Security Principles and Practice


Questions and Answers

In assessing the indirect costs of security, which of the following is the most difficult to quantify?

  • Harm to reputation (correct)
  • Loss of employees
  • Harm to employee morale
  • Loss of goodwill

Which of the following is NOT typically a direct participant in a vulnerability assessment team?

  • Chief Marketing Officer (correct)
  • Data analyst
  • Security systems engineer
  • Security specialist (leader)

The primary objective of a vulnerability assessment is to:

  • Reduce the cost of security personnel.
  • Ensure compliance with industry regulations.
  • Implement the latest security technologies.
  • Identify and assess physical protection system components against specific threats. (correct)

What is the correct order of primary functions in a physical protection system (PPS)?

  • Detection, Delay, Response (A) (correct)

What are the two key measurements for the effectiveness of the detection function of a physical protection system (PPS)?

  • Probability of sensing adversary action; time required for reporting and assessing the alarm. (D) (correct)

The efficiency of the response function in a physical protection system (PPS) is best measured by:

  • The time elapsed between the communication of adversary action and its interruption. (B) (correct)

A vulnerability assessment team's primary task related to a physical protection system (PPS) relies on:

  • Determining security system effectiveness. (C) (correct)

When undertaking a risk assessment, which of the following represents the two fundamental analytical approaches one can employ?

  • Compliance based and Performance based (B) (correct)

What does 'V' represent in the residual risk formula $R = T \times A \times V$?

  • Vulnerability (C) (correct)

Which of the following is NOT a characteristic of a well-engineered physical protection system (PPS)?

  • Dynamic Adaptation (A) (correct)

Which of the following factors is LEAST likely to be considered as a contributor to the cost of replacement for a security system component?

  • Marketing and advertising expenses for the original product (D) (correct)

A company has $500,000 available for investment, with an annual rate of return of 8%. If a security breach prevents the company from accessing these funds for 30 days, what is the lost income cost? Use the formula $I = i/365 \times P \times t$.

  • $3,287.67 (C) (correct)

What insurance-related values are required to calculate the total cost of loss (K) relating to a security event? $K = (C_p + C_t + C_r + C_i) - (I - a)$

  • Cost of permanent replacement; Cost of temporary substitute (C) (correct)

Within a systems approach to developing a physical protection system (PPS), what is the logical sequence of actions?

  • Assessment of Vulnerability, Implementation of Countermeasures, Evaluation of Effectiveness (B) (correct)

What should a risk assessment determine regarding the likelihood of an event?

  • What is the probability that something will go wrong? (A) (correct)

What factors should risk management address when analyzing potential options available?

  • The tradeoffs in terms of costs, benefits, and risks (D) (correct)

In the context of security, the term "design-basis threat" refers to:

  • The most credible adversary against which a utility must be protected. (A) (correct)

What are the general measures used when valuing assets?

  • Cost, Consequence Criteria, Policy (D) (correct)

What function is typically included within assets protection but NOT within security?

  • Risk management (A) (correct)

What concept is assets protection most commonly based upon?

  • Risk management. (D) (correct)

An IT company decides to address a potential data breach. If they transfer all risk to a cyber-insurance provider, which risk management avenue are they taking?

  • Transfer (A) (correct)

Within the 5 D's of security, which approach involves placing obstacles in the path of a would-be intruder?

  • Delay (D) (correct)

In the telecommunications sector, assets protection encompasses:

  • Information security, network/computer security, fraud prevention, and physical security. (B) (correct)

Which of the following is NOT one of the five forces shaping asset protection globally?

  • Economic recessions (D) (correct)

Davidow and Malone consider what of the new global economy to be of greatest importance?

  • The virtual product (A) (correct)

Which of the following is NOT one of the managerial dimensions of asset protection?

  • Financial forecasting (D) (correct)

What are the two general types of insurance?

  • Property and Liability (B) (correct)

A business has a fire, and the building cannot be used until it is repaired and passes inspection. Which of the following classifications of loss in insurance policies would cover the time it could not be occupied?

  • Loss of use (D) (correct)

Which of the following options is a coverage in a crime insurance policy?

  • Employee dishonesty bond (C) (correct)

A business owner wants to get insurance to cover any losses incurred if operations are interrupted. Which type of valuation method should they use in their policy?

  • Actual loss sustained (A) (correct)

In Pastor's public/private, substitute/supplement model of policing, which scenario is considered the rarest?

  • Public/Substitute (D) (correct)

Which of the following is NOT a contributing factor to the growth of private policing?

