CPP STUDY COURSE - PowerPoint PPT Presentation

1
CPP STUDY COURSE
Protection of Assets Manual
Security Vulnerability
Presented By Mike Webster, CPP
President, CEO
Secure Concepts International
2
Presentation Overview
  • Vulnerability Assessment
  • Vulnerability Assessment Model
  • Loss Event Profile
  • Loss Event Probability/Frequency
  • Loss Event Criticality
  • Threat Analysis
  • Countermeasures
  • Cost Benefit Analysis
  • Team Approach

3
Security Vulnerability
  • Risks/Threats
  • Assets
  • Probability
  • Criticality
  • Threat Analysis
  • Countermeasures
  • Cost Benefit Analysis
  • Measurement

No security plan or program can be effective
unless based upon a clear understanding of the
actual risks it faces.
4
Loss Event Profile
  • Assets
  • Threats
  • Risks

Define a loss event by identifying the kinds of
threats or risks affecting the assets to be
safeguarded.
  • Business or Conventional Risk - The individual
    events of manufacture, distribution, and sale
    that produced a profit gain or loss.
  • Pure Risk - Anticipated profits are not realized
    because of some event which could only cause a
    loss - Calls for loss prevention measures.

5
Loss Event Profile
  • Assets
  • Threats
  • Risks

Pure Risk Loss Events
  • Nuclear War
  • Natural Catastrophe
  • Industrial Disaster
  • Civil Disturbance
  • Crime
  • Conflicts of Interest
  • Workplace Violence
  • Terrorism
6
Loss Event Probability or Frequency
  • What is the likelihood of a loss event occurring?
  • Typical probability calculations are not
    practical because:
      • Not all simultaneous events are equally
        probable.
      • Some events will occur more than once.
  • We can employ the following concept:
      • The more ways a particular event can occur in
        given circumstances, the greater the
        probability that it will occur.

7
Loss Event Probability or Frequency
For effective assessment of probability, as many
as possible of those circumstances that could
produce the loss must be known and recognized.
PROBABILITY FACTORS
  • Physical Environment Factors
  • Social Environment Factors
  • Political Environment Factors
  • Historical Experience
  • Criminal State of the Art

8
Loss Event Probability or Frequency
Physical Environment Factors
  • Composition
  • Climate
  • Geography
  • Location
  • Conditions of Use

9
Loss Event Probability or Frequency
Social Environment Factors
  • Ethnic Identity
  • Age Groups
  • Income Levels
  • Neighborhood
  • Social History
  • Planning
  • Crime

10
Loss Event Probability or Frequency
Political Environment Factors
  • Government Unit
  • General Tone
  • Attitudes
  • Political Area

11
Loss Event Probability or Frequency
Historical Experience
The collection and organization of incident data
about past losses or suspected losses. Problem -
Not usually done or done well. Typical - insured
loss data only. Accurate historical information
about losses or loss events can be among the most
useful information kept by an enterprise.
12
Loss Event Probability or Frequency
Use Checklists, Matrices and Ratings
Use checklists to identify assets, risks, threats
and vulnerabilities. Use a matrix and ratings
system to prioritize risks and threats.
13
Loss Event Probability or Frequency
Loss Event Probability Ratings
  • Virtually Certain
  • Highly Probable
  • Moderately Probable
  • Improbable
  • Probability Unknown

14
Loss Event Criticality
Highly probable risks may not require
countermeasures attention if the net damage they
would produce is small. But moderately probable
risks require attention if the size of the loss
they produce is great.
Loss impact can be measured in employee morale,
community relations or public image, and in
dollars. POA defines dollars as the most
important criticality factor.
15
Loss Event Criticality
Costs to be considered
PERMANENT REPLACEMENT
TEMPORARY SUBSTITUTE
RELATED COSTS
LOST INCOME COSTS
DIRECT COSTS
INDIRECT COSTS
  • Money
  • Negotiable Instruments
  • Property
  • Information
  • Intellectual Property
  • Reputation
  • Goodwill
  • Loss of Employees
  • Morale of Employees

16
Loss Event Criticality
Criticality Ratings
  • Fatal
  • Very Serious
  • Moderately Serious
  • Relatively Unimportant
  • Seriousness Unknown
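
The probability and criticality ratings above can be combined into a ranking matrix. The following is an added example, not part of the original presentation; the numeric weights, the product score and the sample loss events are assumptions chosen for illustration.

```python
# Ordinal weights are an assumption; the slides give only the rating names.
PROBABILITY = {"Virtually Certain": 4, "Highly Probable": 3,
               "Moderately Probable": 2, "Improbable": 1,
               "Probability Unknown": None}
CRITICALITY = {"Fatal": 4, "Very Serious": 3, "Moderately Serious": 2,
               "Relatively Unimportant": 1, "Seriousness Unknown": None}

def prioritize(events):
    """Rank (name, probability, criticality) tuples, highest priority first.

    Returns (ranked, unrated). Events with an Unknown rating are returned
    separately: an unknown is a gap in the assessment, not a low score.
    """
    ranked, unrated = [], []
    for name, prob, crit in events:
        p, c = PROBABILITY[prob], CRITICALITY[crit]  # KeyError on a bad rating
        if p is None or c is None:
            unrated.append(name)
        else:
            ranked.append((p * c, c, name))
    # Highest score first; ties go to the more critical event, then by name.
    ranked.sort(key=lambda r: (-r[0], -r[1], r[2]))
    return [(name, score) for score, _, name in ranked], unrated

# Constructed sample loss events.
EVENTS = [
    ("Pilferage of office supplies", "Highly Probable", "Relatively Unimportant"),
    ("Warehouse fire", "Moderately Probable", "Fatal"),
    ("Theft of finished goods", "Highly Probable", "Very Serious"),
    ("Workplace violence", "Improbable", "Seriousness Unknown"),
]

if __name__ == "__main__":
    ranked, unrated = prioritize(EVENTS)
    for name, score in ranked:
        print(f"{score:>2}  {name}")
    print("Needs further assessment:", ", ".join(unrated))
```

The moderately probable but fatal fire outranks the highly probable but unimportant pilferage, which is the point made on the Loss Event Criticality slide.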

17
Threat Analysis
After prioritizing risks and threats by
performing probability and criticality analysis,
prepare a solution to the identified security
problems by analyzing the prioritized threats.

For each security risk identified as a primary
vulnerability, certain events or conditions are
necessary before it can occur. Use a threat
modeling process to uncover these critical events
and conditions.
18
Threat Analysis
Threat Model
[Diagram: threat tree for "Theft of finished
goods", with OR and AND gates connecting the
nodes Manufacturing Floor, Quality Control Room,
Warehouse and Dock, Gain Access, During
Production, Enter Area, Remain Unobserved]

Network Design: Arrange risks, threats and
vulnerabilities to find common inter-relationships
to address multiple risks with single
countermeasures.
19
Countermeasures
Countermeasures should be developed at junction
points or leverage points in the threat model.

Countermeasures Criteria
  • Validity
  • Degree of Reliability
  • Approximate Cost
  • Delay in implementation

Keep the System Current
There are 3 main reasons for security losses.
  • Failure to recognize vulnerabilities
  • Wrong countermeasures
  • Failure to consider change
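
One way to find junction points in an AND/OR threat model is to ask which conditions, if denied, stop the loss event from occurring. The following is an added example, not part of the original presentation; the condition names echo the Threat Model slide, but the way they are wired together is an assumption.

```python
from itertools import combinations

def leaf(name):
    return ("LEAF", name)

# Constructed tree: the loss event occurs if ANY branch succeeds (OR),
# and a branch succeeds only if ALL of its conditions hold (AND).
THEFT = ("OR", [
    ("AND", [leaf("enter manufacturing floor"), leaf("remain unobserved")]),
    ("AND", [leaf("enter quality control room"), leaf("remain unobserved")]),
    ("AND", [leaf("enter warehouse and dock"),
             leaf("gain access during production")]),
])

def leaves(node):
    """Names of every condition that appears in the tree."""
    kind, body = node
    if kind == "LEAF":
        return {body}
    return set().union(*(leaves(child) for child in body))

def can_occur(node, blocked):
    """True if the event is still possible with `blocked` conditions denied."""
    kind, body = node
    if kind == "LEAF":
        return body not in blocked
    results = [can_occur(child, blocked) for child in body]
    return all(results) if kind == "AND" else any(results)

def smallest_blocking_sets(tree):
    """Smallest sets of conditions whose denial prevents the loss event."""
    names = sorted(leaves(tree))
    for size in range(1, len(names) + 1):
        hits = [set(combo) for combo in combinations(names, size)
                if not can_occur(tree, set(combo))]
        if hits:
            return hits
    return []

def branches_defeated(tree, condition):
    """How many top-level branches a single denied condition shuts down."""
    return sum(not can_occur(branch, {condition}) for branch in tree[1])

if __name__ == "__main__":
    for name in sorted(leaves(THEFT)):
        print(branches_defeated(THEFT, name), name)
    print(smallest_blocking_sets(THEFT))
```

Here "remain unobserved" is the leverage point: one countermeasure against it closes two branches, and it appears in every smallest blocking set.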

20
Cost Benefit Analysis
Security expenditures are typically considered
resources that could be used elsewhere in an
organization to enhance profitability.

Economic Justification of Security
Security professionals are regularly placed in
the position of justifying expenditures for
security program requirements. It is a difficult
task to quantify expenditures to protect against
intangible losses.
21
Cost Benefit Analysis
Methods for justifying security expenditures

COST AVOIDANCE: Demonstrate that the losses which
would (or probably would) have occurred without
the security program did not occur at all or did
not occur to the extent expected.

ASSET RECOVERIES: Identifying and evaluating
actual recoveries made solely as a result of
having a security program.

ROE Model
  AL  = avoided losses
  R   = recoveries made
  CSP = cost of the security program
  ROE = return on expenditures

  ROE = (AL + R) / CSP
22
Team Approach to Vulnerability Assessment
It is necessary that all exposures be considered
when developing a security program. Including
team members from various business units will
ensure a more detailed analysis of risk exposure.

Other Target Functions
Data Processing Travel Department Cashier
Transportation Returned Goods Salvage/Scrap
Warranty Admin. General Insurance Real Estate
Fixed Asset Accounting Tools Maintenance
Advertising Food Service

Permanent Team Members
  • Security or Loss Prevention Manager
  • General Auditor
  • Accounting Manager
  • Information Systems Manager
  • Controller
  • Treasurer
23
Security Vulnerability
  • Risks/Threats
  • Assets
  • Probability
  • Criticality
  • Threat Analysis
  • Countermeasures
  • Cost Benefit Analysis
  • Measurement

No security plan or program can be effective
unless based upon a clear understanding of the
actual risks it faces.
24
CPP STUDY COURSE
Discussion
Presented By Mike Webster, CPP
President, CEO
Secure Concepts International
13649 Montfort Drive, Suite 320
Dallas, TX 75240
(972) 789-0140
www.sci4security.com