Young | Metrics and Methods for Security Risk Management | E-Book | sack.de

Young, Metrics and Methods for Security Risk Management

E-book, English, 293 pages
1st edition, 2010
ISBN: 978-1-85617-979-9
Publisher: Elsevier Science & Techn.
Format: EPUB
Copy protection: 6 - ePub Watermark



Metrics and Methods for Security Risk Management offers powerful analytic tools that have been absent from traditional security texts. This easy-to-read text provides a handy compendium of scientific principles that affect security threats, and establishes quantitative security metrics that facilitate the development of effective security solutions. Most importantly, this book applies these foundational concepts to information protection, electromagnetic pulse, biological, chemical and radiological weapons, theft, and explosive threats. In addition, this book offers a practical framework for assessing security threats as well as a step-by-step prescription for a systematic risk mitigation process that naturally leads to a flexible model for security standards and audits. This process helps ensure consistency and coherence in mitigating risk as well as in managing complex and/or global security programs. This book promises to be the standard reference in the field and should be in the library of every serious security professional.

* Offers an integrated approach to assessing security risk
* Addresses homeland security as well as IT and physical security issues
* Describes vital safeguards for ensuring true business continuity



Further information & material

Table of contents (page numbers refer to the EPUB edition):

Front Cover (p. 1)
Metrics and Methods for Security Risk Management (p. 4)
Copyright Page (p. 5)
Dedication (p. 6)
Table of Contents (p. 8)
About the Author (p. 12)
Foreword (p. 14)
Preface (p. 16)
Acknowledgments (p. 20)
Part 1: The Structure of Security Risk (p. 22)
  Chapter 1: Security Threats and Risk (p. 24)
    1.1 Introduction to Security Risk or Tales of the Psychotic Squirrel and the Sociable Shark (p. 24)
    1.2 The Fundamental Expression of Security Risk (p. 30)
    1.3 Introduction to Security Risk Models and Security Risk Mitigation (p. 35)
    1.4 Summary (p. 38)
    References (p. 39)
  Chapter 2: The Fundamentals of Security Risk Measurements (p. 40)
    2.1 Introduction (p. 40)
    2.2 Linearity and Nonlinearity (p. 40)
    2.3 Exponents, Logarithms, and Sensitivity to Change (p. 46)
    2.4 The Exponential Function e^x (p. 48)
    2.5 The Decibel (p. 49)
    2.6 Security Risk and the Concept of Scale (p. 52)
    2.7 Some Common Physical Models in Security Risk (p. 54)
    2.8 Visualizing Security Risk (p. 58)
    2.9 An Example: Guarding Costs (p. 63)
    2.10 Summary (p. 64)
  Chapter 3: Security Risk Measurements and Security Programs (p. 66)
    3.1 Introduction (p. 66)
    3.2 The Security Risk Assessment Process (p. 68)
      3.2.1 Unique threats (p. 68)
      3.2.2 Motivating security risk mitigation: The five commandments of corporate security (p. 69)
      3.2.3 Security risk models (p. 70)
    3.3 Managing Security Risk (p. 75)
      3.3.1 The security risk mitigation process (p. 75)
      3.3.2 Security risk standards (p. 79)
    3.4 Security Risk Audits (p. 91)
    3.5 Security Risk Program Frameworks (p. 94)
    3.6 Summary (p. 94)
Part 2: Measuring and Mitigating Security Risk (p. 100)
  Chapter 4: Measuring the Likelihood Component of Security Risk (p. 102)
    4.1 Introduction (p. 102)
    4.2 Likelihood or Potential for Risk? (p. 103)
    4.3 Estimating the Likelihood of Randomly Occurring Security Incidents (p. 106)
    4.4 Estimating the Potential for Biased Security Incidents (p. 109)
    4.5 Averages and Deviations (p. 112)
    4.6 Actuarial Approaches to Security Risk (p. 118)
    4.7 Randomness, Loss, and Expectation Value (p. 120)
    4.8 Financial Risk (p. 127)
    4.9 Summary (p. 128)
    References (p. 129)
  Chapter 5: Measuring the Vulnerability Component of Security Risk (p. 130)
    5.1 Introduction (p. 130)
    5.2 Vulnerability to Information Loss Through Unauthorized Signal Detection (p. 131)
      5.2.1 Energy, Waves, and Information* (p. 132)
