Presentation is loading. Please wait.

Presentation is loading. Please wait.

International Security Technology, Inc. New York City TerrorismRisk.Doc Terrorism How To Manage This New Risk. Robert V. Jacobson CISSP CPP.

Published byMarcus Rose Modified over 9 years ago

Similar presentations

Presentation on theme: "International Security Technology, Inc. New York City TerrorismRisk.Doc Terrorism How To Manage This New Risk. Robert V. Jacobson CISSP CPP."— Presentation transcript:

1 International Security Technology, Inc. New York City TerrorismRisk.Doc Terrorism How To Manage This New Risk. Robert V. Jacobson CISSP CPP

2 6 February 2002Copyright © 2002 International Security Technology, Inc.2 The Agenda  A true story from the past.  Thinking about Risks.  Risk Management of Terrorism.  Questions and Answers.

3 6 February 2002Copyright © 2002 International Security Technology, Inc.3 A Fable for Our Times  About twenty-five years ago, a pal, security manager for a financial organization, called me and asked:  “Bob, is it OK if my organization moves its offices to a high floor at the World Trade Center?”  I asked: “Have you already made the decision?”  “Well, yes, we have. We’re going to move.”  What did I say next?

4 6 February 2002Copyright © 2002 International Security Technology, Inc.4 A Fable for Our Times  I wanted to rub it in a bit. “Then why are you asking me after the fact?”  “I just wanted to know what you think.”  I would like to be able to tell you that I had a powerful crystal ball that I could consult, but I didn’t! Here is what I said…

5 6 February 2002Copyright © 2002 International Security Technology, Inc.5 A Fable for Our Times  “Whatever risks you had in your old location (in a low rise office building in the Wall Street area), you still have, but now you have whatever additional risks you get from being 100 floors above the street.”  “Like what?” he asked.  What did I say?

6 6 February 2002Copyright © 2002 International Security Technology, Inc.6 A Fable for Our Times  This is what occurred to me at the time:  Enhanced risk of electric power failures.  Greater risk of fire damage.  Staff access required a two-stage elevator ride.  Potential damage to windows in a category five hurricane.  Risks from a basement areas below sea level with a public garage, and an exposure to burst water mains and GKW.

7 6 February 2002Copyright © 2002 International Security Technology, Inc.7 A Fable for Our Times  Ah. I would be busting my buttons today if I had been prescient enough to have included an Al Qaeda attack with hijacked planes, but I wasn’t.  What is the moral of this Fable?

8 6 February 2002Copyright © 2002 International Security Technology, Inc.8 Thinking About Terrorism  Another story: About ten years ago a Coast Guard officer asked me if it was possible to estimate the risk of a terrorist attack on an off- shore drill rig, given that there was no past history to go on.  I said that in fact there was useful past history…

9 6 February 2002Copyright © 2002 International Security Technology, Inc.9 Thinking About Terrorism  Here are the considerations I suggested:  At that time, we were experiencing about 500 terrorist attacks worldwide each year. This suggests that the rate of occurrence would be a small fraction of 500/year if not zero.  An attack would be difficult technically to mount unless you were ready to steal a helicopter.  No ‘women and children” at risk so no drama.  No government or military involvement.  Zero collateral damage.

10 6 February 2002Copyright © 2002 International Security Technology, Inc.10 Thinking About Terrorism  The Conclusion:  The risk was very low, but not zero.  So what should be done to protect off- shore drill rigs against terrorist attacks?  How is a drill rig different from an IT facility?  How shall we decide what to do?

11 6 February 2002Copyright © 2002 International Security Technology, Inc.11 Thinking About Risk - 1  Threat events are not all the same.  They can be classified into five categories depending on…  Frequency (number per year), and  Consequence (dollar loss per event).  Here is how…

12 6 February 2002Copyright © 2002 International Security Technology, Inc.12 Thinking About Risks - 2  Here is the Universe of Risks with an example risk plotted on a log- log graph.

13 6 February 2002Copyright © 2002 International Security Technology, Inc.13 Thinking About Risks - 3  Annualized Loss Expect- ancy (ALE), $/year of expected loss, is one way of comparing threats. Threats on a ALE contour have the same ALE

14 6 February 2002Copyright © 2002 International Security Technology, Inc.14 Thinking About Risks - 4  A plot of some typical threats. In the real world some kinds of threats just don’t happen, and some threats are trivial. How shall we classify the remaining threats?

15 6 February 2002Copyright © 2002 International Security Technology, Inc.15 Thinking About Risks - 5  This plot is the same as the prior plot. It was generated by CORA automatic- ally.

16 6 February 2002Copyright © 2002 International Security Technology, Inc.16 Thinking About Risks - 6  The Ignore Zone. The Minimum Significant Occ. Rate is a senior management call with some help from you.  MSOR = 1/100,000 years?

17 6 February 2002Copyright © 2002 International Security Technology, Inc.17 Thinking About Risks - 7  The Must Mitigate Zone. Maximum Tolerable Consequence is also a senior management call with help from the CFO, marketing, etc.

18 6 February 2002Copyright © 2002 International Security Technology, Inc.18 Thinking About Risks - 8  The ROI Mitigate Zone. Threats in the remaining zone are addressed on a cost-benefit basis using ROI.

19 6 February 2002Copyright © 2002 International Security Technology, Inc.19 Observations - 1  Notice this important fact. A threat’s occurrence rate does not determine if it will appear in the Must Mitigate zone, only its consequence matters.  Consequence is the product of two factors:  The worst case loss associated with each function (application or system), asset and liability.  The vulnerability of the functions and assets to the threat ( on a scale from 0 to 1).

