This originally was supposed to be a short and funny example of a personal security risk assessment from the perspective of a security professional. The assessment became much more involved than originally expected, as most first-time security projects do. Anyway, this is my attempt to prove a simple point (why do a risk assessment?) by performing a somewhat comical personal security risk assessment. I imagine law enforcement or insurance agencies probably have more complex models than the one presented below.
Disclaimer: The names and facts of certain individuals have been changed to protect the guilty and innocent. If anything in this is true, it was meant to be false; if anything is false, it was meant to be true.
As we all know, the first step in any security solution should involve a risk assessment. For this example, an asset-based risk assessment will be used. To begin, a list of assets must be defined and each assigned a criticality. You might think: what assets? Shouldn't there just be one asset (i.e., me)? No, there are many more. Here is the list of assets (without too much personal detail, since that is a risk in itself). After a good deal of time the list was also reduced for simplicity.
Human / Animals (We won’t say which is an animal and which is a human)
After identifying the assets and assigning a criticality ranking, the next step was to come up with a list of threats. (This was getting way too personal to put on the internet. Items needed to be skewed really quickly and made more interesting.) There are several threats that affect me personally, which are represented in the table below.
| Threat | Likelihood | Description |
| --- | --- | --- |
| Fire | Low | Although I don't wear a fireproof suit to work every day, the chance of being set on fire is fairly low. Also, my house has a stove, coffee maker, and iron, but smoke detectors are installed on all floors and files are locked in a fireproof cabinet, thus the likelihood of this threat destroying anything is low. |
| Flood | Low | Hmm. My house is at the top of a mountain and I work in a high-rise building, so this is definitely not a big threat. |
| High Humidity | Medium | The southeast is a high-humidity region of the USA. There is a possibility of my food going bad and mold contaminating my house, which could lead to poor health. |
| Tidal Wave | Low | Surf's up, dude! Not likely, even after watching all those Discovery Channel movies about the super tsunami. |
Human (Way too many to list!)
USA is a target, the likelihood of it affecting me is low at this point in time.
| Threat | Likelihood | Description |
| --- | --- | --- |
| Robbery | Low | Good luck: my 9mm is attached 70% of the time, in addition to my 15 years of martial arts training. The house has an electric fence with a pair of pit bulls (Zero and Uno are their names). |
| Carelessness | Medium | I must make at least several careless mistakes a day. This posting is probably one of them. |
| Sickness | Low | Fairly good health thanks to my military training and upkeep. |
Enough, the point was made. The next step was to identify the vulnerabilities. It gets really scary thinking about all the real problems. After a short brainstorming session I'm considering locking myself in the house and ordering delivery for the rest of my life, but based on my current paranoia level I might be afraid to answer the door for the food. (Understand how a CEO must feel when the security consultant or CISO presents these problems for the first time: "Well boss, here is a list of our problems!")
Usually vulnerabilities should be broken down into categories, but that’s too much depth for this posting, therefore below is a sample list of vulnerabilities, their rating, and a brief description.
| Vulnerability | Rating | Description |
| --- | --- | --- |
| Immediate family does not have appropriate martial arts training | Medium | Some immediate family members have been trained in basic skills, but not all have the ability to stop a robbery. |
| Mail not delivered to secure location | Medium | Although mail theft is a serious offence, the proper safeguards to protect my regular mail are not in place because it is delivered to a publicly accessible location. |
| Pit bulls have not been to obedience training | Medium | Pit bulls have been known to attack neighbors, visitors, pets, or family if not properly trained. This could consume serious time, damage my reputation, and have a financial impact. |
| Inadequate wallet protection | Medium | Although the wallet is buttoned in a pocket, there is no chain protecting it from pickpockets or magicians during the regular course of a day. |
| Lack of sleep on a regular basis | High | Too many hours spent working, playing video games, and blogging. This could affect career, family, pets, etc. |
| Partied too much in college | Low | A degree was obtained, but as a result of daily partying a position in politics or at the FBI is unlikely due to past behavior at these events. |
| Not enough blogging | Medium | The blog was recently established, but at the rate of 3 to 4 posts a month there is a risk of losing visitor interest in the website and of career stagnation. |
To make this easy the scoring method is listed in the table below for each area. More detail could have been provided, but the point is not to provide the scoring method. Most of this follows the NIST guidelines anyway. The big item not presented in the example below is the assignment of vulnerabilities and threats to each asset.
| Scale | High | Med | Low |
| --- | --- | --- | --- |
| Criticality | 100 | 50 | 10 |
| Likelihood | .50 | .25 | .05 |
| Rating | .50 | .25 | .05 |
| Risk | 51-100 | 11-50 | 1-10 |
Note: the top three risk assets were bolded in the above table.
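As an added example (my own code, not the post's), here is the asset-based scoring described above carried through in Python. The three scales are the post's; the combination formula, the asset names and their criticalities are assumptions labelled in the code, and the threat/vulnerability pairs are taken from the tables above.

```python
from __future__ import annotations
from dataclasses import dataclass

# Scales exactly as the post's scoring table gives them.
CRITICALITY = {"High": 100, "Med": 50, "Low": 10}
LIKELIHOOD = {"High": 0.50, "Med": 0.25, "Low": 0.05}  # threat scale
RATING = {"High": 0.50, "Med": 0.25, "Low": 0.05}      # vulnerability scale


@dataclass(frozen=True)
class Exposure:
    """One threat/vulnerability pair assigned to an asset."""
    threat: str
    likelihood: str
    vulnerability: str
    rating: str


def risk_score(criticality: str, likelihood: str, rating: str) -> float:
    # ASSUMPTION: the post never states how its three scales combine.
    # criticality * (likelihood + rating) is used because it maps the page's
    # all-High / all-Med / all-Low triples onto 100, 25 and 1, inside its bands.
    return round(CRITICALITY[criticality] * (LIKELIHOOD[likelihood] + RATING[rating]), 2)


def risk_band(score: float) -> str:
    """Bands from the post: High 51-100, Med 11-50, Low 1-10."""
    return "High" if score >= 51 else "Med" if score >= 11 else "Low"


def assess(assets: dict[str, tuple[str, list[Exposure]]]) -> list[dict]:
    """Rank assets by their worst exposure, highest risk first.
    Using the worst pair as the asset's risk is also an assumption."""
    rows = []
    for name, (criticality, exposures) in assets.items():
        top, driver = max(((risk_score(criticality, e.likelihood, e.rating), e) for e in exposures),
                          key=lambda s: s[0])
        rows.append({"asset": name, "criticality": criticality, "score": top,
                     "band": risk_band(top), "driver": f"{driver.threat} / {driver.vulnerability}"})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample: threats and vulnerabilities come from the post's tables; the
# asset names and criticalities are assumed, since the post's asset table did not survive.
SAMPLE = {
    "Myself": ("High", [Exposure("Carelessness", "Med", "Lack of sleep on a regular basis", "High"),
                        Exposure("Sickness", "Low", "Lack of sleep on a regular basis", "High")]),
    "Immediate family": ("High", [Exposure("Robbery", "Low", "Family lacks martial arts training", "Med")]),
    "Career": ("High", [Exposure("Carelessness", "Med", "Not enough blogging", "Med")]),
    "Finances": ("Med", [Exposure("Robbery", "Low", "Mail not delivered to secure location", "Med")]),
}

if __name__ == "__main__":
    for r in assess(SAMPLE):
        print(f"{r['score']:>6}  {r['band']:<4}  {r['asset']:<17} <- {r['driver']}")
```

Running it prints the assets highest risk first, with the threat/vulnerability pair that drove each score, which is the ordering the controls later in the post are meant to follow.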
Why do a Risk Assessment?
So what does this tell you? Probably not much initially as most people already know that immediate family, career, and some type of financial asset are the most critical personal items. Also, no matter how the risk assessment is conducted “Myself” will almost always be the highest risk asset. This brings me to the point – Why do a Risk Assessment? Before answering that question let us assume I hired or obtained advice from different specialists for each asset listed above. Here is the advice I received.
Real-estate security specialist: Install an alarm on all doors and windows. Consider moving to a gated community with guard. Install cameras by doors and sensor lights at the edge of the property that light when visitors arrive.
Automotive security specialist: Install bullet proof glass, upgrade car alarm, and consider upgrading to a car with more air bags and higher crash test rating.
Career security specialist: Update your resume, write more security articles, write a book and consider starting your own business.
Personal security specialist: Continue martial arts training, consider taking yoga, and work less to reduce stress and make fewer mistakes.
Without performing a risk assessment I should move to a gated community, upgrade my car to a Volvo, start my own business, and take yoga in my free time. This sounds like a great deal of change and more risk than continuing my regular course of action. Seem familiar? Ever had an organization do an assessment and deliver thousands of vulnerabilities that need to be fixed? So what should be implemented, and in what order? Does every recommendation need to be implemented? Therein lies one point of a risk assessment.
Putting It All Together
A risk assessment will usually provide more strategic recommendations associated with the overall risk of each asset. Individual specialized reports may not be able to identify these issues because specialists are not able to analyze the entire situation. Therefore, as a result of this personal risk assessment, a sample of the controls that should have been recommended is provided below in order of priority.
Get at least 6 hours of sleep every night.
Get a PO box and have all important mail sent to this new address.
Enroll immediate family in martial arts training.
Perform regular maintenance on automobiles and ensure brakes are checked regularly.
Maintain current job, increase 401k holdings equal to company match.
The great thing about this being my personal security risk assessment is that I decide how much risk is acceptable. Therefore, I will try to sleep 6 hours a night, perform regular maintenance on my car, and maintain my current job while increasing my 401k holdings. On the other hand, I choose to accept the risk of personal mail delivery to my house, and unless my family really wants to, they probably won't enroll in martial arts training. Hopefully organizations will also have a good mind of their own and take the risk-based approach to security.