T H R E AT A S S E S S M E N T A N D R I S K A N A LY S I S T H R E AT A S S E S S M E N T A N D R I S K A N A LY S I S An Applied Approach GREGORY ALLEN RACHEL DERR AMSTERDAM • BOSTON • HEIDELBERG • LONDON • NEW YORK • OXFORD PARIS • SAN DIEGO • SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO Butterworth Heinemann is an imprint of Elsevier Acquiring Editor: Tom Stover Editorial Project Manager: Hilary Carr Project Manager: Priya Kumaraguruparan Cover Designer: Mark Rogers Butterworth Heinemann is an imprint of Elsevier The Boulevard, Langford Lane, Kidlington, Oxford OX5 1GB, UK 225 Wyman Street, Waltham, MA 02451, USA Copyright © 2016 Elsevier Inc All rights reserved No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher Details on how to seek permission, further information about the Publisher’s permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein) Notices Knowledge and best practice in this field are constantly changing As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein ISBN: 978-0-12-802224-5 British Library Cataloguing-in-Publication Data A catalogue record for this book is available from the British Library Library of Congress Cataloging-in-Publication Data A catalog record for this book is available from the Library of Congress For Information on all Butterworth Heinemann publications visit our website at http://store.elsevier.com/ INTRODUCTION TO THE DEPARTMENT OF HOMELAND SECURITY Gregory Allen CHAPTER OUTLINE Introduction 2 Homeland Security Platform  Risk Analysis and Management for Critical Asset Protection  Asset Characterization and Screening  Threat Characterization  Consequence Analysis  Vulnerability Analysis  Threat Assessment  Risk Assessment  Homeland Security Act of 2002  Homeland Security Presidential Directives  Abstract The Department of Homeland Security (DHS) has set the framework and best practices for all security professionals This chapter outlines different parts of the DHS organization and the importance of each area of homeland security risk management Central to this policy are the premises that security partners can most effectively manage risk by working together and that management capabilities must be built, sustained, and integrated with federal, state, local, tribal, territorial, nongovernmental, and private sector homeland security partners Although successful integration requires implementation across the entire homeland security enterprise, the DHS plays an essential role in leading the unified effort to manage risks to the nation from a diverse and complex set of hazards, including acts of terrorism, natural and human-made disasters, pandemics, cyber attacks, and transnational crime Threat Assessment and Risk Analysis DOI: http://dx.doi.org/10.1016/B978-0-12-802224-5.00001-4 © 2016 2014 Elsevier Inc All rights reserved 2  Chapter 1  Introduction to the Department of Homeland Security Keywords: Department of Homeland Security (DHS), Central Intelligence Agency (CIA), Federal Bureau of Investigation (FBI), Transportation Security Administration (TSA), Risk Analysis and Management for Critical Asset Protection (RAMCAP), asset characterization, threat characterization, consequence, vulnerability, threat, risk, Homeland Security Act of 2002, Homeland Security Presidential Directives (HSPD), National Incident Management System (NIMS), Federal Emergency Management Agency (FEMA), National Continuity Policy Introduction The Department of Homeland Security (DHS) has set the framework and best practices for all security professionals This chapter outlines different parts of DHS and the importance of each area of homeland security risk management According to the Homeland Security Risk Management Doctrine: …In May 2010, the Secretary of Homeland Security established a Policy for Integrated Risk Management (IRM) Central to this policy is the premise that security partners can most effectively manage risk by working together, and that management capabilities must be built, sustained, and integrated with Federal, state, local, tribal, territorial, nongovernmental, and private sector homeland security partners While successful integration requires implementation across the entire homeland security enterprise, the Department of Homeland Security (DHS) plays an essential role in leading the unified effort to manage risks to the Nation from a diverse and complex set of hazards, including acts of terrorism, natural and manmade disasters, pandemics, cyber attacks, and transnational crime.1 Homeland Security Platform Before learning about risk itself, it is a good idea to understand how everything is placed together to form the mindset of risk analysis and organizational security Terrorism has been around for at least hundreds, if not thousands, of years, and we have all read about terrorist attacks around the world and the destruction caused and lives they have taken But not until the 1993 World Trade Center bombing did Americans realize that terrorism could be directed against us and even occur on our own soil This definitely should have been a  Beers, 2011 Chapter 1  Introduction to the Department of Homeland Security  wakeup call; however, it was not until the September 9/11 bombings that we realized that international terrorism is as much of a threat as domestic terrorism Intelligence agencies across the world failed to protect us, and nearly 3000 lives were taken in an act that should have been prevented More lives would have been lost if it were not for Rick Rescorla, director of security for Morgan Stanley, who made employees working in the Twin Towers at the World Trade Center practice an emergency evacuation plan on a monthly basis, for years prior to the attack His forethought singlehandedly saved all of his employees’ lives, yet he died in the attacks At least one person tried to be prepared for such a horrific event As a result of this event, we realized not only that our intelligence community was not prepared to protect our nation but also that our law enforcement community had not been informed of the terrorist activity leading up to the attacks The 19 terrorists involved in the bombings had performed their own due diligence regarding soft and hard areas to attack that would make an immediate impact on this country without being noticed We discovered that the terrorists lived in the Las Vegas, Nevada, area for months in hopes of attacking the city and placing stress on the city’s financial sector However, they learned that Las Vegas was an expendable money city, and an attack would not be financially crippling During this time, terrorists were stopped by local and state police for traffic violations, but there was no hint of any terrorist activity or movement The 9/11 attack could have been stopped if our intelligence community had obtained information on these activities However, this was not the case, and the attacks showed other countries our vulnerabilities and incapability to handle such events on our own soil The U.S DHS was created and founded on November 25, 2002, in response to the 9/11 attacks This