THE RISK COMMUNICATOR

The Monthly Newsletter of the
Security Analysis and Risk Management Association

August 2009

In This Issue
Mateski: Reciprocal Net Assessment
Key Reports: Why Terror Succeeds or Fails, and More
Job Board: ABS Seeks Risk Analyst
Write for Us
Have you seen a story you would like to see included in The Risk Communicator? Do you have a research project you want to share with your colleagues? If so, please contact the newsletter staff at newsletter@sarma.org.
Thanks to Our Sponsor

PWC3
Legal Matters
Copyright 2009
SARMA
All Rights Reserved


The views expressed in The Risk Communicator reflect the views of their authors, and do not necessarily reflect the views of SARMA, the US Government or the employers or clients of the contributors.
President's Corner


Dear Fellow SARMA Members,

In this final lull before our busy fall season begins, I'd like to take a moment to acknowledge an esteemed colleague and some particularly valuable recent contributions from some of our members -- and call your attention to a similarly valuable contribution we can all make to the broader security risk profession in the very near future.

The esteemed colleague is none other than our long-serving Conferences & Events Committee Chair Chris Miller. Sadly, Chris is relinquishing the chair after two outstanding annual conferences and innumerable other contributions. Despite increasingly demanding work and family responsibilities, Chris has graciously agreed to continue advising the committee, but the vacant chair must be filled. So... if you are a SARMA member with a natural talent for event management, we'd like to hear from you!

Still on the subject of conferences, I would next like to extend a heartfelt thanks to the dozens of conference attendees who took time out of their busy schedules to complete the online survey we posted in the wake of our 3rd Annual Conference in mid-June. SARMA's Board has been closely studying the survey results, and I must say we've been very impressed by the thoughtful and detailed responses. The survey report has already become an invaluable reference as we map out our longer-term education and outreach agendas.

It's always very gratifying to hear "keep up the good work" and to know that you consider our annual conference "the premier activity for anyone in the security risk management field". And, yes, we also hear you about the lack of decent parking... all I can say is we share your pain! There was also one other remarkably consistent message that caught our attention -- the near-unanimous request that we deliver significantly more scientific and technical content to balance and complement the high-level policy briefings and theoretical discussions. As we finalize our event schedule for the coming year, rest assured you will see that message clearly reflected.

In last month's letter I noted that one of SARMA's signal accomplishments this past year has been the successful cultivation of new relationships among key elements of the Department of Homeland Security. I bring it up again here to draw your attention to the "digital dialogue" now underway as DHS prepares its Quadrennial Homeland Security Review (QHSR), described in greater detail below. SARMA has always been guided by the belief that engagement is the best policy -- and that it produces the best policy outcomes. Accordingly, we urge all members to contribute their expertise and insights during the second and third phases of the QHSR dialogue over the coming weeks and months. Meanwhile, we will keep everyone posted on our own QHSR outreach efforts as these evolve.

The QHSR is only one piece of the "busy fall season" I referred to above. Also on our list of key activities is ASIS International's 55th Annual Seminar, to be held in Anaheim, California, from September 21-24. Under the direction of Executive Vice President and Board Member John Paczkowski, SARMA is organizing and moderating a panel of experienced public- and private-sector practitioners who will discuss security risk management practices across a variety of organizations. Topics to be addressed include the evolution of the field and recent federal efforts to advance security risk management policies and programs. Our session will be from 1:30 pm - 3:00 pm on Tuesday, September 22. If you are planning to be at the ASIS conference, please consider attending this session. It promises to be an informative and lively dialogue.

Later in the fall, SARMA, PricewaterhouseCoopers and the George Mason University School of Law's Center for Infrastructure Protection (CIP) are jointly organizing a risk management forum, and we hope to see you there as well. We will provide more details as this event is finalized, but one of the prominent themes will be cyber-security. Therefore, it is fitting to close out with a plug for TRC Editor Avi Klein's excellent report on some of the cyber-related presentations at our annual conference, which was also co-hosted by our friends and colleagues at CIP.

And with that, I invite you to read on for more news, analysis and insights. I hope you enjoy this issue of The Risk Communicator. And as the song says, "see you in September."

Warm regards,

Kerry

Kerry L. Thomas
President
Security Analysis and Risk Management Association
News
Conference Panel: Cyber Infrastructure Modeling Remains A Continuing Challenge

Computer modeling of infrastructure protection remains a significant challenge for the homeland security sector, experts told attendees at SARMA's 3rd Annual Conference. The inability both to organize multiple agencies and to convince lawmakers that the results will be useful has set back critical projects and left the nation vulnerable, they said.

