Risk analysis for critical asset protection.

This article proposes a quantitative risk assessment and management framework that supports strategic asset-level resource allocation decision-making for critical infrastructure and key resource protection. The proposed framework consists of five phases: scenario identification, consequence and criticality assessment, security vulnerability assessment, threat likelihood assessment, and benefit-cost analysis. Key innovations in this methodology include (1) its initial focus on fundamental asset characteristics to generate an exhaustive set of plausible threat scenarios based on a target susceptibility matrix (which we refer to as asset-driven analysis), and (2) an approach to threat likelihood assessment that captures adversary tendencies to shift their preferences in response to security investments, based on the expected utilities of alternative attack profiles assessed from the adversary perspective. A notional example is provided to demonstrate an application of the proposed framework. Extensions of this model to support strategic portfolio-level analysis and tactical risk analysis are suggested.