agency’s purpose is to protect the homeland of the United States and U.S territories DHS is one of the most important agencies in the country because it is responsible for responding to terrorist attacks, natural disasters, and man-made accidents Before the attacks on 9/11, most of the U.S population believed that we were unbeatable and unaffected by attacks occurring in other countries The 9/11 attacks opened many Americans’ eyes— and the federal government’s—to our vulnerability The DHS was created to thwart further attacks on the United States and its territories Before 9/11, most local, state, and federal agencies did not communicate with each other to share information about illegal activities, let  alone terrorists’ movements These were agencies such as the Central Intelligence Agency (CIA); Federal Bureau of Investigation (FBI); and Bureau of Alcohol, Tobacco, 4  Chapter 1  Introduction to the Department of Homeland Security Firearms and Explosives (ATF) Prior to 9/11 limited information was shared between agencies on terrorist activities or the collaboration of terrorist investigations If more information would have been shared the likelihood of the 9/11 attacks may not have occurred The DHS was put into place as an effort to centralize all information-sharing initiatives from agencies, such as the FBI, CIA, ATF, and other defense agencies within the United States The intent was to defend our borders more effectively against further attacks Some have questioned the effectiveness of DHS because we have not had another foreign terrorist attack on US soil, but others suggest this is due to the presence of this department and that it has worked to plan The American people have noticed some inconsistencies in the DHS approach to national security (e.g., changes in the Transportation Security Administration [TSA] procedures) However, changes are constantly being made in the hopes of seeing examples of proper protection of this nation Although our efforts need to be accurate 100% of the time, a terrorist attack only has to be right once for a disaster to occur Risk Analysis and Management for Critical Asset Protection Another framework to address is Risk Analysis and Management for Critical Asset Protection (RAMCAP) RAMCAP is used for risk analysis and management associated with terrorist attacks on critical infrastructure assets RAMCAP provides users with a consistent and sound methodology to identify, analyze, qualify, and communicate the various characteristics and impacts terrorists may use to identify targets and methods of attack This process is primarily used to identify security vulnerabilities but it also provides methods to evaluate what can be done to improve these weaknesses RAMCAP is simple, yet transparent, and an effective tool to help our nation’s critical infrastructure sectors, whether public or private It allows us to compare and contrast risks at any level or in any sector and is adaptable to the strengths and weaknesses presented It looks at alternative pathways to achieve objectives needed for a positive result This process can be used by business owners and operators to assess the consequences and vulnerabilities related to terrorist attacks on their infrastructures It can also give them the guidance to assess and evaluate risk through a common framework, and it provides an efficient mechanism to both the public and private sectors to report risks to DHS This reporting is an important issue because it gives the baseline for risk assessment and the tools needed Chapter 1  Introduction to the Department of Homeland Security  to protect our critical infrastructure These efforts will foster the development and distribution of more refined methods for improving the quality and consistency of risk assessment If we look back, even before the 9/11 attacks, risk analysis methods were used in the past; however, after the attacks, they were used even more but not to the extent that we had expected Both the public and private sectors have used RAMCAP based on the aspects of applying risk to terrorism and homeland security The RAMCAP methods were developed for the application of protecting our critical infrastructure by using a general and broad-based approach RAMCAP has both a qualitative and quantitative framework and is intended to incorporate a cooperative effort with both the public and private sectors Each partner, no matter what the level, has different goals, and by working together, each participant has information that is valuable to the others No sector is in the position to know all of another’s vital information, even that which is important to risk assessment The same goes for any facility or system in understanding the intentions or capabilities of a terrorist movement By working together and sharing information and knowledge through the use of RAMCAP, participants are able to achieve their goals At any time, RAMCAP can assist with all different types of processes needed to gain the results important to a terrorist movement RAMCAP is comprised of six interrelated steps of analysis They are as follows Asset Characterization and Screening Asset characterization and screening is analysis of a facility’s or system’s operational process for the identification of critical assets and hazards while performing a preliminary evaluation of a terrorist act Threat Characterization Threat characterization is the identification of specific and general aspects of a terrorist attacks on a given target DHS has compiled a set of baseline threats that are evaluated for each asset or system Known threats are formed by the collaborative activities of law enforcement agencies and intelligence organizations that are in charge of understanding the means, methods, and motivations of terrorists This evaluation is based on the various types of threats that are present These partners can then apply these threats to the facility or system based on knowledge of those assets Not all threats result in the formation of assets 6  Chapter 1  Introduction to the Department of Homeland Security Consequence Analysis Consequence analysis is the identification of the worst consequences that could be generated by a certain threat This step looks at facility and system design, layout, and operations to identify the types of consequences that could result These consequences can be qualified as financial costs, as well as fatalities and injuries They can also cause psychological impacts and effects on our nation Vulnerability Analysis Vulnerability analysis is the determination of the likelihood of a successful attack by using certain threats on an exact asset This process involves the evaluation of security capabilities, countermeasures, and mitigation in the effort to lessen the probability of a successful attack Threat Assessment Threat assessment involves two steps The first is the evaluation of asset attractiveness and a full threat assessment This asset assessment is perceived to give value to terrorist attacks on a given facility or system and the value of deterrence on that target These