{"product_id":"security-risk-assessment-and-management-isbn-9780471793526","title":"Security Risk Assessment and Management","description":"Proven set of best practices for security risk assessment and management, explained in plain English  \u003cp\u003eThis guidebook sets forth a systematic, proven set of best practices for security risk assessment and management of buildings and their supporting infrastructures. These practices are all designed to optimize the security of workplace environments for occupants and to protect the interests of owners and other stakeholders. The methods set forth by the authors stem from their research at Sandia National Laboratories and their practical experience working with both government and private facilities.\u003c\/p\u003e \u003cp\u003eFollowing the authors' step-by-step methodology for performing a complete risk assessment, you learn to:\u003c\/p\u003e \u003cul\u003e \u003cli\u003eIdentify regional and site-specific threats that are likely and credible\u003c\/li\u003e \u003cli\u003eEvaluate the consequences of these threats, including loss of life and property, economic impact, as well as damage to symbolic value and public confidence\u003c\/li\u003e \u003cli\u003eAssess the effectiveness of physical and cyber security systems and determine site-specific vulnerabilities in the security system\u003c\/li\u003e \u003c\/ul\u003e \u003cp\u003eThe authors further provide you with the analytical tools needed to determine whether to accept a calculated estimate of risk or to reduce the estimated risk to a level that meets your particular security needs. You then learn to implement a risk-reduction program through proven methods to upgrade security to protect against a malicious act and\/or mitigate the consequences of the act.\u003c\/p\u003e \u003cp\u003eThis comprehensive risk assessment and management approach has been used by various organizations, including the U.S. 
Bureau of Reclamation, the U.S. Army Corps of Engineers, the Bonneville Power Administration, and numerous private corporations, to assess and manage security risk at their national infrastructure facilities. With its plain-English presentation coupled with step-by-step procedures, flowcharts, worksheets, and checklists, you can easily implement the same proven approach and methods for your organization or clients. Additional forms and resources are available online at \u003ca href=\"http:\/\/www.wiley.com\/go\/securityrisk\"\u003ewww.wiley.com\/go\/securityrisk\u003c\/a\u003e.\u003c\/p\u003e \u003cp\u003eFigures xv\u003c\/p\u003e \u003cp\u003eTables xix\u003c\/p\u003e \u003cp\u003ePreface xxi\u003c\/p\u003e \u003cp\u003eAcknowledgments xxv\u003c\/p\u003e \u003cp\u003e\u003cb\u003ePart I 1\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\u003cb\u003e1 Security Risk Assessment and Management Process 3\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e1.1 Introduction 3\u003c\/p\u003e \u003cp\u003e1.2 Security Risk Equation 6\u003c\/p\u003e \u003cp\u003e1.3 Security Risk Assessment and Management Process 8\u003c\/p\u003e \u003cp\u003e1.3.1 Facility Characterization 9\u003c\/p\u003e \u003cp\u003e1.3.2 Threat Analysis 