A common challenge for security programs across all industries is to demonstrate return on investment, cost savings, and reduction of risk. Even though the need for proactive security measures to protect human life and assets is self-evident, program managers are usually required to articulate a business case to their senior leaders on why specific security resources are necessary.
This requirement extends to protective intelligence programs, and it applies with even more force there, since a successful program proactively addresses risks before they materialize. Additionally, these efforts and successes are typically invisible to the rest of the organization.
In this introductory article, we share:
- Our ideas regarding what protective intelligence means to the bottom line of organizations
- Why it is a critical element of any security risk management strategy
- A simple breakdown of how one might assess the cost effectiveness of a protective intelligence countermeasure quantitatively
Is the Risk Real?
Before we begin this conversation, it is important to understand how exposed organizations are to risks such as workplace violence, insider threats, and related undesirable outcomes. (These statistics are from the U.S. Department of Labor Statistics 2018 Report.)
- There were 5,250 incidents of violence in the workplace.
- Of all categories of fatal occupational injuries, the U.S. Department of Labor found that “violence and other injuries” were the third most frequent cause.
- There were 351 workplace shootings documented in US workplaces.
Secondly, in its April 2018 report titled “Active Shooter Incidents in the United States in 2016 and 2017,” the FBI cited business and commerce environments as being the most common single setting of mass shootings (of 17 offenders at these locations, 8 offenders were current or former employees).
The Bottom Line: What’s the Cost if a Risk Materializes?
We know there is a legitimate risk of active shooter incidents and no organization is immune, but countermeasures can be costly and security managers are obligated to justify these expenditures in business terms. So how can this be done?
For one, we could rely on aggregate statistics from the U.S. Department of Justice, OSHA, and related organizations; however, these numbers tend to be dated and they are quoted (and misquoted) in media so often that most readers do not know what to believe. For the sake of accuracy and presenting you with timely figures, we will stick with recent concrete examples.
Recent shooting incidents, with their estimated costs, are listed below:
- Las Vegas Route 91 shooting (possible $800M settlement + an immediate share price drop of nearly 5%)
- Orlando Pulse Nightclub shooting ($385M)
- Columbine High School shooting (school district cost was approximately $50M)
The true cost of an active shooter incident is made up of the following primary factors: brand damage (reputation, talent loss, share price, etc.), lawsuit costs, workers compensation costs, and lost productivity. Currently, there is no reliable, concrete data on aggregate costs to organizations affected by active shooter incidents. Therefore, it is most helpful to use recent incidents to develop a baseline.
Protective Intelligence: Why It’s a Critical Component of Security Risk Management
Even a small protective intelligence program led by a competent leader can create significant cost savings for an organization. Here’s why:
- First, consider that cost savings can be put into quantitative terms for senior executives by using standard risk management formulas to show how the program reduces the likelihood of a risk event (more to follow in the sections below).
- Second, cost savings come in other forms, such as potentially reducing insurance premiums and, in the event of litigation, being able to demonstrate the due care taken by the organization to protect employees.
- Third, there are a number of ancillary benefits such as brand management, ad hoc investigative support, and more.
The Power of Analytics: Using the Ontic Platform as an Example
Our mission at Ontic is to empower teams by delivering actionable risk insights to them. Outside of giving clients a secure database, proprietary data integrations, and a social listening solution, an important aspect of our platform is its analytics dashboard.
It can be overwhelming to quantify the work of your protective intelligence program, and that’s why we capture all relevant security metrics in a single dashboard. It’s easy (or easier, at least) to justify expenditures when program managers can point to the number of persons of interest that they are managing, actions taken by investigators, signals captured, BOLO reports disseminated to security staff, and more. The platform automates the routine and time-consuming tasks of security professionals and frees up their time for their most urgent tasks of the day.
A Simple Breakdown: How to Use a Quantitative Risk Analysis to Demonstrate ROI
Let’s use a fictitious quantitative risk analysis to demonstrate how one might show the return on investment of a protective intelligence countermeasure. (We relied on writings from our expert industry peers, from ISC2 and ASIS, for the methods below.)
The average cost of the Las Vegas and Orlando shootings to their respective organizations was approximately $495M. For this example, we will use this as our figure for asset value / single loss expectancy.
We will make the following assumptions in this scenario about our specific risk analysis for the risk of a shooting incident at our corporation:
- Asset Value (AV) = $495M
- Single Loss Expectancy (SLE) = $495M (loss expected if the risk materializes)
- Annualized Rate of Occurrence (ARO) = 0.01 (expected to occur once every 100 years)
- Annualized Loss Expectancy (ALE) = $495M x 0.01 = $4.95M (expected cost per year)
Given this information, we can evaluate various countermeasures, such as a protective intelligence program, a technology solution, a policy change, etc. The most important factor when selecting a countermeasure is that its cost and effectiveness make financial sense. So, how do we do this? There is a simple formula: we take our ALE without the countermeasure (ALE1) and subtract two figures from it: the ALE with the countermeasure (ALE2) and the cost of the countermeasure.
Formula: ALE1 – (ALE2 + Countermeasure Cost)
Of course, we want this equation to yield a positive number: the result is the annual savings for the organization if it deploys the countermeasure. If the result is negative, the countermeasure is not a financially responsible choice.
Let’s suppose that implementing a simple protective intelligence program (a single analyst and a software solution) costs the organization $100,000/year, and that implementing this program decreases the likelihood of a shooting incident by 50%. This means that our new annualized rate of occurrence, after accounting for the countermeasure, is 0.005 (expected to occur once every 200 years).
Working Out the Numbers: What Would Our Cost Savings Be With the Countermeasure?
- Original ALE: $495M x 0.01 = $4.95M
- New ALE with countermeasure: $495M x 0.005 = $2.475M
(A) $2.475M + $100,000 (the cost of the countermeasure) = $2.575M
(B) $4.95M – $2.575M = $2.375M
(C) The organization can save $2.375M annually by implementing this countermeasure.
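The same calculation as an added example (not part of the original article), extended to rank several candidate countermeasures and to find the break-even point below which a countermeasure no longer pays for itself. Only the first candidate uses the article's figures; the other two rows and all function names are constructed for illustration.

```python
from decimal import Decimal

def ale(sle, aro):
    """Annualized Loss Expectancy = SLE x ARO."""
    return sle * aro

def net_annual_savings(sle, aro, reduction, cost):
    """ALE1 - (ALE2 + countermeasure cost), where the countermeasure
    cuts the annualized rate of occurrence by `reduction` (0..1)."""
    ale1 = ale(sle, aro)
    ale2 = ale(sle, aro * (1 - reduction))
    return ale1 - (ale2 + cost)

def break_even_reduction(sle, aro, cost):
    """Likelihood reduction at which savings are exactly zero:
    SLE x ARO x r = cost  =>  r = cost / ALE1."""
    return cost / ale(sle, aro)

def rank(sle, aro, candidates):
    """Return (name, savings) pairs, best first; negative means not justified."""
    scored = [(name, net_annual_savings(sle, aro, r, c))
              for name, r, c in candidates]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

# Figures from the article's scenario
SLE = Decimal("495000000")
ARO = Decimal("0.01")

# (name, reduction in likelihood, annual cost).
# Row 1 is the article's example; rows 2 and 3 are constructed sample inputs.
CANDIDATES = [
    ("protective intelligence program", Decimal("0.50"), Decimal("100000")),
    ("technology solution (constructed)", Decimal("0.20"), Decimal("1200000")),
    ("policy change (constructed)", Decimal("0.05"), Decimal("20000")),
]

if __name__ == "__main__":
    for name, savings in rank(SLE, ARO, CANDIDATES):
        print(f"{name:36s} {savings:>12,.0f}")
    be = break_even_reduction(SLE, ARO, Decimal("100000"))
    print(f"break-even reduction for the $100,000 program: {be:.2%}")
```

Under the article's assumptions, the $100,000 program breaks even once it reduces the likelihood of the incident by roughly 2%, so the conclusion is not sensitive to the exact 50% estimate.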
Not every reader will have a need to quantify cost savings using risk management formulas; however, we feel it is important to show that this is relatively simple to do on your own when the situation calls for it.
There is no question that our organizations are exposed to violent threats, as demonstrated by the figures from the U.S. Department of Labor and the FBI. In the rare instance that these types of threats occur, they can be debilitating for an organization because of the immediate financial/litigation costs and the lingering damage to the organization’s brand.
Luckily, there are several ways to tackle the challenge of justifying the implementation (and budget) of proactive countermeasures. This can be done with security metrics or qualitative and quantitative assessments.
To learn more about the importance of establishing a proactive approach to security and how to establish a minimum standard when gathering or sharing intelligence, check out The Protector’s Guide to Establishing an Intelligence Baseline.