2 Overview of Risk Analysis at DHS
Pages 22-43



From page 22...
... The mission encompasses the following elements: Terrorism and natural hazards (e.g., see p. 3 of http://www.dhs.gov/xlibrary/assets/nat_strat_homelandsecurity_2007.pdf; natural hazards were emphasized also by Homeland Security Presidential Directive 5 [HSPD-5]
From page 23...
... This complexity and breadth distinguish DHS from many organizations that have successfully adopted risk analysis to inform decision making.
THE DECISION CONTEXT AT DHS
Regarding the types of decisions that effective risk management analysis might support, Figure 2-2 illustrates risk-informed decisions that confront DHS as defined by their time horizons.
From page 24...
... 24 DEPARTMENT OF HOMELAND SECURITY'S APPROACH TO RISK ANALYSIS FIGURE 2-1 The DHS organizational chart (with a sample of risk models associated by unit)
From page 25...
... SHIRA (Strategic Homeland Infrastructure Risk Assessment): A high-level risk assessment of infrastructure elements
IP Level 1/2 (also known as the "Level 1/Level 2" program): A risk-based process for identifying high-risk infrastructure targets
CFDI (Critical Foreign Dependencies Initiative): A process for examining supply chains to identify critical vulnerabilities
CFATS (Chemical Facility Anti-Terrorism Standards): A risk-based method for identifying which chemical facilities will be regulated by DHS
NISAC models* (models and simulations from the National Infrastructure Simulation and Analysis Center): Most NISAC work informs consequence analyses
PSAs (Protective Security Advisors): A program that provides security consultations to owners and operators of critical infrastructure elements
SAVs (Site Assistance Visits): Evaluations performed by PSAs
BZPP (Buffer Zone Protection Program): A program that identifies, based on analyses of risk, which areas contiguous to critical infrastructure elements merit their own protection
RRAP*
From page 26...
... Risk Analysis Process for Informed Decision-Making: RAPID is a tool under development to supply risk analysis to inform that process
BTRA* (Biological Threat Risk Assessment): A computationally intensive, probabilistic event-tree model for assessing bioterrorism risks
CTRA (Chemical Threat Risk Assessment): A computationally intensive, probabilistic event-tree model for assessing chemical terrorism risks
Integrated CBRN (Integrated Chemical-Biological-Radiological-Nuclear risk assessment): A computationally intensive, probabilistic event-tree model for developing an integrated assessment of the risk of terrorist attacks using biological, chemical, radiological, or nuclear weapons
HSTA (Homeland Security Threat Assessment): An I&A program to develop an understanding of threats
CITA (Critical Infrastructure Threat Assessment Division): An I&A unit that produces threat analyses for critical infrastructure and key resources
IT Sector Risk Assessment (Information Technology Sector Risk Assessment): A process to assess risks against the IT infrastructure
RMAP/RMAT (Risk Management Analysis Process/Tool): RMAT is an agent-based tool under development by Boeing and TSA to evaluate airport vulnerabilities.
From page 27...
... Not examined by this study
FPS-Building Security Assessments: FPS security assessments of federal buildings
NFIP* (National Flood Insurance Program): A risk-based federal insurance program
Flood Maps Updating: Floodplain maps for the United States underpin the NFIP, and ongoing improvements improve the precision of risk analysis underlying the NFIP
From page 28...
... FEMA allocates grants to first responders and others through a variety of programs. Some allocations are based on formula, whereas others are based on coarse assessments of risk
HAZUS-MH (HAZards U.S. -- Multi-hazard): A software tool that uses databases of physical infrastructure to analyze potential losses from floods, hurricane winds, and earthquakes
SHIELD (Strategic Hazards Identification and Evaluation for Leadership Decisions): A scenario-based regional risk analysis for the National Capital Region
MSRAM (Maritime Security Risk Analysis Model): A computer-assisted tool to analyze risks primarily in the maritime sector.
From page 29...
... [Figure text residue: diagram labels naming DHS components and activities (FEMA, Coast Guard, Secret Service, TSA, ICE, CBP, US-VISIT, CIKR sectors); the figure layout is not recoverable.]
From page 30...
... Risk analysis for natural disasters is discussed first because it is the most mature of these processes.
Risk Analyses for Natural Hazards
DHS's natural hazards preparedness mission is addressed principally within the Federal Emergency Management Agency (FEMA)
From page 31...
