September 6th, 2008


Physical Security for IT by Michael Erbschloe (Book Review)

Saturday, September 6th, 2008

Mr. Michael Erbschloe’s book Physical Security for IT is a new text designed to assist IT security professionals in designing security plans to protect IT assets against physical attacks and disruptive events.  This book, in my view, is an attempt to remind IT security that physical attacks can be as dangerous, if not more dangerous, than the cyber attacks initiated by virus writers, hackers, etc.  In the preface of this book, the author asserts that:

Even though the skill level required to hack systems and write viruses is becoming widespread, the skill required to wield an ax, hammer, or fire hose and do thousands of dollars in damage is even more widespread.

In the first part of this book, the author describes the security context considered throughout the book.  The Protector is assumed to be an IT security manager, whether an employee of a government agency or of a small, medium, or large business, who is interested in preserving the confidentiality, integrity, and availability of the organization’s information systems.  The Threats in this book include disgruntled and angry employees, activists and corporate foes, vandals, saboteurs, thieves and spies, domestic terrorists, international terrorists, natural disasters, and random incidents not covered by any of the preceding threat types.  The Assets (or objects of contention) of concern, as the title of the book suggests, are all physical aspects of an organization’s IT system, including the computers themselves, network hardware, cables, power, etc.

The remainder of the book takes the reader through the process of establishing an IT physical security function within an organization, developing an IT physical security plan, developing and documenting methods and procedures, and auditing and testing those procedures.  The later chapters of the book describe the role of incident response teams, propose a training program for organizational employees, and examine (albeit in a rather brief and uninteresting way) the role of national planning documents (e.g., national strategies, legislation) in shaping the future of physical security.

From my perspective, I am upset by just how little treatment is afforded in most textbooks to the physical protection of IT assets.  After all, while it may appear sexy to attempt the compromise of a specific system via a cyber attack, it is far easier to just destroy the system with a hammer, especially if the perpetrator is an insider or an individual willing to break in to a facility and carry out the deed.  I have personally participated in the vulnerability assessment of a few “critical” facilities, and found that despite having wonderful tools for detecting cyber intrusion, virus checkers, firewalls, etc., the IT infrastructure is still vulnerable if the only means of physical protection is a simple door lock affixed to a worn half-light glass door with aged hinges.  Add to that a weak CCTV system and lax security policies (e.g., not locking the door) and you find yourself with a system as well protected against malicious attacks as a naked man in a field during a thunderstorm is protected against lightning.  A discussion of the role of physical security for IT should be part of any course on security risk management centered on information systems, even if relegated to a single lecture.  That said, Physical Security for IT at the very least offers IT professionals some added insight to protect their assets against all hazards, physical and cyber alike.

All in all, Physical Security for IT reads like a Physical Security for IT Dummies book, which actually is a good thing given that its purpose is strictly to equip IT security professionals with a template for designing a physical security plan from start to finish, maintenance and testing included.  The book is very well organized, very easy to read, and is very low stress.  For instance, a dedicated security professional would not have a problem digesting the book in about 1-2 hours.  If I were teaching a class in IT security, I would at least list this book as optional, though in practice I would probably have students buy this book along with some other established text focusing on the cyber end of the security problem.  But keep in mind that the focus of this book is on making progress toward security, not on providing tools to inform resource allocation decisions based on risk.  So from that point of view, the book is very prescriptive about what should be done to protect an IT system, but does not provide much insight into whether the investment in security can be justified in terms of benefits relative to costs.


“The Six Questions of Risk”: SRA 311 Lecture 4

Saturday, September 6th, 2008

The fourth lecture of my SRA 311 (Risk Management: Assessment and Mitigation) class was by far my favorite this semester.  The lecture topic was “The Six Questions of Risk,” and centered on (1) the three risk assessment questions posed by Dr. Stan Kaplan and Dr. B. John Garrick in their 1981 research paper “On the Quantitative Definition of Risk” (Risk Analysis, Vol. 1, No. 1, pp. 11-27, doi: 10.1111/j.1539-6924.1981.tb01350.x), and (2) the three risk management questions offered by Professor Yacov Haimes (UVA) in his 1991 editorial “Total Risk Management” (Risk Analysis, Vol. 11, No. 2, pp. 169-171, doi: 10.1111/j.1539-6924.1991.tb00589.x).  These “six questions” are as follows (in slightly revised form relative to what I presented in class):

  1. What can happen?
  2. How likely is it to happen?
  3. What are the consequences if it does?
  4. What can be done?
  5. What options are available and what are their benefits, costs, and risks?
  6. What are the impacts of current management decisions on future options?

The first three questions define the scope of risk assessment and the second three questions bound the scope of risk management.  In general, risk analysis should focus only on answering these questions, which as a whole is often a very difficult and costly task in terms of time and analytic resources.  There is a seventh question (or perhaps a few more than that) that is risk-relevant but not included in the list of questions above.  That question is “are the risks acceptable?,” a legitimate inquiry that would come up somewhere between questions 3 and 5 above.  In order for a risk analyst to answer this question, he or she must impose subjective value judgments and preferences on behalf of their client.  As discussed in one of the articles from my previous lecture 3 (the one by Paté-Cornell), risk analysts are not paid to pass judgment on the risks and options for risk reduction; rather, risk analysts are paid to be as objective about the nature of a particular problem and all its uncertainties as possible without expressing preference.  Nor do risk analysts seek to prescribe decisions (just as intelligence analysis should not prescribe decisions).  Decision analysts, on the other hand, take risk analysis the next step by characterizing decision maker preferences in an attempt to identify the optimal option for a given problem.  Perhaps an individual wearing the hats of both risk and decision analyst might add this seventh question to the mix; but since the focus of my course is squarely on risk analysis, it does not factor into the scope of our analyses.

To begin answering the six questions of risk, one has to establish a security context (lecture 2) and clearly define the scope of the analysis (lecture 3).  Prior to introducing the six questions of risk I thoroughly reviewed the techniques for these items discussed in the previous two lectures and spent 30 minutes conducting group exercises where students had to articulate the scope of a pandemic-flu risk assessment from multiple stakeholder perspectives (e.g., CDC, pizza shop, parent, Penn State president, bus driver).  (This was a good exercise, but I found that I could have perhaps been a bit more organized in its administration.)

If one examines the first three questions, one could express the concept of risk (R) as the set of ordered triplets of the form:

R = <s,p,c>

where R is risk, s is the scenario (i.e., one answer to the first question), p is the probability of the scenario (i.e., the answer to the second question), and c is the consequence given that the scenario occurs (i.e., the answer to the third question).  According to this “classical risk triplet,” the scenario articulates a sequence of events from cause to some end state, the probability expresses the quantitative likeliness of this scenario occurring all things considered, and the consequence expresses the valuation of direct and indirect consequences associated with this end state (which may also be uncertain).  For example, a scenario might be “explosive attack against Building 1 that causes major structural damage.”  The probability, then, expresses the likeliness of this scenario considering the likeliness of the initiating event, the quality of the explosive material and packaging, the position of detonation, and the fragility of the target.  The consequence places value on the result of the damage, including lost property, the number of individuals injured or killed, business disruption, and so on.

NOTE: regardless of whether numbers are used, the concept of the risk triplet still holds.  The key difference is that the probability will be couched in terms of the more generic notion of likeliness using phrases such as “Words of Estimative Probability” (WEPs) arrived at through reason and judgment, and consequence will be expressed in terms of outcome narratives (see also the two linked references for more information on WEPs).  Of course, these descriptions can later be converted to numbers as needed, but in the end the numbers are less useful than the knowledge used to generate them.

A more modern take on the “classical” risk triplet above (taken from my dissertation) is what I call the “modified” risk triplet (using slightly revised notation from my lecture):

R = <e,p,o>

which follows from the revised set of questions:

  1. What initiating events are plausible? (e)
  2. What outcomes are of concern? (o)
  3. How likely are the different combinations of event and outcome? (p)

Regardless of whether one uses the “classical” or the “modified” triplet, defining risk as the set of all such ordered triples suggests that risk is “simply” the likeliness of alternative outcomes in light of a full complement of initiating events.  If numbers are used, likeliness then takes the form of a probability distribution over the space of mutually exclusive, collectively exhaustive outcomes.  This is consistent with the working definition of risk offered in lecture 2: risk is the uncertainty about future events of interest (though admittedly the working definition includes more than simply likeliness expressed over a space of articulated outcomes).

Let’s return to the “modified” triplet.  Using the rule that the joint probability of two events equals the probability of one event times the conditional probability of the other given the first, the probability term in this expression can be written as follows:

Pr(e,o) = Pr(e)Pr(o|e)

where the notation Pr(e) and Pr(o|e) reads “probability of (initiating event) occurring” and “probability of (outcome) given the occurrence of (initiating event),” respectively.  The first term Pr(e) is the probability that a specified initiating event will occur (over some time span), and the second term Pr(o|e) is the vulnerability to a specified outcome given the occurrence of a specified initiating event.  Separate from its quantitative implications, this expression pretty much articulates the requisite phases of a risk assessment:

  1. Identify a full suite of plausible initiating events (ei), striving for exhaustiveness to the maximum extent possible (which may require explicit assumptions to bound the scope).  This phase might be called “initiating event identification.”
  2. Identify a full suite of plausible outcomes of concern (oj), again striving for exhaustiveness to the maximum extent possible (which may require explicit assumptions to bound the scope).  This phase might be called “consequence assessment,” though it is of a different character from the valuation of consequences in the classical triplet: here the task is to enumerate the outcome space.
  3. Assess the likeliness (or probability if you so desire) of each initiating event Pr(ei) using all available knowledge and information.  This phase might be called “event likeliness assessment.”
  4. Assess the likeliness of each outcome presuming the occurrence of each initiating event Pr(oj|ei) using all available knowledge and information.  This phase might be called “vulnerability assessment” or “outcome likeliness assessment.”
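As an added worked example (not part of the lecture or of the original post), the following Python code carries the expression Pr(e,o) = Pr(e)Pr(o|e) through the four phases above, and also shows how each (event, outcome) pair becomes a classical <s,p,c> triplet.  It takes a constructed table of hypothetical initiating events with their probabilities over some time span, a declared outcome set, and a vulnerability row Pr(o|e) per event; it checks that every vulnerability row is a distribution over the declared outcome set (mutually exclusive, collectively exhaustive), expands the joint probabilities into triplets, and computes the marginal likeliness of each outcome and the probability-weighted consequence.  All event names, probabilities, and dollar values are assumptions chosen only to exercise the arithmetic.

```python
"""Worked risk-triplet computation.  Added example; all inputs are constructed."""
from dataclasses import dataclass

# Phase 1 + 3 (constructed): initiating events with a hypothetical probability
# Pr(e) of occurring within the assessment time span.  Events are assumed to be
# mutually exclusive within that span.
INITIATING_EVENTS = {
    "forced entry to server room": 0.05,
    "insider with sledgehammer": 0.02,
    "flood in basement": 0.01,
}

# Phase 2 (constructed): the outcome space, intended to be mutually exclusive
# and collectively exhaustive for every initiating event.
OUTCOMES = ["no damage", "partial outage", "total loss"]

# Phase 4 (constructed): vulnerability Pr(o|e), one distribution row per event.
VULNERABILITY = {
    "forced entry to server room": {"no damage": 0.5, "partial outage": 0.4, "total loss": 0.1},
    "insider with sledgehammer":   {"no damage": 0.1, "partial outage": 0.3, "total loss": 0.6},
    "flood in basement":           {"no damage": 0.7, "partial outage": 0.25, "total loss": 0.05},
}

# Consequence valuation c for each outcome (hypothetical dollars).
CONSEQUENCE = {"no damage": 0.0, "partial outage": 50_000.0, "total loss": 500_000.0}


@dataclass(frozen=True)
class Triplet:
    """One classical risk triplet <s, p, c>."""
    scenario: str   # s: "initiating event -> outcome"
    prob: float     # p: Pr(e, o) = Pr(e) * Pr(o|e)
    cons: float     # c: valuation of the outcome


def check_exhaustive(vuln, outcomes, tol=1e-9):
    """Every Pr(.|e) row must be a distribution over exactly the declared outcome set."""
    for e, row in vuln.items():
        if set(row) != set(outcomes):
            raise ValueError(f"outcome set for {e!r} differs from the declared outcome set")
        total = sum(row.values())
        if abs(total - 1.0) > tol:
            raise ValueError(f"Pr(o|{e}) sums to {total}, not 1")
    return True


def joint_risk(events, vuln, cons):
    """Expand Pr(e,o) = Pr(e) Pr(o|e) into the set of triplets <s,p,c>."""
    return [
        Triplet(f"{e} -> {o}", pe * vuln[e][o], cons[o])
        for e, pe in events.items()
        for o in vuln[e]
    ]


def outcome_likelihood(triplets):
    """Marginal Pr(o) = sum_i Pr(e_i) Pr(o|e_i): likeliness of each outcome over all events."""
    marg = {}
    for t in triplets:
        o = t.scenario.split(" -> ")[1]
        marg[o] = marg.get(o, 0.0) + t.prob
    return marg


def expected_consequence(triplets):
    """sum over (e,o) of Pr(e,o) * c(o): a single number, useful for ranking but it hides the distribution."""
    return sum(t.prob * t.cons for t in triplets)


def top_scenarios(triplets, n=3):
    """Scenarios ranked by probability-weighted consequence."""
    return sorted(triplets, key=lambda t: t.prob * t.cons, reverse=True)[:n]


if __name__ == "__main__":
    check_exhaustive(VULNERABILITY, OUTCOMES)
    R = joint_risk(INITIATING_EVENTS, VULNERABILITY, CONSEQUENCE)
    for t in R:
        print(f"{t.scenario:45s} Pr={t.prob:.4f}  c=${t.cons:,.0f}")
    print("Pr(o):", outcome_likelihood(R))
    print("E[c]:", expected_consequence(R))
    print("top:", [t.scenario for t in top_scenarios(R)])
```

One caveat the arithmetic makes visible: because the event table contains no “no initiating event” row, the marginal outcome likelinesses sum to the probability that some initiating event occurs in the time span (0.08 here), not to 1.  Adding that residual row, with Pr = 1 minus the sum of the event probabilities and a vulnerability row that puts all mass on “no damage,” turns Pr(o) into a proper distribution over the outcome space.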

Now what is nice about this development?  For starters, the expression for risk and the process for its assessment have been derived from first principles (bottom-up) rather than from someone’s ideas on how to map their perceptions of what security risk analysis is to a mathematical formula (often arithmetic or logical) that seems right (top-down).  (I suspect that many of the “formulas” for risk proposed or in current use actually were arrived at via top-down thinking, which is perhaps the reason why so many people find it easy to challenge their mathematical integrity.)  Second, regardless of whether one uses numbers to express likeliness, the expression offers guidance on how to clearly think through a risk analysis problem.  It is true that the devil is in the details, but in the end the four steps above will lead to knowledge that enables higher-confidence statements about risk relative to those generated through other ad hoc analytic approaches.

The four items above – initiating event, outcomes of concern, event likeliness, and vulnerability – will each be addressed in turn over the course of the next four lectures (two weeks).  Fortunately for my students, I intend to address these topics in a manner that assumes the minimal amount of background knowledge in set theory and probability theory.  But that doesn’t mean my students are exempt from knowing this material; my job is to ensure that they do by the time they finish this course. (Note: Issues centered on the remaining three questions for risk management will begin in part III of the course, or after lecture 20).


Actuaries, Ethics and Risk

Saturday, September 6th, 2008

If one peruses the security risk analysis literature, one might notice the absence of any significant discussion on ethics in security risk analysis (from the analyst perspective).  In fact, if you look at much of the broader risk analysis literature, you are likely to make the same observation (save for discussion of ethics associated with risk management decisions or in the use of risk analysis to inform decisions in the first place).  One exception is a very short discussion on the topic in the book RAMAS Risk Calc 4.0 by Dr. Scott Ferson (BTW: Scott is an excellent uncertainty and risk scientist).

Up until recently, I believed that the only good sources of information on analytic ethics were available in the Intelligence Studies literature.  One noted reference in this domain is entitled The Ethics of Spying: A Reader for the Intelligence Professional by Dr. Jan Goldman (ISBN: 0810856409).  Of course, if one expands the search, one can also include the Code of Ethics for Competitive Intelligence Professionals published by the Society of Competitive Intelligence Professionals.

But then on my quest for “risk enlightenment,” I encountered the American Academy of Actuaries Code of Professional Conduct.  After reviewing this document’s contents, I discovered that much of this code is relevant to both the security risk analysis and intelligence analysis professions.  I suspect that codes from other analytic disciplines (e.g., engineering), too, are quite similar in nature, but for now let’s just focus on this one as it is closest to my research domain.  Below I summarize the 14 precepts of this AAA code of conduct without annotations (see the full document for the complete code).  Note that I use [security risk analyst] as a substitute for the word “actuary” and [risk analytic] for “actuarial.”  Also, the word “Principal” has been replaced with [client decision maker].

<< CODE OF PROFESSIONAL CONDUCT >>

PRECEPT 1. A [security risk analyst] shall act honestly, with integrity and competence, and in a manner to fulfill the profession’s responsibility to the public and to uphold the reputation of the [security risk analysis] profession.

PRECEPT 2. A [security risk analyst] shall perform [risk analytic] services only when the [security risk analyst] is qualified to do so on the basis of basic and continuing education and experience, and only when the [security risk analyst] satisfies applicable qualification standards.

PRECEPT 3. A [security risk analyst] shall ensure that [risk analytic] services performed by or under the direction of a [security risk analyst] satisfy applicable standards of practice.

PRECEPT 4. A [security risk analyst] who issues a [risk analytic] communication shall take appropriate steps to ensure that the [risk analytic] communication is clear and appropriate to the circumstances and its intended audience, and satisfies applicable standards of practice.

PRECEPT 5. A [security risk analyst] who issues a [risk analytic] communication shall, as appropriate, identify the [client decision maker(s)] for whom the [risk analytic] communication is issued and describe the capacity in which the [security risk analyst] serves.

PRECEPT 6. A [security risk analyst] shall make appropriate and timely disclosure to a present or prospective [client decision maker] of the sources of all direct and indirect material compensation that the [security risk analyst] or [security risk analyst's] firm has received, or may receive, from another party in relation to an assignment for which the [security risk analyst] has provided, or will provide, [security risk analysis] services for the [client decision maker].  The disclosure of sources of material compensation that the [security risk analyst's] firm has received, or may receive, is limited to those sources known to, or reasonably ascertainable by, the [security risk analyst].

PRECEPT 7. A [security risk analyst] shall not knowingly perform [security risk analysis] services involving an actual or potential conflict of interest unless:

  • the [security risk analyst's] ability to act fairly is unimpaired;
  • there has been disclosure of the conflict to all present and known prospective [client decision maker(s)] whose interests would be affected by the conflict; and
  • all such [client decision maker(s)] have expressly agreed to the performance of the [security risk analytic] services by the [security risk analyst].

PRECEPT 8. A [security risk analyst] who performs [security risk analytic] services shall take reasonable steps to ensure that such services are not used to mislead other parties.

PRECEPT 9. A [security risk analyst] shall not disclose to another party any confidential information unless authorized to do so by the [client decision maker] or required to do so by Law.

PRECEPT 10. A [security risk analyst] shall perform [security risk analytic] services with courtesy and professional respect and shall cooperate with others in the [client decision maker's] interest.

PRECEPT 11. A [security risk analyst] shall not engage in any advertising or business solicitation activities with respect to [security risk analytic] services that the [security risk analyst] knows or should know are false or misleading.

PRECEPT 12. A [security risk analyst] shall make use of membership titles and designation of a recognized [security risk analysis] organization only in a manner that conforms to the practices authorized by that organization.

PRECEPT 13. A [security risk analyst] with knowledge of an apparent, unresolved, material violation of the Code by another [security risk analyst] should consider discussing the situation with the other [security risk analyst] and attempt to resolve the apparent violation.  If such discussion is not attempted or is not successful, the [security risk analyst] shall disclose such violation to the appropriate counseling and discipline body of the profession, except where the disclosure would be contrary to Law or would divulge confidential information.

PRECEPT 14. A [security risk analyst] shall respond promptly, truthfully, and fully to any request for information by, and cooperate fully with, an appropriate counseling and disciplinary body of the profession in connection with the disciplinary, counseling, or other proceeding of such body relating to the Code.  The [security risk analyst's] responsibility to respond shall be subject to applicable restrictions on confidential information and those imposed by Law.

<< END CODE >>

This list of 14 precepts is pretty comprehensive, and I would be hard pressed at present to suggest any additional precepts relevant to security risk analysis.  Now I intend to use this “Code” as the basis for constructing a series of very short risk analytic ethics case studies for use as part of lecture 29 in my SRA 311 course at Penn State.  Feel free to offer suggestions on case studies, refinement to the code, and perhaps suggestions on how to establish such a code as this in the security risk analysis profession (such as through SARMA).


The Kreyszig of Risk

Saturday, September 6th, 2008

Many, if not most, upper-level undergraduate and first-year graduate engineering students are familiar with the famous text entitled Advanced Engineering Mathematics by Erwin Kreyszig (now in its ninth edition).  If you are not familiar with this book and you desire a single source for the body of practical mathematical concepts that enable engineering analysis, then I strongly advise that you become acquainted with “Kreyszig.”  This book covers the practical elements of calculus, differential equations, linear algebra, numerical analysis, optimization, and probability and statistics, all in 1248 pages!  I will forever keep this book handy.

[Image: cover of the 8th edition (the one I used)]

Recently I encountered a book that, in my mind, rivals Kreyszig in terms of comprehensiveness and thoroughness.  The title is Actuarial Mathematics by Bowers, Gerber, Hickman, Jones, and Nesbitt (second edition, ISBN: 0938959468).  But unlike the Kreyszig text, Actuarial Mathematics is all about the mathematics of risk.  Topics covered in this book include probability models, survivorship functions, insurance pricing, regression, and so on.  Though the title may sound dry, this book is sufficiently lively in tone to keep my mind occupied during an otherwise boring meeting.  This book is absolutely amazing, and for that reason I call it the “Kreyszig of Risk.”  But I would argue that the text advocates mathematical practice that, despite being the accepted standard of practice in the world of professional actuaries, is primitive relative to modern uncertainty modeling approaches (e.g., probability boxes).  I think there is potential for quite a lot of research work focused on applying modern mathematical theory to actuarial problems.

Now despite its mathematical allure, Actuarial Mathematics does not help security risk professionals do their job any better, given their inherent reluctance to quantify things without supporting data.  But this did not stop me from buying the book and enjoying every minute of it.  Actually, I believe (as of late) that there is much for a security risk professional to learn from other disciplines where risk analysis is routinely used (e.g., political risk assessment, actuarial science).  So picking this book up was my first attempt at understanding the requisite mathematical body of knowledge to become an actuary (see the American Academy of Actuaries website for more information on what an actuary does and what it takes to become one).