10\u003c\/p\u003e \u003cp\u003e1.3.3 Consequence Analysis 11\u003c\/p\u003e \u003cp\u003e1.3.4 System Effectiveness Assessment 13\u003c\/p\u003e \u003cp\u003e1.3.5 Risk Estimation 16\u003c\/p\u003e \u003cp\u003e1.3.6 Comparison of Estimated Risk Levels 17\u003c\/p\u003e \u003cp\u003e1.3.7 Risk Reduction Strategies 17\u003c\/p\u003e \u003cp\u003e1.4 Presentation to Management 18\u003c\/p\u003e \u003cp\u003e1.5 Risk Management Decisions 18\u003c\/p\u003e \u003cp\u003e1.6 Information Protection 19\u003c\/p\u003e \u003cp\u003e1.7 Process Summary 19\u003c\/p\u003e \u003cp\u003e1.8 References 20\u003c\/p\u003e \u003cp\u003e1.9 Exercises 21\u003c\/p\u003e \u003cp\u003e\u003cb\u003e2 Screening Analysis 23\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e2.1 Introduction 
23\u003c\/p\u003e \u003cp\u003e2.2 Screening Analysis Methods 23\u003c\/p\u003e \u003cp\u003e2.3 Summary 30\u003c\/p\u003e \u003cp\u003e2.4 References 30\u003c\/p\u003e \u003cp\u003e2.5 Exercises 30\u003c\/p\u003e \u003cp\u003e\u003cb\u003e3 Facility Characterization 31\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e3.1 Introduction 31\u003c\/p\u003e \u003cp\u003e3.2 Undesired Events 32\u003c\/p\u003e \u003cp\u003e3.3 Facility Description 33\u003c\/p\u003e \u003cp\u003e3.3.1 Physical Details 33\u003c\/p\u003e \u003cp\u003e3.3.2 Cyber-Information System 34\u003c\/p\u003e \u003cp\u003e3.3.3 Facility Operations 34\u003c\/p\u003e \u003cp\u003e3.3.4 Security Protection Systems 35\u003c\/p\u003e \u003cp\u003e3.3.5 Workforce Description 38\u003c\/p\u003e \u003cp\u003e3.3.6 Restrictions, Requirements, Limitations 39\u003c\/p\u003e \u003cp\u003e3.4 Critical Assets 40\u003c\/p\u003e \u003cp\u003e3.4.1 Generic Fault Tree 40\u003c\/p\u003e \u003cp\u003e3.4.2 Identifying Critical Assets 42\u003c\/p\u003e \u003cp\u003e3.5 Protection Objectives 44\u003c\/p\u003e \u003cp\u003e3.6 Summary 45\u003c\/p\u003e \u003cp\u003e3.7 References 46\u003c\/p\u003e \u003cp\u003e3.8 Exercises 46\u003c\/p\u003e \u003cp\u003e\u003cb\u003e4 Threat Analysis 49\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e4.1 Introduction 49\u003c\/p\u003e \u003cp\u003e4.2 Sources of Threat Information 50\u003c\/p\u003e \u003cp\u003e4.2.1 Local and State Sources 51\u003c\/p\u003e \u003cp\u003e4.2.2 National Sources 52\u003c\/p\u003e \u003cp\u003e4.3 Adversary Spectrum 53\u003c\/p\u003e \u003cp\u003e4.4 Adversary Capability 56\u003c\/p\u003e \u003cp\u003e4.5 Threat Potential for Attack 58\u003c\/p\u003e \u003cp\u003e4.5.1 Outsider Threat 62\u003c\/p\u003e \u003cp\u003e4.5.2 Insider Threat 69\u003c\/p\u003e \u003cp\u003e4.6 Summary 71\u003c\/p\u003e \u003cp\u003e4.7 References 71\u003c\/p\u003e \u003cp\u003e4.8 Exercises 72\u003c\/p\u003e \u003cp\u003e\u003cb\u003e5 Consequence Analysis 75\u003c\/b\u003e\u003c\/p\u003e 
