Embed Size (px)
Citation preview
June 2013
Institute for Defense Analyses
4850 Mark Center Drive Alexandria, Virginia 22311-1882
NSD-4943 The Common Risk Model for Dams: A Portfolio Approach to Security
Risk Assessments
Yev Kirpichevsky Yazmin Seda-Sanabria, U.S. Army Corps of Engineers
Enrique E. Matheu, U.S. Department of Homeland Security Jason A. Dechant
M. Anthony Fainberg J. Darrell Morgeson
Victor A. Utgoff
Approved for public release; distribution is unlimited. IDA Log No. H 13-000889
I N S T I T U T E F O R D E FE N S E A N A L Y S E S
The Institute for Defense Analyses is a non-profit corporation that operates three federally funded research and development centers to provide objective analyses of national security issues, particularly those requiring scientific and technical expertise, and conduct related research on other national challenges.
About This Publication The views, opinions, and findings should not be construed as representing the official position of either the Department of Defense or the sponsoring organization.
Copyright Notice © 2013 Institute for Defense Analyses 4850 Mark Center Drive, Alexandria, Virginia 22311-1882 • (703) 845-2000.
June 2013
NSD-4943 The Common Risk Model for Dams: A Portfolio Approach to Security
Risk Assessments
Yev Kirpichevsky Yazmin Seda-Sanabria, U.S. Army Corps of Engineers
Enrique E. Matheu, U.S. Department of Homeland Security Jason A. Dechant
M. Anthony Fainberg J. Darrell Morgeson
Victor A. Utgoff
In 2005, the Institute for Defense Analyses (IDA)initiated the development of the Common RiskModel (CRM) for evaluating and comparing risks
associated with the nation’s critical infrastructure. Thismodel incorporates commonly used risk metrics thatare designed to be transparent, simple, and mathemat-ically justifiable. The model also enables comparisonsof calculated risks to assets and systems within andacross critical infrastructure sectors.
A modified version of this model has been underdevelopment by IDA in collaboration with the USArmy Corps of Engineers (USACE) and the USDepartment of Homeland Security (DHS). The modi-fied model, the Common Risk Model for Dams (CRM-D), takes into account the unique features of dams andnavigation locks, and provides a systematic approachfor evaluating and comparing risks from adaptivethreats across a large portfolio [Seda-Sanabria et al.,20111].
At the most basic level, risk is estimated for an attackscenario, defined as: • a specific adversary (for example, a highly-capabletransnational terrorist group); • a specific target (for example, the main impound-ment structure of a specific dam); and,• a specific attack vector (for example, a cargo vanloaded with explosives).
Risk is defined as the expected value of loss and is afunction of three variables: threat (T), vulnerability(V), and consequences (C):
R = f (T, V, C) ... (1)
Threat is defined as the probability of an attack sce-nario being attempted by the adversary, given theattack on one of the targets in the portfolio underassessment, or P(A); vulnerability, as the probabilityof defeating the target’s defences, given that the attack
is attempted, or P(S|A); and, consequences, as theexpected consequences of the attack, given that the tar-get’s defences are defeated, C. Because of the way inwhich CRM-D estimates these three variables, it isappropriate to calculate risk as their product:
R = P(A) × P(S|A) × C(*) ... (2)
CRM-D also defines ‘conditional risk’, or RC, as riskfor the attack scenario, given that this scenario is cho-sen(**):
RC = P(S|A) × C ... (3)The consequence and risk metrics currently consid-
ered in the CRM-D are loss of life and total economicimpacts. The sum of risks for all the attack scenariosunder consideration is termed ‘portfolio risk’.Minimizing portfolio risk, subject to availableresources, is often the focus of risk managers.
Fundamental concepts of CRM-DThe CRM-D methodology integrates the outputs ofthree separate models: consequences (external toCRM-D), vulnerability, and threat. Using modelling isa natural choice for estimating the outcomes of com-plex physical and economic processes, such as conse-quences from attack, but is equally important for esti-mating vulnerability and threat, that is, variableswhich require more subjective input from subject mat-ter experts (SMEs). This is because there are manypossible attack scenarios, and the set is continuouslychanging. It is prohibitively costly and time-consum-ing to elicit expert judgements on vulnerability andthreat for every scenario, and to repeat the elicitationprocess every time a new scenario is introduced or oldscenarios are modified. This makes modelling crucialwhen developing risk estimates in support of return oninvestment (ROI) analyses, because the impacts onrisk of potential risk-mitigation improvements need tobe assessed quickly.
