Category Archives: Building codes

Threat Modeling is the Exciting, Sexy Part of Risk Assessment

As a risk assessment professional, when I get into a risk discussion, most security people want to talk about THREAT!  Threat is the most sexy and exciting part of doing a risk assessment.

Threats are exciting all by themselves.  Think about all the threats you can name:

All the natural disasters like Earthquakes, Tornadoes, Storms, Hurricanes, Tsunamis, Lightning, Floods

Crimes like Homicide, Assault, Rape, Burglary, Theft, Kidnapping, Blackmail, Extortion

Terrorism like Sabotage, Explosions, Mail Bombs, Suicide Bombs

All the IT Threats like Malicous Code, Disclosure, Data Breaches, Theft of Data

And about 50 more including Chem/Bio incidents, Magnetic waves, High Energy Bursts, Microbursts, Contamination and Reputation Damage.

Each of these threats could theoretically occur at any time, but we try to establish a pattern of how often they have occurred in the past, in this location, in this county, in this country, in the company, etc.   So NASA, for example, gets thousands of hacker attacks, but another company, like the local Salvation Army, gets 1 every 10 years.

Same model for natural disasters, although you might have to factor in climate change, it’s easy to get the threat incidents for hurricanes in Florida, snow storms in Cleveland, earthquakes in northern California, etc.

We also like to examine industry specific data to see if some threats are higher in a certain industry, like the high incidence of workplace violence incidents in hospitals and high risk retail establishments (like Wawa or 7-11).

Another factor we use in calculating threat likelihood is how the threat could actually affect different types of assets…. for example, would an earthquake damage a car?  Probably not. Would it cause damage to an old historical building – probably (unless it had been retrofitted).  Could it cause loss of life, or injuries (think Haiti).

So I use a multidimensional model that takes the threats list (I have a standard list of 75 threats that I use), and map it to each potential loss, based on the ‘asset’ that might be affected.

The more data you get, the better your model will be, and the more value it will have as a decision support tool!

 

Exploring Ideas to Prevent Disasters like the Haiti Earthquake Disaster

Exploring Ideas to Prevent Disasters like the Haiti Earthquake Disaster

CNN seems like it’s grabbed the lead on Haiti Earthquake coverage. They crossed that line last night when Sanjay Gupta, the CNN doctor, spent all night in a field hospital caring for patients that the UN left alone in a tent.

So there are thousands of images of the aftermath of the earth. Thousands of sad stories of loss and tragedy and all of it magnified by the grinding poverty of the country and it’s lack of government control and working infrastructure (even before the earthquake).

Obviously – it is impossible to prevent an earthquake, so there are three areas that could be explored to make earthquake disasters less horrific.

1. Advance notice of seismic activity in an area. Hurricane can be seen forming and building and can be graded, and prep work can began days before the disaster strikes
(yes – like Katrina). But perhaps it is also possible to have sensors that mark seismic activity. At least enough to get a glimmer of warning. My research says that there has been a project since 2007 to install sensors in the ocean floor to track tremors. After the Indonesian tsunami, the urgency to install these sensors increased dramatically. And because Haiti was on a fault line — I can’t help but wonder if someone somewhere in a research lab, may have noticed a few unusual tremors because this actually occurred.

2. Creating a System of International Building Codes. Obviously the death, injuries and damage occur from falling buildings and building materials (in the Haitian earthquake – cinder blocks). The UN could create standards for buildings with different standards based on the type of earthquake zone. For example, there could be a simple 1-5 scale and places that often have earthquakes (California, Japan, Pakistan) would have stricter standards than a place with almost no earthquakes, i.e. Florida and India.

While every building in a quake-prone country might not comply with the guidelines, the big multi-nationals would – the hotel chains, the government buildings (perhaps), and the better residential areas — and who lives in the better residential areas? The doctors, the medical professionals, the government officers, exactly the group of people you need in an emergency.

3. Creating Standards for Better Emergency Planning and Disaster Recovery.
The big increase in business continuity plans and disaster recovery plans (see
www.recoveryplanner.com) is amazingly limited to INFORMATION recovery and working to limit or prevent interruptions in information systems. The same kind of planning does not exist for disasters in most underdeveloped countries. Again, this is an area where the U.S. agency, FEMA could play a leading role; or the UN should make it a priority to do some kind of minimal planning standards for these devastating emergencies with massive injuries and loss of life.

The National Fire Protection Associations (www.nfpa.org) has published an Emergency Preparedness standard called NFPA 1600 – the Standard on Disaster/Emergency
Management and Business Continuity Programs and it’s a good example of the basics of Emergency Preparedness.

Individual countries would do their citizens a service by acquainting them with how to prepare families to survive in emergencies, whether they are triggered by power outages, severe cold, hurricanes or earthquakes!

Emergency Preparedness’ critical role in emergencies is something you can watch unfolding this week, as the relief efforts get stalled by lack of clear roads, problems at the airports, time involves in sea travel, etc. There has to be a better way – one that can be refined and used in future disasters.

In case you think you will never see an earthquake – here are the statistics on how many earthquakes occur in the world each year. These are averages but you can see that there is, on average, one giant earthquake, and seventeen large earthquakes, 134 strong earthquakes and many more light and moderate earthquakes.

TYPE STRENGTH AVERAGE PER YEAR
Great 8 or higher 11
Major 7–7.9 172
Strong 6–6.9 1342
Moderate 5–5.9 1,3192
Light 4–4.9 c. 13,000

The Boy Scouts were right when they adopted “BE PREPARED” as their motto.

These are three areas:

1. Better Ways to Predict Earthquakes (by even a day),
2. Minimum Building Codes based on local geography, and
3. Uniform Emergency Preparedness standards around the world.

These could be explored to prevent or at least mitigate the devastation we have seen in Haiti this week.