assessments are made by the owner or operators of that target The threat assessment is conducted by DHS as it looks at how attractive a target is and at terrorists’ capabilities and intent Risk Assessment Risk assessment is a systematic and comprehensive evaluation of previously developed data that was gathered for a specific facility or system The partners create a foundation for the selection of strategies and tactics to defend against terrorism on any level Risk management is a deliberate process of understanding risk and making a decision on implementing a plan to achieve an acceptable level of risk at a cost Risk management includes identification, evaluation, and the control of risk to the level of accepted value Many assets are considered critical to DHS and those organizations that are required to follow federal compliance policies are required to complete a vulnerability assessment This depends on a conditional risk assessment that an attack will occur All data are gathered and evaluated for possible deterrence of future potential attacks From this process, DHS has the information needed to effectively allocate proper resources for risk reduction of terrorism on a national scale Homeland Security Act of 2002 The primary purposes of the creation of the Homeland Security Act were to prevent terrorist attacks within the United States, reduce Chapter 1  Introduction to the Department of Homeland Security  the vulnerability of the United States to terrorism, and minimize the damage and assist with the recovery from any attack on our soil Based on the Homeland Security Act of 2002, Congress created a standalone entity to unify our national homeland security efforts DHS was created through 22 different agencies within the federal government Shortly after the 9/11 attacks, Tom Ridge was appointed the first director of DHS as the office coordinated efforts in protecting our country through a comprehensive strategy against terrorism and other attacks DHS officially opened its doors on March 1, 2003 On February 15, 2005, former DHS Secretary Michael Chertoff initiated a Second Stage Review to evaluate DHS’s operations, policies, and procedures More than 250 members of the organization and 18 action teams contributed to the effort The teams also worked with public and private sector partners, which resulted in a significant reorganization of the department In 2010, Secretary Janet Napolitano completed the first ever Quadrennial Homeland Security Review, which created a more unified, strategic framework for homeland security missions and goals When this occurred, DHS conducted a bottoms-up review to align all departments with the missions and goals that had been put into place With this review, all of the public and private sector partners were brought together for a better understanding of a unified approach to national security, with the primary purpose of protecting our homeland Homeland Security Presidential Directives Homeland Security Presidential Directives (HSPD) are issued by the presiding president on issues regarding homeland security There are presently three directives affecting the role of our emergency response system The following are some of the 25 directives that have been issued: HSPD-5: The Management of Domestic Incidents establishes a single, comprehensive National Incident Management System (NIMS) and National Response Framework HSPD-7: Critical Infrastructure Identification, Prioritization and Protection requires federal agencies to coordinate the protection of crucial infrastructure and other key resources For example, the Environmental Protection Agency (EPA) is responsible for our drinking water and water treatment systems HSPD-8: National Preparedness directs the federal government’s agencies and departments to be prepared and able to respond to national direct attacks where they occur in the United States The Federal Emergency Management Agency (FEMA) provides assistance when needed 132  Chapter 11  Mitigation and Preparedness Do not make unified command overly complicated or formal Prepare to deal with issues associated with sharing of (sensitive) information ● Better notification and alert procedures may be needed Clearly, emergency response drills and simulation exercises are worth the effort Exercises help evaluate an organization’s capability to execute one or more portions of its response plan or contingency plan, and research has shown that people respond to an emergency in the way that they have trained ● ● EMERGENCY ACTION PLANS 12 Gregory Allen CHAPTER OUTLINE Introduction 133 Evacuation Procedures, Escape Routes, and Floor Plans  135 Accounting for Everyone After Implementing an Emergency Action Plan  136 Emergencies Outside of the Building  136 Reporting and Alerting Authorities  136 Alerting Staff and Visitors of an Emergency  137 Notifying Next of Kin  137 Identifying a Media Contact Person  138 Training New Staff  138 Policies for Updating and Maintaining the Emergency Action Plan  139 Abstract This chapter outlines the importance of an organization’s Emergency Action Plan An emergency action plan assists an organization in preparing for the worst case scenario This chapter will cover from evacuation of a facility, making sure the scene is safe outside of a facility prior to an evacuation, emergency response procedures, notification procedures of emergency personnel, executive staff, and next of kin Keywords: Emergency Action Plan (EAP), OSHA, Disaster, Emergency, Planning, Evacuation, Escape route, Floor plan, Communication, Notification system Introduction An emergency action plan (EAP) is a strategy that is developed by an organization to comply with the Occupational Safety and Health Administration’s (OSHA’s) policies to help prepare employees to Threat Assessment and Risk Analysis DOI: http://dx.doi.org/10.1016/B978-0-12-802224-5.00013-0 © 2016 2014 Elsevier Inc All rights reserved 133 134  Chapter 12  Emergency Action Plans respond to emergency situations The plan is designed to minimize loss of life, reduce injury, and train employees to have the right resources, properly train peers, and assign responsibilities during an emergency Emergency action plans should be designed to address both natural and human-made disasters that could disrupt the workplace These can include terrorist attacks, fires, explosions, hurricanes, tornadoes, toxic material releases, radiologic and biologic accidents, civil disturbances, and workplace violence As you prepare yourself for a disaster, for each incident, you must ask yourself: What would you in case of an emergency, and what would you if the emergency impacts your business operations? You must prepare yourself, as well as other employees, with the resources needed to handle any disaster that comes your way A well-documented EAP can be a valuable tool to reduce adverse impact on your operation All plans should include tools and resources specific to the business and should cover potential situations your organization may face A thorough analysis and description of your organization’s operations