
The Main Concerns of the Risk Management - Assignment Example


Extract of sample "The Main Concerns of the Risk Management"

Risk Management

Question 1:

Three methodologies that are useful in risk assessment/management are the Maritime Security Risk Analysis Model (MSRAM), Operational Risk Management, and CARVER, which stands for Criticality, Accessibility, Recoverability, Vulnerability, Effect and Recognizability. Each of these has advantages and disadvantages, but the most common problem is that they are aligned with the specific operation that they were designed for, and not necessarily with a broader perspective, with the exception of the Operational Risk Management methodology. However, even this methodology can be ineffective if the organization does not intend to put in the amount of time that is required to efficiently supply the necessary data.

The MSRAM was designed to create the basis of a ship security plan and meet all of the requirements necessary to make sure that the ship is fully secured. Nielsen writes that “a plan that addressing all relevant Maritime security areas of concern and therefore be considered as not sufficient and subsequently open up the opportunity to challenge the seaworthiness of the ship in question”.[1] The MSRAM generally aligns with the criteria established by DHS for risk assessment. It is considered to be reproducible, complete, documented, and defensible. The Coast Guard has worked towards improving the quality of MSRAM data and works towards training the staff and using tools so that the data can be entered efficiently into the model. However, some disadvantages include a lack of documentation and communication of the implications that arise from the key assumptions that are made under the MSRAM model. There are also some sources of uncertainty that affect the results.[2]

Kenett and Raanan explore a number of different advantages and disadvantages of the Operational Risk Management technique. They list the benefits of this technique as follows:

1. There is no dependency on a repository of risk events that already exists.
2. Even if a repository is available, this technique has the potential for preparing an organization for risks that may not have been identified. This is possible because they can be considered, and preparation for mitigation can be accomplished through strategic planning.
3. This technique can be used in a short period of time, which means that you do not need an accumulation of events in order to create a risk repository.
4. This technique can be used in addition to an existing risk repository.[3]

The disadvantages that Kenett and Raanan list are as follows:

1. The basis for this technique is developed through mapping of business processes throughout the whole business. This means that a significant portion of business activity may be left without security coverage. In other words, they can be too broad at some junctures.
2. The use of this technique requires a large team and will often include people from engineering, risk management, and the operations of the business. However, the people working within each of the units that require change will have to be the ones implementing the change, thus creating a disconnect between those who are making decisions and those who are in the process of implementation.
3. Without a significant history of events, the amount of time that it will take to create scenarios and the expenses involved in this creation can be daunting. This would mean that management would have to decide to use this process and do all the work needed in order to have it arrive at effective solutions.[4]

Primarily, it would seem that the advantage is that the methodology can be used even in a company that has not had a lot of the events associated with risk, while the problems are associated with the time and effort that it will take to create a workable methodology based on building scenarios.

One of the advantages of CARVER is that it can be used to generate options that can be considered useful for the mitigation of risk.
One of the activities of mitigating risk is creating proposals for these considerations, and this methodology provides reports for enhancing security while also reducing risk. Assessments through this methodology can be performed in order to measure how effective the changes have been in the mitigation of potential risks, as well as during events.[5] CARVER was originally designed by the US Special Operations Forces as a method of determining the value that a target has for military attack. Seven attributes are ranked on a scale of 1 to 10, and the averages provide an estimation for each component. The primary problem of CARVER is that it was designed for military applications, and while it does a good job of determining potential targets, it does not do much for the analyst in terms of understanding why that target would be of interest. This could be a disadvantage when trying to match motivation to the application of terror.[6]

Question 2

An IED is an improvised explosive device. IEDs have created an effective threat from both Iraqi and Afghanistan forces, are considered to be a weapon of choice, and are likely to remain part of the global war on terrorism for the near future. A good example of this is from 1983, when the barracks in Beirut, Lebanon came under attack from a truck bomb that killed 241 US Marines. Another example is Pan American flight 103, which was over Lockerbie, Scotland when it was bombed in 1988. The plane was carrying passengers who came from 21 different countries, but 189 on board were from America and were killed.
The Department of the Army, United States Marine Corps, has determined that the IED is a weapon of choice for terrorists because it is possible to kill a maximum number of people in one strike, creating a terrible and great destructive force.[7]

An examination of the IED as a weapon of choice has determined that it involves a complex set of activities that the enemy has put into place in order to create a scenario in which they use a device. In order to defeat this particular attack, it is essential to understand the enemy and the motivations that create the types of common activities that accompany this type of attack. This includes understanding planning, leadership, material procurement, financing, the making of the bomb, the way the target is selected, and how recruiting occurs in order to execute the attack. Defining this type of attack requires a holistic approach so that the requirements of the events can be identified and vulnerabilities mitigated.[8]