\u003cp\u003e5.1 Introduction 75\u003c\/p\u003e \u003cp\u003e5.2 Reference Table of Consequences 75\u003c\/p\u003e \u003cp\u003e5.3 Consequence Values for Undesired Events 77\u003c\/p\u003e \u003cp\u003e5.4 Summary 81\u003c\/p\u003e \u003cp\u003e5.5 References 81\u003c\/p\u003e \u003cp\u003e5.6 Exercises 81\u003c\/p\u003e \u003cp\u003e\u003cb\u003e6 Asset Prioritization 83\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e6.1 Introduction 83\u003c\/p\u003e \u003cp\u003e6.2 Prioritization Matrix 84\u003c\/p\u003e \u003cp\u003e6.3 Summary 85\u003c\/p\u003e \u003cp\u003e6.4 References 85\u003c\/p\u003e \u003cp\u003e6.5 Exercises 86\u003c\/p\u003e \u003cp\u003e\u003cb\u003e7 System Effectiveness 87\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e7.1 Introduction 87\u003c\/p\u003e \u003cp\u003e7.2 Protection System Effectiveness 88\u003c\/p\u003e \u003cp\u003e7.2.1 Adversary Strategies 88\u003c\/p\u003e \u003cp\u003e7.2.2 Physical Protection System Effectiveness 90\u003c\/p\u003e \u003cp\u003e7.2.3 Cyber-Protection System Effectiveness 106\u003c\/p\u003e \u003cp\u003e7.3 Summary 116\u003c\/p\u003e \u003cp\u003e7.4 References 117\u003c\/p\u003e \u003cp\u003e7.5 Exercises 118\u003c\/p\u003e \u003cp\u003e\u003cb\u003e8 Estimating Security Risk 121\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e8.1 Introduction 121\u003c\/p\u003e \u003cp\u003e8.2 Estimating Security Risk 121\u003c\/p\u003e \u003cp\u003e8.2.1 Conditional Risk 122\u003c\/p\u003e \u003cp\u003e8.2.2 Relative Risk 122\u003c\/p\u003e \u003cp\u003e8.3 Summary 125\u003c\/p\u003e \u003cp\u003e8.4 References 125\u003c\/p\u003e \u003cp\u003e8.5 Exercises 125\u003c\/p\u003e \u003cp\u003e\u003cb\u003e9 Risk Reduction Strategies 127\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e9.1 Introduction 127\u003c\/p\u003e \u003cp\u003e9.2 Strategies for Reducing Likelihood of Attack 127\u003c\/p\u003e \u003cp\u003e9.3 Strategies for Increasing Protection System Effectiveness 129\u003c\/p\u003e \u003cp\u003e9.3.1 Physical Protection System Upgrades 
129\u003c\/p\u003e \u003cp\u003e9.3.2 Cyber-Protection System Upgrades 129\u003c\/p\u003e \u003cp\u003e9.3.3 Protection System Upgrade Package(s) 129\u003c\/p\u003e \u003cp\u003e9.4 Strategies for Mitigating Consequences 132\u003c\/p\u003e \u003cp\u003e9.4.1 Construction Hardening 133\u003c\/p\u003e \u003cp\u003e9.4.2 Redundancy 141\u003c\/p\u003e \u003cp\u003e9.4.3 Optimized Recovery Strategies 143\u003c\/p\u003e \u003cp\u003e9.4.4 Emergency Planning 145\u003c\/p\u003e \u003cp\u003e9.5 Combinations of Reduction Strategies 148\u003c\/p\u003e \u003cp\u003e9.6 Summary 149\u003c\/p\u003e \u003cp\u003e9.7 References 150\u003c\/p\u003e \u003cp\u003e9.8 Exercises 151\u003c\/p\u003e \u003cp\u003e\u003cb\u003e10 Evaluating Impacts 153\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e10.1 Risk Level 153\u003c\/p\u003e \u003cp\u003e10.2 Costs 157\u003c\/p\u003e \u003cp\u003e10.3 Operations\/Schedules 159\u003c\/p\u003e \u003cp\u003e10.4 Public Opinion 160\u003c\/p\u003e \u003cp\u003e10.5 Other Site-Specific Concerns 160\u003c\/p\u003e \u003cp\u003e10.6 Review Threat Analysis 161\u003c\/p\u003e \u003cp\u003e10.7 Summary 162\u003c\/p\u003e \u003cp\u003e10.8 References 162\u003c\/p\u003e \u003cp\u003e10.9 Exercises 163\u003c\/p\u003e \u003cp\u003e\u003cb\u003e11 Risk Management Decisions 165\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e11.1 Introduction 165\u003c\/p\u003e \u003cp\u003e11.2 Risk Assessment Results 166\u003c\/p\u003e \u003cp\u003e11.2.1 Executive Summary 167\u003c\/p\u003e \u003cp\u003e11.2.2 Introduction 167\u003c\/p\u003e \u003cp\u003e11.2.3 Threat Analysis 168\u003c\/p\u003e \u003cp\u003e11.2.4 Consequence Analysis 168\u003c\/p\u003e \u003cp\u003e11.2.5 System Effectiveness Assessment 169\u003c\/p\u003e \u003cp\u003e11.2.6 Risk Estimation 169\u003c\/p\u003e \u003cp\u003e11.2.7 Risk Reduction Strategies and Packages 170\u003c\/p\u003e \u003cp\u003e11.2.8 Impact Analysis 170\u003c\/p\u003e \u003cp\u003e11.2.9 Supporting Documentation 171\u003c\/p\u003e 