The vulnerability and threat models are based on dataelicited from SMEs in a way that makes it possible toapply elicited SME judgement to any set of attack sce-narios. The elicitations were conducted for estimatingrisk from highly capable, transnational adversarygroups. Elicitations in support of estimating risk fromother types of adversary are currently under develop-
78 Hydropower & Dams Issue Four, 2013
A portfolio approach to security risk assessments
Y. Seda-Sanabria, US Army Corps of Engineers, USAE.E. Matheu, Department of Homeland Security, USA
J.D. Morgeson, Y. Kirpichevsky, M.A. Fainberg, J.A. Dechant and V. Utgoff, Institute for Defense Analysis, USA
The Common Risk Model for Dams (CRM-D), described here, was developed as a result of collaboration between the US Army Corps ofEngineers and the US Department of Homeland Security. It is used for security risk assessment of dams, navigation locks, hydro projects,and similar infrastructure. The method provides a systematic approach for evaluating and comparing security risks across a large portfolio.Risk is calculated for attack scenarios (specific adversary using a specific attack vector against a specific target) by combining consequence,vulnerability, and threat estimates in a way that accounts for the relationships among these variables. The CRM-D can effectively quantifythe benefits of implementing a particular risk mitigation strategy and, consequently, enable return-on-investment analyses for multiple
mitigation options across a large portfolio.
*The functional relationships among the variables are accounted for byestimating P(A) as a function of the other two variables, but there is nostochastic relationship because P(S|A) and expected consequences areestimated as point values, and not random variables. This justifies theuse of the product function [Cox, 20082].**Note that the risk metric in Eq. 2 is also conditional on the attackwithin a portfolio under assessment. The “conditional risk” metric isfurther conditioned on the particular attack being chosen.
ment. Because the adversaries’ capabilities and/orintent are likely to change with time, elicitationsshould be repeated every few years or as deemedappropriate.
Vulnerability To evaluate the vulnerability of a target to a specificattack by a specific adversary, a model of layereddefences is adopted. The defensive layers protecting agiven target could potentially include national defences(for example, national counter-terrorism activities),local defences (for example, local law enforcementcapabilities to detect and respond to potential attacks),and target defences (for example, on-site security sys-tems and protective measures). The methodology forproducing vulnerability estimates accounting for targetdefensive layers is described in detail by Seda-Sanabriaet al. [20113]. The methodology for producing vulnera-bility estimates for national and local defensive layersis currently under development.
In CRM-D, an attack is considered ‘successful’ ifevery defensive layer is breached successfully, and theattack reaches the target. Therefore, for the conceptualattack scenario shown in Fig. 1, P(S|A) can be deter-mined using the following expression:
P(S|A) = P(B1|A) × P(B2|B1) × P(B3|B2,B1) ... (4)
where: P(B1|A) is the probability of successfullybreaching the first layer given the specific attackerunder consideration attempts this attack; P(B2|B1) isthe probability of successfully breaching the secondlayer given that the attacker has successfully breachedthe first layer; and, P(B3|B2,B1) is the probability ofsuccessfully breaching the third layer given that theattacker has successfully breached the first and thesecond layers.
Each layer is defined by its defensive attributes. Fora national defensive layer, these can be the character-istics of relevant programmes and activities imple-mented at the national scale, such as the securityscreening conducted at airports; for a local defensivelayer, these can be the level of participation in intelli-gence information-sharing of local law enforcementagencies and their prevention/response capabilities;and for the target defensive layers, these can be thecharacteristics of site security measures, such as vehi-cle barriers, access control systems, security force,and so on.
Regarding target defensive layers, there is a rela-tively small number of combinations of defensiveattributes that are typically implemented on dams andrelated facilities. These commonly used configura-tions are called layer-defensive configurations, orLDCs. Because of the small number of LDCs, it isfeasible to elicit probabilities of success for each ref-erence attack vector against each LDC for each typeof attacker under consideration. The vulnerabilityestimate for a given LDC reflects subject-matterexpert (SME) judgement on how the defensive attrib-utes of that LDC would perform against a particularattacker using a particular attack vector, based on theattacker’s capabilities and intent and the attack vec-tor’s characteristics.
