September 2009
Many Thanks to the Gold Level Sponsor of our Third Annual Conference
Write for Us
Have you seen a story you would like to see included in The Risk Communicator? Do you have a research project you want to share with your colleagues? If so, please contact the newsletter staff at newsletter@sarma.org.
Legal Matters
Copyright 2009 SARMA All Rights Reserved
Privacy Policy
The views expressed in The Risk Communicator reflect the views of their authors, and do not necessarily reflect the views of SARMA, the US Government or the employers or clients of the contributors.
President's Corner
Dear Fellow SARMA Members,
As many of you know, September is National Preparedness
Month. I note this for several
reasons.
First, it's a time to remember and honor those lost to
terrorism on 9/11, as well as in subsequent natural disasters like Hurricanes
Katrina, Rita and Ike. One way we
can do this, and one of the primary reasons for the creation of National
Preparedness Month, is to ensure each of us has done everything we can to be personally prepared to deal with a
catastrophic event. I still vividly
recall when one of our own board members, George Foresman, then serving as the nation's
first under secretary for preparedness at the Department of Homeland Security, urged all of us at DHS to take responsibility for ourselves and our
families by helping to institute a "culture of preparedness." The wisdom behind this, as well as the
need, are no less critical today. In fact, I would argue that preparedness, whether at a personal,
regional or national level, is fundamental to a sound risk management strategy. To that end, DHS, via its READY
Program, provides some excellent recommendations for what each of us can do,
and I encourage you to visit the READY Program's website.
Secondly, I mention National Preparedness Month because we
are currently in the midst of the first declared pandemic of the 21st
century. The H1N1 virus, or swine flu, has been relatively mild to date in the
United States, but has still sickened tens of thousands of Americans and
resulted in several hundred deaths.
There are simple steps we can all take to manage the risks posed by
this outbreak, including covering our mouths when we cough or sneeze, washing our
hands frequently and, above all, staying home when we are sick. Here, too, the federal government has
established a very useful website where citizens can go to obtain factual
information and locate the latest recommended actions.
Finally, National Preparedness Month is also a time to reflect
on what we have done as a nation in the eight years since 9/11, and the four years
since Katrina, to become better risk managers. To that end, I was pleased to see the Senate Appropriations Committee include funding for a "State, Local and Tribal Preparedness Task
Force" in its version of the FY2010 homeland security appropriations bill. The issue of how our nation's
preparedness efforts are helping to reduce risk and improve resiliency has not
been examined holistically since 2004. With billions of dollars invested in state, regional, port and transit
preparedness since that time, such a comprehensive analysis is long overdue,
and it is my sincere hope that funding for this important initiative will survive
the pending conference that will reconcile the House and Senate versions of the
bill. For more on this issue,
please see the separate article included in this edition of The Risk Communicator.
With these thoughts in mind, I will leave you to enjoy the
rest of our September issue!
Warm regards,
Kerry
Kerry L. Thomas
President
Security Analysis and Risk Management Association
News
FY2010 Federal Homeland Security Appropriations Bill May Include Funds for
Preparedness Task Force
by Kerry L. Thomas
The Senate version of the next fiscal year's homeland security appropriations bill provides $2.25 million to "establish and operate a
state, local and tribal preparedness task force." Should this initiative survive the pending conference that
will reconcile the House and Senate versions of the bill, it would mark the
first time since 2004 that the nation's state, local and tribal preparedness
initiatives have been comprehensively evaluated.
A previous review of this issue by the Homeland
Security Advisory Council determined that the range of identifiable issues was so interconnected that only an enterprise solution could
address them. The Senate language appears to uphold this conclusion and goes so
far as to suggest that not only the individual grant programs but also other related
mandates and guidance should be considered collectively in terms of their
impact. The bill further notes that the task force should include a broad cross-section of
stakeholders from all levels of government, as well as the preparedness and first
responder communities. As currently written, however, it does
not require the use of enterprise risk management principles
as a unifying framework for the analysis -- something that SARMA would, of course,
strongly endorse.
The Risk Communicator will continue to monitor this issue and provide updates
as the legislation progresses.
Swine Flu Outbreak Has Planners Thinking Creatively About Managing Scarce Resources
Concerns about an accelerating swine flu outbreak have
forced public health authorities to adjust long-standing emergency response
plans to prevent hospitals and other health services from being overwhelmed.
