SM05: Risk Analysis: A Comparison in Quantifying Asset Values, Threats, Vulnerabilities and Risk. Doug Haines Haines Security Solutions 9 April 2013

Transcription

1 SM05: Risk Analysis: A Comparison in Quantifying Asset Values, Threats, Vulnerabilities and Risk Doug Haines Haines Security Solutions 9 April 2013 The Broad Picture Learning Objectives Know the differences between Quantitative and Qualitative Analysis Assess and select the right methodology that serves you best Quantitative versus Qualitative Comparing MSHARPP, CARVER and RAVA 1

2 Quantitative v. Qualitative Qualitative analysis Relies on the individual s expertise Differs between individuals Not consistent over time Can work one-time or on an isolated basis Quantitative v. Qualitative Quantitative analysis Doesn t rely on the individual s expertise Doesn t differ significantly between individuals Consistent over time Works especially well for multiple assets 2

3 Risk Management Is not IS IT OVER, Complete risk avoidance YET? Developing the bunker or Ft Knox mentality Is Identifying all potential threat scenarios Accepting some level of risk CAN WE COME OUT NOW? Risk Analysis Why is identifying and understanding risk so important? Maybe it s cheaper to replace than to repair Maybe a loss isn t so bad Maybe there really is no threat 3

4 Risk Analysis Results What am I protecting (Asset) Protecting from what? (Threat) Am I in trouble? (Vulnerability) How much? (Risk)? What can I do? (Countermeasures) At what costs? (Cost benefit) What should I do first (Priorities) Risk Analysis Team Stakeholder Buy-in Must agree on asset value and priority Design Basis Threat (DBT) Weapons characteristics Levels of protection Vulnerabilities MSHARPP & CARVER No required for RAVA 4

5 M-S-H-A-R-P-P Background Primarily developed as a tool to assist asset owners on how to mitigate terrorist attacks Very adaptable Takes the perspective of the asset owner MSHARPP Mission Symbolism History Accessibility Recoverability/Recuperability Proximity Population 5

6 MSHARPP MATRIX ASSET M S H A R P P TOTAL Parking Lot Shops Parts Store Sales Offices MSHARPP Why it s important to have a different perspective 6

7 C-A-R-V-E-R Background Developed as a tool for US Special Forces Vietnam era Used to assess and determine value to military attackers From outside looking in C-A-R-V-E-R Criticality Accessibility Recoverability Vulnerability Effect on Population Recognizability 7

8 CARVER MATRIX ASSET C A R V E R TOTAL Parking Lot Shops Parts Store Sales Offices MSHARPP or CARVER MSHARPP CARVER INSIDE LOOKING OUT vs OUTSIDE LOOKING IN 8

9 Risk Analysis Vulnerability Assessment (RAVA) How about both? Plus a cost benefit tool, too! Prioritization list Implement countermeasures that will have the biggest risk reduction on the largest amount of people first MSHARPP CARVER + Cost Benefit Analysis & Prioritization = RAVA RAVA Developed by US Navy Naval Facilities Engineering Command (NAVFAC) As part of overall FAA project Several other contractors Antiterrorism Services Branch (ASB) Success likelihood validated onsite 9

10 Threat Analysis Not all threats are created equal Assumes attack will be successful Takes in to account likelihood of attack Threat Value Local Law Enforcement capabilities: Well trained and equipped and ready to assist 1 Limited resources and not well trained 3 No local resources available 5 Score 5 Organized crime, Gangs involved in thefts and/or theft rings are: Not in the geographic area 1 Known to be in the geographic area 2 Unknown if in the area 3 Known to be in the immediate vicinity 6 Score 3 10

11 Threat Value Initial Threat Likelihood (ITL) without adjustment = 0.65 Final Threat Likelihood (FTL) with adjustment = 0.65 Threat likelihood and effectiveness can be characterized as follows: Very Low Low Moderate Elevated Significant Critical Asset Analysis What are we protecting? Facilities People Money Processes/systems 11

12 Asset Value SME Perceived probability of success (Ps) in accomplishing an attack: Low probability of success <30% 1 Moderate possibility of success 30% to 85% 30 High probability of success >85% 70 Score 70 SME perceived level of sophistication required to carry out a successful attack: Aggressor would need paramilitary capability and have foreign country intelligence support Aggressorwould need exceptional sophistication, have financial support and advanced ability to collect intelligence Aggressor would need some level of sophistication, have some financial support and have limited ability to collect intelligence Score Asset Value TARGET ANALYSIS Asset Value to the Organization (AO) = 0.85 Asset Value to the Threat (AT) = 0.70 Total Asset Value (AV) = 0.78 The total asset value is the average of AO and AT. It can be characterized as follows: Very Low Importance Low Importance Moderate Importance High Importance Very High Importance 12

