Uploaded On 2018-03-11



Presentation Transcript

Slide1

Integrity - Service - Excellence

Headquarters U.S. Air Force

EPRM Implementation Workshop

Session 2: Risk Terminology

Slide2

Session Objectives

Learning Objective: To be able to define the key terms associated with risk management as it pertains to the Air Force Security Enterprise

Enabling Learning Objectives: The student will be able to:

- Define risk
- Differentiate risk analysis from risk management
- Define the components of risk:
  - Asset
  - Threat source and threat method
  - Vulnerability
- Describe the relationship between vulnerability and countermeasures
- Understand the risk management process

Slide3

Overview

Risk Terms

Slide4

Risk & Risk Management

What is Risk?

Probability and severity of loss linked to hazards. (Department of Defense Dictionary of Military and Associated Terms; hereafter “DoD Dictionary”)

Hazard — A condition with the potential to cause injury, illness, or death of personnel; damage to or loss of equipment or property; or mission degradation. (DoD Dictionary)

NOTE: USG has ten different Departmental based risk definitions in the United States Government Compendium of Interagency and Associated Terms

What is Risk Management?

The process to identify, assess, and control risks and make decisions that balance risk cost with mission benefits. (DoD Dictionary)

Slide5

Execution & Scoring

How is Risk Management Executed?

The Commander manages risks based upon the association of the criticality of assigned assets and infrastructure, a comprehensive analysis of the threat and the respective vulnerabilities to those assets. (AFI 31-101)

What is a Risk Score?

The numerical result of a semi-quantitative risk assessment methodology; numerical representation that gauges the combination of threat, vulnerability, and consequence at a specific moment. (DHS Lexicon)

Slide6

Risk Assessment Purpose

The assessment process should provide the information necessary to calculate risk by relating:

- Criticality of the assets being protected
- Threat characterizations
- Quantification of vulnerabilities that the threats exploit

Risk = Criticality of impacted asset * Likelihood of loss or damage to the asset

Or

Risk = Criticality of impacted asset * (Vulnerability * Threat)

Slide7

Assets

Anything of value to the organization and worth protecting or preserving.

- People, information, equipment, facilities, activities/operations that have an impact on the mission
- Must have quantified (or qualified) value to the unit / organization

Slide8

Assets

- Informational Asset lists based on content from OPSEC module / AF working groups
- Asset Criticality (0-100 scale) based on AFI 31-101
- User response input across four metrics:
  - Criticality to Mission
  - Criticality to National Defense
  - Replacement (time, LOE)
  - Relative Value (monetary, classification, etc.)

Slide9

Threats

Threats are generally considered in terms of a threat source (sentient actor or natural hazard) and a threat tactic (threat method).

Threat is any circumstance or event with the potential to cause the loss of or damage to an asset.

Slide10

Threat Sources

- Any individual, group, organization, or government that conducts activities, or has the intention and capability to conduct activities detrimental to operations or valued assets
- Any naturally occurring event that has a rate of periodicity and a capability to negatively affect operations or valued assets.

Examples of Threat Sources:

- Non-State Actors (Terrorist)
- State Sponsored Actors
- Criminals
- Protestors
- Insider
- Natural Hazards

Slide11

Threat Tactics or Methods

- Threat lists include the categories of information collection activities
- Threat assessment (0-1 scale) based on AFI 31-101 metrics and includes baseline recommendations from NASIC based on location

Slide12

Vulnerability

Any weakness that can be exploited by an adversary to gain access to an asset.

Vulnerabilities can result from, but are not limited to, the following:

- building characteristics
- equipment properties
- personal behavior
- locations of people, equipment and buildings
- operational procedures and personnel practices

Slide13

Vulnerability Examples

Typically expressed in relation to a threat tactic. Such as Vulnerability to...

IP Vulnerabilities:

- HUMINT
- SIGINT
- IMINT
- MASINT
- OSINT

Physical Vulnerabilities:

- IED
- CBRN contamination
- Arson
- Hurricane

Slide14

Vulnerability Quantification

Vulnerability levels are calculated based on the presence or absence of countermeasures.

- Countermeasures decrease vulnerability to one or more tactics
- The more countermeasures in-place that mitigate a particular tactic, the lower the vulnerability
- A ‘zero-level’ of vulnerability is not practical

Slide15

Countermeasures

A countermeasure is an action or device that is intended to stop or prevent something bad or dangerous.

Administrative:

- Preventive
- Corrective
- Detective

Technical:

- Preventive
- Corrective
- Detective

Slide16

Countermeasure Examples

- Evacuation procedures
- Background checks
- Contingency plan
- Container Inspections
- Virus software
- Training
- Backup procedures
- Access controls
- CCTV
- Guards

Slide17

Countermeasures

- Arranged by protection area
- Deconstructed into Y / N / NA formats

Slide18

The Risk Management Process

Step 1: Define the Scope

Step 2: Assess Assets

Step 3: Assess Threats

Step 4: Assess Vulnerabilities

Step 5: Analyze Risk and Create Reports

Step 6: Manage Risk

Step 7: Evaluate Effectiveness and Reassess

Slide19

Cost-Benefit Analysis

- Part of the management decision-making process in which the costs and benefits of each alternative are compared and the most appropriate alternative is selected
- Typically expressed as risk reduction per dollar in EPRM
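
Added worked example (not part of the original presentation and not EPRM's scoring rules): it carries the deck's formula Risk = Criticality * (Vulnerability * Threat) through to a "risk reduction per dollar" ranking. Assumptions: criticality is the plain mean of the four 0-100 metrics, vulnerability is the share of applicable Y / N / NA countermeasures answered N with a small non-zero floor, and all function names, answers and costs are constructed.

```python
# Added illustration; the averaging, the vulnerability formula, the floor and
# all sample values are assumptions, not EPRM's scoring rules.
MIN_VULNERABILITY = 0.05  # assumed floor: a zero level is "not practical"

def criticality(mission, national_defense, replacement, relative_value):
    """Asset criticality on the 0-100 scale (assumed: mean of the four metrics)."""
    metrics = (mission, national_defense, replacement, relative_value)
    if any(not 0 <= m <= 100 for m in metrics):
        raise ValueError("each metric must be within 0-100")
    return sum(metrics) / len(metrics)

def vulnerability(answers):
    """Vulnerability (0-1) to one tactic from Y / N / NA countermeasure answers."""
    if any(a not in ("Y", "N", "NA") for a in answers.values()):
        raise ValueError("answers must be Y, N or NA")
    applicable = [a for a in answers.values() if a != "NA"]
    if not applicable:          # no applicable countermeasure for this tactic
        return 1.0
    return max(MIN_VULNERABILITY, applicable.count("N") / len(applicable))

def risk(crit, vuln, threat):
    """Risk = Criticality * (Vulnerability * Threat), threat on the 0-1 scale."""
    if not 0 <= threat <= 1:
        raise ValueError("threat must be within 0-1")
    return crit * (vuln * threat)

def rank_by_reduction_per_dollar(crit, threat, answers, costs):
    """Rank missing countermeasures by risk reduction per dollar, best first."""
    before = risk(crit, vulnerability(answers), threat)
    ranked = []
    for name, cost in costs.items():
        if answers.get(name) != "N":
            continue            # already in place, not applicable, or unknown
        after = risk(crit, vulnerability({**answers, name: "Y"}), threat)
        ranked.append((name, (before - after) / cost))
    return sorted(ranked, key=lambda item: item[1], reverse=True)

# Constructed sample data for one asset and one threat tactic
SAMPLE_ANSWERS = {"Access controls": "Y", "Background checks": "Y",
                  "CCTV": "N", "Guards": "N", "Container Inspections": "NA"}
SAMPLE_COSTS = {"CCTV": 20_000, "Guards": 150_000}  # dollars, constructed

if __name__ == "__main__":
    crit = criticality(90, 70, 60, 80)
    print("risk:", risk(crit, vulnerability(SAMPLE_ANSWERS), 0.4))
    for name, value in rank_by_reduction_per_dollar(crit, 0.4, SAMPLE_ANSWERS, SAMPLE_COSTS):
        print(f"{name}: {value:.6f} risk points per dollar")
```
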

Slide20

Session Objectives

- What is risk?
- What is the difference between risk analysis and risk management?
- Define the components of risk
- What is the relationship between vulnerability and countermeasures?
- What are the steps in the risk management process?
