
Security Assessments - The Layman's Guide

  • Writer: Brian M. King
  • 24 hours ago
  • 8 min read

For our inaugural blog post, it seems appropriate to discuss Risk Assessment.  Assessing Risk is key to everything we do in life and in business, so it is an important subject to understand.  You don’t need to be a security professional to have a basic knowledge of risk assessment and mitigation.  However, there are often areas that go unchecked when organizations take it upon themselves to conduct their own security assessments.  Not to mention, you run the risk of ignoring bad smelling parts of your operation that you’ve gone “nose blind” to.


Now some of you might be saying, “Brian, who cares about this.  I’m not some kind of nerd who loves doing lighting surveys and walking around buildings at night.”  And yeah, guilty as charged, but understanding how to assess and mitigate risk is a process that most people can benefit from.


Before we start, we need to have an understanding of what a Risk is and why we would mitigate it.  ASIS International defines risk as “the likelihood or potential that a given threat will exploit vulnerabilities to cause loss or damage to an asset.” [4]  In simpler terms, risk is “any bad outcome that CAN happen weighed against the likelihood that it WILL happen.”


An asset can be anything; from a person, to a physical object, intellectual property, or even your reputation.  Understanding the fundamentals of assessing and mitigating risk can help you make wiser decisions as you go about your daily life.


Risk Assessment starts by engaging in an activity.  For our purposes, an activity can be anything you do, such as running a business, hosting an event, or almost anything else you can think of where there may be some level of inherent risk.


Lots of people don’t realize it, but you’re constantly doing this process on a daily basis.  Something as simple as getting out of bed in the morning can involve the risk of falling which increases the likelihood of injury.  However, most of us realize that we have to get out of bed in order to do the things we enjoy in life, so we decide to take that risk every day.  I doubt any of us have penciled this out, but we have an inherent understanding of the costs and benefits associated with our actions.


Professional risk assessments are conducted when an activity has sufficient complexity that it is not obvious what steps should be taken to reduce the risk or where it may be unclear what the risks actually are.


A risk assessment generally includes 3 steps:


Step 1:  Assessment

In doing a risk assessment we’re going to take a look at our activity from every conceivable angle and try to determine what risks are associated.


Step 2: Evaluation (Risk acceptance, risk transferal, risk mitigation, or risk avoidance)

We’re going to rank the risks based on their probability and decide what strategies are available to reduce the risk.


Risk acceptance –

Risk Acceptance essentially means to do nothing.  Generally, you’re going to want to accept any risk that would either a) be cost prohibitive to mitigate or transfer or b) will cause negligible or minimal damage if realized.


Risk transferal –

Risk transferal means asking some other organization to take on the risk for you.  This usually takes the form of insurance, but can also involve shopping out portions of the assessed activity to a 3rd party, such as a specialty vendor.


Risk mitigation –

Risk mitigation covers every step you take YOURSELF to either a) prevent the risk from occurring entirely, or b) mitigate any serious consequences from the risk so they are manageable.  (For simplicity, we are combining the concepts of risk reduction and risk spreading in this article).


Risk avoidance – 

Risk avoidance occurs when you determine that the risks assessed outweigh the possible benefits of the activity.  When risk avoidance is chosen, the subject activity is often cancelled or heavily modified to account for this.  (Take for example, scheduling your beach vacation at the base of an actively erupting volcano).


Step 3: Recommendations

Based on the results of the evaluation, we are going to make recommendations that take into account all possible risk outcomes, while giving the asset the ability to still be used as it is intended.  For example, I could keep people from stealing my laptop by encasing it in a metal box with no openings, but then I would not be able to use my laptop.  Even though this might be identified as a form of risk mitigation, I would not list it as a recommendation because it would defeat the point of having the laptop in the first place.  Often, at the early stages of recommendations, the options that either severely limit functionality, or which are cost prohibitive, are dropped immediately.


What does a risk assessment look like in reality?


Let’s take an activity that most of us do every day – driving a car.  Despite deadly car crashes being on the news daily, I’m pretty sure none of us have stopped to say “wow, that’s a dangerous activity and I should stop doing it.”  But maybe you should. Let's compare the relative safety of driving a car with another mode of transportation, namely flying.


According to data from MIT [2], for airlines, only 1 death per 13.7 million passengers is expected as of 2024, which is the lowest it has ever been.  This means that statistically, you’d have to personally take more than 2 million flights per year in order to have a likelihood of dying in a plane accident.  Seeing as that equals almost 5,500 flights per day, we’re pretty far in the land of fantasy, but I’m sure we have all heard the phrase “if it’s Boeing, I’m not going” thrown around by both media figures and our friends.


