Metrics and Methods for Security Risk Management - Carl Young

Metrics and Methods for Security Risk Management (eBook)

Carl Young (Author)

eBook download: EPUB
2010 | 1st edition
296 pages
Elsevier Science (publisher)
978-1-85617-979-9 (ISBN)
37,50 incl. VAT
(CHF 36,60)
eBook sales are handled by Lehmanns Media GmbH (Berlin) at the price in euros incl. VAT.
  • Download available immediately

Metrics and Methods for Security Risk Management offers powerful analytic tools that have been absent from traditional security texts. This easy-to-read text provides a handy compendium of scientific principles that affect security threats, and establishes quantitative security metrics that facilitate the development of effective security solutions. Most importantly, this book applies these foundational concepts to information protection, electromagnetic pulse, biological, chemical and radiological weapons, theft, and explosive threats. In addition, this book offers a practical framework for assessing security threats as well as a step-by-step prescription for a systematic risk mitigation process that naturally leads to a flexible model for security standards and audits. This process helps ensure consistency and coherence in mitigating risk as well as in managing complex and/or global security programs. This book promises to be the standard reference in the field and should be in the library of every serious security professional.



    • Offers an integrated approach to assessing security risk
    • Addresses homeland security as well as IT and physical security issues
    • Describes vital safeguards for ensuring true business continuity


    Security problems have evolved in the corporate world because of technological changes, such as the use of the Internet as a means of communication. As a result, the creation, transmission, and storage of information may represent a security problem. Metrics and Methods for Security Risk Management is of interest, especially since the 9/11 terror attacks, because it addresses ways to manage security risk in the corporate world. The book aims to provide information about the fundamentals of security risk and its components, an analytical approach to risk assessment and mitigation, and quantitative methods to assess the risk components. It also discusses the physical models, principles, and quantitative methods needed to assess those components. The by-products of the methodology include security standards, audits, risk metrics, and program frameworks. Security professionals, as well as scientists and engineers working on technical issues related to security problems, will find this book relevant and useful.

