Let’s be honest—navigating the world of physical security risk management can feel like wading through alphabet soup. 🍲 With so many standards, guidelines, and methodologies floating around, it’s easy to feel overwhelmed. Just look at this lineup:

• 📄 HB 167:2006 – Security Risk Management
• 🛢️ ANSI/API Standard 780:2013 – Security Risk Assessment (SRA) Methodology
• 🕵️‍♂️ Adversarial Risk Management (ARM) Methodology
• 🏢 ASIS SRA-2024 – Security Risk Assessment Standard
• 📚 SRMBOK – Security Risk Management Body of Knowledge
• 🌐 ISO 31000:2018 – Risk Management Guidelines
  
  

So, which one should you use? 🤔 It’s no wonder that when I speak with clients, the mere mention of conducting a security risk assessment is met with confusion, frustration, and let’s be honest—a strong desire to do literally anything else. 😅

But here’s the truth: risk assessment is the foundation of any successful security management system. 💡 Don’t just take my word for it—Google any of the standards above, and they’ll say the same. More importantly, it’s not just best practice—it’s a compliance requirement. ✅ With the SEC’s Cybersecurity Rules in the U.S. 🇺🇸 and the NIS2 Directive (EU 2022/2555) in Europe 🇪🇺, organisations are now required to carry out comprehensive and ongoing risk assessments.

So, what’s the solution? 🤷‍♂️

🔺 Enter the Security Risk Triangle

In this blog, I want to cut through the noise 📢 and give you a simple, foundational tool that demystifies the Security Risk Assessment (SRA) process. This tool aligns with every standard, guideline, and methodology mentioned above—for both physical and cybersecurity risk management. Yes, that’s two for one! 🎯

The Security Risk Triangle boils every security risk assessment down to three fundamental questions:

1. What are you trying to protect? (Assets) 💼

2. What are you trying to protect it from? (Threats) ⚠️

3. How vulnerable is it? (Control Effectiveness) 🛡️

Imagine this as a sturdy triangle 🔺. If you remove any of these three elements, the whole thing collapses. 💥

• Focus only on threats without linking them to your critical assets? Collapse. 🚨

• Implement controls without aligning them to actual threats? Collapse. 🏚️

• Don’t know what assets are critical to your operations? Well, what exactly are you protecting? 🤷

It’s that simple. Three questions. This is your starting point for all security risk assessment methodologies. 🚀

📏 How the Security Risk Triangle Aligns with Major Standards

Let’s see how this concept stacks up against industry-leading standards and methodologies. 📊

What Are You Protecting? (Assets) 💼

• ARM Methodology: “Asset Identification is all about knowing yourself better than the adversary knows you.” 🕵️‍♂️
• ANSI/API 780: Designed for assessing a broad range of assets and operations. 🏭
• ASIS SRA-2024: Emphasises identifying potential threats to assets. 🏢
• ISO 31000: Asset identification and value estimation are foundational steps. 📘
• SRMBOK: Recognises asset identification as critical to protecting valuable resources. 💎

What Are You Protecting It From? (Threats) ⚠️

• ARM Methodology: Focuses on understanding adversary objectives. 🎯
• ANSI/API 780: Highlights identifying potential adversaries and their impact. 👀
• ASIS SRA-2024: Prioritises thorough threat assessment. 🔍
• ISO 31000: Implicitly includes threat assessment in risk identification. 📝
• SRMBOK: Emphasises the need for detailed threat assessments. 📊

How Vulnerable Is It? (Control Effectiveness) 🛡️

• ARM Methodology: Advocates selecting effective controls to counter threats. 💪
• ANSI/API 780: Stresses vulnerability assessment to inform control measures. 🛠️
• ASIS SRA-2024: Highlights the importance of evaluating security controls. ✅
• ISO 31000: Encourages ongoing assessment of control effectiveness. 🔎
  
  

🔄 Converged Security Risk Assessment: The Future Is Here

In 2025, the UK 🇬🇧 will launch the Level 4 Protective Security Apprenticeship, which mandates converged security risk assessments—covering both physical and cyber domains. 💻🔒🏢

This shift isn’t optional. Converged security is the future 🚀, and staying ahead of the game now will pay off later. 📈

🏢 Integrating SRM with Enterprise Risk Management (ERM)

So, what’s the difference between SRM and ERM? 🤔

• SRM (Security Risk Management): Focuses on protecting the organisation from security threats. It is a subset of ERM. 🛡️
• ERM (Enterprise Risk Management): Covers all risk types to improve performance and resilience. 📈

By adopting ISO 31000 for security risk management, you effectively translate the complex language of physical and cyber security into something business leadership can actually understand. 🗣️💼

Aligning SRM with ERM means security risks are evaluated alongside business risks—making it easier for leadership to grasp the value security brings to the table. 🏢🤝

✅ Conclusion: Why the Security Risk Triangle Works

Adopting the Security Risk Triangle as your foundation for security risk management will empower you to:

1. Enhance the value of the security function and secure that long-coveted seat at the boardroom table. 🏛️💼

2. Support a converged SRM approach—it’s inevitable, so why not lead the charge? 🚀

3. Stay compliant with both organisational and personal regulatory requirements. 

Using ISO 31000 as your base framework allows you to adapt any security risk methodology to fit your organisation’s needs. That’s exactly what we did when we developed the HawkSight algorithm. 🦅🔍

We combined ISO 31000 with an adversarial threat analysis approach, blending lessons from both physical and cyber domains. The result? A digital risk framework that delivers efficient, converged security risk management—helping you do more with less. 💡📉

💬 Let’s Keep the Conversation Going!

This isn’t just a one-way chat—I’d love to hear your thoughts! Whether you’re in the boardroom making strategic decisions or on the front line managing day-to-day security risks, your perspective matters. 👀🛡️

• What challenges are you facing with security risk assessments? 🤔
• How do you see the Security Risk Triangle fitting into your approach? 🔺

Drop a comment or send me a message. Let’s make this a real conversation and keep pushing security forward together! 🚀

🍻 ASIS Europe in Dublin?

If this blog has piqued your interest, come join Mads Pærregaard, Douglas Gray (HumanRisks), David Llewellyn (atNorth) and me at ASIS Europe in Dublin! 🇮🇪 We’ll be diving deeper into this topic—and perhaps enjoying a Guinness or two. 🍺😉

Thanks for reading! 🙌

This blog was proudly crafted in collaboration with my good friend ChatGPT—my ideas, her research and wordsmithery. ✍️🤖