      5.2.2 Introduction to acoustic energy and audible information (p. 136)
      5.2.3 Transmission of audible information and vulnerability to conversation-level overhears (p. 138)
      5.2.4 Audible information and the effects of intervening structures (p. 141)
      5.2.5 Introduction to electromagnetic energy and vulnerability to signal detection (p. 147)
      5.2.6 Electromagnetic energy and the effects of intervening material (p. 153)
      5.2.7 Vulnerability to information loss through unauthorized signal detection: A checklist (p. 156)
    5.3 Vulnerability to Explosive Threats (p. 157)
      5.3.1 Explosive parameters (p. 157)
      5.3.2 Confidence limits and explosive vulnerability (p. 163)
    5.4 A Theory of Vulnerability to Computer Network Infections (p. 167)
    5.5 Biological, Chemical, and Radiological Weapons (p. 172)
      5.5.1 Introduction (p. 172)
      5.5.2 Vulnerability to radiological dispersion devices (p. 173)
      5.5.3 Vulnerability to biological threats (p. 183)
      5.5.4 Vulnerability to external contaminants; bypassing building filtration (p. 189)
      5.5.5 Vulnerability to chemical threats (p. 193)
    5.6 The Visual Compromise of Information (p. 194)
    5.7 Summary (p. 196)
    References (p. 197)
  Chapter 6: Mitigating Security Risk: Reducing Vulnerability (p. 200)
    6.1 Introduction (p. 200)
    6.2 Audible Signals (p. 201)
      6.2.1 Acoustic barriers (p. 203)
      6.2.2 Sound reflection (p. 205)
      6.2.3 Sound absorption (p. 206)
    6.3 Electromagnetic Signals (p. 208)
      6.3.1 Electromagnetic shielding (p. 208)
      6.3.2 Intra-building electromagnetic signal propagation (p. 212)
      6.3.3 Inter-building electromagnetic signal propagation (p. 215)
      6.3.4 Non-point source electromagnetic radiation (p. 216)
    6.4 Vehicle-borne Explosive Threats: Barriers and Bollards (p. 219)
    6.5 Explosive Threats (p. 224)
    6.6 Radiological Threats (p. 227)
    6.7 Biological Threats (p. 231)
      6.7.1 Particulate filtering (p. 231)
      6.7.2 Ultraviolet germicidal irradiation (p. 233)
      6.7.3 Combining UVGI and particulate filtering (p. 235)
      6.7.4 More risk mitigation for biological threats (p. 237)
      6.7.5 Relative effectiveness of influenza mitigation (p. 238)
    6.8 Mitigating the Risk of Chemical Threats (Briefly Noted) (p. 243)
    6.9 Guidelines for Reducing the Vulnerability to Non-Traditional Threats in Commercial Facilities (p. 245)
    6.10 Commercial Technical Surveillance Countermeasures (p. 246)
      6.10.1 Questionnaire for prospective commercial TSCM vendors (p. 254)
    6.11 Electromagnetic Pulse Weapons (p. 255)
      6.11.1 The EPFCG threat (p. 256)
      6.11.2 EMP generated in proximity to unshielded facilities (p. 256)
      6.11.3 EMP generated in proximity to shielded facilities (p. 258)
    6.12 Summary (p. 259)
    References (p. 260)
Epilogue (p. 264)
Appendix A: Scientific prefixes (p. 266)
Appendix B: Sound levels and intensities (p. 268)
Appendix C: The speed of sound in common materials (p. 270)
Appendix D: Closed circuit television (CCTV) performance criteria and technical specifications (p. 272)
  Performance Criteria (p. 272)
  Operational Modes (p. 272)
  Image Data and Transmission Requirements (p. 272)
  Camera/System Management (p. 272)
  Image Resolution (p. 272)
  Record Frame Rate (p. 273)
  Image Storage (p. 273)
  Ambient Lighting (p. 273)
  Power and Resilience (p. 273)
  Field of View (p. 273)
  Information Security Restrictions (p. 273)
Appendix E: Physical access authorization system performance criteria (p. 274)
  High-Level System Architecture (p. 274)
  Physical Access Authorization (p. 274)
  Physical Access Authorization Conditions and Signaling (p. 274)
  Physical Access Authorization Information Transmission (p. 275)
  Physical Access Authorization History and Reporting (p. 275)
  Physical Access Authorization Equipment Security (p. 275)
Appendix F: Exterior barrier performance criteria and technical specifications (p. 276)
Appendix G: Window anti-blast methods technical specifications* (p. 278)
Appendix H: Qualitative interpretation of Rw values (p. 280)
Index (p. 282)