\u003cp\u003e11.2.10 Report Overview 171\u003c\/p\u003e \u003cp\u003e11.3 Risk Management Decisions 171\u003c\/p\u003e \u003cp\u003e11.4 Establish Design Threat 173\u003c\/p\u003e \u003cp\u003e11.5 Summary 174\u003c\/p\u003e \u003cp\u003e11.6 References 174\u003c\/p\u003e \u003cp\u003e11.7 Exercises 174\u003c\/p\u003e \u003cp\u003e\u003cb\u003e12 Summary 175\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e12.1 Facility Characterization 177\u003c\/p\u003e \u003cp\u003e12.2 Threat Analysis 178\u003c\/p\u003e \u003cp\u003e12.3 Consequence Analysis 180\u003c\/p\u003e \u003cp\u003e12.4 System Effectiveness Assessment 180\u003c\/p\u003e \u003cp\u003e12.5 Risk Estimation 182\u003c\/p\u003e \u003cp\u003e12.6 Comparison of Estimated Risk Level to Threshold 183\u003c\/p\u003e \u003cp\u003e12.7 Risk Reduction Strategies 183\u003c\/p\u003e \u003cp\u003e12.8 Analysis of Impacts Imposed by Risk Reduction Upgrade Packages 184\u003c\/p\u003e \u003cp\u003e12.9 Presentation to Management 185\u003c\/p\u003e \u003cp\u003e12.10 Risk Management Decisions 185\u003c\/p\u003e \u003cp\u003e\u003cb\u003ePart II 187\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\u003cb\u003e13 Demonstration of the Security Risk Assessment and Management Process 189\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e13.1 Introduction 189\u003c\/p\u003e \u003cp\u003e13.2 Security Risk Assessment and Management Process 190\u003c\/p\u003e \u003cp\u003e13.3 Screening Analysis 192\u003c\/p\u003e \u003cp\u003e13.4 Facility Characterization 195\u003c\/p\u003e \u003cp\u003e13.5 Operations 196\u003c\/p\u003e \u003cp\u003e13.6 General Description 198\u003c\/p\u003e \u003cp\u003e13.7 Threat 214\u003c\/p\u003e \u003cp\u003e13.8 Consequences 228\u003c\/p\u003e \u003cp\u003e13.9 Prioritization Analysis 238\u003c\/p\u003e \u003cp\u003e13.10 Protection System Effectiveness 243\u003c\/p\u003e \u003cp\u003e13.10.1 Physical Protection System Effectiveness 245\u003c\/p\u003e \u003cp\u003e13.10.2 Analysis of Blast Effects 264\u003c\/p\u003e 
\u003cp\u003e13.11 Estimation of Risk 269\u003c\/p\u003e \u003cp\u003e13.11.1 Risk Summary 269\u003c\/p\u003e \u003cp\u003e13.12 Risk Reduction Strategies 272\u003c\/p\u003e \u003cp\u003e13.12.1 Physical Protection System Upgrades 273\u003c\/p\u003e \u003cp\u003e13.12.2 Result of Physical Protection System Upgrades 276\u003c\/p\u003e \u003cp\u003e13.12.3 Cyber-Protection System Upgrades 280\u003c\/p\u003e \u003cp\u003e13.12.4 Results of Cyber-Protection System Upgrades 281\u003c\/p\u003e \u003cp\u003e13.12.5 Consequence Mitigation Upgrades 281\u003c\/p\u003e \u003cp\u003e13.12.6 Summary 284\u003c\/p\u003e \u003cp\u003e13.13 Impact Analysis 285\u003c\/p\u003e \u003cp\u003e13.13.1 Impacts of