FAST HOME HELP WHAT'S NEW COMMENTS SEARCH
GUIDANCE
Security Risk Management Guide (Added 02/2000)

1. Security Risk Management (SRM)

SRM is a logical process that may be used to assess and quantify risk, and provide management with cost-effective solutions to security risk reduction using available resources. SRM starts at program inception and is applied throughout the life cycle. It is designed to:

  • identify and quantify assets to be safeguarded;
  • measure the criticality of each asset by determining the impact of loss of each asset;
  • address the threat taxonomy that applies;
  • identify and quantify the vulnerabilities associated with each asset when matched with each identified threat, and
  • analyze the costs and benefits associated with risk mitigation.

1.1. When referring to SRM it is necessary to define what type of risk is being addressed and it is necessary to be clear concerning what type of risk is being managed. By leaving the word "security" out of the term risk management it restricts the venue to "speculative" and "program" risk almost exclusively.

1.1.a. Program risk: In any program developmental scenario somewhere there will be a reference to a risk assessment. The concern is with which factors apply to determining whether or not the program will achieve its intended goal within budget, on schedule, and within specification. This is certainly a form of risk management but it is not "pure risk".

1.1.b. Speculative risk: Finds its venue most often on the stock market and at the racetrack.

1.1.c. Pure risk: Pure Risk is defined as "the probability that if a threat occurs it will be successful in causing a loss event." The concept of loss event is defined as "physical loss of, or damage to an asset."

2. SRM TEAM.

The SRM team is composed of program managers, Facility managers, Integrated Product Team (IPT) leaders, SRM security representatives, and others working with programs, projects, operations, systems, or facilities.

STEP 1

3. ASSET IDENTIFICATION.

3.1. Identification of the assets to be safeguarded is a fundamental requirement of the SRM process. The term asset is defined as any person, place, thing, or commodity, for which there is a safeguarding requirement.

3.2. Each asset must be identified and quantified in dollars as to its value.

3.3. Until all assets have been identified and quantified the program, project, operation, system, or facility design cannot be properly assessed.

3.4. The SRM team determines the specific assets that need to be considered when evaluating risk, and the priority in which those assets should be addressed.

STEP 2

4. DETERMINATION OF THE ASSET CRITICALITY.

Criticality is defined and quantified in terms of Impact of Loss. Impact of Loss is measured in terms of four specific quantifiable areas. The result is expressed in dollars. Each asset that needs to be safeguarded is evaluated in terms of its impact of loss (value in dollars). Its initial costs, temporary replacement cost, permanent replacement costs and the remaining related costs to include impact in dollars that would result from loss or damage of the asset.

4.1. Human life - employees, contractors, the flying public, is always assigned the highest criticality rating of "1". In order to maintain the quantifiable continuity of the process, human life is assigned a dollar value of $2.7 million.

4.2. Specific cost factors are used in determining asset criticality:

4.3. The "Impact of Loss" formula for a single loss event impacting on an asset is expressed as follows:

 

K= (Ci + Ct + Cp + Cr)

 

K = criticality or total cost of loss.

Ci= total initial asset cost.

Ct= cost of temporary substitute.

Cp= cost of permanent replacement.

Cr= total related costs.

4.4. The individual weighting factors that determine the impact of loss of an asset as shown above are further expanded using the criteria listed below.

Ci

Initial cost of the asset to include site selection and engineering, procurement, installation, and testing, training, freight, etc.

Ct

Cost of a temporary substitute. The cost of the temporary substitute is properly attributable to the loss event that requires the replacement. Costs include:

a. Lease or rental costs.

b. Cost of labor.

c. Testing

d. Activation

Cp

Cost of a permanent replacement of the asset. To permanently replace an asset will cost as much as necessary to put the new asset in the place of the lost asset. Costs include:

Purchase price or manufacturing cost.

Freight and shipping charges.

Site preparation costs.

Actual installation.

Testing.

Activation.

