Presentation is loading. Please wait.

Presentation is loading. Please wait.

Headquarters U.S. Air Force

Published byAdrian Harper Modified over 6 years ago

Similar presentations

Presentation on theme: "Headquarters U.S. Air Force"— Presentation transcript:

1 Headquarters U.S. Air Force
EPRM Implementation Workshop Session 2: Risk Terminology I n t e g r i t y - S e r v i c e - E x c e l l e n c e

2 Session Objectives Learning Objective: To be able to define the key terms associated with risk management as it pertains to the Air Force Security Enterprise Enabling Learning Objectives: The student will be able to: Define risk Differentiate risk analysis from risk management Define the components of risk: Asset Threat source and threat method Vulnerability Describe the relationship between vulnerability and countermeasures Understand the risk management process

3 Overview Risk Terms

4 Risk & Risk Management What is Risk? What is Risk Management?
Probability and severity of loss linked to hazards. (Department of Defense Dictionary of Military and Associated Terms; hereafter “DoD Dictionary”) Hazard — A condition with the potential to cause injury, illness, or death of personnel; damage to or loss of equipment or property; or mission degradation. (DoD Dictionary) What is Risk Management? The process to identify, assess, and control risks and make decisions that balance risk cost with mission benefits. (DoD Dictionary) DoD defines risk as shown. Notice that there are multiple definitions across government, so you may well have heard/seen others, but this will serve as the baseline for EPRM purposes. NOTE: USG has ten different Departmental based risk definitions in the United States Government Compendium of Interagency and Associated Terms

5 Execution & Scoring How is Risk Management Executed?
The Commander manages risks based upon the association of the criticality of assigned assets and infrastructure, a comprehensive analysis of the threat and the respective vulnerabilities to those assets. (AFI ) What is a Risk Score? The Air Force manages through the application of threat and criticality lenses to the vulnerability of each asset. Later you will see or hear about EPRM’s risk numbers, which are a relative representation that assists in the decision making process for selecting countermeasures. The numerical result of a semi-quantitative risk assessment methodology numerical representation that gauges the combination of threat, vulnerability, and consequence at a specific moment. (DHS Lexicon)

6 Risk Assessment Purpose
The assessment process should provide the information necessary to calculate risk by relating: Criticality of the assets being protected Threat characterizations Quantification of vulnerabilities that the threats exploit Risk = Criticality of impacted asset Likelihood of loss or damage to the asset Or Risk = Criticality of impacted asset (Vulnerability * Threat) * Risk assessment is a process within the risk management process. It generally occurs as the last step in the risk management process. *

7 Assets Anything of value to the organization and worth protecting or preserving. People, information, equipment, facilities, activities/operations that have an impact on the mission Must have quantified (or qualified) value to the unit / organization

8 Assets Informational Asset lists based on content from OPSEC module / AF working groups Asset Criticality (0-100 scale) based on AFI User response input across four metrics: Criticality to Mission Criticality to National Defense Replacement (time, LOE) Relative Value (monetary, classification, etc.)

9 Threats Threat is any circumstance or event with the potential to cause the loss of or damage to an asset. Threats are generally considered in terms of a threat source (sentient actor or natural hazard) and a threat tactic (threat method). Frequency: Once we know that a threat is applicable, it is important to determine how likely it is to happen Anticipate loss for the year and if the threat occurs ten times, the loss we suffer from that threat each time is going to be multiplied by how often it will occur that year. It is useful to starting thinking about what threats are real for you and your organization.

10 Threat Sources Any individual, group, organization, or government that conducts activities, or has the intention and capability to conduct activities detrimental to operations or valued assets Any naturally occurring event that has a rate of periodicity and a capability to negatively affect operations or valued assets. Examples of Threat Sources: Non-State Actors (Terrorist) State Sponsored Actors Criminals Protestors Insider Natural Hazards

11 Threats Tactics or Methods
Threat lists include the categories of information collection activities Threat assessment (0-1 scale) based on AFI metrics and includes baseline recommendations from NASIC based on location

12 Vulnerability Any weakness that can be exploited by an adversary to gain access to an asset. Vulnerabilities can result from, but are not limited to the following: building characteristics equipment properties personal behavior locations of people, equipment and buildings operational procedures and personnel practices Quite simply put, if we didn’t have vulnerabilities, we wouldn’t be concerned about threats or our security posture.

13 Vulnerability Examples
Typically expressed in relation to a threat tactic. Such as Vulnerability to... HUMINT SIGINT IMINT MASINT OSINT IED CBRN contamination Arson Hurricane IP Vulnerabilities Physical Vulnerabilities Once you have determined the possible threats, you next need to examine what is your susceptibility to that threat. How likely is this threat to impact, disrupt or shut down your ability to function? What are the set of circumstances that allows a threat to take advantage of you? As you will learn later, a threat can take advantage of more than one vulnerability. For example, if lightning is the threat, what are some areas of vulnerability it would be able to exploit?

