Risk Analysis

Completing the Risk Analysis Puzzle

A Presentation by Michelle Magario
For BSDP 583 Spring 2012
 Table of Contents

• Part 1: • Part 2:
• Risk Analysis • Interventions
• Limitations • Recommendations
• Interdependency • Budgetary considerations

• Part 3
• In Practice
 Purpose Statement

Purpose: Protect Defend

• Characterize
• Define
• Mitigate
• Eliminate
Risk Management

© Copyright 2004 Risk Mitigation Associates -- All rights reserved.

 Risk Analysis

• Phase 1 • Phase 2
– Analyze Risks – Countermeasures
 Assets  Mitigation Opportunities
 Threats  Plan Development
 Vulnerabilities  Policy Institution
 Risks
Phase 1
 Risk Assessment: Phase 1

• Asset Characterization
Risks Assets • Criticality Analysis
• Threat Identification
• Consequence Analysis
• Vulnerability Analysis
• Probability Assessment
Vulnerabilities Threats • Risk Assessment
• Risk Prioritization
• Risk Management
Risk Assessment: Phase 1

Assets

People
Property
Proprietary Information
Reputation
 Risk Assessment: Phase 1

• Criticality Analysis
Understand -which assets are critical
• Mission related

Describe -describe the asset

• Location
• Type

Rank -assign a value

• Numeric
• Relative
 Risk Assessment: Phase 1

Hazard Threat
• Natural • Manmade
• Manmade • Intentional
• Unintentional • With Malice
• Safety • Terrorists
• Security • Petty or Economic Criminals
• Disasters • Subversives
• Political/Military
• Environmental or Behavioral
 Risk Assessment: Phase 1

• Consequence Analysis
– Losses
• Human life
• Property
• Proprietary information
• Reputation
– Impact
• Environmental
• Economical
 Risk Assessment: Phase 1

• Vulnerability Analysis
Define

– 3 distinct steps
• Define
• Evaluate
• Identify Vulnerability

Identify Evaluate
 Risk Assessment: Phase 1

• Probability Assessment
– View point dependent
– Based on attractiveness
– Historic Data
– Statistics
Risk Assessment: Phase 1

Risk =
Probability x Vulnerability x Consequence
 Risk Assessment: Phase 1

• Risk:

Assess
– Assessment
– Prioritization
Prioritize
– Management

Manage
Phase 2
 Risk Assessment: Phase 2

Countermeasures
• Mitigation opportunities
Policy
– Safety Safety
– Security
– Policy Development Security

• Enforcement
• Costs
Mitigation
 Risk Assessment: Phase 2

Safety: In Place Safety: In Need Of

• Identify • Identify
• Evaluate • Evaluate
• Enforce • Implement
• Assess
• Enforce
 Risk Assessment: Phase 2

Security: In Place Security: In Need Of

• Identify • Identify
• Evaluate • Evaluate
• Enforce • Implement
• Assess
• Enforce
 Risk Assessment: Phase 2

• Policy Development and Implementation:

Trigger

Monitor Review

Approval Impact

Expert
Review
Phase 3
 Risk Assessment: Phase 3

• In Practice:
– Small facility
– 5 employees
– Widgets
 Risk Assessment: Phase 3

Asset Risk Consequence Vulnerability Probability

Employees 12 2 3 2
Facility 16 4 2 2
Equipment 20 5 2 2
Proprietary info 100 5 5 4
Reputation 125 5 5 5
 Risk Assessment: 3
Asset Risk Consequence Vulnerability Probability
Employee 12 2 3 2
 Risk Assessment: 3
Asset Risk Consequence Vulnerability Probability
Facility 16 4 2 2
 Risk Assessment: 3
Asset Risk Consequence Vulnerability Probability
Equipment 20 5 2 2
 Risk Assessment: 3
Asset Risk Consequence Vulnerability Probability
Proprietary info 100 5 5 4
 Risk Assessment: 3
Asset Risk Consequence Vulnerability Probability
Reputation 125 5 5 5
 Risk Assessment: Phase 3

• Prioritization

Asset Risk
Reputation 125
Proprietary Information 100
Equipment 20
Facility 16
Employees 12
 Risk Assessment: Phase 3

• Countermeasures

– QA/QC support
– Sabotage protection
– Computer back-up and security
– Visitor management
 Risk Assessment: Phase 3

• Policy Development and Implementation

 References

Booz-Allen and Hamilton, Inc. (2000). Analytical risk management: A course guide for

security risk management.

Norman, T. L. (2010). Risk Analysis and Security Countermeasure Selection. Boca

Raton, FL: Taylor & Francis Group.