Risk and Security LLC

Risk Assessments, Training and More

This content shows Simple View

return on investment

After Action report on LAX Shooting Recommends Risk Assessments

The Los Angeles World Airports (LAWA) released the long-anticipated After
Action Analysis on the LAX Active Shooter Incident in 2013.

The 83-page report was written by an independent consultant who analyzed
all aspects of the Shooting incident and includes a list of “Major Observations
and Recommendations.”   The recommendations are “to provide focus for
LAWA’s efforts toward continuous improvement in it’s security and emergency
preparedness programs.  

These areas were highlighted in the report as “7 priority observations that merit
special consideration.

Recommendation 1.1:  Evolve the LAX Security Program to reflect a more
integrated assessment of security risk and provide for the ongoing development
and management of mitigation measures.

Recommendation 1.2:  Based on the RISK ASSESSMENT and updated security
plan, consider the focus and structure of security functions to determine whether
realignment and integration are needed.

Recommendation 1.3:  With the benefit of recent vulnerability and risk assessments,
take a risk-based approach to evaluating current security programs and explore
intelligent use of technology.”

Once again, doing frequent Security Risk Assessments and managing the security
program and enhancements to follow the recommendations of the Risk Assess-
ment are the first recommendations in the After Action Analysis of an Active
Shooter Incident.

In my experience, in most organizations, Facility Security Risk Assessments are
not conducted correctly, are not reported to senior management, and not used as a
tool to ADJUST AND FOCUS the security program based on RISK.

Why aren’t security risk assessments done more often?  

1.  People don’t have the right expertise to do a full risk assessment.

2.  Security managers view Security Risk Assessments are too difficult
     to undertake.

3.  Law enforcement personnel still do not understand the concept of risk 
     assessments and instead, tend to rely on checklists of controls or
     security elements, rather than integrating all the information to
     create a true Risk-Based model for security.

The solution to this problem is to use affordable, easy to use software tools, like
the Risk-Pro Application for Facilties Security Assessment  and their Risk-Pro
Application for Active Shooter Incident to simplify the process of doing more
frequent risk assessments and using them as a management tool to focus
security so it will be able to recommend the security enhancements that are
needed, and not only how MUCH to spend, but actually dictate the order
of necessary controls.

Far from being a boring, intellectual exercise, well done security risk 
assessments can dramatically reduce the possibility of an active shooter
event, and also mitigate the many negative consequences that come
from such disruptive incidents.




Wondering Which Security Controls Offer the Highest Protection for Less Money?

Security Controls can be incredibly cost effective or astronomically expensive.  And when you’re faced with a facility or a school campus, or a system that has to be secured, but you also have a budget to keep in mind – what do you do?

The simple answer is ROI – Return on Investment.  This simple calculation compares the Cost of the Proposed Control to the Protection is Provides and that creates the magic ROI Number.

Here’s an example:   A hospital near the New Jersey shore wants to create a new emergency ops center.  They have the space,
but it would cost about $250,000 to build it out.  Here’s what we look at – how often would they use an emergency ops center?

Threat data shows that they would need to use it about 3-6

Operations Center (OPS)
Operations Center (OPS)

times a year, including severe storms, thunderstorms and hurricanes.

(After Hurricane Sandy, the hospital was closed for two days because they were not able to resume service right away.  As a result, the hospital lost about $2,000,000 per day because it could not bill for any services, none could be provided.)  

So we take that lost $2,000,000 per day and say that if we could keep the facility open because we had a better operational center, we could easily save 2 days of revenue which is $4,000,000 for the 2 days, and if it cost us only $ 250,000, and saves us $ 4,000,000, that’s a Return on Investment of SIXTEEN to ONE, 16:1.

Say it saved us 3 days of revenue a year – that’s a ROI of TWENTY-FOUR to ONE, 24:1!

You can get more info by writing to me directly at caroline@riskandsecurityllc.com and requesting a webinar invitation,
or a copy of the video.


Will the Risk of the Sequester Affect Security Budgets in 2013?

Every time the TV is on, every anchor is crying about the dreaded Sequester.

Will it have an impact on security budgets?  I have seen security budgets, especially for the facilities security departments, swing from almost unlimited budgets after 2001, to bare bones in 2009 and 2010, and thought they were trending back up for 2013.

