Improve procedures to close gaps in controls. These might include better controls over operations or more rigorous standards for programming and software testing. Early detection of harmful situations permits more rapid response to minimize damage. Fire and intrusion detectors are both typical examples. Contingency plans permit satisfactory accomplishment of command missions following a damaging event. Contingency plans include immediate response to emergencies to protect life and property and to limit damage, maintenance of plans and materials needed for backup operation offsite, and maintenance of plans for prompt recovery following major damage to or destruction of the AIS facility. The command's Disaster Control Plan should coincide with the AIS facility's contingency plans.
Table 4-3 shows examples of remedial measures for a few threats. When selecting specific remedial measures, use the following two criteria:

1. The annual cost is to be less than the reduction in expected annual loss that could be caused by threats.
2. The mix of remedial measures selected is to be the one having the lowest total cost.

The first criterion simply says there must be a cost justification for the security program: that it returns more in savings to the AIS facility than it costs. This may seem obvious, but it is not uncommon for an AIS manager to call for a security measure, to comply with higher authority security instructions and directives, without first analyzing the risks. The second criterion reflects the fact that a given remedial measure may often be effective against more than one threat. See table 4-3. Since a given remedial measure may affect more than one threat, the lowest cost mix of measures probably will not be immediately obvious. One possible way to make the selection is to begin with the threat having the largest annual loss potential. Consider possible remedial measures and list those for which the annual cost is less than the expected reduction in annual loss. Precision in estimating cost and loss reduction is not necessary at this point. If two or more remedial measures would cause a loss reduction in the same area, list them all, but note the redundancy. Repeat the process for the next most serious threat and continue until reaching the point where no cost justifiable measure for a threat can be found. If the cost of a remedial measure is increased when it is extended to cover an additional threat, the incremental cost should be noted.

Table 4-3. Example of Remedial Measures by Threat Type

At this point, there exists a matrix of individual threats and remedial measures with estimates of loss reductions and costs, and thus an estimate of the net saving. This is shown graphically in table 4-4. For each threat (A, B, C, and D), the estimated loss reduction (column 1), the cost of the remedial measure (column 2), and the net loss reduction (column 3) are given in thousands of dollars. By applying remedial measure J to threat A at a cost of $9,000, a loss reduction of $20,000 can be expected (a net saving of $11,000). Furthermore, remedial measure J will reduce the threat B loss by $10,000 at no additional cost and the threat C loss by $4,000 at an added cost of only $1,000. Finally, though, it appears that it would cost more than it would save to apply J to threat D. Therefore, J would not be implemented for D. The net loss reduction from J could be expressed as:
The table indicates that J and K have the same reduction effect on threat A. Since K costs more than J, it might, at first glance, be rejected. However,
and
Therefore, while J and K are equally effective on threat A, K appears to be more effective than J on the other threats. Further checking shows their combined use results in the greatest overall net loss reduction. By going through the process just described, using preliminary estimates for cost and loss reduction, you can test various combinations of remedial measures, and thus identify the subset of remedial measures that appears to be the most effective. At this point, review the estimates and refine them as necessary to ensure compliance with higher authority security instructions. If all the preceding procedures are followed, the following factors will be established and documented:

• The significant threats and their probabilities of occurrence;
• The critical tasks and the loss potential related to each threat on an annual basis;
• A list of remedial measures that will yield the greatest net reduction in losses, together with their annual cost.

With this information at hand, AIS upper management can move ahead with implementing the AIS security program. Since the analysis of remedial measures will have identified those with the greatest impact, relative priorities for implementation can also be established.
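The selection procedure above, worked through as an added Python example (not part of the manual): it applies criterion 1 to each threat, computes the net loss reduction of each measure, and then searches mixes of measures for criterion 2. The figures for J against threats A, B and C follow the table 4-4 walkthrough; J against D, all of K's figures and the annual loss potentials are constructed values, and treating overlapping reductions on one threat as redundant beyond that threat's annual loss is an assumption.

```python
from itertools import combinations

# Constructed example data, in thousands of dollars per year. J against threats
# A, B and C follows the table 4-4 walkthrough in the text; J against D, every
# K figure and the annual loss potentials are assumed values for illustration.
ANNUAL_LOSS = {"A": 30, "B": 15, "C": 12, "D": 5}
MEASURES = {  # measure -> threat -> (loss_reduction, cost)
    "J": {"A": (20, 9), "B": (10, 0), "C": (4, 1), "D": (2, 3)},
    "K": {"A": (20, 12), "B": (12, 0), "C": (8, 1), "D": (4, 1)},
}

def justified_applications(measure):
    """Criterion 1: keep only threats where the measure's annual cost is less
    than the expected reduction in annual loss (so J is not applied to D)."""
    return {t: (red, cost) for t, (red, cost) in MEASURES[measure].items()
            if cost < red}

def net_loss_reduction(measure):
    """Net saving of one measure applied wherever it is cost justified."""
    return sum(red - cost for red, cost in justified_applications(measure).values())

def combined_net(mix):
    """Net saving of a mix. Assumption: overlapping reductions on one threat
    are redundant beyond that threat's annual loss potential, so the summed
    reduction is capped at ANNUAL_LOSS while the costs still add up."""
    total = 0
    for threat, loss in ANNUAL_LOSS.items():
        reduction = cost = 0
        for measure in mix:
            apps = justified_applications(measure)
            if threat in apps:
                reduction += apps[threat][0]
                cost += apps[threat][1]
        total += min(reduction, loss) - cost
    return total

def best_mix():
    """Criterion 2: the mix with the greatest overall net loss reduction,
    found exhaustively (fine for the handful of measures usually compared)."""
    best = (0, ())
    for r in range(1, len(MEASURES) + 1):
        for mix in combinations(MEASURES, r):
            net = combined_net(mix)
            if net > best[0]:
                best = (net, mix)
    return best

if __name__ == "__main__":
    print({m: net_loss_reduction(m) for m in MEASURES}, best_mix())
```

With these figures J alone nets $24K, K alone $30K, and the J plus K mix $37K, which is the "combined use" result the text describes.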