The Security Risk Management Triangle: A Thinking Aid

The Triangle

Discernum’s Security Risk Management Triangle (SRMT) is a thinking aid for risk analysts and security planners.

The concept is that risk can be mitigated by acting on any one of the triangle's three angles:

Angle 1.  The location of the asset
Angle 2.  The intent, capability, or existence of the threat
Angle 3.  The presence of vulnerabilities

Angle 1:  The Asset

Acting on the asset angle generally involves removing the asset from the risk equation.  If the asset is not present when the bomb goes off, the incident is without impact.  As good as this sounds, it is generally unreasonable or impossible to remove the asset from the situation.  Protected individuals need to be able to move throughout the world, often visiting elevated-risk locations and events.  If the asset is a building, it can't just be picked up and moved.  When it is an option at all, removing the asset from the equation is generally a last resort, for example when resources capable of manipulating the other angles of the triangle are unavailable.

Angle 2:  The Threat

In a security fantasy land, we would remove the threat from all security equations.  This would allow assets to go about their day without experiencing any form of inconvenience or physical harm.  Unfortunately, in the real world, removing the threat entirely isn't always a reasonable solution.  We can't stop earthquakes (yet), and it can be difficult to deal with attackers who have not yet been identified by security/intelligence teams.  That said, the threat of an all-too-likely slip and fall can be mostly removed by arriving in advance of a protectee and looking for spilled oil, ice, and the like.  The threat of an unwanted gun at an event can be removed by using magnetometers and other search techniques.  Yes, the threat angle can in fact be manipulated to our advantage.

Angle 3:  The Vulnerability

Vulnerabilities are situations that allow threats to have an impact on an asset.  Threats need vulnerabilities just as vulnerabilities need threats.  Without each other they are nothing.  That said, vulnerabilities are often the factors in a situation most within a security planner's control.  We know threats exist, and we know assets require some exposure to the world.  But exposure can be controlled.  If your company's network faces the internet, you reduce vulnerabilities by closing non-essential ports with a firewall.  If your principal flies in a private jet, you prevent the plane from being tracked by implementing a block.  If your house has a door, you lock it.

Play The Game

It can be a good team or solo mental exercise to use the Security Risk Management Triangle as a way to analyze various security planning options.  Try this the next time you're with a colleague:  Imagine a difficult security situation and find ways of mitigating risk by manipulating different aspects of the triangle.  If one angle doesn't work, try another.