Rick Mounfield MSC CSyP FSyI, Director, Optimal Risk Group discusses reliable risk data sourcing through penetration testing.
As humans, we all have an innate ability to perceive risks. It’s called intuition, developed through human evolution over millennia.
Some people trust their intuition and others are unaware of why they feel uneasy about a given situation. Our species has outperformed other animals over time because of the intelligent approach we take to considering what is over the horizon in terms of risk.
As a result of multiple experiences, we have evolved to cope with risk, and we learn from bad outcomes to become more resilient, or even anti-fragile, should that risk event ever occur again. In his book ‘Antifragile’, Nassim Taleb suggests that a resilient business is unchanged by a risk event; it is resilient to the impact of the risk.
However, Taleb goes on to state that a business that is anti-fragile will rebound stronger than it was before the event. In this article, I will recommend to you the benefit of risk and vulnerability simulation and the lessons that can be learned from the lived experience of a risk event in a controlled environment: the penetration test.
The risk equation
The fast-thinking response to a dynamic risk is different from the considered, slow-thinking response that is required to pre-empt a potential risk. Statistics in security risk management allow professionals to make assumptions about the likelihood of a risk event affecting their business.
This being said, because statistics depend on so many factors, no two situations can be directly compared. “Statistical representations are inherently generalisations and probabilities do not imply certainty for a given situation,” claims Carl S Young in his book ‘Metrics and Methods for Security Risk Management’.
Each scenario is somewhat unique as players do not react the same way even under virtually identical conditions. Therefore, it is vital that both human experience and science inform judgements in assessing the totality of risk.
Security Risk (Threat) = Likelihood x Vulnerability x Impact. This is a well-known equation in our world: the fundamental expression of risk.
Vulnerability is usually the focus of mitigation strategies, and security professionals are used to identifying improvements to reduce it, but they often find it harder to convince the business that the cost or change to operations is justified by the likelihood of that event occurring, even when the impact is obvious.
Perhaps, claims Young, we should use the phrase “potential for occurrence” instead of “likelihood”. This resonates with me, and I believe that in the risk journey, physical penetration exercises can help to highlight the actual outcome of an event that could potentially impact your business.
The “Risk Journey” is a term I first heard when I wrote the foreword for Charlie Swanson’s second book which will be published later this year.
In the book, Swanson creates a template for risk management that starts with the threat and vulnerability assessment. It then takes those identified threats and assesses the asset to confirm that it will cope with those risk events occurring. An implementation and audit regime follows, to tweak the security posture as required.
Here’s a thought, though: what if you could take your identified vulnerabilities and design a team to physically test the reactions of security staff, the physical measures and the response by senior executives to a breach matching a stated risk event, so that you know what the outcome would be without the damaging effects of a real-life event?
That allows a tailored design of security, specific to the actions and inactions revealed in the exercise. The physical and/or cyber penetration test is a powerful tool in assessing your security posture.
Most people learn best through experiential exercises; a picture paints a thousand words. The UK government understands this, and in 2019 the Cabinet Office created a working group backed by The Security Institute and CREST, the owners of the CREST Approved Cyber Pen Test register of competent companies, to create the equivalent in Physical Penetration Testing (PPT).
The Security Institute gathered expertise from within its membership and CREST advised on the format of their register and how the PPT register could marry in with the existing expertise. The aim was to provide a register of competent physical penetration testing companies and individuals with skills that complement the phases of the exercise.
The COVID-19 pandemic did have an impact on delivery but on behalf of The Security Institute, Mike O’Neill CSyP FSyI and Hayley Elvins MSyI demonstrated great tenacity in leading the working group and keeping the momentum going.
With all the competencies and due diligence checks in place, the physical penetration testing register is ready to launch.
Companies and individuals will be eligible to apply for admission to the register. As with cyber penetration testing, evidence of training and experience will be required for peer review. There are different disciplines to consider beyond the actual exercise itself.
Surveillance expertise as well as social engineering skills form part of the register. There is even a QNUK-accredited Level 4 Physical Penetration Tester course available for those who wish to upskill into a new and exciting career branch.
CREST will be responsible for the management and onboarding of companies wishing to be recognised as a CREST Approved Physical Penetration Testing company.
The Security Institute will manage the register of individuals who want to be considered for contracts with CREST approved companies.
Together, this will create a trusted source of suitably qualified and experienced (SQEP) professionals who will be eligible for government contracts in pen testing non-critical national infrastructure estates, as well as for corporate clients who need to know who is exercising an attack on their property. Combined with the cyber pen test operators, this converges cyber, physical and personnel security considerations in a holistic manner that fits well into the risk journey.
If you are a security manager who wishes to understand the response to a vulnerability scenario, why would you seek support from a company not on the register? If you are a surveillance operator, a close protection operator or a security officer who understands how security can be defeated, why not upskill on the Pen Test course?
Ultimately, it’s another revenue stream that adds value to your personal brand: another tool in your security toolbox.
For more information, visit: optimalrisk.com
This article was originally published in the July 2022 edition of Security Journal UK.