Security Risk Assessment and Mitigation Prioritization

Similar documents
FlyntGroup.com. Enterprise Risk Management and Business Impact Analysis: Understanding, Treating and Monitoring Risk

Information Technology Risk Management

Supplemental Tool: Executing A Critical Infrastructure Risk Management Approach

Risk Workshop Overview. MOX Safety Fuels the Future

Vulnerability Assessment. U.S. Food Defense Team

BUILDING DESIGN FOR HOMELAND SECURITY. Unit IV Vulnerability Assessment

BUILDING DESIGN FOR HOMELAND SECURITY. Unit I Building Design for Homeland Security

1.20 Appendix A Generic Risk Management Process and Tasks

CONTINUITY OF OPERATIONS PLAN TEMPLATE

Seismic Design and Performance Criteria for Large Storage Dams

Chapter 5 RISK MANAGEMENT ANALYSIS CHAPTER 5 RISK MANAGEMENT ANALYSIS PAGE 49

Project Risk Management

CONTACT US TECHNICAL SUMMARIES: CONXL AISC PRE-QUALIFIED CONNECTION SMF CONNECTION

FERC Engineering Guidelines Risk-Informed Decision Making

The Office of Infrastructure Protection

I N S T I T U T E F O R D E FE N S E A N A L Y S E S NSD-5216

Strategic Risk Management for School Board Trustees

Project Risk Management. Presented by Stephen Smith

Section 6 Benefit-Cost Analysis

DECISION PROCESS AND OPTIMIZATION RULES FOR SEISMIC RETROFIT PROGRAMS. T. Zikas 1 and F. Gehbauer 2

Executive Protection Facility Security Convoy Escort

APPENDIX B Understanding the FEMA Benefit-Cost Analysis Process

How To Manage Transportation Asset Management

TESTIMONY OF DANIEL DUFF VICE PRESIDENT - GOVERNMENT AFFAIRS AMERICAN PUBLIC TRANSPORTATION ASSOCIATION BEFORE THE

Surveillance and Security Technologies for Bridges and Tunnels

Increasing Competitiveness / Lowering Costs with Supply Chain Management and Security Standards

A Risk Assessment Methodology (RAM) for Physical Security

Establishing A Secure & Resilient Water Sector. Overview. Legislative Drivers

Training Opportunities

Much attention has been focused recently on enterprise risk management (ERM),

RISK MANAGEMENT OVERVIEW - APM Project Pathway (Draft) RISK MANAGEMENT JUST A PART OF PROJECT MANAGEMENT

Federal Energy Regulatory Commission Division of Dam Safety and Inspections DRAFT RECOVERY PLAN FORMAT

Zurich s approach to Enterprise Risk Management. John Scott Chief Risk Officer Zurich Global Corporate

Nova Scotia EMO. Hazard Risk Vulnerability Assessment (HRVA) Model. Guidelines for Use. October, 2010

Asset Management Plan

A New Paradigm in Urban Road Network Seismic Vulnerability: From a Link-by-link Structural Approach to an Integrated Functional Assessment

Life Cycle Cost Analysis (LCCA)

Verizon, 911 Service and the June 29, 2012, Derecho

Which cybersecurity standard is most relevant for a water utility?

UNCLASSIFIED/FOR OFFICIAL USE ONLY. Department of Homeland Security (DHS) Continuous Diagnostics & Mitigation (CDM) CDM Program Briefing

Risk Assessment / Risk Management Protocol

How To Manage A Security System

December 23, Congressional Committees

Business Continuity Policy

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.

MAJOR PROJECTS CONSTRUCTION SAFETY STANDARD HS-09 Revision 0

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Three

For Official Use Only. Springfield-Greene County, Missouri Multi-Year Training and Exercise Plan (TEP) July 27, For Official Use Only

Ontario Pandemic Influenza Plan for Continuity of Electricity Operations

Chapter 4 Public Perspective: Economic, Environmental and Social Concerns

Aon Risk Solutions Aon Crisis Management. Crisis Management Consulting Terrorism Probable Maximum Loss (PML) Studies

TESTIMONY. Analyzing Terrorism Risk HENRY WILLIS CT-252. November 2005

Methods for Assessing Vulnerability of Critical Infrastructure

Success or Failure? Your Keys to Business Continuity Planning. An Ingenuity Whitepaper

