Headquarters U.S. Air Force

EPRM Implementation Workshop
Session 2: Risk Terminology
Integrity - Service - Excellence

Session Objectives
Learning Objective: To be able to define the key terms associated with risk management as it pertains to the Air Force Security Enterprise.
Enabling Learning Objectives: The student will be able to:
- Define risk
- Differentiate risk analysis from risk management
- Define the components of risk: asset; threat source and threat method; vulnerability
- Describe the relationship between vulnerability and countermeasures
- Understand the risk management process

Overview
Risk Terms

Risk & Risk Management
What is Risk? Probability and severity of loss linked to hazards. (Department of Defense Dictionary of Military and Associated Terms; hereafter "DoD Dictionary")
Hazard: A condition with the potential to cause injury, illness, or death of personnel; damage to or loss of equipment or property; or mission degradation. (DoD Dictionary)
What is Risk Management? The process to identify, assess, and control risks and make decisions that balance risk cost with mission benefits. (DoD Dictionary)
DoD defines risk as shown. Notice that there are multiple definitions across government, so you may well have heard or seen others, but this one will serve as the baseline for EPRM purposes. NOTE: The USG has ten different Department-based risk definitions in the United States Government Compendium of Interagency and Associated Terms.

Execution & Scoring
How is Risk Management Executed? The Commander manages risks based upon the association of the criticality of assigned assets and infrastructure, a comprehensive analysis of the threat, and the respective vulnerabilities to those assets. (AFI 31-101)
What is a Risk Score? The numerical result of a semi-quantitative risk assessment methodology: a numerical representation that gauges the combination of threat, vulnerability, and consequence at a specific moment. (DHS Lexicon)
The Air Force manages risk through the application of threat and criticality lenses to the vulnerability of each asset. Later you will see or hear about EPRM's risk numbers, which are a relative representation that assists in the decision-making process for selecting countermeasures.

Risk Assessment Purpose
The assessment process should provide the information necessary to calculate risk by relating:
- Criticality of the assets being protected
- Threat characterizations
- Quantification of vulnerabilities that the threats exploit
Risk = Criticality of impacted asset * Likelihood of loss or damage to the asset
or
Risk = Criticality of impacted asset * (Vulnerability * Threat)
(Note: Risk assessment is a process within the risk management process. It generally occurs as the last step in the risk management process.)

Assets
Anything of value to the organization and worth protecting or preserving:
- People, information, equipment, facilities, and activities/operations that have an impact on the mission
- Must have quantified (or qualified) value to the unit / organization

Assets (Informational)
- Asset lists are based on content from the OPSEC module / AF working groups
- Asset Criticality (0-100 scale) is based on AFI 31-101
- User response input across four metrics: Criticality to Mission; Criticality to National Defense; Replacement (time, LOE); Relative Value (monetary, classification, etc.)

Threats
A threat is any circumstance or event with the potential to cause the loss of or damage to an asset. Threats are generally considered in terms of a threat source (sentient actor or natural hazard) and a threat tactic (threat method).
Frequency: once we know that a threat is applicable, it is important to determine how likely it is to happen. Anticipate the loss for the year: if the threat occurs ten times, the loss we suffer from that threat each time is multiplied by how often it will occur that year.
It is useful to start thinking about what threats are real for you and your organization.

Threat Sources
- Any individual, group, organization, or government that conducts activities, or has the intention and capability to conduct activities, detrimental to operations or valued assets
- Any naturally occurring event that has a rate of periodicity and a capability to negatively affect operations or valued assets
Examples of Threat Sources: Non-State Actors (Terrorist), State Sponsored Actors, Criminals, Protestors, Insider, Natural Hazards

Threat Tactics or Methods
- Threat lists include the categories of information collection activities
- Threat assessment (0-1 scale) is based on AFI 31-101 metrics and includes baseline recommendations from NASIC based on location

Vulnerability
Any weakness that can be exploited by an adversary to gain access to an asset. Vulnerabilities can result from, but are not limited to, the following:
- building characteristics
- equipment properties
- personal behavior
- locations of people, equipment and buildings
- operational procedures and personnel practices
Quite simply put, if we didn't have vulnerabilities, we wouldn't be concerned about threats or our security posture.

Vulnerability Examples
Typically expressed in relation to a threat tactic, such as vulnerability to: HUMINT, SIGINT, IMINT, MASINT, OSINT, IED, CBRN contamination, Arson, Hurricane, IP Vulnerabilities, Physical Vulnerabilities.
Once you have determined the possible threats, you next need to examine your susceptibility to each threat. How likely is this threat to impact, disrupt or shut down your ability to function? What set of circumstances allows a threat to take advantage of you? As you will learn later, a threat can take advantage of more than one vulnerability. For example, if lightning is the threat, what are some areas of vulnerability it would be able to exploit?

Vulnerability Quantification
- Vulnerability levels are calculated based on the presence or absence of countermeasures
- Countermeasures decrease vulnerability to one or more tactics
- The more countermeasures in place that mitigate a particular tactic, the lower the vulnerability
- A 'zero-level' of vulnerability is not practical

Countermeasures
A countermeasure is an action or device that is intended to stop or prevent something bad or dangerous.
- Administrative: Preventive, Corrective, Detective
- Technical: Preventive, Corrective, Detective

Countermeasure Examples
Evacuation procedures, Background checks, Contingency plan, Container Inspections, Virus software, Training, Backup procedures, Access controls, CCTV, Guards
These are some examples of countermeasures. Can you name any that are not on this list?

Countermeasures
- Arranged by protection area
- Deconstructed into Y / N / NA formats

The Risk Management Process
Step 1: Define the Scope
Step 2: Assess Assets
Step 3: Assess Threats
Step 4: Assess Vulnerabilities
Step 5: Analyze Risk and Create Reports
Step 6: Manage Risk
Step 7: Evaluate Effectiveness and Reassess

Cost-Benefit Analysis
Part of the management decision-making process in which the costs and benefits of each alternative are compared and the most appropriate alternative is selected. Typically expressed as risk reduction per dollar in EPRM.
Since you will only be collecting the information, you will not need to input cost information for the analysis module.
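The following is an added worked example, not EPRM's own code or anything from the Air Force briefing. It strings together the Risk Assessment Purpose formula (Risk = Criticality * (Vulnerability * Threat)), the asset criticality (0-100) and threat assessment (0-1) scales, the Vulnerability Quantification rule (vulnerability falls with each in-place Y / N / NA countermeasure but never reaches zero) and the Cost-Benefit Analysis slide (risk reduction per dollar). Everything the slides do not specify is an assumption and is marked as such in the code: the four criticality metrics are averaged, each in-place countermeasure removes a fixed share of the remaining vulnerability, the 0.05 vulnerability floor, and all countermeasure weights, costs and sample data are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass, replace

# Residual vulnerability left even with every countermeasure in place: the
# slides state that a "zero-level" of vulnerability is not practical. The
# 0.05 figure is an assumption for this example.
VULN_FLOOR = 0.05


@dataclass(frozen=True)
class Asset:
    """An asset scored on the four 0-100 criticality metrics the slides list."""
    name: str
    mission: int           # criticality to mission
    national_defense: int  # criticality to national defense
    replacement: int       # replacement difficulty (time, level of effort)
    relative_value: int    # relative value (monetary, classification, etc.)

    def criticality(self) -> float:
        """Asset criticality on the 0-100 scale as the mean of the four metrics.
        Averaging is an assumption; the slides do not say how EPRM combines them."""
        scores = (self.mission, self.national_defense, self.replacement, self.relative_value)
        if any(not 0 <= s <= 100 for s in scores):
            raise ValueError("criticality metrics must be on the 0-100 scale")
        return sum(scores) / len(scores)


@dataclass(frozen=True)
class Countermeasure:
    """One Y / N / NA countermeasure question, as the slides describe them."""
    name: str
    tactics: frozenset[str]  # threat tactics this countermeasure mitigates
    reduction: float         # share of remaining vulnerability it removes (constructed)
    annual_cost: float       # dollars per year (constructed)
    status: str              # "Y" in place, "N" not in place, "NA" not applicable


def vulnerability(tactic: str, countermeasures: list[Countermeasure]) -> float:
    """Residual vulnerability to one tactic, derived from countermeasure presence.
    Only countermeasures answered "Y" count; "N" and "NA" contribute nothing.
    Each in-place countermeasure removes its share of whatever vulnerability
    remains, and the result never drops below VULN_FLOOR."""
    residual = 1.0
    for cm in countermeasures:
        if cm.status == "Y" and tactic in cm.tactics:
            residual *= 1.0 - cm.reduction
    return max(residual, VULN_FLOOR)


def risk(asset: Asset, tactic: str, threat: float, countermeasures: list[Countermeasure]) -> float:
    """Risk = Criticality of impacted asset * (Vulnerability * Threat), per the slides.
    `threat` is the 0-1 threat assessment for this tactic."""
    if not 0.0 <= threat <= 1.0:
        raise ValueError("threat must be on the 0-1 scale")
    return asset.criticality() * (vulnerability(tactic, countermeasures) * threat)


def total_risk(asset: Asset, threats: dict[str, float], countermeasures: list[Countermeasure]) -> float:
    """Sum the per-tactic risk scores over every applicable threat tactic."""
    return sum(risk(asset, tactic, level, countermeasures) for tactic, level in threats.items())


def rank_by_risk_reduction_per_dollar(asset, threats, countermeasures):
    """Cost-benefit analysis: risk reduction per dollar for each "N" countermeasure.
    Each missing countermeasure is tried on its own against the current baseline.
    Returns (name, risk_reduction, reduction_per_dollar) tuples, best first."""
    baseline = total_risk(asset, threats, countermeasures)
    ranked = []
    for i, cm in enumerate(countermeasures):
        if cm.status != "N":
            continue
        if cm.annual_cost <= 0:
            raise ValueError(f"{cm.name}: annual_cost must be positive")
        trial = countermeasures[:i] + [replace(cm, status="Y")] + countermeasures[i + 1:]
        reduction = baseline - total_risk(asset, threats, trial)
        ranked.append((cm.name, reduction, reduction / cm.annual_cost))
    ranked.sort(key=lambda row: row[2], reverse=True)
    return ranked


# Constructed sample data for one asset; the figures are illustrative only.
SAMPLE_ASSET = Asset("Flight line fuel storage", mission=90, national_defense=70,
                     replacement=80, relative_value=60)
SAMPLE_THREATS = {"IED": 0.4, "Arson": 0.2}  # 0-1 threat assessment per tactic
SAMPLE_COUNTERMEASURES = [
    Countermeasure("Access controls", frozenset({"IED", "Arson"}), 0.5, 20_000, "Y"),
    Countermeasure("CCTV", frozenset({"IED", "Arson"}), 0.3, 15_000, "N"),
    Countermeasure("Guards", frozenset({"IED", "Arson"}), 0.4, 100_000, "N"),
    Countermeasure("Container inspections", frozenset({"IED"}), 0.4, 8_000, "N"),
    Countermeasure("Virus software", frozenset({"SIGINT"}), 0.5, 2_000, "NA"),
]

if __name__ == "__main__":
    print(f"criticality: {SAMPLE_ASSET.criticality():.1f}")
    print(f"baseline risk: {total_risk(SAMPLE_ASSET, SAMPLE_THREATS, SAMPLE_COUNTERMEASURES):.2f}")
    for name, cut, per_dollar in rank_by_risk_reduction_per_dollar(
            SAMPLE_ASSET, SAMPLE_THREATS, SAMPLE_COUNTERMEASURES):
        print(f"{name:22s} risk reduction {cut:5.2f}  per dollar {per_dollar:.6f}")
```

With the constructed data the asset scores a criticality of 75 and a baseline risk of 22.5 (15.0 from IED, 7.5 from arson, with access controls already halving vulnerability to both). Guards would remove the most risk in absolute terms (9.0), but container inspections remove 6.0 for 8,000 dollars and so rank first on risk reduction per dollar, which is the ordering the Cost-Benefit Analysis slide describes. The "NA" entry never affects the score and is never ranked, and the floor keeps vulnerability above zero however many countermeasures are marked "Y".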

Session Objectives
- What is risk?
- What is the difference between risk analysis and risk management?
- Define the components of risk
- What is the relationship between vulnerability and countermeasures?
- What are the steps in the risk management process?