Antiterrorism / Force Protection Assessment Tool Training

Trainer: Caleb Jones
Contact: [email protected]

Supporting Joint Staff J33 via US Army Armament, Research, Development and Engineering Center


Course Overview

• Scope
  – Primary: Focus on terms related to AT/FP risk assessments
  – Secondary: Explain Mission Assurance (MA) risk assessment calculations used in AT/FP assessments
• Delivery method:
  – Lecture and demonstration

Terminal Learning Objectives (TLO)

1. Understand the relevant risk terms and sources of definitions
2. Understand mission assurance risk calculations

EPRM Functionality

• Walks users through the life cycle of risk assessments

Assets (TLO #3)

• An asset is a distinguishable entity that provides a service or capability
  – Assets are people, physical entities, or information located either within or outside the United States and employed, owned, or operated by domestic, foreign, public, or private sector organizations
• Must have quantified (or qualified) value to the unit’s / organization’s missions

Asset Criticality (TLO #3)

Task Critical Assets (TCA) and Defense Critical Assets (DCA) are defined in DoDI 3020.40 and have established criticality

Other assets are characterized by their criticality in 4 criteria (UFC 04-20-01 DoD Security Engineering Facilities Planning Manual):

• Criticality to the installation’s missions (including possible tenants)
• Criticality to national defense
• Replacement of function (time, level of effort)
• Relative value (monetary, classification, population, etc.)

Threats (TLO #3)

Threats are any circumstance or event with the potential to cause the loss of or damage to an asset

• Threats are considered in terms of a threat source (sentient actor or natural hazard), a threat tactic (threat method) and a severity or likelihood

Threat Severity (TLO #3)

Threats are characterized by their severity (UFC 04-20-01 DoD Security Engineering Facilities Planning Manual)

• Local activity
• Intentions and history
• Local Operational Capability
• Local Operating Environment

Vulnerabilities (TLO #3)

Vulnerabilities are a situation or circumstance which, if left unchanged, may result in the loss of life or damage to mission-essential resources from a terrorist attack (DoDI O-2000.16-V1)

Vulnerabilities can result from

  – building characteristics
  – equipment properties
  – personal behavior
  – locations of people, equipment, and buildings
  – operational procedures and personnel practices

• The list of potential AT/FP vulnerabilities is drawn from the 2018 DoD Mission Assurance Assessment Benchmarks https://intelshare.intelink.gov/sites/jmaap/SitePages/JMAA%20Home.aspx

• Each benchmark can reduce vulnerability to one or more threat tactics

Benchmark Contribution Towards Reducing Vulnerability

• Each countermeasure is given a default weight (CMw) based on its inherent characteristics

• Countermeasures are associated with the vulnerabilities that they have a propensity to mitigate; this association is called CMeff

• CMeff is a .01-1 coefficient used to further define the countermeasure’s weight against a specific vulnerability

• Vulnerability to specific threat tactics/hazards is modeled by a ratio of the weights of countermeasures in place (CMeffip) to the weights of the total population of relevant countermeasures (CMeffap)

• The result is bounded to prevent the calculation from producing a “zero” vulnerability result.

CMw              Preventative   Corrective   Detective
Technical        5              4            3
Administrative   2.5            2            1.5

Vulnerability Formula (simplified)

$$Vul = \%\ \text{of}\ \frac{\text{value of all the CMs that are in place}}{\text{value of all the CMs that would help}}$$

It is a weighted average for each vulnerability based on the values of the mitigating countermeasures

Vulnerability Formula

$$Vul_A = 1 - \frac{\sum (CMw_{ip} \times CMeff_{ip})}{\sum (CMw_{ap} \times CMeff_{ap})} \times Vul_{min}$$

Item      Definition

VulA      Vulnerability Score for vulnerability category A
          - Repeated for all applicable vulnerabilities

CMwip     Countermeasure Weight for In-place Countermeasures
          - “In-place” means that this countermeasure is implemented at the assessed site
          - CMwip is always a subset of CMwap
          - Current metric: 1.5-5 scale

CMeffip   Countermeasure Effectiveness Factor for In-place Countermeasures
          - Used to prorate a countermeasure’s effectiveness to a vulnerability
          - Current metric: 0.1-1, a percentage

CMwap     Countermeasure Weight for All Applicable Countermeasures
          - Same as CMwip but it includes all countermeasures that have a propensity to mitigate this vulnerability, not just in-place countermeasures

CMeffap   Countermeasure Effectiveness Factor for All Applicable Countermeasures
          - Same as CMeffip but it includes all applicable countermeasures, not just in-place countermeasures

Vulmin    Minimum Vulnerability
          - A minimum vulnerability level used to prevent the application from indicating a “zero” vulnerability
          - Usually set at .11

Vulnerability Results as Displayed on Screen

• Mitigated by countermeasures that were originally there – In Place
• No plans to mitigate – Not In Place
• Will be mitigated by countermeasures on remediation plan – Proposed
• Mitigated by countermeasures that were implemented on remediation plan – Implemented

“Status” affects the color (R, Y, G) in the bar; “Weight” affects how much it moves the bar.

Risk Scenarios (TLO #3)

• Risk is a calculation that is based on ‘risk scenarios’
• A risk scenario has:
  – Asset with a criticality (C) on a 0-1 scale
    linked to a:
  – Threat adversary-tactic combination (T) on a 0-1 scale of severity/likelihood
    with a:
  – Vulnerability to the tactic (V) calculated on a 0-1 scale

Risk = 3 T * V * C

Risk =


Risk Associated with Each Vulnerability

• Risk is calculated on a scenario-based construct.

• Risk = Criticality of Vulnerable Asset * Threat Tactic Likelihood & Severity * Vulnerability to Tactic

• The contribution of individual countermeasures to reduce risk and vulnerability is accounted for in the vulnerability levels to individual threat tactics/hazards

• The aggregate contribution of individual countermeasures towards risk reduction across all risk scenarios is demonstrated by the proportional amount the countermeasures reduce the exploited vulnerabilities


Risk Formula

$$Risk = AC \times TH \times TF \times Vul$$

Item      Definition

Risk      Risk is a real number based on asset criticality (or consequence) * Threat * Vulnerability
          - Ultimately a summation of all of the asset to threat to vulnerability combinations
          - Can be organized to parse risk by:
              - Assets that absorb risk
              - Threats that introduce risk
              - Vulnerabilities that are exploited by threats to introduce risk
              - Countermeasures that can mitigate risk (and vulnerability)

AC        Asset Criticality
          - Current criticality metric: 5 levels distributed across a 0-100 scale

TH        Threat Harmony
          - Current metric: 0.1-1, a percentage scale determining worst case threat-asset pairing

TF        Threat Frequency
          - Based on annual rate of occurrence (natural hazards), or
          - Estimate of capability and intent (sentient threats)
          - Current metric: 0.1-1 scale

Vul       Vulnerability
          - Current vulnerability metric: 0.1-1, a percentage scale indicating worst case
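The two calculations above, carried through on constructed data, as an added example that is not part of the original slides or of the EPRM tool. The CMw table and the Risk = AC × TH × TF × Vul product come from the slides; the countermeasure records, asset and threat labels are hypothetical, and because the flattened slide formula leaves the exact placement of Vulmin unclear, the example assumes it acts as a lower clamp on the score.

```python
from collections import defaultdict

# Default countermeasure weights (CMw), taken from the table on the slides.
CMW = {
    ("technical", "preventative"): 5.0,
    ("technical", "corrective"): 4.0,
    ("technical", "detective"): 3.0,
    ("administrative", "preventative"): 2.5,
    ("administrative", "corrective"): 2.0,
    ("administrative", "detective"): 1.5,
}
VUL_MIN = 0.11  # "usually set at .11" on the slides

def weighted_value(cms):
    """Sum of CMw x CMeff over a list of countermeasure records."""
    return sum(CMW[(c["kind"], c["function"])] * c["eff"] for c in cms)

def vulnerability(applicable, vul_min=VUL_MIN):
    """Score one vulnerability from all applicable countermeasures."""
    total = weighted_value(applicable)
    if total == 0:
        return 1.0  # assumption: nothing can mitigate it, so worst case
    in_place = weighted_value([c for c in applicable if c["in_place"]])
    # Assumption: Vul_min is a lower clamp, so the score never reaches zero.
    return max(1.0 - in_place / total, vul_min)

def roll_up(scenarios, key):
    """Sum Risk = AC x TH x TF x Vul over scenarios, grouped by `key`."""
    totals = defaultdict(float)
    for s in scenarios:
        totals[s[key]] += s["ac"] * s["th"] * s["tf"] * s["vul"]
    return dict(totals)

def cm(kind, function, eff, in_place):
    return {"kind": kind, "function": function, "eff": eff, "in_place": in_place}

# Constructed sample data: four countermeasures applicable to one vulnerability.
SAMPLE_CMS = [
    cm("technical", "preventative", 1.0, True),
    cm("technical", "detective", 0.5, True),
    cm("administrative", "corrective", 0.5, False),
    cm("administrative", "preventative", 1.0, False),
]
V = vulnerability(SAMPLE_CMS)  # 1 - 6.5/10
# Constructed risk scenarios: AC on the 0-100 scale, TH/TF/Vul on 0.1-1.
SCENARIOS = [
    {"asset": "A1", "threat": "T1", "ac": 80, "th": 0.5, "tf": 0.5, "vul": V},
    {"asset": "A1", "threat": "T2", "ac": 80, "th": 1.0, "tf": 0.1, "vul": VUL_MIN},
    {"asset": "A2", "threat": "T1", "ac": 40, "th": 0.5, "tf": 0.5, "vul": V},
]
```

Calling `roll_up(SCENARIOS, "asset")` or `roll_up(SCENARIOS, "threat")` gives the same total risk parsed two of the ways the Risk definition lists.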

Analysis of Risk Scenarios (TLO #3)

• Risk is understood by evaluation of “risk scenarios” in accordance with approved metrics

Benefits – Risk-based Assessments (TLO #4)

• Provides standardized/common analytical framework

• Converges multiple protection disciplines into a common sight picture

• Allows roll-up of multiple units into a single analysis

• Supports commanders in making better informed decisions on where to best allocate security resources

CJCSM 3105.01, Figure 7