... has the mandate to produce threat, vulnerability, and consequence analyses to inform priorities for strengthening CIKR assets. Table 2-2 lists the 18 CIKR sectors and the federal agency or agencies that have the lead responsibility for managing the associated risks.
From page 32...
... TABLE 2-2 CIKR Sectors and Federal Agencies with Lead Responsibility for Managing the Associated Risks
Sector-Specific Agency: Critical Infrastructure and Key Resources Sector
Department of Agriculture; Department of Health and Human Services: Agriculture and food
Department of Defense: Defense industrial base
Department of Energy: Energy
Department of Health and Human Services: Health care and public health
Department of the Interior: National monuments and icons
Department of the Treasury: Banking and finance
Environmental Protection Agency: Water
Department of Homeland Security, Office of Infrastructure Protection: Chemical; Commercial facilities; Critical manufacturing; Dams; Emergency services; Nuclear reactors, materials, and waste
Office of Cybersecurity and Communications: Information technology; Communications
Transportation Security Administration: Postal and shipping
Transportation Security Administration, U.S. Coast Guard: Transportation systems
Immigration and Customs Enforcement, Federal Protection Services: Government facilities
SOURCE: DHS-IP (2009, p.
From page 33...
... When developing threat estimates with the involvement of uncleared experts, the SMEs are given generic attack scenarios against generic infrastructure assets. Generic attack scenarios allow for the moving of classified information to the unclassified level and also some consistency in the variables described across scenarios.
From page 34...
... 33]
Risk-Informed Grants Programs
Another major DHS responsibility is issuing grants to help build homeland security capabilities at the state and local levels.
From page 35...
... The objective is to identify the information needed to manage homeland security and preparedness grant programs. The C2C model replaces "vulnerability" with "capability," in a sense replacing a measure of gaps with a measure of hardness against threats.
From page 36...
... In making the determination, factors that the agency most wishes to guard against are identified: for example, loss of life or serious injury; the ability of the agency to communicate and move people effectively; negative impacts on the livelihood, resources, or wealth of individuals and businesses in the area, state, region, or country; or replacement cost of critical assets of the agency. The TRAM process then guides SMEs through a threat assessment. A potential list of specific types of threats (e.g., attack using small conventional explosives, large conventional explosives, chemical agents, a radiological weapon, or biological agents)
From page 37...
... Biological Threat Risk Assessment
The Biological Threat Risk Assessment tool is a computer-based probabilistic risk analysis (PRA), using a 17-stage event tree, to assess the risk associated with the intentional release of each of 29 biological agents.
From page 38...
...
- Mode of agent acquisition
- Interdiction during acquisition
- Location of production and processing
- Mode of agent production
- Preprocessing and concentration
- Drying and processing
- Additives
- Interdiction during production and processing
- Mode of transport and storage
- Interdiction during transport and storage
- Interdiction during attack
- Potential for multiple attacks
- Event detection
The evaluation of consequences is performed separately, not as part of the event tree (NRC 2008, p.
From page 39...
... Integrated Risk Management Framework
Recognizing the need for coordinated national-level risk management, on April 1, 2007, DHS created the Office of Risk Management and Analysis (RMA) within the National Protection and Programs Directorate.
From page 40...
... An interim draft of the Integrated Risk Management Framework was released in January 2009. The IRMF is intended to provide doctrine and guidelines that enable consistent risk management throughout DHS in order to inform enterprise-level decisions.
From page 41...
... include cataloging of risk models and processes in use across DHS, formation and coordination of a Risk Steering Committee (RSC), development of a risk lexicon, and work on the RAPID process (Risk Analysis Process for Informed Decision-Making)
From page 42...
... The risk analysis processes for infrastructure protection, the grants program, and the IRMF were documented mostly through presentations. With the exception of NISAC work, the committee was not told about or shown any document explaining the mathematics of the risk modeling or any expository write-up that could help a newcomer understand exactly how the risk analyses are conducted.
From page 43...
... The risk assessments done by FEMA to underpin the National Flood Insurance Program are better documented, in part because of their long history, perhaps because they are linked to an academic community. The NRC committee that reviewed the BTRA methodology had difficulty understanding the mathematical model and its instantiation in software, and noted in its report that the classified description produced by DHS lacked essential details.

