level. As is often the case with security measures, the sum is greater than the
parts in that multiple security measures working in conjunction with one
another can reduce risk to an acceptable level. Similarly, one security measure
may protect more than one asset. In either case, the overall effectiveness of
security measures should be assessed to determine their net effect.

As defined above, security measures that provide maximum protection often
come at a high price. While maximum protection may be warranted in certain
critical infrastructures, it is not the standard for most industries. The typical
standard is reasonable. Defining a reasonable level of protection to provide for
the protection of people, property, and information is the primary task of most
security decision makers. The problem with this standard, however, is that
reasonable minds may disagree. Another security strategy is the concept of
balanced protection, which simply means that no matter how an adversary
attempts to reach the asset, security measures that deter, detect, or delay his
advance will be encountered. Balanced protection is accomplished through yet
another security strategy called protection in depth. Protection in depth is also
known as security layering, wherein the asset is behind multiple layers of
security measures, each requiring penetration in sequence to reach the asset.

Regardless of whether maximum or reasonable protection is required, the
cost of each security measure must be determined. Security equipment costs
include initial costs, training costs, and ongoing maintenance and repair costs.
Security personnel costs include background checks, training and continuing
education, uniforms, equipment, and licensing. The rule of thumb for the
selection of security measures is that their total cost should not exceed the cost
to replace or repair the asset being protected. Another strategy used in the
protection of assets is to provide protection only for critical assets, with the
anticipation that other assets will be secured through a diffusion of benefits.
Diffusion of benefits will be discussed in detail in the prevention chapter.

Risk Assessment Report

The risk assessment report is a comprehensive written document that
incorporates all elements of the risk assessment methodology. Typical components
of a full-scale risk assessment report include a listing of major assets, critical
assets, and the facility characterization; a summary of existing security
measures; the threat assessment report including supporting documentation with
crime analysis charts and graphs; major elements of the vulnerability
assessment report with the security survey included as an appendix; and
recommendations for security modifications with the cost-benefit analysis. The goal
of the report is to highlight the findings of the risk assessment so that those
who hold the purse strings are able to make educated risk mitigation decisions
that may include one or more of the five risk mitigation strategies (avoidance,
reduction, spreading, transfer, and acceptance). The following suggested format
builds upon the format used for the risk assessment report.
116 Strategic Security Management
