THE RISK COMMUNICATOR

The Monthly Newsletter of the
Security Analysis and Risk Management Association

August 2011
In This Issue
Panelists Announced for SARMA's 5th Annual Conference
Survey: Taking Stock of ISO 31000:2009
Sponsor Profile: AcuTech
Barrett: Measuring Resiliency
Reports: Aum Shinrikyo, Earth Monitoring, And More
Jobs: Five New Openings At CFATS
Thanks to our Silver-Level Corporate Patron: ABS

Thanks to our Bronze-Level Corporate Patron: VRisk
Have you seen a story you would like to see included in The Risk Communicator? Do you have a research project you want to share with your colleagues? If so, please contact the newsletter staff at newsletter@sarma.org.
Copyright 2011 SARMA. All Rights Reserved.

The views expressed in The Risk Communicator reflect the views of their authors, and do not necessarily reflect the views of SARMA, the US Government or the employers or clients of the contributors.
President's Corner

Dear Fellow SARMA Members,

I hope each of you is enjoying the summer... but also eagerly anticipating SARMA's 5th Annual Conference on Security Analysis and Risk Management. With just over three weeks to go, the agenda is complete, registration is well ahead of last year's pace (a record itself!) and details for the awards ceremony and annual meeting are being finalized. If you have not already registered, please visit the conference website soon! In addition, great opportunities remain to raise your organization's profile as an official conference sponsor. A contribution at our Platinum, Gold, Silver or Bronze levels (click here for Sponsor Prospectus) will also signal your strong commitment to the growth and maturation of the security risk discipline.  

Benefits of sponsorship include:  
  • On-site branding: Your brand will be on prominent display to an audience of some 200 leading security risk professionals from government, industry and academia via the conference website, directional signage, conference posters, and printed programs.
  • Extended advertising: Depending on the level of sponsorship chosen, your organization's name will be mentioned from the podium and/or your corporate logo will appear on various event-related promotional materials, including in SARMA's monthly e-newsletter and on our social networking site, which together reach more than 3,000 security risk professionals.
  • Access to security risk leaders from government, industry and academia: Your support will bring high-profile exposure to a concentration of leaders in the security risk field, as well as opportunities to interact during meals, breaks and receptions.
  • Opportunities to network, team and recruit: Depending on the level of sponsorship chosen, our complimentary or reduced cost exhibit space offers the opportunity to develop new personal relationships face-to-face, whether that's meeting your next customer, a strategic partner or the key hire you need to elevate your security risk business to the next level.
For those interested in exhibiting only, your presence is also most welcome! For additional information on the costs of exhibit space at the 5th Annual Conference on Security Analysis and Risk Management, please see the Exhibitor Prospectus on the conference website. This year we are also offering several unique opportunities to sponsor specific aspects of the conference, such as the breakfasts, lunches and the evening welcome reception. For additional details on these opportunities, please contact SARMA's Executive Director, John Boatman.
 
As you know, proceeds from the annual conference directly fund SARMA's programs and services. As our single largest event, its financial success is critical to our bottom line, which translates directly into the scope of SARMA's activities in the following year.
 
Let's make this year's event a shared success!

My best,
Kerry


Kerry L. Thomas
President

Events
Panelists Announced for 5th Annual Conference!

We have been hard at work finalizing the agenda for our annual conference next month, and are pleased to announce that we now have over 70 speakers scheduled!

