When your organization is doing scenario-based risk assessments, it can be hard to know which risk to assess first. Start with threat and impact assessments to determine a basis of risk. The risk with the highest probability and the most severe impact should be the one you assess first.
While it’s easy to see which risk carries the most severe consequence, determining probability can be a bit trickier. So — how can you determine the probability of a risk?
5 indicators you can use to determine probability
When it comes to determining probability, there’s both bad news and good news. The bad news is that the physical security industry currently has no standardized way of determining probability. (You can invest in risk scores, but used incorrectly, they’ll give you a poor picture of both probability and risk.) The good news is that there are several ways you can work out the likelihood of an incident on your own. You’ll need to invest some time in research and in some mathematics, but by doing the work yourself, you’ll come up with accurate indicators of probability for your specific site. In any case, it comes down to active monitoring and assessments: the more assessments you perform, the more sources you review, and the more incidents you track, the better your foresight will be.
Below are some indicators you can use to determine the probability of a risk:
- Location: The physical location of your site is a huge source of information when it comes to probability. Your location determines what risks your organization is closest to: higher crime rates, organized crime, and inner-city versus rural settings can all be factors. These can help determine how external threats like crime rates will impact your organization.
- Time: The time of year and day also help you understand probability. Breaking and entering at a business often happens at night, for example. If you’re in a hurricane-prone area (though this is a hazard), you’ll be most likely to face extreme weather conditions in late summer and early fall. Holidays also fall under this heading; on St. Patrick’s Day, you may be more likely to deal with crowds or drinking in certain cities, and around Christmas, theft may be more likely.
- Historical context: Have you experienced certain issues in the past? If you’ve had a robbery at a specific site, it might happen again. If your IT infrastructure has already been hacked, the cybercriminals are probably going to find you again. This isn’t true of all incidents (you might not suffer two earthquakes in a region that doesn’t often get them, for example), but once an incident has occurred, its probability rises.
- Active external factors: Have there been any threats to your organization online? Are you in a controversial industry? Have there been any threats to your competitors? External threats, and paying attention to what’s happening at other, similar businesses, can give you important clues about a risk’s probability. This is why monitoring social media and other online activity is so important: external threats change fast, and to understand the probability of an incident, you need a tool that can help you keep an eye on what people are saying about your company online.
- Internal factors: Many businesses want to concentrate on external threats, but not everyone looks at the internal ones. That’s a mistake, because insider threats are some of the biggest issues an organization can face. (Many active shooters, for example, are disgruntled employees or the family members of employees.) Do you have anyone of concern working for you? Have there been internal issues, such as threats, thefts, or reports to HR from other employees?
The trick to determining probability
It’s important to understand that probability and foreseeability aren’t the same thing. Just because you can foresee an incident happening, that doesn’t mean it’s probable.
Instead, probability is all about asking the right questions, understanding a scenario, and getting to the root of its potential. Sometimes that means putting yourself in the shoes of the person delivering a specific threat. If you were a criminal, how would you go about stealing something from a company, hacking into a network, or walking onto a site with the intent of harming someone there? Other times it means looking at a situation and thinking outside of the box. One company I consulted for was experiencing shrinkage, for example. (They thought it was theft, but it turned out that a marketing promotion was giving away too many free punch cards.)
These exercises can be difficult for people who aren’t in physical security and who might not know enough about security and crime trends to put themselves in a criminal mindset. This is why a qualified security consultant is a critical component of an effective risk assessment; they have the knowledge and experience to understand the data and what it means, and they can use that expertise to determine the probability of a risk.