A common challenge for security programs across all industries is to demonstrate return on investment, cost savings, and reduction of risk. Even though the need for proactive security measures to protect human life and assets is self-evident, program managers are usually required to articulate to their senior leaders, in business terms, why specific security resources are necessary. This extends to protective intelligence (PI) programs as well, perhaps more so, since protective intelligence is generally concerned with proactively addressing risks before they materialize. Additionally, PI program efforts and successes are typically invisible to the organization (excluding those directly involved).

In this introductory article we will propose some of our ideas regarding what protective intelligence means to the bottom line of organizations and why it is a critical element of any security risk management strategy. In addition, we’ll give a simple breakdown of how one might assess the cost effectiveness of a protective intelligence countermeasure quantitatively.

Is the Risk Real?

Before we begin this conversation, it must be understood how exposed organizations are to risks such as workplace violence, insider threats, and related undesirable outcomes.

From the U.S. Department of Labor (2017):

  • There were 5,147 incidents of violence in the workplace.
  • Of all categories of fatal occupational injuries, the U.S. Department of Labor found that “violence and other injuries” were the third most frequent cause.
  • There were 351 workplace shootings documented in US workplaces. [1]

Second, in its April 2018 report titled “Active Shooter Incidents in the United States in 2016 and 2017”, the FBI cited business and commerce environments as the most common single setting of mass shootings (of 17 offenders at these locations, 8 were current or former employees).

What’s It Going to Cost if a Risk Materializes?

We know there is a legitimate risk of active shooter incidents and no organization is immune, but countermeasures for such risks can be costly and security managers are obligated to justify these expenditures in business terms. So how can this be done?

For one, we could rely on aggregate statistics from the US Department of Justice, OSHA, and related organizations; the only problem here is that these numbers tend to be dated and they are quoted (and misquoted) in media so often that most readers do not know what to believe. For the sake of accuracy and presenting you with timely figures, we will stick with recent concrete examples that we can point to.

Recent shooting incidents and their estimated costs are listed below:

  • Las Vegas Route 91 shooting: possible $800M settlement plus an immediate share price drop of nearly 5%
  • Orlando Pulse Nightclub shooting: $385M
  • Columbine High School shooting (included to provide some visibility for educational institutions): estimated cost to the school district of approximately $50M

The True Cost of an Active Shooter Incident

The true cost of an active shooter incident is made up of the following primary factors: brand damage (reputation, talent loss, share price, etc.), lawsuit costs, workers compensation costs, and lost productivity. Currently, there is no reliable, concrete data on aggregate costs to organizations affected by active shooter incidents. Therefore, it is most helpful to use recent incidents to develop a baseline. [2]

Cost Savings & ROI

Even a small protective intelligence program led by a competent leader can create significant cost savings for an organization. First, consider that cost savings can be put into quantitative terms for senior executives by using standard risk management formulas to show how the program reduces the likelihood of a risk event (more on this in the following sections). Second, cost savings come in other forms, such as potentially reducing insurance premiums and, in the event of litigation, being able to demonstrate the due care the organization has taken to protect employees. Third, there are a number of ancillary benefits such as brand management, ad hoc investigative support, and more.

Using the Ontic Platform as an Example

Our mission at Ontic is to empower teams by delivering actionable risk insights to them. Outside of giving clients a secure database, proprietary data integrations, and a social listening solution, an important aspect of our platform is its analytics dashboard.

It can be overwhelming to quantify the work of your protective intelligence program, and that’s why we capture all relevant security metrics in a single dashboard. It’s easy (or easier at least) to justify expenditures when program managers can point to the number of persons of interest that they are managing, actions taken by investigators, signals captured, BOLO reports disseminated to security staff, and more. Automating the routine and time-consuming tasks of security professionals frees them up for their most urgent tasks of the day.

How to Use a Quantitative Risk Analysis to Demonstrate ROI

Let’s use a fictitious quantitative risk analysis to demonstrate how one might show the return on investment of a protective intelligence countermeasure.
*As a reference for the below content relating to risk management formulas, we relied on writings from our expert industry peers: “(ISC)² Certified Information Systems Security Professional Official Study Guide” (8th Edition) and the ASIS “Protection of Assets” series.

The average cost to their respective organizations between the Las Vegas and Orlando shootings was approximately $495M. For this example, we will use this as our figure for asset value / single loss expectancy.

We will make the following assumptions in this scenario about our specific risk analysis for the risk of a shooting incident at our corporation:

  • Asset Value (AV) = $495M
  • Single Loss Expectancy (SLE) = $495M (loss expected if the risk materializes)
  • Annualized Rate of Occurrence (ARO) = 0.01 (expected to occur once every 100 years)
  • Annualized Loss Expectancy (ALE) = $495M x 0.01 = $4.95M (expected cost per year)

Given this information, we can evaluate various countermeasures such as a protective intelligence program, a technology solution, a policy change, etc. The most important factor to consider when selecting a countermeasure is that its cost and effectiveness make financial sense. So, how do we do this? There is a simple formula. We take our ALE without the countermeasure and subtract two figures from it: the ALE with the countermeasure and the cost of the countermeasure.

Formula: ALE1 – (ALE2 + Countermeasure Cost)

Of course, we want this equation to end in a positive number: the result is the annual savings for the organization if it deploys the countermeasure. If the equation ends in a negative number, the countermeasure is not a financially responsible choice.

Let’s suppose that implementing a simple protective intelligence program (a single analyst and a software solution) costs the organization $100,000/year and that implementing this program will decrease the likelihood of a shooting incident by 50%. This means that our new annualized rate of occurrence, after accounting for the countermeasure, is 0.005 (expected to occur once every 200 years).

Working Out the Numbers: What Would Our Cost Savings Be With the Countermeasure?

  • Original ALE: $495M x 0.01 = $4.95M
  • New ALE with countermeasure: $495M x 0.005 = $2.475M

(A)  $2.475M + $100,000 (the cost of the countermeasure) = $2.575M

(B)  $4.95M – $2.575M = $2.375M

(C)  The organization can save $2.375M annually by implementing this countermeasure.

Not every reader will have a need to quantify cost savings using risk management formulas; however, we felt it was important to show that this is relatively simple to do on your own when the situation calls for it.
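
The calculation above in generalized form, as an added example (not from the original article or the Ontic platform): it computes the net annual savings, the break-even risk reduction at which a countermeasure pays for itself, and how the savings change if the assumed 50% effectiveness is wrong. The `Countermeasure` class, the function names, and the "hypothetical costly option" are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float      # dollars per year
    risk_reduction: float   # fraction by which the ARO falls (0.5 = 50%)

def ale(sle: float, aro: float) -> float:
    """Annualized Loss Expectancy = SLE x ARO."""
    return sle * aro

def net_annual_savings(sle: float, aro: float, cm: Countermeasure) -> float:
    """ALE1 - (ALE2 + countermeasure cost); negative means it does not pay."""
    if not 0.0 <= cm.risk_reduction <= 1.0:
        raise ValueError("risk_reduction must be between 0 and 1")
    ale1 = ale(sle, aro)
    ale2 = ale(sle, aro * (1.0 - cm.risk_reduction))
    return ale1 - (ale2 + cm.annual_cost)

def break_even_reduction(sle: float, aro: float, annual_cost: float) -> float:
    """Smallest risk reduction at which the savings reach zero (cost / ALE1).
    A value above 1.0 means the countermeasure can never pay for itself."""
    return annual_cost / ale(sle, aro)

def sensitivity(sle, aro, cm, reductions):
    """Savings for the same cost under different effectiveness assumptions."""
    return {r: net_annual_savings(sle, aro,
                                  Countermeasure(cm.name, cm.annual_cost, r))
            for r in reductions}

# Figures from the article's scenario.
SLE, ARO = 495_000_000, 0.01
PI_PROGRAM = Countermeasure("protective intelligence program", 100_000, 0.50)
# Constructed for contrast; not from the article.
COSTLY_OPTION = Countermeasure("hypothetical costly option", 3_000_000, 0.50)

if __name__ == "__main__":
    for cm in (PI_PROGRAM, COSTLY_OPTION):
        print(f"{cm.name}: savings ${net_annual_savings(SLE, ARO, cm):,.0f}, "
              f"break-even at {break_even_reduction(SLE, ARO, cm.annual_cost):.1%}")
    for r, s in sensitivity(SLE, ARO, PI_PROGRAM, (0.01, 0.05, 0.25, 0.50)).items():
        print(f"  reduction {r:.0%}: ${s:,.0f}")
```

With the article's figures the program breaks even at roughly a 2% reduction in likelihood, so the positive result does not hinge on the 50% estimate being exact.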

Final Thoughts

There is no question that our organizations are exposed to violent threats, as demonstrated by the figures from the U.S. Department of Labor and the FBI. In the rare instance that these types of threats occur, they can be debilitating for an organization because of the immediate financial/litigation costs and the lingering damage to the organization’s brand. Luckily, there are several ways to tackle the challenge of justifying the implementation (and budget) of proactive countermeasures. This can be done with security metrics or qualitative & quantitative assessments.

Thank you for reading this introductory piece about our thoughts on how security professionals can demonstrate the ROI and cost savings that their initiatives bring to their organizations.

[1] U.S. Department of Labor, Bureau of Labor Statistics, Census of Fatal Occupational Injuries; https://www.bls.gov/news.release/pdf/cfoi.pdf

[2] http://fortune.com/2017/10/02/las-vegas-shooting-mandalay-bay-mgm-stock/