One reason that threat and risk assessments may be more needed for chemical and biological attacks is that they are a more difficult threat to contain. While an IED attack is primarily confined to a finite, localized area, a chemical or biological attack can be very broad, and the threat against civilians is far more complicated. In addition, agents whose characteristics make them very poor in terms of military applications can still be used in the deployment of chemical or biological attacks, meaning that discovering the who and why of these attacks is not as straightforward as it might be in an IED attack.
In addition, chemical and biological weapons are not always selected for their potential for fatalities, and terrorists may have other reasons to choose to deploy these particular methods.[9]

Another reason they can be considered for this particular comparison is that bombs can typically be identified through certain types of signatures, whereas biological and chemical weapons may not necessarily provide any means through which authorities can identify their existence. Previously, the development of biological and chemical weapons was not an easy task. It required getting certain types of materials and having access to the correct resources to develop these types of weapons. Unfortunately, with the development of the Internet and the higher possibility of being able to get certain types of materials, biological and chemical weapons can be made in someone's basement as easily as an IED. Unfortunately, even though military applications of these types of weapons are tragic, civilian applications can cause a great deal more damage over a wider area than most IEDs. Even taking the example of a nuclear device, the impact of chemical and biological agents can have a wider variation than even a nuclear level of destruction. As an example, the choice of weapon can lead towards death, but it can also lead towards temporary impairment, disfigurement, or injury. The use of a chemical or biological weapon has the potential for a wider variety of different types of events than that of an IED.[10] Fortunately, an IED is more commonly used, but the potential damage that can be leveled using either biological or chemical weapons is such that a more comprehensive threat and risk assessment is necessary.

Question 3:

Three infrastructure sectors that are critical for the continuation of public safety and function are the communication sector, the financial services sector, and the energy sector.
One of the ways in which these three sectors can be identified is through watching fictional representations of the consequences of taking over these particular sectors. The film Live Free or Die Hard (2007) shows the consequences of what happens when a terrorist takes over all three of these sectors, creating panic and a disruption of functionality deep enough that the terrorist is able to accomplish a completely different goal. In other words, they create a distraction that is difficult to overcome for both the public and the authorities. However, what appears to be fiction is actually rationally feasible. North Korea underwent a nationwide Internet blackout in December of 2014, providing an example of how an entire country can be affected by a communications event.[11]

Society has become dependent upon communications, and a lack of communications places everyone in a position of insecurity. This is especially true of government agencies that are trying to coordinate, as well as public services like the police, the fire department, and hospitals. It also creates panic when people cannot connect with their loved ones or with services that they may need. As a step one, this is a critical method of crippling a society.

The second sector that would affect society would be the financial services sector. According to the Department of Homeland Security, the perfect storm is when a hacker disables the communication sector and then proceeds to disable or cause havoc within the financial services sector.[12] Capitalism is at the core of how society functions within the United States. Attacking the financial services sector could create a number of different responses, including triggering a recession or depression. The Department of the Treasury is the government agency which is at the core of managing risk for the Banking and Finance SSP.
The bulk of the responsibility is through state regulatory agencies in terms of ensuring individual bank accounts, even though they are backed up by the federal government or the FDIC up to $250,000.[13]

The third infrastructure sector, which would contribute to the havoc that the first two would create, would be the energy sector. Energy is directly tied to everything from communications to the financial sector, as well as all sectors between and beyond. If the power goes out, activity ceases until power is restored. There isn't much that can be done without power. Taking out power is likely going to disrupt communications, hamper the financial sector, and affect all of the other infrastructures that have an effect on the continuation of society.[14]

Question 4:

Risk matrices are often used in organizations because they have an intuitive appeal and they are easy to use. Sometimes they're considered to be the only way in which to approach risk management because they create quantitative information, which is often scarce or even nonexistent. Unfortunately, Kent Wall has determined that the theoretical basis on which they are constructed is superficial and lacks validity in terms of qualitative information. The impact that they have suffers from most of the problems that come from subjective assessment. Often a qualitative approach is taken towards risk management, but the use of the risk matrix is common because it is a simple approach.[15]

Limitations of the Risk = Threat x Vulnerability x Consequence formula for risk analysis of terror attacks include a failure to adjust when correlations between components shift, an inability to add risks using the formula, and an inability to score risks and optimally allocate resources. Another limitation is that there is an intrinsic amount of subjectivity in the use of this particular formula, and it has too much ambiguity to have any real effect.
Using probabilities for actions instead of modeling adaptive pursuits of goals in terms of available information is a path towards making mistakes that will have a high cost. Without techniques that allow for rational planning and adaptation, the approach is not necessarily going to be very effective in terms of the qualitative issues involved.[16]

