Task: Read all content within Lecture Material and focus on the Threat Assessment area then do assignment.

Before any risk judgments can be made or effective treatments applied, it is necessary to make a thorough assessment of all identifiable or credible risk exposures. Exposure analysis, although critical to all areas of risk management, lies at the heart of security risk management. In other types of risk management, it is important to acknowledge and consider vulnerabilities, however, the unique difference in Security Risk Management is that other human beings (rather than circumstances, mechanical failure or natural disaster) are likely to seek actively to attack or exploit an organization's vulnerabilities. Indeed, the traditional approach to Security Risk Management has been based on either rectifying vulnerabilities post incident or seeking to reduce vulnerabilities identified through a red-team approach.

The main objective of exposure assessment is to identify the assets at risk, and the duration and frequency in which they are at risk.

Although exposure is normally established as part of context setting in the risk management process, it has been separately identified here as one of the quadruple constraints because of its inherently dynamic nature. Establishing context as part of the risk management processsee section 6.3.6.3differs from exposure analysis for many reasons, not least that exposure is a subset of context. Risk ratings will vary dynamically depending on (a) the duration of exposure and (b) the nature of assets that are subject to potential risks. For example, a 10-day Heads of Government meeting will have a different risk rating from a 10-day carnival. Equally, a 10-day trade exhibition will have a different risk profile and rating from a 365-day "World Fair". Finally, a convenience store that is only open during daylight hours could have a different exposure from a convenience store that is open 24/7 in the same area.

Other factors such as changes in organizational culture, risk management practices, programs, or activities will invariably modify and form part of the organizational context but may or may not vary exposure. Similarly, context may remain unchanged, but a variation in travel routines may increase or decrease exposure. To retain the existing level of risk after an increase in travel frequency may require additional resources or improved quality may need to be implemented into existing risk management practices.

Assessing Exposure

When considering your own exposure, you should always examine the wider context for collateral exposure. Collateral exposure is the presence of other third-party high-vulnerability entities or high-threat targets. This could include your organization being in close proximity to attractive targets, such as embassies, places of worship, military installations, utility plants, or transport hubs, depending on the nature of the threat; or to other hazards subject to malicious or incidental threats, such as chemical storage facilities (accidental spill, explosion threats), commercial, industrial, or global icons, e.g., international food Chains, mining conglomerates, on companies associated with third-world child labor. Because of collateral exposure, it is important to determine the nature of the relationship between your entity and the third party, which includes the controls developed by the third party itself. For example, living on the same street as several foreign ambassadors may actually reduce your overall exposure as they are likely to have funded security services provided by the host country.

Broder describes three factors that need to be identified and evaluated as part of exposure analysis:

The types of loss or nature of hazards that can affect the assets involved The likelihood of those hazards materializing in a loss event The credible consequences as a result of such event/s.36

Although an estimation of likelihood and consequence will reflect on and inform exposure assessment, these are dealt with in more detail in the following section (risk). Exposure in the Security Risk Management context is similar to the concept of gross risk or greenfield risk, and a multitude of assessment systems have been developed to assist in this regard. The principle objective of exposure assessment is to provide an informed basis for decision making by understanding what the organization is exposed to. The key building blocks involved in creating and therefore assessing exposures are the interactions of three elements:

The threat(s) The asset(s) The significance of any interaction between the above two elements, which shows vulnerability.37

These three elements are discussed below in greater detail and can be variously assessed using the following existing methodologies:

Threat assessment Vulnerability assessment Criticality assessment

What is Threat?

Threat is usually assessed and described using a combination of intent and capability of a threat actor, whether individual or organization, to attack or adversely impact an item of value such an asset, function, or capability. As such, threat develops predominantly as an extant force to the organization or community of the individual. It is important to note that definition includes both extant and insider threat. The HB167 Security Risk Management Handbook extends this to include "anything that has the potential to prevent or hinder the achievement of objectives or disrupt the processes that support them."

The Threat Assessment.

