Principal Sponsor
Sponsors
Lead Authors & Editors: Dr. Miles Jakeman & Julian Talbot
Graphics for Public Use
SRMBOK Framework (diagram)
Security-In-Depth (hierarchy of controls): Eliminate, Substitute, Isolate, Engineer, Administrative Controls, Personal Protection
Asset Areas: Physical, Property, People, Information, Information & Communication Technologies, Capability
Enablers: Regulation and Policy, Training and Education, Operations and Application, Governance and Oversight, Sustainability and Resilience
Strategic Knowledge Areas: Exposure, Risk, Resource, ‘Quality’
Operational Competency Areas: Integration, Design, Application, Assurance
Activity Areas (SRM Integration): Intelligence, Protective Security, Incident Response, Recovery & Continuity
Practice Areas: Physical Security, People Security, ICT Security, Information Security, Security Management
SRM & RM
DEFINED TERMS and RELATIONSHIPS (bow-tie diagram)
Sequence: Source → Threats / Hazard → Risk Event → Consequence → Effect
Left of the event (Likelihood Management): Threat Barriers, with Escalation Factors and Escalation Controls
Right of the event (Consequence Management): Consequence Barriers, with Escalation Factors and Escalation Controls
Sample of integrated arrangements (diagram): RESILIENCE built from Capabilities and Functions across People, Information, Physical and ICT, within the Operating Environment.
Security In Depth: Hierarchy of Controls applied to ASSETS (Source: NOHSC)
Eliminate, Substitute, Isolate, Engineer, Administrative Controls, Personal Protection
OIL EXPLORATION EXAMPLE
• E (Eliminate): Don’t explore for oil
• S (Substitute): Mauritania not Iraq
• I (Isolate): Staff in remote areas not city
• E (Engineer): Fence, gates, armoured vehicles
• A (Administrative Controls): Policies, travel safety training
• P (Personal Protection): Bullet-proof vests
PRACTICE AREAS: Physical Security, People Security, ICT Security, Information Security, Security Management
SRM QUADRUPLE CONSTRAINTS: Risk, Exposure, Resources, Quality
As Low As Reasonably Practicable: Magnitude of Risk
• Intolerable levels of risk: Adverse risks are intolerable whatever the benefits, and risk mitigation measures are essential at any cost if the activity is to continue.
• As Low as Reasonably Practicable: A level of risk that is tolerable and cannot be reduced further without expenditure of costs disproportionate to the benefit gained, or where the solution is impractical to implement.
• Ideal levels of risk: Risks are negligible, or so small that they can be managed by routine procedures and no additional risk treatment measures are needed.
Figure: ALARP bands (Intolerable, ALARP, Tolerable) on a scale of increasing risk against increasing cost; Cost/Benefit of Mitigation plotted against Risk.
Cost / Benefit ALARP
“A level of risk that is tolerable and cannot be reduced further without the expenditure of costs that are disproportionate to the benefit gained or where the solution is impractical to implement”
Figure: Cost ($, Resources, Effort) plotted against Level of Risk / Magnitude of Risk.
Figure: Risk Equilibrium (Optimal Trade-Off): scale from Lower Risk to Higher Risk with bands Intolerable, ALARP and Tolerable; dimensions Exposure, Resources and Quality. Resources and Quality in appropriate proportion to the Exposures for an end result of risk ALARP.
Exposure: Opportunities and threats in the prevailing environment (both known and unknown) that an entity could interact with.
Quality: The degree to which a set of inherent characteristics fulfils requirements.
Risk rating matrix: likelihood (Historical / Probability, rows) against consequence (columns)
                 Insignificant  Negligible  Moderate  Extensive  Significant
Almost Certain         6             7          8          9          10
Likely                 5             6          7          8           9
Possible               4             5          6          7           8
Unlikely               3             4          5          6           7
Rare                   2             3          4          5           6
Figure: Risk Equilibrium (Optimal Trade-Off). Three bar charts on a 2 to 10 scale from Lower Risk to Higher Risk, each showing Resources, Quality, Exposure and Risk against Magnitude of Risk:
• Risk Equilibrium (Optimal Trade-Off)
• Risk High if Resources & Quality Low
• Resources High but Quality Low
Figure: KNOWLEDGE AREAS (Risk, Exposure, Resources, Quality) with Reduce and Increase arrows.
COMPETENCY AREAS: Business Integration, Functional Design, Implementation Assurance
SRM INTEGRATION: Strategic Knowledge Areas, Operational Competency Areas, SRM Integration
ACTIVITY AREAS
SRMBOK Activity Areas: Intelligence, Protective Security, Incident Response, Recovery & Continuity
BowTie Model: Threats / Hazard → Event → Consequence → Effect
PPRR Model: Planning, Preparation, Response, Recovery
Bow Tie / ESIEAP IP Example (diagram)
Elements shown on the bow-tie: Hacking Attack, Criminals, WWW Portal, Data Loss, Hacking, Bankruptcy
ESIEAP controls:
• E (Eliminate): Eliminate need to hold sensitive information
• S (Substitute): Substitute open source or less sensitive material
• I (Isolate): Maintain secrecy or in secret location
• E (Engineer): Firewall, backups in safe, etc.