Probabilities of success against individual LDCs arecombined into a P(S|A) for a scenario as shown inEq. 4. The probability of success against a layer isconditional on which layers have already been
breached, since some layers can degrade attackers’capabilities in various ways. Further, P(S|A) incorpo-rates the possibility that some layers may or may notbe encountered (for example, response forces may ormay not arrive in time to engage the adversary beforethe attack succeeds). The process of estimatingP(S|A) in light of these factors is discussed in detailby Morgeson et al. [20134].
ThreatModelling threat from goal-oriented, adaptive adver-saries is fundamentally different from modellingpotential hazards associated with forces of nature.Adversaries evaluate potential attacks based on criteriathat are important to them and then choose the attackwhich suits their objectives best. When the adversarydecision criteria change, their choice may change aswell. Unlike consequence or vulnerability estimates, athreat estimate for an attack scenario depends not onlyon the characteristics of that scenario, but on the char-acteristics of all attack scenarios that the adversary ischoosing from.
To account for these concepts, the CRM-D includesa ‘probabilistic adversary decision model’ (PADM),which is composed of two sub-models: the ‘adversaryvalue model’ (AVM) and the ‘attack choice model’(ACM). The decision model is probabilistic becauseno aspect of the adversary’s future decision processcan be known with certainty.
Adversary value model This quantifies expert judgement about how adver-saries evaluate the relative attractiveness of attack sce-narios, based on the scenarios’ characteristics that theadversary is likely to take into account. These fea-tures, related to the adversary capabilities and intent,reflect the various expected benefits, costs, and risksassociated with each attack scenario. The adversaryvalue model also quantifies the underlying uncertain-ty about the value system, which stems from the dif-ferences of opinion among experts and the uncertain-ty of each individual expert about the attacker valuesystem.
To model the attack scenario evaluation process fol-lowed by an adversary, it is first necessary to identi-fy the adversarial goals driving the selection of a par-ticular attack scenario. For the type of adversaryunder consideration (highly capable, transnationalterrorist organization), this was conducted throughliterature review and interviews with selected groupsof terrorism experts from various government andresearch organizations. It was found that an idealattack for these adversaries would cause grave physi-
Hydropower & Dams Issue Four, 2013 79
Fig. 1.Conceptualmodel of layereddefences.
cal and psychological damage while having a relative-ly low chance of failure [Ackerman et al., 20075;Davis et al., 20096; Libicki et al., 20077].
Based on the assumed goals, the following variableswere identified as the controlling factors influencingthe attack scenario evaluation process from the adver-sary’s perspective:• adversary’s perception of the probability of success-fully defeating the national and local defensive layers;• adversary’s perception of the probability of success-fully defeating the target defensive layers, given suc-cess against the national and local defences;• adversary’s perception of the expected level of con-sequences in terms of the loss of life resulting from asuccessful attack; and,• adversary’s perception of the expected level of con-sequences in terms of the economic impacts resultingfrom a successful attack.
These key variables, the quantification of which isrelatively straightforward, were selected from a largerset of variables identified as potentially relevant forattack scenario evaluation purposes. For example,according to background research, the adversary wasdeemed to value spectacular attacks on iconic targets.However, how spectacular an attack might be is noteasily quantifiable, and iconicity is only consideredwhen it varies across targets in a portfolio. In addition,an event deemed as spectacular may exhibit a strongcorrelation with loss of life and economic damage, andtherefore it may be captured by the key variablesselected above.
A comprehensive expert elicitation was conductedwith participation of representatives from multiplefederal agencies, owners and operators, state fusioncentres, and other state agencies responsible for lawenforcement and public safety. The elicitation wasconducted using a self-paced, interactive, online inter-view process using the Sawtooth software for conjoint(trade-off) analysis [Orme, 20108].
In the main elicitation task, each SME was presentedwith 10 or 20 different sets of four hypothetical attackoptions. The options were created by systematicallyvarying the values of the key attack features in a waythat makes a statistical estimation of the adversary’svalue system more efficient. For each set of options,each expert was asked to provide the probability thateach of the options in the set would be chosen by
adversaries, given that one of them would be chosen.Eliciting probabilities provides a way of incorporatingeach SME’s uncertainty. Fig. 2 shows an example ofone of the sets of hypothetical attack options used inthe elicitation.