Security risks can be differentiated from other risk functions by several criteria, not least of all that security threats spring primarily from deliberate intention rather than from accidental, natural, or systemic causes.

Peoplenot acts of god, mechanical failures, or management systems create security threats. People not only can execute deliberate actions to release hazards or cause loss, but also can apply creative intellect to their misdeeds. This ability to apply intelligence enables human beings to identify and evaluate any existing security barriers and to devise and test ways of bypassing them.

Consequently, the first necessary activity in any security risk process is to understand the threat. Does a threat exist? Do any criminally, subversive, politically motivated or issue-motivated threat actors pose a risk to the organization, and if so, what are the likely attack vectors? Once a threat assessment has been made, the typical processes and methodologies of general risk management commence, and the subsequent steps after the threat assessment are common to both security and general risk management functions.

Formal threat assessments are usually conducted by intelligence professionals; however, it is reasonable to suggest that as individuals, we conduct ongoing threat assessments in our daily life as a relatively unconscious process, which includes, for example, decisions such as where to park our car or whether to take a holiday in a particular country.

The most common form of formal threat assessments is usually conducted either as an output of intelligence processes or as part of an organizational security risk assessment. These latter threat assessments are often conducted by security risk professionals informed by generic threat assessment information, consultation with subject matter experts, review of incidents, analysis of open source information, and so on. Such an approach almost invariably involves some element of subjective estimation. Data and information commonly do not exist to determine, with a degree of precision, the likely probability of variables within the model because

The data or information may not have been collected before The data or information are too expensive to obtain The problem being modeled are new Past data or information are no longer relevant because of changes in the environmental context Data or information are scarce

In such situations, one way of determining the likelihood of threat occurrence is to rely on the knowledge and experiences of subject matter experts and attempt to fill in the information holes based on their considered opinions. This strategy obviously has some limitations but may be the best tool available as any quantifiable or statistical tool is likely to be equally flawed through incomplete data inputs.

A commonly used technique to overcome limitations associated with opinions or imprecise information is the admiralty scale. This scale provides a means of rating the reliability and accuracy, and hence usefulness, of information through a graduated alphanumeric scale. The reliability of the information source is assessed on criteria such as the previous quality of information supplied by the source as well as the situation, location, and likely access of the source at that time of the information collected. The accuracy of the information provided is assessed as an actual or perceived relative measurement in relation to each item of information received. For example, this accuracy can be based on a comparison of the supplied information with other confirmed facts or other previously but not necessarily confirmed information, or with trends or patterns of other events or threats. Reliability of Source Accuracy of Information A Completely reliable 1 Confirmed by other sources B Usually reliable 2 Probably true and accurate C Fairly reliable 3 Possibly true and accurate D Not usually reliable 4 Doubtful E Unreliable 5 Improbable F Cannot be judged or assessed 6 Cannot be judged or assessed

Another approach is to adopt a green team and a red team. Under this arrangement, the green team would develop the threat assessment, and a second team, the red team, would then independently review the logic of the first group. In so doing, bias can be removed, and the logic flow of deductions can be confirmed. Such an approach is also a useful tool in reviewing a range of documents, which includes procurement evaluations or risk treatment plans.

Assessing Threat.

The twin drivers often used to determine threat are intent and likelihood, which are themselves functions of the motivation and attributes of the threat actor. For example, motivation is a long-term driver that may be expressed as a "desire to overthrow the government to provide equality for the underprivileged." A more immediate intent, however, is possibly to be something like "use violence to destabilize the government and raise our international profile." Depending on the threat actor's desires and their confidence in their ability to achieve those desires, they may consider a variety of ways to achieve this intent. Similarly, if the threat actor has the resources and capability to use explosives, for example, they may choose to attack against members of the public with bomb attacks to materialize that capability.

____________________________________________________________________________________________________

ASSIGNMENT:

Using that content, and a Mock Scenario of "a School that has several External Threats to its Location", please create a portion of a Threat Assessment, where you will author 10 Questions that are attributed to creating a prevention plan for this School; You will assume the role of Security Consultant;