  • Decreasing trust in public police forces (C) (correct)

What is the most effective arrangement that can occur between police and private security?

  • Institutionalized coordination (A) (correct)

What was the objective of the Hallcrest reports?

  • To compare the U.S. security industry to public law enforcement quantitatively. (D) (correct)

What is the most significant distinction made between public and private policing?

  • Cost (D) (correct)

Primarily, which costs account for public policing being more expensive than private security?

  • Police officer salaries and benefits (B) (correct)

Which factor is NOT one of the explanations for cost savings when using private security instead of public police?

  • Stricter federal regulations. (C) (correct)

According to Carlson, what is one of the key differences between private police and public?

  • Police have limited power of arrest (B) (correct)

In comparing public versus private organizations, which aspect is the most important?

  • Government structure/corporate structure (C) (correct)

The addition of private security is very common in what public environment?

  • Business improvement districts (B) (correct)

What component is very influential for alternative security providers in the future?

  • Order maintenance operations. (B) (correct)

What constitutes the most effective training to provide to security officers?

  • Training curriculum focused on the role's specific duties (D) (correct)

Which type represents the largest group of security consultants?

  • Security management consultants (A) (correct)

What can best serve to find a security consultant?

  • Professional organizations (D) (correct)

How should a consultant receive assistance for travel?

  • Equivalent to the client's senior management (B) (correct)

When contracting a security consultant, what individual will be assigned as a direct point of contact/project coordinator?

  • The CSO (B) (correct)

Which of the following is the emerging trend in consultant fees?

  • Project-based pricing (D) (correct)

In all industries, what workers are most likely to commit theft?

  • The employee's perceived chance of being detected. (C) (correct)

An organizational resilience management policy should primarily show management's commitment to what?

  • Legal requirements, prevention, preparedness, and improvement (A) (correct)

ASIS's Organizational Resilience standard is most closely aligned with and influenced by which ISO standards?

  • ISO 9000, ISO 14001, ISO 27001, ISO 28000 (D) (correct)

Flashcards

Indirect Costs of Security

Harm to reputation, loss of goodwill, loss of employees, and harm to employee morale.

Vulnerability Assessment Team Members

Security specialist, systems engineer, response expert, data analyst, operations representatives, and SMEs.

Goal of Vulnerability Assessment

Identify PPS components in detection, delay and response areas and gather data to estimate performance levels against certain threats.

Primary Functions of Physical Protection (PPS)

Detection, delay, and response.

Measurements for Detection Effectiveness

Measured by the probability of sensing adversary action, and the time required for reporting and assessing the alarm.

Measurement of PPS Response Function

Time between receipt of a communication of adversary action and interruption of the adversary action.

Primary job of vulnerability assessment team

To determine security system effectiveness.

Basic analytical approaches to risk assessment

Compliance based and Performance based.

Formula for residual risk

R = T x A x V, where R=residual risk, T=threat, A=asset, V=vulnerability.

Characteristics of a Well-Engineered PPS

Protection in depth, minimum consequence of component failure, balanced protection.

Contributors to Cost of Replacement

Purchase price / manufacturing cost, freight / shipping charges, make-ready / preparation cost.

Formula for Lost Income Cost

I = i/365 x P x t, where I=income earned, i=annual rate, P=principal, t=time.

Cost of Loss Formula

K = (Cp + Ct + Cr + Ci) – (I-a), where K=total cost of loss.

Elements of a Systems Approach to PPS

Assessment of vulnerability, implementation of countermeasures, and evaluation of effectiveness.

Questions Answered by Risk Assessment

What can go wrong? What is the likelihood? What are the consequences?

Questions Answered by Risk Management

What can be done? Available options? Associated tradeoffs? Impacts of decisions?

Design-Basis Threat

The adversary against which the utility must be protected.

General Measures of Valuing Assets

Cost, consequence criteria, and policy.

Assets Protection

Includes security functions, investigations, risk management, safety, compliance, and emergency management.

Assets protection is increasingly based on what principle?

Risk management.

Avenues of Addressing Risk

Avoidance, transfer, spreading, reduction, acceptance.

The Five D's of Security

Deter, deny, detect, delay, destroy.

Assets Protection Areas in the Telecommunications Sector

Information security, network/computer security, fraud prevention, and physical security.

Forces Shaping Assets Protection Globally

Technology and touch, Globalization in business, Standards and regulation, Convergence of security solutions, Homeland security issues.

Centerpiece of the New Global Economy

The virtual product, where major business functions are outsourced.