Since the worldwide swine flu epidemic began, more than
49,000 cases have been identified in the United States, with more than 9,000
resulting in hospitalization and 593 in death, according to the Centers for
Disease Control and Prevention (CDC). Just as worrisome, however, are the thousands of people
flooding emergency rooms who mistakenly believe they have the swine flu. Those
cases waste money and pull resources away from those who really are at high
risk of dying.
Keeping emergency services open and available is now a high
priority for the federal government, which this year will spend $90 million
helping hospitals prepare for a flood of victims as the infection rate peaks
next month, as well as an additional $260 million on direct federal activity,
including monitoring, communication and the growth of the Strategic National
Stockpile. That resource now contains more than 116 million masks, more than 52
million doses of antiviral drugs and 4,500 ventilators, the Washington Post
reported.

In order to ensure these resources are being used by those
who need them most, federal
authorities are beginning to insist on better and speedier communication from
local hospitals about their available resources. By identifying areas of critical need, scarce tools like
ventilators can be transferred to hospitals that really need them.
Another critical element of the government's strategy is to
encourage a two-step triage system that begins with prompting citizens not to
panic and rush to the emergency room just because they have flu symptoms. In
coming weeks, federal, state and local health officials will roll out a
communications campaign to help citizens distinguish between typical and
serious flu symptoms and to assist them in finding appropriate care.
The second step is to create systems to quickly triage
the patients who do show up. Officials expect long lines at community health care centers
and doctors' offices, and so are developing screening techniques to quickly
identify the most worrying cases and send home the less dire.
"What you do
is identify patients who are at high risk and do a very focused set of
questions that includes things like: 'Are you dehydrated? Are you short of
breath?' It's very much a large-scale screening, like a mass vaccination in the
schools where you line them up and keep them moving," James M. Chamberlain
of the Children's National Medical Center in Washington told the Washington
Post. Authorities are also considering an automated diagnostic tool that could
be used over the phone to help concerned citizens decide whether to go to the
emergency room.
Analysis
What Makes a Threat a Threat?
by Arion (Pat) Pattakos
To derive a level of risk requires characterizing the threat and ascribing it
some value. In brief, we need to know how threatening something is to our
people, information, equipment, facilities, operations or activities. Most
analysts rely on at least two descriptive elements to evaluate threat: intent
and capability. But these two simple phrases have many definitions. Most come
down to something like this: intent is the desire, need or motivation to take
action. Capability is the knowledge, skills and resources necessary to take
effective action.
But which of the two is most important? Over the years, I have asked this exact
question of some 30 security practitioners in various classroom settings.
Although an admittedly unscientific survey, their responses tilted slightly
toward intent. Of course, the question deliberately excluded the possible response that
both are necessary to characterize a threat -- my respondents had to choose one
or the other.
Interestingly, once they made a choice, they were firm in their conviction.
Those who chose intent assumed that 'where there's a will there's a way' -- in
other words, that with even a small amount of effort a motivated adversary can
gain the capability to execute an attack. Those choosing capability emphasized
that an adversary's intent can change literally overnight: An incident can
motivate an adversary to act, and so immediately deploy their existing skills,
knowledge and resources. Given intent and time, you can obtain a capability,
and, given an existing capability, intent may develop with the passage of time.
The point of this classroom exercise was to emphasize that understanding intent
and capability can be treated independently, depending upon your analysis. You
do not need both intent and capability to be concerned about a potential
threat. If your analysis suggests intent without capability, then you calculate
on that basis. If you observe only capability without evidence of intent, then
you use that to characterize a threat value. If you see both intent and
capability, of course, the threat value will be higher than that derived from
either attribute alone.
Analysts also consider history. Has an adversary taken action against the same
or similar assets in the past? What methods did they employ? What were their
strengths and weaknesses? What degree of success did they achieve? History
provides insights into future adversary actions. It may provide a basis for
understanding and disclosing vulnerabilities that had not been previously
considered. It is also of value to convince decision-makers and motivate them
to take action. But relying on history has a potential downside: dismissing a
threat on the basis of its lacking a history of causing a certain type of harm.
There always has to be a first time, and an analyst would be remiss in not
considering this.
Targeting is yet another attribute to consider as part of a threat assessment.
Do we have intelligence that an asset is a target? For example, is an asset
under surveillance? Are there requests for information about a critical
technology from suspicious sources? These types of activities among many others
are indicators of targeting. These activities, of course, also suggest that an
adversary may already intend an attack. Our next step is to determine an
adversary's capability to do us harm, and thus estimate the immediacy of the
threat.