14 Vulnerability Quantification
Vulnerability levels are calculated based on the presence or absence of countermeasures. Countermeasures decrease vulnerability to one or more tactics The more countermeasures in-place that mitigate a particular tactic, the lower the vulnerability A ‘zero-level’ of vulnerability is not practical

15 Countermeasures A countermeasure is an action or device that is intended to stop or prevent something bad or dangerous. Administrative Preventive Corrective Detective Technical Preventive Corrective Detective

16 Countermeasure Examples
Evacuation procedures Background checks Contingency plan Container Inspections Virus software Training Backup procedures Access controls CCTV Guards These are some examples of countermeasures. Can you name any that are not on this list?

17 Countermeasures Arranged by protection area
Deconstructed into Y / N / NA formats

18 The Risk Management Process
Step : Assess Threats 3 Step : Assess Vulnerabilities 4 Step : Assess Assets 2 Step : Define the Scope 1 Step : Analyze Risk and Create Reports 5 Step : Evaluate Effectiveness and Reassess 7 Step : Manage Risk 6

19 Cost-Benefit Analysis
Part of the management decision-making process in which the costs and benefits of each alternative are compared and the most appropriate alternative is selected Typically expressed as risk reduction per dollar in EPRM Since you will only be collecting the information, you will not need to input cost information for the analysis module.

20 Session Objectives What is risk?
What is the difference between risk analysis and risk management? Define the components of risk What is the relationship between vulnerability and countermeasures? What are the steps in the risk management process?

Download ppt "Headquarters U.S. Air Force"

Similar presentations

Museum Presentation Intermuseum Conservation Association.

Museum Presentation Intermuseum Conservation Association.
Risk Management Introduction Risk Management Fundamentals

Risk Management Introduction Risk Management Fundamentals
Marine Corps Artillery Detachment, Fort Sill Veterans Day 2008 ORM.

Marine Corps Artillery Detachment, Fort Sill Veterans Day 2008 ORM.
THE FOLLOWING MINI PRESENTATION ON OPSEC IS TAKEN FROM A US AIR FORCE BRIEFING. ALTHOUGH THIS IS A MILITARY PRESENTATION, IT PROVIDES A GOOD OVERVIEW OF.

THE FOLLOWING MINI PRESENTATION ON OPSEC IS TAKEN FROM A US AIR FORCE BRIEFING. ALTHOUGH THIS IS A MILITARY PRESENTATION, IT PROVIDES A GOOD OVERVIEW OF.
CST 481/598 Many thanks to Jeni Li.  Potential negative impact to an asset  Probability of a loss  A function of three variables  The probability.

CST 481/598 Many thanks to Jeni Li.  Potential negative impact to an asset  Probability of a loss  A function of three variables  The probability.
Introducing Computer and Network Security

Introducing Computer and Network Security
By: Ashwin Vignesh Madhu

By: Ashwin Vignesh Madhu
Randy Marchany VA Tech Computing Center

Randy Marchany VA Tech Computing Center
Operational Risk Management

Operational Risk Management
Risk Management at a Glance. Terms Hazard Hazard Risk Risk Probability Probability Severity Severity Estimating Estimating Exposure Exposure Risk Assessment.

Risk Management at a Glance. Terms Hazard Hazard Risk Risk Probability Probability Severity Severity Estimating Estimating Exposure Exposure Risk Assessment.
Visual 3. 1 Lesson 3 Risk Assessment and Risk Mitigation.

Visual 3. 1 Lesson 3 Risk Assessment and Risk Mitigation.
PRM 702 Project Risk Management Lecture #28

PRM 702 Project Risk Management Lecture #28
Chapter 11: Project Risk Management

Chapter 11: Project Risk Management
Security Risk Assessment Applied Risk Management July 2002.

Security Risk Assessment Applied Risk Management July 2002.
1 Introduction to Security Chapter 5 Risk Management: The Foundation of Private Security.

1 Introduction to Security Chapter 5 Risk Management: The Foundation of Private Security.
Operations Security (OPSEC) 301-371-1050. Introduction  Standard  Application  Objectives  Regulations and Guidance  OPSEC Definition  Indicators.

Operations Security (OPSEC) Introduction  Standard  Application  Objectives  Regulations and Guidance  OPSEC Definition  Indicators.
WMD & Emergency Planning Steps Session 12. Emergency Planning Steps Vulnerability Assessment Mitigation Efforts Emergency Response Planning Recovery.

WMD & Emergency Planning Steps Session 12. Emergency Planning Steps Vulnerability Assessment Mitigation Efforts Emergency Response Planning Recovery.
Security Risk Management

Security Risk Management
Introducing Computer and Network Security. Computer Security Basics What is computer security? –Answer depends on the perspective of the person you’re.

Introducing Computer and Network Security. Computer Security Basics What is computer security? –Answer depends on the perspective of the person you’re.
CAIRA is a quantitative vulnerability assessment tool for examining the physical security of energy systems (electrical, natural gas, steam and water)

CAIRA is a quantitative vulnerability assessment tool for examining the physical security of energy systems (electrical, natural gas, steam and water)

Similar presentations

Ads by Google