• A (Administrative): Password policies, training, etc.
• P (Personal protection): Patents, legal defence, file encryption
Grid: Activity Areas (Intelligence, Protective Security, Incident Response, Recovery & Continuity) against Practice Areas (Physical Security, People Security, ICT Security, Information Security, Security Management)
The grid populated with example roles and tasks: Project Managers / Project Management, Recover Class. Docs., Access Control, Psychologists, Technicians, Peer Support Training, Restore Networks, Intelligence Professionals, Fraud Analysts, Investigators, Prison Officers, Decryption Specialists, Incident Controller / Incident Control, Public Affairs, Firefighters, First Aider / First Aid, Emergency Comms, Chief Security Officer, IT Security Advisers, Close Personal Protection, Vetting Officer, Firewall Programmer
Links with Bow-Tie (diagram): Threats / Hazard → Event → Consequence → Effect
ASSET AREAS: Physical, Property, People, Information, Information & Communication Technologies, Capability
SRM ENABLERS: Regulation and Policy, Training and Education, Operations and Application, Governance & Supervision, Sustainability & Resilience
PICTURES PAINT A…
SRMBOK Elements of the Security Risk Management Process (diagram, based on AS/NZS 4360:2004)
Process steps: Establish Context → Identify Risks → Analyse Risks → Evaluate Risks → Treat Risks, with Communicate and Consult and Monitor and Review running alongside every step, within the INTERNAL / EXTERNAL ENVIRONMENT.
Supporting activities shown: Establish Security Criteria, Assess Existing Controls, Document 'Risk Statement'
Risk treatment options: Avoid the Risk, Change Likelihood, Change Consequence, Share the Risk, Retain the Risk; what remains is Residual Risk.
Targets and Hazards: factors shown are Asset Attributes, Hazard Attributes, Threat Actor Attributes, Threat Actor Motivation, Temporal Qualities, Intent, Capability, Asset Targetability, Vulnerability, Accessibility (of target), Availability, Criticality, Recover-ability, Recognis-ability, Exposure (Duration), Suitability, Deployability, Desire, Confidence, Resources, Knowledge, Effectiveness, Opportunity.
Analysis chain: Threat (Intelligence based), Likelihood (and/or Probability), Consequence ('Shock'), Impact → Risk Rating → Risk Prioritisation → Risk Treatment Options
ESIEAP (in order of preference): Eliminate the risk, Substitute the risk, Isolate the asset, Engineering controls, Administrative controls, Personal Protective Equip.
SRM Maturity Model
• Level 1 - INITIAL: Compliance approach with minimal or excessive ad hoc reactive practices, and little awareness of SRM benefits
• Level 2 - BASIC: Informal or unstructured SRM systems which are focussed on loss prevention and threat mitigation
• Level 3 - REPEATABLE: Structured SRM built into routine management processes with evident awareness of benefits at all levels
• Level 4 - OPTIMISING: Proactive SRM, resilience & opportunity realisation practiced at all levels as part of competitive advantage
Application (diagram). Elements: Organisational Goals; Vision & Mission; Direction; Execution; Security Risk Assessment; Implementation; Training; Application-layer artefacts (Policy, Procedures, Security Instructions, Tools, Templates, etc., Systems); Report, Monitor, Review.
Enterprise Security Specifications (1)
Security Measure / Area Type against Threat/Risk Level (Low, Moderate, Medium, High, Extreme)
Building Protection
• Low: *SHOULD Commercial grade alarm
• Moderate: MANDATORY Commercial alarm - monitored
• Medium: MANDATORY Commercial alarm - monitored
• High: MANDATORY Encrypted alarm - monitored
• Extreme: MANDATORY Encrypted alarm – encrypted monitoring
Intruder Resistant Area: Encrypted Alarm system & peripherals
Secure Room: Type 1 Alarm system & peripherals
NOTES:
* Sensor-activated halogen flood lighting should be installed at both the front and rear of the office/residence to illuminate the immediate grounds area. A command switch for the lighting shall be installed within the house for manual override or for manual use of the lighting.