Elements like intent and capability must obviously be ranked and scaled when we
conduct a threat assessment. How firm is the adversary's intent? How much capability
do they have? How much history? Intent, target attractiveness, symbolism,
casualty potential, economic or operational value, may be significant in
evaluating and grading intent. The degree of an attack's complexity, existence
of demonstrable methods, availability of weapons and understanding of the
target may help determine the degree of capability.
The Department of Justice in its Chemical Facility Vulnerability Analysis used
the following rankings in making a threat assessment. Note that in its schema
capability is ranked more important than intent, but that capability,
intent (or history) and targeting must be present for the top ranking.
1. Threat exists, is capable, has intent or history and has targeted the facility.
2. Threat exists, is capable, has intent or history but has not targeted the facility.
3. Threat exists, is capable, but has no intent, history or targeting of the facility.
4. Threat exists, but not capable of causing the undesired event.
Another attribute a threat analyst may consider in characterizing
the threat is presence. Are threat entities present near the assets of concern?
Presence enhances capability.
The following Department of Defense table of threat factors was developed
following the Khobar Towers attack in June 1996. It uses the five threat
factors displayed below when making a threat assessment.

Observe that capability is again
considered more important than intent. Also note, however, that the table
suggests an asset may be a target, but that intent may or may not be present.
This may be intuitively hard to accept. On the one hand, targeting an asset
would suggest that an adversary is displaying the intent to do something to
that asset. On the other, threat surveillance and/or friendly
counter-surveillance may disclose a tough target thus deterring attack.
More recently the Department of Defense in its Antiterrorism Standards advised
that threat "[a]ssessments shall be tailored to local conditions and
address terrorist group's operational capability, intentions and activity, and
whether the operational environment is conducive to terrorist activity."
Once again, this gives a slightly different twist to what an analyst should
consider when making an assessment. Operational environment is a concern
especially in a foreign deployment, where it includes the anticipated
cooperation, support and responsiveness of foreign governmental entities.
Finally, threat analysts must establish and make known the elements they use to
make a threat assessment. Evaluative criteria must be identified and rankings
established for each, including their relevance in relation to one another. An
analyst should not dismiss a potential adversary as a threat because they do
not display all of the identified attributes. A strong display of even one
attribute makes a threat a threat -- perhaps not an immediate threat, and perhaps
initially a low-grade one at that, but it remains a threat nonetheless.
Arion (Pat) Pattakos is a former president of the Operations Security
Professionals Society (OPS) and a former founding board member of SARMA. While on
active duty with the US Army he was the commander of strategic level
intelligence organizations for collection, analysis and
counterintelligence.
Events
SARMA Panel at ASIS
Are you attending ASIS International's 55th Annual Seminar in Anaheim next week? If so, please join SARMA for a panel discussion on security risk management, Tuesday afternoon from 1:30 pm - 3:00 pm in Room 206B.
SARMA Chairman Phil Lacombe will moderate the dialogue. He will be joined by a panel of distinguished security practitioners and decision-makers, including:
- Kristine Poptanich - Chief, Risk Integration and Analysis Branch, Homeland Infrastructure Threat and Risk Analysis Center (HITRAC), DHS
- David Moore - President and CEO, AcuTech Consulting
- Anthony Beverina - President, Digital Sandbox
We plan to have a fast-paced and wide-ranging discussion -- and, as always, we will encourage plenty of audience participation.
Among the issues to be addressed are:
- The proper role of security analysis and risk management in enterprise security;
- How to persuade corporate leadership to dedicate precious staff time and resources to security risk management in a lean budget environment;
- Real-world experiences applying risk management in specific sectors of the nation's critical infrastructure;
- Challenges faced by state and local governments in adopting security risk management policies and procedures;
- The expected evolution of risk management technologies and methodologies;
- Perspectives on the future of the security risk management profession.
Hope to see you in Anaheim on the 22nd.
Analytical Risk Management Course from NSTI
The National Security Training Institute in Chantilly, VA will
hold a four-day course on analytical risk management (ARM) from 13-16 October
2009.
The ARM methodology helps the trained user to define risk by analyzing
impacts to assets from undesirable events, while also considering the threats
to and the vulnerabilities of these assets based on the events. This provides
the user a supportable, defendable and repeatable systems approach to
establishing risk.
By the end of the course, attendees will be able
to:
- Use a systems approach to risk management when performing risk assessments.
