Assessment of Resources in Physical Security System – Chapter 14

Learning Outcomes

  • By the end of the lesson students should be able to:
    • Understand the assessment of resources available in a physical security system.
    • Understand the mitigation plan needed to protect those resources.

Lecture Overview (Slide-Deck Road-Map)

  • Introduction to physical security assessment.
  • Concept of an acceptable level of risk within an organisation.
  • Creation of a mitigation plan to protect resources.
  • Development and use of an action plan / assessment checklist.

Introduction to Physical Security Assessment

  • Physical security unit is responsible for:
    • Developing and enforcing controls that protect:
      • Software-security management
      • Hardware-security management
      • Human-resource / talent security
      • Application policies and procedures
    • Ensuring safety for:
      • Computer installations
      • Backup facilities
      • Office layouts
      • Personnel background checks
  • Organisations measure security posture via baseline parameters to ensure protection at an acceptable level.
  • Security assessment is mandatory to verify whether existing controls deliver maximum protection.

Why Perform Security Assessment?

  • Determine current cost, resources and talent utilisation.
  • Check integration of various programmes / hardware / software with business requirements and security performance.
  • Conduct comprehensive vulnerability assessment and risk measurement to understand overall security performance.

Acceptable Level of Risk (ALR)

  • ALR = the maximum risk an organisation is willing to tolerate.
  • Must be defined in line with:
    • Nature of business
    • Security policies, procedures, implementation time-frame
  • Requires setting of threshold values for selected security parameters.
  • Studied via:
    • Quantitative approach (numerical scoring, Likelihood × Impact, monetary loss, etc.)
    • Qualitative approach (high/medium/low scales, colour-coded matrices, expert judgement).
  • Best practice: maintain an ALR table for fast reference.

Illustrative Example – ATM Locations

  Location               Requirement    Declared ALR
  Banking area           Guard + CCTV   Low
  ATM area (with CCTV)   CCTV           Medium
  ATM area (no CCTV)     None           High
  • ALR varies with location, policy, procedure and time of implementation.

Why Is Defining ALR Important?

  1. Efficient resource allocation
    • Ensures critical/high-value assets receive larger share of security budget.
    • Aligns security spending with organisational goals and threat landscape.
  2. Strategic decision-making
    • Helps management balance cost vs protection.
    • Decides whether a risk is tolerable or requires mitigation.

How ALR Influences Security-Resource Assessment

  1. Defines scope & scale
    • Low ALR ⇒ strict controls (e.g. biometric access, 24/7 surveillance).
    • High ALR ⇒ fewer or low-cost controls may suffice.
  2. Enables risk-based prioritisation
    • Directs robust controls toward assets whose acceptable risk is lowest.

Mitigation Plan Development

  • Create a resource matrix/table listing:
    • Assets (hardware, software, talent, cash, data, facilities, etc.)
    • Associated vulnerabilities, threats & potential attacks
  • Identify policies, guidelines, models to be followed (ISO/IEC 27001, NIST SP 800-115, etc.).
  • For every study area:
    • Define measurement criteria (quantitative values or qualitative descriptors).
    • Decide on scoring methodology:
      • Quantitative: 0–100 score, monetary loss, incident rate, etc.
      • Qualitative: High / Medium / Low, traffic-light scale.
  • Map resources into:
    • Weights/metrics/scorecards
    • Compliance assessment results
    • Incident statistics & vulnerability scans
  • Specify deliverables / outputs:
    • Progress meetings
    • Documentation & reports
    • Action plans, presentations, videos

Assessment Checklist (Illustrative Questions and Status Field ✔ ✘ NULL)

Preventive Measures (Generic)

  #   Description                                                        Status (✔/✘/NULL)
  1   Access to protected area limited only to authorised personnel?
  2   Physical keys & access codes monitored and logged?
  3   Access codes revoked immediately when employee exits?
  4   CCTV deployed to monitor blind spots?
  5   Employees subjected to periodic medical / background checks?
  6   Incidents reported to Public Safety promptly?

Protection Measures (Computer Lab / IT Facility Example)

  #   Description                                          Status (✔/✘/NULL)
  1   System on stable, grounded surface?
  2   Environment free of dust, humidity, extreme temp?
  3   Room secured by lock & alarm?
  4   Locks/alarms activated during off-hours?
  5   Power & reset switches disabled / shielded?
  6   Physical network protected / encrypted?

Specialist Data-Collection Sheet (Exterior Perimeter CCTV System)

  • Installation location
  • Operational test frequency & method
  • Sensitivity test frequency & method; acceptance criteria
  • Vegetation / snow removal procedures
  • False-alarm history & records
  • Make & model of device
  • Zone-by-zone test results:
    • Functional test
    • Field-of-view test
    • Obstruction test
    • Speed-of-response test
  • Comments & anomaly logs
  • Formula frequently used in previous lectures for quantitative risk analysis:
      Risk = Threat × Vulnerability × Asset Value
  • Indicates why vulnerability assessment and asset valuation are key components of the resource assessment process.
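Added worked example (not part of the lecture slides) tying together the ALR table, the quantitative scoring approach and the checklist status field: each asset's risk is computed with the Risk = Threat × Vulnerability × Asset Value formula above, compared against the ALR declared for its location, and the checklist is scanned for items that are failed or not yet assessed. The numeric thresholds per ALR label, the 0–1 / 0–100 scales and the asset entries are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Assumption: map the slide's qualitative ALR labels to a maximum tolerated
# risk score on a 0-100 scale (constructed thresholds, not from the lecture).
ALR_THRESHOLD = {"Low": 20, "Medium": 50, "High": 80}

# Constructed ALR table mirroring the ATM example: location -> declared ALR.
ALR_TABLE = {"Banking area": "Low", "ATM area (with CCTV)": "Medium", "ATM area (no CCTV)": "High"}

@dataclass
class Asset:
    name: str
    location: str
    threat: float         # likelihood of a threat event, 0.0-1.0 (assumed scale)
    vulnerability: float  # chance the event succeeds, 0.0-1.0 (assumed scale)
    asset_value: float    # impact if it succeeds, 0-100 (assumed scale)

def risk_score(a: Asset) -> float:
    """Quantitative risk per the lecture formula, rounded to one decimal."""
    return round(a.threat * a.vulnerability * a.asset_value, 1)

def needs_mitigation(a: Asset, alr: dict) -> bool:
    """True when computed risk exceeds the ALR declared for the asset's location."""
    return risk_score(a) > ALR_THRESHOLD[alr[a.location]]

def checklist_gaps(items: dict) -> list:
    """Checklist item numbers that are not a pass; NULL (not assessed) is a gap too."""
    return [n for n, status in items.items() if status != "✔"]

def assessment_report(assets: list, alr: dict, checklist: dict) -> dict:
    """Action-plan input: assets over their ALR plus unanswered/failed checklist items."""
    return {
        "mitigate": [f"{a.name} @ {a.location}" for a in assets if needs_mitigation(a, alr)],
        "checklist_gaps": checklist_gaps(checklist),
    }

# Constructed sample data for the three ATM-example locations.
ASSETS = [
    Asset("Vault cash", "Banking area", 0.3, 0.5, 100),           # 15.0, within Low ALR
    Asset("ATM cassette", "ATM area (with CCTV)", 0.7, 0.8, 90),  # 50.4, exceeds Medium ALR
    Asset("ATM cassette", "ATM area (no CCTV)", 0.9, 0.9, 90),    # 72.9, within High ALR
]
CHECKLIST = {1: "✔", 2: "✔", 3: "✘", 4: "NULL", 5: "✔", 6: "✔"}  # preventive-measures sheet

if __name__ == "__main__":
    print(assessment_report(ASSETS, ALR_TABLE, CHECKLIST))
```

Note that a NULL status is treated as a gap on purpose: an item that was never assessed gives no evidence of compliance and belongs in the action plan alongside outright failures.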

Practical / Ethical / Regulatory Considerations

  • Legal & regulatory compliance (e.g. GDPR, Malaysian PDPA, PCI-DSS): assessment verifies adherence.
  • Ethical obligation to safeguard personally identifiable information (PII) and ensure staff safety.
  • Budgetary realism: assessment informs financial planning and avoids over- or under-spending on controls.

Conclusion & Key Takeaways

  • Assessment uncovers unknowns within the environment, surfacing latent vulnerabilities.
  • Confirms whether implemented actions comply with established standards & procedures.
  • Validates legal / regulatory compliance status.
  • Provides management with data to drive financial & budgetary decisions.
  • Without systematic assessment, organisations risk misaligned controls, wasted resources and exposure to unacceptable threats.

Memory Aids / Quick-Reference

  • ALR answers “how much risk can we live with?”
  • Mitigation plan answers “what shall we do about the risk?”
  • Checklist answers “have we actually done it?”
  • Repeat the assessment cycle periodically (e.g. quarterly) to match evolving threats and organisational changes.