and site locations, as well as careful planning for each possible emergency, must be performed Customize your plan to suit your operation as well as each potential emergency Continuous training before an emergency occurs is a critical step for a successful end result Thorough training is recommended for all employees who could be affected during an emergency The first step in creating an EAP is to conduct a risk assessment When conducting an assessment, make sure you address all possible events that your organization could face You are wasting time if you not have a proper process for this in place With lost time, you could lose lives, as well as vital business operations After you identify risks, you can begin planning how to avoid or reduce the impact of those disasters Each potential threat must be explored to recognize the possible impact it could have For example, if you had an information technology failure that disrupts your operations, it could take hours or longer to fix and would result in a loss of business You need to look at each risk and worst-case scenario and calculate what it would cost the company during the time of disruption An easy way of looking at the risk assessment process is to look at all possible hazards and whether they directly or indirectly affect your organization, as well as the likelihood of their occurrence You then need to calculate what impact a disaster could have on the organization, both on human life and infrastructure This is why risk mitigation is so important in planning for the unknown One example of an EAP is from Morgan Stanley, a financial services firm formerly located in the south tower of the World Trade Center Years before 9/11, the company hired a security director to handle security for the 22 floors that were occupied by its employees Emergency preparedness exercises were performed every months Chapter 12  Emergency Action Plans  for years, with several employees questioning the purpose of these exercises because they thought they were in a safe environment and nothing disastrous would or could occur When 9/11 occurred, the evacuation plan was enacted, and the result was that approximately 2600 lives were saved that day because of proper training and practice Unfortunately, the security director lost his life during his attempt to save everyone else Evacuation Procedures, Escape Routes, and Floor Plans With every EAP, preparing for the worst scenario is the key to the success of that organization In the past, businesses did not think of being prepared; all they did was react to disasters the best way possible Often, an organization was unable to recover from a disaster Today, being prepared gives an edge for an organization to survive Part of being prepared is having evacuation procedures in place for the safety of employees All employees must be alert; understand what is expected of them when a particular disaster occurs; and be familiar with policies and procedures, as well as evacuation routes Part of an evacuation plan includes identifying which situations will require an evacuation process Today, it is common practice to delegate employees to be responsible to lead and coordinate the organization’s evacuation plan It is important for these employees to have the authority to make decisions needed for an evacuation during emergencies These coordinators should be responsible for assessing a situation and determining the best avenue to take for that emergency They should help move employees from a dangerous area to a designated safe area and should be available during work hours for any action or decisions that need to be made They are responsible for checking offices and bathrooms to ensure all employees have left the area, making sure fire doors are closed, and identifying employees with special needs who may need assistance during an evacuation These coordinators must be trained to understand workplace diagrams of the buildings and to know alternate routes when needed Each organization must develop evacuation routes for disasters but also designate areas within the building to keep employees safe if the evacuation plan will not work during that time Evacuations plans must be posted so they are visible to all employees and visitors Plans must be developed for all possible ways for employees to quickly exit an area Having these plans in place and communicating them to employees are key factors in being successful in saving lives There may be several ways to safely exit a building, but an emergency evacuation route must be properly communicated, and organizations must practice drills in order to be prepared when disaster strikes 135 136  Chapter 12  Emergency Action Plans Evacuation plans must be clear and easy to follow Organizations must complete periodic exercises or drills for employees to have a better understanding of what is expected of them and where they should go Make sure that floor diagrams are posted, with arrows that designate exit routes These maps must include location points for exits, assembly points, and equipment that may be needed That equipment can include fire extinguishers, first aid kits, and spill kits All evacuation routes should be clearly marked and well lit, have the capacity to evacuate a large number of people at one time, and be unobstructed and clear of debris at all times Accounting for Everyone After Implementing an Emergency Action Plan Accountability for all employees after an evacuation is very critical Confusion in an evacuation process can cause problems and may create the need for a rescue and recovery process Employees should take the fastest possible route for evacuation There must be a record maintained to ensure all employees were evacuated It is important for evacuation coordinators to have the names and work area locations of all employees At times, an emergency plan may specify different actions for employees depending on what the emergency is Your plan should include locations of utilities so they can be shut down, if necessary This includes knowing which utilities should be shut down, where they are located, and for how long they will be shut off Emergencies Outside of the Building There may be times when emergencies occur outside, but in close proximity to, your building or organization You should treat these as just as important as emergencies that directly impact your organization It is important to know what is happening in your immediate area and to what extent the emergency could have an impact on you or your organization Keep a current list of contacts who can help your organization when there is an emergency outside of the building Reporting and Alerting Authorities Your organization should designate certain employees as having the authority to communicate with the outside world, such as with the police and fire departments as well as with the media This task can be performed by someone on the organization’s security staff or in the Chapter 12  Emergency Action Plans  human resources department Having designated employees to handle these tasks can reduce stress