Statistical modelling provides a way of aggregatingthe judgements of individual SMEs into a cumulativejudgement, and of quantifying the trade-offs the SMEsbelieve the adversaries would make among the differ-ent attack features. It also quantifies uncertainty aboutthe value system, which stems from SME uncertaintyand differences of opinion. Estimating the value sys-tem involves running a regression, where the depend-ent variable is the expert’s judgement about an attackalternative, and the independent variables are values ofthe features of the corresponding attack option. Theregression is a version of conditional logit (a regres-sion model appropriate when the data reflects choicesamong options) which is modified to analyse proba-bilistic choice data [Blass et al., 20109; Kirpichevskyet al., 201210].
The adversary value system takes the form of a func-tional relationship among the key decision variables,which is chosen to best fit the elicited data. The effectof each of the variables on the value assigned by theadversary to attack scenarios (utility) was found tohave a concave pattern: increases at the lower end ofthe variable ranges result in greater utility increases.This indicates decision-making consistent with thresh-olding: for example, once a certain level of probabili-ty of success or consequences can be expected, sce-nario attractiveness does not change much, whereaschange is significant below the threshold. This is con-sistent with the narrative answers provided by SMEsduring the elicitation. In those answers, SMEs alsostressed that the most important decision criterion forthe adversary was aversion to failure, and that loss oflife was the more important of the two consequencevariables, which was reflected in the estimated valuesystem(*).
Attack choice model The attack choice model uses the estimated adversaryvalue system to calculate P(A) for any set of attackscenarios and to carry out ROI analyses for risk miti-gation options. To make the P(A) calculation possible,attack scenarios in the portfolio need to be formulatedin terms that the adversary value model can accommo-date. This involves using the CRM-D consequence andvulnerability models to estimate the values for loss oflife, total economic impacts, and the probabilities ofdefeating the national/local and target defences forevery scenario in the portfolio. These variables areused as proxies for the adversary perceptions of thesevariables.
The attack choice model then uses the estimatedadversary value function and the uncertainty around itto simulate the possible utility values for a set of attackscenarios. The current CRM-D assumption is that the
80 Hydropower & Dams Issue Four, 2013
**If the adversary believes that risk mitigation might involve deceptionor randomization, they might not necessarily choose a scenario that isperceived to have the highest value. A game theory module is underdevelopment to address this issue.***Because P(A) is conditional on attack within a portfolio, deterrenceis not modelled, in response to risk mitigation, the P(A) can only shiftamong the scenarios, and the sum of P(A) will always be no less than 1.Future work on the AVM elicitation will enable estimating the deterrenceeffect of investments.
*For example, suppose scenario consequences in terms of loss of lifeand economic damage are equal to 10 and $10 million respectively, andthe combined P(S|A) is equal to 0.2. If P(S|A) were to drop to 0.1, itwould require an offsetting increase in consequences equal to either 400lives or $2.5 billion, for the adversary to retain roughly the same overallutility for the scenario.
Fig. 2. Example ofa set ofhypothetical attackalternatives.
adversary selects the attack scenario perceived to havethe highest value, and so P(A) for an attack scenario iscalculated as the fraction of the simulations, in whichthe scenario has the highest value in the set(**).
Because CRM-D models adversaries as adaptivedecision-makers, it is important to note that some riskmitigation investments may decrease P(A) for somescenarios, while causing an increase for other scenar-ios(***). Therefore, it is theoretically possible for aninv est ment aimed at risk mitigation actually toincrease the portfolio risk if the threat shifts to attackscenarios which pose more risk. Risk managers shouldbe mindful of the complex interactions associated withthe target selection process used by adaptive adver-saries.
Pilot implementation at USACE projectsIn 2011, the USACE initiated a pilot implementationof the CRM-D at selected of dam and navigation lockprojects in the USACE Northwestern Division(Columbia river, Willamette river tributary, andMissouri river basins), Mississippi Valley Division(Mississippi river basin), and Great Lakes and OhioRiver Division (Ohio river basin). Each project hadunique features, functions, and operational conditionswhich offered ideal conditions to test the capabilitiesof the methodology and its applicability to a large port-folio.