Now, with the uncertainty about what a Sequester  actually is, (please note my use of the capital “S”), how will it affect our security departments?

Obviously, the most obvious casualty are the government contractors who’s contracts may be arbitrarily cut, and civilian managers of federal programs will see lost days and furloughs.

The trickle-down effect will probably extend to state, county and municipal governments, too.   So that means it’s even more important to start budgeting new security controls so that the most important get the funding!

One of the themes we go over in our webinar programs is how important it is to create a COST JUSTIFICATION and Return on Investment information so that you can create a business case for every control you need to improve security.

And one more thought on the Sequester – we often see an increase in crime, white collar crime and fraud when things are unsettled and people aren’t sure what’s going to happen next.

Maybe it’s a good time to do another risk assessment?  Maybe the Sequester is the next new Threat!



Data-Driven Security – Using Metrics to Focus & Target Security Programs

Security programs can be dramatically improved by using a metrics-based assessment to focus them on the areas of greatest threat, and to use metrics as a management tool to keep the security program targeted on the areas that need the most attention.

Using a data-driven approach – that is, using real numbers to measure
and quantify security, always results in tangible improvements.

Management of a security program is no different than management of any other department, whether it’s human resources, cash flow, employee productiveness, profitability, or any other set of metrics that organizations use to measure how well something is being done, and how it could be improved.

Security officers may complain that management is not listening to their complaints, including not making enough money available to implement new technology, or to fix a loophole that has the potential to create havoc in the organization.

Most security conferences feature sessions with titles like “How to Sell Security to Management” and try to address this disconnect between senior management and their security programs. Peter Drucker, the world famous management consultant, said “If you can’t measure it, you can’t manage it.”

Fortunately, recent improvements in security technology and in development of wider reporting of threats and vulnerabilities, allow management metrics to be applied to the management of the security program to target the program to be maximally effective, to focus the available dollars in the areas which would provide the most protection for the least amount of money, and to prioritize the controls that need to be implemented,  based on their return on investment.

Risk assessments are the foundation of a data-driven security program. Through the process of risk assessment, managers can measure the effectiveness of the organization’s total security program, including analyzing the value of the organizational assets, the threat level (based on the mission of the organization), the existing vulnerabilities, and the effectiveness of existing controls.

Basing the risk assessment on the concept of data-driven security means that real numbers are used in the following areas:

1.  Determining the value of the assets of the organization, including the facilities, the personnel, the security systems and the current controls.

2.  Analyzing the Threat Level, based on either internal incident reports, or industry data, including the Uniform Crime reports. 

3. Identifying vulnerabilities in the organization, including surveying individuals at every level of the organization, from the local facility manager to the CEO to find out how they are implementing security in their workplace.

4. Identifying potential categories of loss, which help focus the security program on the problem areas.

5. Analyzing current Controls that are currently in place, or that could be added to protect an organization.

By gathering data in these 5 categories, it becomes possible to run scenarios that pair the threat and vulnerability, match it to organizational assets, analyze the loss potential, and evaluate the cost effectiveness of a variety of different controls and prioritize security controls by “bang for the buck”.

Using data-based security builds a bridge between executive management and the security professionals in the organization who now have an avenue for open communication and consideration of the role of security throughout the organization.




Put your Hospital Security Department on a Low Fat Diet

Hospitals are reeling from potential losses in funding related to state budget cut-backs
and potential cuts in Medicare programs.  Every area of the hospital budget are being scrutinized, looking for areas to cut and reduce costs.

Instead of waiting for a memo about cuts that affect YOUR department, be a
pro-active manager and right-size your security department and show management
the changes you want to make.

It is possible to have an efficient, accountable security department without having costs run out of control.  It has to be based on real dollars, on real risks and it has to have the ability to show management WHY you need each element in your program.

The already-required risk assessment is the first start in this process.  When regulators come in to a hospital, they want to see the risk assessment first, and then they look to see if you followed the remediation plan identified in the risk assessment, which means they want to see you made the right improvements, based on the plan.

By including program elements in the risk assessment, and mapping it back to your actual budget, you can easily say that the Return On Investment is for each part of your program.

