Introduction to Assets Protection
SOLVING THE PROBLEM
Countermeasures
Each leverage point indicates a possibility for a countermeasure, although it does not immediately suggest which countermeasure to use. As shown in Figure 4, the trade secret can be lost either through observation of the process or securing its documentation. Because either of these would cause the loss event, both must be neutralized. To observe the process, however, one must gain access to the production department while production is in process. Furthermore, to gain access, one must both enter the area and remain unchallenged.
To neutralize the risk of unauthorized observation, the first point of leverage is at the “and” set. Either entry is effectively denied or challenge is assured. This suggests several countermeasures, including (1) area access control at point of entry, (2) area surveillance on a continuing basis, and (3) area access control only during periods of production. The network or threat model is not extended to a logical conclusion in Figure 4, so it does not indicate a similar leverage point in regard to record security. Even if it were extended, it might not show any. To protect records, it might be necessary to apply specific countermeasures at each location where a record was available.
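The leverage-point reasoning above can be worked through mechanically. The following Python sketch is an added example, not part of the Manual: it encodes the portion of the Figure 4 network that the text describes (leaf names are assumptions of this example, and record security is left as a single unexpanded leaf, as in the text) and lists the minimal sets of events that must be neutralized to prevent the loss event.

```python
from itertools import product

# Threat network as described in the text for Figure 4.
# Leaf names are assumptions made for this example.
TREE = ("OR",
        ("AND",                                           # observe the process
         ("AND", "enter_area", "remain_unchallenged"),    # gain access
         "production_in_process"),
        "secure_documentation")                           # not expanded in Figure 4

def loss_possible(node, neutralized):
    """True if the event at `node` can still occur given neutralized leaves."""
    if isinstance(node, str):
        return node not in neutralized
    gate, *children = node
    results = [loss_possible(c, neutralized) for c in children]
    return all(results) if gate == "AND" else any(results)

def minimal(sets):
    """Drop any set that is a strict superset of another; sort for stable output."""
    uniq = set(sets)
    return sorted((s for s in uniq if not any(o < s for o in uniq)), key=sorted)

def blocking_sets(node):
    """Minimal sets of leaf events whose neutralization prevents `node`."""
    if isinstance(node, str):
        return [frozenset([node])]
    gate, *children = node
    child_sets = [blocking_sets(c) for c in children]
    if gate == "AND":
        # An "and" set is a leverage point: blocking any one input blocks it.
        candidates = [s for sets in child_sets for s in sets]
    elif gate == "OR":
        # For an "or" set every input must be blocked: one choice per child.
        candidates = [frozenset().union(*combo) for combo in product(*child_sets)]
    else:
        raise ValueError(f"unknown gate: {gate}")
    return minimal(candidates)

if __name__ == "__main__":
    for s in blocking_sets(TREE):
        print(sorted(s))
    # Denying entry alone leaves the documentation path open.
    print(loss_possible(TREE, {"enter_area"}))
```

Every minimal set contains the documentation leaf, which is the text's point that both branches of the "or" must be neutralized, while the "and" branch offers a choice of where to apply the countermeasure.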
Countermeasures Criteria. To complete the countermeasures options development, we must look at each leverage point in the overall threat model network. We should list or catalogue each countermeasure that might be appropriate at that point. In our example, we show three. For each countermeasure, four factors should be determined and listed:
1. Validity. This determines whether the countermeasure does what it is supposed to do. For example, does a water flow alarm register the flow of water in a sprinkler riser? If actual detection of fire were the requirement, then a products-of-combustion or ultraviolet flame detector would be more appropriate.
2. Degree of reliability. Reliability is defined as the consistency with which the countermeasure achieves its functional objective over a large number of similar cases. For example, in 1000 cases in which ambient temperature actually reaches 165°F, how many times will a fixed temperature thermostat for that rated capacity operate? If it operates 1000 times, it is 100 percent reliable. Any lower percentage reduces its reliability proportionately.
3. Approximate cost to put it into effect.
4. Delay or elapsed time required to put it into effect. If this is significantly longer than for other available countermeasures, that fact should be underscored.
Cost is listed above as the third item to consider in selection. It is evident that among countermeasures of equal or approximately equal validity and reliability, the least expensive measure should be chosen. This principle, applied throughout the selection process, will produce an appropriate system at optimal cost. In regard to cost, it should be noted that there is some point at which the cost of loss and the cost of countermeasures are proportionate. Before that point, the amount spent would not buy adequate protection. After that point, increased expense would not buy added protection of equal value. Figure 5 illustrates this relationship.
With the rapidly advancing technology now characterizing the protection of assets field, the task of knowing the appropriate countermeasures will grow increasingly complex. Later chapters of this Manual assist in the choice and evaluation of countermeasures by describing the strengths, weaknesses, availability and applications of many of them. But each professional in the field should have other sources and inputs to assure that he or she remains current. The principal sources are professional, commercial and standards literature, each of which is growing. The bibliography at the end of this chapter identifies a number of such sources.
Systems Evaluation Technique
A system is defined as a regular and orderly arrangement of parts and components in an interrelated and integrated whole. The system is different from a simple group or aggregation in that it is integrated by design. Every part is present and functions in terms of its relationship to every other part. A system requires planning so that there are no unintended surplus parts or unanticipated absences of necessary parts. In applying the systems technique to security countermeasures planning, it is first necessary to select individual countermeasures that will support or be supported by each other. Each resource in the properly designed system plays a unique and indispensable role. This type of design tends to reduce the total number of countermeasures and to optimize performance of those that are used.
Next, the system is assembled and tested. This can be done either theoretically, such as through computer analyses or other parameter-varying model techniques, or physically, such as through the operation of mechanical, electric and electronic components. A system also involves the application of procedures and human actions and reactions, which can be tested by the command post exercise or simulated emergency.
Figure 5. Optimum security resourcing.
Component Selection. We noted earlier that reliability of each countermeasure should be evaluated. When each risk in the threat network is considered for neutralization, an important point is the degree of reliability required of the countermeasure. In access control at facility entries, for example, an error rate of one improper admittance in every 100 might be sufficient. An error rate of one in 20 might also be acceptable. In the former case, we would assume that very few other countermeasures are in effect, and hence the door check has to be very effective. In the latter case, there may be sufficient other precautions that the door check can be relaxed. In the first case, 99 percent reliability would be required, a very high requirement for that kind of countermeasure. In the second case, 95 percent would be required. The 4 percent reduction could avoid large dollar expenditures. If 95 percent is acceptable, there is no need to spend to achieve 99 percent.
In another case, zero error may be demanded, as with a fire detection subsystem in a major computer installation. In that case, even with a very high reliability rate in a single sensing device, we might require two or three devices to provide redundancy. The likelihood that several highly reliable devices will fail simultaneously is calculated as the product of the separate probabilities of each device involved. Thus, if we used two thermostats, each with a probability of failure of 0.01 (99 percent reliable), the probability that both would fail simultaneously would be 0.01 × 0.01 (i.e., 0.0001), or 9999 to 1. Adding one more device would raise the odds to 999,999 to 1.
For achieving very high levels of reliability in security systems, it will generally be much less expensive to design complex redundant countermeasures than to seek a single countermeasure of the required level. In the fire scenario, we might use a fixed temperature thermostat and a rate-of-rise thermostat and a products of combustion detector. Each would operate in a different domain (detect a different aspect of fire) as well as multiply the detection devices. Also, standard models of multiple different detectors cost less than super-reliable models of a single detector.
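The redundancy arithmetic and the least-cost selection rule can be combined in one calculation. The following Python sketch is an added example, not part of the Manual: the device catalogue, its failure probabilities and its costs are constructed for illustration, and the devices are assumed to fail independently, which is what the product rule in the text requires.

```python
from fractions import Fraction
from itertools import combinations
from math import prod

# Constructed catalogue: (name, probability of failure, unit cost).
# All values are illustrative assumptions, not data from the Manual.
CATALOGUE = [
    ("fixed_temperature_thermostat", Fraction(1, 100), 40),
    ("rate_of_rise_thermostat", Fraction(1, 100), 60),
    ("products_of_combustion_detector", Fraction(1, 100), 150),
    ("super_reliable_single_detector", Fraction(1, 1_000_000), 5000),
]

def joint_failure(devices):
    """Probability that every device fails at once (independence assumed)."""
    return prod((d[1] for d in devices), start=Fraction(1))

def odds_against_failure(p_fail):
    """Express a failure probability as 'N to 1' odds against failure."""
    return (1 - p_fail) / p_fail

def cheapest_set(catalogue, max_failure):
    """Least expensive device combination whose joint failure probability
    does not exceed max_failure. Returns (cost, names, joint failure) or None."""
    best = None
    for r in range(1, len(catalogue) + 1):
        for combo in combinations(catalogue, r):
            p = joint_failure(combo)
            if p > max_failure:
                continue  # does not meet the required reliability
            cost = sum(d[2] for d in combo)
            if best is None or cost < best[0]:
                best = (cost, [d[0] for d in combo], p)
    return best

if __name__ == "__main__":
    two = joint_failure(CATALOGUE[:2])
    print(two, odds_against_failure(two))           # two thermostats
    print(cheapest_set(CATALOGUE, Fraction(1, 1_000_000)))
```

With these constructed prices, three standard detectors meet the one-in-a-million requirement at a fraction of the cost of the single super-reliable unit; devices that share a failure cause (for example, a common power supply) would violate the independence assumption and give a worse result than the product suggests.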
Keeping the System Current
There are three main reasons for security losses:
1. Failure to recognize vulnerabilities
2. Failure to use the proper countermeasures
3. Failure to consider change
The change can be in the vulnerability or in the relevance of the countermeasure. Vulnerability changes can involve change in either probability of occurrence or criticality of impact, or both.
The assets protection professional must use the tools of vulnerability assessment in such a way as to maintain a current posture. This means remaining very close to ongoing processes and activities within the enterprise and modifying the threat models or the priority lists, as required. These practices lead to the best possible posture of defense and they are essential to good risk management.
Risk Management
The trend is toward closer integration of the three functions of risk management: loss prevention, loss control and loss indemnification. This trend, in itself, is a testimonial to system techniques. The practical implication for assets protection professionals is that greater familiarity with and understanding of the other functions are needed. Many enterprises combine the functions under a single executive called the risk manager. In later chapters of this handbook, loss prevention and loss insurance are discussed. But these discussions are primarily intended to clarify the main issue: loss control. Wide and continued reading in the areas of prevention and insurance is strongly recommended.