Risk was estimated in terms of expected loss of lifeand total economic damage for 16 attack scenariosassociated with nine dams and two attack vectors. Fig.3 shows the product of P(A) and P(S|A) plotted againsteconomic consequences for attack scenarios (the tar-gets are indexed by letters, and the attack vectors bynumbers). Thus, risk in terms of economic conse-quences could be determined by multiplying the twocoordinates together.
Fig. 3 shows iso-curves that could represent thresh-olds of risk as determined by a decision-maker, forexample, a portfolio owner. The curves trace thosepoints for which risk is greater than $50 million (abovethe red line), and greater than $20 million (above thegreen line). Decision makers could hypothetically usesuch information to identify more readily those damsthat they choose to focus on for developing investmentoptions. The risk values that would define these curvescould be chosen in accordance with decision makers’priorities.
A portfolio risk manager might wish to assess animpact of a particular investment on risk. For exam-ple, the addition of K12-rated vehicle barriers atseven of the projects where they had not been previ-ously installed at a total cost of less than $1 millioncould reduce portfolio risk given attack by $66 mil-lion in expected economic damage and 34 lives. Todecide whether this is a worthy investment, a riskmanager would have to assume or elicit from SMEsa predicted annual frequency of attacks in the portfo-lio and then use it to compare this and other invest-ments with the time-discounted values of the result-ing risk reductions.
ConclusionThe Common Risk Model for Dams (CRM-D) is a con-sistent, mathematically rigorous, and easy to imple-ment method for security risk assessment of dams, nav-igation locks, hydro projects, and similar infrastructure.This methodology, the result of collaborative efforts
between the US Army Corps of Engineers and the USDepartment of Homeland Security, provides a system-atic approach for evaluating and comparing securityrisks across a large portfolio. ◊
References1. Seda-Sanabria, Y., Fainberg, M.A., and Matheu, E.E.,
“A Consistent Approach for Vulnerability Assessment ofDams,” Proceedings, 31st US Society of Dams AnnualMeeting and Conference, San Diego, California, USA;2011.
2. Cox Jr, L.A., “Some Limitations of “Risk = Threat ×Vulnerability × Consequence” for Risk Analysis ofTerrorist Attacks,” Risk Analysis, Vol. 28, No. 6; 2008.
3. Seda-Sanabria, Y., Fainberg, M.A., Matheu, E. E.,Tressler, J. D., and Bowen, M. L., “Implementation of theCommon Risk Model for Dams for Security Assessments ofUSACE Critical Infrastructure,” Proceedings, Dam Safety2011 Conference, Washington, DC, USA; 2011.
4. Morgeson, J.D., Seda-Sanabria, Y., Matheu, E.E. andKeleher, M.J., “Incorporating Uncertainties in the Esti -mation of Vulnerabilities for Security Risk Assessments,”Proceedings, 33rd US Society of Dams Annual Meetingand Conference, Phoenix, Arizona, USA; 2013.
5. Ackerman, G., Abhayaratne, P., Bale, J., Bhattacharjee,A., Blair, C., Hansell, L., Jayne, A., Kosal, M., Lucas, S.,Moran, K., Seroki, L., and Vadlamudi, S., “AssessingTerrorist Motivations for Attacking Critical Infrastructure,”UCRL-TR-227068, Center for Nonproliferation Studies,Laurence Livermore National Laboratory, 2007.
6. Davis, P. K. and Cragin, K., (Eds.) “Social Science forCounterterrorism: Putting the Pieces Together,” RandMonograph; 2009.
7. Libicki, M.C., Chalk, P., and Sisson, M., “ExploringTerrorist Targeting Preferences,” Rand Monograph; 2007.
8. Orme, B.K., “Getting Started with Conjoint Analysis”,Research Publishers LLC, Madison, Wisconsin, USA;2010.
9. Blass, A.A., Lach, S. and Manski, C.F., “Using ElicitedChoice Probabilities to Estimate Random Utility Models:Preferences for Electricity Reliability,” InternationalEconomic Review, Vol. 51, No. 2; May 2010.
10. Kirpichevsky et al., “Estimating Threat from AdaptiveAdversaries: Probabilistic Decision Modeling in the CRM-D”, Draft Paper, Institute for Defense Analyses, Alexandria,VA, USA; May 2012.
BibliographyDechant, J., et al., “The common risk model for dams:
Methodology and application”, IDA Paper P-4761, Institutefor Defense Analyses, Alexandria, VA, USA; April 2012.
