debby-jeon
Uploaded On 2017-05-01

Presentation Transcript

Slide1

Integrity - Service - Excellence

Headquarters U.S. Air Force

EPRM Implementation Workshop

Session 2: Risk Terminology

Slide2

Session Objectives

Learning Objective: To be able to define the key terms associated with risk management as it pertains to the Air Force Security Enterprise

Enabling Learning Objectives: The student will be able to:

- Define risk
- Differentiate risk analysis from risk management
- Define the components of risk:
  - Asset
  - Threat source and threat method
  - Vulnerability
- Describe the relationship between vulnerability and countermeasures
- Understand the risk management process

Slide3

Risk Terms Overview

Slide4

What is risk?

“The possibility of sustaining loss”

The potential for loss of, or damage to, an asset. It is measured based upon the criticality of the asset in relation to the threats and vulnerabilities associated with it. – AFI 31-101

An event that has a potentially negative impact and the possibility that such an event will occur and adversely affect an entity’s assets, activities, and operations. – Government Accountability Office (Report #GAO-06-91, Dec 2005)

Slide5

Risk Assessment & Management

What is Risk Assessment?

- An analytical process designed to provide an understanding of vulnerabilities and how potential threats may exploit those vulnerabilities to impact assets
- The process includes the quantification of the likelihoods and expected consequences for identified risks to assist in prioritization

What is Risk Management?

- The process of identifying and prioritizing risks followed by decisions to either accept or mitigate them
- Risk analysis is the first part of risk management

Slide6

Risk Assessment Purpose

The assessment process should provide the information necessary to calculate risk by relating:

- Criticality of the assets being protected
- Threat characterizations
- Quantification of vulnerabilities that the threats exploit

Risk = Criticality of impacted asset * Likelihood of loss or damage to the asset

Or

Risk = Criticality of impacted asset * (Vulnerability * Threat)

Slide7

Assets

Anything of value to the organization and worth protecting or preserving.

- People, information, equipment, facilities, activities/operations that have an impact on the mission
- Must have quantified (or qualified) value to the unit / organization

Slide8

Assets

Informational Asset lists based on content from OPSEC module / AF working groups

Asset Criticality (0-100 scale) based on AFI-31-101

User response input across four metrics:

- Criticality to Mission
- Criticality to National Defense
- Replacement (time, LOE)
- Relative Value (monetary, classification, etc.)

Slide9

Threats

Threats are generally considered in terms of a threat source (sentient actor or natural hazard) and a threat tactic (threat method).

Threat is any circumstance or event with the potential to cause the loss of or damage to an asset.

Slide10

Threat Sources

Any individual, group, organization, or government that conducts activities, or has the intention and capability to conduct activities detrimental to operations or valued assets

Any naturally occurring event that has a rate of periodicity and a capability to negatively affect operations or valued assets.

Examples of Threat Sources:

- Non-State Actors (Terrorist)
- State Sponsored Actors
- Criminals
- Protestors
- Insider
- Natural Hazards

Slide11

Threats Tactics or Methods

Threat lists include the categories of information collection activities

Threat assessment (0-1 scale) based on AFI 31-101 metrics and includes baseline recommendations from NASIC based on location

Slide12

Vulnerability

Any weakness that can be exploited by an adversary to gain access to an asset.

Vulnerabilities can result from, but are not limited to the following:

- building characteristics
- equipment properties
- personal behavior
- locations of people, equipment and buildings
- operational procedures and personnel practices

Slide13

Vulnerability Examples

Typically expressed in relation to a threat tactic. Such as Vulnerability to...

IP Vulnerabilities:

- HUMINT
- SIGINT
- IMINT
- MASINT
- OSINT

Physical Vulnerabilities:

- IED
- CBRN contamination
- Arson
- Hurricane

Slide14

Vulnerability Quantification

- Vulnerability levels are calculated based on the presence or absence of countermeasures.
- Countermeasures decrease vulnerability to one or more tactics
- The more countermeasures in-place that mitigate a particular tactic, the lower the vulnerability
- A ‘zero-level’ of vulnerability is not practical

Slide15

Countermeasures

A countermeasure is an action or device that is intended to stop or prevent something bad or dangerous.

Administrative:

- Preventive
- Corrective
- Detective

Technical:

- Preventive
- Corrective
- Detective

Slide16

Countermeasure Examples

- Evacuation procedures
- Background checks
- Contingency plan
- Container Inspections
- Virus software
- Training
- Backup procedures
- Access controls
- CCTV
- Guards

Slide17

Countermeasures

- Arranged by protection area
- Deconstructed into Y / N / NA formats

Slide18

The Risk Management Process

Step 1: Define the Scope

Step 2: Assess Assets

Step 3: Assess Threats

Step 4: Assess Vulnerabilities

Step 5: Analyze Risk and Create Reports

Step 6: Manage Risk

Step 7: Evaluate Effectiveness and Reassess

Slide19

Cost-Benefit Analysis

Part of the management decision-making process in which the costs and benefits of each alternative are compared and the most appropriate alternative is selected

Typically expressed as risk reduction per dollar in EPRM

Slide20

Session Objectives

- What is risk?
- What is the difference between risk analysis and risk management?
- Define the components of risk
- What is the relationship between vulnerability and countermeasures?
- What are the steps in the risk management process?
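
The slides' risk formula, vulnerability quantification and cost-benefit measure, carried through in one added example; this code is not part of the presentation and is not EPRM's own computation. Assumptions: criticality is the mean of the four metric scores, each countermeasure in place removes a fixed fraction of vulnerability, vulnerability never drops below a floor, and every number below is constructed sample data.

```python
from dataclasses import dataclass

VULN_FLOOR = 0.05  # assumption: the slides say a zero level of vulnerability is not practical

@dataclass(frozen=True)
class Countermeasure:
    name: str
    tactic: str           # threat tactic it mitigates
    effectiveness: float  # assumed fraction of vulnerability removed (0-1)
    cost: float           # assumed cost in dollars

def criticality(metrics):
    """Asset criticality (0-100); assumed to be the mean of the four metric scores."""
    return sum(metrics.values()) / len(metrics)

def vulnerability(tactic, answers, catalog):
    """Vulnerability (0-1) to one tactic, from Y / N / NA countermeasure answers."""
    v = 1.0
    for cm in catalog:
        if cm.tactic == tactic and answers.get(cm.name) == "Y":
            v *= 1.0 - cm.effectiveness
    return max(v, VULN_FLOOR)

def risk(crit, vuln, threat):
    """Risk = Criticality of impacted asset * (Vulnerability * Threat)."""
    return crit * (vuln * threat)

def rank_options(crit, threat, tactic, answers, catalog):
    """Rank countermeasures not yet in place by risk reduction per dollar."""
    base = risk(crit, vulnerability(tactic, answers, catalog), threat)
    ranked = []
    for cm in catalog:
        if cm.tactic != tactic or answers.get(cm.name) != "N":
            continue  # skip other tactics, items already in place (Y) and NA
        after = risk(crit, vulnerability(tactic, {**answers, cm.name: "Y"}, catalog), threat)
        ranked.append((cm.name, base - after, (base - after) / cm.cost))
    return base, sorted(ranked, key=lambda r: r[2], reverse=True)

# Constructed sample data: four criticality metrics, a small catalog, survey answers
METRICS = {"mission": 80, "national_defense": 60, "replacement": 40, "relative_value": 60}
CATALOG = [
    Countermeasure("Guards", "Arson", 0.5, 100_000),
    Countermeasure("CCTV", "Arson", 0.25, 20_000),
    Countermeasure("Training", "Arson", 0.5, 5_000),
]
ANSWERS = {"Guards": "N", "CCTV": "N", "Training": "Y"}

if __name__ == "__main__":
    print(rank_options(criticality(METRICS), 0.5, "Arson", ANSWERS, CATALOG))
```

With this sample data, Guards gives the larger absolute risk reduction, but CCTV ranks first on risk reduction per dollar.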