In an opinion piece, Jeff Lowder goes on to discuss why this particular formula is mathematical nonsense. He begins his argument by stating that risk analysis is based on decision theory and is further defined by expected value, or utility theory. To understand why this is important, you have to understand that the value of an action in expected value or utility theory is a weighted average. It is calculated over possible outcomes that are jointly exhaustive and mutually exclusive. These probabilities are then multiplied to discover the possible outcomes in terms of utility. However, the equation that is being discussed here is unclear and involves incoherent mathematics.[17]

One of the reasons why this doesn't work is that the concepts of threats and vulnerabilities, while relevant to the outcome of an event, are not relevant to the probability. Plugging those concepts into a mathematical formula doesn't work because there are no units for threats and vulnerabilities. In addition, looking at this formula shows that it violates various axioms of probability theory and of inductive logic. In terms of inductive logic, risk needs to be evaluated for all potential outcomes, but the formula doesn't allow for that. It only looks at security threats.
In fact, it could be said that it only looks at a single security threat, and therefore its value approach doesn't allow for all possible outcomes.[18] Lowder goes on to explain that the formula is not a literal mathematical formula, but unfortunately it is being used as one because the people who are using it do not understand that it is representative rather than actual. It can be used as a way to state that security risk can be defined as a function of vulnerabilities, threats, and consequences, but it is just a representation and not something that should actually be used as a formula.[19]

Bibliography

Cox, Louis Anthony. “Some Limitations of ‘Risk = Threat x Vulnerability x Consequence’ for Risk Analysis of Terrorist Attacks.” Research Gate, 2015. Accessed 25 April 2015 from http://www.researchgate.net/publication/23464582_Some_limitations_of_Risk__Threat_x_Vulnerability_x_Consequence_for_risk_analysis_of_terrorist_attacks

Department of Homeland Security. "Banking and Finance Sector-Specific Plan", November 5, 2012. Accessed March 10, 2015. http://www.dhs.gov/sites/default/files/publications/nipp-ssp-banking-and-finance-2010.pdf

Department of Homeland Security. "Communications Sector-Specific Plan: An Annex to the National Infrastructure Protection Plan." Communications Sector | Homeland Security. June 12, 2014. Accessed March 10, 2015. http://web.archive.org/web/20141107223442/http://www.dhs.gov/xlibrary/assets/nipp-ssp-communications-2010.pdf

Guaracio, Massimo. Safety and Security Engineering IV. New York: WIT Press.

Headquarters, Department of the Army, United States Marine Corps. “Improvised explosive device defeat”, September 2005. Accessed on 21 April 2015 from https://fas.org/irp/doddir/army/fmi3-34-119-excerpt.pdf

Lowder, Jeff. “Why the ‘Risk = Threat X Vulnerability X Consequence’ Formula is Mathematical Nonsense”. Information Security Magazine. Accessed on 25 April 2015 from http://www.bloginfosec.com/2010/08/23/why-the-risk-threats-x-vulnerabilities-x-impact-formula-is-mathematical-nonsense/

Kenett, Ron & Yossi Raanan. Operational Risk Management; a Practical Approach to Intelligent Data Analysis. New York: Wiley & Sons.

Nielsen, Detlef. Maritime Security and Met: [proceedings of The] Six Annual General Assembly (aga) of the International Association of Maritime Universities, Hosted by the World Maritime University, October 24-26, 2005, Malmö, Sweden. Southampton, Boston: WIT Press, 2005.

Norman, Thomas L. Risk Analysis and Security Countermeasure Selection. Philadelphia, PA: CRC Press.

Shea, Dana A. and Frank Gottron. “Small-scale Terrorist Attacks using Chemical and Biological Agents: an Assessment Framework and Preliminary Comparisons”, 20 May 2004. Accessed on 21 April 2015 from http://fas.org/irp/crs/RL32391.pdf

The Guardian. “North Korea’s Internet Temporarily Blacked Out”. Accessed on 22 April 2015 from http://www.theguardian.com/world/2014/dec/22/north-korea-suffers-internet-blackout

U.S. Government Accountability Office. “Coast Guard: security risk model meets DHS criteria, the more training to enhance its use for managing programs and operations”. Accessed on 22 April 2015 from http://www.gao.gov/products/GAO-12-14

Wall, Kent D. “The Trouble with Risk Matrices”. 18 August 2011. Accessed on 22 April from http://www.nps.edu/Academics/Centers/DRMI/docs/DRMI%20Working%20Paper%2011-2.pdf