The ability to model risk is a critical skill as a security and intelligence professional



Security Risk Model for Westfield Parramatta



Commercial organizations rely on evidence-based security risk models to structure their security systems. Variable-based security risk models are developed to incorporate security variables that identify the risk posed by people visiting the organization or by the staff working there, and so inform decision-making at each branch or entry point. The security models optimize the security apparatus by centering on the variables that impact security risk (Sommestad, Ekstedt & Johnson, 2010). This paper presents a security risk model for Westfield Parramatta shopping center by analysing the different threats, risks, and scenarios to inform the security agencies at the mall. The model is based on data drawn from the western police department and other relevant scholarly documents.

Security System at Westfield Parramatta

Westfield Parramatta Mall is one of the premier fashion and lifestyle shops in Australia. The mall is located in Western Sydney and attracts a large pool of customers from within and outside Australia. Westfield Parramatta is ranked the second largest mall in Australia, with its current customers estimated at 28 million shoppers per year and the chain operating 490 stores. The large-scale operation poses various security threats to the organization that necessitate an operational security risk model. The giant mall has been in the news for the last two months with cases of mall shootings, robbery and terror threats. The mall management is restructuring its security system to have plans that can mitigate cases of insecurity. The top risks on the management list are fraud, theft, assault, fire and loss of IT service. The security model for this case is as illustrated in the figure below.

[Figure: Security Risk Model, with panels Security Objectives, Existing vulnerabilities, Current Security Measures, and Past Crimes and Threats]

Security Objectives

Westfield Parramatta management wants a system in which certain areas are only accessible by authorized staff. Customers are only allowed through the main entrance after scrutiny and authorization by the security guards at such points.

Consistency and availability

The model is to ensure the security apparatus at the mall is operational 24 hours a day. In addition, the emergency system must be on high alert for any emergency response.


The model is to ensure a system that monitors everybody in the mall to ensure all transactions are conducted with truthfulness, reliability, and honesty. The integrity monitoring will target security guards, staff working in the mall, customers, and suppliers.

Privacy and confidentiality

Security models must maintain privacy and confidentiality of information (Sommestad et al., 2010). The information sets to be kept with security persons include details of workers, customers, and anybody visiting the mall who registers at the security points. The security guards must ensure all collected information is preserved and made inaccessible to any unauthorized persons. Moreover, privacy and confidentiality ensure security camera footage is not accessible to unauthorized persons.

Assets in this model include but are not limited to personnel, operational activities, material, and information (Poolsappasit, Dewri & Ray, 2012). The extended definition of assets includes unobligated and unanticipated balances of appropriations, contracts, property, records, intelligence, physical infrastructure, and technology. For the case of Westfield Parramatta, personnel include the employees, customers, contractors and visitors. Material assets include items that can be assigned a value, such as the goods sold by various retail shops in the mall, the office equipment in each shop and structural accessories. According to Poolsappasit et al. (2012), information is an intangible asset that includes sensitive information, system software, databases and important records. Other intangible assets include proprietary information and reputation.

Assets Register

In this security model, an asset is anything that an individual or an organization deems to be of value. A survey of the mall produced a list of the various assets that are essential in defining the security details of the mall. The assets registered include the HVAC (Heating, Ventilation, and Air Conditioning) system, UPS AC system, AC Servers, Fire system, Access Control system, EWIS (Electrical Wiring Interconnect System), IT (Information Technology) servers, UPS (Uninterrupted Power Supply) and CCTV. The asset details are given for both level 1 and level 2, showing the cost, value, recommended replacement and criticality. The details from the asset survey are as presented in the Excel sheet.

Current Security Measures

Frisk at all Entry Points

The Westfield Parramatta Mall has security guards at all the entry points to frisk everybody before they pass through the gates. The security guards are under strict instructions not to allow anybody into the mall area who has not gone through the inspection process or who is carrying suspicious objects.

Metal Detectors

Every gate to the mall has a metal detector installed.

Security/ Surveillance Cameras

Westfield Parramatta has security cameras installed inside and outside its perimeters. The security cameras help the security guards spot suspicious activities inside the mall, allow the guards to investigate the scene and deploy security personnel if need be. The cameras are set at strategic locations to monitor the premises for any suspicious behavior and to curtail fights, violent flare-ups or any other criminal activities. Shostack (2014) explains that security cameras are used to monitor employee activities to capture instances of theft or misconduct. The presence of security cameras in the mall enhances customer confidence while shopping because they provide security assurance. Additionally, the camera footage can be used in crime investigation.

Past Risk

Risk, according to Young (2010), describes a person or state of affairs that poses a threat to the security of an organization. According to the Western police, the common risks that threaten the security of organizations are fraud, theft, burglary, assault, loss of IT service, arson, graffiti and property damage. Risk is a function of the possibility that the mall will be attacked and the nature of the harm the attack is likely to cause (Feng, Wang & Li, 2014). The computation formula for risk is given as:

Risk = Threat*Vulnerability*Consequences

Vulnerability defines the physical features or operational components of a company that render it open to exploitation or make the company susceptible to certain hazards (Ruan, 2014). The main vulnerability of Westfield Parramatta is the large-scale operations that create a large pool of customers, rendering the mall susceptible to attacks. According to Wheeler (2011), vulnerability assessment should involve identification of the physical features or the operational elements that leave the system, network, and assets in the mall exposed to hazards or insecurity. The mall management must have in place adequate security measures like surveillance cameras and enough guards to minimize vulnerability.


Consequence is defined as the result of 100% completion of a threat event. The level of consequence is determined by the nature of the threat or attack (Cox Jr, 2008). For example, if a robbery happens in the mall, the level of consequence is likely to be higher than in a case of theft by one customer. Robbers break into several shops, steal a number of items and in most cases cause a lot of destruction. Threats or hazards like arson have high consequence because fire affects a larger part. According to Schiuma (2011), the other factors that determine the level of consequence include the extent of fear instilled, the financial impact from the losses encountered and the regulatory responses.

A threat is a person or something that is likely to cause damage to people or property. Moreover, it includes a statement of an intention to inflict damage, pain, and injury in payback for something done or not done (Smith & Brooks, 2012). The security threat is a function of an opponent's capability and intent to carry out attacks. In this model, threat is determined by taking the product of the intent to do something and the capability of doing it.

Threat = Intent x Capability

Intent is the resolve or fortitude to do something. It refers to the determination to meet a set objective. According to Aafer et al. (2015), intent involves the desire and confidence to do something.

Intent = Desire x Confidence

Capacity to do something must include the availability or access to resources and the knowledge to do whatever is in the plan.

Capacity = Resources x Knowledge

A survey of the various security risks for commercial organizations in the recent past was conducted. Some of the risks identified arose from inside operations while others were external cases. The likely security risks and the corresponding categories of internal and external operations are as below.







  • Goods Receiving
  • Goods Dispatch
  • Petty Cash
  • Loss of IT Service
  • Network loss
  • Break & entry
  • Act of God

The security risks are as discussed below.

Several offenses are in the category of fraud. When one induces a course of action by dishonest or deceitful conduct with the intention of getting money, any benefit or evasion of liability, such conduct is fraudulent. Possession or use of forged financial papers with the intention of getting an advantage with them is fraudulent. Taking or converting property that is in another person's possession is an act of fraud. Individuals in authority getting rewards to influence their exercise of power is also fraudulent.

Theft is the common risk in malls. It describes the unlawful obtaining of money or property with the intent of depriving the owner. However, theft does not involve the use of force, deception, violence or coercion. Examples are customers obtaining goods from the mall without paying and employees in the mall unlawfully getting goods without paying. There are cases where customers steal items from other customers' bags, employees steal from customers or employees steal from their colleagues.


Burglary is the act of entering or attempting to enter the premises of the mall or a business enterprise within the mall without the consent or authority of the security guards or shop owner, with the intention of committing an offense.

Aggravated Assault

Assault describes the direct infliction of violence, force, and injury upon a person or a group of people. Assault is not limited to the actual infliction of force but includes the threat of violence or force in instances where apprehensions can be enacted. Aggravated assaults are those that involve aggravating circumstances and cause serious injuries to the body.

Fire is a common threat to the mall. Arson describes the intentional and unlawful destruction of property by fire.


Graffiti is the destruction of property by applying certain substances, such as paint or posters, to the surface of the property.

Property damage

Property damage is an act of drawings or omission with the intention of destroying property.

Level of Risk from Police Crime Statistics

The survey data from the Metropolitan State Police Service for the one year between July 2015 and June 2016 show the highest security risk in the property offenses category, which had a total of 17584 cases. In this category, the highest risk is theft with a record 7093 cases, followed by burglary with cases from dwellers within the premises at 3470 and non-dwellers at 2075. Coming in third is property damage with 2746 cases. The fewest cases in the property damage category were arson and illegal use, which registered 106 and 31 cases respectively. The second category is personal offenses, which registered 1870 cases. In this category, non-aggravated assault accounted for the largest number of cases, with 808. The least risks in the personal offense category during that period were murder and manslaughter, which had a single case each.

Taking the data from police statistics as the indicators of threat and vulnerability for each element of insecurity, the level of risk can be determined using the formula:

Risk = Threat*Vulnerability*Consequences

The results of the computation in Excel give the details shown in the table. The table shows the consequence of each case per shop and the average for each category.
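The computation described above, as an added example that is not the paper's Excel sheet: threat is taken as each offence's share of the police counts quoted in the text, and the factor formulas for threat are included as a helper. The vulnerability and per-incident consequence figures, and all function names, are constructed for illustration.

```python
# Added example, not the paper's spreadsheet.
# Counts: police figures quoted in the text (July 2015 - June 2016).
POLICE_COUNTS = {
    "theft": 7093,
    "burglary": 3470 + 2075,   # the two burglary figures quoted in the text
    "property damage": 2746,
    "non-aggravated assault": 808,
    "arson": 106,
}

# CONSTRUCTED values for illustration only:
# vulnerability = chance an attempt succeeds despite current controls (0-1),
# consequence   = assumed loss per incident in dollars.
ASSESSMENT = {
    "theft": (0.5, 150),
    "burglary": (0.2, 8_000),
    "property damage": (0.4, 1_200),
    "non-aggravated assault": (0.3, 5_000),
    "arson": (0.1, 400_000),
}

def threat_from_factors(desire, confidence, resources, knowledge):
    """Threat = Intent x Capability, each factor scored 0-1."""
    for score in (desire, confidence, resources, knowledge):
        if not 0.0 <= score <= 1.0:
            raise ValueError("factor scores must lie in [0, 1]")
    intent = desire * confidence          # Intent = Desire x Confidence
    capability = resources * knowledge    # Capacity = Resources x Knowledge
    return intent * capability

def threat_from_counts(counts):
    """Use each offence's share of recorded cases as its threat indicator."""
    total = sum(counts.values())
    return {offence: n / total for offence, n in counts.items()}

def risk_register(counts, assessment):
    """Risk = Threat x Vulnerability x Consequence, highest risk first."""
    threat = threat_from_counts(counts)
    rows = [(offence, threat[offence] * vuln * cons)
            for offence, (vuln, cons) in assessment.items()]
    return sorted(rows, key=lambda row: row[1], reverse=True)

if __name__ == "__main__":
    for offence, risk in risk_register(POLICE_COUNTS, ASSESSMENT):
        print(f"{offence:<24}{risk:>10.2f}")
```

With these constructed scores theft, the most frequent offence, ranks last while arson ranks second, which is the effect of the consequence term described in the text.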



Aafer, Y., Zhang, N., Zhang, Z., Zhang, X., Chen, K., Wang, X., … & Grace, M. (2015, October). Hare hunting in the wild android: A study on the threat of hanging attribute references. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (pp. 1248-1259). ACM.

Cox Jr, L. A. T. (2008). Some limitations of “Risk= Threat× Vulnerability× Consequence” for risk analysis of terrorist attacks. Risk Analysis, 28(6), 1749-1761.

Feng, N., Wang, H. J., & Li, M. (2014). A security risk analysis model for information systems: Causal relationships of risk factors and vulnerability propagation analysis. Information sciences, 256, 57-73.

Poolsappasit, N., Dewri, R., & Ray, I. (2012). Dynamic security risk management using Bayesian attack graphs. IEEE Transactions on Dependable and Secure Computing, 9(1), 61-74.

Ruan, X. (2014). Platform embedded security technology revealed: Safeguarding the future of computing with Intel Embedded Security and Management Engine.

Schiuma, G. (2011). Managing knowledge assets and business value creation in organizations: Measures and dynamics. Hershey PA: Business Science Reference.

Shostack, A. (2014). Threat modeling: Designing for security.

Smith, C., & Brooks, D. J. (2012). Security Science: The Theory and Practice of Security. Burlington: Elsevier Science.

Sommestad, T., Ekstedt, M., & Johnson, P. (2010). A probabilistic relational model for security risk analysis. Computers & security, 29(6), 659-679.

Wheeler, E. (2011). Security risk management: Building an information security risk management program from the ground up. Waltham, MA: Syngress.

Young, C. S. (2010). Metrics and methods for security risk management. Amsterdam: Syngress/Elsevier.