Risk Training - An Introduction to Risk and Security


An Introduction to Risk and Security


An introduction to Risk and Security

What is Risk

The American Heritage Dictionary defines Risk in the following terms:

  1. The possibility of suffering harm or loss; danger.
  2. A factor, thing, element, or course involving uncertain danger; a hazard: "the usual risks of the desert: rattlesnakes, the heat, and lack of water" (Frank Clancy).
    1. The danger or probability of loss to an insurer.
    2. The amount that an insurance company stands to lose.
    1. The variability of returns from an investment.
    2. The chance of nonpayment of a debt.
  3. One considered with respect to the possibility of loss: a poor risk.

In commercial terms, Risk is anything that causes harm of any sort to a business, the staff within that business or other people and organisations that work with that business.

In this section, we look at risk, how to identify it and quantify it and then hopefully, how to take steps to prevent the risk.

Determining Risk

The first steps in any form of risk policy is to determine what risks there are and then to come up with prevention or recovery techniques for the identified risks.

There are two current mainstream methodologies for Data Security Risk within an organisation in use today; they have many similarities but also huge fundamental differences that are not always that clear on the surface.

The tradition approach to security has always been something called the CIA model. This has nothing to do with the security agency of the same name, though the naming was probably somewhat tongue-in-cheek in the distant past. The CIA model says that the most important controls to put on data are:

For any given piece of data or system, these three issues should be examined, and relevant controls should be put in place to implement security accordingly.

Some broad-minded security professionals today argue that this goal-oriented approach to security is not always sensible and relevant in the real world and does not allow risk planning, security breach and prioritisation to be flexibly factored in.

These debates and differences of opinion have led to another approach to planning which is called the Risk Assessment Method or Disaster Recovery Method.

This new and very rarely taught method is still lagging behind the comfortably easy to implement CIA model but represents a more flexible approach to risk management. It starts by assuming the worse and planning in minimising risks of the worst actually happening. It follows Murphy's Law that if something can go wrong, it almost certainly will. Though the CIA method can happily be used to set a number of goals, on top of this the question "So what else could go wrong" or "How important is this in the grand scheme of things?" is factored in as well.

This Risk Assessment Method often incorporates something known as "Time Based Security" where rather than assume your data is safe, the time taken to spot a breach, fix it and correct for the breach is taken into account. This is why it is sometimes known as the Disaster Recovery Method since it is flexible enough to assume that the worse will happen, and provide guidelines for fixing the mess.

The Risk Assessment Method is not at all new. Consider the example of a traditional castle - It doesn't work on the CIA assumption that you can actually stop someone getting in but instead works on the far more flexible assumption of working out methods to slow someone down if they do breach the defences The defences even takes into account that the bad-guys may actually be inside and still has measures of protection and escape given these possibilities.

Risk Procedures

Some interesting statistics came out of a Security Survey conducted by the DTI in 2000. They interviewed 1000 companies and found the following:

These figures indicate a few important things.

  1. A lot of companies would still rather pretend there are no risks.
  2. Most companies can detect breaches, but were unprepared for it.
  3. People are a very significant factor in this risk.

Any company that is serious about addressing risk must first accept that there is some inherent risk present in their business operation and then start to think about what they should do if the identified dangers ever occur. This is a very simple statement to make and on the face of it sounds rather naive, but even in these days of heightened security awareness, most people would still rather take the Ostrich Approach (*) to security and risk planning.

Once someone within an organisation does start to accept the risk and start on the path of identifying it, the next problem may be knowing when to stop! Paranoia is a side-product of becoming risk-aware and in some ways isn't always helpful. Another "risk" of doing your own risk assessment is that too much knowledge of the organisation often leads to too many assumptions being made. There are a few ways of avoiding the "blinkered" approach:


One of the nice things about identifying risk is that the means of protecting against it tend to become fairly obvious. Most forms risks will have multiple protection methods so it always pays to research these things properly and again, take the advice of a security specialist.

The most important protection method for Risk is the existence of a Security Policy. when all the risks have been identified and documented, a policy should be drawn up that explains:

The security policy is a separate document from a Health and Safety policy and from the Disaster Recovery policy.

One important thing to remember is that not all risks will be preventable. where this is the case, there is no alternative but to use the Disaster Recovery method. If you can't prevent a risk then a means of minimising it, or effecting a speedy recovery should it happen should be devised, documented and implemented.

What is Security?

