Category Archives: Threat Assessment

School Security Threat Assessment Program Helps Schools Identify Weaknesses in Security after Sandy Hook Shootings


Boca Raton, Florida,  Dec. 17, 2012

 

Schools around the U.S. have found it difficult to put strong security controls in place because of lack of funding and resistance by parents and staff, who, unfortunately, saw physical security controls as too restrictive.

After the recent tragedy in Newtown, CT, it is critically important that every school do a security threat/risk assessment to see where its own vulnerabilities may be.

To address the situation and make it easier to do a simple, effective school security assessment, Risk and Security LLC has announced a new School Security app, which can run on a tablet, smart phone or laptop.

The Risk-Pro for School Security© app is available for only $495.00 for non-profit healthcare organizations ($595.00 for others), and comes with an on-line user guide and free training.

The program looks at the entire school, addressing areas like access control, entry controls, and incident response. The program was developed by Caroline Hamilton with the National Institute of Justice and Eastern Kentucky University to create an easy way for schools to use FEMA 428, How to have Safe Schools.

The web 2.0 program, Risk-Pro for School Security©,  is affordable and simple to use.  It includes fully-updated threat databases, and automated web-surveys  based on security requirements from FEMA 428.

“With 3-year-old twins in my family, I was highly motivated to make sure they are safe at their pre-school, and have fielded calls from dozens of security professionals who are worried about their children’s school security posture. The Risk-Pro© model has been used for easy software applications with the Department of Defense and over fifty hospitals, health plans and government agencies.

About Risk & Security LLC

Risk & Security  LLC is a security risk assessment and risk analysis company with over 30 years of combined expertise in security risk.  It specializes in consulting on risk assessment projects and global application development of risk solutions.  Risk & Security partners with security companies around the world to provide state-of-the-art security expertise to analyze risk and recommend cost-effective countermeasures.

The team of risk and security experts is led by Caroline Ramsey-Hamilton, who has created more than 18 security assessment software programs, and conducted more than 200 specialized security risk assessments in a variety of environments, including companies in the United States and around the world.

 

 

For more information: caroline@riskandsecurityllc.com

Why the State Department Needs Better Threat-Risk Assessments

Obviously, the tragedy in Libya this week focused the world’s attention, not just on the bodies of our countrymen returning home, but made me wonder about the risk assessments and threat assessments that are routinely done in these extremely sensitive locations.

Unfortunately, the threat assessments tend to be more political forecasting and less about the reality of the situation on the ground.  One problem with these simple manual threat/risk assessments is that they take too long to complete.  Maybe they spend a few days looking at the physical controls, and then a week writing up a report, and much of it may rely on anecdotal incidents or reports of questionable value.

That’s why I am a believer in automating these threat/risk assessments, and in a potentially dangerous area like the whole country of Libya, they should be at least weekly, or bi-weekly, or even daily when tensions are running high.  It allows you to get a quick assessment in less than 30 minutes, and allows for quick updating, which is critical in situations like this week.

And no, I don’t believe a threat/risk assessment would necessarily PREVENT a terrible tragedy like the death of an American Ambassador, but I do think that having these updated assessments allows for safeguards to be continuously checked, measured and improved, and also may expose weaknesses that can be exploited by a terrorist group when the opportunity presents itself.

The practice of running continual assessments is not used very often, but when it is, it’s very effective because when the situation goes south, you already have the blueprint of what to do right in front of you, and it allows better decision support under such stressful conditions.

The information-sharing done by different groups can be wrapped up in the risk assessment and combined, so that maybe a higher threat condition can be identified, in time to relocate, leave the country, or whatever else it takes to protect the lives of our diplomatic staff.

 

A Terrible Day in Colorado – Terrorism by Twenty-Something

Just saw that now 71 people were shot at the Aurora, Colorado theatre, and 12 have died, including children.

This is exactly the kind of incident that I used to think would wake everyone up to the dangers of NOT doing annual security reviews, and  NOT allowing everyone on the planet to stock their attic with automatic assault rifles, and instead, we are at an intersection in the national dialogue where talking about assault rifles, OR security controls, is something people would rather ignore.

Whether it’s the hospital security administrator who thinks posting a simple “NO WEAPONS” sign is too much security, to the facilities who deny the security officers any weapons bigger than a purse-size pepper spray, they are actually ENABLING security incidents of this type.

I heard these officials on CNN saying, “It’s not terrorism”! It certainly IS terrorism. It’s just domestic terrorism, but it shows you how easy it would be for a terrorist to walk into the US, buy some AK-47s and walk into a regional mall, a batting cage, a mega-church, a hospital, a sports arena, and proceed to kill dozens of innocent people in just a few minutes.

With 71 shot, and 12 dead, it is more deadly than your typical IED in Afghanistan! It’s more deadly because there is human ‘intelligence’ (and I use the word loosely) behind the attack. Instead of a simple detonation event, the shooter can choose victims, look them in the eyes and then kill them.

This is an intentional event by someone so lost that he didn’t even put up any resistance to police.  Why should he, he’s already made his statement and now has his 15 minutes of fame.   That is 5.5 people killed or injured for each 1 minute of fame.

If you are reading this today, you should do a quick risk assessment of your organization and make sure your staff are developing situational awareness, watching and evaluating what is going on around them.  It may make the difference between life and death someday.

Man Makes Meth in his Car in Hospital Parking Lot

Hospital security cameras showed that a 33-year-old man was making meth in his car in the facility’s parking lot before the vehicle became engulfed in flames. The man was burned over 80 percent of his body and later died of his injuries. The car, which was in the Horizon Medical Center lot, was captured on security video that showed the man mixing ingredients just before there was a fireball inside the car. A sheriff’s office detective working security at Horizon requested assistance to put out the fire. In examining the site, he noticed canisters and other possible drug-related items in the car and called the drug task force, according to news accounts.

Get Ready for Severe Weather!

Whether it is spring tornadoes or spring-summer thunderstorms and hurricanes, we officially enter the season of severe weather across the U.S.

As a major focus at the beginning of each severe weather season, take a few minutes to get ready and make sure you are prepared, and your kids are prepared, and your pets are prepared.

You can download a complete list of preparation details at www.ready.gov but here is a short list to review:

1.  Keep enough food and water for at least two weeks.

2.  Have a family evacuation plan and practice it often, including a meeting place.

3.  Keep a ‘ready-kit’ in your car with extra food, water, change of clothes and don’t forget to include pet food, plastic bags, diapers and other essentials that could carry you for a few days.

4.  Make sure to keep large trees trimmed to decrease the chance they could fall on your house.

5.  Use the internet, like Twitter or National Weather Service, to get breaking alerts, and invest in a battery powered radio.

6.  Keep extra batteries available to keep the radio alerts going.

7.  Keep your car gassed up, instead of running out during an emergency and finding it’s out of gas, and remember, if the power goes out, the gas pumps don’t work.

8.  Stay alert and try to keep a day ahead of the weather!

Severe Tornados and Why We Need to Stay Prepared

The damage and destruction from the path of a tornado is incredible – and only matched by the sad stories of the survivors, if they are lucky enough to survive.

If there’s one thing that social media has improved – it is the ability of an individual in an affected area to get detailed updates by the minute on a smartphone or over the internet.

The old early warning systems were set up for radio; that was in the days when everyone listened to radios. I do listen to the radio for maybe 5 minutes a day, in the car, just long enough to put in the CD or connect my iPod. So the Twitter accounts and iPhone-smartphone apps from CNN, the National Weather Service, Weatherbug and dozens more really help to keep people informed.

I often hear news anchors lament the over-availability of information these days, but I think the more access we get to this kind of information and other kinds of info is absolutely a wonderful thing for society and for most people!

If you do live in a tornado-, hurricane- or other disaster-likely area, the Weatherbug app is one of the best because you can set it to actually chirp if severe weather threatens.

As far as risk reduction – being able to protect yourself against major weather events is one of the threats you can more easily eliminate or at least manage.

Are there mor

“Although the average number of April tornadoes steadily increased from 74 a year in the 1950s to 163 a year in the 2000s, nearly all of the increase is of the least powerful tornadoes that may touch down briefly without causing much damage. That suggests better reporting is largely responsible for the increase.

There are, on average, 1,300 tornadoes each year in the United States, which have caused an average of 65 deaths annually in recent years.

The number of tornadoes rated from EF1 to EF5 on the enhanced Fujita scale, used to measure tornado strength, has stayed relatively constant for the past half century at about 500 annually. But in that time the number of confirmed EF0 tornadoes has steadily increased to more than 800 a year from less than 100 a year, said Harold Brooks, a research meteorologist at the National Severe Storms Laboratory. ”

 

 

Data-Driven Security – Using Metrics to Focus & Target Security Programs

Security programs can be dramatically improved by using a metrics-based assessment to focus them on the areas of greatest threat, and to use metrics as a management tool to keep the security program targeted on the areas that need the most attention.

Using a data-driven approach – that is, using real numbers to measure and quantify security – always results in tangible improvements.

Management of a security program is no different than management of any other department, whether it’s human resources, cash flow, employee productiveness, profitability, or any other set of metrics that organizations use to measure how well something is being done, and how it could be improved.

Security officers may complain that management is not listening to their complaints, including not making enough money available to implement new technology, or to fix a loophole that has the potential to create havoc in the organization.

Most security conferences feature sessions with titles like “How to Sell Security to Management” and try to address this disconnect between senior management and their security programs. Peter Drucker, the world famous management consultant, said “If you can’t measure it, you can’t manage it.”

Fortunately, recent improvements in security technology and in development of wider reporting of threats and vulnerabilities, allow management metrics to be applied to the management of the security program to target the program to be maximally effective, to focus the available dollars in the areas which would provide the most protection for the least amount of money, and to prioritize the controls that need to be implemented,  based on their return on investment.

Risk assessments are the foundation of a data-driven security program. Through the process of risk assessment, managers can measure the effectiveness of the organization’s total security program, including analyzing the value of the organizational assets, the threat level (based on the mission of the organization), the existing vulnerabilities, and the effectiveness of existing controls.

Basing the risk assessment on the concept of data-driven security means that real numbers are used in the following areas:

1.  Determining the value of the assets of the organization, including the facilities, the personnel, the security systems and the current controls.

2.  Analyzing the Threat Level, based on either internal incident reports, or industry data, including the Uniform Crime Reports.

3. Identifying vulnerabilities in the organization, including surveying individuals at every level of the organization, from the local facility manager to the CEO to find out how they are implementing security in their workplace.

4. Identifying potential categories of loss, which help focus the security program on the problem areas.

5. Analyzing Controls that are currently in place, or that could be added to protect an organization.

By gathering data in these 5 categories, it becomes possible to run scenarios that pair the threat and vulnerability, match it to organizational assets, analyze the loss potential, and evaluate the cost effectiveness of a variety of different controls and prioritize security controls by “bang for the buck”.
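One way to run the scenarios described above, as an added example that is not part of the original post or of any product named on this page. It assumes a simple annualized-loss formula (incident rate times vulnerability times asset value times loss fraction); every threat, figure and control below is constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class Scenario:
    threat: str
    asset: str
    asset_value: float    # category 1: value of the asset, in dollars
    annual_rate: float    # category 2: expected incidents per year
    vulnerability: float  # category 3: 0..1 share of incidents that succeed
    loss_fraction: float  # category 4: 0..1 share of asset value lost per incident

    def annual_loss(self) -> float:
        """Expected yearly loss for this threat/asset pairing (assumed formula)."""
        return (self.annual_rate * self.vulnerability
                * self.asset_value * self.loss_fraction)

@dataclass
class Control:
    name: str
    annual_cost: float    # category 5: yearly cost of the control, in dollars
    reduces: dict         # threat name -> 0..1 cut in expected loss

def residual_loss(scenarios, control):
    """Total expected yearly loss once a single control is in place."""
    return sum(s.annual_loss() * (1.0 - control.reduces.get(s.threat, 0.0))
               for s in scenarios)

def rank_controls(scenarios, controls):
    """Return (name, dollars saved per year, saved per dollar spent), best first."""
    baseline = sum(s.annual_loss() for s in scenarios)
    rows = []
    for c in controls:
        if c.annual_cost <= 0:
            raise ValueError(f"control {c.name!r} needs a positive cost")
        saved = baseline - residual_loss(scenarios, c)
        rows.append((c.name, round(saved, 2), round(saved / c.annual_cost, 2)))
    return sorted(rows, key=lambda row: row[2], reverse=True)

# Constructed sample data, not taken from any real assessment.
SCENARIOS = [
    Scenario("workplace violence", "staff", 1_000_000, 2.0, 0.5, 0.1),
    Scenario("theft", "equipment", 200_000, 4.0, 0.25, 0.05),
    Scenario("flood", "facility", 5_000_000, 0.02, 1.0, 0.3),
]
CONTROLS = [
    Control("flood barriers", 25_000, {"flood": 0.5}),
    Control("camera coverage", 5_000, {"theft": 0.6}),
    Control("entry access control", 20_000,
            {"workplace violence": 0.4, "theft": 0.5}),
]

if __name__ == "__main__":
    for name, saved, per_dollar in rank_controls(SCENARIOS, CONTROLS):
        print(f"{name:22s} saves ${saved:>10,.2f}/yr  ({per_dollar} per $1 spent)")
```

The ranking can put a cheap control ahead of one that saves more in absolute terms, so read both columns before deciding.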

Using data-based security builds a bridge between executive management and the security professionals in the organization who now have an avenue for open communication and consideration of the role of security throughout the organization.

 

 

 

Threat Modeling is the Exciting, Sexy Part of Risk Assessment

As a risk assessment professional, when I get into a risk discussion, most security people want to talk about THREAT!  Threat is the most sexy and exciting part of doing a risk assessment.

Threats are exciting all by themselves.  Think about all the threats you can name:

All the natural disasters like Earthquakes, Tornadoes, Storms, Hurricanes, Tsunamis, Lightning, Floods

Crimes like Homicide, Assault, Rape, Burglary, Theft, Kidnapping, Blackmail, Extortion

Terrorism like Sabotage, Explosions, Mail Bombs, Suicide Bombs

All the IT Threats like Malicious Code, Disclosure, Data Breaches, Theft of Data

And about 50 more including Chem/Bio incidents, Magnetic waves, High Energy Bursts, Microbursts, Contamination and Reputation Damage.

Each of these threats could theoretically occur at any time, but we try to establish a pattern of how often they have occurred in the past, in this location, in this county, in this country, in the company, etc.   So NASA, for example, gets thousands of hacker attacks, but another company, like the local Salvation Army, gets 1 every 10 years.

The same model applies to natural disasters. Although you might have to factor in climate change, it’s easy to get the threat incidents for hurricanes in Florida, snow storms in Cleveland, earthquakes in northern California, etc.

We also like to examine industry specific data to see if some threats are higher in a certain industry, like the high incidence of workplace violence incidents in hospitals and high risk retail establishments (like Wawa or 7-11).

Another factor we use in calculating threat likelihood is how the threat could actually affect different types of assets…. for example, would an earthquake damage a car?  Probably not. Would it cause damage to an old historical building – probably (unless it had been retrofitted).  Could it cause loss of life, or injuries (think Haiti).

So I use a multidimensional model that takes the threats list (I have a standard list of 75 threats that I use), and maps it to each potential loss, based on the ‘asset’ that might be affected.

The more data you get, the better your model will be, and the more value it will have as a decision support tool!

 

What’s the Risk of Backing Newt Gingrich?

Hundreds of the shakers and movers in the Republican party AND the Democratic party are doing their risk assessments this week on who to openly support, and doing the risk calculation on whether it is better to wait and see what emerges, or make their comments/endorsements now and worry about the fallout later!

Here is the kind of risk model for politics that people use, often unconsciously- to make those decisions. Political risk is especially tricky because there are 2 stakeholders to consider:

1. what’s good for ME personally
2. what’s good for THE PARTY, DISTRICT, or COUNTRY.

Here’s a list of threats that politicians worry about in a situation like this:

1. Lose my current position
2. Lose my Power in the Party/Coalition/Media
3. Lose campaign contributions
4. Lose voters
5. Lose tea party support
6. Lose respect from peers
7. Lose future election
8. Lose income
9. Look wrong in the media
10. Create bad sound bite
11. Face Reprisals Later from Establishment
12. Lose Media Support (however it exists).

More tomorrow on how to value the assets of an ongoing campaign.

Webinar Looks at New OSHA Workplace Violence Directive

Workplace violence incidents have been on the rise in several specific organizations, including hospitals, home health organizations, social workers who do in-home visits, and also late-night retail stores.

On September 8, 2011, OSHA suddenly released their internal Directive on what their OSHA investigators look for when they go to an organization to investigate a Workplace Violence incident.

Whether the incident involves a domestic violence incident, like when a husband shoots his wife at work, or whether it is patient violence against the Emergency Room nurses, it is a big problem that has increased over the last 8 years.

We have set up a special no-cost webinar to review the new directive and see what it means for employers. Join us to look at how to protect your organization and make sure your staff and patients stay safe.