Managerial Dimensions of Assets Protection

Technical expertise, management ability, ability to deal with people.

General Types of Insurance

Property and liability.

Classifications of Loss in Insurance Policies

Direct loss, loss of use, extra-expense loss.

Basic Coverages of a Crime Insurance Policy

Employee dishonesty bond, Money and securities coverage inside/outside the premises, money order / counterfeit coverage, forgery coverage.

Valuation Methods for Business Interruption Insurance

Actual loss sustained, and valued loss.

Rarest Scenario in Pastor's Policing Model

Public/Substitute.

Factors Driving Growth of Private Policing

Economic and operational issues, fear of crime & violence, order maintenance.

Optimal Relationship Between Police and Private Security

Institutionalized coordination and cooperation through structural and contractual relationships.

Purpose of the Hallcrest Reports

To compare the U.S. security industry to public law enforcement quantitatively.

Significant Distinction Between Public and Private

Cost.

Public Policing Main Cost Drivers

Police officer salaries and benefits, 911 calls, alarm response, alternative services.

Explanations for Cost Savings of Private Security

More flexible labor, richer incentives/penalties, precise accountability, less constraint/more focus.

Carlson's Categories of Distinction

Philosophical, legal, financial, operational, security/political.

Most Important Distinction Between Public and Private

The delivery system (government versus corporations).

Where does private security supplement public?

Business Improvement Districts (BIDs).

Study Notes

Indirect Costs of Security

  • Indirect costs of security include: harm to reputation, loss of goodwill, loss of employees, and harm to employee morale.

Vulnerability Assessment Team Members

  • A vulnerability assessment team should include a security specialist (as the leader).
  • The team should also have a security systems engineer.
  • A response expert is another component of the team.
  • The team should also include a data analyst.
  • Operations representatives are important members.
  • Subject matter experts like locksmiths, technical writers, and legal experts should be included.

Goal of a Vulnerability Assessment

  • The goal is to identify physical protection system (PPS) components in functional areas, such as detection, delay, and response.
  • Another goal is to gather data to estimate PPS performance against particular threats.

Primary Functions of a Physical Protection System (PPS)

  • The three primary functions are detection, delay, and response.

Key Measurements for Detection Function Effectiveness

  • Probability of sensing adversary action.
  • Time required for reporting and assessing an alarm.

Measuring the Response Function of a PPS

  • The response function of a PPS is measured by the time between the receipt of a communication of adversary action and the interruption of the adversary action.

Primary Job of a Vulnerability Assessment Team Pertaining to a PPS

  • It is to determine security system effectiveness.

Basic Analytical Approaches to a Risk Assessment

  • Compliance based.
  • Performance based.

Formula for Residual Risk

  • R = T x A x V, where:
    • R = residual risk
    • T = threat
    • A = asset to be protected
    • V = vulnerability

Characteristics of a Well-Engineered Physical Protection System (PPS)

  • Exhibits protection in depth.
  • Exhibits minimum consequence of component failure, achieved through redundancy.
  • Exhibits balanced protection.

Contributors to Cost of Replacement

  • Purchase price or manufacturing cost.
  • Freight and shipping charges.
  • Make-ready or preparation cost to install it or make it functional.

Formula for Lost Income Cost

  • I = i/365 x P x t, where:
    • I = income earned
    • i = annual percent rate of return
    • P = principal amount (in dollars) available for investment
    • t = time (in days) during which P is available for investment

Cost of Loss Formula

  • K = (Cp + Ct + Cr + Ci) – (I-a)
    • K = criticality, total cost of loss
    • Cp = cost of permanent replacement
    • Ct = cost of temporary substitute
    • Cr = total related costs
    • Ci = lost income cost
    • I = available insurance or indemnity
    • a = allocable insurance premium amount

Elements of a Systems Approach to Developing a Physical Protection System (PPS)

  • Assessment of vulnerability.
  • Implementation of countermeasures.
  • Evaluation of effectiveness.

Questions a Risk Assessment Attempts to Answer

  • What can go wrong?
  • What is the likelihood it would go wrong?
  • What are the consequences?

Questions Risk Management Attempts to Answer

  • What can be done?
  • What options are available?
  • What are the associated tradeoffs in terms of costs, benefits, and risks?
  • What are the impacts of current management decisions on future options?

Design-Basis Threat

  • The adversary against which the utility must be protected.
  • It is used to help design and evaluate a physical protection system (PPS).

General Measures of Valuing Assets

  • Cost.
  • Consequence criteria.
  • Policy.

