Threat is a function of both Capability and Intent; together they define the Threat Level. Establishing it is known as a threat assessment.
Vulnerability
A Vulnerability is the gap or weakness in your security architecture that can be exploited by a threat actor to expose an asset to disruption or harm.
What is a Security Risk Assessment
1. What are you trying to protect?
Context
Enterprise Security Risk Management (ESRM) is a strategic approach to security management that ties an organization’s security practice to its mission, values, vision and objectives using globally established and accepted risk management principles.
Critical asset: Hotel guests | Risk owner: Hotel manager
Threat Assessment
Threat activity – What happened?
Threat actor – Who is responsible?
Threat driver – Why do they do it?
What is the level of Intent? – Little, Expressed, Determined
What is the level of Capability? – Low, Moderate, Extensive
Threat level – Low, Moderate, Significant, High, Extreme
Threat Activity | Threat Actor | Threat Driver | Intent | Capability | Threat level
Vulnerability Assessment
How attractive is a tourist visiting Kingston to a pickpocket?
Target attractiveness factors:
● Visibility
● Iconic status
● Threat access
● Collateral exposure
● Interdependency
Attractiveness rating scale: Extreme, High, Significant, Moderate, Low
Threat: Pickpocketing | Critical asset: Hotel guests | Target asset attractiveness: High | Risk owner: Hotel manager
Vulnerability Assessment
What level of controls has the hotel put in place to mitigate the risk of pick pocketing of their guests?
● Protective Security Controls (PSC) – stop it ..
● Reactive Security Controls (RSC) – respond to it ..
Control rating scale: Unsatisfactory, Weak, Satisfactory, Good, Excellent
Controls identified for the hotel: PSC – Awareness; RSC – Surveillance
Risk assessment
Critical asset/level | Target asset attractiveness | Threat/level | PSC/level | RSC/level | Risk level | Risk owner
Hotel guests | High | Pickpocketing | Awareness | Surveillance | High | Hotel manager
The foundation of successful Enterprise Security Risk Management (ESRM)
Evaluate risk
● Tolerate
● Transfer
● Terminate
● Treat ...
“ESRM involves educating business leaders on the realistic impacts of
identified risks, presenting potential strategies to mitigate those
impacts, then enacting the option chosen by the business in line with
accepted levels of business risk tolerance.”
John Petruzzi, CPP. ASIS International Board of Directors
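To make the threat, vulnerability and risk scoring steps and the tolerance test above concrete, here is an added Python model of the deck's scales (example code, not from the presenter or ASIS). The rules that combine Intent and Capability into a threat level, derive Control Level Effectiveness from the PSC and RSC ratings, and turn exposure and controls into a risk level are assumptions, as are the intent, capability and control ratings for the pickpocketing scenario, which the slides do not state.

```python
# Scales as named on the slides, ordered from lowest to highest.
INTENT = ["Little", "Expressed", "Determined"]
CAPABILITY = ["Low", "Moderate", "Extensive"]
LEVELS = ["Low", "Moderate", "Significant", "High", "Extreme"]  # threat, attractiveness, risk
CONTROL = ["Unsatisfactory", "Weak", "Satisfactory", "Good", "Excellent"]


def threat_level(intent: str, capability: str) -> str:
    """Threat as a function of Intent and Capability.
    Assumed combination rule (not from the deck): add the two indices (0..4)."""
    return LEVELS[INTENT.index(intent) + CAPABILITY.index(capability)]


def control_level_effectiveness(psc: str, rsc: str) -> str:
    """Assumed rule: the weaker of the protective (PSC) and reactive (RSC)
    control ratings sets the Control Level Effectiveness (CLE)."""
    return CONTROL[min(CONTROL.index(psc), CONTROL.index(rsc))]


def risk_level(threat: str, attractiveness: str, psc: str, rsc: str) -> str:
    """Assumed rule: exposure is the rounded-up mean of threat and target
    attractiveness; Satisfactory controls leave it unchanged, each step
    better lowers the risk one level, each step worse raises it one level."""
    exposure = (LEVELS.index(threat) + LEVELS.index(attractiveness) + 1) // 2
    cle = control_level_effectiveness(psc, rsc)
    adjustment = CONTROL.index(cle) - CONTROL.index("Satisfactory")
    return LEVELS[max(0, min(len(LEVELS) - 1, exposure - adjustment))]


def needs_treatment(risk: str, tolerance: str) -> bool:
    """Evaluate risk: above the business's accepted level it must be treated
    (or transferred / terminated); at or below it, it can be tolerated."""
    return LEVELS.index(risk) > LEVELS.index(tolerance)


def assess(asset, owner, activity, intent, capability, attractiveness,
           psc, rsc, psc_level, rsc_level) -> dict:
    """Build one row of the deck's risk register (column names from the slide)."""
    threat = threat_level(intent, capability)
    return {
        "Critical asset": asset,
        "Target asset attractiveness": attractiveness,
        "Threat/level": f"{activity}/{threat}",
        "PSC/level": f"{psc}/{psc_level}",
        "RSC/level": f"{rsc}/{rsc_level}",
        "Risk level": risk_level(threat, attractiveness, psc_level, rsc_level),
        "Risk owner": owner,
    }


# Constructed inputs for the deck's pickpocketing scenario: intent, capability and the
# control ratings are assumptions; the slides give only attractiveness = High, risk = High.
HOTEL_ROW = assess("Hotel guests", "Hotel manager", "Pickpocketing", "Expressed", "Moderate",
                   "High", "Awareness", "Surveillance", "Satisfactory", "Satisfactory")
```

Re-running `risk_level` with the same inputs but Good controls shows the treatment effect the deck's cycle is meant to track: the risk drops from High to Significant.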
Risk treatment
(Diagram) Threat drivers → Protective Security Controls (PSC) → RISK → Reactive Security Controls (RSC) → Consequences, arranged along the Threat Direction.
Monitor & Review
Is there a change in Context?
Is there a change in assets/owners?
Is there a change in Control Level Effectiveness (CLE)?
Is there a change in Threat?
The cycle as a management tool enables you to partner with the clients in a comprehensive security risk decision-making process.
Security risks change constantly… all aspects of the program must be reviewed & monitored on an ongoing basis.
“Downloadable eBook: ESRM Toolbox outlining an ISO approach to Security Risk Assessment methodology”
Questions…?
5 Minute Break