To What Extent do Physical Security Professionals in Ireland Adopt ISO 31000:2018 Risk Management Guidelines When Undertaking Security Risk Assessments?

  • William Leo Harris

Student thesis: Doctoral Thesis

Abstract

Undertaking ‘security risk assessments’ (SRAs) is a fundamental component of an effective risk management strategy, involving the identification, analysis and evaluation of risks to determine and prioritise the most significant security risks facing the organisation. The outcomes of SRAs aid decision-makers in selecting appropriate treatment plans from various options. Conducting inaccurate or ineffective SRAs can have devastating consequences for an organisation’s critical assets, reputation and viability. Central to undertaking SRAs is the identification and management of uncertainties associated with potential future events. This study aims to explore how extensive the adoption of ISO 31000:2018 Risk Management – Guidelines is among physical security professionals in Ireland when undertaking SRAs. It also considers which alternative standards, frameworks or processes they employ when they do not adopt this standard, as well as the challenges they face. An exploratory study was conducted over a five-year period, during which 30 security professionals were interviewed. The selection of interviewees was undertaken through purposive sampling, with the target population being identified as security consultants, in-house security professionals and security service providers. Data was gleaned through semi-structured interviews and analysed adopting reflective thematic analysis. The research identified that only three participants applied the process as outlined in the ISO 31000:2018, with one additional participant indicating use of an alternative defined methodology when undertaking SRAs. The remaining participants use a variety of approaches, frameworks and processes for conducting SRAs, which could benefit from a more formalised, logical and coherent structure. 
The lack of adoption of standards may be attributed to participants’ lack of knowledge about standards, their perception that the standards are complex, cumbersome and expensive to apply, and their lack of professional competency, due partly to a shortage of third-level educational courses in Ireland. The research also identified two variables that typically fall outside the scope of SRAs: the consideration of health and safety as an input, and the evaluation of the costs associated with adopting standardisation and implementing mitigation measures. It was also identified that future research is needed on the competencies required for security risk professionals and security professionals, as these may differ, requiring distinct training, knowledge and experience for each role. The research concluded with recommendations for providing a defined methodology that can be integrated into the ISO 31000:2018 process, with a requirement for the statement of scope to specify what is included in and excluded from the SRA process.
Date of Award: 26 Jun 2025
Original language: English
Awarding Institution
  • University of Portsmouth
Supervisors: Moufida Sadok (Supervisor), Simona Ciobotaru (Supervisor) & Aram Ghaemmaghami (Supervisor)