 

Cr

Total related costs. If other personnel or systems are under-utilized as a result of the loss, the cost of waiting or downtime is attributable to the loss event. Costs associated with delays and rerouting in the NAS which result from a catastrophic outage of an Air Route Traffic Control Center are examples of related costs. If moneys were to be diverted from other projects to meet the emergency needs created by a security loss event, these moneys would be an example of lost income costs. Lost revenue costs and impact in terms of dollars that the assets damage or loss would have on the NAS, the flying public, and the aviation industry.

STEP 3

 5.  ASSIGNING A CRITICALITY RATING.

Criticality ratings are indicated by assignment of numerical values from 1 through 4. The significance of each rating is indicated in the table below.

Criticality Rating
Severity of Loss

Impact Description

Level of Impact

Impact of Loss

1

Catastrophic

Total destruction or loss of the asset or damage to the asset sufficiently severe to cause complete loss of mission capability for an extended period.

2

Very serious

Major damage to the asset requiring extensive repairs with consequent severe impairment of the mission capability.

CRITICALITY RATINGS BASED ON IMPACT OF LOSS

STEP 4

5. IDENTIFICATION OF THE THREATS ASSOCIATED WITH EACH ASSET.

5.1. All threats to an asset must be identified.

5.2. Every threat associated with an asset, if it occurs, does not necessarily result in a loss event.

5.3. When a loss event does occur however, it always results in quantifiable physical damage to, or destruction of the asset.

5.4. The threat identification process incorporates the elements of a traditional threat assessment. Any information or data that indicates the probability that a particular threat will occur must be incorporated into the overall analysis.

STEP 5

6. IDENTIFICATION AND ASSESSMENT OF EXISTING COUNTERMEASURES WITH REFERENCE TO THE IDENTIFIED THREATS.

6.1. Countermeasures are those actions taken to eliminate, reduce, or control vulnerabilities to specific threats. In most instances countermeasures require the expenditure of funds as well as the allocation of resources.

6.2. Existing countermeasures must be identified and assessed to determine the extent to which they are providing the intended vulnerability reduction.

STEP 6

7. ASSIGNMENT OF AN ASSET VULNERABILITY RATING.

7.1. Each asset which has been prioritized according to criticality, is now evaluated to determine the extent to which it is vulnerable to identified threats.

7.2. Vulnerabilities are those physical, technical, administrative, procedural, or human characteristics of an asset that constitute quantifiable weaknesses. If a threat occurs, these weaknesses increase the probability that it will be successful in causing a loss event. Vulnerability is defined as "a weakness associated with any condition or attribute of an asset whether technical, administrative, or human, which facilitates or increases the probability that a threat will result in a loss event."

7.3. With regard to any asset the level of risk is directly related to the magnitude of the vulnerabilities. Associated with the asset the greater the number and magnitude of vulnerabilities, the greater is the probability or risk that a loss event will occur. Vulnerabilities constitute a measure of the probability that an identified threat occurs it will be successful in causing a loss event.

7.4. An alphabetical rating from "A" through "D" is assigned to each asset reflecting the vulnerability level. The "A" rating designates the highest vulnerability, and the "D" rating the lowest as shown in the table below.

Probability that if a threat occurs it will be successful in causing a loss event.

Rating:

Description:

Extremely high probability

A

Given no changes, the vulnerability is so severe that if a threat occurs the probability that it will be successful in causing a loss event is extremely high.

Very High Probability

B

The vulnerability is such that if a threat occurs the threat or loss event is much more likely to occur than not to occur.

Moderately High Probability

C

The threat or loss event is more likely to occur than not to occur.

Low Probability

D

The threat or loss event is less likely to occur than not to occur.

VULNERABILITY AND PROBABILITY OF LOSS RATINGS

STEP 7

8. DETERMINE THE LEVEL OF RISK, (RISK LOGIC).

8.1. At this point in the SRM process each asset has been assigned two designators.

8.1.a. The first designator, numerical designator indicates the criticality of the asset.

8.1.b. The second designator, letter designator indicates the vulnerability of the asset to a loss event.

