What is a risk (generic)

• A definable event: an expression of possible impending negative impact which may affect the objectives of an organization.
• A risk is not a problem. A problem is a risk whose time has come.
What is Risk?

• An event or condition that in most cases may lead to a negative effect, one that can compromise the objectives of the organization.
• A risk is not a problem. A problem is a risk whose time has come.
Characteristics of Risk

• Probability of occurrence: frequency of occurrence
• Consequence (impact) of occurrence: degree of severity
Characteristics of Risk

• Probability of occurrence: frequency
• Consequence (effect) of occurrence: intensity of the impact
What can cause disruption in business and in society?
• Fire
• Strikes, riots
• Accidents
• Violence
• Sexual harassment
• Infectious diseases
• Natural disasters
• Computer hacking
• Terrorism
Elements of Risk
Risk involves three kinds of element:
1. Assets: the things the organization owns
2. Threats: events that can create a situation endangering an asset
3. Vulnerabilities: conditions or surroundings that make an attack by a threat easier
Risk Management Process
1) Identify assets to be protected.
2) Assess assets.
3) Assess threats.
4) Assess vulnerabilities.
5) Assess risks.
6) Determine countermeasure options and estimate costs.
7) Make risk management decisions.
Risk Management Process
1) Identify the critical assets to be protected.
2) Assess assets.
3) Assess threats.
4) Assess vulnerabilities.
5) Assess risks.
6) Determine countermeasure options and estimate costs.
7) Make risk management decisions.
IDENTIFY ASSETS

• Material
• Equipment
• Facilities
• Processes
• Intellectual Property
• Reputation
• Personnel
• Records
Identify Critical Assets
• Critical materials
• Intellectual property
• Reputation
• Critical equipment
• Stakeholders
• Critical facilities
• Important records
• Critical processes
ASSESS ASSETS
• What is the impact of loss, damage, compromise, or interruption of operations?
• What does the facility stand to lose?
• What does an adversary stand to gain?
• What is the impact of loss on the organization?
• What is the potential impact on people's lives?
• What is the cost of replacement or repair?
• Prioritize according to overall impact.
• Assign weighted scores.
Assess Assets
• What is the impact of loss, damage, compromise, or disruption of operations?
• What facility would be lost?
• What critical benefit would an adversary gain?
• What is the impact of the loss on the organization?
• What is the impact on the community?
• What is the cost of replacement or repair?
• Prioritize according to overall impact.
• Assign priority ratings according to criticality.
Assessment begins with Adversary Characterization

1. Who: People most likely to threaten the assets
2. How: Tactics and techniques likely employed
3. What: Tools, weapons and materials available
4. When: Time periods of greatest vulnerability
5. Where: Most likely points of attack
6. Why: Adversary motivation and objectives
Assessment Begins with Adversary Characterization
1. Who: the people most likely to threaten the critical assets
2. How: the tactics and techniques likely to be used
3. What: the tools, weapons and materials they possess
4. When: the periods of greatest vulnerability
5. Where: the most likely points of attack
6. Why: the adversary's motivation and objectives
ASSESS THREATS

Who are the adversaries?
• Terrorists
• Anarchists
• Extremists
• Fanatics
• Competitors
• Criminals
• Natural disasters
• Contagious diseases
• Endemics

What is the motive?
• Revenge
• Labor unrest
• Competition
• Greed
• Vandalism
• Ego
• Political motive
• Opportunity
• Flood, earthquake
Assess Threats

Who is the adversary?
• Terrorists
• Anarchists
• Extremists
• Fanatics
• Competitors
• Criminals
• Natural disasters
• Endemics
• Infectious diseases

What is the motive?
• Revenge
• Labor unrest
• Competition
• Greed
• Vandalism
• Political motive
• Opportunity
• Flood, earthquake
CHARACTERISTICS OF ADVERSARY
• Knowledgeable, skilled, and well equipped.
• Use of sophisticated penetration aids and
methods.
• Highly organized.
• Dedicated.
• Familiar with security systems and operations.
• Stay-behind.
• Plant covert devices.
• Stealth.
• Diversionary tactics.
• Stand-off surveillance.
Characteristics of the Adversary
• Knowledgeable, skilled, and well equipped.
• Use of sophisticated penetration/intrusion tools and methods.
• Highly organized.
• Strongly dedicated.
• Familiar with security systems and their operation.
• Usually stays behind late, lying in wait.
• Plants surveillance devices.
• Skilled at deception.
• Skilled in diversionary tactics.
• Conducts surveillance from a distance.
ASSESS VULNERABILITIES

• What weaknesses could be exploited to result in loss, damage, compromise, or disruption?
• Determine functional requirements of the physical security system.
• Assess physical, technical, and operational aspects of the site.
Assess Vulnerabilities

• What weaknesses could be exploited to cause loss, damage, compromise, or disruption?
• Determine the functional requirements of the physical security system.
• Assess the physical, technical and operational aspects of the site.
Physical Aspects

• Perimeter barriers
• Building construction and layout
• Facility layout
• Access roads
• Response vehicles and equipment

Physical Aspects

• Perimeter barriers
• Building construction and layout plan
• Facility site layout plan
• Access roads
• Response vehicles and equipment
ASSESS VULNERABILITIES (CONT.)

Technical Aspects

• Existing physical security systems and equipment
• Communications
• Power and signal distribution infrastructure
• Lighting
Technical Aspects

• Existing physical security systems and equipment
• Communications
• Power and signal distribution infrastructure
• Lighting at the facility site
ASSESS VULNERABILITIES (CONT.)
Concept of Operations:
Pre-planned, integrated operation of:
• Personnel
• Procedures
• Equipment
• Security Concept
First: Deter, Detect, Delay, and Determine/Assess
Then: Respond, Detain, or Destroy
Operational Aspects
Concept of Operations:
• A pre-planned, integrated operation involving:
• Personnel
• Procedures
• Equipment
Security Concept
• First step: deter, detect, delay and assess
• Next step: respond, detain or destroy
ASSESS VULNERABILITIES (CONT.)

Location of Facility:

• High threat area
• Nearness of outside human activity
• Accessibility of facility
• Proximity of other buildings
• Nearness of response forces
• Vehicle access roads
Location of the Facility/Site

• High-threat area
• Presence of outside human activity
• Accessibility of the facility
• Distance to other buildings
• Presence of response forces
• Vehicle access roads
ASSESS VULNERABILITIES (CONT.)

• Measure of effectiveness of existing security system: Timely Detection.
• Timely Detection: minimum cumulative probability of detection while enough time remains to respond.
• Identify adversary paths to target:
• What deterrents must the adversary overcome?
• How much delay time do they provide?
• What is the probability of detection?
Assessing the Effectiveness of the Security System
• Detection that is timely.
• The minimum probability of detection at a point that still leaves enough time to respond.
• Identify the adversary's paths to the target:
1. What obstacles must the adversary overcome?
2. How much delay time do they provide?
3. What is the probability of detection?
ASSESS VULNERABILITIES (CONT.)
Adversary is successful if:

• He (she) is quicker than response forces. (Detection is not a concern.)
• He (she) escapes detection. (Time is not a concern.)
The adversary will succeed if:

• They are quicker than the response force. (The detection system is not a concern.)
• They manage to escape detection. (Time is not a concern.)
ASSESS VULNERABILITIES (CONT.)

Assign a weighted score to the most feasible threat to each asset and/or to the threat presenting the lowest measure of effectiveness (timely detection).
Risk Analysis Model

Assets are exposed to attacks or negative consequences.
Threats and Vulnerabilities: (+) increase likelihood or impact.
Controls: (-) decrease likelihood or impact.
ASSESS RISKS
• The level of risk is specific to each asset.
• Up to this point, we have:
  • Identified assets,
  • Assessed assets,
  • Assessed threats, and
  • Assessed vulnerabilities.
ASSESS RISKS

Now we must consider the probability of occurrence of an adversarial action.

• PROBABILITY = THREAT X VULNERABILITY
• Worst case threat to each asset.
• Worst case vulnerability of that asset.

ASSESS RISKS (CONT.)

RISK = IMPACT X PROBABILITY
(severity of impact x probability of occurrence)

ASSESS RISKS (CONT.)

• Prioritize assets according to severity of impact of loss, damage, compromise, or disruption of operations.
• Select quantified (scored) worst case threat to that asset.
• Select quantified (scored) worst case vulnerability to that asset.
• Calculate probability of occurrence.
• Calculate risk.
Select countermeasures appropriate to the level of risk that management is willing to accept.
DETERMINE COUNTERMEASURES OPTIONS

Consider all of the options:

• Do nothing
• Upgrade existing system
• Augment existing system
• Replace existing system
• Modify concept of operation
• Retrain personnel
• Re-equip personnel
• Relocate assets
• Re-evaluate physical security objectives
DETERMINE COUNTERMEASURES OPTIONS

Consider costs of countermeasure options:

• Purchase or development
• Installation and test
• Training
• Operation
• Maintenance and logistics
• Life expectancy
• Perform trade-off studies and cost-benefit analyses
MAKE RISK MANAGEMENT DECISIONS

Identify Assets -> Assess Assets, Assess Threats, Assess Vulnerabilities -> Assess Risks -> Determine Countermeasure Options -> Make Risk Management Decisions

Cost Analysis and Benefit Analysis feed the decision:

• Willing to accept cost of countermeasures
or
• Willing to accept consequences of loss
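The ASSESS RISKS slides (PROBABILITY = THREAT X VULNERABILITY, RISK = IMPACT X PROBABILITY, worst-case scoring and prioritization) and the countermeasure slides (option costs over the life expectancy, trade-off against the risk level management will accept) describe one calculation chain. The following Python is an added example written for this page, not code from the original slides; the 1-to-5 scoring scale, the assets, threat and vulnerability scores, countermeasure costs and the acceptable-risk threshold are all constructed values, and the rule of choosing the cheapest lifecycle cost that brings risk within the threshold is one possible decision rule, not one the slides prescribe.

```python
from dataclasses import dataclass

# Assumed scoring convention for this example: weighted scores from 1 (lowest) to 5 (highest).
SCORE_MIN, SCORE_MAX = 1, 5


@dataclass
class Asset:
    name: str
    impact: int            # severity of impact of loss, damage, compromise or disruption
    threats: dict          # threat name -> threat score
    vulnerabilities: dict  # weakness name -> vulnerability score


@dataclass(frozen=True)
class Countermeasure:
    name: str
    purchase: float
    install_test: float
    training: float
    operation_per_year: float
    maintenance_per_year: float
    life_years: int
    residual_vulnerability: int  # worst-case vulnerability score once the measure is in place

    def lifecycle_cost(self):
        """Total cost over the measure's life expectancy (constructed cost model)."""
        yearly = self.operation_per_year + self.maintenance_per_year
        return self.purchase + self.install_test + self.training + yearly * self.life_years


def worst_case(scores):
    return max(scores.values())


def probability(asset, vulnerability=None):
    """PROBABILITY = worst-case THREAT x worst-case VULNERABILITY (or a residual one)."""
    v = worst_case(asset.vulnerabilities) if vulnerability is None else vulnerability
    return worst_case(asset.threats) * v


def risk(asset, vulnerability=None):
    """RISK = IMPACT x PROBABILITY."""
    return asset.impact * probability(asset, vulnerability)


def prioritize(assets):
    """Highest risk first; ties broken by severity of impact."""
    return sorted(assets, key=lambda a: (risk(a), a.impact), reverse=True)


def decide(asset, options, acceptable_risk):
    """Trade-off study: cheapest option whose residual risk management will accept.
    Returns (decision, chosen option or None, resulting risk)."""
    current = risk(asset)
    if current <= acceptable_risk:
        return ("do nothing", None, current)
    viable = [o for o in options if risk(asset, o.residual_vulnerability) <= acceptable_risk]
    if not viable:
        return ("accept consequences of loss or re-evaluate security objectives", None, current)
    best = min(viable, key=Countermeasure.lifecycle_cost)
    return ("accept cost of countermeasure", best, risk(asset, best.residual_vulnerability))


# Constructed sample assets and scores (illustrative, not from any real assessment).
CUSTOMER_RECORDS = Asset("customer records", impact=5,
                         threats={"criminal theft": 4, "disgruntled insider": 3},
                         vulnerabilities={"unmonitored server room door": 4, "no visitor escort": 2})
GENERATOR = Asset("backup generator", impact=3,
                  threats={"vandalism": 3}, vulnerabilities={"gap in perimeter fence": 3})
LOBBY = Asset("reception furniture", impact=1,
              threats={"vandalism": 2}, vulnerabilities={"open lobby": 5})

# Constructed countermeasure options for the records asset (hypothetical costs).
RECORDS_OPTIONS = [
    Countermeasure("card-access door", 8000, 2000, 500, 300, 400, 10, residual_vulnerability=2),
    Countermeasure("card-access door + monitored CCTV", 15000, 4000, 1000, 2000, 1500, 10,
                   residual_vulnerability=1),
    Countermeasure("24x7 guard post", 0, 0, 2000, 60000, 0, 10, residual_vulnerability=1),
]
ACCEPTABLE_RISK = 30  # assumed level of risk management is willing to accept

if __name__ == "__main__":
    for asset in prioritize([LOBBY, GENERATOR, CUSTOMER_RECORDS]):
        print(f"{asset.name:<22} impact={asset.impact} probability={probability(asset):>2} "
              f"risk={risk(asset):>3}")
    decision, option, residual = decide(CUSTOMER_RECORDS, RECORDS_OPTIONS, ACCEPTABLE_RISK)
    chosen = f"{option.name} (lifecycle cost {option.lifecycle_cost():,.0f})" if option else "-"
    print(f"customer records: {decision}; {chosen}; residual risk {residual}")
```

With the sample scores the records asset is ranked first (risk 80), the cheapest door upgrade alone leaves risk at 40 and fails the threshold, and the guard post passes but costs roughly ten times the monitored door over its life, so the trade-off study selects the monitored door. The generator sits under the threshold at 27 and gets "do nothing"; lowering the threshold with no options on the table surfaces the other branch of the final slide, accepting the consequences of loss.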
A GOOD RISK MANAGEMENT PROGRAM INVOLVES FOUR BASIC STEPS

1. Identification of risks or specific vulnerabilities.
2. Analysis and study of risks, including the likelihood and degree of danger of an event.
3. Optimization of risk management alternatives.
4. Ongoing study of security programs.