- Identify critical assets, assess threats, identify vulnerabilities, and determine the consequence/impacts of undesirable events.
- Identify risk mitigation strategies and physical countermeasures as required to reduce unacceptable risks to acceptable levels.
- Recommend risk-based options to decision-makers.
- Develop site-specific and cost effective options for security enhancements and risk reduction.
- Provide assessments and recommendations to senior managers responsible for accepting risk and funding of security programs and other related problem sets for senior managers.
- Apply accountability and audit trails for decisions at all levels.
Additional information and registration
materials are available on the course website. Interested readers will
receive a 10-percent discount off the $1,625 course fee by using the following code: SARM1.
Essay-Writing Contest a Prime Opportunity for Risk Professionals
Attention, aspiring wordsmiths! The Naval Postgraduate School Center for Homeland Defense and Security has unveiled the theme of its third annual essay-writing contest.
The competition, which offers a top prize of $1,500, is an excellent forum for those in the risk management and security analysis professions to contribute to the national dialogue. In its first two years of existence, essays on risk management and risk communication issues won the top prize.
This year's theme is: "How can, or should, the United States make homeland security a
more layered, networked, and resilient endeavor involving all citizens?"
According to the contest guidelines, essays may be general or focus on a specific aspect
(e.g., organizational, policy, strategy, practice, technological innovation, or social impact) or discipline (e.g., emergency management, public
health, law enforcement, critical infrastructure, or intelligence).
Writers may adopt the perspective of either a government or private sector actor.
Details regarding page length, formatting and other related matters may be found on the school's website.
Key Reports
FEMA: Considerations for Fusion Center and Emergency Operations Center Coordination
Despite shared responsibilities for handling crises, fusion
centers and emergency operations centers continue to struggle to
communicate effectively, according to draft guidelines released for comment
this month by the Federal Emergency Management Agency. In addition to making detailed recommendations, the report includes a draft memorandum of understanding to guide future cooperative efforts.
DHS: Homeland Security Advisory Task Force Report and Recommendations
In this September report, the Homeland Security Advisory Task Force recommends a "national threat warning system" separate from those used for natural disasters and infectious disease. It also recommends a forcing system to lower threat levels down to "guarded" once imminent dangers have been resolved.
RAND: New Tools for Assessing State and Local Capabilities for Countermeasure Delivery
A recently-released report from RAND describes new tools for
assessing the readiness of state and local health departments to carry
out countermeasure-delivery operations. The report also includes details of an innovative approach for measuring development for public
health emergency preparedness that can be applied more broadly, as well as guidance on assessing a
jurisdiction's countermeasure-delivery capabilities.
FCC Preparedness for Major Public Emergencies: 30-Day Review
In a review of its own emergency planning, the Federal Communications Commission identifies a number of areas of potential improvement, including the need to enhance the capacity and capability of emergency personnel for remote access to essential FCC applications and databases.
Job Board
Risk Analyst: ABS Consulting
General Summary:
Perform research and analysis to solve problems in homeland security risk management in support of DHS clients. Tasks focus primarily on methodology development, metrics design, qualitative and quantitative analysis, modeling and simulation. Services client needs as necessary and coordinates the successful completion of tasks and projects to client specifications. Performs other internal assignments as necessary to meet business objectives and conform to ABS quality standards and procedures. Builds pragmatic and creative solutions to complex technical problems. Active security clearance required.
Principal Duties and Responsibilities:
- Handles client requests in a professional, timely, and accurate manner.
- Manages small projects in a manner consistent with ABS Group / Client standards and procedures.
- Performs specific technical tasks on specific projects as directed by applicable program managers.
- Develops creative, technically sound solutions to problems in homeland security risk management.
- Presents analysis and technical findings in clear, accessible, and concise prose.
- Produces high-quality, client-ready deliverables for tasks and ad hoc requests with minimal oversight.
Minimum Knowledge, Skills, and Abilities Required
- Must hold a bachelor's degree in a homeland security-related field, or bring at least one year of practical experience in a homeland security-related field along with a Bachelor's degree in a related technical discipline. Master's degree in a homeland security-related field preferred.
- Must be technically competent in homeland security risk analysis, methods and research design.
- Must possess strong written and verbal communications skills.
Additional Knowledge, Skills, and Abilities
- Advanced mathematics and statistics.
- Program evaluation and metrics design.
For more information on applying for this position, please contact Micah McCutchan via email or at (703) 682-7373.