International Security Technology, Inc., New York City. TerrorismRisk.Doc: Terrorism, How To Manage This New Risk. Robert V. Jacobson, CISSP, CPP.


Slide 2: The Agenda (6 February 2002, Copyright © 2002 International Security Technology, Inc.)
- A true story from the past.
- Thinking about Risks.
- Risk Management of Terrorism.
- Questions and Answers.

Slide 3: A Fable for Our Times
- About twenty-five years ago, a pal, security manager for a financial organization, called me and asked:
- “Bob, is it OK if my organization moves its offices to a high floor at the World Trade Center?”
- I asked: “Have you already made the decision?”
- “Well, yes, we have. We’re going to move.”
- What did I say next?

Slide 4: A Fable for Our Times
- I wanted to rub it in a bit. “Then why are you asking me after the fact?”
- “I just wanted to know what you think.”
- I would like to be able to tell you that I had a powerful crystal ball that I could consult, but I didn’t! Here is what I said…

Slide 5: A Fable for Our Times
- “Whatever risks you had in your old location (in a low-rise office building in the Wall Street area), you still have, but now you have whatever additional risks you get from being 100 floors above the street.”
- “Like what?” he asked.
- What did I say?

Slide 6: A Fable for Our Times
- This is what occurred to me at the time:
- Enhanced risk of electric power failures.
- Greater risk of fire damage.
- Staff access required a two-stage elevator ride.
- Potential damage to windows in a category five hurricane.
- Risks from basement areas below sea level with a public garage, and an exposure to burst water mains and GKW.

Slide 7: A Fable for Our Times
- Ah. I would be busting my buttons today if I had been prescient enough to have included an Al Qaeda attack with hijacked planes, but I wasn’t.
- What is the moral of this Fable?

Slide 8: Thinking About Terrorism
- Another story: About ten years ago a Coast Guard officer asked me if it was possible to estimate the risk of a terrorist attack on an offshore drill rig, given that there was no past history to go on.
- I said that in fact there was useful past history…

Slide 9: Thinking About Terrorism
- Here are the considerations I suggested:
- At that time, we were experiencing about 500 terrorist attacks worldwide each year. This suggests that the rate of occurrence would be a small fraction of 500/year, if not zero.
- An attack would be difficult technically to mount unless you were ready to steal a helicopter.
- No “women and children” at risk, so no drama.
- No government or military involvement.
- Zero collateral damage.

Slide 10: Thinking About Terrorism
- The Conclusion: The risk was very low, but not zero.
- So what should be done to protect offshore drill rigs against terrorist attacks?
- How is a drill rig different from an IT facility?
- How shall we decide what to do?

Slide 11: Thinking About Risks - 1
- Threat events are not all the same.
- They can be classified into five categories depending on…
- Frequency (number per year), and
- Consequence (dollar loss per event).
- Here is how…

Slide 12: Thinking About Risks - 2
- Here is the Universe of Risks with an example risk plotted on a log-log graph.

Slide 13: Thinking About Risks - 3
- Annualized Loss Expectancy (ALE), the $/year of expected loss, is one way of comparing threats. Threats on an ALE contour have the same ALE.

Slide 14: Thinking About Risks - 4
- A plot of some typical threats. In the real world some kinds of threats just don’t happen, and some threats are trivial. How shall we classify the remaining threats?

Slide 15: Thinking About Risks - 5
- This plot is the same as the prior plot. It was generated by CORA automatically.

Slide 16: Thinking About Risks - 6
- The Ignore Zone. The Minimum Significant Occurrence Rate (MSOR) is a senior management call with some help from you.
- MSOR = 1/100,000 years?

Slide 17: Thinking About Risks - 7
- The Must Mitigate Zone. Maximum Tolerable Consequence is also a senior management call, with help from the CFO, marketing, etc.

Slide 18: Thinking About Risks - 8
- The ROI Mitigate Zone. Threats in the remaining zone are addressed on a cost-benefit basis using ROI.

Slide 19: Observations - 1
- Notice this important fact. A threat’s occurrence rate does not determine whether it will appear in the Must Mitigate zone; only its consequence matters.
- Consequence is the product of two factors:
- The worst case loss associated with each function (application or system), asset and liability.
- The vulnerability of the functions and assets to the threat (on a scale from 0 to 1).

Slide 20: Observations - 2
- We can estimate worst case loss and vulnerability with some confidence based on scenario thinking and the assumption of a generic disastrous threat, i.e. 100% vulnerability.
- Serious terrorist threats probably are in the Must Mitigate zone. In cases where you can make a reasonable estimate of occurrence rate, you may find some terrorist threats in the ROI Zone.
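As an added worked example (not the briefing's own CORA code), the classification scheme of slides 11 through 20 in Python: ALE from rate and consequence, consequence as worst-case loss times vulnerability, the three zones, and a simple ROI check for ROI-zone threats. The Maximum Tolerable Consequence, the ROI formula and all sample threats are constructed assumptions; only the MSOR value comes from slide 16.

```python
# Added example of the slide 11-20 risk-zone scheme; not the briefing's CORA code.
from dataclasses import dataclass

MSOR = 1 / 100_000               # Minimum Significant Occurrence Rate, events/year (slide 16)
MAX_TOLERABLE_CONSEQUENCE = 5e6  # $/event; constructed stand-in for the management/CFO call

@dataclass
class Threat:
    name: str
    rate: float             # expected occurrences per year
    worst_case_loss: float  # $ lost if the function/asset is completely destroyed
    vulnerability: float    # fraction of the worst case actually exposed, 0..1

    def consequence(self) -> float:
        # Slide 19: consequence = worst case loss x vulnerability
        return self.worst_case_loss * self.vulnerability

    def ale(self) -> float:
        # Slide 13: Annualized Loss Expectancy, $/year = rate x consequence
        return self.rate * self.consequence()

def classify(t: Threat) -> str:
    """Slides 16-19: the Must Mitigate test looks at consequence only, so a
    rare catastrophe is never demoted to the Ignore zone by its low rate."""
    if t.consequence() > MAX_TOLERABLE_CONSEQUENCE:
        return "Must Mitigate"
    if t.rate < MSOR:
        return "Ignore"
    return "ROI Mitigate"

def generic_disaster_consequence(t: Threat) -> float:
    # Slide 20: assume a generic disastrous threat, i.e. 100% vulnerability
    return Threat(t.name, t.rate, t.worst_case_loss, 1.0).consequence()

def mitigation_roi(t: Threat, new_rate: float, new_vuln: float, annual_cost: float) -> float:
    """Cost-benefit check for an ROI-zone threat (slide 18). Assumed formula:
    (ALE before - ALE after) / annual control cost; above 1 the control pays."""
    after = Threat(t.name, new_rate, t.worst_case_loss, new_vuln)
    return (t.ale() - after.ale()) / annual_cost

# Constructed sample threats for a single IT facility (not figures from the briefing)
SAMPLE_THREATS = [
    Threat("power failure", 2.0, 2_000_000, 0.05),        # frequent, modest loss
    Threat("building destroyed", 1e-6, 20_000_000, 1.0),  # below MSOR, yet catastrophic
    Threat("meteor strike", 1e-7, 3_000_000, 1.0),        # below MSOR and tolerable
]

def zone_report(threats=SAMPLE_THREATS) -> dict:
    """Map each threat name to (zone, ALE in $/year rounded)."""
    return {t.name: (classify(t), round(t.ale())) for t in threats}
```

Note that "building destroyed" has an ALE of only about $20/year yet lands in Must Mitigate, which is exactly slide 19's point: the zone boundary is drawn on consequence, not on rate or ALE.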

Slide 21: Managing Terrorist Risks - 1
- Two ways to manage a Must Mitigate terrorist attack risk:
- Reduce the consequence to a tolerable level. How?
  - Reduce the vulnerabilities by hardening the facility. Probably not feasible. (Doesn’t work at airports!)
  - Reduce the Worst Case Losses. ???
- Get the occurrence rate below the Minimum Significant level into the Ignore Zone. How?
  - Hide the facility. Possibly, but how can you be sure?
  - Reduce its “attractiveness”. Uncertain effectiveness.

Slide 22: Managing Terrorist Risks - 2
- Reducing the worst case loss is probably the best strategy because…
- Accomplishment is within our control. It does not depend on external perceptions or decisions.
- It is not threat-centric, so it has the greatest likely payoff.
- How do we reduce worst case loss?

Slide 23: Managing Terrorist Risks - 3
- We make sure that we have an effective contingency plan in place so that service interruption losses, regardless of the cause (threat), will be tolerable.
- We know how to do contingency planning, so we know how to deal with the Terrorist Threat!
- Our focus switches from terrorism to the determination of the optimum Recovery Time Objective (RTO) for each line of business, based on our analysis of our ROI Zone threats.
- We don’t waste money on a futile attempt to ward off all possible terrorist threats.

Slide 24: Summary
- Don’t over-react to terrorism.
- Do make sure your contingency plan is optimized to address the ROI Zone threats you are likely to experience in the years ahead. Then you can be sure that your plan will protect against terrorism as well.
- Don’t leave yourself wide open to physical intrusions, but don’t try to ward off all terrorist attacks.
- Don’t accept unnecessary risk exposures.

Slide 25: Thank you...
Thank you for your attention to this briefing by Robert V. Jacobson:
- International Security Technology, Inc., 99 Park Avenue - 11th Floor, New York, NY
- +1 (212) or (888) IST-CORA
- FAX +1 (212)
- ist-usa.com
- Web site: