top of page
  • Writer's pictureRamel Lee

Case Study: Risk Analysis Report for Pharmaceutical Headquarters


Risk Analysis Report


Report Prepared By


  1. Executive Summary

1.1 Purpose

To calculate risk to XXXX’s XXXXXXXXXXXXX Headquarters, recommend countermeasures to reduce, transfer, avoid, or accept risk, and provide a countermeasures budget.

1.2 Background

XXXX is a pharmaceutical company based in XxxxxxxxXxxxxxx but is headquartered in XxxxXxxxxXxxx, XxxxxxxXxxxxx. XXXX has recently developed a vaccine for the xxxxxxxxxxx and has several pending patents that can result in medical breakthroughs. Senior management has requested a risk analysis be conducted for their XxxxXxxxxXxxx headquarters where a majority of their research, sales, and high level meeting activities take place.

1.3 Assessment Process

The appropriate assessment process for the XXXX headquarters in XxxxxXxxxxXxxx is to conduct a risk analysis for facilities and structures. In formulating the risk the following calculation was used per the American Petroleum Institute/National Petrochemical and Refiners Association (API/NPRA) Methodology:

Risk = Probability * Vulnerability * Consequence

The methodology used to prepare the report is one created by security expert Thomas L. Norman, CPP/PSP/CSC as outlined in his book Risk, Analysis and Security Countermeasure Selection. The methodology used is DHS compliant. The steps in the process include:

  • Facility Characterization

  • Threat Assessment

  • Vulnerability Assessment

  • Risk Calculation

  • Countermeasures

  • Baseline Security Program

  • Key Assets for Special Consideration

  • Countermeasure Budget

  • Countermeasure Implementation Recommendations

Interview with key stakeholder were conducted to help determine valuations in threats, probability, vulnerability, criticality, and consequence. Tools used to calculate quantitative analysis includes:

  • Criticalities and Consequence Matrix

  • Adversary/Means Matrix

  • Adversary Sequence Diagrams

  • Crime Statistics

  • Asset Target Value Matrices

  • Surveillance Matrix

  • Circulation Path/Threat Nexus Points Matrix

  • Circulation Path/Weapons Nexus Matrix

  • Vulnerability Matrix

  • Risk Matrix (sorted and unsorted)

  1. Facility Characterization

The mission of XXXX is to provide the world definitive solutions to their health problems. XXXX is about curing diseases, not finding treatments. As noble a mission of XXXX, there are several threats that are of concern to senior management. Their headquarters in XXX is where senior management meets, academic research and development is performed, and the sales and marketing departments are located. Security, along with regulatory issues, political climate, and legal requirements are all concern of the management and employees of XXXX.

There are four classes of assets that are to be taken into consideration when conducting assessments: People, Property, Proprietary Information, and Business Reputation

  • People

  • Senior management

  • Management and Employees

  • Visitors

  • VIPs

  • Contractors

  • Delivery Personnel

  • Property

  • Reception Lobby

  • Xxx Avenue Exit

  • Offices

  • Research Library

  • Conference Rooms

  • Cafeteria

  • Mail Room

  • Passenger Elevators

  • Service Elevators

  • Stairwells

  • Utility Rooms

  • Proprietary Information

  • Pharmaceutical Formulas

  • Pending patents

  • Sales Predictions

  • Research Information

  • Business Reputation

The asset classes rank the same in criticality and consequence

  1. Proprietary Information

  2. People

  3. Business Reputation

  4. Property

Although the consequence matrix ranks people as second, it should be noted that loss of life is an unacceptable consequence.

  1. Threat Assessment

The threat assessment is used to determine the design based threat in which the baseline security program will based upon. Terrorist, Economic Criminals, Non-terrorist violent criminals, Subversives, and Petty Criminal were the potential threat actors that were analyzed for capabilities and probability of attack. While it has been determined that a state sponsored terrorist has the capabilities and would cause the worse consequences for XXXX, an industrial spy has the specific capabilities and the highest probability of attacking XXXX.

Therefore, the baseline security program will be based on the design based threat of an industrial spy using social engineering to gain access to classified information that is contained within our XxxxXxxxxXxxx headquarters.

However, XXXX is an international company and the threat of terrorism cannot be ignored. Key assets for special consideration will also be addressed.