Hydropower & Dams Issue Four, 2013 81
Fig. 3. Scenariosby economicconsequences ofsuccess andprobability ofsuccess.
82 Hydropower & Dams Issue Four, 2013
Ms Yazmin Seda-Sanabria serves as the National Program Managerof the Critical Infrastructure Protection and Resilience Program,Office of Homeland Security, US Army Corps of Engineers,Headquarters. She leads policy, technical guidance, and supervision ofthe development and implementation of a national risk managementstrategy for the protection, security, and improved resilience ofUSACE’s civil works portfolio of critical dams, navigation locks, andhydro facilities. She holds BS and MS degrees in Civil Engineeringfrom the University of Puerto Rico at Mayagüez, and a second MSdegree in Engineering Mechanics from the Mississippi StateUniversity, USA.Critical Infrastructure Protection and Resilience Program, Office ofHomeland Security, US Army Corps of Engineers, Headquarters,Washington, DC 20314, USA.Dr. Enrique Matheu serves as Chief of the Critical Lifelines Branch in the Sector Outreach and Programs Division,Office of Infrastructure Protection, National Protection ProgramsDirectorate, US Department of Homeland Security. Dr Matheu leadsthe national programme for development, implementation, andcoordination of risk management activities conducted under avoluntary partnership framework, aimed at improving the security andresilience of dams, levees, hydropower projects, and nuclear facilitiesas important components of the critical infrastructure in the USA. Dr Matheu holds a BS degree in Civil Engineering from theNational University of Córdoba, Argentina, an MS degree in CivilEngineering from the University of Puerto Rico at Mayagüez, and aPhD in Engineering Mechanics from the Virginia PolytechnicInstitute and State University, USA.Critical Lifelines Branch, Office of Infrastructure Protection,National Protection and Programs Directorate, Department ofHomeland Security, Washington, DC 20598, USA.J. Darrell Morgeson graduated from West Point in 1971 and earnedhis Master’s Degree in Operations Research from the Naval PostGraduate School in 1981. Following 13 years in the active duty inthe Army, he spent 18 years at Los Alamos National Laboratory,focusing the last few years on simulations of US criticalinfrastructure. From 2001 until 2003, he served in the Office ofHomeland Security in the White House as the Director of CriticalInfrastructure Protection. He has spent the last 10 years focusing ondeveloping risk models and analyses on the nation’s criticalinfrastructure.
Dr Yevgeniy Kirpichevsky graduated from the University of Illinoisat Urbana-Champaign, USA, with degrees in Finance and PoliticalScience, in 2001. He received his PhD in Government from HarvardUniversity in 2009. As a research analyst at the Institute for DefenseAnalyses, he has applied statistical and mathematical modelling tovarious problems in national security, including terrorism risk analysisand nuclear deterrence. Dr M. Anthony Fainberg earned his PhD in Elementary ParticlePhysics from the University of California, Berkeley, USA, in 1969.After 12 years in basic research, he changed fields to focus on areaswhere national security and science intersect. He has worked fornational laboratories and the US Government in areas includingnuclear non-proliferation, aviation security, nuclear smuggling, andcounter terrorism. For the past eight years, he been a staff memberat the Institute for Defense Analyses, working on risk methodologiesrelated to the protection of the nation’s critical infrastructure.Dr Jason A. Dechant graduated from Kansas State University in1997 and earned his Master’s degree in Diplomacy and InternationalCommerce from the University of Kentucky, USA, in 1999. He laterreceived his PhD in Public Policy from George Mason University,USA. Since January 2000, Dr Dechant has been on the research staffat the Institute for Defense Analyses, specializing in resourcemanagement, strategic planning, and risk assessment. From 2001until 2004, he served in the Office of the Under Secretary ofDefense for Policy in the Pentagon as a Special Assistant forStrategy. Since 2009, Dr Dechant has been involved withdeveloping and implementing risk assessment methods for criticalinfrastructure and defense resource decision-making.Dr Victor A. Utgoff is a graduate of the Massachusetts Institute ofTechnology, and earned a PhD in Electrical Engineering from PurdueUniversity. Until mid-2007, he was a Deputy Director of the Strategy,Forces, and Resources Division at the Institute for Defense Analyses(IDA). From 1977 to 1981, Dr Utgoff was a senior member of theNational Security Council Staff. Prior to those assignments heworked for various research and aerospace organizations. Since 2002,he has worked on a series of counter-terrorism studies, mostlydeveloping analytical methods to support decision-making oninvestments to protect critical infrastructure. In 1999, he receivedIDA’s Andrew J. Goodpaster Award for Excellence in Research.Strategy, Forces and Resources Division, Institute for DefenseAnalysis, Alexandria, Virginia 22311, USA.
