The types of crimes being committed has changed drastically in recent years. The same can be said for the factors that could potentially be of threat to companies. Incidents like terrorist attacks, cyber-attacks/hacks, and identity theft are putting our risk assessment to the test. To combat these challenges, we are seeing a rise in the use of a VTS-analysis to better identify and manage these new business risks.
We are used to mapping risks in relation to danger for a specific office/location. However, criminal networks are, now more than ever, targeting International businesses and Government agencies. Both technological and international expansion has provided criminals with new ways of exploiting vulnerability across the entire business. This has led to the development of new areas of crime and valuables that were previously unattractive being easily sold and traded on the black market.
Many businesses have experienced this first hand. The crime and safety investigation (KRISNO) conducted by The Norwegian Business and Industry Security Council in 2015 revealed that 70% of the companies surveyed had received invoices for goods and services they had never ordered.
How do we assess risks related to these new types of crime? I would argue that the VTS analysis is more suitable for uncovering risks concerning targeted business attacks, than the traditional proactive method.
The VTS analysis is based on the NS 5830 series, used by the police, and theoretically looks like this:
Value x Threat X Vulnerability = Risk
Here the value assessment forms the basis of the amount of resources allocated to security. If you do not have anything of value, then neither threat nor vulnerability exists (anything multiplied by zero will always be zero). Therefore the risk does not exist.
What distinguishes a VTS-analysis from other risk analysis?
You begin by identifying any valuables that must be secured, and how important these valuables are for those who own, manage or otherwise derive benefits from them. If you in this phase cannot identify any valuables, or you assess that they are not very important, you can end the process here.
However, if you do identify valuables that are of importance then the aim is to identify the security goal. A security goal is a description of the wanted end goal for your identified valuables.
The threat assessment maps the people or groups that have, or can have, interest in influencing the identified valuables. One of the distinctive features of a VTS analysis is that you, at this stage, make detailed scenarios of how identified individuals will proceed to affect valuables negatively. When considering vulnerability, we will also look at the security measures that will limit the development of each scenario.
After evaluating all relevant factors regarding value, threat and vulnerability, you can draw a conclusion from the various sub-assessments in the risk analysis. From here you go through each scenario and perform a discretionary assessment of all the information available. This will enable you to get a relevant risk assessment based on the current situation.
You also evaluate if the risk is acceptable and if not, you will move forward with the process.
Keep an eye on the criminal
The results of the security risk analysis are now transferred to the company’s risk management process and becomes operational. The work could stop there, and unfortunately, that is the case in many organisations. The analysis is left in a drawer, becoming outdated when there are developments such as:
- New products
- New methods of production
- New collaborations
- New suppliers
- New laws and regulations
Every change will create new areas of vulnerability and requires an updated analysis to cope with the criminal’s ability to adapt.
If you have prepared and saved the analysis electronically in a suitable crisis management tool, it will be easy to make adjustments when needed. It will also have a positive effect in regard to how risks are communicated within the organisation.
If you want to learn more about VTS analysis and how to make them systematic and efficient, I recommend you visit this page.