WIXLIB

Available online at www.sciencedirect.comProcedia Engineering 43 (2012) 600 – 609International Symposium on Safety Science and Engineering in China, 2012(ISSSE-2012)The Security Risk Assessment MethodologyChunlin Liua,*, Chong-Kuan Tanb, Yea-Saen Fangb, Tat-Seng LokcaConstruction Management Department of Tsinghua UniversityK&C Protective Technologies Pte Ltd,125A #02-132, Toh Payoh Lorong 2, Singapore 311125cNanyang Technological University, c/o Protective Technology Research Centre, School of Civil & Environmental Engineering, Nanyang Avenue,Singapore 639798bAbstractThere is an increasing demand for physical security risk assessments in which the span of assessment usually encompasses threats fromterrorism. This paper presents a brief description of the approach taken by the author’s organization based on a systematic computation ofratings, which are further supported by logical arguments backed by factual data. The procedure compiles the results of the threatassessment, vulnerability assessment and impact assessment to arrive at a numeric value for the risk to each asset against a specific threatgiven by:Risk Rating(R) Threat Rating (T) x Vulnerability Rating (V) x Impact Rating (I)This systematic approach could assist decision-makers in selecting risk management strategy by ranking various threats in accordance totheir respective Risk Profile. Following which mitigation measures can be explored to reduce the risk for valuable assets, and a logicalprioritization for implementation can be achieved. 2012 Published by Elsevier Ltd. Selection and/or peer-review under responsibility of the Capital University of Economicsand Business, China Academy of Safety Science and Technology. Open access under CC BY-NC-ND license.Keywords: Safety Rating, Risk and Threat Assessment, Methodology, Vulnerability, Security1. INTRODUCTIONThere is an increasing demand for physical security risk assessments in many parts of the world, including Singapore andin the Asia-Pacific region. This has arisen for a number of reasons. One is the stake for which economies and businesseshave become too critical to be ignored, particularly if a low-cost counter-measure perceived security incident giving rise todevastating consequences. Secondly, economies and businesses increasingly see the need to take due diligence and riskmanagement steps to manage physical security risks and to protect their critical assets, just as they would of other risks suchas financial/capital assets.Physical security risk assessment of threats including that from terrorism need not be a black box art nor an intuitiveapproach based on experience. Increasingly, rigor is being demanded and applied to the security risk assessment process andsubsequent risk treatment plan.This paper presents a short background study and description of the systematic risk assessment methodology used by theauthor’s organization.* Corresponding author. Tel.: (65) 62580620; fax: (65) 62586210.E-mail address: liu.chun.lin@kcpt.com.sg1877-7058 2012 Published by Elsevier Ltd. Open access under CC BY-NC-ND license.doi:10.1016/j.proeng.2012.08.106

Chunlin Liu et al. / Procedia Engineering 43 (2012) 600 – 6096012. CUSTOMISING THE RISK ASSESSMENT METHODOLOGYCurrently, there exist a number of industry publications on the topic of risk assessment. A Reference List is providedwhich includes some of the best guidelines at the present time. Notably, the publications from Sandia Laboratory SecurityRisk Assessment and Management [3] and from the Federal Emergency Management Agency (FEMA), which publishes anumber of guidelines, are worthy references. A relevant publication is FEMA 426 Reference Manual to Mitigate Potentialterrorist attacks against Buildings [4]. In Singapore, the authorities recommend two publications by the local authorities [12] which are often cited in risk assessments and risk management solutions.Based on industry guidelines in the above publications, and coupled with the author’s in-house expertise and practicalexperience, we have developed a systematic risk assessment methodology which is appropriate to Singapore and to theAsia-Pacific region.2.1. Importance of Risk AssessmentRisk assessment is a crucial, if not the most important aspect of any security study. It is with an accurate andcomprehensive study and assessment of the risk that mitigation measures can be determined.The objective of Risk Assessment is to identify and assess the potential threats, vulnerabilities and risks to which afacility under assessment is exposed to and their impact on its primary services and operations.Risk Assessment also establishes the basis and rationale for mitigation measures to be planned, designed andimplemented in the facility so as to protect the lives of people and to reduce damage to properties against potential threats.2.2. Methodology of Risk AssessmentThere are numerous methodologies and technologies for conducting risk assessment. One approach is to assemble theresults of a Threat Assessment, Vulnerability Assessment, and an Impact Assessment to determine a numeric value of Riskfor each asset and threat pair.Fig.1 Illustration of Risk Assessment ProcessThe Risk Assessment methodology introduced herewith employs both quantitative and qualitative techniques to providefindings resulted from a systematic computation of ratings, which are supported by logical arguments backed by factual data.It is based on the methodology used by the Federal Emergency Management Agency (US) [4- 5] and on a similar riskassessment model to mitigate potential terrorist attacks against buildings.The methodology compiles the results of the threat assessment, vulnerability assessment and impact assessment to arriveat a numeric value for the risk to each asset against specific threat in accordance with the risk formula:Risk T x V x I(1)WhereT Threat Rating, V Vulnerability Rating and I Impact RatingThe entire process of Risk assessment can be summarized as:xidentify the assets and people that need to be protected.xperform a threat assessment to identify and define the threats that could cause harm to the facility and its inhabitants.Identify assets and threats.xConduct a vulnerability assessment to identify weaknesses that might be exploited by a terrorist or aggressor.xCompute the risk using the results of the asset value, threat, and vulnerability assessments.

