Introduction
This paper discusses three risk analysis methodologies: MSRAM, OCTAVE, and CRAMM. It describes each in detail and explains how each incorporates risk into a platform that decision makers can use to prevent, protect, mitigate, respond, and recover as part of the risk assessment and management processes.
MSRAM
The MSRAM method was established through the U.S. Coast Guard to deliver a uniform and all-inclusive approach for gauging risks and allocating resources throughout all areas of responsibility of the U.S. Coast Guard. It replaced the Port Security Risk Tool and offers a comprehensive, risk-based approach to assessing the nation’s ports and waterways (Edmonson 2006, 18).
The drawback of the MSRAM approach is the time and expertise required to populate the MSRAM database. Unfortunately, MSRAM is not available outside of the U.S. Coast Guard.
Quality assurance is provided by comparing new data against averages calculated from the national database for each attack scenario. The software alerts the user whenever the new data are outside of recommended ranges. If a user insists on entering data outside of recommended ranges, the software requires the user to enter a detailed explanation and flags any such entries for further review at the local, district, area, and headquarters levels.
MSRAM defines 23 attack modes (methods used by terrorists to cause harm) and 62 target classes (based on specific functionality), which are provided by the tool through selectable drop-down windows. Each target class/attack-mode pair is called a scenario. The possible pairings of target class with attack modes represent a reasonable sampling of plausible event scenarios. However, scenarios are hard-wired into the tool and cannot be changed by users.
Threat numbers for each scenario are determined by subject matter experts at an Intelligence Coordination Center (ICC) and provided through the MSRAM tool. It is important to note that users do not calculate threat probabilities. Instead, they use threat probabilities provided by the MSRAM tool. This is an
Intelligence analysts in the IC, DHS, and FBI are tasked with the primary responsibility of developing threat assessments against the United States and national critical infrastructure. The
The Department of Homeland Security supplies a national protection plan concerning critical infrastructure security. This plan targets a wide audience, including public and private critical infrastructure owners and administrators. Managing risks through identifying, deterring, and disrupting threats to critical infrastructure is the direct focus of this plan. The ability of an organization to reduce the impact of a threat that has occurred, and to reduce the impact of one that may occur, is essential to an active security posture. Compromise of a critical infrastructure such as oil, airports, or traffic flow management could result in a major loss of life or resources (Department of Homeland Security, 2013).
Tactical threat analysis is timely and thorough analysis and dissemination of information regarding terrorists and their current and potential activities. It allows for immediate and near-term action and provides useful warning systems. The strategic analysis of the enemy places emphasis on the organizations that may conduct terrorist attacks against the United States (Force n.d.). Being able to knowingly identify financial and political sources of support, motivation, goals, current and future capabilities, and vulnerabilities of those organizations will assist in preventing and preempting future attacks and in taking long-term actions that will weaken support for organizations that seek to bring harm to any United States
The study reflects upon the possible and probable threats and the ways to mitigate those threats.
The ability of the Department of Homeland Security to effectively manage risk is vital to national security. Risk, in general, is something that is permanent, but because this is known, strategies can be used to mitigate situations as they present themselves. Government managers must manage risk in a complex environment, taking into consideration the diverse missions and multiple objectives of public agencies (Hardy, 2014). The role of risk management within the homeland security enterprise was managed by best and worst case scenario planning. This is something that is inevitable as we are faced with a definite variety of threats. One way to grade or rank threats is through worst-case analysis. As this analysis can be used for worst-case scenarios, the federal government cannot leave out lower ranking situations (Roberts, 2007). Since the Department of Homeland Security is charged with managing risk within the enterprise, a basic equation is used to help figure out different variables and how they would be affected.
Before Risk Assessment can be addressed, we must first briefly discuss Risk Management (RM), the framework in which risk assessment resides for the United States Army. The Army uses RM to ensure mission accomplishment in current as well as future operations, and RM applies to operations and non-operational activities (Department of the Army [ATP 5-19], 2014, p. 1-1). The Army process of RM utilizes five steps as part of its holistic approach to mitigate risks, but because this paper’s focus is on the Risk Assessment of the management solutions identified last week, it will only focus on the first two steps of RM: Identify the hazard and Assess the hazard.
This make “Think Like an Attacker” threat modeling sure to
After the 9/11 terrorist attacks against the United States, a series of risk management evaluations were created by the US Federal Government to assess the future risks the homeland was going to face. When the Department of Homeland Security (DHS) was officially created in 2002, more effective risk management assessments were re-designed to evaluate past and present dangers, prevent them, and respond successfully to more terrorist attacks. From 2001 until 2007, the development of risk assessment was divided into phases in order to reach a better formula that would analyze risk within homeland security and provide the appropriate funding to the homeland security enterprise.
Research shows that various risk management tools exist, ranging from the strict minimum to very comprehensive methodological (Harrison 1997). In different countries there are different methods applied in risk management; however, the methodology is the same: systems characterization and description, threat and vulnerability identification, risk assessment and recommended
The strengths that the human reliability analysis technique has in identifying the specific threats on the selected security challenge is that it is an effective and systematic way of identifying potential human errors, making sure all credible errors are considered as well as identifying risk control measures in relation to the reliability on surveillance
Risk management is an essential task the United States federal government is responsible for. The government's role is to protect its citizens from domestic and foreign threats such as a WMD attack. One way to break down different WMD attacks is using the Impact/Probability chart. This chart offers a helpful framework that assists in deciding what threats are attention worthy. Probability is the likelihood of something happening, while impact is always associated with a negative effect, but the impact can vary depending on costs and impacts on infrastructure, human life, and health. This chart offers a way to rate possible risks on these two measurements. The different WMD attacks will be measured based on low impact/low probability, low impact/high
Vital to this are on-going threat assessments. Effective threat assessment needs abundant, timely and usable intelligence about potential terrorist sponsors, perpetrators, activities and targets, as well as intelligence to guide our prevention and preparation activities and programs. Despite the transnational nature of many terrorist groups, challenges to integrating foreign intelligence with domestic law enforcement information remain.
231). It is important to analyze project risk to improve project performance. Therefore as part of this case research and recommendations, an exploration of PMI’s six-stage risk process as outlined in the PMBOK Guide (2008) will be conducted as it relates to risk management alternatives involved with the DIA development with a specific focus on its implementation of an automated area-wide baggage handling system. To evaluate the success of proposed solutions, each stage of the process is presented as an alternative analysis to establish a basic framework of how risk management is approached for this project and the suggested tools utilized to accomplish its overall structure as: (1) risk management planning; (2) risk identification; (3) risk qualification; (4) risk quantification; (5) risk response planning; and (6) risk monitoring and control. Finally detailed recommendations are specified and conclusions drawn that should be implemented with an evaluation process to measure the success of the case review based on the risk analysis presented.
As mentioned above, the first step in this threat modeling process is vulnerability and threat source identification. In this step it is the job of the threat modeler to perform research to identify detailed sources of information about threats and vulnerabilities. When choosing sources about threats and vulnerabilities, it is essential to ensure that the sources are up to date and credible. This often requires the threat modeler to look for published sources of information or even scholarly websites to ensure the integrity and accuracy of the information. One example of an excellent source for information about threats and vulnerabilities which is commonly used by threat modelers is the National Institute of Technology’s National Vulnerability Database. This is an up to date government repository of identified vulnerabilities
How to Systematically Conduct Risk Assessment of Information System Security Risks – Fundamentals and Methods