Difference Between Assets Protection and Security

  • Assets protection includes all security functions, investigations, risk management, safety, compliance, and emergency management.

Principle Assets Protection is Increasingly Based On

  • Risk management.

Avenues of Addressing Risk

  • Avoidance.
  • Transfer.
  • Spreading.
  • Reduction.
  • Acceptance.

The Five Ds of Security

  • Deter.
  • Deny.
  • Detect.
  • Delay.
  • Destroy.

Areas Assets Protection Covers in the Telecommunications Sector

  • Information security.
  • Network/computer security.
  • Fraud prevention.
  • Physical security.

Forces Shaping Assets Protection Globally

  • Technology and touch.
  • Globalization in business.
  • Standards and regulation.
  • Convergence of security solutions.
  • Homeland security and the international security environment.

Centerpiece of the New Global Economy, According to Davidow and Malone

  • The virtual product, where major business functions are outsourced with hardly any internal departmentalization.

Managerial Dimensions of Assets Protection

  • Technical expertise.
  • Management ability.
  • Ability to deal with people.

General Types of Insurance

  • Property.
  • Liability.

Classifications of Loss in Insurance Policies

  • Direct loss.
  • Loss of use.
  • Extra-expense loss (e.g. cost of defending a liability suit or paying a judgment).

Basic Coverages of a Crime Insurance Policy

  • Employee dishonesty bond.
  • Money and securities coverage inside the premises.
  • Money and securities coverage outside the premises.
  • Money order and counterfeit paper currency coverage.
  • Depositors' forgery coverage.

Types of Valuation Methods for Insurance Against Business Interruption

  • Actual loss sustained.
  • Valued loss.

Rarest Scenario in Pastor's Public/Private Policing Model

  • Public/Substitute.

Factors Driving the Growth of Private Policing

  • Economic and operational issues.
  • Fear of crime and violence.
  • Order maintenance.

Optimal Relationship Between Police and Private Security

  • Institutionalized coordination and cooperation through structural and contractual relationships.

Purpose of the Hallcrest Reports

  • It was to compare the U.S. security industry to public law enforcement quantitatively.

Most Significant Distinction Between Public and Private Policing

  • Cost.

Main Costs that Make Public Policing More Expensive than Private Security

  • Police officer salaries and benefits.
  • 911 calls.
  • Alarm response.
  • Alternative services such as traffic control.

Explanations for Cost Savings When Using Private Security Versus Public Police

  • More flexible labor.
  • Richer incentives and penalties.
  • More precise allocation of accountability.
  • Less constraint on process, more focus on results.

Categories of Distinction Between Public and Private Policing, Identified by Carlson

  • Philosophical (public police have more moral authority).
  • Legal (private police have limited power of arrest).
  • Financial (private police cost less).
  • Operational (private police are more flexible).
  • Security/political (private police give citizens more control over their safety by augmenting public police efforts).

Most Important Distinction Between Public and Private Police

  • The delivery system (government versus corporations).

Where Private Security Supplements Police in a Public Environment

  • Business improvement districts.

Key Component for Alternative Security Providers in the Future

  • Order maintenance operations.

Best Practice for Security Officer Training

  • Develop a training curriculum that focuses on the particular role or function to be performed.

Types of Security Consultants

  • Security management consultants (largest group).
  • Technical security consultants.
  • Forensic security consultants.

Best Sources for Finding Security Consultants

  • Colleagues.
  • Security associations.
  • Industry-specific associations.

Travel Allowances for a Consultant

  • The same as those given to members of the client's senior management.

Typical Assignment for a Company's Project Coordinator for a Security Consultant

  • Typically, the CSO or vice president of security.

Emerging Trend in Consultant Fees

  • Project-based pricing rather than hourly fees.

Most Consistent Predictors of Theft in All Industries

  • Employee's access to property.
  • Perceived chances of being detected.

Issues that Reflect Senior Management's Commitment to Organizational Resilience

  • Compliance with legal requirements.
  • Prevention, preparedness, and mitigation of disruptive incidents.
  • Continual improvement.

ISO Standards Aligned with ASIS's Organizational Resilience Standard

  • ISO 9000.
  • ISO 14001.
  • ISO 27001.
  • ISO 28000.

Experience Required for a CSO Applicant, According to ASIS's CSO Standard

  • Three to five years of direct experience at a senior level.

Workers Most Likely to Steal Electronics Components in Manufacturing Environments

  • Engineers.

Surety Bond

  • Insurance that protects an organization if there is a failure to perform specific tasks within a certain time period.

