One of the most common reasons why security fails – in other words, why security protection systems fail to deal with the threats that ultimately confront them – is that the countermeasures are poorly targeted at these emergent threats. Whether as a result of specific direction by the client, or a lack of rigour on the part of the outsourced security contractor, there is often a reliance on ‘baseline’ security measures such as CCTV, intruder alarms, fencing or security officers as an ‘absolute’ mechanism for the mitigation of risk.
These baseline countermeasures are implemented, often at considerable financial cost, on the assumption that they will be appropriate to deal with any issues that the enterprise in question may face in the present or the future; this is a hugely problematic way of approaching risk management. It is certainly an inadequate approach in organisations where there is continuous change and development, or in environments where risks are significant or constantly evolving. In such cases, formalised risk analysis is needed to prioritise risks and therefore the allocation of resources.
The preferred model of risk analysis utilised by Oakpark Security is the SRA® approach designed by the International Security Management Institute. This model understands the measurement of risk as a composite of three key interlocking variables: Likelihood, Impact and Vulnerability. All three of these variables must be systematically measured in order to determine the primary threats to a given organisation.
The two-stage methodology involves firstly developing a quantitative assessment of potential risks by their probability and their consequences, before secondly weighing this value against the quality of the existing security countermeasures in place. An overall Risk Priority can therefore be determined for each individual threat.
Of course, there are obvious limitations to probability-based models of risk. I have discussed these very briefly here and will return to this subject in later blogs. However, this should not detract from the importance of ensuring that security solutions delivered by external providers are fit for purpose – and the ISMI’s SRA® model is one way of raising the standards of outsourced security.
By ensuring that a structured risk analysis takes place before the design of each security solution, Oakpark Security can better allocate the security budget of our customers, ensuring that any security solution provides a clear return on investment. The choice of certain security countermeasures can be justified clearly through a best-practice methodology that is accredited by a professional training institute external to the ISMI.
For more information on how Oakpark Security can produce a structured and documented Risk Analysis of your business, please get in touch through firstname.lastname@example.org or by calling 01206 793673 (Option 3).