Risk and Security LLC

Risk Assessments, Training and More

This content shows Simple View

Earthquakes

A New Threat Appears – Meteor Strikes

After the meteor showers over Siberia this week, Russia put together a

Financial analysis of the damage from the meteors:

1200 injured by flying glass

             $33,000,000 in damage

4,000 building damaged

50 Acres of windows shattered

In the last twenty-five years, as the rate of climate change has increase, we have occasionally added new threats like Tsunami and ash pollution.

Now meteor showers have actually come to cause damage to companies so they are another factor to be included in risk assessments.

In evaluating threats for a risk assessment, many in the northeast would always tell me, “take out earthquakes”, we don’t have earthquakes in Virginia, Maryland, and Ohio. That changed in 2011 when the Mineral, Virginia earthquake hit during a mid-week business day.

RICHMOND, VA (WWBT) – Aug. 24, 2011. 

There was an earthquake in Central Virginia that measured 5.8 on the Richter scale centered about 5 miles south of Mineral in Louisa, depth 3.7 miles at about 1:51 p.m. The quake was centered at 38°N, 78°W.

The U.S. Geological Survey said the earthquake was centered about 38 miles northwest of Richmond, Va., about 84 miles southwest of Washington, D.C., and was felt as far north as Rhode Island and New York City. See a map of the quake from Chuck Bailey, professor of geology at the College of William and Mary.

Hospitals, government offices, dams and power generating plants,  including nuclear plants, were forced to suddenly reevaluate the long held idea that earthquakes just didn’t happen in the NorthEast.

The threat from meteor damage is the same idea.  It never happened before, but now it has happened again, if you count Tunguska as the first time.

Damage from meteor showers will now add a new category into the Threat index, even though this was the first event in my lifetime, if analyst factor in the previously known instances, such as the Tunguska Meteor Event, which did not occur thousands of years ago, like the meteor event in the Yucatan peninsula that killed off the dinosaurs, but
Tunguska occurred in 1908!   Almost in this century.

Over the next month, we’ll be looking at each different threat every week.  Sign up for my blog or access by following me on twitter at www.twitter.com/riskalert.

 



Threat Modeling is the Exciting, Sexy Part of Risk Assessment

As a risk assessment professional, when I get into a risk discussion, most security people want to talk about THREAT!  Threat is the most sexy and exciting part of doing a risk assessment.

Threats are exciting all by themselves.  Think about all the threats you can name:

All the natural disasters like Earthquakes, Tornadoes, Storms, Hurricanes, Tsunamis, Lightning, Floods

Crimes like Homicide, Assault, Rape, Burglary, Theft, Kidnapping, Blackmail, Extortion

Terrorism like Sabotage, Explosions, Mail Bombs, Suicide Bombs

All the IT Threats like Malicous Code, Disclosure, Data Breaches, Theft of Data

And about 50 more including Chem/Bio incidents, Magnetic waves, High Energy Bursts, Microbursts, Contamination and Reputation Damage.

Each of these threats could theoretically occur at any time, but we try to establish a pattern of how often they have occurred in the past, in this location, in this county, in this country, in the company, etc.   So NASA, for example, gets thousands of hacker attacks, but another company, like the local Salvation Army, gets 1 every 10 years.

Same model for natural disasters, although you might have to factor in climate change, it’s easy to get the threat incidents for hurricanes in Florida, snow storms in Cleveland, earthquakes in northern California, etc.

We also like to examine industry specific data to see if some threats are higher in a certain industry, like the high incidence of workplace violence incidents in hospitals and high risk retail establishments (like Wawa or 7-11).

Another factor we use in calculating threat likelihood is how the threat could actually affect different types of assets…. for example, would an earthquake damage a car?  Probably not. Would it cause damage to an old historical building – probably (unless it had been retrofitted).  Could it cause loss of life, or injuries (think Haiti).

So I use a multidimensional model that takes the threats list (I have a standard list of 75 threats that I use), and map it to each potential loss, based on the ‘asset’ that might be affected.

The more data you get, the better your model will be, and the more value it will have as a decision support tool!

 



How to Correctly Analyze 100-Year Threats for Risk Assessments

Starting a risk assessment in northern Virginia and going through the threat list they say, “You can take earthquakes out – we don’t have earthquakes here”!

Hey, Haiti didn’t have earthquakes!

Vermont didn’t have major floods!

Connecticut doesn’t have tornados!

Like Murphy’s Law, as soon as you discount a threat, and think, “it will never happen here”, it happens!   The earthquake in the mid-Atlantic in August was a wake-up call for those who that they would never have earthquake damage.

