Wednesday, December 28, 2011

Difference Between A Security Assessment and A Risk Analysis

The security assessment process is a common method used to determine specific security needs for a specific business based on the issue of foreseeability – the standard that Courts will use to determine if security was adequate and sufficient when security is legally challenged as a result of some incident that has occurred (something bad happens, someone gets hurt, you get sued). Pretty basic.

The security assessment process takes into account four specific issues: the inherent nature of the business (every place has its own inbuilt problems and vulnerabilities); the history of problems at the business (while not an exact predictor, past problems at any given place demonstrate the potential for future problems, all else being equal); the history of problems in the area surrounding the business (problems which occur in the neighborhood have a tendency to affect everything within the neighborhood; nothing is immune); and industry standards/guidelines/best practices (what has been determined to work in similar places under similar circumstances is at least a good starting point to identify potential security strategies and tactics as related to identified threats and risks). Pretty straightforward for determining foreseeability – that which may occur.

But the concern for being sued shouldn’t be the only reason why a good security program should be part of a sound business plan – it’s just plain good business to maintain a place where assets are protected and employees and customers are safe.

So before a strategy to prevent and mitigate problems is formulated, perhaps we should first remember why security is important in the first place. And that determination can be accomplished by a risk analysis.

Before we begin figuring out why security is important, there are two basic premises that must be clearly understood:

1. There is no such thing as absolute or perfect security: No security program can ever totally assure that bad things will not occur or that a legal challenge will not be successful. Depending on a number of uncontrollable variables – such as the commitment, motivation and persistence of a bad guy; the inexplicable failure of a protective measure at a crucial time; or even the whims of a jury – the best security measures may sometimes fail. So the best that can be hoped for is to control as many facets of the security strategy as possible, and to monitor the strategies sufficiently to assure that unanticipated failures can be best and most expediently mitigated.

2. There are always alternatives to how security measures can be implemented: Because the practice of security is both science and art – the science being the body of knowledge used in protective efforts; the art being the most appropriate application of that knowledge to a given circumstance – there will always be alternate ways to blend the stuff and the applications into a sound, workable and efficient protective strategy.

So here’s what we know thus far:

· Every business and its stuff needs to be protected.

· Every business needs to be concerned about liability.

· Since every business and its stuff is different from everyone else’s business and stuff, efforts to protect anyone’s business and stuff will necessarily be different from the efforts to protect anyone else’s business and stuff.

If we accept these enumerated hypotheses, it becomes obvious that some formal, or at least conscious, consideration must be given to the development of a security program – if I want to adequately protect my stuff and my liability, I need to consider my situation and develop a security plan accordingly. So how do I do that? Here’s the outline for our risk analysis:

· If I need to protect my business and my stuff and my liability, I need to know exactly what my business and my stuff and my liability is (these are my “assets” and they include not only my building and equipment but my employees and customers and vendors and my reputation and my business practices and anything else that is valuable to me).

· If I need to protect my business and my stuff and my liability, I need to know all of the potential problems and threats I might encounter (these are my “risks” and they include all the manmade and natural problems, both deliberate and inadvertent that pose a threat to my business).

· If I’ve identified all my potential problems and threats, I need to know how likely it is that each of those problems and threats might occur (all of the bad things that can potentially happen at my business do not all have the same potential for happening – an assault is more likely than a tornado, employee theft is more likely than an armed robbery, etc. – so we need to figure out what is most likely to occur so that we can determine which security measures will be most appropriate).

· If I’ve determined the likelihood of occurrence of each of my potential problems and threats, I need to know what the impact would be to my business, stuff and liability if any of those potential problems or threats occurred (even if/when something bad occurs, the impact on the business will differ – the loss from an employee caught stealing on his first day of work has less impact on the bottom line than the loss from an employee who has been stealing for the past 3 years; an attempted robbery in which an innocent bystander is seriously injured has greater impact on a business’s reputation than a loud disagreement about incorrect change – so we need to figure out which of the bad things most likely to occur will have the greatest negative impact if/when they do occur, so that we can determine how best to allocate the limited resources for security measures).

· If I need to develop a plan to protect my business and stuff from liability, I need to know if any adequate safeguards are currently in place (we need to determine if existing security measures are adequate to protect all identified assets and meet all identified risks, and to determine what additional security measures might need to be implemented).
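The five steps of the outline above, carried through as a small risk register that ranks threats by what is left after existing safeguards are counted. This is an added example, not part of the original post; the 1-to-5 scales, the 0-to-1 control-effectiveness figure, the threshold values and the store's scores are all constructed conventions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEntry:
    """One row of the risk analysis: steps 2-5 of the outline, tied to an asset (step 1)."""
    asset: str
    threat: str
    likelihood: int               # step 3: 1 (remote) .. 5 (expected); constructed ordinal scale
    impact: int                   # step 4: 1 (negligible) .. 5 (severe)
    control_effectiveness: float  # step 5: 0.0 (no safeguard) .. 1.0 (fully mitigates)

    def __post_init__(self):
        # Reject out-of-scale scores early; a typo here silently reorders the whole register.
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.threat}: likelihood and impact must be 1..5")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError(f"{self.threat}: control effectiveness must be 0..1")

    def inherent_risk(self) -> int:
        # Likelihood times impact, before crediting any safeguard already in place.
        return self.likelihood * self.impact

    def residual_risk(self) -> float:
        # What remains after existing safeguards; this is what should drive resource allocation.
        return round(self.inherent_risk() * (1.0 - self.control_effectiveness), 1)


def prioritize(register):
    """Return (threat, residual risk) pairs, highest residual risk first."""
    ranked = sorted(register, key=lambda r: r.residual_risk(), reverse=True)
    return [(r.threat, r.residual_risk()) for r in ranked]


def safeguard_gaps(register, min_inherent=10, weak_control=0.5):
    """Threats that are both significant and under-protected: the step-5 question."""
    return [r.threat for r in register
            if r.inherent_risk() >= min_inherent and r.control_effectiveness < weak_control]


# Constructed register for a hypothetical retail store; scores are illustrative, not measured.
REGISTER = [
    RiskEntry("inventory and cash", "employee theft", 4, 3, 0.25),
    RiskEntry("customers and staff", "assault in parking lot", 3, 5, 0.5),
    RiskEntry("cash and staff", "armed robbery", 2, 5, 0.6),
    RiskEntry("building", "tornado", 1, 5, 0.0),
]

if __name__ == "__main__":
    for threat, residual in prioritize(REGISTER):
        print(f"{threat:24s} residual risk {residual}")
    print("under-protected:", safeguard_gaps(REGISTER))
```

Note that the tornado, the least likely event, still outranks armed robbery once the robbery controls are credited, which is the point of asking about existing safeguards before spending anything new.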

So there you have it – we’ve come full circle: We know how to implement appropriate security strategies that will protect our businesses and do so in a manner that is legally defensible (by determining foreseeability via a security assessment); and we now know how to determine why we need a security program (as identified via a risk analysis).