Upgrade Package 285\u003c\/p\u003e \u003cp\u003e13.13.2 Impacts of Consequence Mitigation Package 288\u003c\/p\u003e \u003cp\u003e13.14 Presentation to Management 288\u003c\/p\u003e \u003cp\u003e13.14.1 Threat Description 289\u003c\/p\u003e \u003cp\u003e13.14.2 Security Risk Estimates for the Baseline System 289\u003c\/p\u003e \u003cp\u003e13.14.3 Risk Reduction Packages 290\u003c\/p\u003e \u003cp\u003e13.14.4 Impact Analysis for Risk Reduction Package 294\u003c\/p\u003e \u003cp\u003e13.15 Risk Management Decisions 295\u003c\/p\u003e \u003cp\u003eAppendix A: Generic Fault Tree for Buildings 297\u003c\/p\u003e \u003cp\u003eAppendix B: Adversary Sequence Diagrams 303\u003c\/p\u003e \u003cp\u003eAppendix C: Physical System Effectiveness Worksheets 309\u003c\/p\u003e \u003cp\u003eAppendix D: Insider Threat 329\u003c\/p\u003e \u003cp\u003eAcronyms 345\u003c\/p\u003e \u003cp\u003eGlossary 347\u003c\/p\u003e \u003cp\u003eIndex 353\u003c\/p\u003e \"Used by government and private corporations, it sets forth a systematic, proven set of best practices for security risk assessment and management of both buildings and their supporting infrastructure.\" (\u003ci\u003eENR.com\u003c\/i\u003e; 11\/7\/07)  \u003cb\u003eBETTY E. 
BIRINGER\u003c\/b\u003e is currently the manager of the Security Risk Assessment Department at Sandia National Laboratories. She has developed security risk assessment methodologies for dams, high-voltage electric power transmission, chemical facilities, communities, and energy infrastructures that connect the gas industry to the electric power grid. She previously managed projects for the Office of Counterintelligence, where she developed a risk method to address the insider threat.  \u003cp\u003e\u003cb\u003eRUDOLPH V. MATALUCCI\u003c\/b\u003e, PhD, PE, is a retired Lieutenant Colonel in the United States Air Force and President of Rudolph Matalucci Consultants, Inc. Prior to starting his consulting firm, Dr. Matalucci was a project engineer\/manager for Sandia National Laboratories, where he directed numerous risk-related projects for the Department of Energy, the Department of Defense, several other government agencies, and private organizations. He has developed, validated, implemented, and taught risk assessment methodologies for dams\/locks\/levees, electric power generation\/transmission facilities, buildings, and other infrastructures.\u003c\/p\u003e \u003cp\u003e\u003cb\u003eSHARON L. O'CONNOR\u003c\/b\u003e is a Principal Member of the Laboratory Staff in the Security Systems and Technology Center at Sandia National Laboratories. For the last ten years, she has supported Architectural Surety© and security risk assessment work. Her baccalaureate degree is from the University of New Mexico.\u003c\/p\u003e","brand":"Wiley","offers":[{"title":"Default Title","offer_id":47989999829221,"sku":"NP9780471793526","price":119.95,"currency_code":"USD","in_stock":false}],"thumbnail_url":"\/\/cdn.shopify.com\/s\/files\/1\/1842\/7735\/files\/9780471793526.jpg?v=1761786163","url":"https:\/\/k12savings.com\/es\/products\/security-risk-assessment-and-management-isbn-9780471793526","provider":"K12savings","version":"1.0","type":"link"}