602Chunlin Liu et al. / Procedia Engineering 43 (2012) 600 – 6092.3. Identification of Critical Assets to be ProtectedPrior to conducting a Risk Assessment, it is most important to identify all the critical assets within the facility that requireprotection.Assets are resources of value to the facility, which can be tangible (e.g., tenants, installations, facilities, equipment,activities, operations, and information) or intangible (e.g., processes or a company’s reputation). In order to achieve thegreatest risk reduction at the least cost, identifying and prioritizing the facility’s critical assets is a vital. This can beaccomplished by defining/ understanding the facility’s core functions and processes; and by identifying infrastructures/components within the facility that are essential to achieving and maintaining such core functions and processes. The detailscan be tabulated to list these assets and their corresponding redundancy and recovery plans, so that reference can be made inthe course of Risk Assessment. Table 1 shows an example of this process.Table 1 – List of Critical Facilities in the Facility under AssessmentRef NoNameAssetofDescription of AssetASST01Asset Ae.g. Production system ASST02Asset Be.g.EmergencysupplyASST03 powerRedundancyRecovery Plan(Quantity & Readiness)(Repair/ Replacement Cost & Time)e.g. 100% redundancy, but requires 2 hours leadtime to fully activate.e.g. 10,000 - 50,000/ 6 monthse.g. 1 no 2 cells on hot standbye.g. 200,000 / 3 months 2.4. Identification of Potential ThreatsThe preliminary step in the Risk Assessment process is to subject the facility under assessment to a list of threats; andassess the applicability and probability of occurrence of such threats at the facility based on geopolitical situation, currentevents, and historical data within the region that are relevant to the facility.In many cases, such a list of possible or potential threats is compiled based on known criminal and terrorist activitieswithin the region where the facility is located. In others, the list may be prescribed by government agencies or the bodyauthorizing such Risk Assessment. Table 2 below shows a list of threats that are commonly used for Risk assessment in, forexample, Singapore.It is important to note that certain threats are peculiar to a particular security environment whilst others can occur at anytime under any environment. One common way of defining such different environments within which different levels ofthreats prevail is to categorize them into Peacetime (PT) and Heightened Security (HS) periods.xPeace Time (PT) - Time whereby the prevalent security situation is normal both at the national level and the facilitylevel. High-level security threats are not expected to occur. For the purpose of Risk Assessment, it is commonlytaken that baseline security measures are in place at the facility.xHeightened Security (HS) – A period of heightened state of alert as a result of present and lurking aggression fromknown criminal or terrorist organizations. Heightened Security situation may also be declared when intelligencefrom government agencies indicates a high risk of terrorist attacks. During Heightened Security period, securitymeasures are expected to be strengthened whilst maintaining general daily routines.Table 2 – List of Conventional Threat Scenarios (The table below illustrates possible threat scenarios that are commonly considered in Risk Assessments.Actual threat scenarios to a particular facility shall be assessed on a case-by-case basis)S/NoThreatDescriptionPossible Mode of AttackApplicableDuringT1Theft / BurglaryUnlawful removal of property from the facilityduring and/or after business hours committed bylone motivated individuals (insiders/outsiders) ororganized syndicates.Unauthorized access with or without the use ofspecial tools and equipment, including theft ofIntellectual Property by Industrial Espionage.PTRemoval of valuables by force or threat of forceor by fear. May occur during and/or afterbusiness hours and may be committed bymotivated individual(s) or organized syndicates.Use of physical force, threat of bodily harm orintimidation of visitors and staff with or withoutuse of weapons (either lethal or non-lethalweapons).PTT2RobberyHSHS