International Security Technology, Inc. New York City TerrorismRisk.Doc Terrorism How To Manage This New Risk. Robert V. Jacobson CISSP CPP

International Security Technology, Inc.New York City

TerrorismRisk.Doc

TerrorismTerrorismHow To Manage

This New Risk.

Robert V. Jacobson CISSP CPP

6 February 2002 Copyright © 2002 International Security Technology, Inc. 2

The AgendaThe Agenda

A true story from the past.

Thinking about Risks.

Risk Management of Terrorism.

Questions and Answers.


A Fable for Our TimesA Fable for Our Times About twenty-five years ago, a pal, security

manager for a financial organization, called me and asked: “Bob, is it OK if my organization moves its offices to a

high floor at the World Trade Center?”

I asked: “Have you already made the decision?”

“Well, yes, we have. We’re going to move.” What did I say next?


A Fable for Our TimesA Fable for Our Times

I wanted to rub it in a bit. “Then why are you asking me after the fact?”

“I just wanted to know what you think.”

I would like to be able to tell you that I had a powerful crystal ball that I could consult, but I didn’t! Here is what I said…



“Whatever risks you had in your old location (in a low rise office building in the Wall Street area), you still have, but now you have whatever additional risks you get from being 100 floors above the street.”

“Like what?” he asked.

What did I say?



This is what occurred to me at the time: Enhanced risk of electric power failures. Greater risk of fire damage. Staff access required a two-stage elevator ride. Potential damage to windows in a category five

hurricane. Risks from a basement areas below sea level with

a public garage, and an exposure to burst water mains and GKW.



Ah. I would be busting my buttons today if I had been prescient enough to have included an Al Qaeda attack with hijacked planes, but I wasn’t.

What is the moral of this Fable?


Thinking About TerrorismThinking About Terrorism

Another story: About ten years ago a Coast Guard officer asked me if it was possible to estimate the risk of a terrorist attack on an off-shore drill rig, given that there was no past history to go on.

I said that in fact there was useful past history…


Thinking About TerrorismThinking About Terrorism Here are the considerations I suggested:

At that time, we were experiencing about 500 terrorist attacks worldwide each year. This suggests that the rate of occurrence would be a small fraction of 500/year if not zero.

An attack would be difficult technically to mount unless you were ready to steal a helicopter.

No ‘women and children” at risk so no drama. No government or military involvement. Zero collateral damage.


Thinking About TerrorismThinking About Terrorism The Conclusion:

The risk was very low, but not zero.

So what should be done to protect off-shore drill rigs against terrorist attacks?

How is a drill rig different from an IT facility?

How shall we decide what to do?


Thinking About Risk - 1Thinking About Risk - 1

Threat events are not all the same. They can be classified into five categories

depending on…

Frequency (number per year), and

Consequence (dollar loss per event).

Here is how…


Thinking About Risks - 2Thinking About Risks - 2 Here is the

Universe of Risks with an example risk plotted on a log-log graph.


Thinking About Risks - 3Thinking About Risks - 3 Annualized

Loss Expect- ancy (ALE), $/year of expected loss, is one way of comparing threats. Threats on a ALE contour have the same ALE


Thinking About Risks - 4Thinking About Risks - 4 A plot of some

typical threats. In the real world some kinds of threats just don’t happen, and some threats are trivial. How shall we classify the remaining threats?


Thinking About Risks - 5Thinking About Risks - 5

This plot is the same as the prior plot. It was generated by CORA automatic-ally.


Thinking About Risks - 6Thinking About Risks - 6 The Ignore

Zone. The Minimum Significant Occ. Rate is a senior management call with some help from you.

MSOR = 1/100,000 years?


Thinking About Risks - 7Thinking About Risks - 7 The Must

Mitigate Zone. Maximum Tolerable Consequence is also a senior management call with help from the CFO, marketing, etc.


Thinking About Risks - 8Thinking About Risks - 8 The ROI

Mitigate Zone. Threats in the remaining zone are addressed on a cost-benefit basis using ROI.


Observations - 1Observations - 1 Notice this important fact. A threat’s

occurrence rate does not determine if it will appear in the Must Mitigate zone, only its consequence matters.

Consequence is the product of two factors:

The worst case loss associated with each function (application or system), asset and liability.

The vulnerability of the functions and assets to the threat ( on a scale from 0 to 1).


Observations - 2Observations - 2

We can estimate worst case loss and vulnerability with some confidence based on scenario thinking and the assumption of a generic disastrous threat, i.e. 100% vulnerability.

Serious terrorist threats probably are in the Must Mitigate zone. In cases where you can make a reasonable estimate of occurrence rate, you may find some terrorist threats in the ROI Zone.


Managing Terrorist Risks - 1Managing Terrorist Risks - 1

Two ways to manage a Must Mitigate terrorist attack risk:

Reduce the consequence to a tolerable level. How?Reduce the vulnerabilities by hardening the facility. Probably not feasible. (Doesn’t work at airports!)Reduce the Worst Case Losses. ???

Get the occurrence rate below the Minimum Significant level into the Ignore Zone. How?

Hide the facility. Possibly, but how can you be sure?Reduce its “attractiveness”. Uncertain effectiveness.



Reducing the worst case loss is probably the best strategy because…

Accomplishment is within our control. Does not depend on external perceptions or decisions.

Not threat-centric, so greatest likely payoff.

How do we reduce worst case loss?



We make sure that we have an effective contingency plan in place so that service interruption losses, regardless of the cause (threat), will be tolerable.

We know how to do contingency planning, so, we know how to deal with the Terrorist Threat!

Our focus switches from terrorism to the determination of the optimum Recovery Time Objective (RTO) for each line-of-business based on our analysis of our ROI Zone threats.We don’t waste money on a futile attempt to ward off all possible terrorist threats.


SummarySummary Don’t over react to terrorism.

Do make sure your contingency plan is optimized to address the ROI Zone threats you are likely to experience in the years ahead. Then you can be sure that your plan will protect against terrorism as well.

Don’t leave yourself wide open to physical intrusions, but don’t try to ward off all terrorist attacks.

Don’t accept unnecessary risk exposures.


ThankThank you... you... Thank you for your attention to this

briefing by Robert V. Jacobson: International Security Technology, Inc.,

99 Park Avenue - 11th Floor, New York, NY 10016-1501

+1 (212) 557-0900 or (888) IST-CORA FAX +1 (212) 808-5206

E-mail: [email protected] site: www.ist-usa.com

Documents

International Security Technology, Inc. New York City TerrorismRisk.Doc Terrorism How To Manage This New Risk. Robert V. Jacobson CISSP CPP