and confusion during an emergency It is important to maintain a current list of higher level employees in case the police or fire personnel ask for this information The designated contact person will communicate with police and fire officials the details of the company’s EAP Alerting Staff and Visitors of an Emergency Your organization’s EAP should include employee awareness of what disasters may potentially occur This information will help employees know what to in the case of an emergency Most, if not all, organizations have a series of mechanisms to notify employees and visitors on the property that evacuation is necessary The most traditional type of notification is bells or sirens that indicate an emergency The use of a public address system for broadcasting emergency information is the most common way to alert both employees and guests Visual alarms (flashing lights) are available to help those who are hearing impaired How an organization notifies its employees and visitors is an important task, and there should be a clear communication system in place Most organizations have a notification system, so that any announcement can be pushed out to employees and visitors for any emergency Some of these communication tools may include voice-activated fire alarms situated throughout a building, as well as a “real-time” system in which a message can be pushed out through desktop computers, telephones, and cell phones The more communication tools you can use, the more effective you can be in alerting employees and visitors about an emergency and what steps need to be taken to move people to areas of safety As discussed, all departments must have a process to account for all employees in the event of an emergency Knowing the names and contact information of those working in each area can assist you in identifying who is working at any given time and whether or not they have been evacuated to safety In addition, it is important to have a sign-in sheet for visitors because it allows you to identify who else must be accounted for Notifying Next of Kin If an emergency occurs, law enforcement and emergency response teams are notified When these public agencies come to the scene of an emergency, they are responsible for taking over the emergency plan and have the authority to make decisions based on 137 138  Chapter 12  Emergency Action Plans the organization’s needs In addition, they are responsible for notifying next of kin when there is loss of life This is why having lists of employees working in each area is so critical Having a good public– private sector relationship is important because it allows everyone to understand each other’s responsibilities when there is a disaster In the event of an emergency, it is important to have ready access to personal information about the organization’s employees This includes home addresses, home telephone numbers, names and addresses of their next of kin, and medical information This information may need to be shared with public authorities Organizations can certainly reach out to next of kin to offer assistance, but that first contact is to be made by the agencies in charge of the disaster scene Identifying a Media Contact Person Depending on the size of an organization, there may be a public relations person who represents the organization at times when the organization needs to make a statement to the media If it is a smaller organization, that position is usually the president of the company Either way, when a disaster occurs, the public law enforcement agency responding to that emergency usually discusses the event details with the media and gives information on what occurred, the number of injuries and fatalities, and so forth It is common for an organization’s spokesperson to stand strategically next to the police or fire information officer to potentially give other information about the organization or the event that occurred Having a law enforcement spokesperson talk to the media is in the best interest of the organization so that what is stated is based on facts rather than rumors or false information This also allows the organization’s personnel to concentrate on those who are injured, as well as begin to implement the company plan to get up and running again Training New Staff Training should be offered to employees on a regular basis because emergency plans can change, and you want to make your employees aware of the changes so they understand what is expected of them in an emergency This training should be part of every new employee orientation Training is important to help employees understand their roles and responsibilities when it comes to an emergency; understand the Chapter 12  Emergency Action Plans  potential threats and hazards; know the notification, warning, and communications procedures; learn emergency response procedures; know evacuation, shelter, and accountability procedures; and identify the locations and use of common emergency equipment as well as the shutdown procedures After new employees have been trained, they need to practice this training on a regular basis to feel comfortable with their responsibilities during an emergency Policies for Updating and Maintaining the Emergency Action Plan Some organizations are so small that they believe they not need a plan, others are in the process of implementing one, and still others simply think that an EAP is not necessary Certainly, it is better to be prepared than not, given the potential disasters we face today An EAP not only protects employees and assets but also reduces the organization’s liability for such protection The plans should correspond to assessments conducted on possible hazards to your workplace From time to time, brainstorm about what could occur to disrupt the organization’s operations; then use the ideas you generate to develop action plans and policies After the policies and procedures have been put into place, they should be reviewed on a regular basis to ensure that all employees understand what is expected of them and the lengths to which the organization will go to protect them Change the policies and procedures as needed, but if they are effective, then abide by them and use them as working tools in the event of an emergency This process is something that is necessary because it seems everyday policies and procedures change because of the needs of an organization 139 REFERENCES  141 REFERENCES American Planning Association CDC Emergency Preparedness Website Dartmouth College’s Institute for Security Technology DHS National Incident Management System Best Practices DisasterCenter.com Disaster Mitigation Act of 2000: A New Beginning EKU’s Online Programs in Fire & Safety Science Exponent.com FEMA Guide to Citizen Preparedness FEMA Mitigation Division Homepage FEMA Mitigation Planning How-To Guide George Washington Univ Institute for Disaster Management Harvard Center for Risk Analysis Heritage Emergency National Task Force Library of Congress Emergency Preparedness Plan National Council on Readiness and Preparedness National Law Enforcement & Corrections Technology Center (NLECTC) National Safety Council’s Emergency Preparedness Website NIST Building & Fire Research Laboratory NIST Report on World Trade Center Collapse Protecting Buildings from Bomb Damage Ready.gov RiskINFO.com Society for Risk Analysis Univ of Sydney Report on WTC Collapse Printed Resources Alexander, D., 2002 Principles of emergency planning and management Oxford Univ Press, NY Armitage, D., 2008 Governance and the commons in a multi-level world International Journal of the Commons (1), 7–32 Bannister, J., 1997 How to manage risk LLP Limited, London Bedford, T., Cooke, R., 2001 Probabilistic risk analysis Cambridge Univ Press, NY Bellavita, C., 2007 Changing homeland security: A strategic logic of special event security Homeland Security Affairs III (September) Biggs, J., 1964 Introduction to structural dynamics McGraw Hill, NY Broder, J., 1999 Risk analysis and the security survey Butterworth-Heinemann, NY Bullock, J., Haddow, G., Coppola, D., Ergin, E., Westerman, L., Yeletaysi, S., 2005 Introduction to homeland security Elsevier, Boston Cameron, G., 1998 The likelihood of nuclear terrorism Journal of Conflict Studies (Fall), 5–28 Chavas, J., 2004 Risk analysis in theory and practice Academic Press, San Diego Defense Research LLC, 2004 Terrorism preparedness Defense Research LLC, Washington DC Department of Homeland Security (2010, September) DHS Risk Lexicon 2010, 60 Erickson, P., 1999 Emergency response planning for corporate and municipal managers Academic, San Diego Fahey, J., & Kahn, C (2012, March 3) BP begins to put spill behind it with settlement Retrieved January 2015, from boston.com: Flynn, S., 2007 The edge of disaster Random, NY Godschalk, D., 1986 Mitigation strategies and integrated emergency management Univ of NC Press, Center for Urban and Regional Studies, Chapel Hill Godschalk, D., Beatley, T., Berke, T., Brower, D., Kaiser, E., 1999 Natural hazard mitigation Island Press, Washington DC Gordon, J., 2002 Comprehensive emergency management for local governments Rothstein Associates, NY Haddow, G., Bullock, J., 2003 Introduction to emergency management Elsevier, Boston Hart, B.H.L., 1967 Strategy, 2e, reprint Frederick A Praeger, NY Herrmann, D., 2001 A practical guide to security engineering and information assurance CRC Press, Boca Raton, FL Hopkins, L., 2001 Urban development: The logic of making plans Island Press, Washington DC Interagency Security Committee, 2013, August The risk management process for federal facilities An interagency security committee standard, 1st, Vol 19 ISC Jerolleman, A., Kiefer, J (Eds.), 2012 Natural hazard mitigation, CRC Press, Boca Raton Kaplan, S., 1997 The words of risk analysis Risk Analysis 17 (4), 407–418 Kaiser, E., Godschalk, D., Chapin, S., 1995 Urban land use planning Univ of Illinois Press, Champaign-Urbana 142 REFERENCES Kelly, E., Becker, B., 2000 Community planning Island Press, Washington DC Kelly, R., 1989 Industrial emergency preparedness Wiley, NY Koenig, D.R., 2012 Governance reimagined: Organizational design, risk and value creation John Wiley & Sons Inc., Hoboken, NJ Krauthammer, T., 2004 Conventional blasts, ballistic attack, and related threats The Construction Specifier (May), 73–84 [author’s website] Leflar, J., Siegel, M., 2013 Organizational resilience CRC Press, Boca Raton Leonard, B., 1988 Guide to exercises in chemical emergency preparedness programs Diane Pub Co, NY Litman, T., 2005 Lessons from Katrina Victoria Transport Policy Institute, Victoria, BC Longinow, A., 1995 The threat of terrorism: Can buildings be protected? Building Operating Management (July) pages unknown Low, P (2013, May 29) Natural Catastrophes in 2012 Dominated by U.S Weather Extremes Retrieved January 2015, from World Watch Institute: Molak, V., 1996 Fundamentals of risk analysis and risk management Lewis Publishers, Chelsea, MI Mukund, B (NA, NA NA) SO 17799: The Key Components of the Standard Retrieved October 2014, from ISO 17799 Information and Resource Portal: Nicholson, J., 2003 Design of public buildings In: Kemp, R (Ed.), Homeland security: Best practices for local government, ICMA, Washington DC, pp 61–64 Nudell, M., Antokol, N., 1988 The handbook for effective emergency management Lexington Books, Lexington, MA Omika, Y., Fukuzawa, E., Koshika, N., Morikawa, H., Fukuda, R., 2005 Structural responses of world trade center under aircraft attacks Journal of Structural Engineering 131 (1), 6–15 O’Connor, T, 2014 Mitigation and Preparedness MegaLinks in Criminal Justice Retrieved from Palin, P., 2010 Resilience: The grand strategy Homeland Security Affairs issue (January), http://www.hsaj org/?article=6.1.2 Perry, R., 1985 Comprehensive emergency management JAI Press, Greenwich, CT Rodriguez, H., Quarantelli, E., Dynes, R (Eds.), 2006 Handbook of disaster research, Springer, NY Quarentelli, E., 1979 Studies in disaster response and planning Univ of Delaware Disaster Research Center, Newark Schneid, T., Collins, L., 2000 Disaster management and preparedness Lewis Publishers, Chelsea, MI, [sample excerpt] Veenema, T., 2003 Disaster nursing and emergency preparedness for chemical, biological, and radiological terrorism Springer, NY Vose, D., 2000 Risk analysis: A quantitative guide Wiley, NY Waugh, W., 2000 Living with hazards: Dealing with disasters: An introduction to emergency management M.E Sharpe, NY White, Jonathan., 2004 Defending the homeland Wadsworth, Belmont, CA, Last updated: Jan 19, 2014 Not an official webpage of APSU, copyright restrictions apply, see Megalinks in Criminal Justice Index  143 INDEX Note: Page numbers followed by “f” and “t” refer to figures and tables, respectively A Access control, 22, 111–112 Accessibility, 76–77 Accountability, 58–60, 136 Action plans, 59 Activity support, 113 Adapting organizations, 130 All-hazards approach, 38–41 Amelioration, 117–118 Assessment process, 13, 38, 38f Asset, 12, 57–58 assessment, 11 characterization and screening, classification and control, 20 identification and prioritization, 63–64 B Biodefense for the 21st Century, “Broken window” theory, 109, 114 BS 7799, 20 Built environment concepts, 108–109 Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF), 3–4 Business activities, 18 Business continuity management, 23 Business continuity plan, 34–36 Business’s internal processes, 58–59 C Centers for Disease Control and Prevention (CDC), 41 Central Intelligence Agency (CIA), 3–4 Chemical, biological, radiologic, nuclear, and explosive (CBRNE) materials, 73, 77–78, 80t, 82t, 91 Chemical spill, 93, 95 Closed Caption Television (CCTV), 85t, 89, 113 Collateral mass casualties, potential for, 73, 78–79 Communications and operations management, 21 Communication tools, 137 Compliance, 23 Computing and network equipment, 87 Computing infrastructure, 86, 88 Confusion, during evacuation process, 136–137 Consequences, 103 analysis, considerations for, 98–100 economic impact, 99 human impact, 98 impact on government capability, 100 impact on public confidence, 100 determination of, 100–102 Controls, 21–22, 27, 120–121 Coordinators, in