Risk Analysis Methods - Research Paper Example

 Risk Analysis Methods Contents Contents 2 Introduction 3 MSRAM model 4 CARVER 8 DREAD model 10 References 11 Introduction Good risk assessment methodologies are an essential requirement and the cornerstone to the implementation of program that is used to protect critical infrastructure. There is large no. of methods that are used to critically evaluate the risks of important infrastructures. This existence of a large no. of methods supports the argument that risk assessment methods are an important requirement in order to implement the program to be used for protecting of critical infrastructure. The field of risk assessment is an indispensible field and is useful for identifying threats, accessing the vulnerability of critical processes, evaluating the impact on the assets, infrastructure or system given the probability of an occurrence of these perceivable threats. There are lots of risk assessment methodologies that are used to critically evaluate the risks that can occur on critical infrastructure. Almost all of these models follow a predefined approach that is common to all the methods and the approach contains certain specific elements. The common elements that are present are identification of classification of threats, identification of the vulnerabilities that are present and evaluating the impact of the threats (Giannopoulos, Filippini and Schimmer, 2012). These three steps are common to all risk assessment methods and form the backbone of any risk assessment methods. The factors that are used to differentiate in between the risk assessment methods are 1. The target audience or the audience which the method addresses 2. The scope of the risk assessment method 3. The applicability of the risk assessment method In the following pages three different risk assessment models are discussed at length. The models that are discussed in the follo0wing pages are MSRAM, CARVER and DREAD model. MSRAM model MSRAM model or Maritime Security Risk Analysis Model is a model that has been designed by the US coast guard for the purpose of mitigating the risk of terrorist attacks on US ports and waterways MSRAM was developed as a captain of the port level risk analysis tool soon after the incident of 9/11 occurred. As per the DHS strategic plan 2008-13, since it is not feasible to secure the United States again all possible forms of attacks that may occur or any other threats that may arise, they have made risk management as the primary basis of policy and resource allocation decision making. A principal of US coast guard operation is risk management. The task is challenging due to the fact that the organization is engaged in multiple missions. This however forms one of the criteria of US coast guard decision making. The ultimate aim is to form an integrated performance management system that is used for measuring risk, readiness and ROI. Figure 1 Understanding of risk (Source: Cooper, 2015) The first step in the risk management model is to understand the risk that is existent in the system. Understanding risk has several dimensions that are how likely is the fact that risk will occur? What are the things that can go wrong if the incident happens and finally estimating what can be the impacts if such an incident ever occurs? Based on these factors Risk is defined as a function of Likelihood and consequence. The unit is used to analyze the generic attack mode against a specific target. The department of homeland security planning scenario is also addressed. Each of the attack is defined in sufficient detail in order to support the analysis of consequences and vulnerabilities. The target of terrorist attack is defined in terms of class, location, consequences, location of the attack and other key facts that are used in the analysis of the attack. On the basis of target class and the potential consequence of every attack, no. of different attack modes has been specified for analyzing the consequences and the vulnerabilities. The value system is used to determine the consequence scoring and considers death and injury, economic impacts that are primary and secondary, impact on the environment, impact on national security and the impact that is symbolic. The value and scale to measure the different impacts is determined by the US coast guard leadership. The values of the system are used to represent that which characterizes the American people. Vulnerability of the system is further broken down in five different factors. The factors are achievability of attack, three factors that are related to the system security namely owner operator, local law enforcement and US coast guard and target hardness. The central theme of the MSRAM model is to be able to mitigate the risk. In order to be able to mitigate the risk, it should be able to assess the risk. The foundation of the risk assessment is held in historical experience, analytical methods and knowledge and intuition. The challenges that exist are that in case of the terrorism profiles there is poor availability of the data set and there is significant uncertainty of the frequency of attacks to occur and also there is uncertainty to the consequences. The risk can be strategic, operational, mission support or institutional. Figure 2 Residual risk returns (Source: Cooper, 2015) Figure 3 Risk impact of USCG intervention (Source: Cooper, 2015) Figure 