Preface

Believe it or not, some of my earliest moments on the planet were spent in the company of my parents while they toiled away on human cadavers. I doubt this was a traditional form of family entertainment, especially in the 1950s. But as both newly minted parents and clinical pathologists they juggled their careers with domestic obligations as best they could. It seems that decent babysitters have always been in short supply. There is no telling what effect this experience had on their eldest child's development or whether it influenced future career decisions, but it probably does help to explain personality traits that are probably best explored elsewhere.

I consider myself fortunate to be working in security risk management, which has clearly been at the forefront of public awareness since September 11, 2001. Some might find it ironic that the events of that day caused a huge uptick in interest in security almost overnight. The irony is twofold: terrorism has been around for a long time (recall Guy Fawkes in 1605), and there is now a focus on security in ways that have nothing to do with terrorism. One possible explanation is that this horrific event exposed a powerful nation's vulnerability and raised the specter of much broader security concerns. In my view, the consequences of this renewed interest are mixed. On the positive side, corporate security is no longer viewed as a necessary evil and left to be managed in relative obscurity by non-professionals. Progressive firms now view security as part of the company's business strategy. Savvy executives even market security as a means of distinguishing their company from the competition. The downside has been the inevitable increase in “security theater”, a term purportedly coined by the cryptography expert Bruce Schneier. These are measures that give the appearance of providing security but are ineffective when exposed to rigorous analyses.

The field of security tends to be dominated by action-oriented types who sometimes invoke a “ready, shoot, aim” approach to problem solving. That is okay if the goal is just to get something done quickly. Unfortunately, without a coherent and reasoned approach to risk it is not clear that “something” is always effective.

Security problems in the commercial world have changed in part because the office environment itself has evolved. These changes are due principally to the proliferation of the Internet as a communication tool in conjunction with ubiquitous software applications that facilitate the creation, transmission, and storage of information. These technology advances represent security challenges precisely because they are integrated into the fabric of companies at every level and make communication incredibly convenient from almost anywhere in the world.

Risk mitigation is of great importance to modern corporations. However, a truly useful mitigation strategy is one that is derived from a big-picture perspective and realistic approach. An aggressive security posture might be effective but can't be at the expense of business performance. Aside from hurting the bottom line, such a strategy could result in a one-way ticket to unemployment for the well-intentioned security director.

In today's world, private companies are often viewed as representatives, if not ambassadors, of the countries in which they are incorporated and/or physically located. So not only are companies sometimes targeted by competitors in order to steal their information, they are also the focus of political or religious groups who understand their economic and symbolic importance. At the same time, budgets are decreasing while security departments are dealing with threats that demand greater vigilance and resources. In the wake of the 2008 global economic meltdown, corporate executives are asking more difficult questions about return on investment. But the effectiveness of the defensive measures used in security is difficult to quantify in the same way as profit and loss. That is part of what this book is all about. The need for rigor in security is greater today than ever, and not only to address more complex threats, but also to employ cost-effective methods that are explicitly proportionate to risk.

