Slide 1
Integrity - Service - Excellence
Headquarters U.S. Air Force
EPRM Implementation Workshop
Session 2: Risk Terminology
Slide 2: Session Objectives
Learning Objective: To be able to define the key terms associated with risk management as it pertains to the Air Force Security Enterprise
Enabling Learning Objectives: The student will be able to:
- Define risk
- Differentiate risk analysis from risk management
- Define the components of risk: asset; threat source and threat method; vulnerability
- Describe the relationship between vulnerability and countermeasures
- Understand the risk management process
Slide 3: Overview
Risk Terms
Slide 4: Risk & Risk Management
What is Risk?
Risk: Probability and severity of loss linked to hazards. (Department of Defense Dictionary of Military and Associated Terms; hereafter "DoD Dictionary")
Hazard: A condition with the potential to cause injury, illness, or death of personnel; damage to or loss of equipment or property; or mission degradation. (DoD Dictionary)
NOTE: USG has ten different Department-based risk definitions in the United States Government Compendium of Interagency and Associated Terms.
What is Risk Management?
Risk Management: The process to identify, assess, and control risks and make decisions that balance risk cost with mission benefits. (DoD Dictionary)
Slide 5: Execution & Scoring
How is Risk Management Executed?
The Commander manages risks based upon the association of the criticality of assigned assets and infrastructure, a comprehensive analysis of the threat and the respective vulnerabilities to those assets. (AFI 31-101)
What is a Risk Score?
The numerical result of a semi-quantitative risk assessment methodology; a numerical representation that gauges the combination of threat, vulnerability, and consequence at a specific moment. (DHS Lexicon)
Slide 6: Risk Assessment Purpose
The assessment process should provide the information necessary to calculate risk by relating:
- Criticality of the assets being protected
- Threat characterizations
- Quantification of vulnerabilities that the threats exploit
Risk = Criticality of impacted asset * Likelihood of loss or damage to the asset
Or
Risk = Criticality of impacted asset * (Vulnerability * Threat)
Slide 7: Assets
Anything of value to the organization and worth protecting or preserving.
- People, information, equipment, facilities, activities/operations that have an impact on the mission
- Must have quantified (or qualified) value to the unit / organization
Slide 8: Assets
- Informational asset lists based on content from OPSEC module / AF working groups
- Asset criticality (0-100 scale) based on AFI 31-101
- User response input across four metrics:
  - Criticality to Mission
  - Criticality to National Defense
  - Replacement (time, LOE)
  - Relative Value (monetary, classification, etc.)
Slide 9: Threats
Threat is any circumstance or event with the potential to cause the loss of or damage to an asset.
Threats are generally considered in terms of a threat source (sentient actor or natural hazard) and a threat tactic (threat method).
Slide 10: Threat Sources
- Any individual, group, organization, or government that conducts activities, or has the intention and capability to conduct activities, detrimental to operations or valued assets
- Any naturally occurring event that has a rate of periodicity and a capability to negatively affect operations or valued assets
Examples of Threat Sources:
- Non-State Actors (Terrorist)
- State Sponsored Actors
- Criminals
- Protestors
- Insider
- Natural Hazards
Slide 11: Threat Tactics or Methods
- Threat lists include the categories of information collection activities
- Threat assessment (0-1 scale) based on AFI 31-101 metrics and includes baseline recommendations from NASIC based on location
Slide 12: Vulnerability
Any weakness that can be exploited by an adversary to gain access to an asset.
Vulnerabilities can result from, but are not limited to, the following:
- building characteristics
- equipment properties
- personal behavior
- locations of people, equipment and buildings
- operational procedures and personnel practices
Slide 13: Vulnerability Examples
Typically expressed in relation to a threat tactic, such as vulnerability to...
- IP Vulnerabilities: HUMINT, SIGINT, IMINT, MASINT, OSINT
- Physical Vulnerabilities: IED, CBRN contamination, Arson, Hurricane
Slide 14: Vulnerability Quantification
- Vulnerability levels are calculated based on the presence or absence of countermeasures
- Countermeasures decrease vulnerability to one or more tactics
- The more countermeasures in place that mitigate a particular tactic, the lower the vulnerability
- A 'zero-level' of vulnerability is not practical
Slide 15: Countermeasures
A countermeasure is an action or device that is intended to stop or prevent something bad or dangerous.
- Administrative: Preventive, Corrective, Detective
- Technical: Preventive, Corrective, Detective
Slide 16: Countermeasure Examples
- Evacuation procedures
- Background checks
- Contingency plan
- Container inspections
- Virus software
- Training
- Backup procedures
- Access controls
- CCTV
- Guards
Slide 17: Countermeasures
- Arranged by protection area
- Deconstructed into Y / N / NA formats
Slide 18: The Risk Management Process
Step 1: Define the Scope
Step 2: Assess Assets
Step 3: Assess Threats
Step 4: Assess Vulnerabilities
Step 5: Analyze Risk and Create Reports
Step 6: Manage Risk
Step 7: Evaluate Effectiveness and Reassess
Slide 19: Cost-Benefit Analysis
- Part of the management decision-making process in which the costs and benefits of each alternative are compared and the most appropriate alternative is selected
- Typically expressed as risk reduction per dollar in EPRM
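As an added worked example (not EPRM's own scoring algorithm, nor code from the workshop), the following Python ties together the risk formula on the Risk Assessment Purpose slide, the countermeasure-based vulnerability quantification, the Y / N / NA countermeasure format, and the risk-reduction-per-dollar cost-benefit ranking. The 0-1 vulnerability scale, the vulnerability floor, the per-tactic answers and the dollar costs are assumptions constructed for illustration.

```python
# Added illustrative model, not EPRM's own scoring algorithm.
# Scales from the slides: asset criticality 0-100, threat 0-1.
# Assumptions: vulnerability is a 0-1 score derived from the Y / N / NA
# countermeasure answers for one tactic, with a floor because a
# "zero-level" of vulnerability is not practical; the floor value,
# the sample answers and the costs are constructed for illustration.

VULN_FLOOR = 0.1  # assumed floor: vulnerability never reaches zero


def vulnerability(answers):
    """answers maps countermeasure name -> 'Y', 'N' or 'NA' for one tactic.
    NA answers are ignored; the more applicable countermeasures in place,
    the lower the vulnerability, never below VULN_FLOOR."""
    applicable = [a for a in answers.values() if a != "NA"]
    if not applicable:
        return 1.0  # nothing mitigates this tactic
    in_place = sum(1 for a in applicable if a == "Y")
    return max(VULN_FLOOR, 1.0 - in_place / len(applicable))


def risk(criticality, threat, vuln):
    """Risk = Criticality of impacted asset * (Vulnerability * Threat)."""
    return criticality * (vuln * threat)


def risk_reduction_per_dollar(criticality, threat, answers, candidate, cost):
    """Cost-benefit metric: risk removed by implementing one 'N'
    countermeasure (flipping it to 'Y'), divided by its dollar cost."""
    before = risk(criticality, threat, vulnerability(answers))
    after = risk(criticality, threat, vulnerability({**answers, candidate: "Y"}))
    return (before - after) / cost


# Constructed sample: one asset and one physical tactic (arson).
CRITICALITY = 80   # 0-100 scale
THREAT = 0.5       # 0-1 scale
ANSWERS = {"Guards": "Y", "CCTV": "N",
           "Container inspections": "NA", "Evacuation procedures": "N"}
COSTS = {"CCTV": 20000.0, "Evacuation procedures": 2000.0}  # constructed


def rank_candidates(criticality=CRITICALITY, threat=THREAT,
                    answers=ANSWERS, costs=COSTS):
    """Rank the countermeasures currently answered 'N' by risk reduction
    per dollar, highest first (the cost-benefit ordering the slide names)."""
    scored = [(name, risk_reduction_per_dollar(criticality, threat, answers, name, cost))
              for name, cost in costs.items() if answers.get(name) == "N"]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)
```

With the constructed sample, both candidate countermeasures remove the same amount of risk, so the cheaper one (evacuation procedures) ranks first.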
Slide 20: Session Objectives
- What is risk?
- What is the difference between risk analysis and risk management?
- Define the components of risk
- What is the relationship between vulnerability and countermeasures?
- What are the steps in the risk management process?