threat. When the probability and consequences are expressed numerically, the expected risk is computed as the product of those values with uncertainty considerations…. In security, risk is based on the analysis and aggregation of three widely recognized factors: threat, vulnerability, and consequence.

Conditional risk: A measure of risk that focuses on consequences, vulnerability, and adversary capabilities, but excludes intent. It is used as a basis for making long-term risk management decisions. The adversary capabilities, countermeasures, and residual vulnerability are often combined into a measure of likelihood of adversary success.

Consequence: The outcome of an event occurrence, including immediate, short- and long-term, direct and indirect losses and effects. Loss may include human casualties, monetary and economic damages, and environmental impact, and may also include less tangible and therefore less quantifiable effects, including political ramifications, decreased morale, reductions in operational effectiveness, or other impacts.

Threat: Any indication, circumstance, or event with the potential to cause the loss of, or damage to, an asset or population. In the analysis of risk, threat is based on the analysis of the intention and capability of an adversary to undertake actions that would be detrimental to an asset or population.

Vulnerability: Any weakness in an asset's or infrastructure's design, implementation, or operation that can be exploited by an adversary. Such weaknesses can occur in building characteristics, equipment properties, personnel behavior, locations of people, equipment and buildings, or operational and personnel practices.

One purpose of this article is to show how the concept of "reasonable worst case" can be made more precise in some applications by assuming that intelligent attackers optimize (and, where necessary, adapt in light of new information) their attack plans to maximize the expected damage achieved. However, modeling the optimizing behaviors of attackers requires risk assessment models different from Equation (1). The following sections survey some important limitations on approaches that attempt to directly estimate Risk = Threat × Vulnerability × Consequence for purposes of allocating defensive resources, without modeling intelligent planning and optimization by attackers.

2. RAMCAP™ QUALITATIVE RISK ASSESSMENT

Before considering more fundamental limitations of Equation (1), we first consider some flaws in the specific implementation of the equation in RAMCAP™. RAMCAP™ proposes two options for risk assessment, which it calls "qualitative" and "quantitative," although both are based on semiquantitative (ordered categorical) ratings of Threat, Vulnerability, and Consequence.

The "qualitative" approach (which might also be called semi-quantitative) categorizes economic consequences using the following rating scale: 0 = $0–25M loss; 1 = $25–50M; 2 = $50–100M; …; 13 = $102,401M and above. Fatalities and injuries are scored similarly: 0 = 0–25 fatalities, 1 = 25–50 fatalities, …, 13 = 102,401 fatalities or more, with a similar rating scale for number of injuries. (Severity of injuries is not included in the injury score.) (The RAMCAP™ tables actually leave small gaps between intervals, e.g., $0–25M, $26–50M, $51–100M, etc., so that consequences such as $25.4M or $50.7M do not fall in any category. We assume that "26" includes values greater than 25 and less than 26, and similarly for other gaps.)

Vulnerability is assessed similarly, using a "likelihood of attack success scale" that assigns a score of 0 to success probabilities below 0.0312; 1 to probabilities from 0.0312 to 0.0625; 2 to probabilities from 0.0625 to 0.125; 3 to probabilities from 0.125 to 0.25; 4 to probabilities from 0.25 to 0.5; and 5 to probabilities above 0.5. (Probabilities in "bin" 5 are further subdivided into 0.5–0.75, 0.75–0.9, and greater than 0.9.)

The RAMCAP™ documentation suggests using event tree analysis to estimate the likelihood of attack success. In event tree analysis, different possible sequences of events are represented by corresponding sequences of nodes in a tree (a directed acyclic graph in which each node has a unique parent, except for the first or "root" node, which represents an initiating event such as "Attack attempted"). Nodes represent events, multiple arcs
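
The rating scales and the event tree estimate described above, worked through in Python. This is an added illustration, not code from the article or from RAMCAP™. The doubling of the consequence bins hidden behind the ellipsis, the treatment of values that fall exactly on a bin edge, and the tree's event names and branch probabilities are assumptions constructed for the example.

```python
from math import isclose

# Upper edges of vulnerability scores 1..4, as listed in the text.
VULN_UPPER = (0.0625, 0.125, 0.25, 0.5)

def consequence_score(loss_musd):
    """Economic consequence score 0..13 for a loss given in $M.

    Assumptions: the elided bins keep doubling (25, 50, 100, ...), and a
    value in a table gap such as 25.4 belongs to the next bin up, which
    is the gap convention the text adopts.
    """
    if loss_musd < 0:
        raise ValueError("loss must be non-negative")
    for score in range(13):
        if loss_musd <= 25 * 2 ** score:
            return score
    return 13

def vulnerability_score(p_success):
    """Score 0..5 on the likelihood-of-attack-success scale.

    Assumption: a probability on an edge shared by two bins goes to the
    lower bin, so 0.5 scores 4 and only values above 0.5 score 5.
    """
    if not 0.0 <= p_success <= 1.0:
        raise ValueError("probability must lie in [0, 1]")
    if p_success < 0.0312:
        return 0
    for score, upper in enumerate(VULN_UPPER, start=1):
        if p_success <= upper:
            return score
    return 5

def success_probability(node):
    """Sum over root-to-'success' paths of the product of branch probabilities."""
    if isinstance(node, str):              # leaf: "success" or "failure"
        return 1.0 if node == "success" else 0.0
    _event, branches = node
    if not isclose(sum(p for p, _ in branches), 1.0):
        raise ValueError("branch probabilities at a node must sum to 1")
    return sum(p * success_probability(child) for p, child in branches)

# Constructed event tree: (event, [(conditional probability, child), ...]).
TREE = ("Attack attempted", [
    (0.4, "failure"),
    (0.6, ("Perimeter breached", [
        (0.5, "failure"),
        (0.5, ("Target reached", [(0.3, "failure"), (0.7, "success")])),
    ])),
])
```

For the constructed tree the only successful path has probability 0.6 × 0.5 × 0.7 = 0.21, which the scale reports as 3, the same score any estimate between 0.125 and 0.25 would receive.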