Exposure: A New Decision Metric for Selecting Effective Sets of Security Upgrades

Abstract

The United States Army Corps of Engineers (USACE) conducts Security Risk Assessments (SRAs) at its most consequential dam projects. The Common Risk Model for Dams (CRM-D) provides a mathematically rigorous and easy-to-implement way to conduct SRAs. The CRM-D quantifies risk as the product of the probability of a successful attack, given it is attempted, and consequences. Referred to as conditional risk, this decision metric is the expected loss given a specified attack is attempted on a particular target. A specified attack (consisting of an attacker type and an attack vector) carried out on a particular target comprises a scenario. The CRM-D considers three attacker types and thirty-two attack vectors identified by USACE Headquarters (HQs). A dam with only a modest number of critical assets could thus have several hundred scenarios and, consequently, several hundred conditional risk estimates. This paper introduces a decision metric, exposure, which allows the analyst to aggregate conditional risk estimates across scenarios. The analyst can use exposure to compare risks by attack type, by target or for any useful set of scenarios. These comparisons can guide an analyst in determining a proposed set of security upgrades. A standard set of graphics and return-on-investment calculations based on exposure are introduced that summarize the current level of risk at a dam project as well as the reduced level of risk should the set of recommended security upgrades be implemented.

Document Details

Document Type: Technical Report
Publication Date: Jan 01, 2015
Accession Number: ADA618041

Entities

People

  • Enrique E. Matheu
  • J. D. Morgeson
  • Jason A. Dechant
  • Kevin E. Burns
  • Yazmin Seda-Sanabria

Organizations

  • Institute for Defense Analyses

Tags

Communities of Interest

  • Engineered Resilient Systems
  • Human Systems
  • Weapons Technologies

DTIC Thesaurus Topics

  • Army
  • Army Corps Of Engineers
  • Command Guidance
  • Department Of Defense
  • Department Of Homeland Security
  • Explosive Devices
  • Governments
  • Homeland Security
  • Improvised Explosive Devices
  • National Security
  • Risk
  • Risk Analysis
  • Risk Management
  • Security
  • Threats
  • United States
  • Vulnerability

Fields of Study

  • Mathematics

Readers

  • Defense Acquisition Program Management
  • Strategic Security Studies
  • Theoretical Analysis