A framework for formalizing risk management thinking in today's complex business environment, Security Risk Management Body of Knowledge details the security risk management process in a format that can easily be applied by executive managers and security risk management practitioners. Integrating knowledge, competencies, methodologies, and applications, it demonstrates how to document and incorporate best-practice concepts from a range of complementary disciplines. Developed to align with international standards for risk management such as ISO 31000, it enables professionals to apply security risk management (SRM) principles to specific areas of practice. Guidelines are provided for: Access Management; Business Continuity and Resilience; Command, Control, and Communications; Consequence Management and Business Continuity Management; Counter-Terrorism; Crime Prevention through Environmental Design; Crisis Management; Environmental Security; Events and Mass Gatherings; Executive Protection; Explosives and Bomb Threats; Home-Based Work; Human Rights and Security; Implementing Security Risk Management; Intellectual Property Protection; Intelligence Approach to SRM; Investigations and Root Cause Analysis; Maritime Security and Piracy; Mass Transport Security; Organizational Structure; Pandemics; Personal Protective Practices; Psychology of Security; Red Teaming and Scenario Modeling; Resilience and Critical Infrastructure Protection; Asset-, Function-, Project-, and Enterprise-Based Security Risk Assessment; Security Specifications and Postures; Security Training; Supply Chain Security; Transnational Security; and Travel Security.
Page count: 594
Year of publication: 2011
Cover
Title
Copyright
Preface
Acknowledgments
About (SRMBOK) Security Risk Management Body of Knowledge
WHAT IS SRMBOK?
HOW CAN SRMBOK HELP?
WHAT DOES SRMBOK COVER?
WHAT SRMBOK DOES NOT INCLUDE
WORKING THROUGH THE CHAPTERS
AUDIENCE FOR SRMBOK
1: Introduction and Overview
1.1 WHY SRMBOK?
1.2 WHERE DO WE GO FROM HERE?
1.3 WHAT IS SECURITY RISK MANAGEMENT?
1.4 HOW DOES SRM RELATE TO RISK MANAGEMENT?
1.5 CONCLUSION
2: Security Risk Management Context
2.1 THE CHANGING SECURITY ENVIRONMENT
2.2 CHANGING CONCEPTS IN SECURITY RISK MANAGEMENT
2.3 ORIGINS OF SECURITY AND RISK MANAGEMENT
2.4 TRENDS AND FUTURE DIRECTIONS
2.5 GLOBALIZATION, OPPORTUNITY, AND VOLATILITY
2.6 TRANSNATIONAL AND EXTRAJURISDICTIONAL RISKS
2.7 LAW, REGULATORY FRAMEWORK, AND RAMIFICATIONS FOR MANAGEMENT
2.8 DIVERSIFICATION OR CONCENTRATION?
2.9 POLITICAL AWARENESS
2.10 RISK VERSUS REWARD
2.11 SUMMARY OF KEY POINTS
3: Security Governance
3.1 INTRODUCTION
3.2 WHAT IS SECURITY GOVERNANCE?
3.3 DUTY OF CARE
3.4 RESILIENCE
3.5 SECURITY CULTURE
3.6 GOVERNANCE FRAMEWORKS
3.7 INCIDENT MANAGEMENT AND REPORTING
3.8 SUMMARY OF KEY POINTS
4: SRMBOK Framework
4.1 SRMBOK GUIDING PRINCIPLES
5: Practice Areas
5.1 INTRODUCTION
5.2 SECURITY MANAGEMENT
5.3 PHYSICAL SECURITY
5.4 PEOPLE SECURITY
5.5 ICT SECURITY
5.6 INFORMATION SECURITY
6: Strategic Knowledge Areas
6.1 INTRODUCTION
6.2 EXPOSURE
6.3 RISK
6.4 RESOURCES
6.5 QUALITY
7: Operational Competency Areas
7.1 BUSINESS INTEGRATION
7.2 FUNCTIONAL DESIGN
7.3 IMPLEMENTATION MANAGEMENT
7.4 ASSURANCE AND AUDIT
8: Activity Areas
8.1 INTRODUCTION
8.2 INTELLIGENCE
8.3 PROTECTIVE SECURITY
8.4 RESPONSE
8.5 RECOVERY AND CONTINUITY
8.6 SUMMARY OF KEY POINTS
9: Security Risk Management Enablers
9.1 INTRODUCTION
9.2 SUMMARY OF KEY POINTS
10: Asset Areas
10.1 WHAT IS AN ASSET?
10.2 KEY ASSET GROUPS
11: SRM Integration
11.1 SRM INTEGRATION WITH ENTERPRISE RISK MANAGEMENT
11.2 ERM FRAMEWORKS
11.3 IMPLEMENTING AN INTEGRATED ERM PROGRAM
11.4 SUMMARY OF KEY POINTS
12: SRM Lexicon
12.1 INTRODUCTION
12.2 ILLUSTRATIONS
12.3 NOTES TO READERS
12.4 DEFINITIONS
13: Sample Templates
13.1 SECURITY RISK REGISTER FORM (EXAMPLE 1)
13.2 SECURITY RISK REGISTER FORM (EXAMPLE 2)
13.3 RISK TREATMENT SCHEDULE (EXAMPLE 1)
13.4 RISK TREATMENT SCHEDULE (EXAMPLE 2)
13.5 OUTLINE SECURITY PLAN
13.6 DAY-TO-DAY OPERATIONAL GOVERNANCE REGISTERS
13.7 PROPERTY SELECTION AND SECURITY PLANNING CHECKLIST
13.8 SAMPLE COMMITMENT STATEMENT TO SECURITY AND RISK MANAGEMENT
13.9 SAMPLE BOMB THREAT CHECKLIST
13.10 SAMPLE BOMB THREAT ROOM SEARCH CHECKLIST
13.11 EVALUATION CRITERIA FOR BUSINESS CONTINUITY AND ORGANIZATIONAL RESILIENCE
14: About the Lead Authors
14.1 Julian Talbot, CPP
Bibliography and Other References
Index
End User License Agreement
1: Introduction and Overview
Table 1.1 Threat groupings by source, motive and method
Table 1.2 Grouping assets by risk and threat
Table 1.3 Asset group and organizational exposures
2: Security Risk Management Context
Table 2.1 Changing paradigms that affect security risk management
5: Practice Areas
Table 5.1 Overview of security practice areas
Table 5.2 Principles of information security-definition of terms
Table 5.3 Example of commercial security marking definitions and handling requirements
6: Strategic Knowledge Areas
Table 6.1 Correlations among SRM constraints
Table 6.2 Pros and cons of various risk measurement approaches
Table 6.3 Example of bow-tie tabular format
Table 6.4 Example of a controls register
Table 6.5 Example components of a security control environment
Table 6.5 Example of HCSD applied to information assets
Table 6.6 Example of threat-based organizational security specification
Table 6.7 Threat-level equivalence matching
Table 6.8 Worked example of security specification for range of threat actors
Table 6.9 Example of a threat-based organizational security posture
Table 6.10 SRM capability maturity model
7: Operational Competency Areas
Table 7.1 Example of audit performance rating scales
8: Activity Areas
Table 8.1 Tips and tricks with emergency plans
10: Asset Areas
Table 10.1 Common ICT assets
12: SRM Lexicon
Table 12.1 Example of alignment of defined terms to the risk statement
About (SRMBOK) Security Risk Management Body of Knowledge
FIGURE 1 Overview of SRM resilience model.
1: Introduction and Overview
FIGURE 1.1 The security risk management journey
FIGURE 1.2 Relationship of SRMBOK within the Risk Management Body of Knowledge
FIGURE 1.3 Risk-Management Framework (ISO 31000:2008)
FIGURE 1.4 Risk-Management Process (AS/NZS4360:2004)
2: Security Risk Management Context
FIGURE 2.1 Maslow’s hierarchy of needs
FIGURE 2.2 Organizational resilience-capabilities, functions, and assets
3: Security Governance
FIGURE 3.1 Components of resilience
FIGURE 3.2 Managing resilience
FIGURE 3.3 Integrating governance, risk, and compliance
FIGURE 3.4 A sample governance, risk, and compliance operating model
4: SRMBOK Framework
FIGURE 4.1 Relationship of knowledge and competency to SRM
FIGURE 4.2 Integration of practice areas with activity areas and bow-tie
FIGURE 4.3 SRMBOK organizational resilience model
FIGURE 4.4 Security governance framework
FIGURE 4.5 Inter-relationship of SRMBOK better practice principles
5: Practice Areas
FIGURE 5.1 SRMBOK practice areas
FIGURE 5.2 Inter-relationship of practice areas
FIGURE 5.3 Inter-relationship of practice areas
FIGURE 5.4 Example of RAG modeling
FIGURE 5.5 Four tiers of human error
FIGURE 5.6 Example of human factors as Swiss-cheese barriers
FIGURE 5.7 Example of ICT system interdependencies
FIGURE 5.8 Principles of information security
FIGURE 5.9 Information life cycle
FIGURE 5.10 Example of information flows and vulnerabilities
FIGURE 5.11 Threats to intellectual property
FIGURE 5.12 Example of security classification markings
FIGURE 5.13 Example of commercial security classification markings
6: Strategic Knowledge Areas
FIGURE 6.1 SRMBOK strategic knowledge areas
FIGURE 6.2 Risk, exposure, resources, and quality
FIGURE 6.3 Elements of the SRM knowledge areas
FIGURE 6.4 SRM quadruple constraints
FIGURE 6.5 Correlation of exposure, resources, and quality against risk
FIGURE 6.6 As low as reasonably practicable
FIGURE 6.7 Risk equilibrium (optimal trade-off)
FIGURE 6.8 Inadequate resources and quality results in higher risk
FIGURE 6.9 Example of risk rating matrix
FIGURE 6.10 Lower quality equates to higher risk
FIGURE 6.11 Opportunity realization matrix
FIGURE 6.12 Intent and capability as a subset of motivation and threat actor attributes
FIGURE 6.13 Threat assessment model
FIGURE 6.14 Attacker’s perspective of the target
FIGURE 6.15 Protector’s perspective of the threat actor
FIGURE 6.16 Example of threat actor relative groupings
FIGURE 6.17 Example of threat actor 2 perspectives
FIGURE 6.18 Vulnerability assessment model
FIGURE 6.19 Criticality assessment model
FIGURE 6.20 Impact of SRM quadruple constraints on supply chains
FIGURE 6.21 Timeline of risk management approaches
FIGURE 6.22 Basic risk management process
FIGURE 6.23 U.S. GAO Risk Management Framework
FIGURE 6.24 AS/NZS 4360:2004 Risk Management Process
FIGURE 6.25 SRM process from HB167
FIGURE 6.26 SRM process
FIGURE 6.27 Example of a 5 × 5 risk rating matrix
FIGURE 6.28 Application of resources and quality to mitigate risk
FIGURE 6.29 Scenario analysis based on alternative futures
FIGURE 6.30 Allocating resources to possible future scenarios
FIGURE 6.31 Key elements of monitor and review processes
FIGURE 6.32 Risk appetite/tolerance
FIGURE 6.33 James Reason’s Swiss cheese model illustrated using D3R2 security concepts
FIGURE 6.34 Example of Swiss cheese barriers and an arson attack using human factors analysis (Ref: Figure 5.5)
FIGURE 6.35 Risk bow-tie
FIGURE 6.36 Risk bow-tie expanded
FIGURE 6.37 Bow-tie relationship of hazard to event to consequence and swiss cheese
FIGURE 6.38 Risk bow-tie—likelihood and consequence management
FIGURE 6.39 Overview of DHS’ Urban Areas Security Initiative (UASI) grant determination process in fiscal year 2006
FIGURE 6.40 Example of security-in-depth
FIGURE 6.41 Hierarchy of controls for security-in-depth (HCSD)
FIGURE 6.42 Example of HCSD for a multinational oil and gas explorer
FIGURE 6.43 Maslow’s hierarchy of needs
FIGURE 6.44 The concept of ALARP
FIGURE 6.45 ALARP cost/benefit trade-off
FIGURE 6.46 AESRM risk intelligence capability maturity model
FIGURE 6.47 Security Risk Management maturity journey
7: Operational Competency Areas
FIGURE 7.1 SRMBOK operational competency areas
FIGURE 7.2 Generic business process example
FIGURE 7.3 Role of functional design-linking assets to capabilities
FIGURE 7.4 Training’s impact on organizational culture
FIGURE 7.5 Skill-awareness journey
FIGURE 7.6 Example of linkages in an SRM framework
FIGURE 7.7 PRINCE2 project management methodology
FIGURE 7.8 Berenschot project management methodology
FIGURE 7.9 Risk bow-tie and role of assurance in identifying escalation factors
FIGURE 7.10 Example of an audit finding
FIGURE 7.11 Example of an audit finding
8: Activity Areas
FIGURE 8.1 Activity areas
FIGURE 8.2 Level of effort for each element at different phases
FIGURE 8.3 PPRR emergency management model
FIGURE 8.4 Alignment of activity areas with likelihood and consequence management
FIGURE 8.5 Alignment of PPRR, D3R2, bow-tie, and activity areas
FIGURE 8.6 Practice areas complementing activity areas
FIGURE 8.7 What is Intelligence?
FIGURE 8.8 Intelligence process-converting information to decisions
FIGURE 8.9 Generic example of the intelligence process
FIGURE 8.10 Intelligence cycle of the U.S. Central Intelligence Agency
FIGURE 8.11 Linkages between intelligence process and the Risk Management Process
FIGURE 8.12 Effects of situational volatility on the intelligence process
FIGURE 8.13 Intelligence professionals’ place in practice and activity areas
FIGURE 8.14 Examples of practitioner intelligence roles
FIGURE 8.15 Examples of practitioner security roles
FIGURE 8.16 Examples of practitioner emergency response following a security incident
FIGURE 8.17 Examples of practitioner roles in business continuity
FIGURE 8.18 Overview of BCM process
FIGURE 8.19 Business continuity threat environment
FIGURE 8.20 Crisis management planning
FIGURE 8.21 Indicative examples of practitioner/activity roles
9: Security Risk Management Enablers
FIGURE 9.1 Security Risk Management enablers
FIGURE 9.2 Relationship of enablers to the risk management process
10: Asset Areas
FIGURE 10.1 The link between assets and economic value
FIGURE 10.2 Assets supporting functions that deliver capabilities
FIGURE 10.3 Key asset categories required to deliver capabilities
FIGURE 10.4 Example of physical assets
FIGURE 10.5 Example of people assets
FIGURE 10.6 Examples of key information asset groups
11: SRM Integration
FIGURE 11.1 Integration of practice areas with activity areas and bow-tie
FIGURE 11.2 SRMBOK organizational resilience model
FIGURE 11.3 Expansion of AS/NZS 4360:2004 Risk Management Process for Security Risk Management
FIGURE 11.4 Conceptual alignment of bow-tie with eliminate, substitute, isolate, engineer, administrative controls, and personal protection (ESIEAP)
FIGURE 11.5 Indicative example of alignment of ESIEAP with bow-tie to protect data
FIGURE 11.6 Alignment of bow-tie with SRMBOK risk management model
FIGURE 11.7 COSO Enterprise Risk Management Framework
FIGURE 11.8 Quadruple constraints of Security Risk Management
12: SRM Lexicon
FIGURE 12.1 Relationship of defined terms in vulnerability assessment
FIGURE 12.2 Relationship of defined terms in threat assessment process
FIGURE 12.3 Relationship of defined terms in criticality assessment
FIGURE 12.4 Relationships of defined terms
FIGURE 12.5 Risk bow-tie elements
FIGURE 12.6 Relationship of controls to enablers in SRM processes
FIGURE 12.7 Relationship of exposure, current risk, and residual risk
FIGURE 12.8 Relationship of hazard, event and impact
FIGURE 12.9 Example recommendation
FIGURE 12.10 Conceptual example of security-in-depth
FIGURE 12.11 Example of security review finding
FIGURE 12.12 Swiss cheese model
JULIAN TALBOT
MILES JAKEMAN
Copyright © 2009 by Risk Management Institution of Australasia Limited. All rights reserved
Published by John Wiley & Sons, Inc., Hoboken, New Jersey
Published simultaneously in Canada
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permission.
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993, or fax (317) 572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.
Library of Congress Cataloging-in-Publication Data is Available
ISBN: 978-0-470-45462-6
Originally, we set out to write a short reference manual on enterprise security risk management as part of our contribution to increasing the professionalization of the industry, and to improving the body of knowledge in this area. It quickly became evident that the field of security, despite an ancient pedigree and growing knowledge among practitioners, did not have an agreed body of knowledge to reference.
This, of course, will come as no surprise to our fellow practitioners. They are well aware of the limitations in our profession and that we still struggle to achieve consistency on even such basics as definitions for threat, risk, and vulnerability, much less across security practices, approaches, or training requirements. It is not for lack of trying; many texts, standards, and guidelines exist in the field. What is missing, however, is a unified framework that links elements of physical, information, and personnel security with each other and indeed with the latest research in areas such as management, financial theory, behavioral psychology, and technology.
After we had repeated numerous times, “someone should really write something along these lines,” we eventually decided that it may as well be us who started the process. In conjunction with RMIA, we then approached the broader network of security professionals to seek their contributions, peer review, as well as frank and honest feedback on how to proceed.
The enormity of the subject is daunting as security touches on the most profound elements of society and the human psyche. The literature is also overwhelming, and each day new material is published. Consequently, we have had to be selective. We have done our best, however, to ensure that omissions are the result of a decision rather than an oversight.
For this project, we have been dependent on the generosity and contributions of others. Old friends and new from a wide variety of disciplines have provided invaluable assistance, criticism, and encouragement. To these people who have volunteered their time, effort, and intellectual property with no reward other than our gratitude, we are forever indebted. To this group goes much of the credit; the errors and omissions are ours.
For our part, we have poured the best of our intellectual capital into this document in the interests that it may add to the profession and prove useful to you, the reader. We also encourage you to join us in contributing to future editions so that SRMBOK can continue to reflect the growing body of knowledge for this field.
One day, we will finish that short reference manual on security. In the meantime, we hope this contribution proves to be a valuable starting point.
JULIAN TALBOT AND MILES JAKEMAN
RMIA gratefully acknowledges the assistance provided by members of the SRMBOK Working Group who contributed to, wrote components of, edited, or peer reviewed this material before publication. Unlike other books and standards, SRMBOK was developed by practitioners who donated their time and knowledge for the advancement of the profession, rather than their own personal gain. A very special thanks must go to Jakeman Business Solutions Pty Ltd (JBS), which not only provided the lead authors and project managers to compile the numerous articles and comments received but also financially underwrote SRMBOK.
A few people also rendered assistance far beyond the call of duty, and we owe a special debt to Bob Ross, Jason Brown, Konrad Buczynski, Spanky Kirsch, Lee Hutchison, and Don Williams for their countless comments, suggestions, and honest feedback. We would also like to acknowledge the generous assistance and contributions of the following persons:
Adam Fitzpatrick
Allan Halsey
Allen Fleckner
Anthony Moorehouse
Anthony Northover
Athol Yates
Bernard Poerschke
Bob Ross
Brendan Rasmussen
Brian Kelly
Brian Roylett
Broughton Steele
Charles Bishop
Clive Williams
Dai Hockaday
Damian Hine
David Schofield
David Van Lambaart
Deborah Watkins
Don McLean
Don Williams
Donna O’Brien
Frazer Holmes
Garry Young
Geoff Harris
Gerold Knight
Glen Gardiner
Glen Morgan
Grant Whitehorn
Ian Gordon
Jason Brown
Jeff Corkill
Jim Allen
John-Martin Collett
John Greaves
John Green
Julian Claxton
Julian Gaillard
Katherine Krilov
Konrad Buczynski
Leigh Dixon
Keith Mills
Le-Anne Jakeman
Lee Hutchison
Lennon Hopkins
Lloyd Masters
Mark Edmonds
Mark Dinnison
Mark Golsby
Mark Jarratt
Mark Patch
Mark Wylie
Michael MacLean
Michael Roach
Mike Rothery
Neil Connell
Neil Porter
Noel Mungovan
Pam McGilvray
Paul Curwell
Paul Longley
Phil Taleulei
Phillip Carr
Rex Stevenson, AO
Richard Turner
Rob Krauss
Rob Smart
Robert Sadleir
Roger Fitzgerald
Ross Babbage
Ry Crozier
Scott Petrie
Shane Cassidy
Spanky Kirsch
Steven Hancock
Steve Rohan-Jones
Stewart Hayes
Susan Trappett
Tonya Graham
Tim Green
Tony Pierce
Tony Solomon
Wayne Olsen
As RMIA is a not-for-profit organization, proceeds from the sales of SRMBOK will go toward further professionalizing the Security Risk Management community and in funding the ongoing maintenance and development of future editions.
Finally, RMIA and the members of the SRMBOK working group would sincerely like to thank the sponsors who supported the initial development of SRMBOK through the provision of considerable financial resources. Key sponsors included JBS, ATMAAC International, and the Australian Government Department of the Prime Minister and Cabinet. Other sponsors included ADI Thales and Siemens Australia.
BRIAN ROYLETT, NATIONAL PRESIDENT, RMIA
SRMBOK was developed as an initiative of the Risk Management Institution of Australasia Limited (RMIA) to contribute to the identification and documentation of agreed better practice in Security Risk Management.
It is designed to provide the reader with a framework for formalizing risk management thinking in today’s complex environment and details the Security Risk Management process in a format that can be applied by executive managers and security risk management practitioners.
SRMBOK provides both a graphical and written framework for bringing better practice to bear when addressing and treating security risks. The objective of SRMBOK is to support Security Risk Management practitioners with both technical and business guidance.
This document is the second release of SRMBOK. It endeavors to remain consistent with the overall body of better practice guidance in the discipline of security risk management while also introducing new material from other disciplines, such as occupational health and safety, financial risk management, engineering, and business continuity.
In particular, SRMBOK has been developed to align with the ISO 31000 Risk Management Standard and the Australian and New Zealand Standard for Risk Management (AS/NZS 4360:2004).
The intention of SRMBOK is that it should be a living document. Thus, this document will be updated, replaced, or made obsolete by other documents over time. Interested parties and subject matter experts are invited to contribute to the ongoing development and refinement of this body of knowledge.
It is hoped that there will be feedback and suggestions for improvement from subject matter experts about this relatively young document. Comments on SRMBOK should be submitted via the online discussion forum at www.srmbok.com or sent to [email protected]. Subject matter experts who are interested in contributing to subsequent editions in a closed “wiki” environment should in the first instance contact the administrator at www.srmbok.com or www.rmia.org.au. Alternatively, please feel free to contact the lead authors at [email protected] and [email protected].
SRMBOK is a repository of knowledge in the form of a book that provides an overview of those areas of Security Risk Management that are generally recognized as better practice. The identification of better practice has been a key element in developing SRMBOK. It is built on several hundred years of combined experience among the authors and coauthors, two years of research and development, and peer review workshops in four major cities before finally being subjected to peer review by independent subject matter experts prior to publication.
It is not the intent of SRMBOK to establish compliance proscriptions, proprietary solutions, or technology-based solutions. The concepts outlined here were selected on the basis they embody principles that are timeless, or at least enduring. As Security Risk Management is a dynamic and evolving field, what we offer here is a snapshot of better practice, and subsequent editions will be refined through industry participation supported by continuing research as the discipline and environmental context continue to evolve.
The Security Risk Management Body of Knowledge (SRMBOK) is as follows: An all-encompassing term that describes the sum of knowledge regarding readily accepted better practices, innovations and research within the evolving field of Security Risk Management.
Some key objectives of the material covered in SRMBOK include:
A common platform and terminology to establish Security Risk Management frameworks for government, nongovernmental organization (NGO), and private sector organizations
A vulnerability analysis, Security Risk Management, and resilience framework for protection of assets in a robust, reliable, and repeatable fashion that is consistent with and can be aligned to industry standards, current practice, and government security doctrine
Detailed guidance for customizing and implementing organizational security specifications and vulnerability assessment tools consistent with better practice across industries
Support for the development of consistent vocational training and higher education
Collate a toolkit for security risk professionals and allied disciplines
Compile a library of appropriate tactics and strategies
Detailed, specific, tangible advice and case studies to assist consistent implementation.
The aim of SRMBOK is to improve the effectiveness of organizational and individual Security Risk Management practices. In particular, the goal is to improve the resilience of organizations, communities, and individuals by documenting and integrating best-practice concepts from a range of complementary disciplines in a way that assists practitioners, leaders, managers, and politicians to assess, demonstrate, and deliver the fullest potential value of Security Risk Management.
SRMBOK aims to assist readers to improve their skills, knowledge, and awareness of the range of factors that affect security and safety.
Although most Security Risk Management systems follow consistent themes, some of the subtle differences in terminology and process can often make it challenging for one system to be compared or applied with another.
Confusion surrounding frequently interchanged terms such as threat and risk, likelihood, and probability is unlikely to go away, particularly as most of these terms not only are translated differently between languages but also reflect different cultural nuances. Languages themselves are of course dynamic, and the use of terms such as risk and threat vary over time even within the same language. Nonetheless, it has been possible in most disciplines to provide technical definitions and relationships of terms for commonly used words and such is the intent of the subsequent chapters.
A key focus of SRMBOK, therefore, has been the provision of a common lexicon to assist practitioners to integrate, compare, and apply Security Risk Management more effectively.
SRMBOK is of course more than a translator between differing platforms; it is also designed to capture and integrate existing better practice, including the following:
Standard descriptions of Security Risk Management processes
Guidance to relationships among the standard processes
Standard metrics to measure process performance across industries and organizations
Management practices that produce best-in-class performance
The ultimate goal is to enhance our abilities to protect assets, capabilities, and the community in general by documenting systems and cultures that can be:
Implemented purposefully to achieve competitive advantage
Described without ambiguity and readily communicated
Measured, managed, and controlled in a manner that demonstrates both duty of care and return on investment
Tuned and retuned to a specific purpose
SRMBOK is written with modern Security Risk Management in mind, but the material it contains is designed to be principles based and broadly applicable to all elements and types of protective security. It addresses Security Risk Management from a holistic approach as a subset of general management but with a focus on protection of assets, functionality, and capability.
As illustrated in Figure 1, SRMBOK divides security into the following categories to analyze, illustrate, and integrate the principles and processes of Security Risk Management that are required to provide security-in-depth:
Practice areas: the activity groups that embody distinct areas of expertise within Security Risk Management
Assets: items, functions, or processes that an individual, community, or organization values and needs to protect in order to provide and support capabilities
Knowledge areas: the foundation set of concepts, principles, experience, and skills that a security risk practitioner requires to manage security risk effectively and efficiently
Competency areas: a group of closely related skill sets that a practitioner is well qualified to perform in order to implement security measures
Activity areas: the principal security risk countermeasure areas through the life cycle of SRM, from preincident prevention (intelligence and protective security) to post-event response (emergency management and business continuity)
Enablers: elements required to ensure the application of Security Risk Management processes and activities in a sustained fashion
FIGURE 1 Overview of SRM resilience model.
These concepts are explained in detail in the respective section on each, and their relationship to the others is described in Chapter 11 (SRM Integration). Many separate guides to SRMBOK discuss and illustrate principles in specific areas, e.g., transport security, travel safety, explosives incidents, building a business case for security, and so on.
As a single document, SRMBOK cannot include detailed examination of all aspects of Security Risk Management, nor can it cover all the other disciplines that affect SRM, many of which are worthy of, or already have, their own body of knowledge.
It is also not intended to be a primer on the topic of Security Risk Management. Several excellent texts meet this purpose for the casual or inexperienced reader, many of which are listed in the bibliography section. Although it is suitable for readers with little or no SRM experience, it contains many advanced concepts and, as such, requires a degree of commitment from readers if they are to gain full value from it.
Although much of the way in which information is presented here may be new to some readers, SRMBOK itself introduces little that is truly new to Security Risk Management. Rather, it integrates existing knowledge with better practices, methodologies, and tools from complementary disciplines.
Where possible, we have provided additional (but by no means exhaustive) reference material and bibliography.
Time is precious, and most of us have deadlines and responsibilities that provide us little opportunity for reflection or unguided research.
Although the earnest student of Security Risk Management is encouraged to read SRMBOK from start to finish, it is written so that it can be approached in sections as and when needed, and it has been structured in two main parts. The target audience is different for each part and for the elements within them.
It is recommended that all readers familiarize themselves with the core concepts of SRMBOK as outlined in Chapter 4 (SRMBOK Framework). This chapter highlights the central SRMBOK framework and the relationship of the various SRM elements to each other. It will also assist readers to identify which chapter(s) and supporting guides to SRMBOK they might refer to first. This section is also discussed in greater detail in the section on SRM Integration (Chapter 11) after the key concepts have been introduced in more detail.
SRMBOK is also supported by many Guides to SRMBOK that provide detailed guidance and examples of how the SRMBOK framework has been applied across areas such as the following:
Access management
Business continuity and resilience
Command, control, and communications
Consequence management and business continuity management
Counterterrorism
Crime prevention through environmental design
Crisis management
Environmental security
Events and mass gatherings
Executive protection
Explosives and bomb threats
Home-based work
Human rights and security
Implementing Security Risk Management
Intellectual property protection
Intelligence approach to SRM
Investigations and root cause analysis
Maritime security and piracy
Mass transport security
Organizational structure
Pandemic
Personal protective practices
Psychology of security
Red teaming and scenario modeling
Resilience and critical infrastructure protection
Security risk assessment, asset, function, or project based
Security risk assessment, enterprise based [enterprise security risk assessment (ESRA)]
Security specifications and postures
Security training
SRM management systems (SRM-MS)
Supply chain security
The security manager
Transnational security
Travel security
This list of guides will vary and expand over time because of the ever-changing threat and risk context, as additional Guides to SRMBOK are created and revised.
SRMBOK has been designed as a reference guide with the following main audiences in mind:
Executive managers and senior officials
Line managers with a Security Risk Management responsibility
Consultants, advisers, and other Security Risk Management professionals
Educators and trainers developing Security Risk Management courses
Students of Security Risk Management
Each chapter contains cross-references to relevant information in other chapters, and a bibliography is included to make it easier to find supporting information from other sources. There is also a lexicon designed for all audiences.
The sections on Security Risk Management context and security governance are designed to set the scene and, although applicable to everyone, are intended primarily for Chief Executive Officers, directors, and other senior executives.
For Chief Security Officers (CSOs), consultants, or management personnel with SRM responsibilities, the strategic knowledge areas, operational competency areas, practice areas, activity areas, SRM enablers, asset areas, and SRM integration provide an overview of SRM. With a sound understanding of these topics, a line manager, consultant, or practitioner should be able to provide leadership in managing organizational security risks.
The Guides to SRMBOK provide the user with a greater understanding of the theory and application of SRMBOK concepts and practical implementation of organizational resilience. These guides are designed to assist managers understand areas that they might have responsibility for, as well as security risk practitioners who might be either seeking greater insight into an area that they are already familiar with, or where they need to conduct research for activities outside their existing knowledge.
a Better practice is defined for our purposes as those practices that will work well in most situations, most of the time. It does not mean that the techniques described should always be applied uniformly in all situations. The decision as to what is appropriate at that time is best made by the responsible managers for any given area or activity. SRMBOK uses the term “better practice” rather than “best practice” to recognize that what is best practice today may be out of date tomorrow and that no single best practice can be universally applied to every situation.
We live in a world of uncertainty; the world is changing at an ever-accelerating pace. Life, society, economics, weather patterns, international relations, and risks are becoming more and more complex. The nature of work, travel, recreation, and communication is radically altering. We live in a world where, seemingly with each passing year, the past is less and less a guide to the future.
Security is involved in one way or another in virtually every decision we make and every activity we undertake. The contributions that Security Risk Management (SRM) makes to society, personal safety, and national stability are easy to underestimate but hard to overlook. We have been concerned about safety, security, and protection since the dawn of our species, and yet we still struggle to consistently define or reliably manage our security risks.
This is to a large extent understandable: although the fundamentals remain consistent, advances in security and related disciplines continue unabated. The global environment has never been more volatile, and societal expectations for security are, if anything, increasing.
The complexities of globalization, public expectation, regulatory requirements, transnational issues, multijurisdictional risks, crime, terrorism, advances in information technology, cyber attacks, and pandemics have created a security risk environment that has never been more challenging.
Despite the continuing development of security as a discipline, no single framework pulls together all the excellent but disparate work that practitioners and researchers are continually developing. Overall, there is little dispute that risk is a factor that must be considered by decision makers when deciding what, if anything, should be done about a risk that falls within their responsibility. Security is one such area where there has been less than total agreement as to what this means in practical terms.
The body of knowledge (BOK) surrounding Security Risk Management continues to evolve, but even the most dynamic of fields needs a point of common agreement, or at least agreed debate. It is unreasonable to expect SRMBOK to be all things to all people, but we, as a society and as a profession, need a place to collectively discuss and shape our thinking surrounding core concepts in SRM.
Much of the existing body of knowledge on risk management was developed for issues that do not possess the same degree of complexity, uncertainty, and ambiguity as those associated with modern security-related decision making. For example, managing financial or operational risk can be quantified more easily than some of the abstract concepts that security practitioners must manage. These areas offer us insights into the tools and techniques that have been pioneered in other disciplines. Areas such as safety management systems, financial formulas, project methodologies, engineering science, hazard identification, and human factors analysis, to name just a few, also have much to offer security practitioners.
The abundance of valuable but disparate material from Security Risk Management and other disciplines presents a significant challenge for developing a common framework to assess and consider risk when making security and related policy decisions. In addition to risk assessment methodological questions, other questions plague organizational risk deliberations. Among them are the following:
Who is responsible for the risk assessment?
Who is responsible for managing risk?
How should alternative courses of action be developed, and how should they be evaluated?
How does one perform cost/benefit analysis on an abstract problem where potential consequences are astronomical but probability is unknown and may be close to zero?
How should terrorist and criminal adaptive responses to security measures be taken into account as potential security measures are being considered?
Security professionals everywhere are making some progress in answering these questions, and more significantly, the profession is developing a more mature understanding of the complexities involved. Increasingly, academic and practical research is also refining our understanding of the issues and giving us a basis for more risk-informed decision making.
Much of the past practices in security have revolved around the three Gs (guns, guards, gates), national security, intelligence and defense, firewalls, and cryptography. As important as these are, moving from a focus on threat mitigation to benefit realization is a growing imperative for many security professionals and for most organizations.
“The empires of the future are the empires of the mind.”
SIR WINSTON CHURCHILL
We are facing an increasingly complex and interdependent future in which information and intangible assets are likely to become increasingly valuable, and tangible assets are likely to diminish in value by comparison.
Risk-management activities in the 21st century are likely to continue to move away from the early focus on compliance and loss minimization toward opportunity realization. Although Security Risk Management will continue to require sound management of threats and minimization of losses, already we are starting to see threat mitigation as just part of standard management practice, rather than a standalone discipline.
The organizations and societies of today are seeking a greater understanding of the true nature of risks. This is not an altruistic or inherent desire for risk management per se, but it is an endeavor to better exploit opportunities and minimize harm.1 As illustrated in Figure 1.1, organizations typically start out as risk controllers with a focus on compliance and loss minimization. Over time, they realize that quality SRM adds value to operational performance, and if integrated across the enterprise, SRM can become a significant contributor to both organizational resilience and opportunity realization.
FIGURE 1.1 The security risk management journey
It is likely that some organizations will always view security as a cost center rather than as a profit center. Those that have sound Security Risk Management systems in place, however, will have competitive advantages in many areas:
Personnel screening can help to select the best candidates and also increase marketability to clients who may be concerned about protecting their intellectual property or funds.
Information security management helps to introduce products to market without advance knowledge by competitors.
Appropriate physical security is likely to increase profitability at a venue when customers know they will be safe and their cars will not be vandalized while they are inside.
Organizations that have prepared by developing a sound Security Risk Management system can quickly and safely deploy to higher risk locations to take advantage of opportunities ahead of their competitors.
Appropriate security will mean that managers can focus on opportunity realization rather than on filling out incident reports or chasing down missing equipment.
Just as threat mitigation seeks to avoid threats turning into losses, so opportunity realization seeks to manage the conversion of opportunities into benefits. Although most of us realize intuitively that Security Risk Management is integral to opportunity realization, the framework and tools to demonstrate this transition from risk controllers to risk transformers are comparatively in their infancy. The process of moving from being perceived as a cost center to being recognized as a profit center is integral to achieving effective organizational Security Risk Management.
SRMBOK aims to provide a framework that security professionals can use to integrate Security Risk Management along with lessons from other disciplines, such as engineering, occupational health and safety, behavioral psychology, and finance.
It is appropriate from the outset to define the scope of SRMBOK by defining the term “Security Risk Management.” SRMBOK starts with the fundamental premise that Security Risk Management is an essential part of any individual’s, organization’s or community’s wider risk-management activities.
SRMBOK takes the position that there is no such thing as perfect security and that all security involves making trade-offs. For example, most of us willingly accept the risk of being involved in a car accident or assaulted in exchange for the benefits of living in a modern society. If we wanted to avoid completely the risk of being assaulted, we would live on a deserted island. This deserted island choice, however, is likely to increase other personal risks and reduce our longevity as a result of the lack of health-care services. We also accept the additional cost of fitting a lock to our front doors and the inconvenience of having to lock the door on the way out in exchange for reducing the risk of burglary. Similarly, we accept a little inconvenience when undergoing security checks before flying as well as a small additional cost for that security with good grace because it reduces our real or perceived risk.
Security is the condition of being protected against danger or loss. It is achieved through the mitigation of adverse consequences associated with the intentional or unwarranted actions of others.
In general usage, security is a concept similar to safety, but as a technical term, security means that something is not only secure but also that it has been secured. In this context, security refers to the measures used to protect sensitive organizational assets that collectively create, enable, and sustain organizational capability. Such assets will differ depending on the nature of the organization’s activities but typically include classified or sensitive information, physical assets of value, people, unique processes, alliances/partnerships, and intellectual capital.
Individuals or actions that encroach on the condition of protection cause a breach of security.
As suggested from the word “unwarranted” in this definition, the intentional actions of others that are legal and acceptable, at least in the eyes of the defender, are excluded from the scope of security. For example, the actions of others in derivatives trading or commercial enterprise may have adverse consequences, but preventing those lawful and normal consequences is the domain of areas such as financial risk management. They would not normally be security issues unless fraud or similar was involved.
The use of the word “intentional” similarly clarifies the distinction between security and areas such as safety. Security involves protection from deliberate acts, whereas safety risk management includes the management of risks from unintended events such as motor vehicle accidents and falls.
There is a strong overlap between safety and security (as there is between security and finance, engineering, psychology, etc.); in fact, many languages have only one word for both concepts. Many activities will involve a wide range of threats from different sources (e.g., a journey to a high-risk country involves risks from crime, foreign currency fluctuations, and road safety, to name but a few).
It can be tempting to include security as a subset of safety, and in some cases, this would be correct. For example, even the protection of national security classified information could be indirectly related to protecting the lives of the nation’s citizens or the identity of agents in the field. However, security as a subset of safety is inappropriate when we consider financial and property threats such as fraud, embezzlement, commercial espionage, and website hacking, where the impact on personnel safety is tenuous, if it exists at all.
Like many other areas of risk management, security involves making trade-offs. Security decisions often include a range of costs as well as compromises to convenience, privacy, and so on, and in many cases, we will have to trade one or more of these elements.
Within this, we will often be called on to make decisions and trade-offs regarding perceived versus actual risks. Sometimes, managing the actual risk will also mitigate the perceived risks and vice versa. Sometimes not.
Often, it might appear that the actual risks are more important than the perceived risk, and in some cases, this is appropriate. There are many reasons, however, why we might choose to focus more on managing perceived risks. Removing nail clippers from airline passengers may have little to do with managing the actual risk of hijack, but it is part of the process that visibly demonstrates that something is being done. In fact, the risk of hijack may well be perceived by the traveling public to be much higher than it actually is. The greater risk associated with airline hijackings is probably not one of hijack but the economic losses to the community and the increased incidence of road fatalities if people lose confidence in aviation safety.2,a
Similarly, it will often be appropriate to put in place measures such as tamper-proof packaging on food and drugs, even though it is still entirely possible to contaminate the goods inside. Such measures in practice will only deter the lazy or ignorant would-be poisoner, but they do reassure the consumer to continue purchasing the product.
Of course, these issues of perceived versus actual risk are largely subjective and will vary depending on individual risk appetite and understanding. The greater driver in this decision-making process is likely to be personal or organizational agendas, which will involve greater or lesser good to various parties.
Although most people as individuals are concerned about the safety of the traveling public, for example, the various stakeholders all have different agendas. The airlines are not as interested in treating the real risk of hijacking as they are in treating the perceived risk. An actual hijack is a dramatic but rare event. The perceived risk of hijack can result in a dramatic impact on every quarterly revenue statement. Airlines, like any business, have an agenda to spend the bare minimum of their own money but recognize the return on investment from managing security perceptions. Meanwhile, politicians are facing the next election cycle (or the next coup, if not in a democratic society) and have their own agenda to consider. Being seen to be doing something and acting quickly will generally be more important in the first instance than actually understanding and addressing the real security risk.
The key word here, of course, is “risk.” Each stakeholder’s agenda is driven by their own perception of risk, and it might not be the same as the actual risks. For example, mobile phone technology has enough encryption on most digital systems that it can be marketed as encrypted, but not enough to ensure that an average personal computer (PC) with some basic equipment cannot break the encryption. The cost of research and the bandwidth implications of significantly enhanced encryption are not commercially rewarded in the current threat environment, so the security is a compromise.
These are just a few of the examples of how various security agendas interact with the perceived and real security threats to make trade-offs that affect us all. This is a theme that is reflected throughout SRMBOK and one to which there is no easy or immediate answer.
A security risk is any event that could result in the compromise of organizational assets. The unauthorized use, loss, damage, disclosure, or modification of organizational assets for the profit, personal interest, or political interests of individuals, groups, or other entities constitutes a compromise of the asset, and it also includes the risk of harm to people. Compromise of organizational assets may adversely affect the enterprise, its business units, and their clients. As such, consideration of security risk is a vital component of risk management.
Several methods can be used to identify security risks. One method of identifying threats with the potential to affect the organization adversely is to group them according to their source, motivation, and method of operation, as shown in Table 1.1.
Table 1.1 Threat groupings by source, motive, and method
Source | Motive | Method of Operation
Criminal | Profit | Theft, robbery, assault, fraud, disclosure
Terrorist | Political manipulation | Bombing, hijacking, kidnapping, assassination
Foreign intelligence services | Strategic, military, political, or economic advantage | Espionage, sabotage, subversion, disclosure
Commercial or industrial competitors | Profit, competitive edge | Industrial or economic espionage
Malicious people | Revenge, fame, discredit | Disclosure, destruction, vandalism
Another method to identify threat sources that can become security risks is to focus on the assets (functions, resources, and values) that are essential for the organization to perform its role and to group them according to the threat and consequent risk posed, as shown in Table 1.2.
Table 1.2 Grouping assets by risk and threat
Organization Assets | Risks | Threats
Buildings, facilities | Destruction, damage, or unavailability of the building or facility | Fire, explosion, hoaxes, power failure, contamination, unauthorized access
Information system | Loss or compromise of security classified material; loss of confidentiality, availability, or integrity of information | Unauthorized users, forensic disc examination, careless handling of printout, careless transmission
Management's confidence in the business unit or program | Loss of management or public confidence in the business unit or program, or its processes | Mishandling of sensitive data, inconsistent policy or service delivery, adverse media coverage
Organizational reputation | Loss of organizational reputation | Poor service, mishandling of sensitive data, inconsistent policy or service delivery, adverse media coverage
A third method is to examine the organizational exposures or vulnerabilities and then use these to review the suitability of existing security controls (Table 1.3).
Table 1.3 Asset group and organizational exposures
Asset Group | Possible Exposures or Vulnerabilities Identified
People Assets | Abduction; assassination; attack, assault, or harassment; bombing; civil disorder; co-location with high-risk tenants; conferences/exhibitions; crime; cultural or religious differences; discrimination/prejudice; disgruntled employee; domestic violence; drive-by shooting; family influence; financial stress or gain/influence; impersonation of staff member; inadequate procedures; inadequate training; inadequate vetting; isolation; kidnap; language; loyalty/coercion/corruption/collusion; mail handling and receipt; mismanagement; organizational structure and responsibilities; physical assault; poisoning; reluctance to adopt security policy; robbery; sexual assault; sexual preference or discrimination; stress-related behavioral issues; travel; verbal assault or harassment; workplace violence; public perception; staff attraction; staff retention
Information Assets | Destruction or corruption; disruption of service; commercial espionage; fire/arson; fraud; inadvertent disclosure; leakage; loss of data or sensitive trade material; manipulation of data/information; sabotage; staff loyalty
Physical Assets/Information and Communications Technology (ICT) | Break-in; co-location with high-risk tenants; commercial espionage (electronic surveillance/listening device); fire/arson; inadequate emergency management procedures; inadequate threat details; failure of equipment (e.g., maintenance and reliability); hacking; funding; mail handling; maintenance; procurement methodology; unauthorized or forced access; vandalism; vehicle bombing; sabotage; theft
Identified threats will represent sources of security risks (i.e., how and why a particular security risk event might happen). Information obtained from a formal threat assessment will then assist in determining the likelihood of particular risks occurring.
The focus of SRMBOK is toward the direct and unwarranted actions of people. The term “security” can of course be a much broader term. For example, if we consider security as a “state of being protected from hazards, danger, harm, loss or injury,” it also includes elements of protection from natural disasters and concepts of organizational resilience. SRMBOK accordingly, although focused on intentional acts, takes an all-hazards approach that considers the broader interplay of environment and other factors that can impact an organization or individual. In terms of natural hazards, for example, organizational resilience takes into account both the direct impact of natural disasters (e.g., power outages and infrastructure) and the indirect impacts, such as fire, looting, civil unrest, and so on.
Security Risk Management is the culture, processes, and structures that are directed toward maximizing benefits and minimizing adverse effects associated with the intentional and unwarranted actions of others against organizational assets.3
The definition used above complements and supports an all-hazards approach to organizational resilience that, in practice, is achieved by supporting the preparedness, protection, and preservation of people, property, information, and organizational capability.4
Although some terminology used in Security Risk Management is common to other forms of risk management, most threat assessment processes and risk treatments used are unique to the Security Risk Management profession and play a definitive role in the progression of an organization’s objectives.
Like most security professionals, SRMBOK considers threat and risk as different concepts. Threat is a hazard or source of risk (criminals, terrorists, etc.), usually measured in terms of intent and capability. Risk, meanwhile, considers the likelihood of an attack together with the most credible impact(s) or consequence on assets. Security Risk Management, therefore, involves understanding the threat as part of the objective of determining and applying countermeasures to manage (treat) the risks.
Threat determines risk, which in turn determines countermeasures.
In practice, this is a cycle where each countermeasure changes the context and either introduces new risks or at the very least will modify the threat actors’ methods of attack. This in turn modifies the risk and so on.
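The threat, risk, countermeasure cycle just described, worked through as an added illustration that is not SRMBOK's own method: threat level is derived from intent and capability, likelihood from threat level and the asset's exposure to the actor's most credible method, and each countermeasure changes the context so the actor shifts to the next most exposed method. The 1 to 5 scales, scoring rules, band thresholds, and the sample criminal source and cash office asset are all constructed assumptions.

```python
"""Worked threat -> risk -> countermeasure cycle.

Added illustration, not from SRMBOK. Scales are qualitative 1..5; the
scoring rules, band thresholds and sample entries are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Threat:
    source: str          # threat source, e.g. "Criminal" (cf. Table 1.1)
    methods: list[str]   # methods of operation this source is known to use
    intent: int          # 1..5, assumed scale
    capability: int      # 1..5, assumed scale

    @property
    def level(self) -> int:
        """Threat level from intent x capability, rescaled to 1..5."""
        return max(1, min(5, round(self.intent * self.capability / 5)))


@dataclass
class Asset:
    name: str
    consequence: int                  # 1..5 impact if the asset is compromised
    exposure: dict[str, int] = field(default_factory=dict)  # method -> 1..5


@dataclass
class Assessment:
    method: str        # most credible attack method at this point in the cycle
    likelihood: int    # 1..5
    score: int         # likelihood x consequence, 1..25
    band: str


def band(score: int) -> str:
    """Map a 1..25 score to a rating band (thresholds are assumed)."""
    if score >= 16:
        return "Extreme"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Moderate"
    return "Low"


def assess(threat: Threat, asset: Asset) -> Assessment:
    """Risk = likelihood of the most credible attack x consequence on the asset."""
    # An adaptive actor favours the method to which the asset is most exposed.
    method = max(threat.methods, key=lambda m: asset.exposure.get(m, 1))
    exposure = asset.exposure.get(method, 1)
    likelihood = max(1, min(5, round(threat.level * exposure / 5)))
    score = likelihood * asset.consequence
    return Assessment(method, likelihood, score, band(score))


def apply_countermeasure(asset: Asset, method: str, reduction: int) -> int:
    """Reduce the asset's exposure to one method; returns the new exposure."""
    current = asset.exposure.get(method, 1)
    asset.exposure[method] = max(1, current - reduction)
    return asset.exposure[method]


def risk_cycle(threat: Threat, asset: Asset, reductions: list[int]) -> list[Assessment]:
    """Assess, treat the currently most credible method, reassess; repeat.

    Each reduction is applied to the method the previous assessment flagged,
    after which the threat's credible method may change (the cycle).
    """
    history = [assess(threat, asset)]
    for reduction in reductions:
        apply_countermeasure(asset, history[-1].method, reduction)
        history.append(assess(threat, asset))
    return history


# Constructed sample: a criminal source (a Table 1.1 row) against a cash office.
SAMPLE_THREAT = Threat("Criminal", ["theft", "fraud", "robbery"], intent=5, capability=4)


def sample_asset() -> Asset:
    return Asset("Cash office", consequence=4,
                 exposure={"theft": 5, "fraud": 4, "robbery": 2})


def run_sample() -> list[Assessment]:
    # Two treatment rounds: first against theft, then against whatever the
    # actor shifts to (fraud in this sample).
    return risk_cycle(SAMPLE_THREAT, sample_asset(), [3, 2])


if __name__ == "__main__":
    for step, a in enumerate(run_sample()):
        print(f"round {step}: most credible={a.method} likelihood={a.likelihood} "
              f"score={a.score} band={a.band}")
```

Running it shows the rating falling from Extreme to High to Moderate while the most credible method moves from theft to fraud and back, which is the context change each countermeasure introduces.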
Security Risk Management is a subset and essential part of a broader risk management system. As illustrated in Figure 1.2, SRM is simply another management discipline fitting predominantly within the sphere of risk management.
FIGURE 1.2 Relationship of SRMBOK within the Risk Management Body of Knowledge
Risk management is “the culture, processes and structures that are directed towards realizing potential opportunities whilst managing adverse effects.”3
This definition implies that risk management is a coordinated activity to direct and control an organization with regard to risk.5
In a fully integrated risk-management system, Security Risk Management is interlinked at each stage with all other risk-management activities being undertaken (e.g., financial, safety, marketing, reputation, regulatory, etc.). Although the application of Security Risk Management requires discipline-specific knowledge, the overall risk-management process remains the same.
As noted in ISO 31000 Risk Management, the elements of a framework for managing risks are shown in Figure 1.3.
FIGURE 1.3 Risk-Management Framework (ISO 31000:2008)
SRMBOK addresses this in more detail in section 5 on Governance Frameworks (page 65), and section 13 on Implementing an Integrated ERM Program (page 331).
A typical risk-management process as described in both ISO 31000 Risk Management and the AS/NZS4360:2004 Risk Management Standard is illustrated in Figure 1.4.
FIGURE 1.4 Risk-Management Process (AS/NZS4360:2004)