  1. Vulnerability Assessment

Vulnerability Assessment revealed several vulnerabilities in the XXX location. In determining vulnerability we identified the mostly likely attack scenarios, identified what areas are most likely to be attacked, the threat actor’s weapons of choice, and their surveillance opportunities. The vulnerability assessment uncovered a lack of:

  • Physical Barriers – to prevent a truck or car bomb from destroying the property

  • Strong Information Technology Governance – to mitigate hacking and other information technology attacks from occurring

  • Background Investigation of Contractors and Visitors – Contractor and/or visitors may be subject to the usual criminal background investigation, however, there is no investigation conducted to ensure contractors and visitors aren’t affiliated with organizations that may seek to harm one of XXXX’s assets

  • Electronic Access Control – Once inside XXX location, access control is maintained by employees of XXXX. There is nothing preventing employee from moving freely into locations in which there is no authorization to be there.

  • Counter-surveillance Program – No program exist to determine is XXXX’s assets are under the surveillance of an adversary

  • Security Intelligence Program – No program exist to collect, analyze, process, and disseminate information regarding possible threat actors

The vulnerability assessment also uncovered intrinsic vulnerabilities that included current or former manager and/or employees with malevolent intentions toward XXXX.

  1. Risk Calculation

The American Petroleum Institute/National Petrochemical and Refiners Association (API/NPRA) Methodology of calculating risk was used:

Risk = Probability * Vulnerability * Consequence

All values are on 0-10 scale, with 10 being the greatest amount of risk exposure to AIPC.

Using the probability, vulnerability, and consequences matrices, the top risk were:

  • Employee exploiting weak IT governance to steal proprietary information

  • Industrial spy exploiting weak IT governance to steal proprietary information

  1. Countermeasures

Hi-tech, low-tech, and no-tech countermeasures can be used to address the risk that XXXX are exposed to.

  • Physical Barriers capable of stopping a truck or car from jumping the curb and driven into XXX site

  • Strong IT Governance Policy that will deter and/or prevent proprietary information from being destroyed, stolen, or lost

  • Electronic Security System that integrates electronic access control and surveillance

  • A robust security program that includes investigative, intelligence, and counter-surveillance units

  1. Baseline Security Program

The baseline security program is designed to stop the design based threat, which is an industrial spy using social engineering to steal pharmaceutical formulas.

The Baseline Security Program enhancements need to consist of:

  • Policies

  • Access Control

  • IT Governance

  • Employee Security Awareness

  • Establishment of a IT security group under the direction of the Chief Security Officer

  • Confidentiality

  • Security Training

  • Intelligence

  • Counter-Surveillance

  • Investigation

  • Computer Forensics

  1. Key Assets for Special Consideration

Although, the design based threat targeted asset is XXXX’s proprietary information, special consideration needs consideration when it comes to XXXX’s people and property. The biggest threat to XXXX’s people and property would be an attack by a religious or special interest terrorist organization. The vulnerability to such an attack is the lack of any barriers, active access control, and video surveillance of the site’s exterior perimeter.

Special Countermeasures should include:

  • Physical Barrier on site’s perimeter

  • Smart Card Technology Active Electronic Access Control

  • CCTV surveillance integrated with alarms, intrusion detection, and AC&D console

  1. Countermeasure Budget



Concrete Reinforced Bollards (8)


Smart Card ID Access Control System


Integrated Electronic Security System

$700,000 (estimate)

Security Department Training (20)

$8000.00/per employee



  1. Countermeasure Implementation Recommendations

Based on the calculated risk, countermeasures, and countermeasures budget, the following countermeasure implementations are recommended:

  • Steel bollards, reinforced with cement, 4 on the sidewalk in front and back of XXX sight

  • Smart cards with picture ID issued to all employees

  • Need to swipe in at reception lobby

  • Need to swipe into restricted areas

  • All visits must be pre-arranged

  • Integrated Electronic Security System

  • CCTV cameras

  • Intrusion Detection Sensors

  • Alarms

  • Security Training

  • Employee awareness

  • Security Intelligence

  • Counter-surveillance

  • Investigations

  • Computer Forensics

  • IT Governance

  • IT security team

  • Sufficient firewalls and anti-virus systems

  • Physical security of hardware

39 views0 comments
bottom of page