How to find the weak link
Feb 1, 1998 12:00 PM, GEORGE PARTINGTON
Computer software can assess risks, target security weaknesses and suggest cost-effective remedies.
Most security directors depend on personal computers for everything from badging to control of CCTV and access systems. Computers automate tasks, organize files and reduce paperwork. But for a formal risk assessment, security directors have had to contend with reams of documents, and either rely on their own expertise or call in help from consultants. Now, PC software can supply the expertise for risk assessment, while reducing the paperwork and time involved.
RiskWatch, based in Annapolis, Md., and Akela, Santa Barbara, Calif., offer risk assessment software for both information systems and physical sites. The programs - also commonly called risk analysis, threat vulnerability and security audit software - find the weaknesses in a security program and determine the most cost-effective remedies.
"Risk analysis gives you a clear picture of your loss potential," says Caroline Hamilton, president of RiskWatch. "It establishes expected losses from defined threats based on asset exposures, vulnerabilities and estimated probabilities of occurrence."
Risk assessment programs quantify results in dollars, illustrating the amount of money that could be lost without specific security controls and allowing all results to be compared on a common basis. Risk assessment documents reveal the safeguards that return the most value and help justify the expenses when those safeguards are put into place.
In performing a risk assessment, both security and non-security personnel complete extensive surveys that cover facilities, equipment and procedures.
The questions can be disseminated through diskettes, e-mail, a LAN, the Internet or even paper.
Once the answers are returned, they are downloaded into the program, which then reveals where the security program is vulnerable and the best course to take to improve it.
Michael Gearhart, project manager for the consulting firm Lockwood Greene, says risk analysis computer programs provide more objective results, since people from outside developed the software and the underlying logic. "If you do it yourself in a reactionary mode, you could skew the questions and skew the answers simply based on the situation," he says. "Whereas software will consistently ask the same questions. So given the same set of questions and given the same input, you will always get the same output. It is merely trying to provide more structure and methodology to a subjective process."
Elements of risk assessment
Risk assessments can be divided into five major areas.
* Assets. Simply defined as the resources you are trying to protect, assets are the focus of the risk assessment, says Allan Hunt, president of Akela. A risk assessment assigns a direct and indirect value to each asset. Direct value is usually associated with the replacement cost of the asset. Indirect value is an "opportunity" cost - the cost incurred because the opportunity to use the asset has been lost.
* Threats. "Quantifying the frequency of occurrence of the threat is usually the hardest element of a risk assessment," says Hunt. "What has happened in the past at a specific location is not necessarily a good indication of what might happen in the future."
* Losses. These can include damage or loss of property, loss of data integrity and loss or delay of service.
* Vulnerabilities. Hamilton defines them as weaknesses in the system that create a window of opportunity for threat occurrence. They are always there to be exploited even though there may have been no previous threat attempts, says Hunt, but they can be controlled through ...
* Safeguards. These are the recommended equipment, policies and procedures that eliminate, reduce or mitigate the impact of a threat occurrence.
"The key to risk analysis," says Hamilton, "is the evaluation of all five components in relation to one another." This analysis is gathered in a concise report that gives a clear picture of assets and detailed information on which ones are most in need of protection and how they should be protected. "It is much more valuable than a lengthy report that contains a jumble of confusing numbers and no specific recommendations," Hamilton says.
A labor-saving device
Once a risk analysis program has been completed, periodic assessments are easier, says Bill Hughes, marketing coordinator for RiskWatch. "You survey your people again of course and then you go in and note changes," he says. "Then you hit a button and run a report."
"If it takes several months the first time you run it, it will probably take half that time the second time you run it, because all the ground work has already been done."
Hughes says it will take a security manager for a company with 500 employees about two weeks to complete a risk analysis using the RiskWatch Physical Security program. Hamilton estimates that automated risk analysis software tools can reduce the time involved in large risk assessment projects by more than 60 percent.
Government applications
RiskWatch has its origins in government development. The company began about 10 years ago by designing an information system risk assessment tool for NASA. Akela originally designed a program for hospitals and soon produced an adaptation for the FAA.
Now, due to recent events such as the crash of TWA flight 800, the FAA is going through a round of formalized threat assessments, evaluating a number of different software packages, as directed by the Vice President's Commission on Aviation Security. The government agency has contracted about six companies to do risk assessments at one or two airports around the country and will choose a recommended technique when they are done, according to Hunt.
Both Akela and RiskWatch are being evaluated. Tests of RiskWatch are under way at Hartsfield International in Atlanta and Logan in Boston, according to Hamilton.
Risk analysis programs were originally developed with the government and hospitals in mind because they had regulations for risk assessment. In 1988, for example, California announced a security and risk analysis requirement for every department, agency, board and commission using electronic data processing. The state mandates a risk analysis review every two years.
Hospitals are especially interested in risk assessment. "Within the hospital community, the security plan and risk assessment are big issues," says Gearhart. "Whether it is computerized or non-computerized, there is a requirement for documented risk assessment from the Joint Commission on Accreditation of Hospitals." Gearhart says the commission called an automated risk analysis of a hospital as thorough as they had ever seen.
Increasingly, a variety of commercial enterprises are using, and benefiting from, the software. "Demand in the commercial avenues is picking up as the federal and state level government seems to be dropping off a bit with budget cuts and things of that nature," says Hughes. "They still have the directives to do the work and they still need the tools, they just can't find the money to pay for it. Whereas the commercial companies seem to be recognizing the need for this type of work now, and they are buying the tools."
In the final analysis, risk assessment programs allow security directors to breathe easier. Not only does the tool help improve safety and security, but it also illustrates in the monetary terms familiar to management what is at stake if a security program suffers the budgetary ax.
About SASSy
Akela's Security Analysis Support System (SASSy) software comes in several versions, including hospitals, general business, airports and air carriers, and FAA facilities - the Civil Aviation Security Risk Assessment Program, or CASRAP.
SASSy quantifies risk, provides consistent assessments and supports recommendations for specific improvements to the security program. "Embedded in SASSy is software that does what a security expert does; it knows what questions to ask about equipment, procedures and policies and makes judgments about vulnerabilities," says Allan Hunt, president of Akela.
SASSy defines risk in terms of dollar loss of assets, which are determined using a combination of how often a threat will try to deprive the user of assets, the likelihood that each attempt will be successful and the value of the assets lost, says Hunt.
"Assets are threatened in ways that cannot be controlled," he says, "because threats choose when to act, where to act and how to act. Vulnerabilities, however, can be controlled. Vulnerabilities are a direct result of the way in which security measures are implemented to protect assets.
"Since there are so many different ways equipment, procedures and policies can combine to protect assets, it usually takes a security expert to determine the vulnerabilities of a facility. An expert's experience allows judgments about the vulnerabilities in new situations." SASSy is designed to be the security expert in software form.
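The five elements listed under "Elements of risk assessment" and the SASSy formula Hunt describes (dollar loss from how often a threat tries, the likelihood each attempt succeeds, and the value of the asset lost) can be carried through as a worked calculation. The Python below is an added example written for this page, not code from RiskWatch, Akela or the article. The assets, threat frequencies, probabilities and safeguard costs are constructed illustrations, and modelling a safeguard as a multiplier on the probability of success is an assumption made here, not a description of how either product works.

```python
"""Worked risk calculation in the five-element model: assets, threats,
losses, vulnerabilities, safeguards.  Expected annual loss for one exposure
is   threat frequency  x  P(attempt succeeds)  x  value lost on success,
the formula Hunt gives for SASSy.  Every figure in this file is a
constructed illustration, not vendor or article data."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

Exposure = Tuple[str, str]  # (asset name, threat name)


@dataclass(frozen=True)
class Asset:
    name: str
    direct_value: float    # replacement cost
    indirect_value: float  # opportunity cost while the asset cannot be used

    @property
    def value(self) -> float:
        return self.direct_value + self.indirect_value


@dataclass(frozen=True)
class Threat:
    name: str
    annual_frequency: float  # expected attempts per year (the hardest figure to estimate)


@dataclass(frozen=True)
class Vulnerability:
    asset: str
    threat: str
    p_success: float      # probability that one attempt succeeds
    loss_fraction: float  # share of the asset's value lost when it does


@dataclass
class Safeguard:
    name: str
    annual_cost: float
    # Assumed model (not SASSy's or RiskWatch's): the safeguard scales
    # P(success) for each exposure it covers; 0.25 means "a quarter as likely".
    p_multiplier: Dict[Exposure, float]


def expected_annual_loss(assets: Iterable[Asset], threats: Iterable[Threat],
                         vulns: Iterable[Vulnerability],
                         safeguards: Iterable[Safeguard] = ()) -> float:
    """Sum of frequency * P(success) * loss over every exposure, with the
    given safeguards applied.  With no safeguards this is the baseline."""
    asset_by = {a.name: a for a in assets}
    threat_by = {t.name: t for t in threats}
    total = 0.0
    for v in vulns:
        p = v.p_success
        for s in safeguards:
            p *= s.p_multiplier.get((v.asset, v.threat), 1.0)
        total += (threat_by[v.threat].annual_frequency * p
                  * v.loss_fraction * asset_by[v.asset].value)
    return total


def rank_safeguards(assets, threats, vulns,
                    candidates: Iterable[Safeguard]) -> List[Tuple[str, float]]:
    """Net annual benefit of each safeguard taken alone (loss avoided minus
    its cost), best first.  A negative figure is the case a manager wants
    surfaced: the control costs more per year than the loss it prevents."""
    baseline = expected_annual_loss(assets, threats, vulns)
    rows = []
    for s in candidates:
        avoided = baseline - expected_annual_loss(assets, threats, vulns, [s])
        rows.append((s.name, avoided - s.annual_cost))
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample site: a server room and a loading dock.
ASSETS = [Asset("server room", 200_000, 300_000),
          Asset("dock inventory", 50_000, 10_000)]
THREATS = [Threat("burglary", 0.5), Threat("fire", 0.05)]
VULNS = [Vulnerability("server room", "burglary", 0.3, 0.4),
         Vulnerability("dock inventory", "burglary", 0.6, 1.0),
         Vulnerability("server room", "fire", 0.8, 1.0)]
SAFEGUARDS = [
    Safeguard("Server room access control", 8_000, {("server room", "burglary"): 0.25}),
    Safeguard("Fire suppression", 15_000, {("server room", "fire"): 0.1}),
    Safeguard("Dock guard", 40_000, {("dock inventory", "burglary"): 0.2}),
]

if __name__ == "__main__":
    print(f"Baseline expected annual loss: ${expected_annual_loss(ASSETS, THREATS, VULNS):,.0f}")
    for name, net in rank_safeguards(ASSETS, THREATS, VULNS, SAFEGUARDS):
        print(f"  {name:28s} net benefit ${net:,.0f}")
    print(f"With every safeguard: ${expected_annual_loss(ASSETS, THREATS, VULNS, SAFEGUARDS):,.0f}")
```

With the constructed figures the baseline loss is $68,000 a year; access control on the server room nets $14,500, fire suppression nets $3,000, and the dock guard loses $25,600 because its annual cost exceeds the $14,400 of burglary loss it avoids. Ranking each safeguard on its own is deliberate and is also the caveat: two controls covering the same exposure do not add up, so the final selection should be re-run with the chosen set together, as the last line does.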
About RiskWatch
RiskWatch identifies threats that could impact assets, discovers vulnerabilities that could allow those threats to occur, and identifies safeguards to reduce or eliminate potential losses, says Caroline Hamilton, RiskWatch president.
Security directors can customize the software to fit the needs of a facility or information system by choosing the questions (from a store of 8,000 to 10,000 culled from security experts) that apply to the situation.
RiskWatch uses feedback from customers to continually update the database of questions used for analysis.
RiskWatch Information Security covers ADP centers, application programs, network management, personnel, facilities security, micros/workstations, sensitive systems, voice mail, communications systems, network users, electronic commerce and general organization.
RiskWatch Physical Security addresses crimes against property, crimes against people, equipment/systems failure, terrorism, natural disasters and fire/bomb threats. Areas surveyed include access control, operations/planning, disgruntled employees, angry customers, emergency planning, security systems, grounds/parking, angry spouses, security/safety, technical systems, mail/deliveries, personal security, stalkers and natural disasters.
Capable versions of the software add the Relational Database Modification Tool, which allows customization at the "designer level."
© 2009 Penton Media Inc.