ASIS School of ESRM


Session 2 – Understanding Assets and Risk

Identifying and Prioritizing Risks


What is Risk?
Three components of risk:
• Assets (what we need to protect)
• Threats (what we need to protect it from)
• Vulnerabilities (how the threat might get to it)
Therefore, a Risk is the effect of a threat on a critical asset resulting in disruption to key business objectives.
What are Assets?
● People may include internal people like employees and other dedicated personnel as well as external people such as customers and other invited persons including contractors or guests.
● Physical assets include buildings, machinery, infrastructure.
● Information may include hard and soft copy documents, databases, software code, critical company records, personnel files, proprietary knowledge.
● Information & Communication Technology (ICT) – server rooms, laptops, other devices, IoT.

A Critical Asset Assessment is a means of prioritizing the importance or dependence that an organisation has on its assets.
Security Threats originate from human & non-human sources. They can affect the perceived or actual security & quality of life of individuals and the interests & choices available to organizations and governments.
Human Threats
These are deliberate, usually malicious, actions or attacks by human actors that could harm the customer’s assets.
Typically, human threats evolve to account for new protections, and so require continual assessment to ensure effective
protection. Human threats include categories such as theft, violence, vandalism, or unethical actions.

Accidents and Natural Hazards
These can be man-made or natural; they are unintentional and non-malicious and do not evolve in response to the mitigations in place. This category includes natural or accidental industrial disasters, safety issues such as a wet floor, security issues such as doors left open, or accidental harm to assets.

Social and Political Hazards
These encompass risks that are externally driven by systemic changes that are not easily controlled by the organization. They include changes in regulations, political climate, or social climate that security must consider as part of a holistic security risk management program.

Threat is a function of both Capability and Intent, which together define the Threat Level. Establishing this is known as a threat assessment.
Vulnerability
A Vulnerability is the gap or weakness in your security architecture that can be exploited by a threat actor to expose an asset to disruption or harm.

This is generally assessed through a control audit to establish Control Level Effectiveness.

Vulnerability must also consider the attractiveness of the asset to a potential threat actor. This is known as Target Attractiveness.

What is a Security Risk Assessment?
1. What are you trying to protect?
2. What are the most important assets that support it?
3. What threats might affect those assets?
4. How vulnerable are those assets to the threats you have identified?

Context
Enterprise Security Risk Management (ESRM) is a strategic approach to security management that ties an organization’s security practice to its mission, values, vision and objectives using globally established and accepted risk management principles.

Critical Asset Assessment

Critical asset/level | Target attractiveness | Asset/Risk owner | Threat/level | PSC/level | RSC/level | Risk level

Critical Asset Assessment

Critical asset/level | Target attractiveness | Asset/Risk owner | Threat/level | PSC/level | RSC/level | Risk level
Hotel guests         |                       | Hotel manager    |              |           |           |

Threat Assessment
Threat activity – What happened?
Threat actor – Who is responsible?
Threat driver – Why do they do it?
What is the level of Intent? – Little, Expressed, Determined
What is the level of Capability? – Low, Moderate, Extensive
Threat level – Low, Moderate, Significant, High, Extreme

Threat Activity | Threat Actor         | Threat Driver  | Intent    | Capability | Threat level
Pickpocketing   | Opportunist criminal | Financial gain | Expressed | Moderate   | Significant

Vulnerability Assessment
How attractive is a tourist visiting Kingston to a pickpocket?

Target attractiveness factors:
● Visibility
● Iconic status
● Threat access
● Collateral exposure
● Interdependency

Target attractiveness level: Extreme, High, Significant, Moderate, Low

Critical asset/level | Target attractiveness | Asset/Risk owner | Threat/level  | PSC/level | RSC/level | Risk level
Hotel guests         | High                  | Hotel manager    | Pickpocketing |           |           |

Vulnerability Assessment
What level of controls has the hotel put in place to mitigate the risk of pickpocketing of their guests?

Control Level Effectiveness: Unsatisfactory, Weak, Satisfactory, Good, Excellent

● Protective Security Controls (PSC) – stop it… e.g. a guest awareness campaign?
● Reactive Security Controls (RSC) – respond to it… e.g. a surveillance system?

Critical asset/level | Target attractiveness | Asset/Risk owner | Threat/level  | PSC/level | RSC/level    | Risk level
Hotel guests         | High                  | Hotel manager    | Pickpocketing | Awareness | Surveillance |

Risk assessment

Likelihood = Threat level × PSC level × Target attractiveness level
Impact = Consequence level × RSC level
Risk level = Likelihood × Impact

Critical asset/level | Target attractiveness | Asset/Risk owner | Threat/level  | PSC/level | RSC/level    | Risk level
Hotel guests         | High                  | Hotel manager    | Pickpocketing | Awareness | Surveillance | High
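The register calculation above can be carried through end to end in code. The following is an added worked example, not material from the ASIS deck: it implements the deck's threat assessment (Threat level from Intent and Capability) and the three formulas (Likelihood, Impact, Risk level) for the hotel-guest / pickpocketing row. The deck gives the ordinal scales and the formulas but no numbers, so everything numeric is an assumption made here: labels are scored 1..5, Control Level Effectiveness is inverted so that a better control contributes a smaller factor, the intent/capability matrix is built around the one data point the slides give (Expressed + Moderate → Significant), and products are mapped back onto the five-level scale by rounding their geometric mean. The PSC/RSC levels ("Weak") and the consequence level for the hotel row are constructed, since the slides name the controls but not their assessed levels. A second, "treated" row with stronger controls is included to show how the Treat option from the Evaluate risk step moves the score.

```python
"""Risk-register calculation for the Session 2 method.

Added worked example, not part of the ASIS deck. The deck supplies the
scales and the formulas

    Likelihood = Threat level x PSC level x Target attractiveness level
    Impact     = Consequence level x RSC level
    Risk level = Likelihood x Impact

but no numbers. All scoring, the intent/capability matrix and the
normalisation back to five levels are assumptions made for illustration.
"""
from dataclasses import dataclass, replace

FIVE_LEVEL = ["Low", "Moderate", "Significant", "High", "Extreme"]  # deck scale
INTENT = ["Little", "Expressed", "Determined"]                      # deck scale
CAPABILITY = ["Low", "Moderate", "Extensive"]                       # deck scale
# Control Level Effectiveness (deck scale), listed best -> worst so that
# index+1 is the inverted factor: Excellent contributes 1, Unsatisfactory 5.
CONTROL = ["Excellent", "Good", "Satisfactory", "Weak", "Unsatisfactory"]

# Assumed threat matrix (intent, capability) -> threat level. Only the
# Expressed/Moderate -> Significant cell is fixed by the deck's example.
THREAT_MATRIX = {
    ("Little", "Low"): "Low",                 ("Little", "Moderate"): "Low",
    ("Little", "Extensive"): "Moderate",      ("Expressed", "Low"): "Moderate",
    ("Expressed", "Moderate"): "Significant", ("Expressed", "Extensive"): "High",
    ("Determined", "Low"): "Significant",     ("Determined", "Moderate"): "High",
    ("Determined", "Extensive"): "Extreme",
}


def score(scale, label):
    """1-based position of a label on its ordinal scale."""
    if label not in scale:
        raise ValueError(f"{label!r} is not on scale {scale}")
    return scale.index(label) + 1


def to_level(product, n_factors):
    """Map a product of n_factors 1..5 scores back onto the five-level scale
    by rounding its geometric mean (assumed normalisation)."""
    return FIVE_LEVEL[max(1, min(5, round(product ** (1 / n_factors)))) - 1]


def threat_level(intent, capability):
    """Threat is a function of Capability and Intent (deck); matrix assumed."""
    return THREAT_MATRIX[(intent, capability)]


def likelihood(threat, psc, attractiveness):
    product = score(FIVE_LEVEL, threat) * score(CONTROL, psc) * score(FIVE_LEVEL, attractiveness)
    return to_level(product, 3)


def impact(consequence, rsc):
    return to_level(score(FIVE_LEVEL, consequence) * score(CONTROL, rsc), 2)


def risk_level(likelihood_lvl, impact_lvl):
    return to_level(score(FIVE_LEVEL, likelihood_lvl) * score(FIVE_LEVEL, impact_lvl), 2)


@dataclass
class RegisterRow:
    """One line of the critical asset assessment register from the deck."""
    critical_asset: str
    risk_owner: str
    threat: str
    intent: str
    capability: str
    attractiveness: str
    psc: str           # protective control and its assessed level
    psc_level: str
    rsc: str           # reactive control and its assessed level
    rsc_level: str
    consequence: str

    def assess(self):
        t = threat_level(self.intent, self.capability)
        lk = likelihood(t, self.psc_level, self.attractiveness)
        im = impact(self.consequence, self.rsc_level)
        return {"threat_level": t, "likelihood": lk, "impact": im,
                "risk_level": risk_level(lk, im)}


# The deck's hotel example. Intent, capability, attractiveness and control
# names come from the slides; the control levels and consequence are constructed.
HOTEL_ROW = RegisterRow(
    critical_asset="Hotel guests", risk_owner="Hotel manager", threat="Pickpocketing",
    intent="Expressed", capability="Moderate", attractiveness="High",
    psc="Guest awareness campaign", psc_level="Weak",
    rsc="Surveillance system", rsc_level="Weak", consequence="High",
)

# The same row after a 'Treat' decision with constructed stronger controls.
TREATED_ROW = replace(HOTEL_ROW, psc_level="Excellent", rsc_level="Good")

if __name__ == "__main__":
    for row in (HOTEL_ROW, TREATED_ROW):
        print(row.critical_asset, row.threat, row.psc_level, row.rsc_level, row.assess())
```

With the constructed levels the hotel row lands on High, matching the register above, and the treated row drops to Moderate; the point of the exercise is that the register is only as good as the control audit feeding the PSC and RSC levels, which is why the deck ties it to a Monitor & Review cycle.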

A dynamic security register

The foundation of successful Enterprise Security Risk Management (ESRM)

Evaluate risk
Tolerate
Transfer
Terminate
Treat ...
“ESRM involves educating business leaders on the realistic impacts of
identified risks, presenting potential strategies to mitigate those
impacts, then enacting the option chosen by the business in line with
accepted levels of business risk tolerance.”
John Petruzzi, CPP. ASIS International Board of Directors

Risk treatment

[Diagram: RISK at the centre, fed by Threat drivers and Consequences, with Protective Security Controls (PSC) on one side and Reactive Security Controls (RSC) on the other, and Threat Direction beneath.]

Monitor & Review
Is there a change in Context?
Is there a change in assets/owners?
Is there a change in Control Level Effectiveness (CLE)?
Is there a change in Threat?
Is there a change in profile (Target Attractiveness)?

The cycle as a management tool enables you to partner with the clients in a comprehensive security risk decision-making process. Security risks change constantly… all aspects of the program must be reviewed & monitored on an ongoing basis. Executive / Partner Feedback and risk metrics drive the cycle.

“Downloadable eBook: ESRM Toolbox outlining an ISO approach to Security Risk Assessment methodology”
Questions…?