Towards a Comparable Cross-Sector Risk Analysis: RAMCAP Revisited

The search for a uniform risk analysis approach for critical infrastructures has prompted a reexamination of the Risk Analysis and Management for Critical Asset Protection (RAMCAP) methodology to see if it can accommodate emerging threats from climate change, aging infrastructure and cyber attacks. This chapter examines the challenges involved in taking a site-specific formulation and turning it into a general model capable of analyzing performance under a full range of simulated conditions. The AWWA J100-10 standard provides the blueprint for a basic RAMCAP model that calculates risk as an attenuation of consequences via probability estimates of vulnerability, threat, resilience and countermeasures. The RAMCAP model was subjected to varying scenario loads in deterministic simulations that examined all hypothetical conditions and probabilistic simulations that examined likely conditions. RAMCAP performance was measured by the average net benefit and represented by the distribution of component values. Contrary to expectations, RAMCAP performance did not improve as the number of scenarios increased in the simulations. The methods and results of this study may hold implications for other critical infrastructure risk methodologies that are based on consequence, threat and vulnerability.

[1]  Sadie Creese,et al.  A logical high-level framework for Critical Infrastructure resilience and risk assessment , 2011, 2011 Third International Workshop on Cyberspace Safety and Security (CSS).

[2]  Mohamed Ghazel,et al.  Using Stochastic Petri Nets for Level-Crossing Collision Risk Assessment , 2009, IEEE Transactions on Intelligent Transportation Systems.

[3]  Borut Mavko,et al.  Application of the fault tree analysis for assessment of power system reliability , 2009, Reliab. Eng. Syst. Saf..

[4]  E. Adar,et al.  Risk management for critical infrastructure protection (CIP) challenges, best practices & tools , 2005, First IEEE International Workshop on Critical Infrastructure Protection (IWCIP'05).

[5]  Louis Anthony Cox,et al.  What's Wrong with Risk Matrices? , 2008, Risk analysis : an official publication of the Society for Risk Analysis.

[6]  Edna Schechtman,et al.  Odds ratio, relative risk, absolute risk reduction, and the number needed to treat--which of these should we use? , 2002, Value in health : the journal of the International Society for Pharmacoeconomics and Outcomes Research.

[7]  Ian Dobson,et al.  Interdependent Risk in Interacting Infrastructure Systems , 2007, 2007 40th Annual Hawaii International Conference on System Sciences (HICSS'07).

[8]  Ian Dobson,et al.  Risk Assessment in Complex Interacting Infrastructure Systems , 2005, Proceedings of the 38th Annual Hawaii International Conference on System Sciences.

[9]  Bryan Ware,et al.  State/local CIP risk analysis: First results and emerging trends in the data , 2009, 2009 IEEE Conference on Technologies for Homeland Security.

[10]  J. Resurreccion,et al.  Stochastic modeling of manufacturing-based interdependent inventory for formulating sector prioritization strategies in reinforcing disaster preparedness , 2012, 2012 IEEE Systems and Information Engineering Design Symposium.

[11]  R. Cooke,et al.  Expert judgement elicitation for risk assessments of critical infrastructures , 2004 .

[12]  Louis Anthony (Tony) Cox,et al.  Some Limitations of Qualitative Risk Rating Systems , 2005, Risk analysis : an official publication of the Society for Risk Analysis.

[13]  Ted G. Lewis,et al.  Model-based Risk Analysis For CriticalInfrastructures , 2012 .

[14]  Seok-Won Lee Probabilistic Risk Assessment for Security Requirements: A Preliminary Study , 2011, 2011 Fifth International Conference on Secure Software Integration and Reliability Improvement.

[15]  Bilal M Ayyub,et al.  Risk analysis for critical asset protection. , 2007, Risk analysis : an official publication of the Society for Risk Analysis.

[16]  John D Moteff Critical Infrastructures: Background, Policy, and Implementation , 2009 .