Risk Analysis Formula

Managing risk is a vital part of creating a secure and resilient infrastructure. Since resources are limited, an organization must prioritize risks in order to determine how best to use those resources to minimize risk. This is accomplished in part by identifying potential threats and then using a formula to calculate the risk posed by each threat, which yields a prioritized list of threats to focus on.


Risk Score = Threat x Vulnerability x Consequence

While a risk analysis, in part, is intended to provide a prioritized list of threats, for this discussion simply select one example of a threat that could impact your sector, or a particular region of your sector. Provide a risk score based on the formula above (use a 1-10 scale for each variable: 1 = lowest and 10 = highest).

1) List a viable threat. (could be geographically specific)
2) How Vulnerable is the sector to the threat? (based on statistical data from previous occurrences or an analysis by a subject matter expert)
3) What is the consequence to your sector should the threat actually occur? (based on statistical data from previous occurrences or an analysis by a subject matter expert)

I have provided 2 different examples below for the same type of event in order to shed light on the difference in scores based on geographic location:


EXAMPLE 1 (remember, the numbers are simply a best guess, so don’t fret about getting them exact)

Impact area: Water Wastewater Sector in New Orleans

  • Threat = 1 (sub-freezing temperatures for an extended period of time; an uncommon occurrence)
  • Vulnerability = 9 (most water systems in New Orleans are not designed for such an event)
  • Consequence = 7 (the 2018 storm reflected a significant impact on the water system)

1 x 9 x 7 = 63

Risk score = 63 (this is a relative score that would be ranked against other risk assessments)

EXAMPLE 2 (remember, the numbers are simply a best guess)

Impact area: Water Wastewater Sector in Denver, Colorado

  • Threat = 9 (extended periods of sub-freezing weather are common)
  • Vulnerability = 1 (Colorado regulations ensure that water systems are designed for such an event)
  • Consequence = 3 (extreme freezing weather has some impact on water systems but no major impacts)

9 x 1 x 3 = 27

Risk score = 27 (this is a relative score that would be ranked against other risk assessments)
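The following Python script is an added example, not part of the assignment or the slide deck. It turns the Threat x Vulnerability x Consequence formula into a small risk register: each factor is validated against the assignment's 1-10 scale (a 0 or an out-of-range value would silently distort the product), the entries are ranked highest score first, and a helper flags which controllable factor (vulnerability or consequence) most drives each score. Scenarios 1 and 2 are the two examples above; the third entry, and the "lever" heuristic, are assumptions constructed for this example.

```python
"""Risk register using the course formula Risk = Threat x Vulnerability x Consequence.

Added example: this code is not part of the assignment text or the slide deck.
Scenarios 1 and 2 are the assignment's own New Orleans and Denver examples; the
third scenario is a constructed placeholder, included only so the ranking has
more than two entries. Every factor uses the assignment's 1-10 scale.
"""
from __future__ import annotations

from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 10
FACTORS = ("threat", "vulnerability", "consequence")


def on_scale(value: object) -> bool:
    """True if value is an integer on the assignment's 1-10 scale."""
    return isinstance(value, int) and SCALE_MIN <= value <= SCALE_MAX


@dataclass(frozen=True)
class RiskEntry:
    impact_area: str
    threat_name: str
    threat: int         # likelihood the threat manifests: 1 = rare .. 10 = common
    vulnerability: int  # susceptibility of the sector: 1 = well protected .. 10 = exposed
    consequence: int    # severity if it occurs: 1 = negligible .. 10 = catastrophic

    def __post_init__(self) -> None:
        # Reject values off the scale up front; a 0 would zero the whole
        # product and silently drop the threat to the bottom of the ranking.
        for name in FACTORS:
            value = getattr(self, name)
            if not on_scale(value):
                raise ValueError(
                    f"{name} must be an integer in [{SCALE_MIN}, {SCALE_MAX}], got {value!r}"
                )

    @property
    def score(self) -> int:
        return risk_score(self.threat, self.vulnerability, self.consequence)


def risk_score(threat: int, vulnerability: int, consequence: int) -> int:
    """The course formula. The product ranges from 1 to 1000 and is only
    meaningful relative to other entries scored on the same scale."""
    return threat * vulnerability * consequence


def rank(entries: list[RiskEntry]) -> list[RiskEntry]:
    """Highest score first; ties keep their input order (sorted is stable)."""
    return sorted(entries, key=lambda e: e.score, reverse=True)


def top_lever(entry: RiskEntry) -> str:
    """Heuristic assumed by this example (not from the course): for a natural
    hazard the threat term cannot be changed, so the larger of the two
    remaining factors is where a countermeasure buys the most score reduction.
    Ties go to vulnerability, since reducing it also lowers likelihood."""
    return "vulnerability" if entry.vulnerability >= entry.consequence else "consequence"


def format_register(entries: list[RiskEntry]) -> str:
    """Plain-text table of the ranked register."""
    lines = [f"{'Rank':<5}{'Score':>6}  {'T':>2} {'V':>2} {'C':>2}  Impact area / threat"]
    for i, e in enumerate(rank(entries), start=1):
        lines.append(
            f"{i:<5}{e.score:>6}  {e.threat:>2} {e.vulnerability:>2} {e.consequence:>2}"
            f"  {e.impact_area}: {e.threat_name} (lever: {top_lever(e)})"
        )
    return "\n".join(lines)


# The assignment's two examples plus one constructed entry (placeholder values).
SAMPLE_REGISTER = [
    RiskEntry("Water/Wastewater, New Orleans", "Extended sub-freezing temperatures", 1, 9, 7),
    RiskEntry("Water/Wastewater, Denver, CO", "Extended sub-freezing temperatures", 9, 1, 3),
    RiskEntry("Water/Wastewater, New Orleans", "Hurricane storm surge (constructed)", 7, 6, 9),
]

if __name__ == "__main__":
    print(format_register(SAMPLE_REGISTER))
```

Because the formula is a product, a 1 on any single factor caps the score regardless of the other two, which is exactly why Denver's common threat still ranks below New Orleans' rare one: the ranking is relative, and the table is only comparable across entries scored on the same scale by the same assessors.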

CRITICAL INFRASTRUCTURE PROTECTION (CIP)

MANAGING RISK

Tulane University School of Professional Advancement (SoPA)

Fall 2020

Instructor: Douglas Fred

RISK MANAGEMENT

RISK is the potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences. It is influenced by the nature and magnitude of a threat or hazard, the vulnerabilities from that threat or hazard and the consequences that could result.

RISK AND VULNERABILITY ASSESSMENT MANDATE

• Presidential directives
   • PDD-63 (Nov 18, 1998), Clinton administration
   • HSPD-7 (Dec 17, 2003), Bush administration
   • On Feb. 19, 2013, President Obama issued Executive Order 13636, mandating that the government work with the private sector to defend the nation’s infrastructure and vital assets from attacks.

• Critical Infrastructure Evaluation
   • Identify mission-essential communications, information and other systems
   • Identify significant vulnerabilities of the organization’s minimum essential systems
   • Identify any external interdependencies
   • Assess the vulnerabilities of department or agency minimum essential services to failures by private-sector providers in their respective industrial sectors or other infrastructure services

RISK MANAGEMENT FRAMEWORK

• Set Goals and Objectives: Define specific outcomes, conditions, end points, or performance targets that collectively describe an effective and desired risk management posture.

• Identify Infrastructure: Identify assets, systems, and networks that contribute to critical functionality and collect information pertinent to risk management, including analysis of dependencies and interdependencies.

• Assess and Analyze Risks: Evaluate the risk, taking into consideration the potential direct and indirect consequences of an incident, known vulnerabilities to various potential threats or hazards, and general or specific threat information.

• Implement Risk Management Activities: Make decisions and implement risk management approaches to control, accept, transfer, or avoid risks. Approaches can include prevention, protection, mitigation, response, and recovery activities.

• Measure Effectiveness: Use metrics and other evaluation procedures to measure progress and assess the effectiveness of efforts to secure and strengthen the resilience of critical infrastructure.

RISK ANALYSIS

1. Identifying the threat
2. Assessing the vulnerabilities
3. Assessing the consequence

Risk Analysis is the process of prioritizing risks based on the probability of the risk occurring and the impact it would have.

Risk Formula: Risk = Threat x Vulnerability x Consequence

QUANTITATIVE VS QUALITATIVE METHODS OF ASSESSING RISK

When reliable data and costs are available…

Quantitative assessments generally estimate the monetary value/cost associated with a risk:

• Identifying the likelihood that a damaging event or occurrence will happen
• Identifying costs resulting from potential losses from the event or occurrence
• Identifying costs necessary for mitigating actions resulting from those losses
• The cost of implementing countermeasures is compared to the cost of replacing lost assets and information to determine the cost-effectiveness of the countermeasure.

When reliable data and costs are not available…

Qualitative assessments rely on the expertise, experience and judgment of the individual(s) conducting the assessment:

• Vulnerabilities are identified and rated from high to low based on their potential impact on the overall operation.
• Likelihood is rated from high to low probability by experts or others capable of making sound judgements.

QUANTITATIVE VS QUALITATIVE METHODS OF ASSESSING RISK

• Qualitative Assessment: Using a scale of “Low, Medium, High” to indicate the likelihood of a risk event occurring.

• Quantitative Assessment: Use of measurable, objective data to determine asset value, probability of loss, and associated risk(s).

(Figure: Qualitative Risk Assessment Example)

RISK RESPONSE

4 basic strategies for response to an identified risk

1. Avoid Risk
   • Prevent the occurrence of the impact (examples: increased security, preventative maintenance, relocate assets, etc.)

2. Transfer Risk
   • Transfer the cost of the impact (examples: purchase insurance to cover potential losses, contractually transfer asset ownership, etc.)

3. Mitigate Risk
   • Implement strategies to minimize the impact (examples: perform audits, create asset redundancy, develop a COOP, etc.)

4. Accept Risk
   • Accept the potential impact

RISK ASSESSMENT BENEFITS

• Given there is only a limited budget for protecting the sector, it helps determine how best to allocate funds and resources

• Provides a fundamental understanding of what is involved in securing an organization’s or industrial sector’s infrastructure.

• Provides decision makers with the information necessary to determine and understand the factors that may negatively influence the operations and outcomes of an organization’s operational success.

• Enables decision makers to make informed judgments concerning the extent of actions needed to reduce risk.

DEFINING A THREAT

• Any agent (person, activity, or event) with the potential to cause harm to a system or operational environment.

• The existence of a threat does not imply that the system will be harmed; however, the potential for harm exists.

• Threats are organized into three distinct main threat categories:
   • Natural
   • Accidental
   • Intentional or malicious

• Accidental and intentional threats come from two sources:
   • Inside
   • Outside

THREAT COUNTERMEASURES

• Establish processes, procedures and system features that serve to:
   • Detect potential threats
   • Deflect potential threats
   • Reduce impact

• Reduce the vulnerability:
   • Harden assets
   • Relocate assets
   • Reduce assets

BASIC RISK ASSESSMENT ELEMENTS

• Identify known, apparent or evident threats
• Estimate threat occurrences
• Identify and rank value, sensitivity and criticality of operations affected
• Estimate the losses should the threat occur
• Build the threat scenario
• Identify, analyze and assess vulnerability
• Identify actions to mitigate or remove the risk
• Document, document, document

IDENTIFY KNOWN, APPARENT OR EVIDENT THREATS

• It should be clear that a threat exploits a vulnerability to cause injury to an asset, leaving the entity suffering some loss.

• Identify threats that can potentially disrupt, disable or adversely prevent/inhibit process operations within, throughout, and between critical infrastructure.

• A threat may be deliberate, accidental, or natural.

• If the threat is the result of a deliberate act, determine whether an attacker has the knowledge, skills, abilities, resources, intent and commitment to carry out the act.

• After analysis, determine whether or not there are a sufficient number of connections to warrant attention.

ESTIMATE THREAT OCCURRENCES

• The probability of the threat attempting to manifest itself to exploit the vulnerabilities in the system.

• Involves a combination of historical research and future projection:
   • Historical research: determine the number of occurrences in a period of time
   • Future projection: based on knowledgeable resources, determine whether the same factors that allowed the threat to manifest itself in the past are applicable to future projections

IDENTIFY AND RANK VALUE, SENSITIVITY & CRITICALITY OF OPERATIONS AFFECTED

• Consider not only the importance of operations, but also legal and regulatory requirements.

• Consider the health and wellness of the population and environment.

• Consider both Critical Infrastructure Protection (CIP) and Critical Infrastructure Assurance (CIA).

• Consider not only the internal impact, but the external consequences and liabilities that can be assigned to an event.

• A relatively inconsequential act may not affect internal operations to a great extent; however, if that disruption triggers a cascading failure through critical networks, the dynamics will change.

• Consider the fact that some events can exceed insurance coverage.

ESTIMATE THE LOSSES SHOULD THE THREAT OCCUR

• The most significant aspect within the risk assessment process cycle

• Assigns a value to the process, operations, and assets

• Defines the potential losses or damage that could occur if a threat were to materialize

• Includes recovery costs to restore service and operations to the organization

• Determines (prior to a threat occurring) the amount of money the organization would need to continue to operate successfully

• The value of assets can be the result of different factors:
   • Critical to operation but largely unregulated
   • A noncritical asset may be subject to significant regulatory controls (linked to significant penalties)
   • Irreplaceable cultural heritage to the community

BUILD THE THREAT SCENARIO

• Create a threat scenario

• Keep the threat scenario real and documented

• Describe how the threat causes the impact to the asset within a period of time or under certain conditions

• A viable scenario allows for clear understanding and aligns the information being presented with a potential event

IDENTIFY AND ANALYZE VULNERABILITIES

What is a Vulnerability?

• An inherent weakness or flaw in a system or its operating environment that may be exploited to cause harm to the system. Vulnerabilities can lie in:
   • System design
   • Personnel within the system
   • Management
   • Hardware
   • Software, etc.

• The vulnerability of an asset may be modified by using countermeasures that can reduce or remove the probability of a particular attack.

IDENTIFY AND ANALYZE VULNERABILITIES (CONTINUED)

What is a Vulnerability Analysis?

• Vulnerability analysis is perhaps the most important skill needed to practice CIP.

• This important skill involves several difficult steps:
   • Identification of essential components (critical nodes)
   • Understanding the linkages and relationships among critical nodes (network analysis)
   • Focusing on what is critical and what is desirable to protect

• A process of calculating sector vulnerability from estimates of component vulnerabilities.

• Without vulnerability analysis, policy makers are merely making wild guesses about what to protect and how best to invest limited funds.

• Vulnerability is a measure of the strength of a component in the face of a threat.

IDENTIFY AND ANALYZE VULNERABILITIES (CONTINUED)

• The analysis begins with asset identification:
   • Identify vulnerabilities
   • Estimate the likelihood of being impacted
   • Perform a financial analysis of investing in target hardening versus the anticipated improvement in sector security

• Involves sector modeling, vulnerability modeling, financial modeling and planning.

• Vulnerability is not the same as risk.
   • Vulnerability is a probability, whereas risk is measured in terms of financial risk, casualty risk, equipment risk, and so forth.
   • Vulnerability reduction attempts to limit the likelihood of an undesirable incident, while risk reduction attempts to limit the cost associated with an undesirable incident.

EXAMPLE: VULNERABILITY VS RISK

• An automobile accident may occur with a probability of 50%, but one accident may cause $100 of damage whereas another may cause $1000 of damage.
   • The vulnerability is the same in both cases, 50%, but the risk in the first case is 50% x $100 = $50
   • In the other case the risk is 50% x $1000 = $500
   • Risk is ten times greater for one accident than the other

• Vulnerability is never absolute; vulnerabilities differ depending on the threat.
   • Two cars: one is 25% vulnerable to a head-on collision, the other is 75% vulnerable to a rear-end collision. Are both cars equally vulnerable?
   • No, because it depends on the threat. Car one is less vulnerable in relation to the threat of a head-on collision.
   • Both cars may be vulnerable to both threats, in different proportions, depending on the size and safety of each.

• An important fact: vulnerability analysis is complicated by several factors:
   • Nature of the threat
   • Likelihood of successful attacks
   • Interplay among the components that make up the critical infrastructure sector

IDENTIFY ACTIONS TO MITIGATE OR REMOVE THE RISK

• A three-part process can be used to create a roughly prioritized list of risks to the organization

Part I: Pure Risk

• Determine the pure risk faced by the organization
• Pure risk is the simple relationship between threat, asset, and projected loss
• Generate the first prioritized list that can be used by management to look at issues from a purely conceptual view of operations
• Identify a clear starting point for the on-site survey that will identify what vulnerabilities are present in the system

Part II: Vulnerability Analysis

• Describe, in terms of deficiency, lack or incomplete application of something that reduces the impact or probability of an incident
• Describes what deficiency is exploited by the threat in clinical or near-scientific detail (describes the mechanics of how the organization is vulnerable)
• Focuses on the characteristics of the vulnerability itself

Part III: Vulnerability Assessment

• Three elements to align:
   • First involves the threat and the knowledge, skills, abilities, resources, intent, and commitment of that threat
   • Second looks at the vulnerability and determines how those characteristics of the threat would affect the means, opportunity or intent associated with the vulnerability (all factors that affect probability) and the potential impact associated with the event (in terms of nature, extent, containment, etc.)
   • Third is the nature of the assessment that answers just how relevant or connected the vulnerability is to operations (probability comes into play)

IDENTIFY ACTIONS TO MITIGATE OR REMOVE THE RISK (CONTINUED)

• Implementation of new organizational policies and procedures

• The goal is one or more of the following:
   • Reduce the impact (losses) associated with the event
   • Lower or reduce the probability associated with the event
   • Reduce the means or opportunity that the threat has to exploit the vulnerability
   • Cause the threat to reach its own conclusion that there is no realistic chance of success without being apprehended or failing and suffering negative consequences

• Provide management with the information needed to make sound and appropriate decisions.

• The assessor is not there to dictate to management

DOCUMENT, DOCUMENT, DOCUMENT

• The assessor will need to prove his/her work

• Necessary for showing the work that supports the conclusions

• Needed as part of the official records associated with the work completed

• Provides management with the ability to analyze and assess data and information when looking at the recommendations

• Provides support for creating effective contingency plans

CHALLENGES ASSOCIATED WITH ASSESSING RISK

• Reliably assessing security risk is typically more difficult than assessing other forms of risk.

• Threat likelihoods and the costs associated with those risk factors are constantly changing

• Advances in technology make obsolete technology vulnerable to attacks

• Publicly available information on the internet and/or other forums of data interchange is more visible to the general public

• Remediation once considered possible now carries a higher cost

• It is difficult to precisely estimate any related indirect costs

QUESTIONS?

Doug Fred

dfred@tulane.edu

541-740-4891