8.1.c. The combinations of the two designators (Criticality and Vulnerability) represent the level of Risk.

8.1.d. The assets are reprioritized, those assets having the highest Risk level being given the highest priority.

8.2. Using the Risk Level Values assigned, each asset is entered into a risk logic matrix as shown below

 

Vulnerability

Probability that if a threat occurs it will be successful in causing a loss event

Impact of Loss - Criticality/Vulnerability - Risk Level

Assessed Rating

  

2

3

4
Catastrophic  Very Serious Moderately Not Serious

A

Extremely high probability

1A  

2A 3A 4A

B

Very High Probability

1B

2B 3B 4B

C

Moderately High Probability

1C

2C 3C 4C

D

Low Probability

1D

2D 3D 4D

RISK LOGIC MATRIX

8.3. Unacceptability and AcceptabilityRisk

Normally, all risks can not be controlled or eliminated; for assets that are controlled, as a minimum, however, it is important to control or reduce extremely high and very high levels of risk to a moderate or low level of risk.

STEP 8

9. DECISION MAKING.

9.1. The goal of the SRM process is to provide the SRM team and other decision makers with a means to logically quantify and group assets according to criticality and vulnerability.

9.2. The risk logic matrix presentation permits extrapolating risk information pertaining to assets in such a way that management has a clear perception of where the critical decision boundaries are to be found.

9.3. For example, the risk levels reflected in the risk logic table above for each asset are interpreted for purposes of decision making as shown in the table below.

FAA ASSET RISK LEVEL

INTERPRETATION

1A, 1B, 1C, 2A, 2B, 3A

These risks are unacceptable and must be controlled or eliminated.

1D, 1B, 2D, 3B, 3C

These risks should be unacceptable. However, management may determine to accept the risk in writing.

3D, 4A, 4B, 4C, 4D

These risks may be accepted with management review.

RISK MATRIX MANAGEMENT GUIDE

STEP 9

10. USING THE MATRIX.

10.1. The term managing risk is significant. The entire thrust of the SRM process is to provide a logical and comprehensive set of procedures for determining where resources must be expended to reduce unacceptable risks, and what options the decision maker has in terms of directing resources toward the remaining risk categories.

10.2. The process can be applied equally effectively to any asset provided the value of the asset in terms of impact of loss can be quantified in dollars.

10.3. When the process has been completed to the stage where the risk logic matrix is complete the decision maker can readily identify those vulnerabilities that must be given the highest priority for elimination or control because of the catastrophic consequences of the impact of loss.

10.4. This process ensures that the criticality and impact of loss concerns for the assets together with their associated overall risk levels have been identified and prioritized.

10.5. Decision makers will be able to use the most cost effective measures that can be employed to address the risks in priority order and to reduce those vulnerabilities associated with risks that are unacceptable to an acceptable level.

10.6. Risk reduction measures include physical modification, procedural changes, or other measures that will reduce the risk to an acceptable level.

10.7. Decision makers shall ensure that established minimum FAA security standards are included in the process of identifying and quantifying risk reduction strategies.

10.8. The overall risk severity for a given threat or loss event is normally taken to be a judgmental-defined credible "worst case".

STEP 10

11. DETERMINE APPROPRIATE RISK REDUCTION METHODS AND THEIR ASSOCIATED COSTS.

11.1. Identify all required countermeasures, and their costs, necessary to reduce identified risk to an asset to an acceptable level.

11.2. Identify cost effective countermeasure alternative approaches.

STEP 11

12. COST BENEFIT ANALYSIS (CBA).

12.1. All of the essential elements in the SRM process are quantified in terms of dollar value.

12.2. CBA shall be applied to the results of the SRM process, as well as to any stage of the process, to ensure that risk reduction strategies are cost beneficial.

12.3. Decision makers use the results of CBA as necessary to assist them in making decisions by clearly indicating the advantages and disadvantages of alternative approaches to a given risk reduction situation and weighing the comparative costs for each advantage.