When it comes to calculating the risk of a particular security incident, risk scores can seem like a useful tool for executives and other business decision makers who might not be well-versed in physical security or calculating risk. Risk scores offer decision makers at organizations an easy way to quantify and qualify risk.
Unfortunately, external systems that assign risk in physical security are often irrelevant, because they compare your business to other organizations operating in different industries, regions, or with different sets of parameters. Using a risk score that compares you to outside groups is an exercise in comparing apples to oranges that won’t benefit your organization or your security.
So, should you do risk calculations yourself?
Not necessarily. There is a middle way, however: a risk score customized to your own organization.
What is a customized risk score?
Every organization is different, so it makes sense that the two variables used to calculate risk, probability and severity, are also different at every business.
First let’s look at probability. Probability has two aspects: internal and external.
When calculating the probability of a theft, many organizations want to start with the external components of probability, such as the crime statistics for your area. Most of the time, however, the best indicators of a probable crime at your site are your internal statistics: whether you have had to call the police on an employee, for example.
That sort of information differs from organization to organization, as does your security response to an employee’s bad behavior at work, and the assets your employee might steal.
Now let’s look at severity.
Severity differs from organization to organization because every business values their assets differently — even if their assets are the same. Two organizations might carry the same exact goods but place a different value on them. Even if they put the same value on those goods, the loss might bankrupt a small business where a larger business might simply absorb it.
A customized risk score allows an organization to use their own key metrics to determine their own risk score.
How can a customized score help your business?
We think organizations, and the subject matter experts who conduct security assessments, should be able to customize the values that are important to them and to change the weight of certain variables in security assessment software, so that their score better reflects their own risk profile.
This means organizations should be able to enter the value of their assets, the impact a loss would have on the organization, and the weight of the security countermeasures that protect those assets. All of these factors are then used to calculate a customized risk score: one that shows the organization the risk of each incident at its own sites. A customized score means a more accurate score, without decision makers having to do all the math themselves.
It also allows an organization to change their weighted values and their metrics as their organization changes. Many of the tools on the market pigeonhole people into their current value system and their current metrics. A truly customizable tool will grow with your organization.
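To make the probability-times-severity calculation above concrete, here is an added Python example; it is not code from this page or from any vendor's assessment software. It models the pieces the text describes: a weighted blend of internal and external probability, a severity that depends on how much the loss means to the organization, a reduction for countermeasures already in place, and weights that can be changed as the organization changes. The two organizations, the incidents, the 70/30 default weighting and the 0..100 normalization (residual risk as a percentage of total asset value) are all constructed assumptions for illustration.

```python
"""Customized physical-security risk score (added example, not the page's own code).

Risk = probability x severity, reduced by countermeasures already in place.
Every incident, organization and weight below is a constructed sample value.
"""
from dataclasses import dataclass, field


@dataclass
class Incident:
    name: str
    external_probability: float  # 0..1, e.g. derived from area crime statistics
    internal_probability: float  # 0..1, derived from the site's own incident history


@dataclass
class OrgProfile:
    name: str
    asset_value: float                   # what the goods at the site are worth to this org
    loss_impact: float                   # 0..1, share of the business a total loss would wipe out
    countermeasure_effectiveness: float  # 0..1, credit given to controls already in place
    # Hypothetical default: internal history weighs more than external statistics.
    weights: dict = field(default_factory=lambda: {"internal": 0.7, "external": 0.3})


def reweight(profile, internal, external):
    """Change the weights as the organization changes; they must stay non-negative and sum to 1."""
    if min(internal, external) < 0 or abs(internal + external - 1.0) > 1e-9:
        raise ValueError("weights must be non-negative and sum to 1")
    profile.weights = {"internal": internal, "external": external}
    return profile


def probability(incident, profile):
    """Blend of internal and external indicators using the organization's own weights."""
    w = profile.weights
    return (w["internal"] * incident.internal_probability
            + w["external"] * incident.external_probability)


def severity(profile):
    """Same goods, different severity: value at risk scaled by what the loss means to this org."""
    return profile.asset_value * profile.loss_impact


def residual_risk(incident, profile):
    """Monetary risk left after crediting the countermeasures in place."""
    return (probability(incident, profile) * severity(profile)
            * (1.0 - profile.countermeasure_effectiveness))


def risk_score(incident, profile):
    """0..100 score: residual risk as a percentage of the organization's total asset value."""
    return 100.0 * residual_risk(incident, profile) / profile.asset_value


def rank_incidents(profile, incidents):
    """Incidents ordered by score, highest first, so decision makers see what matters most."""
    scored = ((i.name, round(risk_score(i, profile), 2)) for i in incidents)
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample data: two organizations carrying the same goods.
INCIDENTS = [
    Incident("theft", external_probability=0.4, internal_probability=0.6),
    Incident("vandalism", external_probability=0.3, internal_probability=0.1),
]
SMALL = OrgProfile("small retailer", asset_value=50_000, loss_impact=0.8,
                   countermeasure_effectiveness=0.2)
LARGE = OrgProfile("large chain site", asset_value=50_000, loss_impact=0.02,
                   countermeasure_effectiveness=0.5)


if __name__ == "__main__":
    for org in (SMALL, LARGE):
        print(org.name, rank_incidents(org, INCIDENTS))
```

Running the block ranks theft well above vandalism for both organizations, but the small retailer's theft score is roughly sixty times the large chain's for the very same goods, because the loss would nearly bankrupt one and barely register at the other. Calling `reweight` on a profile lets the same incidents be re-scored once, say, the site has enough internal history to justify different weights.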