    Table of Contents
    Front Cover
    Metrics and Methods for Security Risk Management
    Copyright Page
    Dedication
    Table of Contents
    About the Author
    Foreword
    Preface
    Acknowledgments
    Part 1: The Structure of Security Risk
    Chapter 1: Security Threats and Risk
    1.1. Introduction to Security Risk, or Tales of the Psychotic Squirrel and the Sociable Shark
    1.2. The Fundamental Expression of Security Risk
    1.3. Introduction to Security Risk Models and Security Risk Mitigation
    1.4. Summary
    References
    Chapter 2: The Fundamentals of Security Risk Measurements
    2.1. Introduction
    2.2. Linearity and Nonlinearity
    2.3. Exponents, Logarithms, and Sensitivity to Change
    2.4. The Exponential Function e^x
    2.5. The Decibel
    2.6. Security Risk and the Concept of Scale
    2.7. Some Common Physical Models in Security Risk
    2.8. Visualizing Security Risk
    2.9. An Example: Guarding Costs
    2.10. Summary
    Chapter 3: Security Risk Measurements and Security Programs
    3.1. Introduction
    3.2. The Security Risk Assessment Process
    3.2.1 Unique threats
    3.2.2 Motivating security risk mitigation: The five commandments of corporate security
    3.2.3 Security risk models
    3.3. Managing Security Risk
    3.3.1 The security risk mitigation process
    3.3.2 Security risk standards
    3.4. Security Risk Audits
    3.5. Security Risk Program Frameworks
    3.6. Summary
    Part 2: Measuring and Mitigating Security Risk
    Chapter 4: Measuring the Likelihood Component of Security Risk
    4.1. Introduction
    4.2. Likelihood or Potential for Risk?
    4.3. Estimating the Likelihood of Randomly Occurring Security Incidents
    4.4. Estimating the Potential for Biased Security Incidents
    4.5. Averages and Deviations
    4.6. Actuarial Approaches to Security Risk
    4.7. Randomness, Loss, and Expectation Value
    4.8. Financial Risk
    4.9. Summary
    References
    Chapter 5: Measuring the Vulnerability Component of Security Risk
    5.1. Introduction
    5.2. Vulnerability to Information Loss Through Unauthorized Signal Detection
    5.2.1 Energy, waves, and information*
    5.2.2 Introduction to acoustic energy and audible information
    5.2.3 Transmission of audible information and vulnerability to conversation-level overhears
    5.2.4 Audible information and the effects of intervening structures
    5.2.5 Introduction to electromagnetic energy and vulnerability to signal detection
    5.2.6 Electromagnetic energy and the effects of intervening material
    5.2.7 Vulnerability to information loss through unauthorized signal detection: A checklist
    5.3. Vulnerability to Explosive Threats
    5.3.1 Explosive parameters
    5.3.2 Confidence limits and explosive vulnerability
    5.4. A Theory of Vulnerability to Computer Network Infections
    5.5. Biological, Chemical, and Radiological Weapons
    5.5.1 Introduction
    5.5.2 Vulnerability to radiological dispersion devices
    5.5.3 Vulnerability to biological threats
    5.5.4 Vulnerability to external contaminants bypassing building filtration
    5.5.5 Vulnerability to chemical threats
    5.6. The Visual Compromise of Information
    5.7. Summary
    References
    Chapter 6: Mitigating Security Risk: Reducing Vulnerability
    6.1. Introduction
    6.2. Audible Signals
    6.2.1 Acoustic barriers
    6.2.2 Sound reflection
    6.2.3 Sound absorption
    6.3. Electromagnetic Signals
    6.3.1 Electromagnetic shielding
    6.3.2 Intra-building electromagnetic signal propagation
    6.3.3 Inter-building electromagnetic signal propagation
    6.3.4 Non-point source electromagnetic radiation
    6.4. Vehicle-borne Explosive Threats: Barriers and Bollards
    6.5. Explosive Threats
    6.6. Radiological Threats
    6.7. Biological Threats
    6.7.1 Particulate filtering
    6.7.2 Ultraviolet germicidal irradiation
    6.7.3 Combining UVGI and particulate filtering
    6.7.4 More risk mitigation for biological threats
    6.7.5 Relative effectiveness of influenza mitigation
    6.8. Mitigating the Risk of Chemical Threats (Briefly Noted)
    6.9. Guidelines for Reducing the Vulnerability to Non-Traditional Threats in Commercial Facilities
    6.10. Commercial Technical Surveillance Countermeasures
    6.10.1 Questionnaire for prospective commercial TSCM vendors
    6.11. Electromagnetic Pulse Weapons
    6.11.1 The EPFCG threat
    6.11.2 EMP generated in proximity to unshielded facilities
    6.11.3 EMP generated in proximity to shielded facilities
    6.12. Summary
    References
    Epilogue
    Appendix A: Scientific prefixes
    Appendix B: Sound levels and intensities
    Appendix C: The speed of sound in common materials
    Appendix D: Closed circuit television (CCTV) performance criteria and technical specifications
    Performance Criteria
    Operational Modes
    Image Data and Transmission Requirements
    Camera/System Management
    Image Resolution
    Record Frame Rate
    Image Storage
    Ambient Lighting
    Power and Resilience
    Field of View
    Information Security Restrictions
    Appendix E: Physical access authorization system performance criteria
    High-Level System Architecture
    Physical Access Authorization
    Physical Access Authorization Conditions and Signaling
    Physical Access Authorization Information Transmission
    Physical Access Authorization History and Reporting
    Physical Access Authorization Equipment Security
    Appendix F: Exterior barrier performance criteria and technical specifications
    Appendix G: Window anti-blast methods technical specifications*
    Appendix H: Qualitative interpretation of Rw values
    Index