13 Vulnerability Analysis Baseline Where you are today Defense in depth Layer 1 (boundary perimeter) Layer 2 (internal boundary) Layer 3 (asset façade) Layer 4 (interior area) Vulnerability Value Ref # LAYER 1: Outer most perimeter (Example: Installation perimeter fence) Question 1 Is the asset located on a defined (actual physical barrier) and controlled (not easily bypassed) installation or compound? YES (1.0) NO or asset forms part of the perimeter (10.0) (If you answer NO, select the highest baseline value for all questions in Layer 1 and then go on to Layer 2) Baseline Value Optimized Value Mitigation Category PS 13

14 Vulnerability Value Ref # LAYER 2:Dedicated Asset perimeter/enclave (Example: fence around an antenna array) Question 1 Does the enclave perimeter barrier have lighting sufficient to detect movement (greater than 0.5 foot-candles)? YES (1.0) NO perimeter lighting or NO defined and controlled enclave perimeter (3.0) Baseline Value Optimized Value 3 3 Mitigation Category PS Vulnerability Optimized Where you can be after implementing countermeasures Module is intuitive enough to discount countermeasures that won t affect a risk change 14

15 Vulnerability Value Ref # LAYER 1: Outer most perimeter (Example: Installation perimeter fence) Question 1 Is the asset located on a defined (actual physical barrier) and controlled (not easily bypassed) installation or compound? YES (1.0) NO or asset forms part of the perimeter (10.0) (If you answer NO, then select the highest baseline value for all questions in Layer 1 and then go on to Layer 2) Baseline Value Optimized Value 10 1 Mitigation Category PS Vulnerability Value Ref # LAYER 2:Dedicated Asset perimeter/enclave (Example: fence around an antenna array) Question 1 Does the enclave perimeter have lighting sufficient to detect movement along the perimeter (greater than 0.5 foot-candles for 25 feet on each side of the perimeter? YES (1.0) NO perimeter lighting or NO defined and controlled enclave perimeter (3.0) Baseline Value Optimized Value 3 1 Mitigation Category PS 15

16 Risk Analysis Culmination of threat, asset & vulnerability (optimized) Determines calculated value of risk to a specific target (asset) by a specific threat Threat x Asset Value x Vulnerability = RISK Value Risk Calculations ANALYSIS OF RISK REDUCTION THREAT BASELINE RISK OPTIMIZED RISK % DECREASE REDUCTION Explosive % 0.48 Standoff % 0.34 Covert % 0.49 Overt % 0.45 Chem/Bio % 0.50 AVERAGES % 0.44 ANALYSIS OF VULNERABILITY REDUCTION THREAT VULNERABILITY VULNERABILITY VULNERABILITY REDUCTION Explosive % 0.58 Standoff % 0.41 Covert % 0.59 Overt % 0.54 Chem/Bio % 0.60 AVERAGES %

17 Value Risk Calculations Risk Risk Level Explosive Standoff Covert Overt Chem/BioAverages Threats Baseline Risk Vulnerability Level Vulnerability Explosive Standoff Covert Overt Chem/Bio Threats Baseline Vulnerability Cost Benefit Analysis PROTECTION RISK Provides Cost Benefit Analysis (CBA) Is based on cost versus reduction in vulnerability and risk Helps determine if the countermeasure is worth spending the money on Allows decision makers to prioritize funding Address countermeasures that provide the greatest amount of risk reduction to the greatest number of personnel first 17

18 Cost Benefit Analysis BASELINE RISK OPTIMIZED RISK RISK REDUCTION COST BENEFIT RATIO % 1,077 Note: 1. Baseline = current condition w/o countermeasures being implemented. 2. Optimized = future condition w/ countermeasures being implemented. 3. Results of RA equation measuring cost effectiveness. In general, the lower the number the more cost effective the countermeasures are in mitigating the risks. Refer to scaled matrix below for details. SCALED MATRIX FOR COST EFFECTIVENESS > 5001 are not cost effective and should not be implemented may not be cost effective are minimally cost effective are moderately cost effective are cost effective and should be implemented are extremely cost effective and should be implemented SCALE MATRIX FOR RISK VERY LOW LOW MODERATE HIGH VERY HIGH Cost Benefit Analysis Countermeasure# Description (Short title) ROM Cost Estimate ($K) 1 Install perimeter fencing 1,000 2 Increase Lighting Install electronic security system (CCTV) 10 4 Upgrade entry points 4,000 5 Post guard (hours of darkness) 5,000 Total 10,160 18

19 Cost Benefit Analysis Countermeasure ROM Cost Estimate ($K) Average Cost Benefit 1 Install fence 1, Increase lighting Install Electronic Security Upgrade access points 4,000 3,378 5 Post Guard 5,000 4,472 Cost Benefit Analysis Acceptance Matrix CBA Values: > 5001 are not cost effective and should not be implemented may not be cost effective are minimally cost effective are moderately cost effective are cost effective and should be implemented are extremely cost effective and should be implemented Instructions: Populate columns 1 & 2. Reference the cost benefit ratio column using the Cost Benefit Analysis Acceptance Matrix at left. Summary Quantitative is better than Qualitative Don t go it alone/get help Variety of methods out there Choose the methodology that works best for you 19

20 Questions Contact Information Tel: (805) Website: 20