Metrics and Methods for Security Risk Management book cover

Metrics and Methods for Security Risk Management

Not only are corporations and other organizations sometimes targeted by competitors in order to steal their information, they are also targets of political and/or religious groups who understand their economic and symbolic importance. However, a realistic security strategy requires a big-picture approach. At the same time, budgets are decreasing while security departments are dealing with threats that demand greater vigilance. In the wake of the 2008-2009 global economic meltdown, corporate executives are asking difficult questions about effectiveness and efficiency. The need for both information security and physical security is greater today than ever before, and not only to address more complex and dangerous crisis situations, but also to ensure that the methods deployed are proportionate to the risk.

The notion of risk is the lens from which all such problems must be viewed. This book identifies and explains these foundational principles, and shows how they directly relate to an assessment of physical security risk. This book provides the modern security professional with a useful reference that facilitates both rigorous thinking and sensible decisions about key strategic choices.


Security managers with both IT security and physical security responsibilities; counterterrorism practitioners

Paperback, 296 Pages

Published: July 2010

Imprint: Syngress

ISBN: 978-1-85617-978-2


  • "Carl S. Young, VP [and senior risk strategist at a major international corporation], has delivered a volume to make the technology bedrock of security more comprehensible. To justify any security measure, Young shows how risk management can be understood quantitatively. That’s important because so many workplace decisions on vulnerability are made after calculating risk metrics."--Security Letter, Vol. XL, No. 9 (September 2010)

    "…This author has a unique and useful perspective on an important and timely topic."-- Jon A. Schmidt, PE, BSCP, Director of Antiterrorism Services, Burns & McDonnell, Kansas City, MO.

    "Dealing with security risks requires not only the wisdom and experience to assess threats, but also the scientific and technical knowledge to mitigate their risk. Carl Young's wide-ranging expertise in both these areas has been recognized and honored during his distinguished career in government and in the private sector, and informs this fascinating book…[T]his book will be valuable to security professionals as well as concerned citizens."--Prof Emeritus Sidney Drell, Deputy Director, Stanford Linear Accelerator Center (1969-1998).

    "In the post 9/11 world we had to find cost effective, practical, risk-based, resilient solutions to immensely challenging issues. Carl Young was, and is, central to that work. He combines academic brilliance with practical, hands-on experience of delivering security solutions. This book is a synthesis of that work."--James A. King, CBE, Senior UK government security and counterterrorism advisor (1978-2008). Head of Security and Fraud, Lloyds Banking Group, UK.

    "There is nobody in the field of security who surpasses Carl Young's experience and expertise. And now, for the benefit of us all, he has written Metrics and Methods for Security Risk Management. From the thoughtful layout of the chapters, to the clarity of his language and examples, Carl has given the gift of his experience as a scientist and hands-on professional with a talent for writing. This book provides direction and disciplined analysis essential for risk managers and security professionals serious about their work and their careers."--Ed Stroz, Co-president, Stroz Friedberg LLC, leading IT security and digital forensics consulting firm.


  • Dedication

    Foreword and Acknowledgements

    PART I


    Chapter 1 Security Threats and Risk

    1.0 Introduction to Security Risk or Tales of the Psychotic Squirrel and the Sociable Shark

    1.1 The Fundamental Expression of Security Risk

    1.2 Introduction to Security Risk Models and Security Risk Mitigation

    1.3 Summary

    Chapter 2 The Fundamentals of Security Risk Measurements

    2.0 Introduction

    2.1 Linearity and Non-linearity

    2.2 Exponents, Logarithms and Sensitivity to Change

    2.3 The Exponential Function ex

    2.4 The Decibel (dB)

    2.5 Security Risk and the Concept of Scale

    2.6 Some Common Physical Models in Security Risk

    2.7 Visualizing Security Risk

    2.8 An Example: Guarding Costs

    2.9 Summary

    Chapter 3 Risk Measurements and Security Programs

    3.0 Introduction

    3.1 The Security Risk Assessment Process

    3.1.1 Unique Threats

    3.1.2 Motivating Security Risk Mitigation: The Five Commandments of Corporate Security

    3.1.3 Security Risk Models

    3.2 Mitigating Security Risk

    3.2.1. The Security Risk Mitigation Process

    3.2.2 Security Risk Standards

    3.3 Security Risk Audits

    3.4 Security Risk Program Frameworks

    3.5 Summary

     PART II


    Chapter 4 Measuring the Likelihood Component of Security Risk

    4.0 Introduction

    4.1 Likelihood or Potential for Risk?

    4.2 Estimating The Likelihood of Randomly Occurring Security Incidents

    4.3 Estimating The Potential for Biased Security Incidents

    4.4 Averages and Deviations

    4.5 Actuarial Approaches to Security Risk

    4.6 Randomness, Loss, and Expectation Value

    4.7 Financial Risk

    4.8 Summary

    Chapter 5 Measuring the Vulnerability Component of Security Risk

    5.0 Introduction

    5.1 Vulnerability to Information Loss through Unauthorized Signal Detection

    5.1.1 Energy, Waves and Information

    5.1.2 Introduction to Acoustic Energy and Audible Information

    5.1.3 Transmission of Audible Information and Vulnerability to Conversation-Level Overhears

    5.1.4 Audible Information and the Effects of Intervening Structures

    5.1.5 Introduction to Electromagnetic Energy and Vulnerability to Signal Detection

    5.1.6 Electromagnetic Energy and the Effects of Intervening Structures

    5.1.7 Vulnerability to Information Loss through Unauthorized Signal Detection: A Checklist

    5.2 Vulnerability to Explosive Threats

    5.2.1 Explosive Parameters

    5.2.2 Confidence Limits and Explosive Vulnerability

    5.3 A Theory of Vulnerability to Computer Network Infections

    5.4 Biological, Chemical and Radiological Weapons

    5.4.1 Introduction

    5.4.2 Vulnerability to Radiological Dispersion Devices

    5.4.3 Vulnerability to Biological Threats

    5.4.4 Vulnerability to External Contaminants; Bypassing Building Filtration

    5.4.5 Vulnerability to Chemical Threats

    5.5 The Visual Compromise of Information

    5.6 Summary

    Chapter 6 Mitigating Security Risk: Reducing Vulnerability

    6.0 Introduction

    6.1 Audible Signals

    6.1.1 Acoustic Barriers

    6.1.2 Sound Reflection

    6.1.3 Sound Absorption

    6.2 Electromagnetic Signals

    6.2.1 Electromagnetic Shielding

    6.2.2 Intra-Building Electromagnetic Signal Propagation

    6.2.3 Inter-Building Electromagnetic Signal Propagation

    6.2.4 Non-Point Source Electromagnetic Radiation

    6.3 Vehicle-borne Explosive Threats: Barriers and Bollards

    6.4 Explosive Threats

    6.5 Radiological Threats

    6.6 Biological Threats

    6.6.1 Particulate Filtering

    6.6.2 Ultraviolet Germicidal Irradiation (UVGI)

    6.6.3 Combining UVGI with Particulate Filtering

    6.6.4 More Risk Mitigation for Biological Threats

    6.6.5 Relative Effectiveness of Influenza Mitigation

    6.7 Mitigating the Risk of Chemical Threats (briefly noted)

    6.8 Guidelines on Reducing the Vulnerability to Non-Traditional Threats in Commercial Facilities

    6.9 Commercial Technical Surveillance Countermeasures (TSCM)

    6.10 Electromagnetic Pulse (EMP) Weapons

    6.11 Summary


    Appendix A

    Appendix B

    Appendix C

    Appendix D

    Appendix E

    Appendix F

    Appendix G


advert image