    Preface
    Believe it or not, some of my earliest moments on the planet were spent in the company of my parents while they toiled away on human cadavers. I doubt this was a traditional form of family entertainment, especially in the 1950s. But as both newly-minted parents and clinical pathologists they juggled their careers with domestic obligations as best they could. It seems that decent babysitters have always been in short supply. There is no telling what effect this experience had on their eldest child's development or whether it influenced future career decisions, but it probably does help to explain personality traits that are probably best explored elsewhere.
    I consider myself fortunate to be working in security risk management, which has clearly been at the forefront of public awareness since September 11, 2001. Some might find it ironic that the events of that day caused a huge uptick in interest in security almost overnight. The irony is twofold: terrorism has been around for a long time (recall Guy Fawkes in 1605) and there is now a focus on security in ways that have nothing to do with terrorism. One possible explanation is that this horrific event exposed a powerful nation's vulnerability and raised the specter of much broader security concerns.
    In my view, the consequences of this renewed interest are mixed. On the positive side, corporate security is no longer viewed as a necessary evil and left to be managed in relative obscurity by non-professionals. Progressive firms now view security as part of the company's business strategy. Savvy executives even market security as a means of distinguishing their company from the competition.
    The downside has been the inevitable increase in “security theater”, a term purportedly coined by the cryptography expert Bruce Schneier. These are measures that give the appearance of providing security but are ineffective when exposed to rigorous analyses. The field of security tends to be dominated by action-oriented types who sometimes invoke a “ready, shoot, aim” approach to problem solving. That is okay if the goal is just to get something done quickly. Unfortunately without a coherent and reasoned approach to risk it is not clear that “something” is always effective.
    Security problems in the commercial world have changed in part because the office environment itself has evolved. These changes are due principally to the proliferation of the Internet as a communication tool in conjunction with ubiquitous software applications that facilitate the creation, transmission, and storage of information. These technology advances represent security challenges precisely because they are integrated into the fabric of companies at every level and make communication incredibly convenient from almost anywhere in the world.
    Risk mitigation is of great importance to modern corporations. However, a truly useful mitigation strategy is one that is derived from a big-picture perspective and realistic approach. An aggressive security posture might be effective but can't be at the expense of business performance. Aside from hurting the bottom line, such a strategy could result in a one-way ticket to unemployment for the well-intentioned security director.
    In today's world, private companies are often viewed as representatives, if not ambassadors, of the countries in which they are incorporated and/or physically located. So not only are companies sometimes targeted by competitors in order to steal their information, they are also the focus of political or religious groups who understand their economic and symbolic importance.
    At the same time, budgets are decreasing while security departments are dealing with threats that demand greater vigilance and resources. In the wake of the 2008 global economic meltdown, corporate executives are asking more difficult questions about return on investment. But the effectiveness of the defensive measures used in security is difficult to quantify in the same way as profit and loss. That is part of what this book is all about. The need for rigor in security is greater today than ever and not only to address more complex threats, but also to employ cost-effective methods that are explicitly proportionate to risk.
    This book attempts to bridge the worlds of two distinct audiences. One group consists of career security professionals who have wisdom born of experience in assessing risk but often possess no technical background. In the other camp are the scientists and engineers who work on technical problems related to security but have little or no background and therefore lack the context for these specialized problems. The former group often knows a lot about security but has little technical knowledge. The latter group has familiarity with mathematics and/or scientific principles but may not know how these apply to security risk.
    Many individuals who work in security function as both theorist and practitioner. This is a difficult challenge in a field where the theoretical underpinnings have not been formally recognized or at the very least have not been centrally codified. It is precisely this divide between theory and practice that must be solidified for security professionals to continue to grow and if the subject is to be universally accepted as a legitimate academic discipline.