In addition to a great lineup of keynote and plenary sessions and individual presentations, we also have put together some outstanding panel discussions:
  • Our Critical Infrastructure team has assembled a variety of panels, including: 1) Mitigating Post-9/11 Security Risks to U.S. Public Transportation Systems -- Moderator: Polly Hanson, former Chief, Wash DC Metro Transit Police Department; Panelists: Steve Kral, Washington Metropolitan Area Transit Authority; Chief Paul MacMillan, Massachusetts Bay Transportation Authority; Brian Tynan, American Public Transportation Association. 2) Mitigating Post-9/11 Security Risks to U.S. Ports -- Moderator: Cosmo Perrone, Cosmo Perrone and Associates; Panelists: Steve Caldwell, GAO; Joseph Lawless, Massport; Anthony Regalbuto, Port Security Directorate, USCG; Kerry Thomas, ABS Consulting.
  • Education and Training is another major theme of our conference this year, and we are pleased to be offering two panels focused on this important subject: 1) Homeland Security Risk Education Efforts and Training Requirements -- Moderator: Ed Jopeck, AcuTech; Panelists: Patrick Dunne, GMU Center for Infrastructure Protection and Homeland Security; Geoff French, Centra Technology; Jim Caverly, DHS. 2) A group of Penn State University professors with decades of prior experience in government and the private sector will be reviewing PSU's Curriculum Development Since 9/11 -- Moderator: Don Shemanski, Scenario Case-Based Teaching; Panelists: Stan Aungst: Analytic Games for Counterinsurgency, Evaluation and Assessment; Dennis Bellafiore: Geo-Spatial Intelligence; Ed Glantz: Risk Analysis Scenarios and Pedagogical Approach; Peter Forster: Online Delivery of SRA Courses for Homeland Security.
  • From our Cybersecurity team we will be offering Cyber Risk: Current and Future Approaches -- Moderator: Phil Lacombe, Secure Mission Solutions; Panelists: Jim Jaeger, General Dynamics AIS; John Tritak, Good Harbor Consulting; Andy Wartell, Wartell Consulting.
  • The Methodologies team has put together Adaptive Adversary Modeling for Terrorism Risk Management -- Moderator: Sara Klucking, Science & Technology Directorate, DHS; Panelists: Tony Barrett, ABS Consulting; Rich Adler, DecisionPath; Barry Ezell, Innovative Decisions.
As previously announced, there will be additional panels on cybersecurity, community preparedness, government policy, methodologies, critical infrastructure protection, and a historical retrospective on terrorism risk since 9/11.

Our conference is once again being co-hosted by the George Mason University School of Law's Center for Infrastructure Protection and Homeland Security (CIP/HS). The two-and-a-half-day event will take place in a new building on GMU's Arlington campus known as Founders Hall.

The conference starts at 8:30 AM on Tuesday, September 13 and runs until 12:30 PM on Thursday, September 15. An Evening Welcome Reception will be held from 5:30 to 7:00 PM on Tuesday.



Important Links

Conference Summary Page
List of Confirmed Speakers
Registration Page

Fee Schedule
  • General Registration - $495
  • Government/Academic Registration - $375
  • Evening Welcome Reception - $60

We look forward to seeing you at the conference in three weeks!

Survey
Taking Stock of ISO 31000:2009

In 2009, after four years of deliberation, debate and compromise, 28 nations came to an agreement and the International Organization for Standardization (ISO) released what has become known as "ISO 31000:2009 Risk Management: Principles and Guidelines." The Standard is designed to provide generic but consistent guidelines for managing any type of risk, whatever its nature, with either positive or negative consequences. At a brief 34 pages, it is easy to underestimate the significance of this standard until one considers that ISO 31000 is the most published Standard on Risk Management, with over 163 different countries adopting it as the best practice in risk management.

As a SARMA member, you are invited to participate in the first global survey of its kind to see how ISO 31000 is perceived by risk management practitioners. This is a great opportunity to share your thoughts and concerns about the ISO standard before the publication of the ISO 31004 guide, scheduled for 2013.

SARMA is pleased to support this initiative organized by the LinkedIn discussion forum on ISO 31000. You can join the ISO 31000 discussion forum here. While you're there, drop in to the SARMA LinkedIn Group.

The new ISO committee ISO/TC 262: Risk Management, the successor of the ISO TMB WG on Risk Management, has just been created in order to prepare the ISO 31004: Risk management: Guidance for the implementation of ISO 31000. Based on your comments, suggestions and questions, the result of this survey could also help the ISO Working Group. The future document would provide implementation guidance to the risk management principles, framework and processes defined in the generic document ISO 31000:2009 with greater details and information on how to establish risk management within any organization building on the core elements of ISO 31000.

The online survey will be released in October via over 70 risk management organizations and we'll let you know when it's open for comment. It's addressed to the global risk management community across every field, sector and industry. This is a significant opportunity to comment and contribute to our profession, so gather your thoughts on ISO 31000 and stay tuned!

