Security risk management is a broad and challenging topic. So what does it involve? It’s essentially the ongoing process of identifying security risks and then implementing plans to address them. It’s about considering the likelihood that known threats will happen, how these threats might exploit any vulnerabilities in your security protection, and the impact they could have on your organisation.
As ASIS International explains: “The term risk management has been in common use in other fields such as insurance, business R&D for many years. However, it has been recently been applied in security management and asset protection. The concept is a perfect fit, as security’s primary objective is to manage risks by balancing the cost of protection methods with their benefit.
To manage risk effectively, a security professional would reduce or limit the total number of incidents leading to loss. A goal of risk management is to manage loss effectively at the least cost. In fact, many professionals believe that risk is the most significant factor that drives the deployment of security.”
The 3 main security risk categories to consider
In risk management, every threat is put into one of three categories: physical threats, human threats or cyber threats. Let’s look at these in the context of access control.
- Physical threats – for example, a criminal smashes a door to gain entry.
- Human threats – for example, an employee makes a mistake or deliberately gives access permissions to someone who’s not authorised for them.
- Cyber threats – for example, someone hacks into your access control database and steals employee data or changes access control permissions.
The threat of natural disaster is, of course, another consideration to take into account when carrying out your risk assessments.
In security, protection methods are becoming more IT-orientated, so there’s often a convergence between physical security risks and cyber security risks. For this reason, it’s increasingly important for teams responsible for physical security to work closely with teams responsible for IT and cybersecurity.
Important areas of focus for your security risk strategy
Drawing up a strategy for security risk management can be a big undertaking, so it helps to break it down into manageable projects. Some of the key areas to focus on are:
- Emergency management – so you’re able to take the right actions, immediately, if an emergency happens.
- Business continuity – so you can identify what would affect your business continuity, how to mitigate the risks and how to protect business continuity if the worst happens.
- Security and asset protection – so you can adequately protect the physical and intellectual assets that are valuable to your organisation.
- Occupational health and safety – so you can consistently and accurately restrict unauthorised access to areas that present health and/or safety risks.
- Securing budget – so you’re able to invest in the security systems you’ve identified.
The latter can be particularly difficult for security professionals. In most industries, it’s possible to present a clear, predicted return on investment. Whereas buying security technology is almost always seen as an outlay rather than a valuable investment to decisionmakers.
The challenge is to demonstrate the size of each risk and the potential costs, losses and other repercussions if they’re not mitigated by security systems and processes. This isn’t always a direct monetary cost, but it can have a dramatic effect on the bottom line. A security breach can, for example, lead to reputation damage that affects customer loyalty and causes a drop in sales.
3 key requirements when creating your security risk strategy
1. Clear thinking
Every organisation faces different risks. So the first crucial step is to know what risks you face now and are likely to face in the future. Remember to consider physical security risks, human security risks and cyber security risks.
Then, it’s important to map out each risk and how you plan to mitigate it. To help with this, there are various useful concepts. One such concept is the five avenues, through which you consider risks in the following ways.
- Risk avoidance
This is the most direct way to remove risk. Most organisations can’t avoid risk altogether, however, because it would prevent them fulfilling their core offering or business objectives. A bank could, for example, avoid risk by not storing money on its premises – but storing money is one of its key business functions.
- Risk spreading
How can you spread your valuable assets across your estate to ensure they’re not collated in one area of vulnerability? Once you’ve spread your assets out, you can protect them through multiple forms of physical security systems and procedures, and your overall risk mitigation strategy.
- Risk transfer
Risk can be transferred by ensuring compensation for any loss or costs. An example of this is setting up insurance to mitigate against the cost of an incident or loss.
- Risk reduction
How can you reduce risk? For example by minimising the number of entrance points and communal areas that provide a journey towards your valuable assets.
- Risk acceptance Not all risks can be mitigated against. So it can be helpful to acknowledge that there’s a potential risk but being willing to accept it. You might, for example, accept the risk of people gaining entry to your main reception, as the potential for loss there isn’t too high.