4 Type of targets and required attack model (Source: United States Coast guard, 2010) Figure 5 Scenario: Target + Attack model (Source: United States Coast guard, 2010) Figure 6 Scenario timeline (Source: United States Coast guard, 2010) MSRAM is used to quantify the USCG and other stakeholders’ methodology in mitigating risks through the process of Protective measures and primary consequence mitigation CARVER The matrix was developed by the United States special operation forces during the Vietnam War. CARVER stands for Criticality, Accessibility, Recoverability, Vulnerability, Effect and Recognizability (Michaelis, 2000). The CARVER matrix is a system that is used in order to rank specific targets so that the resources that are used to attack can be efficiently used. CARVEWR matrix was actually developed in the time of World War II and is used as a simple tool to identify and eradicate targets. CARVER can be used both from the offensive as well as defensive perspective. The CARVER matrix was designed by the US security forces in order to rank the targets according to a scale in order to identify the targets which seemed most important from the point of view of the CARVER matrix and could be attacked at first. The system that is the CARVER is used to identify the targets and aid different security agencies in selecting a target and accessing their risk vulnerability. The system is used to access the risk vulnerability and help in target selection by calculating the value of a potential target and the ease with which the target can be neutralized. In other words the method is used to logically analyze the question that what one would like to do and what is possible to be achieved given the resource availability at hand. When used as part of the offensive strategy the matrix can be used to predict which target should be attacked at the first place and when used as a defensive strategy the matrix can be used to predict as to which the target that is most vulnerable is and needs additional protection. To elucidate the point the CARVER matrix can be used to identify possible areas that are most vulnerable and most strategically important assets and it is required to deploy additional security forces to protect the assets. The profiling of the risk vulnerability of a target is measured on a specific scale depending on the parameters that are motioned in the CARVER matrix. For example if one wishes to access a water sanitation process based on the matrix then it will look like the following. After analyzing the different parts of the water sanitation process through the CARVER matrix one finds that the sanitation process itself ranks highest with a score of 18. So it is the most important process and needs to be given extra protection if the matrix is being used for the defensive purpose and the target that should be attacked at the first place if the matrix is used for offensive purpose. DREAD model There are two types of model that are used to analyze risk. One is Quantitative and another is qualitative risk analysis model. In the quantitative risk analysis model the following steps are followed. First the value of the asset is accessed and assigned. The next step is to calculate the single loss expectancy by multiplying the asset value with the exposure factor EF that is expressed as a percentage. The last step is to calculate the Annualized loss expectancy by multiplying single loss expectancy (SLE) with ARO or in other words annual rate of occurrence. The method that is used to neutralize the risk should not cost more than the ALE or annualized loss expectancy. The quality risk analysis on the other hand is based on opinion. It uses rating values in order to evaluate the risk. One of the qualitative methods used to access risk is known as the DREAD model (Czagan, 2015). The dread model stands for and measures the threat to an asset in the following terms. D-Damage Potential- This is used to assess the degree to which the assets are affected R- Reproducibility- this parameter access the degree to which the attack can be reproduced E-Exploitability- What is the degree of ease with which the attack can be launched A-Affected- No. of users that is likely to be affected by the attack D- Discoverability- The degree to which the vulnerability can be easily discovered. Each threat is rated based on the above factors and the overall valuation determines the severity of the threat and is measured on a scale. References Michaelis, Dean., 2000. The Complete .50-Caliber Sniper Course: Hard-Target Interdiction. (NY: Paladin Press, 2000), 64-65. Czagan, Dawid. 2015. Qualitative Risk Analysis with the DREAD Model. accessed 2 April, 2015, http://resources.infosecinstitute.com/qualitative-risk-analysis-dread-model. Giannopoulos, Georgios. Filippini, Roberto., and Schimmer, Muriel. 2012. Risk assessment methodologies for Critical Infrastructure Protection. Part I: A state of the art. accessed 2 April, 2015, http://ec.europa.eu/home-affairs/doc_centre/terrorism/docs/RA-ver2.pdf. Cooper, David, 2015. United States Coast Guard Risk Management Overview. accessed 2 April 2015, http://www.orau.gov/DHSsummit/presentations/March17/plenary/Cooper_Mar17.pdf. United States Coast guard, 2010. Maritime Security Risk Analysis Model Overview for USCG-CREATE Maritime Risk Symposium. accessed 2 April 2015, http://create.usc.edu/Fu-Mowrer%20-%20Pres.pdf. Read More