This book attempts to bridge the worlds of two distinct audiences. One group consists of career security professionals who have wisdom born of experience in assessing risk but often possess no technical background. In the other camp are the scientists and engineers who work on technical problems related to security but have little or no background and therefore lack the context for these specialized problems. The former group often knows a lot about security but has little technical knowledge. The latter group has familiarity with mathematics and/or scientific principles but may not know how these apply to security risk. Many individuals who work in security function as both theorist and practitioner. This is a difficult challenge in a field where the theoretical underpinnings have not been formally recognized or at the very least have not been centrally codified. It is precisely this divide between theory and practice that must be solidified for security professionals to continue to grow and if the subject is to be universally accepted as a legitimate academic discipline.

It is important to recognize that security problems must be viewed in terms of risk in order to be relevant to the corporate world. Although significant insights will be gained from the study of well-established physical principles, the utility of these principles derives from knowing how they affect risk, and moreover, how they can be used to develop effective and proportionate mitigation. To that end, this book endeavors to provide the reader with the following: the fundamentals of security risk and its individual components, an analytic approach to risk assessments and mitigation, and quantitative methods to assess the individual components of risk and thereby develop effective risk mitigation strategies. In so doing, I hope it will provide security professionals, engineers, scientists, and technologists with both an interesting and useful reference.

This book is divided into two distinct parts. Part 1 is entitled “The Structure of Security Risk” and comprises Chapter 1, Chapter 2 and Chapter 3. Part 2, “Measuring and Mitigating Security Risk”, consists of Chapter 4, Chapter 5 and Chapter 6. Part 1 is meant to be a detailed exposition of security risk and I believe it is a unique treatment of the subject. It discusses the individual components of risk in detail as well as some important physical models relevant to assessing those components. These will be crucial to the development of the risk metrics discussed in Part 2. In addition, risk assessment and mitigation processes are delineated and can assist in establishing a risk-based security management program.

Specifically, the fundamentals of risk management are discussed in Chapter 1. In particular it introduces a key expression that I somewhat dramatically refer to as “The Fundamental Expression of Risk.” This important statement expresses the defining attributes of risk and is fundamental to any problem in security. In particular, the likelihood and vulnerability components are discussed in detail and are the focus of much of this book. This chapter also discusses the role of important tools such as security standards and risk models.

Chapter 2 introduces key security-related concepts that are used to measure risk and thereby establish security metrics later in the book. It discusses the notion of scale, or how physical quantities that affect the vulnerability component of risk change as a function of scenario-dependent parameters like distance and time. Recurring physical models are highlighted that directly relate to the assessment and mitigation of the vulnerability component of risk and are discussed in detail in Part 2.

Chapter 3 may arguably be the most appealing and/or useful to security professionals. It describes the risk assessment and risk mitigation processes in detail. These provide the context for the technical methods discussed in Part 2. This chapter also specifies how the risk mitigation process provides a natural segue to the development of risk-based security standards, assessments, metrics, and security program frameworks.

At this point I must give even the most intrepid reader fair warning: Part 2 represents a more quantitative treatment of security risk management than security professionals may be accustomed to. However, Part 2 provides the machinery that is necessary to rigorously assess security risk and that has been mostly absent from traditional books on security. The goals are twofold: to show the engineer or scientist how well-established scientific principles apply to security risk problems and to introduce the security professional to key technical/scientific concepts that are important to assessing security risk. Wherever possible, real-world examples are provided and sample calculations are performed.

Chapter 4 provides the concepts and techniques necessary for assessing the likelihood component of risk. These include useful probability distributions and a discussion of the important distinction between the likelihood and potential for further incidents. The goal is to provide the reader with an appreciation for some of the probabilistic tools that are relevant to security risk and to show how and when they apply.

Chapter 5 details the physical models, principles, and quantitative methods necessary to assess the vulnerability component of risk. The recurring...