    It is important to recognize that security problems must be viewed in terms of risk in order to be relevant to the corporate world. Although significant insights will be gained from the study of well-established physical principles, the utility of these principles derives from knowing how they affect risk, and moreover, how they can be used to develop effective and proportionate mitigation.
    To that end, this book endeavors to provide the reader with the following: the fundamentals of security risk and its individual components, an analytic approach to risk assessments and mitigation, and quantitative methods to assess the individual components of risk and thereby develop effective risk mitigation strategies. In so doing, I hope it will provide security professionals, engineers, scientists, and technologists with both an interesting and useful reference.
    This book is divided into two distinct parts. Part 1 is entitled “The Structure of Security Risk” and comprises Chapter 1, Chapter 2 and Chapter 3. Part 2, “Measuring and Mitigating Security Risk”, consists of Chapter 4, Chapter 5 and Chapter 6.
    Part 1 is meant to be a detailed exposition of security risk and I believe it is a unique treatment of the subject. It discusses the individual components of risk in detail as well as some important physical models relevant to assessing those components. These will be crucial to the development of the risk metrics discussed in Part 2. In addition, risk assessment and mitigation processes are delineated and can assist in establishing a risk-based security management program.
    Specifically, the fundamentals of risk management are discussed in Chapter 1. In particular, it introduces a key expression that I somewhat dramatically refer to as “The Fundamental Expression of Risk.” This important statement expresses the defining attributes of risk and is fundamental to any problem in security. In particular, the likelihood and vulnerability components are discussed in detail and are the focus of much of this book. This chapter also discusses the role of important tools such as security standards and risk models.
    Chapter 2 introduces key security-related concepts that are used to measure risk and thereby establish security metrics later in the book. It discusses the notion of scale or how physical quantities that affect the vulnerability component of risk change as a function of scenario-dependent parameters like distance and time. Recurring physical models are highlighted that directly relate to the assessment and mitigation of the vulnerability component of risk and are discussed in detail in Part 2.
    Chapter 3 may arguably be the most appealing and/or useful to security professionals. It describes the risk assessment and risk mitigation processes in detail. These provide the context for the technical methods discussed in Part 2. This chapter also specifies how the risk mitigation process provides a natural segue to the development of risk-based security standards, assessments, metrics, and security program frameworks.
    At this point I must give even the most intrepid reader fair warning: Part 2 represents a more quantitative treatment of security risk management than security professionals may be accustomed to. However, Part 2 provides the machinery that is necessary to rigorously assess security risk and that has been mostly absent from traditional books on security. The goals are twofold: to show the engineer or scientist how well-established scientific principles apply to security risk problems and to introduce the security professional to key technical/scientific concepts that are important to assessing security risk. Wherever possible, real-world examples are provided and sample calculations are performed.
    Chapter 4 provides the concepts and techniques necessary for assessing the likelihood component of risk. These include useful probability distributions and a discussion of the important distinction between the likelihood and potential for further incidents. The goal is to provide the reader with an appreciation for some of the probabilistic tools that are relevant to security risk and to show how and when they apply.
    Chapter 5 details the physical models, principles, and quantitative methods necessary to assess the vulnerability component of risk. The recurring...

    EPUB (Adobe DRM)

    Copy protection: Adobe DRM
    Adobe DRM is a copy protection scheme intended to protect the eBook against misuse. The eBook is authorized to your personal Adobe ID at download time. You can then read the eBook only on devices that are also registered to your Adobe ID.

    File format: EPUB (Electronic Publication)
    EPUB is an open standard for eBooks and is particularly suited to displaying fiction and non-fiction. The flowing text adapts dynamically to the display and font size, which also makes EPUB well suited to mobile reading devices.

    System requirements:
    PC/Mac: You can read this eBook on a PC or Mac. You need an Adobe ID and the Adobe Digital Editions software (free of charge). We advise against using the OverDrive Media Console; in our experience, problems with Adobe DRM occur frequently with it.
    eReader: This eBook can be read on (almost) all eBook readers. It is not compatible with the Amazon Kindle, however.
    Smartphone/Tablet: Whether Apple or Android, you can read this eBook. You need an Adobe ID and a free app.

    Buying eBooks from abroad
    For tax law reasons we can sell eBooks only within Germany and Switzerland. Regrettably, we cannot fulfil eBook orders from other countries.