Watershed Rehabilitation Program in Texas

Preparedness in the Southwest

Integrated Restoration Prioritization

QUANTITATIVE RISK ASSESSMENT FOR ACCIDENTS AT WORK IN THE CHEMICAL INDUSTRY AND THE SEVESO II DIRECTIVE

About the Port Authority

MONTGOMERY COUNTY, KANSAS EMERGENCY OPERATIONS PLAN. ESF14-Long Term Community Recovery

The Cybersecurity Journey How to Begin an Integrated Cybersecurity Program. Version 1.0 March 2005

All Oil and Gas Companies under the Jurisdiction of the National Energy Board (the Board or NEB) and All Interested Parties

Risk Assessment and Risk Management: Necessary Tools for Homeland Security

ICOLD POSITION PAPER ON DAM SAFETY AND EARTHQUAKES

Information technology Security techniques Information security management systems Overview and vocabulary

Risk - Based Inspection Frequencies

Threat and Hazard Identification and Risk Assessment

October Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical Industries, Second Edition

Flood Protection Structure Accreditation Task Force

Appendix V Risk Management Plan Template

State of the Art Paper 1 A framework for landslide risk assessment and management

ROLE OF THE MODELING, MAPPING, AND CONSEQUENCES PRODUCTION CENTER

PROJECT RISK MANAGEMENT

THE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS

Billing Code: 3510-EA

Flooding Emergency Response Exercise

Catastrophe Modeling: A New Approach to Managing Risk

Enterprise Risk Management

Western Washington University Basic Plan A part of Western s Comprehensive Emergency Management Plan

Yampolskiy, Analysis of Cyber Infrastructure Authentication Failure Vulnerabilities to Inform Security Decisions

Adapting to Climate Change Through Asset Management Planning. Tiffany Batac David Rose, PhD Parsons Brinckerhoff

Transcription:

Security Risk Assessment and Mitigation Prioritization Stephanie King, PhD, PE Weidlinger Associates, Inc. FFC Committee on Physical Security and Hazard Mitigation July 15, 2008 www.wai.com New York Massachusetts Washington DC New Jersey California New Mexico Edinburgh UK

Outline Introduction Security Risk Assessment Key elements and terminology Basic methods (screening) Critical issues Mitigation Prioritization Quantified benefit-cost analysis Critical issues Examples 2

Introduction Limited resources + competing priorities Where are the risks? Which risks are acceptable? What should be mitigated first? Which mitigation options are best? Specific to security Electronic v. Operational v. Hardening? How much protection is enough? Rational defense against irrational acts 3

General Components of Risk Management Risk Components and Terminology Threat Assessment Vulnerability Assessment 4 Risk = P[Event] x E[Consequences Event] Risk = Vulnerability x Criticality Risk = Threat x Vulnerability x Consequences Risk = Occurrence x Vulnerability x Importance Criticality/ Consequences

Risk Assessment Methods Threat Assessment 5 Likelihood of Occurrence Low High Minor Vulnerability Assessment Catastrophic Outcome if Event Occurs Criticality or Importance Assessment Slope of boundaries and definitions depend on risk tolerance

Risk Assessment Methods 100 EXAMPLE: AASHTO Guide for Bridges & Tunnels (2002) Quadrant IV Low criticality and high vulnerability Quadrant I High criticality and high vulnerability Vulnerability (Y) 50 Quadrant III Low criticality and low vulnerability Quadrant II High criticality and low vulnerability Visibility and Attendance Access to the Asset Site-specific Hazards 0 0 50 100 Criticality (X) 6 Defer/Defend Factors Loss and Damage Consequences Consequences to Public Services Consequences to the General Public

Risk Assessment Methods EXAMPLE: DHS ODP State Homeland Security Assessment and Strategy Program: Special Needs Jurisdiction Tool Kit (2003) 7 High Risk Threshold

8 Risk Assessment Methods

Risk Assessment Methods Risk = Asset Value X Threat Rating X Vulnerability Rating 9 EXAMPLE: Results from FEMA 452 (2005)

Risk Assessment Methods Fault-tree / Consequence-based Assessment Unacceptable Outcome Loss X Consequence Assessment Glazing = high hazard Response 5 AND OR Collapse Response 3 AND Vulnerability Assessment Event A Event A1 4K blast in city At location 1 Response 4 No Collapse Event A 4K blast in city Event A1 At location 1 Threat Assessment 10 Useful for multi-hazard risk assessment