J.D. MorgesonY. Seda-Sanabria V.A. UtgoffE. Matheu Y. Kirpichevsky J.A. DechantM. A. Fainberg
R E P O R T D O C U M E N TAT I O N PA G E Form Approved OMB No. 0704-0188
Public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing this collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden to Department of Defense, Washington Headquarters Services, Directorate for Information Operations and Reports (0704-0188), 1215 Jefferson Davis Highway, Suite 1204, Arlington, VA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to any penalty for failing to comply with a collection of information if it does not display a currently valid OMB control number. PLEASE DO NOT RETURN YOUR FORM TO THE ABOVE ADDRESS.
1 . R E P OR T D ATE (D D -M M - Y Y ) 2 . R E P OR T T YP E 3 . D ATE S C OV E R E D ( Fr om – To )
June 2013 Final 4 . T IT L E A N D S U B T I T LE 5 a . C O N TR A C T N O.
The Common Risk Model for Dams: A Portfolio Approach to Security Risk Assessments DASW01-04-C-0003 5 b . GR A N T N O.
5 c . P R O G R AM E LE M E N T N O (S ) .
6 . A U TH O R ( S ) 5 d . P R O JE C T N O.
Yev Kirpichevsky, Yazmin Seda-Sanabria, Enrique E. Matheu, Jason A. Dechant, M. Anthony Fainberg, J. Darrell Morgeson, Victor A. Utgoff
5 e . TAS K N O.
BA-6-3075 5 f . W O R K U N I T N O.
7 . P E R F OR M IN G OR G A N I Z ATI O N N A M E (S ) A N D A D D R E S S ( E S ) Institute for Defense Analyses 4850 Mark Center Drive Alexandria, VA 22311-1882
8 . P E R F OR M IN G OR G A N I Z ATI O N R E P OR T N O . IDA NS Document D-4943
9 . S P O N S OR IN G / M O N I TOR IN G A GE N C Y N AM E ( S ) A N D A D D R E S S (E S ) 1 0 . S P O N S OR ’S / M ON I TO R ’ S A C R ON YM (S )
Critical Infrastructure Protection & Resilience (CIPR) Program U.S. Army Corps of Engineers Headquarters Office of Homeland Security 441 G Street NW Washington, DC 20314-1000
11 . S P O N S OR ’S / M O N I TOR ’S R E P OR T N O (S ) .
1 2 . D IS T R I B U T IO N / AVA I L A B I L I T Y S TATE M E N T
Approved for public release; distribution is unlimited.
1 3 . S U P P LE M E N TARY N O T E S
1 4 . A B S T R A C T
The Common Risk Model for Dams (CRM-D) is a consistent, mathematically rigorous, and easy to implement method for security risk assessment of dams, navigation locks, hydropower projects, and similar infrastructures. The methodology provides a systematic approach for evaluating and comparing security risks across a large portfolio. Risk is calculated for attack scenarios (specific adversary using a specific attack vector against a specific target) by combining consequence, vulnerability, and threat estimates in a way that properly accounts for the relationships among these variables. The CRM-D can effectively quantify the benefits of implementing a particular risk mitigation strategy and, consequently, enable return-on-investment analyses for multiple mitigation alternatives across a large portfolio.
1 5 . S U B JE C T TE R M S
Risk Assessment, Common Risk Model, Dams Sector, Homeland Security, Portfolio Analysis
1 6 . S E C U R I T Y C L AS S I F IC AT IO N O F:
1 7 . L IM I TATI ON O F A B S T R A C T
UU
1 8 . N O . O F PA G E S
10
1 9a . N AM E O F R E S P ON S IB L E P E R S O N Jason A. Dechant
a . R E P OR T b . A B S T R A C T c . TH IS PA GE 1 9 b . TE LE P H ON E N U M B E R ( I n c l u d e A r e a C o d e )
703-845-2489 U U U
Standard Form 298 Back (Rev. 8/98)
