OPSEC as synonym for vulnerability management
Risk management is often more poorly understood by managers than one might imagine. The concept of risk is fairly straightforward: there are bad things that might happen; there is some likelihood of a bad thing happening; and if the bad thing happens, there are consequences. Combining these gives you the measure of risk.
Risk can be high or low. As an example of an event that has a high probability but a low risk, we can look at pens. If you have an office, people will surely wander off with your pens. The cost of this, however, is so low that it is better to buy extra pens than to implement a pen protection program.
When you know the level of risk you can make a decision to manage the risk (taking action to minimize either the likelihood or the consequence), transfer the risk (through insurance), or live with the risk. You cannot, however, eliminate the risk.
As an example, some time ago we were helping deal with the risk involved in trading swaps and derivatives. Much of the risk management came from a combination of financial models designed to maximize gain while reducing risk, and financial constraints that would limit the losses if the model failed, by capping the amount that could be committed to any one deal or by any one trader (something that was apparently sorely lacking at Barings Bank, which had been offered risk management software but didn’t feel it was worth the $50,000).
One day we lost some money, and a managing director (who knew considerably less about risk than he should have) asked how we could ensure that this didn’t happen in the future. The answer given was that we should sell refrigerators rather than exotic financial instruments, because then we would know the exact worst-case exposure we faced on each one.
Because many people appear to have a very poor understanding of risk, the OPSEC process can provide an extremely instructive operational tool. Although designed to deal with critical information, the process is one that The LUBRINCO Group extends to cover all our risk analysis, whether financial, physical, informational, or any other “-al.” Let’s start with the five pieces of the OPSEC process.
• Identify critical information
• Analyze the threat
• Analyze vulnerabilities
• Assess risk
• Apply countermeasures
If we transform this into a generic way of looking at risk we might get:
• What people, processes, or things are critical to our business?
• What bad things could happen to these people, processes, or things?
• How can these bad things happen to our people, processes, or things?
• Given the probability of these things happening, how much risk do we face and need to deal with?
• What should we do about it?
In the real world, a countermeasure taken against one threat to a critical asset will often take care of many other threats to it as well. As an example, if you are dependent on computers, you may decide that keeping off-site backups is all you need. If your building is washed away in a flood, burned to the ground by an arsonist, flattened by a hurricane or earthquake, or carried away by a tornado, it won’t matter: you will eventually buy a new computer, reinstall the software, and be back in business. If you need to be back in business soon, you might have one or more redundant computers in various locations, so that a problem affecting a wide geographical region won’t bother you. In any case, if you don’t deal much with risk, the formalized structure of the OPSEC process will give you the mindset to do so. It will allow you, as a business professional, to identify, quantify, and thus manage risk.