One of the reasons that security risk assessment is so highly valued as an analytical took, and why it’s required by so many governments is because it DOES take into account the 100-year flood, the 75-year drought, etc.

Natural disasters can be so overwhelming, and catastrophic, that they must be considered in any proper risk assessment.  This is why some areas are not suitable for building housing tracts, because they are in a 100-year flood plan.

Because human memories are short, just because YOU haven’t experience a flood
along a meandering creek, doesn’t mean it will never happen.  

Always check the long-term probabilities when you start a risk assessment and make the numbers work for you!



Does Being on TV Make Us Better World Citizens?

Does Being on TV Make Us Better World Citizens?

To quote the character in the 1995 movie, “To Die For” — “You’re not really anybody in America unless you’re on TV… ’cause what’s the point of doing anything worthwhile if there’s nobody watching?  So when people are watching, it makes you a better person.” So if everybody was on TV all the time, everybody would be better people.

A minor statistic – that the recent tsunami in #Japan got CNN its highest ratings since Obama’s inauguration!   What can beat the reality of earthquakes and rising water, followed almost immediately by nuclear power plants with seawater cannons blasting?   And then add the airstrikes over #Libya – all delivered in breathtaking color.

Does showing these images on TV make people more sympathetic to the plight of the rest of the world?   I think it probably does – and that it does make us better people for caring.

The social media has contributed greatly to this – working hand in glove with TV – expanding coverage to new audiences and flashing breaking news around the world.  The immediacy of Twitter and email make us seem empathetic because we are sending the news out to our social circles. 

The middle east uprisings are possible not because of just the media, but because people around the world weigh in and give political support to the protesters.  They know the world is watching and because they know they are not alone anymore, they are empowered to stick with their protests. 

And look at the payoff – the rebels in Libya make their case and the world comes to their aid.  Obviously there are other critical factors at play here, but the TV makes it all possible. 

Just five years ago, people were wondering when the One World concept would finally catch hold and we would collectively realize that we’re really all people on this tiny planet – Pax Humana, aka World Peace. 

It looks like that day has come – not because of highideals or harmonic convergence, or universal values, but because we can tweet pictures to our friends about other people on the other side of the world.  This is true reality TV and it’s going to be a game changer for businesses and governments everywhere.



Not with a Bang…. The Japanese Nuclear Disaster

Too late to run a formal risk assessment on the dismal situation at the Japanese nuclear plants.  Obviously, the switch has been turned to ‘survival mode’.  But risk decisions are still being made, individually and collectively.

The bravery of the nuclear plant workers who stayed to continue at their posts and try to avert a full catastrophe reflects 50 individual risk decisions  by people risking their own lives for the elusive greater good. 

One of the U.S. TV morning shows talked about the risk calculation being made about whether to continue to build nuclear plants when “stuff happens”, as this double play of earthquake-tsunami proves.  

The assets which are generated by nuclear energy are large amounts of relatively ‘clean’ energy.  The risks have been underwritten by governments which support the growth of these plants by sharing the risk with the electric companies to encourage them to build. 

The threats to these plants have been addressed dozens of times and right at the top of the list are both international and domestic terrorists; followed by natural disasters, including earthquakes, tsunamis (we added tsunamis into our threat matrix in 2002),  tornados and hurricanes; followed by sabotage by insiders who work in the plants themselves. 

Personnel working in these plants are heavily investigated and also undergo continuing scrutiny of their lifestyles, checking accounts, etc., because of the sensitivity of the work they do.    US National Public Radio (NPR) reported yesterday that U.S. nuke plants have a failure rate of 40% on security inspections – and that’s when they get TWO WEEKS ADVANCE NOTICE of the inspections.  What if they got no notice?  What kind of results would we see?

One of the major risk correlations in formal risk assessment is the Threat-Asset ratio, which means, for example,  don’t build a nuclear plant on an earthquake fault line.  If the threat is too high, it increases the probability that the asset (the plant) will be compromised and could experience a loss, based on a threat occurring.

The standard list of controls are also analyzed and these can range from specific security controls to having multiple backup power sources (that DO NOT DEPEND on electricity).    Obviously, when this control was no longer viable due to the natural disasters, that’s when things started to go rapidly downhill.

Without electricity to keep the cooling activities running, you have to start to look at the possible losses that could result from the event.   The nuclear power equation is especially worrisome because radioactivity is not only instantly fatal, but it can be blown around, and it is FOREVER.  It doesn’t burn itself out in a few days like a fire, or dry up like a flood when the sun comes out.

