What drives us

Nothing in life is risk free but risks can be managed. It’s our job to make everyone and everything safer. HawkSight software uses a sophisticated algorithm that assesses risks based on relevant threat data. This delivers a dynamic risk profile, identifies vulnerabilities, and provides options for mitigation.

We call it security risk insight and we’re global leaders at it.

We believe that this will enable people to live freer lives and enterprises to flourish as risk diminishes. The ability to live and operate safely in an increasingly complex world is our goal.


The Essentials of a standardised Security Risk Assessment (SRA): A Brief Overview

While numerous standards and guidelines on Security Risk Management have emerged over the past 15 years, a surprising number of security professionals still do not approach security risk assessments with uniformity. The absence of universally accepted terminology has blurred the distinctions between security reviews, audits and risk assessments, and even a common understanding of the term 'Risk'.

"Why the hesitation among security professionals to adopt a standard approach?"

Research from Ireland highlights the Standards Australia HB167:2006 Security Risk Management Handbook as the most frequently referenced source for security risk management.

So, to further promote a cohesive approach to Security Risk Assessments (SRA), let's distil its core elements concisely.

A comprehensive security risk assessment should address three pivotal questions:

What are you trying to protect?

What are you trying to protect from?

How vulnerable is it?

This framework is equally pertinent for both physical and cyber security risk assessments, bridging the divide between the two areas.

"A security risk assessment that doesn't tackle these queries is incomplete"

What are you trying to protect?

A competent security professional must identify what they are tasked to protect. The first step involves detailing assets essential to the business and prioritising them. Creating this list of assets, sometimes termed a criticality assessment, is foundational for subsequent analyses.

Essential assets typically encompass:

  • People: Employees and stakeholders.
  • Physical Assets: Infrastructure like buildings, vehicles, property and equipment.
  • Information: Documents, digital files, brand reputation.
  • ICT (Information & Communication Technology): Servers, devices, software, and Internet of Things (IoT).
  • Processes: Operations such as supply chain management and accounting.

What are you trying to protect from?

To ensure asset protection, understanding potential threats is paramount. A wealth of data, including open-source crime statistics, internal incident logs and commercial intelligence, can be leveraged to discern these threats. Professionals should maintain a dynamic threat library, updated as the threat landscape changes.

Effective threat analysis involves discerning specific Threat activities (e.g. retail theft) and the respective Threat actors (e.g. a casual thief). Assessing motives, such as financial gain, combined with an understanding of the Intent and Capability of the Threat actor, is vital. HB167 provides practical guidance on conducting Threat analysis to construct a suitable threat library.

How vulnerable is it?

Evaluating vulnerability goes beyond an annual check of security controls. It requires confirming that the current controls are relevant to the prevailing threat landscape and to the critical assets. A genuine assessment not only verifies that the controls protecting those assets are effective, but also considers the organisation's profile. This insight, known as Target Attractiveness, is vital to gauge the Likelihood of threats impacting your organisation.

Risk Analysis

By cross-referencing each threat against each critical asset and then assessing the asset's vulnerability to each, risks can be calculated based on a widely accepted formula:

Risk = Likelihood x Impact

Likelihood weighs threat level, target attractiveness and the existing level of protective security measures.

Impact considers potential outcomes, or consequences, together with the effectiveness of the organisation's response capability.

HB167 provides a straightforward process for carrying out this calculation manually, and several digital tools also facilitate it.
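As an added, illustrative example (not HawkSight's algorithm and not the HB167 process itself), the following Python builds a small risk register by cross-referencing a threat library (threat activity, actor, intent and capability) against a critical-asset list (criticality, target attractiveness, existing controls, response capability) and scoring each pair with Risk = Likelihood x Impact, as the sections above describe. The 1-to-5 scales, the way the three likelihood factors and two impact factors are combined, the rating bands and the sample retail data are all assumptions made for this example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List

# All scales below are constructed 1..5 scales for this example; they are
# assumptions, not the scales or tables defined in HB167 or any other standard.


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int            # output of the criticality assessment, 1 (low) .. 5 (critical)
    attractiveness: int         # target attractiveness to threat actors, 1 .. 5
    control_effectiveness: int  # existing protective security measures, 1 (none) .. 5 (strong)
    response_capability: int    # ability to respond to and recover from an incident, 1 .. 5


@dataclass(frozen=True)
class Threat:
    activity: str               # threat activity, e.g. "retail theft"
    actor: str                  # threat actor, e.g. "casual thief"
    intent: int                 # 1 .. 5
    capability: int             # 1 .. 5
    applies_to: FrozenSet[str]  # names of the critical assets this threat can affect


@dataclass(frozen=True)
class RiskEntry:
    threat: str
    asset: str
    likelihood: int
    impact: int
    score: int
    rating: str


def _scale(x: float) -> int:
    """Round half up and clamp to the 1..5 scale (avoids round()'s half-to-even)."""
    return max(1, min(5, int(x + 0.5)))


def threat_level(t: Threat) -> int:
    """Threat level from the actor's intent and capability."""
    return _scale((t.intent + t.capability) / 2)


def likelihood(t: Threat, a: Asset) -> int:
    """Likelihood weighs threat level, target attractiveness and existing controls.
    Strong controls (5) should pull likelihood down, so control effectiveness is inverted."""
    return _scale((threat_level(t) + a.attractiveness + (6 - a.control_effectiveness)) / 3)


def impact(a: Asset) -> int:
    """Impact weighs the consequence (asset criticality) against response capability."""
    return _scale((a.criticality + (6 - a.response_capability)) / 2)


def rating(score: int) -> str:
    """Assumed rating bands for a 1..25 Likelihood x Impact score."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def risk_register(threats: List[Threat], assets: List[Asset]) -> List[RiskEntry]:
    """Cross-reference every threat against every critical asset it applies to,
    compute Risk = Likelihood x Impact, and return the register ranked highest first."""
    by_name = {a.name: a for a in assets}
    entries = []
    for t in threats:
        for name in sorted(t.applies_to):
            a = by_name[name]
            l, i = likelihood(t, a), impact(a)
            entries.append(RiskEntry(f"{t.activity} ({t.actor})", a.name, l, i, l * i, rating(l * i)))
    return sorted(entries, key=lambda e: e.score, reverse=True)


# Constructed sample data for a small retail business (illustrative only).
ASSETS = [
    Asset("Store cash office", criticality=4, attractiveness=5, control_effectiveness=2, response_capability=3),
    Asset("Customer database", criticality=5, attractiveness=4, control_effectiveness=4, response_capability=4),
    Asset("Delivery van", criticality=2, attractiveness=2, control_effectiveness=3, response_capability=2),
]
THREATS = [
    Threat("retail theft", "casual thief", intent=4, capability=2,
           applies_to=frozenset({"Store cash office", "Delivery van"})),
    Threat("data breach", "organised criminal group", intent=5, capability=4,
           applies_to=frozenset({"Customer database"})),
    Threat("vehicle theft", "opportunistic thief", intent=3, capability=3,
           applies_to=frozenset({"Delivery van"})),
]

if __name__ == "__main__":
    for e in risk_register(THREATS, ASSETS):
        print(f"{e.rating:6} {e.score:2}  L={e.likelihood} I={e.impact}  {e.threat} -> {e.asset}")
```

Running it ranks the cash office (weak controls, highly attractive) and the customer database (highly critical, capable actor) as High at 16, with the van risks as Medium at 9. The point of the structure, rather than the particular numbers, is that each threat is scored only against the assets it can actually affect, and that each factor named in the text (threat level, attractiveness, controls, consequence, response capability) has an explicit place in the calculation so a reviewer can see why a risk landed where it did.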

The above offers a succinct overview of a standard Security Risk Assessment.

Businesses adhere to recognised standards, and the corporate security function should be no different. Adopting internationally recognised benchmarks will elevate security professionals' roles, enhancing their recognition and value in their respective organisations.

"A security risk assessment is the foundation of any security management system."

Security professionals must be able to answer these three questions to lay a solid foundation for their security strategy and to ensure they consistently deliver value to the organisations they are paid to protect.