These approaches will assist designers in defining asset value and evaluating vulnerability assessment data in order to integrate threats and hazards into a design basis. Architects and engineers will be able to find the most effective and cost-efficient terrorism mitigation solutions for each building's specific security requirements.
Asset value is the monetary worth of an asset. It includes both tangible and intangible values. Tangible assets include buildings, equipment, and inventory. Intangible assets include customer relationships, brand identity, and website traffic. Terrorists attempt to destroy or otherwise harm assets so that they cannot be used by the owner or operator for financial gain or any other purpose. For example, terrorists may target assets that contain oil or natural gas because of their potential economic value.
Threats are actions or events that could lead to damage, injury, or loss. Threats can be physical (such as explosions), technological (such as computer viruses), environmental (such as floods), or intentional (such as terrorism). Design professionals use threat modeling techniques to identify possible threats to an asset and develop strategies for preventing or mitigating these threats.
Hazards are conditions that can cause damage or injury if not properly controlled. Hazards can be natural (such as earthquakes) or man-made (such as chemical spills). Design professionals use hazard analysis techniques to identify possible hazards at an asset and develop strategies for preventing damage or injuries caused by these hazards.
It provides a structured technique for identifying relevant assets (organized into asset groupings), potential vulnerabilities, and threats, integrating them into risks based on asset values, vulnerability, and threat levels, and proposing appropriate countermeasures. It also aids in prioritizing risks and safeguards.
Asset evaluation involves three steps: identify assets, evaluate assets, and select/implement safeguards. First, an organization identifies its assets by categorizing them as physical or intellectual. Physical assets include equipment, buildings, inventory, and intangibles such as customer information and trademarks. Intellectual assets include data, processes, people, and training materials. Second, the organization evaluates each identified asset to determine its value. Value can be estimated using replacement cost, net present value, or some other method. Third, the organization selects safeguards that reduce risk to an acceptable level by balancing benefits against costs. The best safeguards are those that provide maximum benefit at minimum cost.
Asset evaluation is useful in risk analysis because it structures the process of considering various risks and their impacts. It also helps prioritize risks and safeguards since they are grouped by asset category. Finally, asset evaluation provides a basis for determining whether current security measures are effective so that they can be improved or replaced when necessary.
Security risk management is the ongoing process of identifying and mitigating security risks. Risk is calculated by taking into account the likelihood that known threats will exploit vulnerabilities and the impact on valuable assets. Risk management also includes monitoring risk indicators to identify potential problems before they become critical issues.
Risk assessment is the first step in risk management. It determines what risks exist within an organization and what degree of exposure those risks pose. Risk assessments should be conducted for each project that the organization undertakes.
The next step in risk management is risk identification. This involves listing all the risks that have been identified during the risk assessment process. Risk owners are then assigned to manage specific risks. They work with other members of the management team to determine how risks may be controlled or prevented from occurring.
Risk mitigation involves taking action to reduce the probability of a risk occurring or the severity of its effects if it does occur. Prevention is the best method of reducing risk, but sometimes prevention is not possible, so management should try to minimize the damage through remediation methods such as surveillance, testing, and audit trails.
Managing risk requires balancing the need for increased security with the cost of doing so. Risk-averse individuals may choose to avoid certain risks by moving data centers to remote locations or using low-security systems, for example.
Risk takes into account the asset's worth, the threats or hazards that may affect it, and the asset's vulnerability to them. During the risk analysis process, we can assign values to these three risk components to generate an overall risk rating. The higher the risk score, the greater the potential loss.
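The scoring described above and the third step of asset evaluation (selecting safeguards by balancing benefit against cost) can be worked through on a small register. This is an added example, not part of the original page; the 1-10 rating scale, the multiplication of the three components, the acceptable-risk threshold of 100, the greedy selection rule, and all register entries are assumptions made for illustration.

```python
from dataclasses import dataclass
# Assumption (not from the page): each component is rated 1-10 and the three are multiplied.
@dataclass(frozen=True)
class Scenario:
    asset: str
    threat: str
    asset_value: int
    threat_rating: int
    vulnerability: int
    def risk(self, vulnerability=None):
        v = self.vulnerability if vulnerability is None else vulnerability
        return self.asset_value * self.threat_rating * v

@dataclass(frozen=True)
class Safeguard:
    name: str
    cost: int               # constructed cost units
    applies_to: tuple       # (asset, threat) pair it protects
    new_vulnerability: int  # vulnerability rating once deployed

def rank(scenarios):  # highest risk first, for prioritizing risks and safeguards
    return sorted(scenarios, key=lambda s: s.risk(), reverse=True)

def select_safeguards(scenarios, safeguards, budget, acceptable=100):
    """Greedy pick by risk reduction per unit cost, one safeguard per scenario."""
    by_key = {(s.asset, s.threat): s for s in scenarios}
    residual = {k: s.risk() for k, s in by_key.items()}
    chosen, options = [], []
    for g in safeguards:
        s = by_key[g.applies_to]
        cut = s.risk() - s.risk(g.new_vulnerability)
        if s.risk() > acceptable and cut > 0:  # skip risks already acceptable
            options.append((cut / g.cost, g, s))
    for _, g, s in sorted(options, key=lambda o: o[0], reverse=True):
        if g.cost <= budget and residual[g.applies_to] == s.risk():
            budget -= g.cost
            chosen.append(g.name)
            residual[g.applies_to] = s.risk(g.new_vulnerability)
    return chosen, residual
# Constructed sample register (not data from the page).
SCENARIOS = [Scenario("Main lobby", "vehicle bomb", 8, 4, 9),
             Scenario("Data center", "intrusion", 9, 6, 5),
             Scenario("Loading dock", "theft", 5, 7, 8),
             Scenario("Parking garage", "vandalism", 3, 6, 5)]
SAFEGUARDS = [Safeguard("Bollards and standoff", 50, ("Main lobby", "vehicle bomb"), 3),
              Safeguard("Lobby guard post", 30, ("Main lobby", "vehicle bomb"), 6),
              Safeguard("Access control and CCTV", 20, ("Data center", "intrusion"), 2),
              Safeguard("Dock cage and inventory audit", 10, ("Loading dock", "theft"), 4),
              Safeguard("Garage lighting", 15, ("Parking garage", "vandalism"), 2)]
```

With a budget of 70 the selection falls back to the cheaper lobby safeguard and leaves the lobby's residual score at 192, still above the threshold, which is the signal to revisit the budget or the acceptable level.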
Asset vulnerability refers to the degree to which an asset is susceptible to damage or loss. An asset that is well protected from hazard exposure will usually have a lower risk score than one that is not. For example, if a car has good safety features such as air bags and seat belts, it has less risk than one that doesn't have these protections. If computers were made out of glass, they would be vulnerable to breakage, but because they are manufactured with plastic, they are considered durable assets that are resistant to damage.
Assets can also be vulnerable due to their location. For example, buildings can collapse due to damage caused by earthquakes or hurricanes. Storage tanks can leak petroleum products that can cause soil and water contamination. Ships can sink after being hit by large objects such as whales. The effectiveness of protection programs can also affect asset vulnerability. For example, if a company does not have any insurance to cover losses from environmental contamination then it is vulnerable to such risks.
Finally, assets can be vulnerable due to poor maintenance practices.
The possibility of loss or harm from a hazard is referred to as risk.
Assets have value. If an asset is destroyed or damaged, this means lost revenue or expense. For example, if your company's computer network is down, this is an asset that needs to be protected from damage or destruction. Threats can cause assets to lose value. For example, an earthquake could mean that buildings become damaged or destroyed. Risk is the chance that a threat will cause an asset to lose value.
Risk can be defined as the probability that a threat will cause an asset to lose value multiplied by the magnitude of the loss. For example, if one threat is that someone might break into your building and steal its contents and another is that a gas main might burst in your neighborhood causing everyone to evacuate their homes, then the risk of these threats causing an asset to lose value is very high (because there is a great chance that they will). The loss caused by each threat would be different—a broken window for the first threat and a house evacuated due to the second threat. However, because both losses are negative events, they have the same risk level: high.
A Threat, Risk, and Vulnerability Assessment (TRVA) takes into account the client's requirement to safeguard people and assets and to limit exposure to crime, terrorism, security breaches, and overall company risk. This process should be conducted regularly to identify threats, assess risks, and update countermeasures.
During a TRVA, information about individuals, groups, organizations, facilities, equipment, materials, processes, and systems is collected through interviews with those who know them best, usually staff members who work with or around the subject of the assessment. This information is used to determine whether there are any threats or vulnerabilities that should be addressed immediately, such as in a Crisis Management Plan (CMP). If necessary, appropriate actions should be taken to reduce risks. These include, but are not limited to, changing passwords and updating software.
Threats include acts of violence, vandalism, theft, arson, natural disasters, explosions, fires, chemical releases, and other incidents that could harm the organization or its customers, employees, partners, or suppliers. Vulnerabilities are conditions that make an organization susceptible to threats. Examples include unprotected computers connected to the internet, default passwords, and outdated security measures.