Humor! Personal Security Risk Assessment

Posted: May 30, 2007 in Risk Assessment, Security Governance

This was originally supposed to be a short and funny example of a personal security risk assessment from the perspective of a security professional. The assessment became much more involved than originally expected, as do most first-time security projects. Anyway, this is my attempt to prove a simple point (why do a risk assessment?) by performing a somewhat comical personal security risk assessment. I imagine law enforcement or insurance agencies probably have more complex models than the one presented below.

Disclaimer: The names and facts of certain individuals have been changed to protect the guilty and innocent.  If anything in this is true, it was meant to be false; if anything is false, it was meant to be true.   

Assets

As we all know, the first step in any security solution should involve a risk assessment. For this example, an asset-based risk assessment will be used. To begin, a list of assets must be defined and each asset assigned a criticality. You might think: what assets? Shouldn’t there just be one asset (i.e. me)? No, there are many more. Here is the list of assets (without too much personal detail, as that’s a risk). After a good deal of time the list was also reduced for simplicity.

Physical

Asset | Criticality
Real-estate | Medium
Automobile(s) | Low

 

 

Financial

Asset | Criticality
Career | High
Cash | Medium
Investments | Medium
Credit Cards | Low

Human / Animals (We won’t say which is an animal and which is a human)

Asset | Criticality
Myself | High
Immediate family | High
Distant family | Medium
Pets | Low

 

Threats

 After identifying the assets and assigning a criticality ranking, the next step was to come up with a list of threats.  (This was getting way too personal to put on the internet.  Items needed to be skewed really quick and become more interesting).  There are several threats that affect me personally, which are represented in the table below. 

Environmental

Threat | Likelihood | Explanation
Fire | Low | Although I don’t wear a fireproof suit to work every day, the chance of being set on fire is fairly low. Also, my house has a stove, coffee maker, and iron, but smoke detectors are installed on all floors and files are locked in a fireproof cabinet, thus the likelihood of this threat destroying anything is low.
Flood | Low | Hmm. My house is at the top of a mountain and I work in a high-rise building, so this is definitely not a big threat.
High Humidity | Medium | The southeast is a high humidity region of the USA. There is a possibility of my food going bad and mold contaminating my house, which could lead to poor health.
Tidal Wave | Low | Surf’s up, dude! Not likely, even after watching all those Discovery Channel movies about the super tsunami.

Human (Way too many to list!) 

Threat | Likelihood | Explanation
Terrorism | Low | Even though the USA is a target, the likelihood of it affecting me is low at this point in time.
Robbery | Low | Good luck, my 9mm is attached 70% of the time, in addition to my 15 years of martial arts training. The house has an electric fence with a pair of pit bulls (Zero and Uno are their names).
Carelessness | Medium | I must make at least several careless mistakes a day. This posting is probably one of them.
Sickness | Low | Fairly good health thanks to my military training and upkeep.

Enough, the point was made.  The next step was to identify the vulnerabilities.  It gets really scary thinking about all the real problems.  After a short brainstorm session I’m considering locking myself in the house and ordering delivery for the rest of my life, but based on my current paranoia level I might be afraid to answer the door for the food.  (Understand how a CEO must feel when the security consultant or CISO presents these problems for the first time).  “Well boss here is a list of our problems!” 

Vulnerabilities

Usually vulnerabilities should be broken down into categories, but that’s too much depth for this posting, therefore below is a sample list of vulnerabilities, their rating, and a brief description.   

Vulnerability | Rating | Description
Immediate family does not have appropriate martial arts training | Medium | Some immediate family has been trained with basic skills, but not all have the ability to stop a robbery.
Mail not delivered to secure location | Medium | Although mail theft is a serious offence, the proper safeguards to protect my regular mail are not in place because it’s delivered to a publicly accessible location.
Pit bulls have not been to obedience training | Medium | Pit bulls have been known to attack neighbors, visitors, pets, or family if not properly trained. This could cause serious time, damage to reputation, and have a financial impact.
Inadequate wallet protection | Medium | Although the wallet is buttoned in a pocket, there is no chain protecting it from pickpockets or magicians during the regular course of a day.
Lack of sleep on a regular basis | High | Too many hours spent working, playing video games, and blogging. This could affect career, family, pets, etc.
Partied too much in college | Low | A degree was obtained, but as a result of daily partying a position in politics or at the FBI is unlikely due to past behavior at these events.
Not enough blogging | Medium | Blog was recently established, but at the rate of 3 to 4 posts a month there is a risk of losing visitor interest to the website and stagnation of career.

Calculating

To make this easy the scoring method is listed in the table below for each area.  More detail could have been provided, but the point is not to provide the scoring method.  Most of this follows the NIST guidelines anyway.  The big item not presented in the example below is the assignment of vulnerabilities and threats to each asset. 

 

Asset | Criticality (High = 100, Med = 50, Low = 10) | Likelihood (High = .50, Med = .25, Low = .05) | Rating (High = .50, Med = .25, Low = .05) | Risk (High = 51-100, Med = 11-50, Low = 1-10)
Real-estate | 50 | .08 | .05 | 7
Automobile(s) | 10 | .05 | .05 | 1
Career | 100 | .19 | .31 | 50
Cash | 50 | .19 | .22 | 21
Investments | 50 | .22 | .01 | 9
Credit Cards | 10 | .22 | .14 | 4
Myself | 100 | .50 | .50 | 100
Immediate family | 100 | .50 | .41 | 91
Distant family | 50 | .15 | .14 | 15
Pets | 10 | .22 | .01 | 2

Note: the top three risk assets were bolded in the above table. 
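
An added example (not from the original post) that recomputes the Risk column and re-ranks the assets. The post does not state its scoring method, so the formula here is an assumption: risk = criticality × (likelihood + rating), rounded to the nearest whole number, which reproduces nine of the ten published values. The function names are hypothetical.

```python
# Rows copied from the table above: (asset, criticality, likelihood, rating, published risk).
# Likelihood and rating are stored in hundredths so the arithmetic stays exact.
ROWS = [
    ("Real-estate", 50, 8, 5, 7),
    ("Automobile(s)", 10, 5, 5, 1),
    ("Career", 100, 19, 31, 50),
    ("Cash", 50, 19, 22, 21),
    ("Investments", 50, 22, 1, 9),
    ("Credit Cards", 10, 22, 14, 4),
    ("Myself", 100, 50, 50, 100),
    ("Immediate family", 100, 50, 41, 91),
    ("Distant family", 50, 15, 14, 15),
    ("Pets", 10, 22, 1, 2),
]

def risk_score(criticality, likelihood_pct, rating_pct):
    """ASSUMED formula: criticality * (likelihood + rating), rounded half up."""
    return (criticality * (likelihood_pct + rating_pct) + 50) // 100

def band(score):
    """Risk bands from the table header: High 51-100, Med 11-50, Low 1-10."""
    if score >= 51:
        return "High"
    return "Med" if score >= 11 else "Low"

def audit(rows):
    """Recompute every row; return (results ranked by risk, rows whose published risk differs)."""
    results, mismatches = [], []
    for asset, crit, like, rate, published in rows:
        computed = risk_score(crit, like, rate)
        results.append((asset, computed, band(computed)))
        if computed != published:
            mismatches.append((asset, published, computed))
    results.sort(key=lambda r: r[1], reverse=True)
    return results, mismatches

if __name__ == "__main__":
    ranked, mismatches = audit(ROWS)
    for asset, score, level in ranked:
        print(f"{asset:18} {score:4} {level}")
    for asset, published, computed in mismatches:
        print(f"check {asset}: table says {published}, assumed formula gives {computed}")
```

Under this assumption only the Investments row disagrees with the published figure, and the top three assets by risk are unchanged.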

 

 

Why do a Risk Assessment?

 So what does this tell you?  Probably not much initially as most people already know that immediate family, career, and some type of financial asset are the most critical personal items.  Also, no matter how the risk assessment is conducted “Myself” will almost always be the highest risk asset.  This brings me to the point – Why do a Risk Assessment? Before answering that question let us assume I hired or obtained advice from different specialists for each asset listed above.  Here is the advice I received. 

Real-estate security specialist:  Install an alarm on all doors and windows.  Consider moving to a gated community with guard.  Install cameras by doors and sensor lights at the edge of the property that light when visitors arrive. 

Automotive security specialist: Install bullet proof glass, upgrade car alarm, and consider upgrading to a car with more air bags and higher crash test rating.

Career security specialist: Update your resume, write more security articles, write a book and consider starting your own business.

Personal security specialist: Continue martial arts training, consider taking yoga and working less to reduce stress and make fewer mistakes.

Without performing a risk assessment I should move to a gated community, upgrade my car to a Volvo, start my own business, and take yoga in my free time. This sounds like a great deal of change and more risk than continuing my regular course of actions. Seem familiar? Ever had an organization do an assessment and deliver thousands of vulnerabilities that need to be fixed? So what should be implemented and in what order? Does every recommendation need to be implemented? Therein lies one point of a risk assessment.

Putting It All Together

A risk assessment will usually provide more strategic recommendations associated with the overall risk of each asset. Individual specialized reports may not be able to identify these issues because specialists are not able to analyze the entire situation. Therefore, as a result of this personal risk assessment, a sample of the controls that should have been recommended is provided below in order of priority.

  1. Get at least 6 hours of sleep every night.

  2. Get a PO box and have all important mail sent to this new address.

  3. Enroll immediate family in martial arts training.

  4. Perform regular maintenance on automobiles and ensure brakes are checked regularly.

  5. Maintain current job, increase 401k holdings equal to company match.

The great thing about this being my personal security risk assessment is that I decide how much risk is acceptable. Therefore, I will try to sleep 6 hours a night, perform regular maintenance on my car, and maintain my current job while increasing my 401k holdings. On the other hand, I choose to accept the risk of personal mail delivery to my house, and unless my family really wants to, they probably won’t enroll in martial arts training. Hopefully organizations will also have a good mind of their own and take the risk-based approach to security.

 

Comments
  1. Some insurance agencies are very greedy; that is why I always take a second thought when dealing with them.

  2. Good article on risk assessment! I may carry out a personal security risk assessment on myself – it would be interesting to see what came up. It would make a change from risk assessing chemicals anyway.

  3. There are insurance agencies that are scams too, so make sure that you deal with legit insurance agencies.

  4. I’m really impressed with your writing skills as well as with the layout on your
    blog. Is this a paid theme or did you modify it yourself?
    Either way keep up the excellent quality writing, it is rare to see a nice blog like this one today.

  5. I really like your blog.. very nice colors & theme.
    Did you make this website yourself or did you hire someone to do it for you?
    Plz answer back as I’m looking to create my own blog and would like to know where u got this from.
    thanks

  8. Heather says:

    Hello, after reading this amazing post i am also cheerful to share my know-how here with mates.

  9. walk ways says:

    An outstanding share! I have just forwarded this onto a coworker who was doing a little research on this.
    And he actually bought me breakfast due to the fact that I discovered it for him…
    lol. So allow me to reword this…. Thanks for the meal!!
    But yeah, thanx for spending the time to talk about this
    subject here on your web page.
