Security's Role in Enterprise Risk Management
My grandson Randy called me this morning to let me know that he and two of his buddies would be leaving later in the day to drive from Atlanta to Las Vegas. Randy's barely 21 and he's known to have done unwise things in his short life, so I told him to be careful because a long drive like that was risky. He assured me he would. When I hung up I pondered on the word "risky." The risk in this case is that the car could crash and that Randy could be injured or killed (God forbid).
In security-speak, Randy is the asset and a traffic crash is the threat. If Randy would let me, I'd manage this risk by keeping him home or canceling the trip. The first option, keeping him home, moves the asset out of the threat's reach. The second option, canceling the trip, eliminates the threat itself. Simply stated, risk is a function of two variables, asset and threat; remove either one and the risk disappears. Between those extremes, risk rises and falls as the relationship between asset and threat changes: a more valuable or more exposed asset, or a more likely or more damaging threat, means more risk. The implication for the chief security officer of an enterprise is that protective measures must be adjusted as risk changes, not set once and left alone. We see the principle in action when DHS informs the nation (the asset) of a possible terrorist act (the threat) and protective measures are stepped up accordingly.
Characteristics of the Asset
Risk assessment begins to get complicated when we characterize the asset. To do so, we ask a three-part question: if the asset were lost, damaged or destroyed, what would be the probable impact on human life, on physical property and on process? When the asset is life, we can count the number of people likely to be killed or injured in particular ways, and we can express the probable impact in dollars because actuarial groups have calculated the dollar value of a life, as well as of limbs and bodily functions.
As to the impact on physical property, the dollar cost of repair or replacement is usually well known.
Determining probable impact on process is a bit more complicated. Process is a combination of work activities that perform a function. In a manufacturing setting, process can be a series of activities that construct a product on an assembly line; in an information technology environment, process can produce decision-related information by electronic manipulation of data.
Loss of process can be minor, such as a partial and temporary interruption, or major, such as a total and permanent shutdown. The loss-of-process impact is measured as the dollars spent returning the process to normal operation plus the dollars of revenue lost in the meantime from sales not made.