Massive Tornado & Boston Marathon Bombs Should Nudge Organizations to do More Security Risk Assessments

More tornado victims will be buried this week, including many children who died at their schools because the school district didn’t spend the extra $3000 to have a storm cellar or safe room available.

One month ago, we watched as victims of the Boston Marathon Bombings were buried.

Yesterday, we watched an Islamic Jihadist savagely kill a young British soldier with knives.

What other events do we have to witness before we start taking security assessments seriously?   How many more grieving parents do we have to watch crying on TV?  In my opinion, the casualties did not need to be so high, nor the aftermath so catastrophic.

If you group all these disasters together, you can see that at the root of each one is the feeling that “IT CAN’T HAPPEN HERE”…..    Britain, for example, has tolerated mosques preaching hate, thinking that nothing like the knife attack could happen in civilized London.

In Moore, Oklahoma, people thought, “we already had a major tornado, so IT CAN’T HAPPEN AGAIN”!  Well, surprise – it happened again.  While forecasters cannot dictate the exact path of a tornado, they can get close, and with just fifteen minutes advance warning, there is time to get everyone into storm cellars, safe rooms and underground shelters.  BUT IF THERE IS NO SHELTER AT A SCHOOL…….

Many obvious solutions, controls and safeguards were missed in these recent tragedies because proper, formal security risk assessments weren’t done effectively.  If they had been, perhaps the London police could have picked up someone who touted murder and hate.

If a risk assessment had been done in Moore, OK, maybe the high risk of a tornado would have prompted the schools to add the safe rooms they all needed.  In Boston, the older of the two bombers should already have been in jail for his participation in a previous murder – or at least actively monitored based on his Facebook postings.

The clues are all there, and, looking backwards, you can see the pieces that SHOULD HAVE BEEN ENOUGH TO PROMPT some kind of action to either:

1. Eliminate the threat, or

2. Reduce the severity of a potential threat in case it occurred.

Security risk assessments gather the numbers and the information organizations need to make better choices about how to protect people’s lives, facilities, and organizations.  I hope these events will prompt more Security Directors to take an objective and unbiased look at their own organizations, and the controls they have in place, before they end up on CNN!


Why DHS & FBI Need Google’s Help to Track Terrorists

The Boston Marathon bombings were bad enough.  The loss of life was terrible, but the runners and the family members who lost legs and feet because they wanted to give their Dad a hug at the finish line were even worse.

One week later, we all watch with trepidation as the first bomber is killed and the second captured bleeding in a boat in Watertown.

THE MOST TERRIBLE NEWS OF ALL IS THAT IT MIGHT HAVE BEEN PREVENTED!!  This is EXACTLY the situation that DHS was supposed to catch.  This is EXACTLY why the agencies were ORDERED to share information, and still these guys can tweet all they want, show violent Islamic videos on their web sites and call for Jihad and NOBODY NOTICES!!

This is made even more incomprehensible because the U.S. government was ALERTED BY THE RUSSIANS that one of them was DANGEROUS.

What do we need to do to get these agencies to start paying attention to these potential terrorists? DO WE NEED TO MAKE THEM WEAR A RED SHIRT?

If the IRS can keep track of every American and in 2 minutes call up their entire history of taxes, and the Department of Labor can calculate your benefit rates in less than 1 minute, and Social Security keeps track of all your information – why can’t DHS and the FBI keep a contact database current?

Why can’t they have a person who scans these web sites and Facebook sites for Jihadist pages and then cross-references them with the site’s owner?   Why can’t a trip to a violent region of the world trigger a PING, as I heard one congressman call it?

Every company in the world has a simple Contact database on its own customers and suppliers that gives it years of data.   WHY CAN’T WE BE PROTECTED FROM THESE TERRORISTS?

This one wasn’t hiding in the shadows – he was ON SOCIAL MEDIA!   He wasn’t locked up in a cabin – he was traveling internationally, and his brother was getting a scholarship.  And they did this FOR YEARS!!

This intelligence failure is just exactly like 9/11 all over again.  These agencies are so procedural that they cannot connect the dots.  Ok – they’re human. But we have super computers that CAN connect the dots and do profiles and create alerts…

Maybe we should call Google and get some help.  We obviously need it.

The Effect of the Sequester on Security Budgets

Every time the TV is on, every anchor is crying about the dreaded Sequester.

Will it have an impact on security budgets?  I have seen security budgets, especially for the facilities security departments, swing from almost unlimited budgets after 2001, to bare bones in 2009 and 2010, and thought they were trending back up for 2013.

Now, with the uncertainty about what a Sequester  actually is, (please note my use of the capital “S”), how will it affect our security departments?

Obviously, the first casualties are the government contractors whose contracts may be arbitrarily cut, and the civilian managers of federal programs who will see lost days and furloughs.

The trickle-down effect will probably extend to state, county and municipal governments, too.   So that means it’s even more important to start budgeting new security controls so that the most important get the funding!

One of the themes we go over in our webinar programs is how important it is to create a COST JUSTIFICATION and Return on Investment information so that you can create a business case for every control you need to improve security.

And one more thought on the Sequester – we often see an increase in crime, white collar crime and fraud when things are unsettled and people aren’t sure what’s going to happen next.

Maybe it’s a good time to do another risk assessment?  Maybe the Sequester is the next new Threat!


How to Plan for a Rare Threat or Weather Event

Whether it’s a crime, a meteor shower, a dam breach or a major hack attack, how can security directors, managers (and even individuals) plan for the extremely rare threat event?

Even with the challenges of global warming and changing patterns in society, and, apparently, in space, it’s still possible to anticipate and prepare for the outlier events.

You start with the known elements.  For example, lately some residential developers have been building in established flood plains because, hey, there hasn’t been a flood in over 50 years.  But there are 100-year flood plains, 50-year flood plains and 200-year flood plains.  If your home, or facility, is located in a 50-year flood plain, and it’s been 48 years since the last flood, you can correctly infer that in the next five years you have an increased flood risk!

How do you find out about flood risk?  If you live in the USA, you can go to www.floodsmart.gov, put in your zip code, and find out whether or not you are located in a flood plain or flood-prone area.  If you find out that you are, then you can add some additional preparation to make sure this threat is not going to materialize, or if it does, you’re ready!

Another example: if your house or facility is in a high-risk flood area, that means there is a 1 in 4 chance (a 25% chance) that the property will experience a flood during the next 30 years.

If we look at the chance of being hit by a meteor shower, we might find that a meteor hits the earth, with an impact, once every hundred years.   So we take that 1 in 100 number and factor in the global surface, say dividing it into 50 regions.  That reduces the 1 in 100 number down to a much smaller number, maybe one in 100,000.

While the rare events are shocking when they occur, you can plan for them by analyzing your risk and putting in the proper controls, so that if or when it happens, you’re ready and can continue to operate with minimal disruption!
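The flood-plain and meteor arithmetic above follows one model: an “N-year” event has a 1-in-N chance in any given year, and the chance of seeing at least one such event over a planning horizon comes from treating each year as an independent draw. The following Python is an added example written for this post, not code from the original post or from RiskWatch; the flood plains, the 50-region split and every other figure in it are constructed to match the numbers discussed above, not real hazard data.

```python
# Added example, not part of the original post: working out how likely a
# rare event is over a planning horizon from its yearly chance, using the
# independent-years model behind "N-year" flood plain designations.
# All figures below are constructed for illustration.

def annual_probability(return_period_years: float) -> float:
    """An 'N-year' event has a 1-in-N chance of occurring in any given year."""
    if return_period_years <= 0:
        raise ValueError("return period must be positive")
    return 1.0 / return_period_years


def probability_within(annual_p: float, horizon_years: int) -> float:
    """Chance of at least one event in horizon_years, treating each year as
    an independent draw: P(at least one) = 1 - (1 - p) ** years."""
    if not 0.0 <= annual_p <= 1.0:
        raise ValueError("annual probability must lie in [0, 1]")
    if horizon_years < 0:
        raise ValueError("horizon must be non-negative")
    return 1.0 - (1.0 - annual_p) ** horizon_years


def regional_annual_probability(global_annual_p: float, regions: int) -> float:
    """Share of a global yearly rate that falls on one of `regions` equal-sized
    regions (assumes impacts are spread uniformly over the surface)."""
    if regions <= 0:
        raise ValueError("regions must be positive")
    return global_annual_p / regions


def horizon_table(return_period_years: float, horizons=(1, 5, 10, 30)) -> dict:
    """Probability of at least one event for each horizon, as a percentage
    rounded to one decimal place."""
    p = annual_probability(return_period_years)
    return {years: round(100 * probability_within(p, years), 1) for years in horizons}


if __name__ == "__main__":
    # Constructed cases: the flood plains mentioned above and a once-per-century
    # global meteor impact split over 50 equal regions.
    for plain in (50, 100, 200):
        print(f"{plain}-year flood plain: {horizon_table(plain)}")
    meteor_global = annual_probability(100)
    meteor_local = regional_annual_probability(meteor_global, 50)
    print(f"meteor impact, one of 50 regions: 1 in {round(1 / meteor_local)} per year")
```

Running it shows where the “1 in 4 chance over 30 years” figure comes from: a 100-year flood plain has a 1% yearly chance, and 1 − 0.99^30 is about 26%. Two caveats a practitioner should carry into a risk assessment: the independent-years model returns the same five-year figure no matter how long it has been since the last flood, so if local history or a changed climate suggests the plain’s designation is out of date, adjust the annual probability itself; and the uniform 50-region split gives 1 in 5,000 per region, so reaching a figure as low as 1 in 100,000 means using a much smaller share of the surface, such as the footprint of a single facility.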

We’re analyzing and examining  over 65 threats in the next 12 months, so subscribe to the blog and collect all the latest threat information.

Adding a New and Real Threat – Meteor Shower Damage

After the meteor showers over Siberia this week, Russia put together a financial analysis of the damage:

1200 injured by flying glass
$33,000,000 in damage
4,000 building damaged
50 Acres of windows shattered

In the last twenty-five years, as the rate of climate change has increased, we have added new threats like Tsunami and ash pollution (from Subic Bay in the Philippines).

Now meteor showers have actually come to cause damage to companies so they are another factor to be included in risk assessments.

In evaluating threats for a risk assessment, many in the northeast would always tell me, “take out earthquakes, we don’t have earthquakes in Virginia, Maryland, and Ohio.”  That changed in 2011 when the Mineral, Virginia earthquake hit during a mid-week business day.

RICHMOND, VA (WWBT) – Aug. 24, 2011.  There was an earthquake in Central Virginia that measured 5.8 on the Richter scale centered about 5 miles south of Mineral in Louisa, depth 3.7 miles at about 1:51 p.m. The quake was centered at 38°N, 78°W.

The U.S. Geological Survey said the earthquake was centered about 38 miles northwest of Richmond, Va., about 84 miles southwest of Washington, D.C., and was felt as far north as Rhode Island and New York City. See a map of the quake from Chuck Bailey, professor of geology at the College of William and Mary.

Hospitals, government offices, dams and power generating plants, including nuclear plants, were forced to suddenly reevaluate the long-held idea that earthquakes just didn’t happen in the NorthEast.

The threat from meteor damage is the same idea.  It never happened before, but now it has happened again, if you count Tunguska as the first time.

Damage from meteor showers will now add a new category to the Threat index, even though this was the first event in my lifetime, once analysts factor in the previously known instances, such as the Tunguska Meteor Event.  Unlike the meteor event in the Yucatan peninsula that killed off the dinosaurs thousands of years ago, Tunguska occurred in 1908!   Almost in this century.

Over the next month, we’ll be looking at each different threat every week.  Sign up for my blog or access by following me on twitter at www.twitter.com/riskalert.


Chemical Weapons – the True December 21st Potential Disaster

Maybe the Mayan Calendar has forecast a deadly chemical attack that would poison the world, not a pole shift after all.

Know much about chemical weapons?  They are semi-easily dispersed.  They can decimate a population in the time it takes a plane to fly overhead.  They bring a gruesome death.

The U.S. actually keeps track of all chemical weapons – and biologic weapons, too.  Did you know that inspectors all over the world fan out when a nation state fails (and sometimes before) and can tell you exactly what it is and where it is kept?

My friends in this business have traveled all over the former Soviet Union, counting the anthrax vials in a deserted laboratory in the middle of a forest, for example, and making careful notes, not just on the location of the now-deserted laboratory, but also checking the state of security for those sites.

Is the facility secured? Is there a guard service?  Are there card access or cypher locks on the doors?  Are the windows locked and secured?  Is there access from the roof?

Is there a tree too close to the roof that could be used for access?

All these plans and assessments can be hauled out at times like these, helping to keep the world safe from chemical and biological weapons.  At least, that’s what we are all hoping, and counting on.

Happy Saturday!!

Threat Modeling is the Exciting, Sexy Part of Risk Assessment

As a risk assessment professional, when I get into a risk discussion, most security people want to talk about THREAT!  Threat is the most sexy and exciting part of doing a risk assessment.

Threats are exciting all by themselves.  Think about all the threats you can name:

All the natural disasters like Earthquakes, Tornadoes, Storms, Hurricanes, Tsunamis, Lightning, Floods

Crimes like Homicide, Assault, Rape, Burglary, Theft, Kidnapping, Blackmail, Extortion

Terrorism like Sabotage, Explosions, Mail Bombs, Suicide Bombs

All the IT Threats like Malicious Code, Disclosure, Data Breaches, Theft of Data

And about 50 more including Chem/Bio incidents, Magnetic waves, High Energy Bursts, Microbursts, Contamination and Reputation Damage.

Each of these threats could theoretically occur at any time, but we try to establish a pattern of how often they have occurred in the past, in this location, in this county, in this country, in the company, etc.   So NASA, for example, gets thousands of hacker attacks, while another organization, like the local Salvation Army, gets one every 10 years.

The same model applies to natural disasters.  Although you might have to factor in climate change, it’s easy to get the threat incidents for hurricanes in Florida, snow storms in Cleveland, earthquakes in northern California, etc.

We also like to examine industry specific data to see if some threats are higher in a certain industry, like the high incidence of workplace violence incidents in hospitals and high risk retail establishments (like Wawa or 7-11).

Another factor we use in calculating threat likelihood is how the threat could actually affect different types of assets…. for example, would an earthquake damage a car?  Probably not.  Would it cause damage to an old historical building?  Probably (unless it had been retrofitted).  Could it cause loss of life, or injuries?  Think Haiti.

So I use a multidimensional model that takes the threats list (I have a standard list of 75 threats that I use) and maps it to each potential loss, based on the ‘asset’ that might be affected.

The more data you get, the better your model will be, and the more value it will have as a decision support tool!
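To make the threat-by-asset model concrete, here is an added example written for this post; it is not the author’s model or any RiskWatch code. It scores every (threat, asset) pair by multiplying how often the threat occurs at this location (from the incident history the text describes) by the asset’s value and by the fraction of that value the threat would take, and it ranks the pairs by expected annual loss. The three threats, three assets, rates and exposure fractions are constructed samples, chosen so the earthquake-versus-car and earthquake-versus-historic-building cases from above come out as the text says.

```python
# Added example, not code from the original post: a small threat-by-asset
# model of the kind described above. For every (threat, asset) pair it
# multiplies how often the threat occurs here (rate per year) by the value
# of the asset and by how much of that value the threat would take. The
# threats, assets, rates and exposure fractions are constructed samples.

from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    annual_rate: float  # incidents per year at this location, from history


@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # dollar value at risk


# Constructed sample data (not real incident statistics).
SAMPLE_THREATS = (
    Threat("Earthquake", 0.02),       # about one every 50 years
    Threat("Malicious code", 2.0),    # two incidents a year
    Threat("Burglary", 0.2),          # one every five years
)

SAMPLE_ASSETS = (
    Asset("Historic building", 5_000_000),
    Asset("Company car", 30_000),
    Asset("Customer database", 1_000_000),
)

# Fraction of the asset's value lost when the threat strikes. A pair that is
# absent counts as 0: the threat cannot affect that asset (an earthquake
# does not damage a car, malware does not damage a building).
SAMPLE_EXPOSURE = {
    ("Earthquake", "Historic building"): 0.40,  # unretrofitted masonry
    ("Burglary", "Historic building"): 0.01,
    ("Burglary", "Company car"): 0.10,
    ("Malicious code", "Customer database"): 0.30,
}


def annual_loss(threat: Threat, asset: Asset, exposure: dict) -> float:
    """Expected yearly loss for one threat/asset pair, rounded to cents."""
    fraction = exposure.get((threat.name, asset.name), 0.0)
    return round(threat.annual_rate * asset.value * fraction, 2)


def loss_matrix(threats=SAMPLE_THREATS, assets=SAMPLE_ASSETS, exposure=SAMPLE_EXPOSURE) -> dict:
    """Nested dict: matrix[threat][asset] -> expected annual loss."""
    return {
        t.name: {a.name: annual_loss(t, a, exposure) for a in assets}
        for t in threats
    }


def ranked_pairs(threats=SAMPLE_THREATS, assets=SAMPLE_ASSETS, exposure=SAMPLE_EXPOSURE) -> list:
    """(threat, asset, loss) triples with non-zero loss, largest first."""
    pairs = [
        (t.name, a.name, annual_loss(t, a, exposure))
        for t in threats for a in assets
    ]
    return sorted((p for p in pairs if p[2] > 0), key=lambda p: p[2], reverse=True)


def total_annual_loss(threats=SAMPLE_THREATS, assets=SAMPLE_ASSETS, exposure=SAMPLE_EXPOSURE) -> float:
    """Sum over all pairs: the figure a control budget is measured against."""
    return round(sum(p[2] for p in ranked_pairs(threats, assets, exposure)), 2)


if __name__ == "__main__":
    for threat, asset, loss in ranked_pairs():
        print(f"{threat:15} -> {asset:18} ${loss:>12,.2f}")
    print(f"total expected annual loss: ${total_annual_loss():,.2f}")
```

The ranking is where the decision support comes from: with these sample numbers the malware-against-database pair dominates, the earthquake-against-building pair is second despite its once-in-50-years rate, and the earthquake-against-car pair scores zero because the exposure table says the threat cannot touch that asset. Replacing the constructed rates with the location’s own incident history, and the exposure fractions with what a retrofit or other control leaves exposed, turns the same code into the before-and-after comparison a cost justification needs.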


What’s the Risk of Backing Newt Gingrich?

Hundreds of the shakers and movers in the Republican party AND the Democratic party are doing their risk assessments this week on who to openly support, and doing the risk calculation on whether it is better to wait and see what emerges, or make their comments/endorsements now and worry about the fall out later!

Here is the kind of risk model for politics that people use, often unconsciously, to make those decisions.  Political risk is especially tricky because there are 2 stakeholders to consider:

1. what’s good for ME personally
2. what’s good for THE PARTY, DISTRICT, or COUNTRY.

Here’s a list of threats that politicians worry about in a situation like this:

1. Lose my current position
2. Lose my Power in the Party/Coalition/Media
3. Lose campaign contributions
4. Lose voters
5. Lose tea party support
6. Lose respect from peers
7. Lose future election
8. Lose income
9. Look wrong in the media
10. Create bad sound bite
11. Face Reprisals Later from Establishment
12. Lose Media Support (however it exists).

More tomorrow on how to value the assets of an ongoing campaign.

Webinar Looks at New OSHA Workplace Violence Directive

Workplace violence incidents have been on the rise in several specific organizations, including hospitals, home health organizations, social workers who do in-home visits, and also late-night retail stores.

On September 8, 2011, OSHA suddenly released their internal Directive on what their OSHA investigators look for when they go to an organization to investigate a Workplace Violence incident.

Whether the incident involves domestic violence, like when a husband shoots his wife at work, or patient violence against the Emergency Room nurses, it is a big problem that has increased over the last 8 years.

We have set up a special no-cost webinar to review the new directive and see what it means for employers. Join us to look at how to protect your organization and make sure your staff, and patients stay safe.

OSHA Starts New Enforcement Initiative for Workplace Violence Issues

On September 8, OSHA issued a new directive about enforcement activity on workplace violence issues.  This directive (CPL 02-01-052) took effect on Sept. 8, 2011 and is called Enforcement Procedures for Investigating or Inspecting Workplace Violence Incidents.  It details new procedures for the OSHA inspectors, but it is also a valuable document to show employers what they can expect.

The directive follows the shocking news that in 2010, 18% of workplace fatalities were caused by assaults and violent acts, while only 14% were caused by falls, according to the Bureau of Labor Statistics.

Workplace violence incidents are even higher in the hospital and healthcare industries.

The new inspection directive shows how OSHA inspectors are going to look at employers to see whether they have performed a workplace violence analysis.  These assessments follow the security risk assessment model and should take into account the threat level at the organization, the history of incidents and examination of trends, and whether ‘accepted’ controls have been implemented at the place of employment.

Some of the ‘accepted controls’ they will be examining include:

  • Having a recent workplace violence analysis
  • Having a formal workplace violence training program in place
  • Showing the employer had incident reports to identify possible threat levels
  • Methods the employer used to inform employees of the risk of workplace violence
  • Evidence the employer has a workplace violence prevention plan in place
  • Evidence the employer has a current security plan
  • There are also a set of recommended physical controls that include proper lighting, cameras, curved mirrors, etc.

For more information, or a copy of the document, email info@riskwatch.com.