
Every Incident Tells a Story—Are You Listening?

Written by Haley Luis.

E-ISAC’s Haley Luis Shares Key Best Practices, Insights and Strategies for Tracking Physical Security Incidents

When a physical security incident is reported to your organization, where does that information go? What data is collected? What consistent factors, if any, are identified and documented? I encourage you to reflect on your own business practices and think about the data you can extract from the incidents reported. Is it organized? Is it clear? Is it meaningful?

Incident tracking practices vary drastically across organizations. Some take a less structured approach and manually log incidents with no consistent format or formal follow-up process. Others use an incident management system (IMS) or ticketing tool to capture a set of required details. In each case, there is an opportunity to transform and adapt these practices to produce strategic risk assessments.

This starts with developing a framework and methodology specific to your organization that can be used not only to identify threats, but also to assess their impact and the likelihood of their occurring. You are likely already familiar with the risk assessment formula of:

Threats + Impact + Likelihood = Risk

The bottom line is: being proactive can help identify areas of concern or precursors at a granular level before problems arise.

To get started, identify the elements, variables and impacts most important to your organization and structure a framework around them. Essential categories include incident and asset types and subtypes. These are the basic descriptors for a physical incident. Adding subtypes provides an additional layer of specificity that can be used to identify the underlying drivers of high-level trends. Think of incident type as the overall classification or category of an incident, with the subtypes adding additional clarification about the actions used to achieve the incident outcome.

I recommend excluding “sabotage” as an option under incident type. Doing so adds no value when attempting to extrapolate tactical trends from the data. Instead, consider describing intent within a separate field. This allows you to consistently evaluate the potential motive without sacrificing the ability to capture the tactic used in future trend analysis.

For assets, take inventory of your organization’s facilities and create a list of the items, equipment and materials within them. As an initial step, read through previous incidents to identify and document the assets and sub-assets most frequently impacted.

An additional area to capture is the impact an incident had on your organization. Create a set of criteria distinguishing levels of impact and customize and adjust based on asset type. Potential impacts from an incident at a “live” site will vary drastically from those at administrative sites, for example.

It is also important to capture costs associated with each incident. Try to use specific totals rather than a range. This will provide a more accurate reflection of the costs incurred. For geographic variables, think about what categorization measure would provide the most value to your organization. This will vary depending on company size and footprint. What is useful to a multistate organization may not be to a smaller municipal utility.

Perhaps most importantly, create a document with definitions for each variable captured. This is crucial for consistency and trend identification. If the incident characteristics are not applied consistently, then the data will lose its integrity. This is not to say that definitions cannot be changed and adapted as your incident tracking methodology grows and matures. Changes should, however, be documented and applied retroactively.

Advanced software is not needed to achieve this level of incident tracking. If your current IMS cannot be adapted, consider starting with a tool such as Excel: perform a manual assessment with built-in data validations, then chart and filter the data using pivot tables. This can be built upon and incorporated into dashboards to provide helpful visualizations.

Over time, the collection of this information in the form of a structured dataset can be leveraged to produce trend analysis and support proactive risk management. By consistently capturing a broad set of incident characteristics, you can help your organization understand multivariable risk within its footprint. You can analyze the data and look for trends related to each variable assessed. You can confidently determine which incident types pose the greatest risk to your organization by looking at the frequency of their occurrence paired with severity as defined by you. You can identify seasonal trends, asset vulnerabilities and additional areas of concern.
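As an added example (not code from the article or from E-ISAC), the framework described above expressed as a small Python dataset: the definitions document becomes controlled vocabularies, each record is validated against them (intent is its own field, and "sabotage" is not an incident type), incident types are ranked by frequency times average severity, and a per-quarter count supports the seasonal view. All vocabularies, severity levels and records are constructed placeholders.

```python
from collections import Counter, defaultdict
from datetime import date

# Definitions document encoded as controlled vocabularies (hypothetical values).
INCIDENT_TYPES = {"theft": {"copper", "tools"},
                  "intrusion": {"fence cut", "gate forced", "tailgating"},
                  "vandalism": {"graffiti", "gunfire", "equipment damage"}}
ASSET_TYPES = {"substation": {"transformer", "fence", "control house"}}
INTENTS = {"unknown", "opportunistic", "targeted"}       # motive, kept separate from tactic
SEVERITY = {"none": 0, "minor": 1, "moderate": 2, "major": 3}  # impact criteria

def validate(rec):
    """Return a list of consistency errors for one record (empty list = valid)."""
    errs = []
    if rec["subtype"] not in INCIDENT_TYPES.get(rec["type"], ()):
        errs.append(f"unknown type/subtype {rec['type']}/{rec['subtype']}")
    if rec["sub_asset"] not in ASSET_TYPES.get(rec["asset"], ()):
        errs.append(f"unknown asset/sub_asset {rec['asset']}/{rec['sub_asset']}")
    for field, vocab in (("intent", INTENTS), ("impact", SEVERITY)):
        if rec[field] not in vocab:
            errs.append(f"unknown {field} {rec[field]!r}")
    if not isinstance(rec["cost"], (int, float)) or rec["cost"] < 0:
        errs.append("cost must be a specific non-negative total, not a range")
    return errs

def risk_by_type(records):
    """Rank incident types by frequency x average severity, highest first."""
    count, sev = Counter(), defaultdict(int)
    for r in records:
        count[r["type"]] += 1
        sev[r["type"]] += SEVERITY[r["impact"]]
    ranked = [(t, count[t], count[t] * (sev[t] / count[t])) for t in count]
    return sorted(ranked, key=lambda x: x[2], reverse=True)

def by_quarter(records):
    """Seasonal view: incident counts per (year, quarter)."""
    return Counter((r["date"].year, (r["date"].month - 1) // 3 + 1) for r in records)

def make(d, t, st, a, sa, intent, impact, cost):  # compact record constructor
    return dict(date=d, type=t, subtype=st, asset=a, sub_asset=sa, intent=intent, impact=impact, cost=cost)

# Constructed sample records; the last is rejected: "sabotage" is a motive, not a tactic, and cost is a range.
RECORDS = [
    make(date(2023, 1, 14), "theft", "copper", "substation", "fence", "opportunistic", "minor", 1200),
    make(date(2023, 2, 3), "intrusion", "fence cut", "substation", "fence", "unknown", "minor", 800),
    make(date(2023, 7, 21), "vandalism", "gunfire", "substation", "transformer", "targeted", "major", 250000),
    make(date(2023, 8, 9), "theft", "copper", "substation", "fence", "opportunistic", "minor", 900),
    make(date(2023, 9, 1), "sabotage", "gunfire", "substation", "transformer", "targeted", "major", "10k-50k"),
]
```

Records that fail `validate` are excluded before ranking, so a single inconsistent entry cannot skew the trend data.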

A framework that reflects multiple elements means more data-driven insights. With the right framework in place, incident tracking becomes less about logging events and more about evaluating and preventing them.

———

About the Author:
Haley Luis is a Physical Security Analyst at the Electricity Information Sharing and Analysis Center (E-ISAC) with a strong background in critical infrastructure protection. In her current role, she focuses on analyzing incident data to identify threats and risks to the North American electric sector and improve situational awareness across industry. She was previously a security control center supervisor at a large gas and electric utility where she played a crucial role in ensuring the successful execution of real-time operations and incident response.