Critical Issues: Assessment Definition of Risk Metric Stakeholders input and buy-in Subjectivity, Uncertainty, Quantification Transparent, rational, unbiased Consistency among assessors Simplifying assumptions Limitations on results Snapshot in Time = Re-Assess 11

Mitigation Prioritization Vulnerability Modeling Hazard Modeling Compute Pre-Mitigation Risk Consequence Modeling Compute Post-Mitigation Risk Repeat for all Mitigation Projects for Facility or System Estimate Mitigation Costs & Benefits Repeat for all Facilities and Systems 12 Develop Mitigation Project Priority

Mitigation Prioritization Occurrence (O) V Importance (I) Vulnerability Modeling Hazard Modeling Consequence Modeling Compute Pre-Mitigation Risk Compute Post-Mitigation Risk Risk = O x V x I Reduction in O, V, and/or I Repeat for all Mitigation Projects for Facility or System Estimate Mitigation Costs & Benefits Repeat for all Facilities and Systems 13 Develop Mitigation Project Priority

Mitigation Prioritization Threat scenario-based assessment n Risk = Σ [O i V i ] I i=1 threat scenarios Similar to earthquake insurance loss estimation methods Transparent impact of mitigation (hardening v. operational v. electronic) 14

Example I: Gravity Dam (HYPOTHETICAL) Upstream Face Outlet System Spillways Powerhouse A Abutment B Powerhouse B Downstream Face Abutment A Powerhouse C 15

Threat Scenario Definition Gravity Dam A Pedestrian Abutment A Water Borne Vehicle Borne Pedestrian Abutment B Water Borne Vehicle Borne Powerhouse A Pedestrian Vehicle Borne i = 1 to 21 Pedestrian Powerhouse B Vehicle Borne Powerhouse C Pedestrian Vehicle Borne Upstream Face Pedestrian Water Borne Downstream Face Pedestrian Vehicle Borne Spillways Pedestrian Water Borne Outlet System 16 Pedestrian Water Borne Vehicle Borne

Occurrence n Σ[O i V i ] I i Computed for each threat: Gravity Dam A Abutment A Vehicle Borne 17 Weighted sum of pseudo-utility values: O i =Σx j w j j=1 Attributes mapped to quantitative scale Access for attack Security against attack Attractiveness as a target Capability of aggressor 4

18 Example Utility Value Mapping

Vulnerability Computed for each threat: n Σ[O i V i ] I i Gravity Dam A Abutment A Weighted sum of pseudo-utility values: Attributes mapped to quantitative scale Expected damage Expected closure Expected casualties Vehicle Borne 3 V i =Σx j w j j=1 19

20 Example Utility Value Mapping

Importance Computed once for the facility Weighted sum of pseudo-utility values: Attributes mapped to quantitative scale Exposed population Historical/symbolic importance Replacement value Importance to regional economy Importance to irrigation system Importance for power generation Importance to transportation network Annual revenue n Σ[O i V i ] I i 8 I=Σx j w j j=1 21

Importance Modeling Example Historical significance (HS) Evacuation route (EV) Regional economy (RE) Transportation network (TN) Replacement value (BV) Revenue value (RV) Attached utilities (AU) Military importance (MI) Exposed population (EP) Importance to the Regional Economy: Insignificant = 0 Highly critical = 1 22

Pre-Mitigation Risk Scores (HYPOTHETICAL EXAMPLE) 23

Post-Mitigation Risk Scores (HYPOTHETICAL EXAMPLE) 24

Example II: Existing Building (HYPOTHETICAL EXAMPLE) Car Parking Interior Column Facade Exterior Column 25

Example III: New Design (HYPOTHETICAL EXAMPLE) Example: truck explosive at curbside 26

Critical Issues: Prioritization Based on rational, rigorous, and unbiased risk assessment Assumptions and limitations Benefits and costs Objectives and constraints Time frame Decision support 27

Example IV: Existing Tunnel Single deterministic threat Prioritize on all benefits and costs Benefits: Expected Performance (Reliability) Ease of Tunnel Repair Benefit to Emergency Response Secondary/Other Benefits Costs: Construction Cost Construction Risk Construction Duration Impact on Operations During Construction Impact on Operations Long Term 28

29 Benefit-Cost Comparison

Concluding Remarks Security risk assessment Components, basis, terminology Screening methods Assumptions and limitations Mitigation prioritization Risk-based, quantitative benefit/cost Rational unbiased approach Several other influences Economic, social, legal, political Rational assessment provides data 30

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information