THE RISK COMMUNICATOR

The Monthly Newsletter of the
Security Analysis and Risk Management Association

April 2010

In This Issue
Events: Risk Management and Info-Sharing Conference Summary
Training: Analytical Risk Management Course From NSTI
Talbot: Using Statistics to Communicate Risk
Reports: Simulating a New Osiraq Attack, AQ Command & Control, and More
Job Board: SRA Security Risk Analyst Position
Write for Us
Have you seen a story you would like to see included in The Risk Communicator? Do you have a research project you want to share with your colleagues? If so, please contact the newsletter staff at newsletter@sarma.org.
Legal Matters
Copyright 2010
SARMA
All Rights Reserved


The views expressed in The Risk Communicator reflect the views of their authors, and do not necessarily reflect the views of SARMA, the US Government or the employers or clients of the contributors.
President's Corner

Dear Fellow SARMA Members,

The snow may have kept us away the first time, but SARMA and George Mason University, with the support of sponsor PricewaterhouseCoopers (PwC), came roaring back on March 30 with our rescheduled policy forum, The Relevance of Risk Management and Information Sharing to Homeland Security. I am pleased to report that the event was a great success, and I would like to extend my personal thanks to all who contributed. I also believe there were a number of takeaways: for me, several interesting themes emerged.

First, it was clear that there remains a divergence between traditional enterprise risk management (ERM), which focuses on business risks, and security risk management as a key decision-support tool for investing scarce homeland security resources. While there are many commonalities between the two, integrating these applications of ERM appears destined to require more work -- perhaps the subject of a future forum...?

Likewise, while recent events like the attempted bombing of Northwest Flight 253 on Christmas Day have underscored the need for more effective information sharing, it seemed clear that challenges also remain in striking an appropriate balance between protecting the sources and methods associated with gathering this critical intelligence and ensuring the information is appropriately shared across the homeland security enterprise.

A summary of this timely policy forum is contained later in this issue of The Risk Communicator, and I encourage you to read more! In addition, I would also like to take this opportunity to underscore the continuing need for someone to fill one of our most critical vacancies -- the role of Conference Committee Chair. With our goal of having several events this year in addition to the annual conference, this position offers a significant opportunity to shape the public face of SARMA and also its impact on the key issues of the day. I urge anyone with an interest in taking on this key assignment to contact our Executive Director, John Boatman, at john.boatman@sarma.org.

My best,

Kerry


Kerry L. Thomas
President
Security Analysis and Risk Management Association
Events

Risk Management and Info-Sharing Conference -- Part I

SARMA had the recent pleasure of co-hosting, with the George Mason University's Center for Infrastructure Protection and Homeland Security (CIP/HS), a one-day policy forum entitled The Relevance of Risk Management and Information Sharing to Homeland Security.

Delayed by the largest blizzard to hit the Washington area in 50 years, the March 30th event brought together a wide range of experts from academia, government and the private sector. What follows is a summary of the morning's panel discussions and presentations on risk management. In the May issue we will recap the afternoon sessions on information sharing.

Morning Keynote: The View from GAO
David Maurer, Director of Homeland Security and Justice programs at the U.S. Government Accountability Office (GAO), was the day's first keynote speaker. In discussing the application of effective risk-management and information-sharing principles to homeland security, Mr. Maurer noted that the Department of Homeland Security has improved its cohesiveness and matured as a department, but that many of its 22 agencies still maintain their own institutional cultures. He stressed the importance of finding a unified mission for DHS, fostering a common internal culture and improving coordination between agencies.

Drawing from a 2008 GAO report entitled Risk Management: Strengthening the Use of Risk Management Principles in Homeland Security, Mr. Maurer advocated the adoption of five risk management phases:
  1. Setting strategic goals and objectives, and determining constraints;
  2. Assessing risks;
  3. Evaluating alternatives for addressing these risks;
  4. Selecting appropriate alternatives; and
  5. Implementing the alternatives and monitoring the progress made and results achieved.
Mr. Maurer stated that the first three phases relate to "mission risk" -- defined as the desired end state, the threats the US faces and how resources are allocated. The latter two fall under "program risk", or the resources needed and how to achieve results.

In his concluding remarks, Mr. Maurer emphasized that the federal government lacks an information-sharing roadmap, and a system of responsibility for dealing with security issues. Although DHS agencies have made some progress in trying to implement such a roadmap, he noted, there are also currently no metrics, accountability or clear lines of authority. He also noted the need for guidelines and training, and for better sharing of terrorism intelligence.

Panel I: Federal Program Risk Management
Moderator: Jack Johnson, Principal, PricewaterhouseCoopers
Panelists: Jack Kelly, Policy Analyst, Office of Management and Budget; Joseph Kull, Director, PricewaterhouseCoopers; Kerry Thomas, Senior Director, ABS Consulting/SARMA President

Mr. Kelly opened with a discussion of OMB Circular No. A-123, which defines management responsibilities for internal controls in federal agencies. Regarding risk management, he made the point that risk management has become too specialized and mysterious, when in fact it is essentially regular management "with a special focus on the consequences of failure."

In a subsequent discussion of internal controls, Mr. Kull noted their vital role in the development of policies and procedures, which in turn allow an organization to fulfill its mission, strategy and objectives. In the case of DHS, Mr. Kull also noted that there are cultural issues that affect the agency's mission. He further stressed that, in order to succeed, an agency must have a clear mission, an objective (long-term goals and the activities needed to achieve them), benchmarks, metrics, policies and procedures in place. It also must constantly monitor and fine-tune its programs, and employ grants as an important means of gauging results in measurable ways that can be communicated to key stakeholders.

Elaborating on this discussion of grant programs and metrics, Mr. Thomas stated that today there is an inability to answer the following question: how much safer are we? He asserted that since 9/11, there have been more than $30 billion in grants to secure the homeland, yet the grant-making process still does not have an effective means of determining the effectiveness of these funds on reducing risk.

Mr. Thomas also suggested several approaches for doing things differently. First, he indicated there is a need for a common risk management framework and lexicon. Second, there is a need for a common governance structure to prevent "stovepiping." Challenges include the need to better communicate risk and the need to better manage resources. Mr. Thomas concluded by articulating a vision for future risk management, which includes:
  1. A risk baseline that leverages the information collection and analysis capabilities of state/regional fusion centers;
  2. The performance of a gap analysis between existing capabilities and those required to effectively mitigate the identified risks;
  3. An effective strategic planning process for prioritizing the allocation of grant dollars to mitigate identified capability gaps;
  4. Standardized metrics for measuring the risk reduction achieved;
  5. A robust monitoring program; and
  6. Proper feedback mechanisms.

Panel II: Cyber Risk Mitigation/Management
Moderator: Timothy Clancy, Senior Program Director, Cybersecurity, CIP/HS
Panelists: Rear Adm. Michael Brown, Deputy Assistant Secretary for Cybersecurity and Communications, DHS; Pablo Martinez, Assistant Special Agent in Charge, Criminal/Investigative Division, U.S. Secret Service; Gen. Robert Elder, Research Professor of Electrical & Computer Engineering, GMU

Adm. Brown stated that the mission of his office is tied to the intelligence community, the Department of Defense and the private sector, and noted that cyber-security is one of five mission areas highlighted in the Quadrennial Homeland Security Review (QHSR). He also mentioned the need for technical expertise, the need to take advantage of changes in technology, a skilled and trained workforce that understands the threat and the technology, and the freedom to allow the workforce to innovate.

With regard to transnational threats, Adm. Brown stressed the need for global situational awareness; the need to work with law enforcement and intelligence partners; international cooperation; the involvement of the private sector in public-private partnerships; and the establishment of rules and responsibilities and the ability to deal with cyber threats.

Concerning the recent establishment of the DoD Cyber Command, Adm. Brown stated that it was good to have a unified command, and that DHS's mission is to work with DoD and the National Security Agency to ensure success. With regard to information sharing, he said the public sector works well with the private sector, but there is an information-sharing problem between entities in the private sector.

Mr. Martinez asserted that because cyber crime is transnational, it poses logistical challenges to law enforcement agencies trying to investigate such crimes. He called for developing relationships with law enforcement counterparts overseas and with the private sector. He also talked about the role of the Internet in cyber crime, and about how every Secret Service Academy student now receives several weeks of instruction in the subject. He mentioned that the Secret Service is working with and providing key resources to state and local officials, and he stressed the importance of teaching people how to use technology and of using clear terminology to help judges and juries understand the nature of cyber crimes.

Gen. Elder talked about the need to acknowledge the vulnerabilities and the current lack of resiliency in systems. He discussed how the military studies previous incidents in order to understand their causes as part of a broader risk management process. When discussing the transnational threat, he suggested the need to focus on the behaviors of the system. He supported the establishment of a unified Cyber Command structure at DoD, but also expressed concern about the magnitude of the challenges facing its leaders.

Coming next month, Part II: information-sharing panel summaries, Gen. Michael Hayden, and more.
Training

Analytical Risk Management Course From NSTI

The National Security Training Institute in Chantilly, VA will hold a four-day course on analytical risk management the week of 24 May 2010. The deadline for registration is 24 April 2010.

The purpose of the Analytical Risk Management (ARM) course is to provide a systematic approach to acquiring and analyzing the information necessary to support decisions regarding the protection of assets (people, information, equipment, facilities, activities and operations) and the allocation of resources. The ARM methodology aids the trained user to define risk by analyzing impact to assets from undesirable events, while also considering the threats to and vulnerabilities of these assets based on the events. This provides the user a supportable, defendable and repeatable systems approach to establishing risk.
 
Attendees of the ARM course will be able to:
  • Use a systems approach to risk management when performing risk assessments.
  • Identify critical assets, assess threats, identify vulnerabilities and determine the consequence/impacts of undesirable events.
  • Identify risk mitigation strategies and physical countermeasures as required to reduce unacceptable risks to acceptable levels.
  • Recommend risk-based options to decision makers.
  • Develop site-specific and cost effective options for security enhancements and risk reduction.
  • Provide assessments and recommendations to senior managers responsible for accepting risk and funding of security programs and other related problem sets for senior managers.
  • Apply accountability and audit trails for decisions at all levels.
Additional information and registration materials are available on the course website. Interested readers will receive a 10 percent discount off the $1,625 course fee by using the following code: SARM1.
Analysis
Using Statistics to Communicate Risk
by Julian Talbot

It's reasonable to say that communication is intrinsic to the risk management process, yet it's all too easy to get caught up with risk analysis and forget to adequately communicate the results of that analysis. This is perhaps especially true for complex risks such as terrorism and national security where we require specialist knowledge to understand the issues in any depth. So how in fact do specialists communicate risk?  

"Badly" is unfortunately often the answer to that question. Consider that most people are more afraid of terrorism than driving, yet in the United States an average of 100 Americans are killed each year from terrorism while 40,000 to 45,000 Americans are killed on the roads. Similar statistics can be found for preventable medical errors and tobacco-related deaths, and yet both the level of fear and expenditure of funds to redress these risks are broadly speaking inversely proportional to the actual consequences. Clearly, given that these numbers are relatively consistent across most of the developed nations, effective risk communication is not one of humankind's strong points.

The key challenge lies in the way our brains are programmed to consider risks. Our brains are finely tuned instruments for assessing immediate fight-or-flight risks, but our ability to consider more complex risks is a relatively recent invention of the mammalian neocortex. Saying that next year 40,000 out of 300 million people will probably die on the roads while 19,000 will be murdered and 100 will die from terrorism simply doesn't register in any meaningful way for us. The numbers are simply too large and too abstract for us to comprehend.

A better way to present complex risk information is to break it down into natural frequencies. To illustrate this concept, imagine that you have to produce a leaflet for patients who are about to undertake an HIV test. By way of background, a small number of cases (roughly 0.01 percent) can yield false positives or false negatives. Yet most HIV information does not mention this and even health professionals have been shown remarkably ignorant of the risk of incorrect results. In a 1998 German study of pre-test counseling for HIV tests, 5 out of 20 HIV counselors incorrectly claimed that false negatives never occur and 16 incorrectly claimed that false positives never occur. 

To understand why these otherwise knowledgeable health professionals should be so consistently ill-informed, consider a recent study where researchers first presented the following question to HIV counselors as a matter of probabilities:  

"About 0.01 percent of men with no known risk behavior are infected with HIV. If such a man has the virus, there is a 99.99 percent chance that the test result will be positive. If a man is not infected, there is a 99.99 percent chance that the test result will be negative. What is the chance that a man with no known risk behavior who tests positive actually has the virus?"  

Most of the counselors in the study thought that it is 99.99 percent or higher. Now consider the same question worded differently.

"Imagine 10,000 men who are not in any known risk category. One is infected and will test positive with practical certainty. Of the 9,999 men who are not infected, one will test positive.  So we can expect that two men will test positive."

From this latter question, you can easily see that the odds are roughly 1 in 2 or 50 percent that someone from a low-risk category who has a positive test result is actually HIV positive.  

The significance of this information for low risk individuals should not be underestimated. Countless people have endured traumatic psychological stress, lost jobs, separated from spouses, participated in unprotected sex with HIV positive persons or committed suicide as a result of false positive tests. The downstream impacts of poor risk communication are not confined to the recipients of the communication either. The potential for legal action against doctors or government agencies is just one example of a potential cascading spiral of risk begetting risk.  

As you can see from the example above, the way in which we communicate risk can have a significant impact. An example of how the above information could be better communicated would be to provide patients and counselors with the same information presented in terms of natural frequencies:

"Depending on the exact procedure used, an HIV test is likely to be positive for about 998 of 1,000 people infected with HIV. About one in 10,000 persons will generate a false positive result. False positives can be reduced by repeated testing using different methods but not completely eliminated as certain medical conditions and laboratory errors can still generate false positives.

"About one in 10,000 heterosexual men with low-risk behavior are infected with HIV. Of those 10,000 low-risk men, one is likely to be infected and will almost certainly test positive (99.8 percent likelihood). Of the 9,999 non-infected men, one will also test positive. Thus we expect that of the two men who test positive, only one has HIV. This is the situation you would be in if you were to test positive and are in a low-risk group. Your chance of having the virus would be about one in two.

"Therefore, for persons with no known risk behaviors, a second HIV test should be conducted before confirming the positive diagnosis."

The reason that the above wording appears so much clearer is that our brain absorbs the information in a distinctly different way. Presenting the data using natural frequencies means that we are evaluating it using numbers that we can intuitively understand. It yields the same result, but makes that result much easier for our brains to calculate. (To see an illustration of this principle, please refer to Figure 1 in the online version of this essay.)
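The same calculation both ways, as an added example that is not part of Mr. Talbot's article: the probability form that the counselors were given (Bayes' theorem) and the natural-frequency form (counting people in a cohort of 10,000) produce the identical answer of about one in two. It also carries the article's recommendation of a second test through to its posterior, which the article does not compute; the assumption that the two tests err independently is labelled in the code.

```python
"""Base-rate reasoning for a screening test, two ways (added example).

Uses the figures quoted in the article: a 1-in-10,000 base rate, a
99.99% (counselor question) or 99.8% (leaflet) sensitivity, and a
1-in-10,000 false positive rate. Exact fractions avoid rounding noise.
"""
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class ScreeningTest:
    prevalence: Fraction           # P(infected) in the group being tested
    sensitivity: Fraction          # P(positive | infected)
    false_positive_rate: Fraction  # P(positive | not infected)


# The question posed to the HIV counselors (0.01% prevalence, 99.99%/99.99%).
COUNSELOR_QUESTION = ScreeningTest(Fraction(1, 10_000), Fraction(9_999, 10_000),
                                   Fraction(1, 10_000))
# The leaflet wording (998 of 1,000 infected test positive, 1 in 10,000 false positive).
LEAFLET = ScreeningTest(Fraction(1, 10_000), Fraction(998, 1_000), Fraction(1, 10_000))


def ppv_bayes(test: ScreeningTest) -> Fraction:
    """Positive predictive value P(infected | positive) via Bayes' theorem."""
    true_pos = test.prevalence * test.sensitivity
    false_pos = (1 - test.prevalence) * test.false_positive_rate
    return true_pos / (true_pos + false_pos)


def natural_frequencies(test: ScreeningTest, cohort: int = 10_000) -> dict:
    """Express the same numbers as counts of people in a cohort.

    Returns the expected (unrounded) number of infected people, true and
    false positives, the resulting PPV, and the whole-person counts a
    leaflet would quote (the article's "1 of 2 who test positive").
    """
    infected = test.prevalence * cohort
    true_pos = infected * test.sensitivity
    false_pos = (cohort - infected) * test.false_positive_rate
    positives = true_pos + false_pos
    return {
        "cohort": cohort,
        "infected": infected,
        "true_positives": true_pos,
        "false_positives": false_pos,
        "ppv": true_pos / positives,
        "leaflet": (round(true_pos), round(positives)),
    }


def ppv_after_second_test(test: ScreeningTest) -> Fraction:
    """Posterior after a second positive result, using the first result's PPV
    as the new prior. Assumption (not from the article): the two tests err
    independently; the article notes shared lab or medical causes can break this."""
    second = ScreeningTest(ppv_bayes(test), test.sensitivity, test.false_positive_rate)
    return ppv_bayes(second)


if __name__ == "__main__":
    for name, t in (("counselor question", COUNSELOR_QUESTION), ("leaflet", LEAFLET)):
        nf = natural_frequencies(t)
        print(f"{name}: Bayes PPV = {float(ppv_bayes(t)):.4f}; "
              f"about {nf['leaflet'][0]} of {nf['leaflet'][1]} positives infected; "
              f"after a second positive test = {float(ppv_after_second_test(t)):.4f}")
```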

Given what you now know, is it any wonder that our political leaders and the general public have trouble understanding and prioritizing risks such as terrorism, crime, health, national security and hundreds of other risks? It seems that even in the 21st century we have a long way to go to master the simple act of communicating risk in any meaningful fashion. The groundwork on how to present risks using natural frequencies has been done for us by practitioners in areas such as medicine, psychology and statistics. Perhaps it is time that we as security and risk professionals started to look more closely at the data we already have in our field and exactly how we choose to present it?

Julian Talbot is an international risk management consultant, lead author of the Security Risk Management Body of Knowledge, and Chair of SARMA's International Affairs Committee. He is a Fellow of the Risk Management Institution of Australasia and Research Associate with the Australian Homeland Security Research Centre. This article is based on excerpts from his latest book, Snapshot Guide to ISO 31000:2009 Risk Management Fast! due for publication in 2010. Mr. Talbot can be contacted at info@juliantalbot.com.
Key Reports

Brookings: Osiraq Redux: A Crisis Simulation of an Israeli Strike on the Iranian Nuclear Program

In December 2009, the Saban Center for Middle East Policy at the Brookings Institution conducted a day-long simulation of the diplomatic and military fallout that could result from an Israeli military strike against the Iranian nuclear program. In this memo, Kenneth M. Pollack analyzes the critical decisions each side made during the wargame.


Jane's: The Evolution of Command

A new report from Jane's Strategic Advisory Services raises questions about Al Qaeda's organizational coherence and examines the evolving dynamics of the group's command and control structures and processes.


CRS: DHS Intelligence Enterprise: Operational Overview and Oversight Challenges for Congress

The Congressional Research Service examines DHS's intelligence enterprise, including organizational issues and how it supports key departmental activities such as homeland security analysis and threat warning, border security, critical infrastructure protection and the sharing of information with state, local, tribal and private sector partners.

Jobs

SRA: Security Risk Analyst Position

SRA International Inc. is seeking candidates for a security risk analyst position. The successful candidate will use their experience to plan, organize and carry out analytical studies of complex security risk management problems, as well as plan and implement potential technical or programmatic solutions to those problems.



DHS: Six Analyst Positions Open at RMA


The Office of Risk Management and Analysis (RMA) has six vacancies for Management and Program Analysts at the GS-11/13 grades.


Analyst Position with the Federal Emergency Management Agency (FEMA)

ABS Consulting is seeking a talented professional to provide technical and management consulting services to the federal government, specifically in the area of homeland security risk analysis for grant allocation at FEMA. Education and experience with economics or a related field is a key requirement. An active security clearance is preferred.


Corporate Security Analyst Position in Switzerland

SMR Group, an international executive search firm whose global practice is focused exclusively on professional- and executive-level corporate security positions, is seeking candidates for the position of Corporate Security Analyst, located in Switzerland. The Corporate Security Analyst will be responsible for protecting business operations and associates throughout the organization from external threats by the collection, analysis and dissemination of strategic and tactical threat assessments, and production of both analytical and intelligence products designed to support investigations and protective security operations.


Infrastructure Analyst Position With the Las Vegas Metropolitan Police Department


The Las Vegas Metropolitan Police Department is seeking candidates for a senior analyst position with their Critical Infrastructure Protection program. Incumbents perform complex and extensive analytical work, formulate recommendations with important policy and operational implications, and/or audit and oversee significant programs, including grant management, in support of senior management staff. In this position incumbents will oversee the Critical Infrastructure Protection program, which will require traveling nationally and throughout the state.


Risk Analyst Position With Centra Technology

Arlington, VA-based CENTRA Technology, Inc. is seeking talented professionals to provide technical and national security analysis for the U.S. Government, especially in the area of homeland security risk analysis. Successful candidates will perform security risk analysis; threat, vulnerability, and consequence analysis supporting risk analysis; and security risk management. They also will develop, assess, document, institutionalize, and apply risk management processes and methodologies to inform policy and programmatic decisions.