The risks/potential losses can include:

Loss of life of plant employees
Loss of life of the surrounding population – to 5 miles, 50 miles, 100 miles, farther?
Loss of the electricity that cannot be generated and what that means to a country.
Loss of the plant itself – as a replacement cost of billions of dollars.

The problem with the nuclear power risk equation is that the biggest potential loss is the contamination of one, two or multiple countries, possible permanent radioactive contamination of the ocean, or, in a very worst case, loss of the planet.

As this latest disaster proves, the potential loss is so high, that even twenty years of extra electricity don’t seem worth the risk, especially if the calculation includes plants built-in areas susceptible to the list of potential threats exactly like earthquakes.

We’re running a set of scenarios that will continue to evolve as the situation stabilizes or possibly gets even worse. It seems that Mother Nature is controlling events now.



Exploring Ideas to Prevent Disasters like the Haiti Earthquake Disaster

Exploring Ideas to Prevent Disasters like the Haiti Earthquake Disaster

CNN seems like it’s grabbed the lead on Haiti Earthquake coverage. They crossed that line last night when Sanjay Gupta, the CNN doctor, spent all night in a field hospital caring for patients that the UN left alone in a tent.

So there are thousands of images of the aftermath of the earth. Thousands of sad stories of loss and tragedy and all of it magnified by the grinding poverty of the country and it’s lack of government control and working infrastructure (even before the earthquake).

Obviously – it is impossible to prevent an earthquake, so there are three areas that could be explored to make earthquake disasters less horrific.

1. Advance notice of seismic activity in an area. Hurricane can be seen forming and building and can be graded, and prep work can began days before the disaster strikes
(yes – like Katrina). But perhaps it is also possible to have sensors that mark seismic activity. At least enough to get a glimmer of warning. My research says that there has been a project since 2007 to install sensors in the ocean floor to track tremors. After the Indonesian tsunami, the urgency to install these sensors increased dramatically. And because Haiti was on a fault line — I can’t help but wonder if someone somewhere in a research lab, may have noticed a few unusual tremors because this actually occurred.

2. Creating a System of International Building Codes. Obviously the death, injuries and damage occur from falling buildings and building materials (in the Haitian earthquake – cinder blocks). The UN could create standards for buildings with different standards based on the type of earthquake zone. For example, there could be a simple 1-5 scale and places that often have earthquakes (California, Japan, Pakistan) would have stricter standards than a place with almost no earthquakes, i.e. Florida and India.

While every building in a quake-prone country might not comply with the guidelines, the big multi-nationals would – the hotel chains, the government buildings (perhaps), and the better residential areas — and who lives in the better residential areas? The doctors, the medical professionals, the government officers, exactly the group of people you need in an emergency.

3. Creating Standards for Better Emergency Planning and Disaster Recovery.
The big increase in business continuity plans and disaster recovery plans (see
www.recoveryplanner.com) is amazingly limited to INFORMATION recovery and working to limit or prevent interruptions in information systems. The same kind of planning does not exist for disasters in most underdeveloped countries. Again, this is an area where the U.S. agency, FEMA could play a leading role; or the UN should make it a priority to do some kind of minimal planning standards for these devastating emergencies with massive injuries and loss of life.

The National Fire Protection Associations (www.nfpa.org) has published an Emergency Preparedness standard called NFPA 1600 – the Standard on Disaster/Emergency
Management and Business Continuity Programs and it’s a good example of the basics of Emergency Preparedness.

Individual countries would do their citizens a service by acquainting them with how to prepare families to survive in emergencies, whether they are triggered by power outages, severe cold, hurricanes or earthquakes!

Emergency Preparedness’ critical role in emergencies is something you can watch unfolding this week, as the relief efforts get stalled by lack of clear roads, problems at the airports, time involves in sea travel, etc. There has to be a better way – one that can be refined and used in future disasters.

In case you think you will never see an earthquake – here are the statistics on how many earthquakes occur in the world each year. These are averages but you can see that there is, on average, one giant earthquake, and seventeen large earthquakes, 134 strong earthquakes and many more light and moderate earthquakes.

TYPE STRENGTH AVERAGE PER YEAR
Great 8 or higher 11
Major 7–7.9 172
Strong 6–6.9 1342
Moderate 5–5.9 1,3192
Light 4–4.9 c. 13,000

The Boy Scouts were right when they adopted “BE PREPARED” as their motto.

These are three areas:

1. Better Ways to Predict Earthquakes (by even a day),
2. Minimum Building Codes based on local geography, and
3. Uniform Emergency Preparedness standards around the world.

These could be explored to prevent or at least mitigate the devastation we have seen in Haiti this week.




top