Headquarters U.S. Air Force

Integrity - Service - Excellence
EPRM Implementation Workshop, Session 2: Risk Terminology

Session Objectives

Learning Objective: To be able to define the key terms associated with risk management as it pertains to the Air Force Security Enterprise.

Enabling Learning Objectives: The student will be able to:
- Define risk
- Differentiate risk analysis from risk management
- Define the components of risk: asset; threat source and threat method; vulnerability
- Describe the relationship between vulnerability and countermeasures
- Understand the risk management process

Overview

Risk Terms

What is risk?

"The possibility of sustaining loss"

The potential for loss of, or damage to, an asset. It is measured based upon the criticality of the asset in relation to the threats and vulnerabilities associated with it. – AFI 31-101

An event that has a potentially negative impact and the possibility that such an event will occur and adversely affect an entity's assets, activities, and operations. – Government Accountability Office (Report #GAO-06-91, Dec 2005)

This isn't a class on risk analysis per se, but this definition does give us the basic elements that we need to collect and use in an automated methodology. The purpose is to identify, by deconstructing the methodology being used, what values are required:
- Assets, with some understanding of their value.
- Threats, and their relationship to assets.
- And, of course, some understanding of the vulnerability of the asset, usually based upon some weighted function of the countermeasures that are in place to mitigate each vulnerability.
So, let's start with these three and see what we would do with them.

Risk Assessment & Management

What is Risk Assessment?
An analytical process designed to provide an understanding of vulnerabilities and how potential threats may exploit those vulnerabilities to impact assets. The process includes the quantification of the likelihoods and expected consequences for identified risks to assist in prioritization.

What is Risk Management?
The process of identifying and prioritizing risks, followed by decisions to either accept or mitigate them. Risk analysis is the first part of risk management.

Risk Analysis
Risk analysis is a process. It quantifies vulnerabilities, risk, and loss, presenting an objective representation of a system's security posture. Risk analysis is a continuous process: threat environments and countermeasures are constantly changing, so any risk analysis needs to be continually updated to reflect the changing environment.

Risk Assessment Purpose

The assessment process should provide the information necessary to calculate risk by relating:
- Criticality of the assets being protected
- Threat characterizations
- Quantification of vulnerabilities that the threats exploit

Risk = Criticality of impacted asset * Likelihood of loss or damage to the asset
or
Risk = Criticality of impacted asset * (Vulnerability * Threat)

Risk assessment is a process within the risk management process. It generally occurs as the last step in the risk management process.

Assets

Anything of value to the organization and worth protecting or preserving.
- People, information, equipment, facilities, activities/operations that have an impact on the mission
- Must have quantified (or qualified) value to the unit / organization

Assets (Informational)

- Asset lists based on content from the OPSEC module / AF working groups
- Asset Criticality (0-100 scale) based on AFI 31-101
- User response input across four metrics:
  - Criticality to Mission
  - Criticality to National Defense
  - Replacement (time, LOE)
  - Relative Value (monetary, classification, etc.)

Threats

A threat is any circumstance or event with the potential to cause the loss of or damage to an asset. Threats are generally considered in terms of a threat source (sentient actor or natural hazard) and a threat tactic (threat method).

Frequency: Once we know that a threat is applicable, it is important to determine how likely it is to happen. Anticipate the loss for the year: if the threat occurs ten times, the loss we suffer from that threat each time is multiplied by how often it will occur that year. It is useful to start thinking about what threats are real for you and your organization.

Threat Sources

- Any individual, group, organization, or government that conducts activities, or has the intention and capability to conduct activities, detrimental to operations or valued assets
- Any naturally occurring event that has a rate of periodicity and a capability to negatively affect operations or valued assets

Examples of Threat Sources:
- Non-State Actors (Terrorist)
- State Sponsored Actors
- Criminals
- Protestors
- Insider
- Natural Hazards

Threat Tactics or Methods

- Threat lists include the categories of information collection activities
- Threat assessment (0-1 scale) based on AFI 31-101 metrics, and includes baseline recommendations from NASIC based on location

Vulnerability

Any weakness that can be exploited by an adversary to gain access to an asset. Vulnerabilities can result from, but are not limited to, the following:
- building characteristics
- equipment properties
- personal behavior
- locations of people, equipment and buildings
- operational procedures and personnel practices

Quite simply put, if we didn't have vulnerabilities, we wouldn't be concerned about threats or our security posture.

Vulnerability Examples

Typically expressed in relation to a threat tactic, such as vulnerability to:
- HUMINT
- SIGINT
- IMINT
- MASINT
- OSINT
- IED
- CBRN contamination
- Arson
- Hurricane
- IP Vulnerabilities
- Physical Vulnerabilities

Once you have determined the possible threats, you next need to examine what your susceptibility to that threat is. How likely is this threat to impact, disrupt or shut down your ability to function? What is the set of circumstances that allows a threat to take advantage of you? As you will learn later, a threat can take advantage of more than one vulnerability. For example, if lightning is the threat, what are some areas of vulnerability it would be able to exploit?

Vulnerability Quantification

Vulnerability levels are calculated based on the presence or absence of countermeasures.
- Countermeasures decrease vulnerability to one or more tactics
- The more countermeasures in place that mitigate a particular tactic, the lower the vulnerability
- A 'zero-level' of vulnerability is not practical

Countermeasures

A countermeasure is an action or device that is intended to stop or prevent something bad or dangerous.
- Administrative: Preventive, Corrective, Detective
- Technical: Preventive, Corrective, Detective

Countermeasure Examples

- Evacuation procedures
- Background checks
- Contingency plan
- Container inspections
- Virus software
- Training
- Backup procedures
- Access controls
- CCTV
- Guards

These are some examples of countermeasures. Can you name any that are not on this list?

Countermeasures

- Arranged by protection area
- Deconstructed into Y / N / NA formats

The Risk Management Process

Step 1: Define the Scope
Step 2: Assess Assets
Step 3: Assess Threats
Step 4: Assess Vulnerabilities
Step 5: Analyze Risk and Create Reports
Step 6: Manage Risk
Step 7: Evaluate Effectiveness and Reassess

Cost-Benefit Analysis

Part of the management decision-making process in which the costs and benefits of each alternative are compared and the most appropriate alternative is selected.
- Typically expressed as risk reduction per dollar in EPRM
- Since you will only be collecting the information, you will not need to input cost information for the analysis module.
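The terms on the preceding slides (asset criticality on a 0-100 scale from four metrics, threat on a 0-1 scale, vulnerability derived from Y / N / NA countermeasure answers, Risk = Criticality * (Vulnerability * Threat), and risk reduction per dollar) fit together into one small calculation. The following Python is an added illustration written for this transcript; it is not EPRM code and not from the Air Force. Everything beyond the slide text is an assumption: the four criticality metrics are averaged with equal weight, vulnerability to a tactic is taken as the share of applicable countermeasures not in place (floored so it never reaches the impractical zero level), and the asset, threat, countermeasure and cost values are constructed sample data.

```python
"""Worked example of the risk terms defined on these slides (illustrative only).

Assumptions not stated on the slides: equal-weight average of the four
criticality metrics; vulnerability = fraction of applicable countermeasures
answered "N", floored at VULN_FLOOR; all sample values are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

VULN_FLOOR = 0.05  # assumed residual: a 'zero-level' of vulnerability is not practical


@dataclass(frozen=True)
class Asset:
    """An asset scored on the four AFI 31-101 criticality metrics (0-100 each, assumed)."""
    name: str
    mission: int            # Criticality to Mission
    national_defense: int   # Criticality to National Defense
    replacement: int        # Replacement (time, LOE)
    relative_value: int     # Relative Value (monetary, classification, etc.)

    def criticality(self) -> float:
        # Assumption: equal weighting of the four metrics, result stays on the 0-100 scale.
        scores = (self.mission, self.national_defense, self.replacement, self.relative_value)
        if any(not 0 <= s <= 100 for s in scores):
            raise ValueError("criticality metrics must be on the 0-100 scale")
        return sum(scores) / len(scores)


def vulnerability(answers: dict[str, str]) -> float:
    """Vulnerability to one tactic from Y / N / NA countermeasure answers.

    Y = countermeasure in place, N = absent, NA = not applicable (ignored).
    More in-place countermeasures for a tactic means lower vulnerability.
    """
    applicable = [a for a in answers.values() if a in ("Y", "N")]
    if not applicable:
        return 1.0  # nothing applicable was assessed: treat the asset as fully exposed
    missing = sum(1 for a in applicable if a == "N")
    return max(VULN_FLOOR, missing / len(applicable))


def risk(criticality: float, threat: float, vuln: float) -> float:
    """Risk = Criticality of impacted asset * (Vulnerability * Threat), as on the slide."""
    if not 0.0 <= threat <= 1.0:
        raise ValueError("threat assessment must be on the 0-1 scale")
    return criticality * (vuln * threat)


def risk_reduction_per_dollar(asset: Asset, threat: float, answers: dict[str, str],
                              countermeasure: str, cost_dollars: float) -> float:
    """Cost-benefit figure for adding one countermeasure: risk removed per dollar spent."""
    before = risk(asset.criticality(), threat, vulnerability(answers))
    after = risk(asset.criticality(), threat, vulnerability({**answers, countermeasure: "Y"}))
    return (before - after) / cost_dollars


def prioritize(items: list[tuple[Asset, str, float, dict[str, str]]]) -> list[tuple[str, str, float]]:
    """Rank (asset, tactic, threat, answers) entries by computed risk, highest first."""
    scored = [(a.name, tactic, risk(a.criticality(), t, vulnerability(ans)))
              for a, tactic, t, ans in items]
    return sorted(scored, key=lambda row: row[2], reverse=True)


# ---- constructed sample data (not from the slides) ----
SAMPLE_ASSET = Asset("Flight operations schedule", 90, 70, 40, 60)   # criticality 65.0
HUMINT_THREAT = 0.6                                                  # assumed 0-1 assessment
HUMINT_ANSWERS = {"Background checks": "Y", "Training": "N", "Access controls": "N",
                  "Container inspections": "NA", "Evacuation procedures": "NA"}
LOT_ASSET = Asset("Visitor parking lot", 20, 10, 10, 15)              # criticality 13.75
ARSON_THREAT = 0.3
ARSON_ANSWERS = {"CCTV": "Y", "Guards": "N"}


def example() -> dict[str, float]:
    """Run the sample through the terms; returns the figures a report would show."""
    return {
        "criticality": SAMPLE_ASSET.criticality(),
        "vulnerability": vulnerability(HUMINT_ANSWERS),          # 2 of 3 applicable missing
        "risk": risk(SAMPLE_ASSET.criticality(), HUMINT_THREAT, vulnerability(HUMINT_ANSWERS)),
        "reduction_per_dollar": risk_reduction_per_dollar(
            SAMPLE_ASSET, HUMINT_THREAT, HUMINT_ANSWERS, "Training", 5000.0),
    }


if __name__ == "__main__":
    for key, value in example().items():
        print(f"{key:>20}: {value:.4f}")
    for name, tactic, score in prioritize([(SAMPLE_ASSET, "HUMINT", HUMINT_THREAT, HUMINT_ANSWERS),
                                           (LOT_ASSET, "Arson", ARSON_THREAT, ARSON_ANSWERS)]):
        print(f"{score:6.2f}  {name} / {tactic}")
```

With the constructed values the schedule asset has criticality 65, two of three applicable HUMINT countermeasures are missing (vulnerability 2/3), and risk comes to 65 * (2/3 * 0.6) = 26. Adding the missing training countermeasure halves the vulnerability, removing 13 points of risk for an assumed $5,000, or 0.0026 per dollar; the ranking step is where the prioritization mentioned on the Risk Assessment slide happens.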

Session Objectives

- What is risk?
- What is the difference between risk analysis and risk management?
- Define the components of risk
- What is the relationship between vulnerability and countermeasures?
- What are the steps in the risk management process?