The comments came as part of a wider discussion on cyber infrastructure, a field that would appear to be perfectly suited to computer modeling. But the growing trends of cheap computation and sensing technology have actually made much modern technology inadequate to the task, participants said. Tools that only a few years ago would have been useful for mapping the nation's cyber infrastructure -- or any other aspect of critical infrastructure -- are swiftly becoming overwhelmed by the massive amount of dispersed data available.

As with many homeland security challenges, getting the multiple agencies involved to cooperate in modeling programs remains difficult. A recent working group from DHS's Science and Technology Directorate took a look at the cyber modeling issue as recently as January, Jim Kadke, a critical infrastructure protection fellow at George Mason University, told the panel. "The capability exists," Kadke said, "but most people have only an awareness of a small area. Nobody has an enterprise level view of how they might fit in."

Even if the vision existed, the government's efforts at computer modeling have not inspired much confidence. The Department of Defense has relied mainly on models developed "in-house," said Greg Knapp, executive director of the U.S. Joint Forces Command, Joint Warfighting Center. "But what they haven't been able to do is match the current environment," he said. Earlier failures have made it harder to get funding. "DoD has been burned on some modeling contracts, and there is no stomach to make major investment in modeling and simulation," Knapp explained.
DHS Goes Digital for Quadrennial Homeland Security Review

Those interested in making their voices heard on important national security issues will get a chance later this month when the Department of Homeland Security begins the second phase of its National Dialogue for the Quadrennial Homeland Security Review (QHSR).

The first phase of the online dialogue, which was hosted by the National Academy of Public Administration and ended on 9 August 2009, included over 8,000 people from all 50 US states and 68 other countries. Participants saw a presentation of the initial output generated by six QHSR study groups, and then commented on proposed enhancements to two key processes: the Homeland Security National Risk Assessment and Homeland Security Planning and Capabilities.

Archived results of the first round of dialogue can be found on the initiative's website.

The second phase, which will be open from 31 August 2009 to 6 September 2009, promises to be even more collaborative. As part of the dialogue, participants will be shown various proposals or definitions on their computer screens. They can then indicate whether they agree or not, rate the proposals and suggest tags to organize them digitally. The initiative is a high-water mark for digital collaboration in the security field.

A final dialogue will begin 28 September 2009 and will seek a final review of the mission, goals, objectives, key strategic outcomes and final proposed enhancements to the two key processes.
START Releases Updated Terrorism Database Covering More Than 80,000 Incidents

The National Consortium for the Study of Terrorism and Responses to Terrorism (START) has released a long-awaited update to its Global Terrorism Database (GTD). An "open-source" database including information on terrorist events around the world, the GTD not only includes dates and locations but also the weapons used, the nature of the target, the number of casualties and -- when identifiable -- the perpetrator.  

All told, the GTD -- the most comprehensive "classified" database available -- now features over 80,000 terrorist incidents, including more than 27,000 bombings, 12,000 assassinations and 2,900 kidnappings since 1970. The database, which was supervised by an advisory panel of 12 terrorism research experts, also includes information on at least 45 variables for each case, with more recent incidents containing information on more than 120 variables.

START is housed at the University of Maryland and is a DHS Center of Excellence.
Projects

Exploring Reciprocal Net Assessment
by Mark Mateski

In the past few months, I have built and refined an approach to analysis I have dubbed reciprocal net assessment (RNA). It is based on principles inherent in hypergame analysis and is designed to encourage analysts and decision makers to avoid decision breakdowns and create and exploit decision opportunities.

Although I am still refining the approach, I now believe it is ready for testing. To that end, I am currently offering a pro bono analysis of either a military/security-related or business-related case. If you might be interested in submitting a case for consideration, read on.
     