** For all Encrypted Intruder Alarm Systems (IAS): Detectors should cover all entrance and exit points. All perimeter doors should be protected with balanced magnetic reed switches. All SAS hardware is to be located in the controlled perimeter. A Man-Machine Interface (keypad) should be located within the residence in close proximity to the main entry door, and should provide for a 30-second delay on entry/exit. If power is lost to the residence, an uninterrupted power supply (UPS) or battery back-up system should be used to provide power to the SAS for a minimum of four (4) hours. The SAS should be monitored by a host country accredited monitoring station, in accordance with Australian Standard (AS) 2201 or an equivalent specification. There should be written procedures in place in the event of an alarm. These may vary in accordance with operational requirements, but they must encompass instructions on contacting the staff and families, and a suitable response. Contingency plans should be put in place in the event of failure of the Type 1 SAS.
Enterprise Security Specifications (2)
THREAT LEVELS 1 to 5 (columns); rows VC, IMG, PMV, Esp.
Intruder Alarm System
• VC: S, M, M, M, M-Crypt
• IMG: S, M, M, M-Crypt
• PMV: S, M, M, M-Crypt
• Esp.: S, M, M-Crypt, M-Crypt, M-Crypt
Window Treatments
• VC: S1, S2, 2343-R1, 2343-R2, 2343-R2
• IMG: S, 2343-R1, 2343-R2, 2343-R2
• PMV: S, 2343-R1, 2343-R2, 2343-R2
• Esp.: S, S, M, 2343-G0
Locks
• VC: M, M, M10, M11, M12
• IMG: M, M, M10, M11, M11
• PMV: M, M, M10, M11, M11
• Esp.: M, M, M10, M11, M12
10 Pick-resistant hardened
11 Pick-resistant hardened, controlled profile
12 Pick-resistant hardened, restricted profile, organisation-endorsed
Enterprise Security Postures
SAFETY MEASURE against Alert Level 1 to 5
Briefings
• Level 1: Upon induction/recruitment plus on an annual basis, all staff are to be briefed on local security plans and on protective security measures/practices. Intelligence & Staff Safety summaries provided on each country as required, but no less than quarterly.
• Level 2: All staff to be briefed on change of Alert Level and threat where known. All staff to be reminded to be vigilant/inquisitive about strangers, to watch out for unidentified or unattended packages and vehicles. Monthly Intelligence & Staff Safety summaries provided on each country.
• Level 3: All staff to be briefed on change of Alert Level and threat where known. All staff to be advised of contingency and emergency response plans, and reminded to be particularly vigilant. Intelligence & Staff Safety summaries provided on each country as required but not less than weekly.
• Level 4: All staff to be briefed on change of Alert Level and specific threat. Intelligence & Staff Safety summaries provided on each country as required but not less than bi-weekly.
• Level 5: All staff to be briefed on change of Alert Level and specific threat. Intelligence & Staff Safety summaries provided on each country as required but not less than daily.
Uniform
• Level 1: No restrictions on the wearing of uniform except that security passes are not to be worn outside of airports.
• Level 2: No restrictions on the wearing of uniform except that security passes are not to be worn outside of airports.
• Level 3: No security restrictions on the wearing of uniform, unless the cabin crew manager imposes local restrictions.
• Level 4: No uniforms to be worn outside of airport precincts. Staff are to change within designated lounges.
• Level 5: Consider cancelling flights until Alert Level lowers. Otherwise as per Alert Level 4.
Swiss Cheese Theory (diagram)
Layers and their contributing factors:
• Organisational Influences: Resource/Acquisition Management, Organisational Climate, Organisational Process
• Oversight (Supervision & Oversight): Inadequate Supervision, Planned Inappropriate Operations, Fail to Correct Known Problem, Supervisory Violations
• Pre-Conditions: Environmental Factors, Condition of Individuals, Personnel Factors
• Inappropriate Acts (Inappropriate Behaviours): Error, Deliberate Act
Worked example of Failed or Absent Barriers:
• Organisational Influences: Culture of rule breaking and inadequate selection / training for managers & staff
• Supervision & Oversight: Inadequate management intervention and training (procurement & security)
• Pre-Conditions: Air-con failed in warm weather due to inadequate maintenance contract
• Inappropriate Behaviours: Door left open on a warm day
Intellectual Property Rights and Copyright
These SRMBOK slides and graphics are provided for public and corporate use to assist in consistency of presentation. They may only be used in accordance with the following terms:
• Use of the material must acknowledge and identify RMIA and JBS as its owners and developers. Subscriber organisations or RMIA members have the right to adapt the product, and could do a self-assessment on their own or engage the services of consultants to help them carry out an assessment. Any adaptation must still continue to acknowledge and identify RMIA and JBS as the source of this product.
• The material may not be copied and furnished to others without the express written permission of RMIA, except as needed for the purpose of research as permitted under copyright legislation.
• The material is provided on an "as is" basis. RMIA disclaims all warranties, express or implied, including but not limited to any warranty that the use of the information herein will not infringe any rights or any implied warranties of merchantability or fitness for a particular purpose.
• Further information on SRMBOK procedures with respect to rights in RMIA specifications can be found at www.srmbok.com. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification, can be obtained from the RMIA President.