
RISK AND RISK MEASUREMENT

INTRODUCTION

Life, they say, is an embodiment of risks. There are, however, venturable and avoidable risks. The business construction of the word "risk" is at variance with the security understanding of risk. What the two share is the probability of a loss if the appropriate variables are not considered and put in their respective positions. For example, an entrepreneur who intends to venture into an undertaking is expected to have done a feasibility study of the business and conducted a market survey to determine its viability. The difference between business risk and security risk, however, is that it may be possible to embark upon a business without a feasibility study and still succeed; the likelihood of achieving the same or a similar result in security risk is remote, because each security lapse is a vulnerable route. It therefore becomes necessary that a proper risk analysis is conducted as a precursor to, and is instructive in, the implementation of the organization's security policy and decisions.

WHAT IS A RISK

While conceding that there may not be a universally acceptable definition of security, it is not out of place to define risk in line with the objective anticipation of the security industry. According to James F. Broder, CPP, risk is the uncertainty of financial loss, the variations between actual and expected results, or the probability that a loss has occurred or will occur. The implication of the above is that risk is a possible occurrence of an undesirable event.

Perils (causes of risk):
i. Fire
ii. Flood
iii. Earthquake

Hazards:
i. Loaded gun
ii. Bottle containing acid or caustic soda
iii. Storage of inflammables

Risk:
- Speculative: it is the difference between loss and gain
- To person
- To property
- To liability from a second party, e.g. termination of employment, sexual harassment, etc.

TYPES
- Crime
- Accident
- Medical
- Environment
- Psychological/Emotional

RISK ANALYSIS AND ASSESSMENT

The scientific aspect of risk is the analysis for the purpose of determining probable loss; there is never an exact figure of loss. It is actually a management tool to determine the standard of actual loss acceptable. Risk analysis can, however, be assessed to determine the veracity of the analysis.

What then is risk assessment? Risk assessment is simply to identify what could go wrong, before and during an activity, and to take such decisions as will prevent or minimize these potential problems. There are basically five steps to risk assessment, viz.:

a. Look for the hazard: you have to stand back from the activities and look afresh.
b. Decide who might be harmed and how.
c. Evaluate the risk and decide whether existing precautions are adequate or whether there is a need to do more to reduce the risk.
d. Record your findings. The record must reflect a-c above. It must be suitable and effective and show that:
   (i) A proper check was made
   (ii) Who might be affected is identified
   (iii) All significant hazards were dealt with, taking into account potential users
   (iv) The suggested precautions are reasonable, and the remaining risk is judged acceptable
e. Review your assessment and revise it if necessary: the review should be carried out from time to time to ensure effectiveness and take care of new hazards.

The essence of the above is the careful examination of what, in your work, could cause harm to people, so that you can weigh up whether you have taken enough precautions or should do more to prevent harm. In other words, risk assessment analysis is a rational and orderly approach, and a comprehensive solution, to problem identification and probability determination. It is a method of estimating the expected loss from the occurrence of some adverse event.

ADVANTAGES OF RISK ANALYSIS TO THE MANAGEMENT

- It provides the information upon which to base decisions.
- The analysis will show the current security position of the organization.
- It will also reveal areas where greater or lesser security is needed.
- Risk analysis has a further advantage of helping to assemble some of the effective countermeasures.
- It will help to create security awareness by assessing and reporting the strengths and weaknesses of security to all organizational levels, from management to operations.

To achieve the above merits optimally, however, risk analysis must be performed periodically and continuously. Furthermore, the management has the primary obligation to support the risk analysis project, conscientize staff, employ a team of qualified analysts, review the team's findings and decide which of the recommended actions are to be implemented.

Risk Exposure Assessment

1. Determine the type of loss or risk that can affect the assets involved.
2. Estimate the probability of occurrence.
3. Qualifying/prioritizing loss potentials: measure the impact of risk.

RISK MEASUREMENT

It was Alian Krull who rephrased a seemingly commonly asked question to bring out the true meaning and essence of such a question. According to him: The question, "Is the system secure?" is essentially meaningless. The meaningful question is, "Is the system protected against events believed to be harmful?" To answer such a professional question, however, there must be some measurable yardstick to affirm or rebut the question. Risk measurement is a qualitative means of determining the potential cost of an unfavorable event and a logical expression of frequency of occurrence.

COST DETERMINATION AND FREQUENCY OF OCCURRENCE

The mathematical calculation applicable to risk measurement takes the cost valuation or impact (i) of the risk and the estimated frequency (f) of the occurrence of the risk to produce the annual loss expectancy (ALE), i.e.

i × f = ALE

Apart from this calculation, in effectively measuring risk there are basic elements that the risk analyst must of necessity consider and questions to which answers are required, viz.:

(i) Access Control:
- Is the access difficult, limited or open?
- Can any intruder gain access easily, or is it difficult?
- What about employees?
- Are there any access criteria? If any, what are they?

(ii) Natural Disaster:
- What kind of natural disaster might realistically occur?
- What degree of damage would occur?
- How will it affect processing, stores and supplies?
- How does the effect of loss of power or other utilities affect the entity?

(iii) Environment hazard:
- What are the specific hazards inherent in the operation?
- What is nearby (any nearby threat or risk)?
- Are there any explosive, inflammable objects in the area?
- Any nearby unused building?
- What is the effect of fire?
- Water damage
- Proximity to fire and police stations

(iv) Housing facility:
- What protective devices are installed or can be installed?
- Any burglar alarm system?
- What about an access control system?
- How about the building: construction, roofing, flooring?
- What is inflammable? Etc.

(v) Worth and Vicinity:
- What is the employee/employer relationship like (loyal/suspicious)?
- What are the employees' points of displeasure?
- Labour unionism?
- Supervisors' knowledge of and relationship with employees
- Management attitude towards employees' dishonesty (condoned or dismissed)?

(vi) Worth and Value:
- Worth of the intruder's profit?
- Value of damage that could result in all?
- How much can fraudulent employees gain?
- How long before an intrusion can be detected?
- What is the security response capability time?

THE CONCEPT OF PROBABILITY

Risk, they say, is the possible happening of an undesirable event. An event on its own is something that occurs, a definable occurrence. An event can be described in terms of the damage it will present if it occurs or in terms of the probability of its occurrence. The concept of probability vis-à-vis risk measurement is basically the study of the possibility of occurrence. The theory of probability is a product of the ingenuity of the Marquis de Laplace in his Théorie analytique des probabilités, based on philosophical proofs rather than mathematical proofs.

CONCLUSION

When security is defined as the implementation of a set of acceptable practices, procedures, and principles that, when taken as a whole, have the effect of altering the ratio of undesirable events to total events, the first principle and the importance of probability theory become evident. The principal problem that security must try to deal with is that all undesirable events are breaches of security. The goal of security design is to decrease the ratio of unfavorable events to total events. Obviously, some events are more likely to occur than others in the same area. In estimating the frequency of the occurrence where experience has been provided with a satisfactory degree of confidence. In new situations, or situations where data has not been or cannot be collected, there definitely would be insufficient knowledge upon which to base one's projection (James F. Broder).

LOSMAN'S PRINCIPLE OF RISK ANALYSIS

By CHARLES ONWUEGBUZIE
MORRIS ROYAL CONSULTING 08023341759

INTRODUCTION

Many of the concepts that are used in this paper may appear strange to the reader, either in their definition or in their application. This is because this presentation is based on the Losman School of Security Management. The Losman School focuses on the criminal instead of the specie at risk in order to prevent crime. The school bases crime prevention on the understanding and application of some psychological principles that control the behavior of the criminal.

RISK ANALYSIS

Risk analysis is the process of attempting to determine the seriousness of an anticipated undesirable event, so that appropriate measures can be taken to mitigate it. This process is a continuous activity in security management. For example, assume you are the security manager at Access Bank Plc and your bank has a branch in Kano. Suppose you receive a report of an imminent riot in Kano. It means that your organization is at risk due to the anticipated riot. To understand risk analysis, we need to understand the concept of risk.

UNDERSTANDING THE CONCEPT OF RISK


Bearing in mind that the fundamental objective of the security manager is risk control, the concept of risk is very important to the security manager. Many times, the concepts of risk and threat have been used interchangeably. However, these two concepts do not mean the same thing. Risk is defined as the chance of loss due to an undesirable event. One important understanding we can derive from the above definition is that risk is neither the occurrence nor the loss that might emanate from it. It is:

1. The chance of a particular event occurring.
2. The impact of the event (loss) on the victim, should it occur.

What we can understand from the above explanation is that risk has two elements, which are:

1. Probability.
2. Criticality.

If we can foresee the chance of an incident happening prior to the actual occurrence, then what we see is a risk. For example, if someone has his mobile phone exposed in his breast pocket in a crowded place, you can say that there is a possibility of the phone being stolen; this is not a certainty that the phone will be stolen, it is only a possibility. This means that the occurrence may or may not happen. Secondly, risk is expressed in terms of liability to violation; therefore, you can say that the phone is liable to theft.

Risk identification helps us to know what will happen in future, so that we can prevent it. You cannot prevent what you do not anticipate. In a facility, you would be able to identify two kinds of risks:

a) Crime risks
b) Accident risks

1. RISK ANALYSIS

After a risk has been identified, the next thing to do is to analyse it. Risk analysis is the determination of the probability and criticality of an anticipated event. The essence of risk analysis is to determine the seriousness of an anticipated event so as to know the amount of resources to allocate to dealing with it. There are two kinds of analysis:

A) Quantitative analysis (Criticality)
B) Qualitative analysis (Probability)

Efficient use of resources is very important in security management; therefore, not all risks will deserve the professional attention and seriousness of the security manager. Because of this, there has to be a mechanism by which the seriousness of a risk can be determined so that the deployment of resources can be prioritized in order to avoid wastage. Assuming we can identify seven risks in a facility, it may only be necessary for us to bother with providing protection against three of them, based on their seriousness; this means that we do not bother with the other four, which may be of little or no significance to the property owner. Furthermore, the loss that is expected to emanate in the event of an anticipated occurrence may be so insignificant that it becomes unreasonable to deploy resources to prevent it.

PROPERTIES OF RISKS
There are two properties of risk which risk analysis helps us to establish:

1. Probability: this is the measurement of the chance of occurrence of an anticipated event. As said earlier, not every risk will result in an occurrence. Therefore, the probability of a risk is important in determining its significance. A car may be liable to theft due to its beauty and accessibility, but environmental factors may reduce the probability of its being violated. There are two ways to infer the probability of an event:

a) Incident inference: this is where consideration of the probability of an event is based on past occurrences. This principle is based on the thought that there is a higher chance of an event happening if it has happened successfully before and the circumstances remain the same. For example, if a car was successfully stolen from a park in the night and another car is parked there in the night under the same security conditions, there is a higher chance that the second car will also be stolen. This is called the background of the incident (BG):

i. If an event happened before: BG = 1.
ii. If an event has not happened before: BG = 0.

b) Players inference: this is where the probability of an event is inferred based on the ability of the target specie to avoid a violation and the ability of the threat to cause a violation. For example, if robbers go to a facility that is guarded by armed mobile policemen, the differential of the capacity of the two groups will determine the success or failure of the operation. When the target specie has the inherent ability to avoid a violation, we call it INSET; when the target specie does not have the inherent ability to avoid a violation, we call it NON-OUTSET.

THE RELATIVE PROBABILITY INFERENCE TABLE:

i. INSET + OUTSET = 3
ii. INSET + NON-OUTSET = 1
iii. NON-INSET + OUTSET = 4
iv. NON-INSET + NON-OUTSET = 2

i. This table can be interpreted to mean that the relative probability of an event is 4 in a scenario where the threat has the inherent ability to cause the violation while the target specie lacks the inherent ability to avoid the violation.
ii. The relative probability of an event is 3 in a scenario where the threat has the inherent ability to cause a violation and the target specie has the inherent ability to avoid it.
iii. The relative probability of an event is 2 in a scenario where the threat lacks the inherent ability to cause a violation and the target specie also lacks the inherent ability to avoid it.
iv. The relative probability of an event is 1 in a scenario where the threat lacks the inherent ability to cause a violation and the target has the inherent ability to avoid it.

Occurrence-based probability: this is where the probability of an event is based on past occurrence. For example, if somebody is to travel on a road that has witnessed a high incidence of robbery, we can say that there is the probability of such a person being robbed.

2. THREAT ASSESSMENT

A threat is a person that has the capacity to violate a particular specie. If you are able to recognize that a particular incident is likely to occur, you should be able to identify, with more or less certainty, the threat that is likely to cause the event. As you already know, all criminal events are caused by human beings. Therefore, every threat in a scenario of crime is a human being. In vulnerability studies, you are required to present the person or persons that are likely to cause the anticipated event. Using our earlier example, if a girl walks along a deserted alley where there are miscreants, especially in the night, we can recognize the risk of her being raped. The threats are the miscreants. If you are unable to present the threat for a risk, your report is unlikely to be useful. There are two ways to present a threat:

i. Specific threats: this is where the individual or individuals that are likely to cause the anticipated event can be presented. Example: if you keep some money in your house and fear that your wife might remove it, then you have specified a threat, your wife.
ii. Unspecified threats: this is the kind of threat that you cannot specify. In the former example, miscreants are presented as a threat. "Miscreants" does not refer to any specific person; it simply presents a group of people. If you have an orchard near a school and you recognize that your fruit can be stolen, then a group that is likely to do the stealing is students. Therefore, students are your threats.

THE CAPACITY OF A THREAT

This is the measurement of the capacity of a threat to cause a violation. The capacity of a threat is determined by three elements, and these are:

a) Motivation: this element deals with the willingness of the threat to cause a violation, considering available deterrence.
b) Ability: this includes physical and intellectual abilities, technical skills, as well as equipment and weaponry.
c) Opportunity: opportunity refers to those factors outside the individual that enable him to do a thing. In criminality, those factors are:
   i. Information: this includes knowledge of the value, presence and conditions of the target specie, including the kind of security in place.
   ii. Vulnerability: this is the exposure of a valuable to violation. It is determined by two elements:
      1. Accessibility
      2. Susceptibility

MEASUREMENT OF THREAT CAPACITY (TC)

i. If a threat has either ability, opportunity or motivation, its capacity is = 1.
ii. If a threat has any two of the elements, its capacity is = 2.
iii. If a threat has all three of the elements, then its capacity is = 3.

Probability

Probability is the measurement of the likelihood of an event, or the mathematical odds of an event happening. Probability from a mathematical standpoint is complex to determine. It is a logical statement of the likelihood of an event occurring, such as being struck by lightning or winning a lottery. Fortunately, the odds can be calculated with exact accuracy when the factors of capability are applied to criminality. Since subjective behavioral variables can be converted to mathematical measurements, the probabilities can be precisely determined. We can also make objective decisions based on spatial relationship, location and history (James and Fitcher, 2000). In addition, consideration must be given to what security policies exist and how they may affect the chances of the event occurring. Can technology, say proximity card access, be compromised by unlawful duplication or circumvention of the system? And if so, what are the odds of that occurring, and are there processes in place to deter or frustrate such a potential threat?

Probability is the extent to which danger can act on a valuable, as calculated from all conceived possibilities. This is achieved through mathematical calculations under the following indices:

- If the probability of an event happening is 1, the crime is certain to happen.
- If the probability of an event happening is 0, the crime cannot happen.
- If the probability of an event happening is p, and the probability of the event not happening is q, then q = 1 - p.

CALCULATION OF THE PROBABILITY OF AN EVENT

PRINCIPLES:

1. If the probability of an event is = 1, then the event is certain to occur.
2. If the probability of an event is = 0, then the event is certain not to happen.
3. The probability of an event is based on the continuum between 0 and 1.
4. Probability cannot be less than 0 and cannot be more than 1.
5. The probability of an event is calculated as the sum of BG, RP and TC divided by 8. Thus: Probability = (BG + RP + TC) / 8
6. BG = Event background, RP = Relative probability, TC = Threat capacity.

CASE: A cashier in JM Bush Nigeria Limited was given the sum of =N=3,000,000 to deposit in the bank. When he got there, the teller confirmed that the money was actually =N=3,100,000. In the past, this cashier has never returned such money to the office. What is the probability that he will also embezzle this =N=100,000?

i. The event has been happening before: BG = 1.
ii. The cash cannot avoid being stolen; therefore, RP = 4.
iii. The cashier has ability and motivation, and the cash is vulnerable. Therefore, TC = 3.

Probability = (1 + 4 + 3) / 8 = 8/8 = 1

This means that the cashier is certain to embezzle the money. Therefore, the probability that the officer will steal the cash is 0.86, which is very high. In the above scenario, it is natural to reason that the officer will not steal the money since attraction is zero based on his background, but this is not so, because opportunity is overwhelming and this leads to temptation.

Criticality

Criticality is the calculation of the possible impact of an anticipated event based on the value of the species at risk and the potential effects on the victim. The reason for the measurement of criticality is to accurately determine priorities in the deployment of limited resources. For this reason, the security manager has to test every risk to assess the potential impact. There are three divisions of the potential impact of an event:

A) Disastrous impact: when the impact of an event can incapacitate the victim, either temporarily or permanently.
B) Critical impact: when an event can cause embarrassment to the victim.
C) Valuable impact: where the impact of an event is equal to the value of the specie at risk.
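The BG + RP + TC calculation described above, as an added Python example that is not part of the original paper. The `Scenario` class, its field names and the second register entry are constructed for illustration; the example also goes beyond the worked case by enumerating every input combination to show the range of scores the formula can produce.

```python
from dataclasses import dataclass
from itertools import product

# Relative probability (RP) table from the paper, keyed by
# (target can avoid the violation = INSET, threat can cause it = OUTSET).
RELATIVE_PROBABILITY = {
    (True, True): 3,    # INSET + OUTSET
    (True, False): 1,   # INSET + NON-OUTSET
    (False, True): 4,   # NON-INSET + OUTSET
    (False, False): 2,  # NON-INSET + NON-OUTSET
}


@dataclass(frozen=True)
class Scenario:
    """One anticipated event; class and field names are illustrative."""
    name: str
    happened_before: bool    # incident background (BG)
    target_can_avoid: bool   # INSET when True
    threat_can_cause: bool   # OUTSET when True
    motivation: bool         # the three elements of threat capacity (TC)
    ability: bool
    opportunity: bool

    def __post_init__(self):
        # The paper defines TC only for one, two or three elements present.
        if not (self.motivation or self.ability or self.opportunity):
            raise ValueError("TC is undefined when the threat has no element")

    @property
    def bg(self):
        return 1 if self.happened_before else 0

    @property
    def rp(self):
        return RELATIVE_PROBABILITY[(self.target_can_avoid, self.threat_can_cause)]

    @property
    def tc(self):
        return sum((self.motivation, self.ability, self.opportunity))

    def probability(self):
        """Probability = (BG + RP + TC) / 8, as stated in principle 5."""
        return (self.bg + self.rp + self.tc) / 8


def rank(scenarios):
    """Order a risk register from most to least probable."""
    return sorted(scenarios, key=lambda s: s.probability(), reverse=True)


def attainable_range():
    """Lowest and highest score over every valid combination of inputs."""
    scores = [
        Scenario("combo", bg, inset, outset, m, a, o).probability()
        for bg, inset, outset, m, a, o in product((False, True), repeat=6)
        if m or a or o
    ]
    return min(scores), max(scores)


# The cashier case from the paper: BG = 1, RP = 4, TC = 3.
CASHIER = Scenario("cashier keeps surplus cash", True, False, True, True, True, True)
# Constructed entry: no history, target can avoid, threat has motivation only.
VISITOR = Scenario("visitor removes guarded item", False, True, False, True, False, False)

if __name__ == "__main__":
    for s in rank([VISITOR, CASHIER]):
        print(f"{s.name}: BG={s.bg} RP={s.rp} TC={s.tc} P={s.probability():.3f}")
    print("attainable range:", attainable_range())
```

Under the paper's definitions the lowest score the formula can return is 0.25, so a probability of 0 never comes out of the calculation itself.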

MEASUREMENT OF CRITICALITY

As we have seen above, criticality is the impact of an undesirable event on the victim. It is important for a security manager to determine the likely impact of an event before it actually occurs. This helps the security manager to prioritize the allocation of resources based on the severity of the anticipated impact. Depending on the circumstances of an event, not all losses can result. The security manager should therefore be able to group anticipated losses into which losses are possible, which are probable and which are likely.

Possible loss: this is all the losses that can result from an anticipated event, considering available protection. For example, if robbers attack a bank, the possible loss is the value of all species that are susceptible to the attack. From the above example, if there is =N=5m in cash in the vault of the bank, and all the other computers, equipment and furniture, including the cost of medical care to people who may suffer physical injuries as a result of the attack, amount to another =N=3m, then the possible loss is equal to =N=8m. Note that other social and psychological effects of the possible attack are not quantifiable in monetary terms.

Probable loss: this refers to the losses that may result from an anticipated event in the face of present security arrangements. Still using the above example, is it common practice for robbers to damage or remove the furniture and equipment in a bank? Remember that the security of the robbers is of great essence to them too. How convenient is it, and how much time do they have? If they steal this equipment, do they have a need or a market for it? These and many others are the questions that must be answered in order to establish the probable loss of an anticipated event.

Likely loss: likely loss is the sum of all the losses that will ultimately result, considering available security arrangements. From the example, we know that the cash will be removed if the vault is not indomitable to the attack; then we can enumerate all other species that are susceptible to the attack in the circumstance.

THE PROBABILITY AND CRITICALITY MATRIX

Criminals do not attack just anything they see. Therefore, a thing must be of value to a criminal for him to attack it. No matter the motivation of a criminal, a valuable must catch his fancy for him to attack it. Therefore, we can say that two factors jointly determine the attention to be paid to a security fault and the resources to be allocated. These are the probability of the attack and the anticipated impact of the attack on the victim.

[Figure: Probability and Criticality Matrix. Rows: Disastrous impact, Serious impact, Valuable impact. Horizontal axis: Probability (0, 0.5, 0.8, 1.0). Cell values 8, 5, 3, 7, 2, 1; original layout not recoverable.]

A calculation of the imminence of an event should be made before a decision can be made in terms of prioritizing the deployment of resources to correct a physical deficiency. The question to ask is: will a loss certainly occur if no processes are deployed? Or is it highly unlikely that the situation will lead to a loss?