How to get Management On Board with Security Enhancements — or how to avoid cocktail party security decisions.

One of the most aggrevating issues that security people have to deal with is someone who has no security background and knows little about the current technology, who decides what should be funded based on:

1. My wife thinks cameras are an invasion of privacy.
2. My secretary like X instead of Y
3. My friend, Sam, said his company was adding
some new widget.

This applies whether you are doing corporate security or information security and it is basically having your management make an emotional decision, or what I call a “cocktail party decision” about where the security budget should be spent.

Don’t confuse them with the facts. In fact, most of this is from people who do not understand the complexities of security or the interactions of various security solutions with each other.

Last evening, I spent quite a bit of time with a client from Asia, who had a big client who couldn’t decide which solutions they wanted to implement. Should it be A or B; and how to set it up? Regionally? by Business Unit? By Subsidiary? By Sub-subsidiary?

As we discussed it, I realized that the Director in question was really avoiding having to spend any money! It wasn’t about the decision – it was sort of smoke and mirrors to avoid having to admit a lack of funding for security.

In these cases, when your organization may have had the budget trimmed, cut or slashed — it is imperative to be able to use some quantative measurement of the risk to justify the cost of the controls. Whether you have enough budget for one control, or for everything, it must always be prioritized by NEED and by RISK. By Return On Investment. What losses can we prevent or avoid if we add this specific control? How much loss are we preventing? What is our potential exposure if we do nothing?

These are the elements that need to be understood by management in order to get the right controls in place, in the right amounts, at the right time.

Return On Investment (ROI) Risk Assessment Relationship

The relationship between the Risk Assessment and the Return On Investment for good security is very important to management because it creates a business case for further investment and “appropriate investment” in the IT security program.  Return On Investment is that ratio that tells you if you invest so much, you’ll get so much back in return. 

IT security directors should also be interested in Return On Investment because it has the side benefit of cost justifying the security budget and making sure you get the controls you need to support your infrastructure.

Cost justification based on the results of the risk assessment is a requirement for financial institutions and the healthcare industry — especially with the FFIEC and the DHS’ HIPAA requirement.   For example, for banks, the FFIEC Examiner’s Handbook for IT Security says, “A risk assessment provides a foundation for the remainder of the security process by guiding the selection and implementation of security controls and the timing and nature of testing those controls.”  

The selection of the appropriate security controls for an organization is based on several factors:

1.  The percent of the control that is currently in place.

2.  The cost of increasing the implementation of the control to 100%.

3.  The cost of maintaining and auditing the control over time.

Again, the idea of the Return on Investment is that the most needed controls are funded by the organization first, so that money is not applied to less critical areas, leaving the very sensitive areas, like protection of customer information, exposed.  The main components of calculating a Return On Investment are the value of the assets, and that includes not only the replacement value, but also the sensitivity and confidentiality of the information — especially the potential loss to the asset of an incident.  For example, the reputation cost of a high profile identity theft could be devastating to a bank or credit union.

To estimate asset value, the confidentiality, integrity and availability (CIA) are values that have to be included in the risk assessment because these can all cause a devastating loss to a organization.   Adding identify theft to the already long list of other threats (which also have to be factored into the ROI equation), has been addressed by the FDIC and NCUA with the new Red Flag (FACT) CFR (Federal Registry).  

Take a look at the controls your organization is planning to add to your IT infrastructure and see if they pass the ROI test. 


Caroline R. Hamilton is the Founder of RiskWatch, Inc., the original top-rated risk assessment software.  Hamilton served on the NIST Model-Builder’s Workshop on Risk Management from 1988-1995 and on the National Security Agency’s Network Rating Workshop.  In addition, she was a member of the U.S. Department of Defense’s Defensive Information Warfare Risk Management Model and has worked on a variety of risk assessment and risk management groups, including the ASIS Information Technology Security Council and the IBM Data Governance Council, created by Steven Adler.  Hamilton also received the Maritime Security Council’s Distinguished Service Award and has written for a variety of books and magazines including the CSI Alert, the Computer Security Journal, the ISSA Newsletter, The HIPAA Compliance Handbook, Defense News, Security & Design, Cargo Security and many other publications.  Based in Annapolis, Maryland, Hamilton is a graduate of the University of California.