Slide1
Integrity - Service - Excellence
Headquarters U.S. Air Force
EPRM Implementation Workshop
Session 2: Risk Terminology
Slide2
Session Objectives
Learning Objective: To be able to define the key terms associated with risk management as it pertains to the Air Force Security Enterprise
Enabling Learning Objectives: The student will be able to:
Define risk
Differentiate risk analysis from risk management
Define the components of risk:
  Asset
  Threat source and threat method
  Vulnerability
Describe the relationship between vulnerability and countermeasures
Understand the risk management process
Slide3
Risk Terms Overview
Slide4
What is risk?
“The possibility of sustaining loss”
The potential for loss of, or damage to, an asset. It is measured based upon the criticality of the asset in relation to the threats and vulnerabilities associated with it. – AFI 31-101
An event that has a potentially negative impact and the possibility that such an event will occur and adversely affect an entity’s assets, activities, and operations. – Government Accountability Office (Report #GAO-06-91, Dec 2005)
Slide5
Risk Assessment & Management
What is Risk Assessment?
An analytical process designed to provide an understanding of vulnerabilities and how potential threats may exploit those vulnerabilities to impact assets
The process includes the quantification of the likelihoods and expected consequences for identified risks to assist in prioritization
What is Risk Management?
The process of identifying and prioritizing risks followed by decisions to either accept or mitigate them
Risk analysis is the first part of risk management
Slide6
Risk Assessment Purpose
The assessment process should provide the information necessary to calculate risk by relating:
Criticality of the assets being protected
Threat characterizations
Quantification of vulnerabilities that the threats exploit
Risk = Criticality of impacted asset * Likelihood of loss or damage to the asset
or
Risk = Criticality of impacted asset * (Vulnerability * Threat)
Slide7
Assets
Anything of value to the organization and worth protecting or preserving.
People, information, equipment, facilities, activities/operations that have an impact on the mission
Must have quantified (or qualified) value to the unit / organization
Slide8
Assets
Informational Asset lists based on content from OPSEC module / AF working groups
Asset Criticality (0-100 scale) based on AFI 31-101
User response input across four metrics:
Criticality to Mission
Criticality to National Defense
Replacement (time, LOE)
Relative Value (monetary, classification, etc.)
Slide9
Threats
Threat is any circumstance or event with the potential to cause the loss of or damage to an asset.
Threats are generally considered in terms of a threat source (sentient actor or natural hazard) and a threat tactic (threat method).
Slide10
Threat Sources
Any individual, group, organization, or government that conducts activities, or has the intention and capability to conduct activities detrimental to operations or valued assets
Any naturally occurring event that has a rate of periodicity and a capability to negatively affect operations or valued assets.
Examples of Threat Sources: Non-State Actors (Terrorist), State Sponsored Actors, Criminals, Protestors, Insider, Natural Hazards
Slide11
Threat Tactics or Methods
Threat lists include the categories of information collection activities
Threat assessment (0-1 scale) based on AFI 31-101 metrics and includes baseline recommendations from NASIC based on location
Slide12
Vulnerability
Any weakness that can be exploited by an adversary to gain access to an asset.
Vulnerabilities can result from, but are not limited to, the following:
building characteristics
equipment properties
personal behavior
locations of people, equipment and buildings
operational procedures and personnel practices
Slide13
Vulnerability Examples
Typically expressed in relation to a threat tactic, such as vulnerability to...
IP Vulnerabilities: HUMINT, SIGINT, IMINT, MASINT, OSINT
Physical Vulnerabilities: IED, CBRN contamination, Arson, Hurricane
Slide14
Vulnerability Quantification
Vulnerability levels are calculated based on the presence or absence of countermeasures.
Countermeasures decrease vulnerability to one or more tactics
The more countermeasures in place that mitigate a particular tactic, the lower the vulnerability
A ‘zero-level’ of vulnerability is not practical
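The scoring below is an added worked example, not code from the EPRM slides or the EPRM tool. It puts the deck's scales together in one place: asset criticality on 0-100 from the four metrics on the Assets slide, threat on 0-1 as on the Threat Tactics slide, vulnerability on 0-1 derived from Y/N/NA countermeasure answers with no zero level, and Risk = Criticality of impacted asset * (Vulnerability * Threat) from the Risk Assessment Purpose slide. The equal weighting of the four criticality metrics, the linear vulnerability model, the 0.05 floor, the mapping of countermeasures to tactics and the sample answers are all assumptions for illustration; EPRM's own weighting is not on the slides.

```python
"""Illustrative risk scoring using the scales from the EPRM terminology slides.

Constructed example, not EPRM's actual algorithm: asset criticality 0-100,
threat 0-1, vulnerability 0-1, and Risk = Criticality * (Vulnerability * Threat).
"""

# Which threat tactics each countermeasure mitigates. Countermeasure names come
# from the slides; the tactic mapping is an assumption for illustration only.
COUNTERMEASURE_TACTICS = {
    "Access controls": {"HUMINT", "IED", "Arson"},
    "Guards": {"HUMINT", "IED", "Arson"},
    "CCTV": {"HUMINT", "IED", "Arson"},
    "Training": {"HUMINT", "OSINT"},
    "Background checks": {"HUMINT"},
    "Virus software": {"SIGINT"},
    "Backup procedures": {"Arson", "Hurricane"},
    "Contingency plan": {"Arson", "Hurricane", "CBRN contamination"},
    "Evacuation procedures": {"IED", "CBRN contamination", "Hurricane"},
    "Container inspections": {"IED", "CBRN contamination"},
}

# The slides say a 'zero-level' of vulnerability is not practical, so every
# tactic keeps at least this residual vulnerability (assumed value).
VULNERABILITY_FLOOR = 0.05


def vulnerability_to_tactic(tactic, answers):
    """Vulnerability (0-1) of one asset to one threat tactic.

    answers maps countermeasure name -> "Y" | "N" | "NA", the slides' Y/N/NA
    format. Only countermeasures that mitigate `tactic` count, "NA" drops the
    item from the denominator, and a countermeasure absent from `answers` is
    treated as "N". The linear model (vulnerability falls with the fraction of
    applicable countermeasures in place) is an assumption.
    """
    applicable = [cm for cm, tactics in COUNTERMEASURE_TACTICS.items()
                  if tactic in tactics and answers.get(cm, "N") != "NA"]
    if not applicable:
        return 1.0  # nothing in the catalogue mitigates this tactic
    in_place = sum(1 for cm in applicable if answers.get(cm, "N") == "Y")
    raw = 1.0 - in_place / len(applicable)
    return max(VULNERABILITY_FLOOR, round(raw, 3))


def asset_criticality(mission, national_defense, replacement, relative_value):
    """Criticality (0-100) from the slides' four metrics, each scored 0-100.

    Equal weighting is an assumption; the AFI 31-101 weighting is not on the deck.
    """
    scores = (mission, national_defense, replacement, relative_value)
    if any(not 0 <= s <= 100 for s in scores):
        raise ValueError("each metric must be scored 0-100")
    return sum(scores) / len(scores)


def risk_score(criticality, vulnerability, threat):
    """Risk = Criticality of impacted asset * (Vulnerability * Threat)."""
    if not (0 <= criticality <= 100 and 0 <= vulnerability <= 1 and 0 <= threat <= 1):
        raise ValueError("criticality must be 0-100; vulnerability and threat 0-1")
    return round(criticality * vulnerability * threat, 2)


def rank_risks(criticality, threats, answers):
    """(tactic, vulnerability, risk) rows for one asset, highest risk first.

    threats maps tactic -> threat assessment on the slides' 0-1 scale.
    """
    rows = []
    for tactic, threat in threats.items():
        vuln = vulnerability_to_tactic(tactic, answers)
        rows.append((tactic, vuln, risk_score(criticality, vuln, threat)))
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample input for one facility asset.
SAMPLE_ANSWERS = {
    "Access controls": "Y", "Guards": "Y", "CCTV": "N", "Training": "Y",
    "Background checks": "N", "Virus software": "Y", "Backup procedures": "N",
    "Contingency plan": "Y", "Evacuation procedures": "Y",
    "Container inspections": "NA",
}
SAMPLE_THREATS = {"HUMINT": 0.6, "IED": 0.4, "SIGINT": 0.4, "Hurricane": 0.8}

if __name__ == "__main__":
    crit = asset_criticality(90, 70, 60, 80)  # -> 75.0
    for tactic, vuln, risk in rank_risks(crit, SAMPLE_THREATS, SAMPLE_ANSWERS):
        print(f"{tactic:<10} vulnerability={vuln:.3f} risk={risk:.2f}")
```

Note how the "NA" answer for container inspections removes it from the IED denominator rather than counting as a missing control, and how a tactic with its only countermeasure in place (SIGINT) still reports the floor rather than zero; both follow the slides' statements about Y/N/NA scoring and the impracticality of a zero vulnerability level.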
Slide15
Countermeasures
A countermeasure is an action or device that is intended to stop or prevent something bad or dangerous.
Administrative: Preventive, Corrective, Detective
Technical: Preventive, Corrective, Detective
Slide16
Countermeasure Examples
Evacuation procedures
Background checks
Contingency plan
Container inspections
Virus software
Training
Backup procedures
Access controls
CCTV
Guards
Slide17
Countermeasures
Arranged by protection area
Deconstructed into Y / N / NA formats
Slide18
The Risk Management Process
Step 1: Define the Scope
Step 2: Assess Assets
Step 3: Assess Threats
Step 4: Assess Vulnerabilities
Step 5: Analyze Risk and Create Reports
Step 6: Manage Risk
Step 7: Evaluate Effectiveness and Reassess
Slide19
Cost-Benefit Analysis
Part of the management decision-making process in which the costs and benefits of each alternative are compared and the most appropriate alternative is selected
Typically expressed as risk reduction per dollar in EPRM
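The comparison below is an added example of the cost-benefit step as this slide describes it, not EPRM's own code or method: each alternative's benefit is expressed as risk reduction per dollar, the alternatives are compared, and the most appropriate one is selected. The costs, the vulnerability each alternative would leave, and the selection rule (best risk reduction per dollar among alternatives that fit the budget and bring residual risk down to an accepted level) are assumptions for illustration.

```python
"""Cost-benefit comparison of candidate countermeasures, in the style of the
EPRM slides: benefit is expressed as risk reduction per dollar.

Constructed example, not EPRM's own code or algorithm. Costs, vulnerability
values and the selection rule below are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Alternative:
    name: str
    cost: float                 # assumed implementation cost in dollars
    vulnerability_after: float  # asset's vulnerability (0-1) once implemented


def risk(criticality, vulnerability, threat):
    """Risk = Criticality of impacted asset (0-100) * (Vulnerability (0-1) * Threat (0-1))."""
    return criticality * vulnerability * threat


def compare_alternatives(criticality, threat, vulnerability_now, alternatives):
    """Score each alternative by the risk it removes and by risk reduction per dollar.

    Returns rows (name, cost, residual_risk, reduction, reduction_per_dollar),
    best reduction per dollar first.
    """
    before = risk(criticality, vulnerability_now, threat)
    rows = []
    for alt in alternatives:
        if alt.cost <= 0:
            raise ValueError(f"{alt.name}: cost must be positive")
        after = risk(criticality, alt.vulnerability_after, threat)
        reduction = before - after
        rows.append((alt.name, alt.cost, round(after, 2), round(reduction, 2),
                     round(reduction / alt.cost, 6)))
    return sorted(rows, key=lambda row: row[4], reverse=True)


def most_appropriate(rows, budget, max_residual_risk):
    """Selection rule (assumed): the best reduction-per-dollar alternative that
    fits the budget AND brings residual risk down to the accepted level.

    Returns None when nothing qualifies, i.e. the risk has to be accepted as is
    or the budget / acceptance level revisited.
    """
    for name, cost, residual, _reduction, _per_dollar in rows:
        if cost <= budget and residual <= max_residual_risk:
            return name
    return None


# Constructed inputs: one asset, one threat tactic.
CRITICALITY = 80         # 0-100 asset criticality
THREAT = 0.5             # 0-1 threat assessment
VULNERABILITY_NOW = 0.6  # 0-1 vulnerability with the countermeasures in place today
CANDIDATES = [
    Alternative("Training", 5_000, 0.55),
    Alternative("Background checks", 15_000, 0.50),
    Alternative("CCTV", 40_000, 0.40),
    Alternative("Guards", 120_000, 0.25),
]

if __name__ == "__main__":
    ranked = compare_alternatives(CRITICALITY, THREAT, VULNERABILITY_NOW, CANDIDATES)
    for name, cost, residual, reduction, per_dollar in ranked:
        print(f"{name:<18} cost=${cost:>9,.0f} residual={residual:5.2f} "
              f"reduction={reduction:5.2f} per$={per_dollar:.6f}")
    print("Most appropriate:", most_appropriate(ranked, budget=50_000, max_residual_risk=20.0))
```

With these inputs the cheapest option ranks first on risk reduction per dollar while the most expensive one removes the most risk in absolute terms, which is why the selection needs the accepted residual-risk level and the budget as well as the per-dollar figure: the per-dollar ranking alone would always favour the small, cheap change.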
Slide20
Session Objectives
What is risk?
What is the difference between risk analysis and risk management?
Define the components of risk
What is the relationship between vulnerability and countermeasures?
What are the steps in the risk management process?