2. A layered approach
Next, consider how you’ll layer your security so your most valuable assets, or the assets that would lead to greatest loss, are the best protected. View security like an onion. So the perimeter of a site, for example, is the outer skin. While a vault would be at the very centre of the onion protected by layers of security.
This may include, for example:
- Layer 1 – a barrier with vehicle recognition on the estate’s perimeter.
- Layer 2 – card entry at reception and communal areas.
- Layer 3 – card and PIN verification to enter higher-security zones.
- Layer 4 – a card and PIN and/or biometric reader for double or triple verification to enter the vault.
3. The right tools
Once you’ve mapped out your organisation’s specific security risks, and thought how to layer your protection, it’s time to select products and processes to mitigate and manage your risks. And also plan how you’re doing to use them for optimum effect.
When you’re doing this, remember to think about potential future risks as well as those you face now. And also take the following into account to reduce the number of incidents possible:
- Location – for example the surrounding geography, terrain and positioning on the site.
- Structural design – the size and shape of buildings and sites and the materials used.
- Security layers or zones – so you can ensure all assets gets the appropriate level of protection.
- Clear zones – for surveillance, threat detection and standoff.
- Access control – for controlling access to sites, buildings and the rooms and locations within them.
- Positioning of security equipment – strategic placement can dramatically increase performance.
Remember to mitigate strongly against insider human threats
The biggest type of threat to an organisation is always human threat. So remember that any products and processes you use must be user-friendly to ensure they’re operated correctly, efficiently and effectively. Alarm handlers, such as the AEOS graphical alarm handler, are really useful to identify and highlight threats, giving you as much time as possible to respond accordingly.
Training is key to make sure employees know how to identify threats, manage events and react appropriately to reduce the risks posed by each threat.
Also, bear in mind that it’s no good having a security system that offers an incredibly high level of protection if it’s operated by someone who can’t be trusted. This is why vetting is vital to ensure you’re working with trustworthy people who have the appropriate skills and capabilities. A system with the ability to hide sensitive data will help you to manage this threat, and the option to do a full system audit will also help with any post-incident analysis needed.
A futureproofing approach is essential
Cyber threats are increasingly apparent and raise additional risks, which is why it’s vital to take future risks into account when creating your strategy. From a system point of view, it’s crucial to choose one with no end-of-life, which can be upgraded to manage current and future threats. And ensure it works hand in hand with your constantly evolving security risk management strategy.
Want to talk about the role access control and AEOS can take in your security management strategy? Visit us at the ASIS Europe Online Congress on 2 March.
Be a security expert
Interested in security management technology trends? With our newsletter you will receive updates from our blog on a regular basis.
Frequently asked questions
At a very basic level, access control is a means of controlling who enters a location and when. The person entering may be an employee, a contractor or a visitor and they may be on foot, driving a vehicle or using another mode of transport. The location they’re entering may be, for example, a site, a building, a room or a cabinet. We tend to call it physical access control to differentiate it from access control that prevents people from entering virtual spaces – for example when logging into a computer network.
If you decide to use an access control system, it’s probably because you want to secure the physical access to your buildings or sites to protect your people, places and possessions. That’s just the start for access control systems though. The right system, used well, can add value in a range of ways. You can use it, and the data it generates, to boost not just security but productivity, creativity and performance.
Today, physical security is about so much more than locks and bolts. Many modern physical access control systems are IP-based, powered by smart software and able to process large quantities of data. This provides more functionality, flexibility, scalability and opportunities for integration. It also means they’re part of your IT network, so it’s essential they’re protected and upgraded – just like your other IT systems.
From our perspective, a centralised access control system is always preferable – whether you have just two locations in the same town or hundreds spread around the world. Centralising your access control brings a range of far-reaching benefits.
For the people using your building, biometrics can give a better experience compared to an access badge. These days, biometrics are used for both identification and verification – sometimes even both at the same time. Being allowed to enter your building just by scanning your hand or face makes access control more convenient than ever.
Mechanical keys are the simplest form of physical access control and the method many smaller organisations use. Even for a small company, however, using mechanical keys has several flaws and limitations – especially as an organisation gets bigger. Below are just some of the problems presented by using keys.