November 2010
Write for Us
Have you seen a story you would like to see included in The Risk Communicator? Do you have a research project you want to share with your colleagues? If so, please contact the newsletter staff at newsletter@sarma.org.
Legal Matters
Copyright 2010 SARMA All Rights Reserved
Privacy Policy
The views expressed in The Risk Communicator reflect the views of their authors, and do not necessarily reflect the views of SARMA, the US Government or the employers or clients of the contributors.
President's Corner
Dear Fellow SARMA Members,
Earlier this month, I had the privilege of making the opening presentation at the 7th Annual Readiness and Homeland Security Seminar hosted by the Society of American Military Engineers' (SAME) Northern Virginia Post. Fittingly, the focus of this year's event was infrastructure resilience, and the SAME organizers asked me to focus on providing the historical context for this discussion. As I reflected upon how best to do this, I was again struck by just how quickly we have moved to adopt enhanced resilience as both a goal and an acceptable outcome of our homeland security risk management efforts. As it relates to infrastructure protection, for example, resilience first emerged as a central theme in the 2009 update to the Department of Homeland Security's (DHS) National Infrastructure Protection Plan (NIPP). Its importance in this context was further underscored by DHS in the Quadrennial Homeland Security Review (QHSR), issued earlier this year. Similar discussions are also occurring in the context of how we prevent, prepare, respond to and recover from catastrophic events in our communities.
While this evolution in policy is overwhelmingly positive, a number of significant challenges remain. The first is establishing a convergence of public- and private-sector homeland security risk management interests as an essential element in achieving a higher level of national resilience. The private sector has been skeptical of federal efforts to promulgate voluntary standards, often viewing these as precursors to regulation while missing the potential benefits to the bottom line. Likewise, the public sector has done little to effectively communicate the value proposition of partnering to enhance community resilience. SARMA has focused considerable effort on establishing a dialogue in this area, and will continue to do so in the coming year.
Defining "success" in meaningful terms and measuring progress towards it also remains problematic. Numerous efforts aimed at accomplishing this have been attempted since the September 11, 2001 terror attacks, only to be supplanted by new initiatives, which themselves have proven imperfect. Let's be honest - it's a hard problem, and one that is fraught with both practical and political challenges. A critical element in crafting a solution is agreement on how to establish the baseline against which the effectiveness of investments in new capabilities can be measured. Personally, I believe this baseline should be risk-based, with measures of progress focused on the enhancement of capabilities needed to guarantee appropriate levels of resilience at the local, regional and national levels. Devising and implementing this construct, however, will require a holistic, dispassionate and focused effort - not an easy thing when millions of dollars hang in the balance, but something SARMA can and should lend its time and talents towards helping our nation's policy-makers address.
A third challenge lies in the artificial distinctions between efforts to enhance the resilience of our communities and those focused on the infrastructure that sustains them. As I noted in my remarks at the SAME conference, because the risks are shared, aligning our infrastructure protection and community resilience efforts is essential, but will require overcoming disaggregated responsibilities, coordination mechanisms and stakeholder groups. At the national level, for example, DHS's Federal Emergency Management Agency (FEMA) is charged with planning and program implementation related to community resilience, yet also administers grant programs that support security investments in ports, transit systems, chemical plants and the like. At the same time, another part of DHS, the Office of Infrastructure Protection (IP), is responsible for actually overseeing the nation's infrastructure protection efforts. Each uses different mechanisms to coordinate these efforts. FEMA works mostly through emergency management channels and, for the grants, with State Administrative Agencies. In doing so, it leverages both its headquarters and regional staff. IP employs a Government Coordinating Council/Sector Coordinating Council construct, along with its own headquarters and field-based personnel, to interact with the owners and operators of critical infrastructure. Similar examples exist with the efforts of the United States Coast Guard (USCG) to protect infrastructure in our ports and the Transportation Security Administration (TSA) to address the security of various transportation modes. What often gets lost is that these discrete infrastructures are part of a larger system of systems which exists to support the function and economic vitality of communities, regions and, ultimately, the nation.
For several years now, these distinctions have been reinforced by two separate Homeland Security Presidential Directives - HSPD-7 and HSPD-8. The good news is that both are currently being updated by the White House. The widely anticipated re-issuance of these foundational policy documents presents an ideal opportunity to align our homeland security efforts within a common risk management construct that focuses on enhanced resilience for the sum of the parts. Perhaps such a convergence will also create the clarity necessary for better public- and private-sector collaboration and the implementation of metrics that can help us better understand the impact of our investments across the homeland security enterprise. Consider the possibilities in terms of providing the security the nation needs at a price it can afford...
As we head into the holiday season, I challenge each of you to think about ways SARMA can contribute to this important discussion. I've mentioned a few, but I would also like to hear your ideas, as well.
Wishing you and your families a safe and enjoyable Thanksgiving!
Kerry
Kerry L. Thomas, President
News
Conference Round-Up: A Look at Vulnerability
How does one measure vulnerability? That was the question at SARMA's recent Fourth Annual Conference on Security Analysis and Risk Management, with speakers and participants exchanging views on how to measure this key component of risk. Two presentations, one by Dr. Kevin Borden of Digital Sandbox, and the other by Dr. Ronald Fisher of the Argonne National Laboratory, deserve particular attention for their innovative technical approaches to the issue.
Dr. Borden began his presentation by laying out a simple definition of vulnerability: the characteristics of a situation that turn a hazard into a disaster. These can be both elements of the physical landscape and social circumstances of the population. For instance, while there have been larger tropical storms than Hurricane Katrina, New Orleans suffered from a tragic combination of poverty and lack of transportation infrastructure that turned a destructive weather event into one of the largest natural disasters in American history.
Numerous efforts have been made to study social vulnerability to disasters. Geographic information systems are useful, Dr. Borden explained, because layering different types of information on top of one another can show critical variations within a jurisdiction and help guide the distribution of resources. But the approach fails in assessing vulnerability because it combines the concept with threat into a single metric. Principal component analysis, another approach to vulnerability analysis, has its own complications, in particular a heightened sensitivity to input data that can make the results unreliable.
Dr. Borden instead advocated a "constrained top-down approach" to creating a metric for social vulnerability. This method relies on 13 key vulnerability indicators such as poverty, race, gender and education but then drills down deeper to understand why each of them increases the likelihood of disaster. Having developed a domain model with discrete categorizations -- access to resources, political power, lack of mobility, etc. -- each is then reduced even further into descriptive categories. Lack of mobility, for instance, is broken down into physical mobility and transportation access. Eventually, a weighting scheme can be applied to understand how much each input impacts overall vulnerability.
While Dr. Borden's presentation focused on the social aspects of vulnerability, Dr. Fisher introduced a vulnerability assessment tool focused on critical infrastructure. The Argonne National Laboratory project was prompted by government interest in analyzing data about multiple sites in order to develop methods of identifying and prioritizing key areas of vulnerability. The final outcome is a dashboard for owner-operators to drill deeply into their own security operations, take advantage of comparative data and follow up with specialized assessment.
"Instead of being judgmental, we give them data to explore what's happening in your industry and let you make decisions based on an overall look," Dr. Fisher explained. The Argonne assessment program looks at 1,500 different variables, but unlike similar methods asks detailed questions about the nature and quality of each. So instead of simply asking owner-operators whether their facility has a fence, the assessment requires them to detail the type of fence material used, its height and other relevant characteristics.
In addition to receiving an overall vulnerability index score, the user also receives feedback comparing the site's approach to those of similar sites, and also receives relative importance ratings for different components of a larger infrastructure. In the case of a large pipeline complex, for instance, this allows the analyst to make tradeoffs between spending and security initiatives at the origination point, compressor stations and interconnection points.
Analysis
The Inclusion of Recovery Processes and Costs in Resilience Assessments
by Dr. Eric D. Vugrin, Dr. Drake E. Warren, Nathanael Brown and Dr. Mark Turnquist
The concept of resilience is being integrated into critical infrastructure protection policies and practices. In the public sector, federal, state, and local governments are developing a coordinated set of resilience initiatives to identify features that create resilience in critical infrastructures, and have issued calls to agencies to begin measuring the resilience of their infrastructure systems.
The process of institutionalizing resilience in the critical infrastructure protection community faces many challenges. In particular, effective integration requires the development of comprehensive, broadly applicable, objective methods for measuring resilience. Such methods enable the determination of the effectiveness of resilience-enhancing investments and practices. Additionally, application of a single measurement approach for multiple types of systems allows consistent comparison of different systems.
Most quantitative resilience measurement techniques estimate the impacts of a disruption on the performance of the disrupted system. These approaches typically evaluate the difference between disrupted and undisrupted performance levels to estimate resilience. Although performance impacts are essential to measuring resilience, in general these approaches have a common limitation: they do not explicitly consider the important role that recovery processes and costs have in determining system resilience. Resource allocation can be a critical concern during crisis events, and emergency responders must decide how limited resources should be directed to minimize deleterious impacts and maximize response efficiencies. To address this issue, Sandia National Laboratories developed a new framework for assessing the resilience of infrastructure and economic systems. This essay describes how that framework measures resilience costs.
The foundation of the assessment framework is a new definition of resilience that prescribes the quantities that must be measured to calculate resilience costs:
Given the occurrence of a particular disruptive event (or set of events), the resilience of a system to that event (or events) is the ability to reduce efficiently both the magnitude and duration of the deviation from targeted system performance levels.
The definition notes that resilience is a contextual concept, so resilience measurement should be considered in the context of a particular disruption. For example, an electric grid's resilience to a blizzard would likely be different from its resilience to a hurricane, because the two events would affect the system differently and necessitate different recovery strategies. The definition also indicates two quantities that should be considered when measuring resilience costs:
- Systemic Impact (SI), shown below, is the cumulative impact that a disruption has on system performance. SI is measured using the difference between targeted system performance levels and actual system performance levels. Systemic impact is measured by calculating the shaded area under the curve.

- Total Recovery Effort (TRE), shown below, is the cumulative amount of resources expended during the recovery effort. This term provides the efficiency measure for the system recovery and is unique to Sandia's resilience assessment framework. The inclusion of this term enables the consideration of recovery resource constraints and comparison of recovery costs. Total recovery effort is measured by calculating the shaded area under the curve.

Rather than directly calculating resilience, Sandia's resilience assessment framework indicates how to calculate two types of resilience costs. The first type of cost is termed Recovery-Dependent Resilience (RDR). These are the total disruption costs to the system under a specified recovery strategy. That is, if α is a weighting term that assigns the relative importance of SI and TRE and |TSP| represents the magnitude of the targeted system performance levels, the RDR costs for a specific recovery strategy (RS) are calculated as:

The denominator is a normalizing term that allows comparison of systems of differing magnitudes. Sandia's framework also includes the concept of Optimal Resilience (OR) costs. OR costs are the resilience costs when the optimal recovery strategy that minimizes the value of the above equation (i.e., the linear combination of SI and TRE) is employed.
Because the RDR and OR costs are dimensionless quantities, they are most informative when used in a comparative manner. For example, they can be used to compare the resilience of different systems to the same disruption. The system with lower resilience costs will be the more resilient system. Resilience costs can also be used to compare the resilience of the same system to different types of disruptions. The system is more resilient to the disruption that results in smaller resilience costs. Moreover, they can be used to compare the resilience of a system to a disruption under different recovery strategies. Each different recovery strategy will result in different SI and TRE values. The recovery strategy that results in the smallest costs will provide maximal resilience for the system.
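The comparison of recovery strategies described above can be worked through numerically. The following is an added example, not code from the newsletter or from Sandia. Because the RDR equation itself is not reproduced on this page, the code assumes the form (SI + α·TRE) / ∫|TSP| dt, matching the text's description of a linear combination of SI and TRE over a normalizing denominator; the strategy names and all sample values are constructed.

```python
# Added illustration: all numbers below are constructed, not Sandia data.

def trapezoid(t, y):
    """Integrate sampled values y over times t with the trapezoidal rule."""
    return sum(0.5 * (y[i] + y[i + 1]) * (t[i + 1] - t[i])
               for i in range(len(t) - 1))

def systemic_impact(t, tsp, sp):
    """SI: area between targeted (tsp) and actual (sp) system performance."""
    return trapezoid(t, [abs(a - b) for a, b in zip(tsp, sp)])

def total_recovery_effort(t, effort):
    """TRE: area under the recovery-resource expenditure curve."""
    return trapezoid(t, effort)

def rdr_cost(t, tsp, sp, effort, alpha):
    """Assumed form of the RDR cost: (SI + alpha * TRE) / integral of |TSP|."""
    norm = trapezoid(t, [abs(v) for v in tsp])
    if norm == 0:
        raise ValueError("targeted performance is zero; cannot normalize")
    si = systemic_impact(t, tsp, sp)
    tre = total_recovery_effort(t, effort)
    return (si + alpha * tre) / norm

def compare_strategies(t, tsp, strategies, alpha):
    """Return (lowest-cost strategy name, {name: RDR cost}).

    The lowest-cost strategy among the candidates plays the role of the
    optimal recovery strategy, and its cost the role of the OR cost.
    """
    costs = {name: rdr_cost(t, tsp, sp, effort, alpha)
             for name, (sp, effort) in strategies.items()}
    return min(costs, key=costs.get), costs

# Constructed scenario: daily samples over five days after a disruption.
T = [0, 1, 2, 3, 4, 5]          # days
TSP = [100] * 6                 # targeted performance (percent of capacity)
STRATEGIES = {
    # name: (actual performance per day, recovery resources spent per day)
    "slow":  ([100, 40, 50, 60, 80, 100], [0, 5, 5, 5, 5, 0]),
    "surge": ([100, 40, 80, 100, 100, 100], [0, 30, 30, 0, 0, 0]),
}

if __name__ == "__main__":
    for alpha in (1.0, 3.0):
        best, costs = compare_strategies(T, TSP, STRATEGIES, alpha)
        print(f"alpha={alpha}: best={best}, costs={costs}")
```

With α = 1 the hypothetical "surge" strategy has the lower cost, while with α = 3 the "slow" strategy does, so which strategy counts as optimal depends on how heavily recovery resources are weighted against performance loss.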
Sandia has applied this resilience measurement approach to such infrastructure systems as chemical production supply chains, military munitions production facilities and rail transport systems. For the rail transport study, Sandia researched how various restoration sequences affected the resilience of the national freight rail transportation system following a hypothetical flooding event that disabled four bridges on the Mississippi River. Under the assumption that recovery resources were limited and rail carriers had multiple restoration modes available to them, Sandia identified a restoration sequence that decreased resilience costs by 34 percent relative to the conventional-wisdom restoration process.
Given that recovery processes are a foundational component of resilience, it is important that these processes and their associated costs are considered in resilience assessment and measurement. Resilience assessment frameworks like Sandia's that include these factors can be used to develop better emergency preparations and enhance continuity of operations plans.
Dr. Eric Vugrin, Dr. Drake Warren and Nathanael Brown are members of the technical staff at Sandia National Laboratories. Dr. Mark Turnquist is a professor at Cornell University and a member of the Transportation Research Board.
Key Reports
NGA: A Governor's Guide to Homeland Security
A new report from the National Governors Association "gives governors an overview of their homeland security roles and responsibilities and offers guidance on how to approach issues like developing mutual aid agreements, sharing information, obtaining assistance from the military and protecting critical infrastructure."
Get the report
DHS: Perspective on Preparedness: Taking Stock Since 9/11
A new report from DHS's Local, State, Tribal, and Federal Preparedness Task Force recommends "incentives for jurisdictions to take pre-event steps that will reduce the length and magnitude of disaster recovery ... [and encourages efforts to] ensure national cybersecurity efforts address Local, State, Tribal, and Territorial preparedness implications."
Get the report
DHS: American Samoa 2009 Earthquake and Tsunami: After-Action Report
A new report from DHS's inspector general finds significant weakness in American Samoa's ability to manage disaster assistance grants from FEMA and suggests that the agency "should consider formally designating the American Samoa government as a high-risk grantee in accordance with federal regulations."
Get the report
Jobs
ABS Consulting: Senior Cyber Security Consultant
ABS Consulting is seeking qualified individuals to provide chemical security analyses of vulnerability assessments and security plans for chemical facilities regulated by the Department of Homeland Security.
View the notice
ABS Consulting: Senior Chemical Security Consultant
ABS Consulting is seeking qualified individuals to provide chemical security analyses of vulnerability assessments and security plans for chemical facilities regulated by the Department of Homeland Security.
View the notice
ABS Consulting: Chemical Facility Security Consultant
ABS Consulting is seeking talented individuals to provide physical security, chemical security, and/or cyber security analyses of vulnerability assessments and security plans for chemical facilities regulated by the Department of Homeland Security.
View the notice
ABS Consulting: Senior Physical Security Consultant
ABS Consulting is seeking qualified individuals to provide physical security analyses of vulnerability assessments and security plans for chemical facilities regulated by the Department of Homeland Security.
View the notice
NMR Consulting: Senior Risk Officer
NMR Consulting is seeking candidates for a position responsible for developing and managing a risk management program in support of a large government contract involving infrastructure upgrades and enhancements at Ft. Meade, Maryland.
View the notice
NMR Consulting: Senior Risk Officer
NMR Consulting is seeking candidates for a position responsible for moving a project from Northern Virginia to the Ft. Meade, Maryland area. The successful applicant may also support efforts on other contracts.
View the notice
SRA: Security Risk Analyst Position
SRA International Inc. is seeking candidates for a security risk analyst position. The successful candidate will use their experience to plan, organize and carry out analytical studies of complex security risk management problems, as well as plan and implement potential technical or programmatic solutions to those problems.
View the notice
Corporate Security Analyst Position in Switzerland
SMR Group, an international executive search firm whose global practice is focused exclusively on professional- and executive-level corporate security positions, is seeking candidates for the position of Corporate Security Analyst, located in Switzerland. The Corporate Security Analyst will be responsible for protecting business operations and associates throughout the organization from external threats by the collection, analysis and dissemination of strategic and tactical threat assessments, and production of both analytical and intelligence products designed to support investigations and protective security operations.
View the notice
Risk Analyst Position With Centra Technology
Arlington, VA-based CENTRA Technology, Inc. is seeking talented professionals to provide technical and national security analysis for the U.S. Government, especially in the area of homeland security risk analysis. Successful candidates will perform security risk analysis; threat, vulnerability, and consequence analysis supporting risk analysis; and security risk management. They also will develop, assess, document, institutionalize, and apply risk management processes and methodologies to inform policy and programmatic decisions.
View the notice