In your own words, describe the elements of a risk analysis and the required skills for performing a risk analysis. What types of evidence are you looking for when you conduct a risk analysis and how do you find them?
Businesses and organizations are in place to provide services or products to customers and usually conduct the appropriate research to find the right marketplace to succeed. A thorough risk analysis involves evaluating the extent of an organization’s current assets and any countermeasures already in place, and determining any previous security issues. This process involves research, data collection, and synthesis and evaluation of the data. Many organizations have only done the research for the products or services that they provide and have neglected potential pitfalls and security and countermeasures that can keep them in business if threats occur.
In Module One, you will explore the concepts of what a risk analysis is, the skills needed to conduct a risk analysis, and the types of evidence needed, as well as ways to conduct research in order to gain that evidence.
The information in this module focuses on what a risk analysis is and why it is important. Security professionals are well versed in protecting assets, but if they do not conduct risk analyses, then they have no idea what assets they are protecting or how they should protect them. A risk analysis is the foundation for any and all security measures (Norman, 2010).
Many skills are required in order to conduct an appropriate risk analysis. According to Norman (2010), one of the first items needed is the mission statement of the business or organization that is undergoing the risk analysis. By obtaining the mission statement, one can understand the organization’s goals and its plans to accomplish its mission. In order to begin, one must also find out what programs the organization has, its assets, and what countermeasures it already has in place, if any. Gathering data is one of the most important skills to have when conducting a risk analysis (Norman, 2010).
Other skills needed are the ability to conduct research and gather evidence. This is done by conducting interviews, researching the organization on the internet, potentially conducting surveys of employees and/or nearby residents, and reviewing previous security issues at the location, to name a few (Norman, 2010).
According to Norman (2010), critical thinking (like deciding what questions to ask during interviews and/or surveys), quantitative and qualitative analysis, countermeasure selection through cost-benefit analysis, and the ability to accurately organize and write a report, are all skills needed for an individual to properly conduct a risk analysis.
Norman, T. L. (2010). Risk analysis and security countermeasure selection. Boca Raton, FL: CRC Press.This article provides another perspective on the importance of risk analysis.
*******In response to your classmates, indicate three skills that you believe are the most important for conducting a risk analysis and how would you obtain the information you are looking for.
Peer post 1
As odd as it may sound a risk analysis is a subjective endeavor. I say that because 1st Interstate Bank is going to approach a risk analysis from a different perspective and with different priorities than the Santa Monica Police Department which has different priorities and perspectives than the Marine Corps Squadron VMF-214. However, while a risk analysis may differ from organization to organization, they do have fundamental similarities. Each one is designed to identify threats and vulnerabilities, provide either a qualitative analysis, quantitative analysis or a hybrid of both, risk assignment or transfer of that risk to a third party and select the most appropriate countermeasures. In addition, the skills required to perform a risk analysis are similar, regardless of the organization. The first step in any risk analysis is identifying the mission statement of whatever organization or business you’re doing the analysis for. That way you can understand the goal of that organization and how they intend to accomplish those goals. Then you need to find out what measures, if any, they already have in place, its assets, and any countermeasures, if any, they have in place.
I come from a Naval Intelligence background, the Cold War era, which means I’m old, but I have always found Human Intelligence to be extremely beneficial; sometimes more so than more sophisticated forms of intelligence. I mention this, because as our references mention the gathering of data is one of the most important skills in a risk analysis and what better way to gather that data than going to the organization’s or businesses employees. These folks are in the trenches and know firsthand how well or ineffective the organization’s security or countermeasures are. To do this means you have to have very good interviewing skills. You need to make people feel comfortable with you, trust you to be open and honest. Perhaps the most important skill, not sure if it’s a skill or not, but you need to be able to think critically and be objective about the analysis. The best way to accomplish this is the test the organization’s security and countermeasures yourself.
Step outside of the company and become the attacker. Can you easily bypass their firewalls and steal corporate data? How easy is it to smuggle documents out of the organization? If you can successfully attack your organization or business than you can do a better threat analysis and come up with better countermeasures.
Peer post 2
The reason for a risk Assessment is the keep your staff and your business information or secrets safe for competitions and persons who may want to do you or your business harm. It also protects your staff from being place into unsafe positions or lactations without the proper equipment of means to keep them as safe from danger and possible. The person conducting the Risk assessment will look for all risk in a company area and try to minimize the danger of injury form all items or threats which can be identified and located on site or in the nearby area. Then figure out safe guard to stop these threats to staff and equipment as much as possible to reduce possible of any harm to company property or personnel working in this location.
The items needed to conduct a proper, Risk Assessment or Analysis are the mission statement of the Company or Organization you are working for with all their property, holding, assets and service they provide to their clients an other companies they service to gain profits in the type business they are dealing in servicing.
The types of evidence I would look for is building, cars and other equipment use the company to conduct their day to day operations. I will find most of this information by talking with the companies Chief Financial Officer, how will have tax paperwork on all items which company has purchased or rented for use in its daily activities for conduct business also well as any service orders placed for service of this company equipment. As well service personal information on people who service company equipment background checks and other information to help increase your security measures and access to your business areas for maximum safety for all business materials and staff information.
In some cases, special equipment or personnel maybe needed to increase protection of business assets, equipment or personnel in some cases also access controls like ID card for enter into areas with passcodes and biometric reading as well to enter some area with more sanative information and company material located there.
The risk objectives change with the different type of risk that you are trying to prevent from happening in the first place. Protection from Natural Disasters, Fire Hazards, Terrorism and War are all different. Also, they require different types of people and knowledge to protect these locations form these different threats to safety of the location and personnel working within area.
To complete this assignment, review the Discussion Rubric document.