Resilience

 

 

The Most Resilient Countries in the World
https://sm.asisonline.org/Pages/The-Most-Resilient-Countries-in-the-World.aspx
2017-05-11T04:00:00Z, Lilly Chapa (https://adminsm.asisonline.org/pages/lilly-chapa.aspx)
<p>Property loss prevention consultant FM Global released its <a href="http://www.fmglobal.com/research-and-resources/tools-and-resources/resilienceindex/explore-the-data/?&sn=1" target="_blank">fifth annual <em>Resilience Index</em></a>, which ranks 130 countries on their enterprise resilience to disruptive events. The ranking is data-driven and assesses categories such as economic factors, risk quality, and supply chain. It allows executives to plan supply chain and expansion strategies based on insight regarding risks and opportunities, according to the FM Global website.</p>
<p>Giving a nod to new trends that affect supply chain resilience, FM Global introduced three new drivers of resilience to its assessment: supply chain visibility, urbanization rate, and inherent cyber risk. Supply chain visibility addresses the ease of tracking goods across a country’s supply chain. “The more visible and robust the supply chain and the faster it can begin functioning as normal following a major local event, the greater its resilience,” the report notes.</p>
<p>The urbanization rate is based on the percentage of the country’s population that lives in urban areas. While urbanization is typically associated with a country’s development, it can prove to be risky in an area with high natural hazards. And rapid and unplanned urbanization can create pressure on utilities and infrastructure, which can be a significant threat to the country’s resilience, according to the report.</p>
<p>2017 is also the first year that the threat of cyberattacks has been acknowledged in the report. The inherent cyber risk driver is defined as “a blend of a country’s vulnerability to cyberattack, combined equally with the country’s ability to recover.” This is calculated by determining the percentage of citizens with access to the Internet, as well as how the government responds to cyberattacks. “Countries that recover well from major events are those with a thriving industry in malware or cybersecurity, and where governments are willing to step in and help citizens in the event of a nationwide hacking,” the report says.</p>
<p>At the top of the list for the fifth year is Switzerland, an “acknowledged area of stability for generations” with infrastructure and political stability that makes its supply chain reliable and resilient. However, natural disasters and cyberattacks remain a threat to the country.</p>
<p>Also notable is Luxembourg, which was ranked eighth in 2013 but placed second this year. A growth in the country’s services sector, combined with its reduced economic reliance on oil and its business-friendly regulations, makes Luxembourg a safe place to expand operations to, the report finds. And due to its location, Luxembourg may serve as a new home for companies following the United Kingdom’s departure from the European Union.</p>
<p>At the other end of the spectrum, Haiti is ranked last due to its lack of supply chain and standards and its high rate of poverty. Similarly, Venezuela fared poorly due to corruption, natural disasters, poor infrastructure, and ill-perceived quality of local suppliers.</p>

https://sm.asisonline.org/Pages/The-Most-Resilient-Countries-in-the-World.aspx 2017-05-11T04:00:00Z The Most Resilient Countries in the World
https://sm.asisonline.org/Pages/After-an-Active-Shooter.aspx 2017-05-01T04:00:00Z After an Active Shooter
https://sm.asisonline.org/Pages/Responding-to-San-Bernardino.aspx 2017-05-01T04:00:00Z Responding to San Bernardino
https://sm.asisonline.org/Pages/Cinco-Acontecimientos-que-Moldearon-la-Gestión-de-Crisis.aspx 2017-04-12T04:00:00Z Cinco Acontecimientos que Moldearon la Gestión de Crisis
https://sm.asisonline.org/Pages/Ramping-Up-Resilience.aspx 2017-03-01T05:00:00Z Ramping Up Resilience
https://sm.asisonline.org/Pages/The-Road-to-Resilience.aspx 2017-02-01T05:00:00Z The Road to Resilience
https://sm.asisonline.org/Pages/World-Water-Woes.aspx 2017-01-01T05:00:00Z World Water Woes
https://sm.asisonline.org/Pages/Reducción-de-la-Violencia-en-América-Latina.aspx 2016-10-11T04:00:00Z Reducción de la Violencia en América Latina
https://sm.asisonline.org/Pages/A-Hospital’s-Life-Safety-Lessons.aspx 2016-10-01T04:00:00Z A Hospital’s Life Safety Lessons
https://sm.asisonline.org/Pages/Five-Post-Incident-Concerns.aspx 2016-09-01T04:00:00Z Five Post-Incident Concerns
https://sm.asisonline.org/Pages/Resilience-Trends.aspx 2016-09-01T04:00:00Z Resilience Trends
https://sm.asisonline.org/Pages/A-Strategic-Response.aspx 2016-08-01T04:00:00Z A Strategic Response
https://sm.asisonline.org/Pages/Book-Review---Crowd-Science.aspx 2016-07-01T04:00:00Z Book Review: Crowd Science
https://sm.asisonline.org/Pages/The-Calculus-of-Catastrophe.aspx 2016-06-01T04:00:00Z The Calculus of Catastrophe
https://sm.asisonline.org/Pages/Planning-After-Paris.aspx 2016-03-01T05:00:00Z Planning After Paris
https://sm.asisonline.org/Pages/Smart-and-Secure.aspx 2016-01-19T05:00:00Z Smart and Secure
https://sm.asisonline.org/Pages/Resilience-After-Katrina.aspx 2016-01-11T05:00:00Z Resilience After Katrina
https://sm.asisonline.org/Pages/Extreme-Resilience.aspx 2016-01-07T05:00:00Z Extreme Resilience
https://sm.asisonline.org/Pages/The-FEMA-Five.aspx 2016-01-06T05:00:00Z The FEMA Five
https://sm.asisonline.org/Pages/Constructing-Resilience.aspx 2015-11-01T04:00:00Z Constructing Resilience

 You May Also Like...

 

 

Day-to-Day Tactics
https://sm.asisonline.org/Pages/Day-to-Day-Tactics.aspx
<p>Managers can also share day-to-day tips with employees on avoiding burnout and staying energized, experts say. They include the following:</p>
<h4>Give me a break</h4>
<p>Take breaks at the right time. Whenever energy is highest—often in the morning for many workers—focus on moving forward on tasks to maximize your productivity. After a few hours of that, step away for a rest.</p>
<h4>Walk it off</h4>
<p>Getting out of the office can help you get out of the weeds and consider the big picture. Sometimes, this is when solutions become apparent. Have lunch away from your desk or take a walk in the afternoon.</p>
<h4>Screen your time</h4>
<p>Limit the use of digital devices after hours. Some place their smartphone in a drawer after arriving home, so they are not tempted to keep checking texts and emails. Others turn it off after a certain hour, like 8 p.m.</p>
<h4>Refresh with a film</h4>
<p>Schedule restorative experiences. Studies indicate that doing an activity you find interesting—even if that activity is taxing—can be more restorative than simply relaxing. Using the mind for something other than work can also be renewing. When he experienced writer’s block due to fatigue, Nobel Prize–winning novelist Saul Bellow found that going to see a movie on five consecutive nights was mentally refreshing.</p>
<h4>Get out of here</h4>
<p>Vacations are critical, but many workers can take them only once a year. Given this reality, taking regular three-day weekends can be an excellent way to periodically reduce stress. But don’t assume that burnout can be alleviated simply by giving a worker an unexpected day off, which is merely a Band-Aid.</p>
Seeing the Risk Through the Trees
https://sm.asisonline.org/Pages/Seeing-the-Risk-Through-the-Trees.aspx
<p>The first step toward solving—or preventing—any crime is to think like the criminals, beginning with what motivates them. When it comes to common thieves, that’s easy; they are motivated by the desire for money. But for violent nonfinancial crimes, understanding the motivation can be far more challenging.</p>
<p>I experienced this firsthand in the early 1990s, while running the Special Investigations Unit for the Ohio Bureau of Criminal Investigation. My team and I were tracking a serial rapist with a fetish for elderly women. He haunted small towns in rural areas, and during more than eight months he claimed 13 victims. We needed to understand our attacker if we wanted to anticipate his next move. To that end, an 18-page questionnaire was developed looking for anything the victims had in common: where they shopped and banked; who provided their lawn service; what clubs they frequented; who their family doctors were.</p>
<p>We used the answers to build an investigative “attack tree” that revealed the commonalities shared by the victims, and provided clues to the attacker’s goal and his modus operandi. Through this process, we were able to solve the case.</p>
<p>Any company can use the same attack tree methodology to mitigate risks, such as a terrorist attack, by thinking like the would-be attacker and anticipating what he or she might do. That information can be used to develop the appropriate countermeasures.</p>
<p>Attack trees are simply a visual display of the answer to the question: How would the criminal commit a crime—whether it’s a theft, a rape, a hack into a computer system, or the planting of a bomb.
The branches of the tree illustrate the different scenarios and the steps physically taken to accomplish the task.</p><p>Filling Out the Branches<br>In laying out an attack tree, the overall goal of the attacker is considered the trunk and the steps that he or she would take become the branches. Once a security director has thought of the overall threat and laid out the possible ways it could be carried out, the next step is to assess the probability that it might occur—the level of risk. Ultimately, the risk may be handled in four different ways: accepted, transferred, eliminated, or reduced.</p><p>A security professional may determine that the risk is low, and the company may decide to accept it. But a corollary consideration is the consequence of an act; if the act is low probability but high consequence, as is the case with terrorism, that will affect the calculation of whether accepting the risk is a reasonable course of action. Calculating the risk of a terrorist attack is further complicated by the difficulty of obtaining reliable intelligence.</p><p>Using attack tree methodologies, our security team at a major utility looked at our potential adversaries with the limited intelligence provided by the U.S. Coast Guard and our own staff. The trunk of the tree—the attackers’ goal—was assumed to be to disrupt power. We then explored methods of attack that could be used against our critical areas to achieve that goal, such as ramming a gate with a vehicle; cutting a fence; approaching by a boat on the river; or posing as a delivery driver to place a vehicle borne improvised explosive device (VBIED) near a critical asset.</p><p>We then “pruned” our trees by factoring in the already existing risk-reducing measures, such as intrusion detection systems, lighting, perimeter fencing, and signs. 
In consultation with government agencies, we assessed the extent to which our measures had sufficiently reduced the risk and whether additional measures were needed.</p><p>The pruning process took into account that the trunk, or goal, is to disrupt power. If we look at the branch exploiting a vulnerability of approaching by boat from the water and gaining access to our facility, the next leaf would involve damaging a critical piece of equipment to obtain the result. In order to prune this branch, we installed fencing along the waterway with intrusion detection to alarm to our guard posts in an effort to detect an intrusion along several miles of the channel.</p><p>Planting Your Tree<br>While there are several models and even some software that you can use to help you in the attack tree process, in the beginning, you might want to follow this general rule: the simpler, the better. Start by assembling several members of your team in a room with a whiteboard or flip chart. At the bottom center, draw a box and insert what the goal of a terrorist attack against your company’s facilities might be. For a mall or other public venue, it might simply be to terrorize the population. For a strategic facility, it may be to disrupt services, to contaminate food or water supplies, or to cause economic damage.</p><p>Once you have placed the ultimate objective in the bottom box, ask your team the oldest security question known to man: “How would I do that?” For example, if terrorists are the adversary, the overall goal is to kill as many people as possible. As the security director for a mass transit subway, you have to place yourself in the terrorists’ shoes, and build your tree accordingly. If you were the terror cell, how would you accomplish your goal?</p><p>In answering the question, you would look at the recent history of events. 
For example, history has shown that terrorists may choose backpack bombs with cellphone detonators or timing devices; or they might pick suicide bombers, or chemical agents, or perhaps other methods that you and your team could visualize.</p><p>Each method becomes a branch. Place those in individual boxes connected to the bottom box and you have begun the formation of your tree. Repeat the steps of asking “how would I do that” over again for each “branch” of your tree, and continue to expand the possibilities. Once you have exhausted your avenues of attack, your tree is completed. You can then create another tree simply by changing the ultimate goal in the bottom box.</p><p>Leaves. As one becomes more proficient with the trees, there are several complex formulas, or “leaves,” that can add value. One leaf is the risk tolerance of the attacker. Another is his or her financial capability. These additions play a valuable role as a security team contemplates risk-reduction measures. For example, signs warning of surveillance might give pause to a terrorist who wants to case a utility plant without being detected; they would not deter a suicide bomber.</p><p>Pruning the Tree<br>A completed tree needs “pruning,” or an examination of the potential threats that have been identified and how they might be mitigated by existing or new protective measures. Each branch that starts in row two above the bottom box can be pruned. The thought here is to find logical places on that branch where you could apply—or where you have already put in place—security measures to reduce that risk.</p><p>When considering items to prune your tree, look into the box and determine which system makes the most sense from the perspective of cost and applicability.</p><p>Cost-effectiveness. Your team should scrutinize whether the deployment of one system could prune several branches of the tree, thus improving the cost-effectiveness of the countermeasures. 
In the example of the utility facility, our team identified seven ways to gain entry to a site and then complete the overall goal of service disruption. In examining our tree, four of the seven ways to gain entry involved breaching our perimeter fence, by cutting the fence, ramming the gate, cutting the lock at the gate, or climbing over the fence and barbed wire.</p><p>By placing an intrusion alarm system on the fence, we were able to effectively mitigate all four possible branches. Similarly, if you are working on multiple attack trees simultaneously, you may gain a significant benefit to several trees from deploying a single appropriate system. In deterring terrorist attacks by hardening an asset, you also make it much more difficult for a burglar to gain entry, for example. In the utility sector, the installation of an intrusion detection system at some substations to prevent terrorist attacks also helps prevent copper thieves and vandals from entering the property undetected.</p><p>Group think. As you experiment with the use of the attack tree methodology, try breaking your team into several subgroups and assigning each subgroup a different goal for the trunk of each tree. After building out the branches, bring the whole group back together, have each subgroup present its tree, then work on strategies to collectively prune the attack paths by deploying a similar strategy or system.</p><p>The value added in these exercises is derived from an enterprise-wide security approach that can be helpful in solidifying objectives—especially in a convergence model where pockets of isolationism and standalone mentalities can exist.</p><p>Mature Trees<br>Once you have completed several attack trees with your team and feel comfortable with the process of deploying effective strategies to prune the branches, you may wish to expand your knowledge base and experiment with advanced methodologies.</p><p>In traditional risk modeling, consequence and probability are core elements. 
One can use the same principles to enhance attack tree modeling. Start by examining the overall goal at the trunk and use a standard model to evaluate probability of the event occurring. Use a numeric scale from 1 (very low) to 10 (very high) to estimate the possibility that the mode of attack against an asset will occur in the foreseeable future.</p><p>The consequence axis requires a definition as to which score you will apply. It is typical to view consequence in terms of dollars to replace stolen property, lost revenue, capital replacement costs, loss of life, or loss of reputation. If your consequence model is based solely on loss of life and your event is a large theft, your consequence rating may be zero. Conversely, if your model is based on capital replacement costs and your scenario is workplace violence, your score will be very low.</p><p>A blended model that factors in both loss of life and a cost estimate for revenue is more useful. Once you have chosen your consequence variable, you can assign it a numeric rating similar to the probability scale. Next, you should go to each box on your tree and label it with the scores for probability (P) and consequence (C). This process will highlight the most probable and severe attacks and will aid you in applying risk reduction strategies in a priority order.</p><p>To work with the mature tree further, look at adversaries and attempt to understand their relation to the model. A utility has to protect against sabotage from disgruntled workers and theft of assets for monetary gain, for example, in addition to terrorist attacks. This becomes important as we look at which security systems to deploy and their potential effectiveness.</p><p>On several occasions, we were faced with the theft of high-dollar computer equipment stolen from unstaffed remote facilities. By examining the crime scene, a lot can be learned about the thief. How was entry gained? 
Was a key used at the gate, was the lock cut, or was a chain used to pull the gate off the hinges? How was entry into the building achieved? Was the lock picked or was the door beaten in with a sledgehammer?</p><p>After examining these traits, effective strategies can be developed that match the skills of the adversary. A loud alarm might be enough to deter someone who uses a chain and a sledgehammer, while a more sophisticated system may be needed to deter someone with the skills to pick locks.</p><p>Based on these details, one can flesh out the attack tree by marking different paths that different adversaries may take, and then deploying tailored strategies to stop them. A simple scenario illustrating this methodology is a company-owned warehouse in an area that has suffered several break-ins. The particular warehouse, which houses electronic components that could be used to make bomb detonators, has not been hit yet, but the company is aware of the threat, and security personnel are debating how to protect against it.</p><p>Local police and other security directors representing victimized area businesses have been consulted about any previous crimes in the locale. Important information has been gleaned: There have been three burglaries inside of a month within five miles of the still-virgin warehouse. Each theft involved high-value small electronic devices similar to those in the company’s warehouse. In two instances, the thieves used a torch to cut the hinges on a roof hatch to gain entry, and in one case, they picked the lock on the front door. Each time they exited from the loading dock in the rear.</p><p>An attack tree grows rapidly out of such details. The trunk (showing the thief’s goal) is the acquisition of pricey electronic units. Due to the number of incidents in the area, there is a high probability of the warehouse being targeted. The consequence score is up because of the potential dollar loss. 
Risk is, therefore, red hot.</p>
<p>The tree can be filled out by adding different attack strategies. The thieves are not garden-variety; they used tools to cut their way in from the roof and picked locks, suggesting a certain amount of professional skill.</p>
<p>Other scenarios can be added, such as rocks being thrown through the glass doors in front, or a chain being tied to the bumper of a truck and the door being ripped from its hinges.</p>
<p>Then prune the tree with the necessary risk-reducing measures, such as alarm systems, surveillance cameras, or maybe security guards. The warehouse is now set to be safeguarded, and potential thieves tracked should an incident occur.</p>
<p>A Weakness in the Tree<br>Looking at attack trees from a homeland security perspective reveals a weakness in the methodology. Sweeping terrorist goals, such as the destruction of the U.S. economy, produce very large trees. More specific and credible scenarios need to be imagined. That can be difficult but it doesn’t mean that the attack tree methodology cannot be adapted to this task. The Nuclear Regulatory Commission, for example, has used scenario-based attack trees for years.</p>
<p>The use of attack trees is by no means the single solution for today’s security environment. However, in the never-ending attempt to manage risk, the use of attack trees can help companies to weed out vulnerabilities and ensure that countermeasures are rooted in solid ground.</p>
<p>Ted Almay is assistant vice president of corporate security at the United Services Automobile Association (USAA). His previous posts included stints as the managing director of security for American Electric Power (AEP), America’s largest electric producer, and superintendent of the Ohio Bureau of Criminal Investigation. He is a member of ASIS.</p>
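The scoring and pruning steps from "Seeing the Risk Through the Trees" can be worked through in code. The following is an added example, not part of the original article: it builds the utility tree from the entry methods the article names, labels each leaf with P and C, and picks countermeasures by how much risk they prune per unit of cost. The P/C scores, the cost figures, the P x C product and the greedy selection are all assumptions made for illustration.

```python
"""Attack tree with P/C scoring and countermeasure pruning (added example)."""
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    p: int = 0  # probability, 1 (very low) .. 10 (very high); set on leaves
    c: int = 0  # consequence on the same 1..10 scale; set on leaves
    children: list = field(default_factory=list)

    def leaves(self, path=()):
        """Yield (path, leaf) for every attack path from the trunk."""
        path = path + (self.name,)
        if not self.children:
            yield path, self
        for child in self.children:
            yield from child.leaves(path)


def risk(leaf):
    # Assumption: risk = P x C. The article labels each box with P and C
    # but does not prescribe how to combine them.
    return leaf.p * leaf.c


# Trunk and branches follow the article's utility example; every score is
# constructed for illustration. Leaf names are assumed to be unique.
TREE = Node("disrupt power", children=[
    Node("breach perimeter fence", children=[
        Node("cut the fence", p=6, c=7),
        Node("ram the gate", p=4, c=8),
        Node("cut the gate lock", p=5, c=7),
        Node("climb the fence", p=5, c=6),
    ]),
    Node("approach by boat", p=3, c=8),
    Node("pose as delivery driver", p=2, c=10),
])

# countermeasure -> (cost units, leaves it prunes); costs are constructed.
MEASURES = {
    "fence intrusion alarm": (3, {"cut the fence", "ram the gate",
                                  "cut the gate lock", "climb the fence"}),
    "waterway fence with intrusion detection": (5, {"approach by boat"}),
}


def ranked_paths(tree):
    """Attack paths ordered from highest to lowest risk score."""
    return sorted(((risk(leaf), " > ".join(path))
                   for path, leaf in tree.leaves()), reverse=True)


def prune(tree, measures, budget):
    """Greedy pruning: buy the measure removing the most open risk per cost.

    Simplification: a pruned leaf is treated as fully mitigated.
    Returns (measures chosen in order, {unpruned leaf: risk score}).
    """
    open_risk = {leaf.name: risk(leaf) for _, leaf in tree.leaves()}
    chosen = []
    while True:
        best, best_ratio = None, 0.0
        for name, (cost, covers) in measures.items():
            if name in chosen or cost > budget:
                continue
            ratio = sum(open_risk.get(n, 0) for n in covers) / cost
            if ratio > best_ratio:
                best, best_ratio = name, ratio
        if best is None:
            return chosen, open_risk
        cost, covers = measures[best]
        budget -= cost
        chosen.append(best)
        for leaf_name in covers:
            open_risk.pop(leaf_name, None)
```

The residual dictionary is the useful output for review: any leaf still listed there is a branch no purchased measure touches.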
Five Post-Incident Concerns
https://sm.asisonline.org/Pages/Five-Post-Incident-Concerns.aspx
<p>On June 12, 2016, a gunman shot 102 people in an Orlando, Florida, nightclub, killing 49. Agencies, both government and private, must be prepared to recover from such major incidents. Following are five issues that should be considered when crafting post-incident plans.</p>
<p><strong>1. COUNSELING.</strong> Identify a list of counselors for the living victims, family members of the deceased, and other persons who were directly or indirectly involved with the incident. This includes first responders. (In this case, where the gay community was targeted, special emphasis was placed on their needs.) Counselors can include certified therapy animals and their trained handlers. Providing privacy and personal time for the families and friends of the victims in their time of grief is crucial. It is also important to shield those who ask for privacy from the media.</p>
<p><strong>2. BUSINESSES.</strong> Access must be granted to the area surrounding the incident so that local businesses can resume operation as soon as possible. The crime scene should be processed in a timely manner to allow the community to return to a feeling of normalcy and business as usual.</p>
<p><strong>3. COMMUNITY AWARENESS.</strong> The use of the friendly and concerned media can help keep the community informed and involved. Holding frequent press conferences and meetings with the community and its leaders conveys that agencies plan to be open about the incident and the follow-up.</p>
<p><strong>4. DEBRIEFING.</strong> Ensure that all victims, witnesses, and responders are fully interviewed in a humane and caring way. This will assist the lead agency in trying to reconstruct the incident and come to a fuller understanding of its causes and outcomes.</p>
<p><strong>5. PLANNING.</strong> Continue to work within the community to plan for possible future incidents, identify possible soft targets, educate the public on the appropriate response to such an attack, work with the public on developing strategic response plans, and communicate openly with all involved.</p>
<p>--</p>
<p><em><strong>H.R. "Hank" Nolin, CPP,</strong> is a retired U.S. Army Master Sergeant who has owned various security agencies in Central Florida. He is an active member of the ASIS Military Liaison Council.</em></p>