Our American Heratige Dictionary defines Security as:
  1. Freedom from risk or danger; safety.
  2. Freedom from doubt, anxiety, or fear; confidence.
  3. Something that gives or assures safety, as:
    1. A group or department of private guards: Call building security if a visitor acts suspicious.
    2. Measures adopted by a government to prevent espionage, sabotage, or attack.
    3. Measures adopted, as by a business or homeowner, to prevent a crime such as burglary or assault: Security was lax at the firm's smaller plant.
    4. Measures adopted to prevent escape: Security in the prison is very tight.

In more simple terms, security is anything that protects or attempts to minimise risk. This can range from physical things such as a highly visible security guard to conceptual things such as a corporate security architecture (the design of your network and all the security mechanisms incorporated into it).

There are a number of different areas of security which often cross over and get highly confused so this section will look at the four main ones and attempt to explain what they actually do.

Physical Security

At first sight, physical security would seem to be a nice and simple one to explain. This area covers everything from the people involved in protecting tangible items to the various devices used in this protection. Physical Security is not there to protect knowledge and data, it is there to protect the things that hold the knowledge and data.

The most obvious area of physical security are the people involved in protecting buildings, people and equipment. Security Guards are often the front line of defence for a company and are involved with keeping people out of buildings and also keeping staff from stealing company property. Although many security guards are ex-police and some are very highly trained and key to a business, they are generally viewed as fairly unskilled staff and ironically are much overlooked in a company's overall security plans. It is often suprising that companies will pay Information Security hundreds of pounds a day and yet the security guards will probably be on the minimum wage. It is all very well spending hundreds of thousands protecting data but if a security guard isn't being paid enough to do a good job protecting the systems holding this data from theft this may be a very dangerous economy. It is often worthwhile enlisting the help of your Security Guards in doing your Risk Assessment.

The professional and more highly-skilled version of the security guard is the Close Protection Operative (or more commonly, the bodyguard). This is a very misunderstood profession since CPOs are usually depicted as big beefy chaps with guns who stop people getting shot. Although this is a big part of the profession, the other large and usually overlooked aspect to this job is risk minimilasition - It is far better to put a lot of work into not having a client put at risk than it is to have to do something about it when the risk happens.

CPOs will generally come from a military background, and much of their work is covert, or fairly secretive. There are a number of specialisms in this profession such as:

Although it is unlikely you will come across CPOs in day-to-day business they can be very useful as someone to give you a second opinion or a "sanity check". They should be able to show a broad spectrum of experience and hopefully a good deal of common sense as well. CPOs don't come cheap so be careful who you employ, it is worth making sure they are members of a well respected Bodyguard Association and also check up on what experience they really have if you can.

The other area of physical security are the Security Devices that are installed and hopefully used to protect an organisation. Some examples of these are:

IT and Network Security

IT Security is the area of security that deals with protecting non physical data within an organisation and Network Security is the area of security that deals with protecting data that comes in to, out of or travels across the organisation.

The boundaries of these two areas of security are often blurred and in smaller organisations one person or department will be responsible for both areas. These two areas are very specialist areas and how much resource is put into it depends on the level of risk and value of the data that the Risk Analysis exposes.

Because of the technical and specialised nature of these jobs, there is a common risk that people doing them will be somewhat over specialised and "blinkered". There are many cases where an organisation will have amazingly good data security and absolutely no physical protection to stop the systems of media storing that data being stolen. If you are going to employ someone for this sort of job, look for a broad base of experience and some common sense as opposed to someone with a string of technical qualifications and very little practical experience, it will almost certainly pay off in the long term even if they need to go on a few more training courses.

Some areas of IT Security:

Some areas of Network Security:

Commercial Security

Commercial Security specialists are usually only found in larger organisations and definitions of what these people do vary depending who you ask. To make life easier, we will define a Commercial Security Specialist as:

A Security Specialist who has responsibility for all of the commercial operations of a system, process or organisation. This includes:

It is the job of the Commercial Security Specialist to have a complete and current overview of the area of their responsibility and as such they will liaise with all of the security people mentioned in this section and add a working knowledge of the business processes to achieve this end. They need a broad area of skills, an equally broad area of experience and importantly, good people skills, a lot of patience, common sense and an odd imagination.

The Commercial Security Specialist will usually be the owner of the Security Policy and the person responsible for keeping this up to date and monitoring compliance with that policy.

Risk Training Info. Email: info@risktraining.info
Copyright © 2002 Michael Lawrie. All rights reserved. For more information on using these documents click here.