Risk Management Flashcards
Which process provides a systematic approach to acquiring and analyzing the information necessary for protecting assets and allocating security resources?
The risk management process
The five steps of the Risk Management Process:
- Asset assessment (nature and value of an asset and the degree of impact if the asset is damaged or lost)
- Threat assessment (type and degree of threat)
- Vulnerability assessment (identification and extent of vulnerabilities)
- Risk assessment (calculation of risks)
- Countermeasure determination (security countermeasure options that can reduce or mitigate risk, and their cost effectiveness)
Five broad categories for ASSETS
- Activities & Operations
- Equipment
- Facilities
- Information
- People
Threat
A threat is any indication, circumstance, or event with the potential to cause the loss of or damage to an asset. Threat may also be defined as the intention and capability of an adversary to undertake detrimental actions against an asset owner’s interests.
Adversary
An adversary is any individual, group, organization, or government that conducts activities, or has the intention and capability to conduct activities detrimental to assets. Common examples of adversaries are terrorists, criminals, and foreign intelligence services.
Types of Adversaries (6 examples)
- Criminal
- Economic Espionage
- Foreign Industrial Espionage
- Foreign Intelligence Service
- Insider
- Terrorist
Criminal
A criminal is an adversary who violates the law causing the loss of or damage to assets. Examples include: violent acts against people, theft, hacking, etc.
Economic Espionage
Economic espionage is the theft or misappropriation of U.S. proprietary information or trade secrets, especially to foreign governments and their agents. Both traditionally friendly nations and recognized adversaries conduct industrial espionage.
Foreign Industrial Espionage
Foreign industrial espionage is industrial espionage conducted by a foreign government or a foreign company with direct assistance of a foreign government against a private U.S. company for the purpose of obtaining commercial secrets.
Foreign Intelligence Service
Foreign intelligence services are organizations that are part of a foreign government and engage in intelligence activities.
Insider
An insider is an adversary who has special access or privileges, e.g., employees, contractors, customers, etc.
Terrorist
A terrorist is an adversary who uses violence or the threat of violence to inculcate fear, with the intent to coerce or intimidate governments or societies in the pursuit of goals that are generally political, religious, or ideological.
Types of Adversary collection capabilities
HUMINT (Human Intelligence) is intelligence derived from people through interviews, elicitation, or reports originating from people.
IMINT (Imagery Intelligence) involves using various sources, such as satellites, photos, infrared, imaging radar, and electro-optical, for collecting image data.
MASINT (Measurement and Signatures Intelligence) is intelligence (excluding signals intelligence and traditional imagery intelligence) that, when collected, processed, and analyzed, results in intelligence that locates, tracks, identifies, or describes the signatures (distinctive characteristics) of fixed or dynamic target sources. It includes the advanced data processing and exploitation of data from overhead and airborne imagery collection systems. MASINT data can be acquired from a variety of satellite, airborne, or ship borne platforms; remotely piloted vehicles; or from mobile or fixed ground-based collection sites.
OSINT (Open Source Intelligence) includes resources such as newspapers, internet, magazines, international conventions, FOIA requests, seminars, and exhibits (e.g., CNN.com, The New York Times, Aviation Week, and Space & Technology).
SIGINT (Signals Intelligence) comprises communications intelligence and the electronic and telemetry collection of information in the non-visible portion of the electromagnetic spectrum.
“Covert” refers to an operation planned and executed to conceal the identity of, or permit plausible denial by, the sponsor. A covert operation is similar to law enforcement’s undercover operation.
“Overt” refers to an operation conducted openly to acquire information via the public domain.
Critical Threat
A critical rating indicates that a definite threat exists against the assets. This rating is based on knowledge that the adversary has both the capability and intent to launch an attack, and that the subject or similar assets are targeted on a frequent or recurring basis.
High Threat
A high rating indicates that a credible threat against the assets exists. This rating is based on knowledge of the adversary’s capability and intent to attack the assets as well as on related incidents having taken place at similar facilities.
Medium Threat
A medium rating indicates there is a potential threat to the assets. This rating is based on the adversary’s desire to compromise the assets and the possibility that the adversary could obtain the capability through a third party who has demonstrated the capability in related incidents.
Low Threat
A low rating indicates little or no credible evidence of capability or intent, with no history of actual or planned threats against the assets.
Vulnerability Areas
- Equipment
- Facility
- Human
- Information
- Operational
The best method to analyze asset vulnerabilities with existing countermeasures is through _________________
Regressive analysis. Regressive analysis requires analyzing the asset in an unprotected state first and then analyzing the asset considering the current countermeasures.
5 steps to complete regressive analysis
- Assess the asset’s vulnerabilities as if they were in a pure, unprotected state.
- Reevaluate the asset’s vulnerabilities taking into consideration the effectiveness of the existing countermeasures.
- Identify the asset’s vulnerability differences between the unprotected and protected assessments.
- Identify the ineffective countermeasures.
- Identify and characterize the specific vulnerabilities that still exist, given the current countermeasures.
Name Procedural Countermeasures
- Awareness Programs
- Disclosure Statements
- Legal Prosecution
- Paper Shredder
- Personnel Transfer
- Polygraph
- Cover Procedures
- Response Planning
- Security Investigations
- Security Policies & Procedures
- Training
- OPSEC Procedures
Name Equipment Countermeasures
- Alarms/Sensors
- Badges
- Weapons
- Doors
- Vaults
- Fences
- Safe Havens
- Hardware/Software
- Lighting
- CCTV
- Locking Mechanism
- TEMPEST Devices
- Window Bars
Name Manpower Countermeasures
- Contractor Guard Force
- Local Guards
- Military Guards
- Special Police Officers
Critical Vulnerability
A critical rating indicates that there are no effective countermeasures currently in place and all known adversaries would be capable of exploiting the asset.
High Vulnerability
A high rating indicates that, although there are some countermeasures in place, there are still multiple weaknesses through which many adversaries would be capable of exploiting the asset.
Medium Vulnerability
A medium rating indicates that there are effective countermeasures in place; however, one weakness does exist which some known adversaries would be capable of exploiting.
Low Vulnerability
A low rating indicates that multiple layers of effective countermeasures exist and few or no known adversaries would be capable of exploiting the asset.
Risk =
Impact x (Threat x Vulnerability) or (R = I [T x V])
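The following is an added worked example, not part of the original flashcards, that carries the five regressive-analysis steps above and the card's formula R = I x (T x V) through in code for one constructed asset. The four-level rating scales and the five vulnerability areas come from the cards; the numeric mapping (Low=1 through Critical=4), the rule that each countermeasure covering an area lowers that area by one level, the rule that the worst remaining area governs the asset's vulnerability, and every asset, countermeasure and dollar figure are assumptions made here for illustration.

```python
"""Worked risk calculation with regressive vulnerability analysis (added example)."""
from dataclasses import dataclass, field

# Assumed numeric mapping for the card's four-level scales.
RATING = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}
# The five vulnerability areas named on the cards.
AREAS = ("Equipment", "Facility", "Human", "Information", "Operational")


@dataclass
class Countermeasure:
    name: str
    covers: frozenset        # vulnerability areas this countermeasure addresses
    life_cycle_cost: float   # dollars; purchase plus maintenance (assumed figures)


@dataclass
class Asset:
    name: str
    impact: str              # Critical / High / Medium / Low
    threat: str              # Critical / High / Medium / Low
    unprotected: dict        # area -> rating in the pure, unprotected state (step 1)
    countermeasures: list = field(default_factory=list)


def risk(impact, threat, vulnerability_level):
    """The card's formula R = I x (T x V) on the assumed 1-4 scale (range 1..64)."""
    return RATING[impact] * (RATING[threat] * vulnerability_level)


def regressive_analysis(asset):
    """Steps 1-5: rate unprotected, re-rate with countermeasures, diff the two,
    flag ineffective countermeasures, and list the residual vulnerabilities."""
    unprotected = {a: RATING[asset.unprotected[a]] for a in AREAS if a in asset.unprotected}
    protected = dict(unprotected)
    credit = {cm.name: 0 for cm in asset.countermeasures}   # levels each countermeasure removed
    for cm in asset.countermeasures:                         # step 2
        for area in cm.covers:
            # Assumed model: one level of reduction per covering countermeasure,
            # never below Low. A countermeasure covering an area already at Low
            # earns no credit, which is how step 4 detects it as ineffective.
            if area in protected and protected[area] > RATING["Low"]:
                protected[area] -= 1
                credit[cm.name] += 1
    diff = {a: unprotected[a] - protected[a] for a in unprotected}                # step 3
    ineffective = [name for name, c in credit.items() if c == 0]                 # step 4
    residual = {a: lvl for a, lvl in protected.items() if lvl >= RATING["Medium"]}  # step 5
    # Assumed aggregation: the worst remaining area governs the asset's vulnerability.
    return {
        "risk_unprotected": risk(asset.impact, asset.threat, max(unprotected.values())),
        "risk_protected": risk(asset.impact, asset.threat, max(protected.values())),
        "differences": diff,
        "ineffective": ineffective,
        "residual": residual,
        # Cost-effectiveness input for countermeasure determination: levels removed per dollar.
        "levels_removed_per_dollar": {
            cm.name: credit[cm.name] / cm.life_cycle_cost for cm in asset.countermeasures
        },
    }


# Constructed sample asset; ratings and costs are invented for the example.
SAMPLE = Asset(
    name="Design data server room",
    impact="Critical",
    threat="High",
    unprotected={"Equipment": "High", "Facility": "Critical", "Human": "Medium",
                 "Information": "Critical", "Operational": "Low"},
    countermeasures=[
        Countermeasure("Locking Mechanism", frozenset({"Facility"}), 500.0),
        Countermeasure("Alarms/Sensors", frozenset({"Facility", "Equipment"}), 4000.0),
        Countermeasure("Awareness Program", frozenset({"Human"}), 1200.0),
        Countermeasure("Hardware/Software", frozenset({"Information"}), 2500.0),
        Countermeasure("Response Planning", frozenset({"Operational"}), 900.0),
    ],
)

if __name__ == "__main__":
    for key, value in regressive_analysis(SAMPLE).items():
        print(f"{key}: {value}")
```

For the sample, the unprotected risk is 4 x (3 x 4) = 48 and the protected risk 4 x (3 x 3) = 36: Information drops only one level because a single countermeasure covers it, and that area now governs the asset, so further spending on Facility or Equipment (already at Medium) buys no risk reduction until Information is addressed. Response Planning is flagged ineffective for this asset because the only area it covers was already Low; that is the card's step 4, not a judgement about the countermeasure in general.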
Critical Risk
A critical rating indicates that compromise to the assets targeted would have grave consequences leading to loss of life, serious injury, or mission failure.
High Risk
A high rating indicates that a compromise to assets would have serious consequences resulting in loss of classified or highly sensitive data that could impair operations affecting national interests for a limited period of time.
Medium Risk
A medium rating indicates that a compromise to the assets would have moderate consequences resulting in loss of confidential, sensitive data or costly equipment/property that would impair operations affecting national interests for a limited period of time.
Low Risk
A low rating indicates that there would be little or no impact on human life or the continuation of operations affecting national security or national interests.
Acceptable Risk
An asset’s acceptable risk cannot be determined by a formula. Acceptable risk varies with time, circumstances, and management’s attitude toward risk in the organizational environment. The asset sponsors or owners have the responsibility of deciding what constitutes an acceptable level of risk for their assets.
The costs of implementing countermeasures must be considered relative to:
Dollars: When determining the dollar cost of a countermeasure, consider the purchase price and the life-cycle maintenance costs (e.g., installation, preventive maintenance, repair/warranty, replacement, and training).
Inconvenience: When determining the cost of a countermeasure in terms of inconvenience, consider whether the inconvenience caused is offset by the measure of risk reduction gained. If a countermeasure is inconvenient, people will find a way to circumvent it.
Personnel: When determining the cost of a countermeasure in terms of the personnel required for its implementation, consider the number of personnel needed to manage the countermeasure as well as the skills, knowledge, and abilities of the personnel involved. Additionally, personnel training needs/costs must be considered.
Time: When determining the cost of a countermeasure in terms of time, include the time to implement or oversee the countermeasure and the time to prepare for its implementation, as well as any time required for follow-up and evaluation.
Other: When determining the cost of a countermeasure in terms of any other influences, consider the adverse publicity, political repercussions, reduced operational efficiency, and unfavorable working conditions resulting from its implementation.