A security risk assessment is a complex procedure that involves reviewing the organization's threat environment, the value of its assets, the vulnerabilities of its security controls, the criticality of its systems, the impact of expected losses, and, finally, recommendations for increased controls that may reduce risk to an acceptable level. The data collected in this process enable the organization's senior manager to identify its needs for any additional security controls. It is a reliable way of estimating risk, which plays a very important role in developing actions aimed at eliminating, reducing or mitigating risk.
The risk assessment process was designed in the 1990s for the needs of the Interagency Forum for Infrastructure Protection (IFIP), founded in response to the issue of security protection against the terrorist threat. Initially, it was used to protect federal dams, high-voltage electric power transmission systems, and other important national infrastructures (Biringer, Matalucci and O’Connor, 2007). Recently, following the terrorist attack of 11 September 2001, the threat potential in the United States has dramatically increased. Thus, it is particularly important to provide organizations with appropriate controls and security measures to protect their facilities as well as the lives of their employees (Biringer, Matalucci and O’Connor, 2007).
The process of security risk assessment starts with a detailed facility characterization, which involves such components as an understanding of the mission, the operating conditions of the company’s building, and the security events. It is necessary to make a thorough physical description of the building, including its physical layout, floor plans, locations of site boundaries, building locations, construction details and access points. A physical