Turnover Costs as a Percentage of Security Officer's Salary

  • 25 percent or more.

Key Skills of a CSO

  • Relationship leader.
  • Executive leader.
  • Subject matter expert.
  • Governance team leader.
  • Risk executive.
  • Strategist.
  • Creative problem solver.

Factors Leading to Fraud, According to Donald Cressey

  • Perceived non-sharable financial problem.
  • Perceived opportunity for a trust violation.
  • Series of rationalizations to justify behavior.

Edwin Sutherland's Theory of Crime

  • Criminal behavior is most often correlated with a person's association with a criminal environment.

Characteristics a Loss Event Must Have Before Security Countermeasures Can Be Planned

  • A measurable loss.
  • A loss that did not result from speculative risk.

Formula for Loss Event Probability

  • P = f/n, where:
    • P = the probability that a given event will occur
    • f = the number of actual occurrences of that event
    • n = the total number of experiments seeking that event

First Step in a Qualitative General Security Risk Assessment

  • Understand the organization.

Useful Categories for Security Data Analysis

  • Claims avoided.
  • Proofs of loss.
  • Recovered physical assets.
  • Uninsured claims or causes of action.

Incidents an Asset Protection Program Should Consider

  • Major incidents and events.
  • Incidental cost avoidances and asset or value recoveries that occur in the course of operations.

Percentage of Business Failures Resulting from Employee Theft

  • The U.S. Chamber of Commerce estimates that 30 percent of business failures result from employee theft.

Percentage of Revenues U.S. Businesses Lose to Fraud

  • U.S. organizations lose 6 percent of their annual revenues to fraud.

Comparison of Employee Theft to Shoplifting in the Retail Industry

  • Employees steal 15 times as much as shoplifters.

Employee Theft "Tax" in Food Service

  • Employee theft in food service is equal to a 4 percent tax.

Items Most Frequently Stolen by Employees

  • Time.
  • Finished goods.
  • Scrap and waste.
  • Intellectual property.

Hypotheses Clark and Hollinger Put Forth to Explain Employee Theft

  • External economic pressures.
  • Youth.
  • Opportunity.
  • Job dissatisfaction.
  • Social control.

Fraction of Employees Admitting to Stealing, According to Clark and Hollinger

  • One-third of employees reported stealing from their employer.

Who Commits Most Workplace Property Theft?

  • Employees with the greatest access to the property and least perceived chance of detection.

Who Commits Most Theft in Hospitals?

  • Nurses.

Most Consistent Predictor of Theft in All Industries

  • The employee's perceived chance of being detected.

Factors Present in Every Fraud, According to Joseph Wells

  • Financial pressure.
  • Opportunity.
  • Justification.

"Lapping"

  • Pocketing small amounts from incoming invoice payments and then applying subsequent payments to cover the missing cash from the previous invoice, and so on.

"Shun" that Does the Victim Most Good

  • Restitution.

Factors Linked to Greatest Levels of Fear, According to Lewis and Maxwell

  • Crime.
  • Incivility.

Principal Value of Security Awareness to Executive Management

  • Awareness of the security program's financial contribution to the bottom line.

Primary Purpose of a Security Awareness Program

  • To educate employees on how to protect company assets and reduce losses.

Features of the Most Effective Security Awareness Training Programs

  • They engage staff and let them have fun.

Main Obstacles to an Effective Security Awareness Program

  • Low credibility of security department.
  • Organizational culture.
  • Naiveté.
  • Perception of a minimal threat.
  • Departmental/employee indifference.
  • Lack of reporting capability.

Measures Security Departments can use to Create Positive Contacts with Staff to Promote Security Awareness

  • Conducting home protection clinics.
  • Lending property marking devices.
  • Offering group purchases of alarms.
  • Conducting personal protection programs.
  • Conducting cybersecurity awareness programs.
  • Conducting children's fire prevention campaigns.

Organizational Models for Security Forces

  • Vertical or hierarchical.
  • Shamrock.
  • Network.

Hierarchical Model of Organizational Structure

  • Authority comes from the top and flows down through a series of managers to the front-line staff.

Shamrock Model of Organizational Structure

  • Leaf one represents a small core of professionals and managers whose skills are critical to the organization.
  • The second leaf consists of third-party suppliers with special expertise.
  • The third leaf consists of part-time and temporary workers who are employed as needed.

Network Model of Organizational Structure

  • Employees are connected not just to their immediate supervisor and their direct reports, but to many others in the organization.
  • People come together for particular tasks and disband or reorganize as needed.
