The Essentials of a Physical Security Systems Risk Assessment

Created by the Security Executive Council

The following is a brief guide on the essentials of a physical security systems risk assessment.
Before you begin an assessment of your security systems, you need to know your security goals. All your security activities should support these goals. If you don't have a clear understanding of your goals, you will not be able to implement a cost-effective system that meets your needs.

A clear statement of your security goals is usually built on answers to questions like the following:

  • Do I want to correct a problem or reduce a potential risk?
  • Do my proposed solutions address the needs that I have identified?
  • Are my solutions consistent with the business culture?
  • Will the solutions hinder business operations?
  • Will the solutions enhance security performance guidelines for the business?
  • Is new technology part of the solution?
  • Is the new technology consistent with the long-range plans of the business?

Physical security must make sense within the context of your business operations. To build a security system that works for any business, the needs of that business must first be assessed.

At the core of this assessment are the following operational issues:
  • What is the general level of risk for this business?
  • What are the critical events that will stop this business?
  • What are the products, information, and assets at this site? What specific risks are associated with each of them?
  • How do people and materials enter and leave?
  • What are the work schedules?

We recommend a security assessment as the first step in assessing the needs of your business. This helps you arrive at an overall assessment of the security issues relating to your business operations—your people, information, property, product, and the corporation's reputation.

In order to use a security assessment properly, you first need to understand three fundamental elements of security: probability, criticality, and vulnerability. The next section describes how an effective security assessment is based on these three concepts.

An effective security assessment applies an understanding of the fundamental elements of security to a particular location or area within the business. As you look at each area, you must consider the following questions:
  • What is the probability of a security-related incident occurring in this area?
  • How critical might the incident be to my business operations?
  • How vulnerable is the area to a security incident?

Answers to these questions help you to arrive at an assessment of the level of security risk associated with a particular area of your business.

Probability is the likelihood that a security incident will occur, independent of any effort you may make to avoid the incident. Probability is affected by factors such as your location and environment, your product, the personnel at your site, and other factors that are essentially beyond your control.

For example, if your facility is in a high-density area of a large city, the probability of parking lot incidents and vandalism is much greater than if your facility is in a small rural town. Or, if you use a proprietary process or have proprietary information that has a high market value, you are more likely to have theft attempts than if you don't use such a process or possess such information.

As you perform a security assessment, keep in mind that each area of your business must be evaluated in terms of the probability that security incidents will occur there. As you assess each area of your business, make a list of the most frequent incidents that have occurred in your building, at your location, and in the surrounding area or neighborhood.

The criticality of a security incident is the degree to which it affects your ability to do business. An incident with high criticality is one that:
  • Interrupts your business operations;
  • Has significant operational or legal ramifications;
  • Impacts or reduces sales;
  • Erodes the quality of your products or services;
  • Gives the competition a significant advantage;
  • Causes the loss of substantial revenue; and/or
  • Damages the corporation's reputation.

As you assess each area of your business, make a list of the security incidents that could have a high degree of criticality.

Vulnerability is a measure of your ability to prevent a security incident. Your current security system and procedures represent the active steps you've taken to decrease your vulnerability.

Vulnerability is a dynamic concept. It changes whenever your environment, operations, personnel, business and/or systems change. Each time a substantive security-related change occurs in an area of your business, you need to reconsider your vulnerability in that area.

As you assess your business, keep track of the things that make it easier to reduce the likelihood that an incident will occur, as well as the ones that make it more difficult.

The most cost-effective security systems consider all three elements of security simultaneously to arrive at an assessment of the risk associated with a particular area.

You can gauge the overall security risk for an area by determining the degree to which the area has high values for probability, criticality, and vulnerability.

It makes most sense to concentrate your resources on areas that have the greatest degree of security risk. Highest priority should be given to those areas that have high values for probability, criticality, and vulnerability.

When the values for a particular area add up to an unacceptable level of risk, it is vital that you lower one or more of them by implementing security measures. On the other hand, areas that have a uniform set of low values should not be using security resources that could be better spent in other areas of your business.