20 6 February 2002Copyright © 2002 International Security Technology, Inc.20 Observations - 2  We can estimate worst case loss and vulnerability with some confidence based on scenario thinking and the assumption of a generic disastrous threat, i.e. 100% vulnerability.  Serious terrorist threats probably are in the Must Mitigate zone. In cases where you can make a reasonable estimate of occurrence rate, you may find some terrorist threats in the ROI Zone.

21 6 February 2002Copyright © 2002 International Security Technology, Inc.21 Managing Terrorist Risks - 1  Two ways to manage a Must Mitigate terrorist attack risk:  Reduce the consequence to a tolerable level. How?  Reduce the vulnerabilities by hardening the facility. Probably not feasible. (Doesn’t work at airports!)  Reduce the Worst Case Losses. ???  Get the occurrence rate below the Minimum Significant level into the Ignore Zone. How?  Hide the facility. Possibly, but how can you be sure?  Reduce its “attractiveness”. Uncertain effectiveness.

22 6 February 2002Copyright © 2002 International Security Technology, Inc.22 Managing Terrorist Risks - 2  Reducing the worst case loss is probably the best strategy because…  Accomplishment is within our control. Does not depend on external perceptions or decisions.  Not threat-centric, so greatest likely payoff.  How do we reduce worst case loss?

23 6 February 2002Copyright © 2002 International Security Technology, Inc.23 Managing Terrorist Risks - 3  We make sure that we have an effective contingency plan in place so that service interruption losses, regardless of the cause (threat), will be tolerable.  We know how to do contingency planning, so, we know how to deal with the Terrorist Threat!  Our focus switches from terrorism to the determination of the optimum Recovery Time Objective (RTO) for each line-of-business based on our analysis of our ROI Zone threats.  We don’t waste money on a futile attempt to ward off all possible terrorist threats.

24 6 February 2002Copyright © 2002 International Security Technology, Inc.24 Summary  Don’t over react to terrorism.  Do make sure your contingency plan is optimized to address the ROI Zone threats you are likely to experience in the years ahead. Then you can be sure that your plan will protect against terrorism as well.  Don’t leave yourself wide open to physical intrusions, but don’t try to ward off all terrorist attacks.  Don’t accept unnecessary risk exposures.

25 6 February 2002Copyright © 2002 International Security Technology, Inc.25 Thank you... Thank you for your attention to this briefing by Robert V. Jacobson:  International Security Technology, Inc., 99 Park Avenue - 11th Floor, New York, NY 10016-1501  +1 (212) 557-0900 or  (888) IST-CORA  FAX +1 (212) 808-5206 E-mail: jacobson @ ist-usa.com Web site: www.ist-usa.com

Download ppt "International Security Technology, Inc. New York City TerrorismRisk.Doc Terrorism How To Manage This New Risk. Robert V. Jacobson CISSP CPP."

Similar presentations

Museum Presentation Intermuseum Conservation Association.

Museum Presentation Intermuseum Conservation Association.
Risk Analysis Fundamentals and Application Robert L. Griffin International Plant Protection Convention Food and Agriculture Organization of the UN.

Risk Analysis Fundamentals and Application Robert L. Griffin International Plant Protection Convention Food and Agriculture Organization of the UN.
Risk Management Introduction Risk Management Fundamentals

Risk Management Introduction Risk Management Fundamentals
Utility Theory.

Utility Theory.
OSG Computer Security Plans Irwin Gaines and Don Petravick 17-May-2006.

OSG Computer Security Plans Irwin Gaines and Don Petravick 17-May-2006.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
Chapter 9 Project Analysis Chapter Outline

Chapter 9 Project Analysis Chapter Outline
Note: See the text itself for full citations. Information Technology Project Management, Seventh Edition.

Note: See the text itself for full citations. Information Technology Project Management, Seventh Edition.
Risk Analysis & Management. Phases Initial Risk Assessment Risk Analysis Risk Management and Mitigation.

Risk Analysis & Management. Phases Initial Risk Assessment Risk Analysis Risk Management and Mitigation.
Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 © 2002 Carnegie.

Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA © 2002 Carnegie.
Service Design – Section 4.5 Service Continuity Management.

Service Design – Section 4.5 Service Continuity Management.
Lecture 8: Risk Management Controlling Risk

Lecture 8: Risk Management Controlling Risk
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
TERRORISM / POLITICAL VIOLENCE SOLUTIONS FAIR International Insurance Conference on Political Violence 12-13 April 2010 – Karachi Daniel O’Connell

TERRORISM / POLITICAL VIOLENCE SOLUTIONS FAIR International Insurance Conference on "Political Violence" April 2010 – Karachi Daniel O’Connell
1 Continuity Planning An Overview…. 2 Continuity Planning Bill Scott CBCP Contingency Planning Coordinator Great Lakes Educational Loan Services, Inc.

1 Continuity Planning An Overview…. 2 Continuity Planning Bill Scott CBCP Contingency Planning Coordinator Great Lakes Educational Loan Services, Inc.
Mastering Questioning Techniques Peter Rosenwald Director Chartered Developments

Mastering Questioning Techniques Peter Rosenwald Director Chartered Developments
The Marriage Problem Finding an Optimal Stopping Procedure.

The Marriage Problem Finding an Optimal Stopping Procedure.
Copyright Security-Assessment.com 2006 S4 Conference Series BCP and DR. Timely Reminder Presented By Peter Benson.

Copyright Security-Assessment.com 2006 S4 Conference Series BCP and DR. Timely Reminder Presented By Peter Benson.
Introduction Our Topic: Mobile Security Why is mobile security important?

Introduction Our Topic: Mobile Security Why is mobile security important?
Business Continuity for Facilities Managers Peter Carr FastTrack Solutions Ltd 021 638190.

Business Continuity for Facilities Managers Peter Carr FastTrack Solutions Ltd

Similar presentations

Ads by Google