Despite these widely available statistics, there are people who have sworn off flying after seeing several high-profile plane crashes.  This demonstrates a fundamental human deficiency in adequately assessing risk.


Conversely, research from the National Safety Council shows you have a 1 in 95 chance of dying in a vehicular accident in your lifetime [3].  In other words, if you ONLY drive to work and back.  And ONLY during the week.  And you never drive on the weekends.  And you take a two week vacation every year where you don’t drive, within around 20 years, the odds that YOU will die in a car crash become statistically significant.


You might be saying, “sure, driving is more dangerous, but it’s not like I can take a plane to work” (unless you’re a billionaire, in which case, we have excellent relationships with some personal protection specialists).  And you’re right.  Most people in the US live in areas where driving a car is an absolute necessity in order to go to work, find recreational activities, and buy groceries.


Since we’re still considering engaging in driving a car, let’s make a quick list of some of the major risks that might be associated with it.

  • Personal Injury or Death that is self-inflicted

  • Personal Injury or Death due to external factors

  • Damage to YOUR personal property resulting in financial cost to you

    • This may be due to negligence on your part, the part of another person or simply due to road hazards or unforeseen factors

  • Liability for damage to other people’s personal property caused by you

  • Liability for the injury or death of others


If you look at all those risks and think “Man, I should start taking the bus,” then congratulations, you have implemented one of our 4 strategies for remediation – Risk Avoidance (unless you live in New York City or Europe and you were already taking public transit, in which case, nice!). For most of us in the US, this is simply not an option, so let’s look at some of our options for how to mitigate this risk.


The first logical place to start is Risk Transferal.  If you are driving anywhere in the US except for New Hampshire (make sure to avoid that “die” part and remember to Live Free), it’s likely that the government has mandated that you engage in Risk Transferal by way of auto insurance.  Auto insurance takes the financial costs of the net risk of car crashes and spreads them out across all policy holders.  If the odds of paying out a claim in which someone was killed or seriously injured are 1 in 95, that means they are able to collect 94 premiums for every one they pay out.  At scale, that allows them to remain solvent while greatly reducing the likelihood of you personally going bankrupt for the injuries you cause someone in an accident.


If we were only concerned about the financial considerations, we might stop there, as many states require insurance that pays out regardless of fault.  But we should consider more than the financial cost of a car accident.  We can also pay with our time if we have to take off work or school because of an injury, or because our car is rendered un-drivable due to the accident.  For this reason, we also include a Risk Mitigation strategy in our plans.  Again, most of this is done for you and you may even take it for granted, but keep in mind that although the first Ford rolled off the assembly line in 1908, it took 60 years for seat-belts to become mandatory in all vehicles at the federal level.  Again, unless you live in New Hampshire, you probably don’t have a choice in that (legally speaking).  You do, however, have many choices when it comes to safety features on your car.  There are many different design configurations for crumple zones, airbags and other safety features which are installed in the car, as well as many online tools to help you compare them.  As cars have become smarter, we are even beginning to see lane detectors, automated emergency braking, and warnings when you may be merging into another car.


Now that we’ve done all of our risk mitigations, it is time to make our recommendations.  Depending on your risk appetite, you may desire a higher level of risk reduction, or be willing to take a bigger risk if there is some associated reward with that. For example, a Honda Civic is one of the safest and most reliable cars on the market.  They have mitigated much of the standard risk for drivers by also reducing your ability to look cool as hell when you’re driving.  On the other hand, a Lamborghini might be a much cooler car to drive, but it is definitively less safe and prone to mechanical failures.  How much you value the cool factor will determine how much you are willing to compromise on safety. Additionally, if you want, you are able to buy more insurance than the state minimums.  If you are worried about a particular outcome such as a lawsuit or high medical bills, this may be another recommendation to ensure you’re covered in the instance of an adverse event.


By now, you should have more than enough information to make simple risk assessments and mitigate everyday risk.  If you have a complicated situation, you should call an expert, which is what we specialize in.  Check out the Contact Us page to start a conversation about how we can best serve your needs.  If you want to secure your access to quality content like this, you can subscribe to our newsletter, which will notify you when we post new content like this.  See you next time.

 

Sources:

[4] ASIS International, Physical Security Principles, 2015

 
 
 