emergency action plans, 135 Cost-effective security solutions, 30 Cost-to-benefit ratio, 30 Countermeasure options, determination of, 11 Crime prevention through environmental design (CPTED), 107 categories, 111–114 activity support, 113 maintenance, 114 natural access control, 112 natural surveillance, 112–113 target hardening, 114 territoriality, 111–112 and crime reduction, 114–116 history of, 108–111 Critical Infrastructure and Key Resources (CIKR), 64–70 protection, 103–104 Critical Infrastructure Identification, Prioritization and Protection, Cyber infrastructure, 66 Cyber Security Initiative, Cyber terrorism, 85 D Deepwater Horizon oil spill, 99 Defensible space, 108–109 Department of Homeland Security (DHS), 1, 32, 41, 64, 66–69, 90 Homeland Security Act of 2002, 6–7 homeland security platform, 2–4 Homeland Security Presidential Directives (HSPDs), 7–8 risk analysis and management for critical asset protection, 4–6 threat levels used by, 91f Design-basis threat, 40 Deterrence, 84, 88 DHS Security Information Intelligence Agency (CIA), 42 Disaster management, phases of, 119t Documented procedures, 21 Domestic Nuclear Detection, 144 Index E Economic impact (EI), 26–27, 99 EI value, 101 worksheets, 101t Electronic commerce, 21 Emergency action plans (EAP), 90–95, 133–134 accounting for everyone after implementation, 94, 136 coordinators in, 135 creation of, 134 emergencies outside of the building, 94, 134 evacuation procedures, escape routes, and floor plans, 92–93, 135–136 media contact person, identifying, 94–95, 138 in Morgan Stanley, 134–135 new staff, training, 95, 138–139 notifying next of kin, 94, 137–138 policies for updating and maintaining, 95, 139 reporting and alerting authorities, 93, 136–137 staff and visitors, alerting, 93–94, 137 Emergency management, phases of, 79 Emergency plan, 35, 89–90, 95, 136, 138 Emergency preparedness, 130–132 Emergency response team, 137–139 Emerging organizations, 130 Employee background checks, 88 Enterprise risk management (ERM), 13–14, 72 Environmental disruption, 88 Environmental issues, 17 Environmental Protection Agency (EPA), 7–8 Escape routes, 92–93, 135–136 Evacuation planning, 118, 134–136 Evacuation procedures, 92–93, 135–136 Event incidents in order of probability, 123–127 Executive management, in risk analysis, 32–36 Exercises, in emergency preparedness, 130–131 Expanding organizations, 130 Exposure, 30, 58–60 Extending organizations, 130 Exxon Valdez oil spill, 51 F Facility owners, 41 Facility’s vulnerability, 79 Family-based disaster planning, 128–129 Federal Bureau of Investigation (FBI), 3–4 FBI Joint Terrorism Task Forces, 41 Federal Emergency Management Agency (FEMA), 7, 131–132 Federal grants, 65 Flashing lights, 137 Floor plans, for evacuation, 92–93, 135–136 “The four dimensions of crime”, 109 Full-scale exercise, 131 Full security threat assessment, 39 Fusion centers, 42, 44 G General assessment, 79 Government capability, impact on, 100 Great San Francisco fire and earthquake, 46, 47f H Hazard Identification Worksheet, 53t Hazardous material, release of, 102 Hazards, identifying, 45–46 Health emergencies, 93 Hearing impaired, emergency notification for, 137 Heat wave of 1980, 47 High impact threat, 121 High probability threat, 121 Homeland Security Act of 2002, 6–7, 65, 69 Homeland Security Offices, 41 Homeland security platform, 2–4 Homeland Security Presidential Directives (HSPDs), 7–8 HSPD-5, HSPD-7, 7, 64, 70, 98 HSPD-8, HSPD-9, HSPD-10, HSPD-12, HSPD-14, HSPD-20, HSPD-23, Human error, 88 Human impact (HI), 98 and economic impact worksheets, 101t value, 101 Human-made (terrorist) attacks, 72–74 assessment worksheet, 80t Human-made disaster, 64–66, 102 Human-made hazards, 49–54 Exxon Valdez oil, 51 interstate 35 (I-35) Mississippi River bridge collapse, 50, 51f Kansas City hotel walkway collapse, 49, 50f Oil Pollution Act of 1990, 51 Hurricane Katrina, 2005, 48 I Impact analysis, 126 Industrial relations, 17 Information, 12 and software exchange agreements, 21 gathering, 41–42 Information security infrastructure, creation of, 20 Information security policy for organization, 20 Information security professionals, 86 Index  Infrastructure database warehouse, 67 Intangible assets, 12 Intelligence community, Intelligence Reform and Terrorism Prevention Act of 2004, 68 Interagency Security Committee (ISC) Standard, 41 Interstate 35 (I-35) Mississippi River bridge collapse, 50, 51f Intrusion, 84, 90–91 Inventory system, 67 Islamic State in Iraq and the Levant (ISIL), 42 ISO 17799, 20 J Jurisdiction, 38 criticality of target site to, 73–75 impact outside of, 73, 75–76 Jurisdictional threat, 42–44 K Kansas City hotel walkway collapse, 49, 50f L Law enforcement community, 3, 109 Law enforcement team, 137–138 Legal risk (information security), 16, 19–23 access control, 22 asset classification and control, 20 business continuity management, 23 communications and operations management, 21 compliance, 23 information security infrastructure, creation of, 20 information security policy for organization, 20 ISO 17799 and BS 7799, 20 personnel security, 20–21 physical and environmental security, 21 system development and maintenance, 22 Legislative compliance, 18 Level of visibility, 73–74, 74t Litigation or legal risk, 18 Local law enforcement, 88–89, 91 Long-term planning, 117–118 Loss-control techniques, 120 Losses, 60–61 Low impact threats, 121 Low probability threats, 121 M Maintenance, 114 Management of Domestic Incidents, Media contact person, identifying, 94–95, 138 Mitigation, 35, 40, 117–119, 126t and preparedness, 117 Mitigation measures, 60–61 evaluation, 61 Mitigation of risk, 120–121 Mitigation planning, 118 Morgan Stanley, emergency action plans (EAP) in, 134–135 Mutual aid agreements See Reciprocal aid agreements N National Construction Safety Team Act (2002), 128 National Continuity Policy, National Fire Protection Association, 131–132 National Incident Management System (NIMS), National Infrastructure Protection Plan (NIPP), 63–70, 98, 103 and critical infrastructure and key resources, 64–70 goal of, 64–66 mission of, 64 protection of resources, 65 National Institute of Standards and Technology (NIST) investigation, 128 examples of, 128t National Preparedness, National Preparedness Guidelines (NPG), 65 145 National Response Center, 131–132 National Response Framework (NRF), 7, 65 National Strategy for Homeland Security, 69 National Strategy to Secure Cyberspace, 69 National Transportation Safety Board, 128 Natural access control, 112 Natural disaster, 17, 38, 46, 64–66, 102 Natural hazards, 46–49 great San Francisco fire and earthquake, 46 heat wave of 1980, 47 Hurricane Katrina, 48 Natural surveillance, 112–113 Negative socioeconomic dynamics, 114–115 Network management, 21 New staff, training on emergency action plan, 83, 138–139 Next of Kin, notifying, 137–138 9/11 attack, 2–3, Notification system, 137 Nuclear Regulatory Commission, 131 O Observation, 34 Occupational Safety and Health Administration’s (OSHA’s) policies, 131, 133–134 Occupational Safety and Health Organization, 35 Oil Pollution Act