The need for an RNA is rooted in the following conditions:
  • Competition and conflict involve a continuous, dynamic interaction, sometimes described as the reciprocal nature of conflict.
  • Within this domain, participants will seek to achieve a differential advantage over their opponents.
  • Rarely do all participants in a conflict or competition perceive precisely the same situation.
  • All perceptions are open to manipulation.
Given these conditions, a participant may pursue an almost unlimited number of strategies. Many of these strategies will be highly contextual, but patterns do exist. Successful participants, for example, will be likely to:
  • Understand and respect the potentially complex interplay of opposing strategies and perceptions.
  • Manipulate the opponent's perceptions and biases.
  • Exploit seams and opportunities.
  • Exploit the elasticity of risk.
  • Resist their opponents' efforts to do the same in reverse.
Presuming a static opponent is the main decision-making flaw that drives the need for red teaming, yet the red team itself may also presume it faces a static opponent. To complete the loop, the analyst or decision maker should "red team the red team" or, in other words, account for the actual and perceptual interplay between the attacker and defender (roles which themselves may be dynamic).

Traditional forms of red teaming, I believe, do not address this issue adequately. A more complete form of analysis would emphasize what each participant could or might do to the other, and how awareness of this interplay offers advantages to the participant who possesses this awareness. I view RNA as one possible form of this more complete analysis.

RNA is based on five basic concepts, each of which is either stated or implied within the game theoretic structure of hypergame analysis:
  • Any player may perceive or misperceive the other player's options, preferences and intent.
  • What each player perceives or misperceives influences each player's intent.
  • Perceptions are based on information and awareness.
  • Perceptions can be manipulated.
  • A player who perceives an opponent's misperception secures an advantage.
If this approach sounds like it might be of use to you, please consider submitting a case. Cases from both the business and security domains are welcome. Of the cases submitted, I will choose two to analyze: one from the military or security domain and another from the business domain. A good case will embody a strong potential for misperception, deception and surprise. Cases must be unclassified, and you must be willing to allow me to publish the results of the analysis here or elsewhere. I am, of course, willing to genericize the case as necessary for publication.

To submit a case for consideration, draft a one-page description and email it directly to me. The deadline for submissions is 31 August 2009.

Mark Mateski is the founder and managing editor of Red Team Journal (www.redteamjournal.com). He currently consults and teaches systems analysis and system engineering part-time.
Key Reports
DHS: Efforts to Identify Critical Infrastructure Assets and Systems

In this recent report, DHS's inspector general makes 10 recommendations to improve DHS efforts to identify and catalog critical infrastructure assets and systems -- with a significant focus on distinguishing between assets which, if lost, would have major consequences and those which have been identified in the past as critical based entirely on size or seating capacity.


ASCE: Guiding Principles for Critical Infrastructure in the U.S.

This new report from the American Society of Civil Engineers, in the course of making a series of recommendations, argues that "risk analysis, risk management, and risk communication represent a new approach to infrastructure design, construction, and operation that is now viewed as the best way to bring decision makers and stakeholders to a common, informed state of reference."


Understanding Why Terrorist Operations Succeed or Fail

A report from RAND finds that the success or failure of a terrorist attack depends on three factors: terrorist group capabilities and resources, the requirements of the operation it attempted or is planning to attempt, and the relevance and reliability of security countermeasures.

Job Board
Risk Analyst: ABS Consulting

General Summary:

Perform research and analysis to solve problems in homeland security risk management in support of DHS clients. Tasks focus primarily on methodology development, metrics design, qualitative and quantitative analysis, modeling and simulation. Services client needs as necessary and coordinates the successful completion of tasks and projects to client specifications. Performs other internal assignments as necessary to meet business objectives and conform to ABS quality standards and procedures. Builds pragmatic and creative solutions to complex technical problems. Active security clearance required.

Principal Duties and Responsibilities:
  • Handles client requests in a professional, timely, and accurate manner.
  • Manages small projects in a manner consistent with ABS Group / Client standards and procedures.
  • Performs specific technical tasks on specific projects as directed by applicable program managers.
  • Develops creative, technically sound solutions to problems in homeland security risk management.
  • Presents analysis and technical findings in clear, accessible, and concise prose.
  • Produces high-quality, client-ready deliverables for tasks and ad hoc requests with minimal oversight.
Minimum Knowledge, Skills, and Abilities Required
  • Must hold a bachelor's degree in a homeland security-related field, or bring at least one year of practical experience in a homeland security-related field along with a Bachelor's degree in a related technical discipline. Master's degree in a homeland security-related field preferred.
  • Must be technically competent in homeland security risk analysis, methods and research design.
  • Must possess strong written and verbal communications skills.
Additional Knowledge, Skills, and Abilities
  • Modeling and simulation.
  • Advanced mathematics and statistics.
  • Program evaluation and metrics design.
  • Knowledge of terrorism.
For more information on applying for this position, please contact Micah McCutchan via email or at (703) 682-7373.