By: Ravias Corp U.S.
Industrial espionage, geopolitical instability, radical ideologies, and catastrophic disasters are the drivers of today’s risk landscapes that are challenging public and private enterprises like never before in history. Organizations, constrained by limited resources, must accurately assess their most critical assets and develop cost-effective strategies to mitigate organizational risk.
The VECTOR Matrix is a free, easy-to-use, open-source self-assessment methodology developed to help organizations define and prioritize critical risks. The matrix allows users to easily quantify and visually represent all aspects of an organization’s risk, including natural disasters as well as adversarial paths. VECTOR© is an acronym for Vulnerability, Ease-of-Execution, Consequence, Threat-Probability, Operational-Importance and Resiliency. It is based on universal risk principles scalable to small businesses and large enterprises within the domestic, international, public and private sectors. The risk formula and analysis follow:
Score each asset from 1 to 10 on each V.E.C.T.O.R. criterion: 1-4 is low, 5-7 is moderate, and 8-10 is high.
In the above example of a hypothetical small business, the first column is used to describe important assets or business functions that support operations. Each asset is analyzed using the VECTOR criteria below to determine its risk relative to other assets within the organization. In this example, “Lab/Factory” received the highest rating of 10 for both “C” Consequence and “O” Operational-Importance, with a total risk score of 52. For illustrative purposes, this Lab/Factory was assessed as one asset since all of its functions were located within a very small, confined space. For best results, individual assets or functions within larger labs or factories (e.g., individual plant operations such as pumps or processors) should each be assessed individually, since some equipment or machinery will have greater value than others and thus represents a more desirable target for an adversary. In the above example, the highest priority risks are: Lab/Factory 52, Patents* (e.g., trade secrets, critical information) 51, Database 50, Firewall 47, Building 42, and so on.
The VECTOR Matrix allows users to systematically prioritize their own organizational risk using an easy to remember mnemonic device that can be incorporated into improving any security culture.
RISK = V + E + C + T + O + R
VECTOR is defined as:
Vulnerability: Attributes, characteristics, or components of an asset, business process or function that make it susceptible or exposed to natural disasters or adversarial attack. Existing security measures (i.e., locks, alarms, firewalls, etc.) serve to reduce asset vulnerability. Likewise, target hardness reduces vulnerability; it refers to the design characteristics and strength-integrity of an asset. For example, a structure made of concrete and steel has greater target hardness than a structure made of wood.
Ease-of-Execution: Level of expertise, advanced training, special tools and equipment required to successfully accomplish an attack. A low ease-of-execution implies that an aggressor or natural event requires “higher expertise” or “greater force” to defeat an asset’s design characteristics and existing security measures. A high ease-of-execution implies that an aggressor or natural event requires “minimal expertise” or “minimal force” to defeat the asset.
Consequence: Loss of economic, symbolic, or psychological value (e.g., public confidence, brand-image); physical injuries, loss of life or damage to the environment resulting from attack or natural disaster.
Threat-Probability: This analysis is the very first step that should occur within this self-assessment process. A threat is an event or adversary with the potential to cause harm, such as natural disasters, criminals, terrorists, malicious competitors, or aggressive protestors; threat-probability is the likelihood that such a threat materializes. To determine the probability of occurrence for a natural disaster, examine historical flood or hurricane data for frequency and trends. For known adversarial groups, their capability, intent and history of attack methods can be studied to determine the credibility of the threat and potential attack scenarios. To counter the internal threat of vandalism, theft or sabotage, the organization should conduct criminal, terrorist and financial-credit background checks upon initial hire and at periodic intervals throughout employment. New security counter-measures proposed or implemented as a result of this analysis should be designed based on these postulated threats.
Operational-Importance: This analysis is the second step that should occur and determines which assets are listed in the first column of the matrix. Operational-Importance is the degree to which an asset supports the overall mission of an organization. Critical assets or key business processes, if interrupted or disabled, may halt all operations, whereas lesser assets, if attacked, may have only a minimal impact on the mission. Redundant systems and spare parts to conduct timely repairs serve to reduce operational-importance. During your first organizational assessment it is important to analyze a comprehensive list of assets and business processes to ensure that all aspects of organizational risk are captured. For example, an asset that may have been considered a low-value asset at initial inspection may later be determined to be a critical component or key process within the larger context of operations. Over time, it is important to ensure that an organization’s asset list is updated and reassessed as a result of growth, restructuring, personnel changes, and/or the purchase and removal of property (i.e., land, factories, buildings) or systems.
Resiliency: Speed with which an organization can successfully recover, reorganize and reconstitute itself to resume operations after a significant security breach or natural disaster occurs. Risk scoring for this criterion is based on an inverse relationship. When an asset is considered to have a high degree of resiliency (i.e., fast recovery with minimal to no operational down-time) it will yield a lower risk score; likewise, when an asset is considered to have a low degree of resiliency (i.e., no redundant systems, no data file back-ups, no alternate site plans, etc.) it will yield a higher risk score.
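The scoring rules above (1-10 per criterion, low/moderate/high bands, RISK = V + E + C + T + O + R, resiliency entered inversely) are small enough to implement directly. The following is an added worked example, not code from Ravias Corp; the per-criterion scores of the sample assets are constructed to reproduce the totals quoted on the page (only Lab/Factory’s C = 10 and O = 10 are stated there), and the linear inversion in `resiliency_risk` is an assumption.

```python
from dataclasses import dataclass

# Score bands from the page: 1-4 low, 5-7 moderate, 8-10 high.
BANDS = ((1, 4, "low"), (5, 7, "moderate"), (8, 10, "high"))
CRITERIA = ("V", "E", "C", "T", "O", "R")

def band(score: int) -> str:
    """Map one VECTOR criterion score to its band; reject anything outside 1-10."""
    if not isinstance(score, int) or not 1 <= score <= 10:
        raise ValueError(f"score must be an integer 1-10, got {score!r}")
    for lo, hi, label in BANDS:
        if lo <= score <= hi:
            return label
    raise AssertionError("unreachable")

def resiliency_risk(resiliency: int) -> int:
    """Resiliency scores inversely: a highly resilient asset (10) contributes the
    lowest risk (1). Linear inversion is an assumption, not from the page."""
    band(resiliency)  # reuse the range check
    return 11 - resiliency

@dataclass(frozen=True)
class Asset:
    name: str
    V: int  # Vulnerability
    E: int  # Ease-of-Execution
    C: int  # Consequence
    T: int  # Threat-Probability
    O: int  # Operational-Importance
    R: int  # Resiliency, already entered as a risk contribution (low resiliency = high R)

    def risk(self) -> int:
        scores = [getattr(self, c) for c in CRITERIA]
        for s in scores:
            band(s)  # refuse to sum a row containing an out-of-range entry
        return sum(scores)  # RISK = V + E + C + T + O + R

def prioritize(assets):
    """Rank assets by total risk, highest first, with each criterion's band."""
    ranked = sorted(assets, key=lambda a: a.risk(), reverse=True)
    return [(a.name, a.risk(), {c: band(getattr(a, c)) for c in CRITERIA}) for a in ranked]

# Constructed sample matrix: totals match the page, component scores are made up.
SAMPLE = [
    Asset("Building", 7, 6, 8, 7, 8, 6),
    Asset("Firewall", 8, 7, 8, 9, 8, 7),
    Asset("Database", 8, 8, 9, 9, 9, 7),
    Asset("Patents", 9, 8, 10, 8, 9, 7),
    Asset("Lab/Factory", 8, 8, 10, 8, 10, 8),
]

if __name__ == "__main__":
    for name, total, bands in prioritize(SAMPLE):
        print(f"{name:12} {total:3} {bands}")
```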
Risk Strategies: When making risk mitigation decisions, security management should conduct cost-benefit and trade-off analysis to determine where implementation will have the greatest impact at reducing organizational risk. Once organizational risk has been prioritized within the VECTOR Matrix, security management can choose any or a combination of the following strategies when evaluating each asset.
1. Mitigate risks with counter-measures. A few examples include installing intrusion detection, closed-circuit TV, and electronic badging/identification systems; establishing restricted areas or exclusionary zones; adding new administrative/HR/security policies and procedures; providing security awareness training; and conducting perpetual vetting (i.e., ongoing, frequent security background checks) of staff with access to critical functions.
2. Accept risk if the probability of occurrence or potential impact is relatively low and within the threshold of what the organization deems to be acceptable risk.
3. Transfer risk to a third party such as an insurance company, or for larger organizations with multiple sites, risk can be transferred to another facility or geographic location that possesses less risk.
4. Avoid risk by closing or minimizing certain operations or tasks where risk factors or security implementation costs are too great.
Evaluation & Documentation: The VECTOR assessments above may be conducted by an individual security manager or owner of organizational risk. However, for best results a panel of 3 to 5 members, consisting of certified security professionals, supervisors of key business processes, and other systems or engineering experts from within the organization, should conduct comprehensive VECTOR assessments to capture all aspects of organizational risk. These findings should be documented as a baseline to build on and serve as the basis for periodic review and reassessment by security management. Additionally, all resulting documentation supporting this assessment process should be protected by the organization as critical security information.
VECTOR© Matrix is an organizational risk assessment tool developed by Ravias Corp U.S. scalable to small businesses and large enterprises within the domestic, international, public and private sectors. This model is distributed free of charge and is intended for use by certified security professionals and owners of organizational risk. For more information visit: Ravias.com
* Use the VECTOR Matrix below for your organization’s self-assessment. As necessary, use multiple forms to capture all organizational risk.