records Protection
Key Control Policy
Visitor Management
Security Escort
Physical Security System Testing
Security Force Deployment
Fire Prevention and Response
Bomb Threat
Access Control
Employment Background Investigations
Physical Security Equipment
Alarm Systems
Control Panels/Communicators and Keypads
Door and Window Contacts
Motion Sensors
Glass break detectors
Object Detectors
Miscellaneous Detectors
Duress Alarms
CCTV Systems
22 Strategic Security Management

Get Strategic Security Management now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.