of 1990, 51 Operational risk, 15–19 areas contributing to, 16–17 business activities, 18 environmental issues, 17 industrial relations, 17 legislative compliance, 18 litigation/legal risk, 18 natural disasters, 17 payment and processing system, 18 146 Index Operational risk (Continued) risk management techniques, 18 security, 17 technology failures, 17 legal risk, 16 personnel risk, 16 property risk, 16 regulatory risk, 16 reputation risk, 16 technology risk, 16 Organizations, 129–130 adapting, 130 emerging, 130 expanding, 130 extending, 130 redundant, 130 P Partnership, 65, 68–69 Payment and processing system, 18 People, 12 Performance metrics, use of, 68 Personnel risk, 16 Personnel security, 20–21 Physical and environmental security, 21 Physical security, 14 risk assessments, 10–14, 27–28 Physical security systems, for vulnerabilities, 84–88 component matrix, 84t, 85t physical threat See Physical threat technology and physical security blended, 86–87 Physical threat, 87–88 environmental disruption, 88 human error, 88 monitoring, 85–86 sabotage, 87 theft, 87 Policies for updating and maintaining EAP, 95, 139 Possible terrorist attack, 77, 79 Post orders, 85t, 89 Posttraumatic stress counseling, 35 Potential population capacity, 73 Potential target threat of hazard, 77–78 Potential threat element (PTE), 40, 42–44, 54, 73, 77, 80t, 81t, 82t Preparedness, 35 in emergency management, 130–132 National Preparedness, real, 130–131 short-term, 130–131 Project management, 120 Property assets, 12 Property risk, 16 Psychological impact, 98, 100 Public address system, 137 Public confidence, impact on, 100 Public law enforcement agency, 138 Public relations person, 138 Q Quadrennial Homeland Security Review, Quantitative methods, 124 Questioning, 34 R Real preparedness, 130–131 “Real-time” system, 137 Reciprocal aid agreements, 129–130 Reconstruction, 117–118 Recorded business information, 58 Recovery plan, 35–36 Redundant organizations, 130 Regulatory risk, 16 Relative risk analysis, 126t Reporting and alerting authorities, 93, 136–137 Reputational risk, 23 managing, 23 Reputation risk, 16, 23 “Residual” risks, 123 Resilience, 127–128 Response protocol, 84, 90–91 Response to a disaster, 35 Risk, defined, 10 Risk analysis, 25, 120, 123–127 business perspective, 26 decision-making process, 26 executive management role in, 32–36 major event incidents in order of probability, 123–127 physical security risk assessments, 27–28 quantitative risk model, 26 risk assessment method, 28–30 security assessments, benefits of, 31–32 Risk Analysis and Management for Critical Asset Protection (RAMCAP), 4–6 Risk assessment, 6, 11, 56–58, 60, 97, 120–121, 134 applied approach, 100–102 consequences, considering, 98–100 economic impact, 99 government capability, impact on, 100 human impact, 98 public confidence, impact on, 100 consequences, determining, 100–102 departments involved in, 57 effective, 58–60 formulas, 126t matrix, 121, 122f physical security, 27–28 tools, 58, 60 types of, 57 vulnerability assessment, 60–61 Risk assessment method, 28–31 Risk control, 29 Risk identification, 29, 55 assets, 57–58 exposure, 58–60 losses, 60–61 Risk impact, 56, 58–59 Risk management, 6, 10–11, 14–15, 65, 68, 120 asset assessment, 11 countermeasure options, determination of, 11 formula used in, 11 risk assessment, 11 Index  threats assessment, 11 vulnerabilities assessment, 11 Risk management model, 121t Risk Management Process for Federal Facilities, 41 Risk management program, 56 Risk management techniques, 18 Risk mitigation, 65–67 Risk occurrence, 56, 59 likelihood of, 59–61 Risk tolerance, 59 S Sabotage, 87 Security, 17, 22 information security, 19–20 and intelligence organizations, 41 personnel, 20–21 physical and environmental, 21 physical security systems, 84–88 and safety engineering, 128–129 Security assessments, benefits of, 31–32 cost effectiveness, 31 Security audits, 33 Security guard, 89 Security officers, use of, 88–90 Security program, 72 Security survey, 33–34 Security threat assessment, 12–13 Security vulnerability, 72 Short-term preparedness, 130–131 Sign-in sheet, for visitors, 137 Six ranking level for accessibility, 76 for potential target site population, 78 for potential target threat of hazard, 77–78 Smart Practices, 131–132 Social media, 43f Staff, alerting of an emergency, 93–94, 137 Staff and visitors, alerting, 137 Surveillance, 112 natural, 112–113 System development and maintenance, 22 147 T U Target hardening, 111, 114 Target site criticality of, to jurisdiction, 74–75 potential target site population, 78 Technology failures, 17 Technology risk, 16 Territoriality, 111–112 Terrorism, 2–3, 42 Terrorist attack, 4, 102 Terrorist attack, possible, 77, 79 Terrorist mitigation, 118 Terrorist Threat Integration Center (TTIC), 42 Threat, 103 analysis, 126, 126t assessment, 6, 11, 28 characterization, defined, 12, 120–121 deterrence, 65 physical and virtual, 87 probability, 124 rating, 72, 74–75 sources, 126 Threat Factor Rating Worksheet, 44 Threat factors, 43–44 capability, 43 existence, 43 history, 43 intention, 43 targeting, 43 Threat identification and rating, 37, 41–42 all-hazards approach versus design-basis threat, 38–41 human-made hazards, 49–54 identifying hazards, 45–46 information gathering, 41–42 jurisdictional threat, 42–44 natural hazards, 46–49 TOPOFF (Top Officials), 131–132 Tornado, 90, 92–93, 95 Total consequence score, 102 Training for new staff, 138–139 for security officer, 89–90 Transportation Security Administration (TSA), U.S Department of Justice, 131 V Violent emergencies, 94 Visitors, alerting of an emergency, 93–94, 137 Visual alarms, 137 Voice-activated fire alarms, 137 Vulnerabilities, 83, 103 defined, 12, 120–121 emergency action plans (EAP) for, 90–95 employee background checks, 88 lessening of, 65–69 physical security systems, 84–88 security officers, use of, 88–90 Vulnerability analysis, 6, 31, 124–125, 126t Vulnerability assessment, 11, 27–28, 31, 60–61, 71–79 accessibility, 76–77 collateral mass casualties, potential for, 78–79 criticality of target site to jurisdiction, 74–75 impact outside of the jurisdiction, 75–76 level of visibility, 74 potential target site population, 78 potential target threat of hazard, 77–78 worksheet human-made (accidental), 81t human-made (terrorist), 80t natural disaster, 82t Vulnerability hazards, 45 W White-collar crime, 32 WMD-CST (weapons of mass destruction, civil support team), 131–132 World Trade Center bombing (1993), 2–3 ... Consequence Analysis Vulnerability Analysis Threat Assessment Risk Assessment Homeland Security Act of 2002  Homeland Security Presidential Directives  Abstract The Department of Homeland Security... areas such as: ● Personnel risk ● Property risk ● Technology risk ● Legal risk 15 16  Chapter 2  What is Risk? Regulatory risk Reputation risk Personnel risk deals with the risks that affect the safety... and countermeasures should be implemented to take care of potential risks Before going any further with risk analysis, you must understand how threat and vulnerabilities play a role in risk analysis