Corporate Patron Profile: AcuTech

AcuTech Consulting Group, SARMA's newest Silver Sponsor, is an internationally recognized risk management consulting firm with a unique background in security and safety risk analysis, contingency planning and emergency planning for numerous infrastructure sectors and government agencies.

AcuTech is unique in both the depth and breadth of its security risk management experience and thought leadership. The company's President and CEO David Moore is internationally recognized as a leader in chemical and energy safety and security risk management. Working as a direct contractor with DHS after the September 11 attacks, AcuTech helped the department establish the Chemical Facility Antiterrorism Standards (CFATS) and has worked to develop several of the security risk analysis standards, methods and guidelines used by both government and the chemical industry.

Ed Jopeck, the founding president of SARMA, recently joined the company and serves as AcuTech's Vice President of Government Services. Ed has a 20-year history in security risk management, starting with the development of Analytical Risk Management (ARM) for the US intelligence community in the mid-1990s. He also played a key role in the development, modification and evaluation of numerous other security risk analysis models for DHS. His leadership and commitment to improving the process and application of security risk management and critical infrastructure protection -- in particular, his expertise in assessing security risks to water supplies, dams and hydropower plants, as well as government facilities -- continue to drive his efforts for AcuTech clients in the US and around the world.

AcuTech is staffed by a diverse array of safety and security experts from both private industry and federal government agencies. Its expert staff provides a broad range of security consulting services, including security risk assessment, risk methodology review, design and implementation, training, audits and project management. AcuTech has an in-depth knowledge of numerous critical infrastructure sectors and continuously works with industry, trade organizations and government agencies involved with security, process safety and emergency management.

AcuTech believes the success of security risk management depends on taking a holistic view of security risk management that carefully considers the "fit" of a risk methodology or risk management program. This includes assessing the background of users and key stakeholders, the resource environment, decisions to be served and the integration of competing standards lexicons to reduce the need for future directional changes. AcuTech is pleased to support SARMA, and looks forward to a close working relationship in the future.

Analysis
Measuring and Managing Systemic Resiliency
by J. Michael Barrett

Choosing where to focus limited resources is never easy but it is nonetheless necessary. While in the past decade we have gotten better at managing routine risks, we cannot lose sight of the fact that certain key nodes of our economy are ultimately more important than others. Identifying and ensuring the survivability of the systems these nodes support is the essence of a focus on resiliency, and it remains today perhaps the least well-managed form of risk we face.

Background

The United States thrives on global trade, economic opportunity and extremely high levels of consumption. Consider that with less than 5 percent of the world's population the U.S. consumes some 25-30 percent of total resources. While that may not be equitable, it is an undeniable part of our relative per capita wealth. Protecting the American way of life therefore means ensuring the interdependent critical infrastructure (CI) systems that enable global trade are able to continue operating, come what may. It therefore follows that the homeland security community's most important job in today's resource-constrained environment is to find effective and efficient ways to reduce, manage or otherwise deal with the potential impacts of catastrophic events upon those systems that ensure the secure and free flow of commerce both domestically and internationally.  

Simply put, we should focus first on addressing catastrophic failure and ensuring we survive worst-case scenarios and unforeseeable "black swan" disruptions. Recent work in this area centers on creating practical approaches to protecting CI and promoting overall systemic security by protecting what matters most. It takes a bottom-line approach to ensuring the survival and operation of the system -- and as such complements and completes traditional risk management approaches by ensuring the ability to enact pre-event safeguards that help manage catastrophic events and minimize CI impacts.  

Where Current Risk Models Fall Short

Risk models used in homeland security are almost uniformly probabilistic in their approach, meaning they emphasize estimated likelihood (or "probability") as their first step in examining adverse events and how to allocate resources to minimize overall impacts. When it comes to today's hyper-complex systems, however, by design these models are forced to use assumptions with a degree of precision that is illusory at best. This is because most modelers believe that through an alchemy of estimation, historical analysis and complex Monte Carlo and other simulations they can divine a likelihood close enough to be, for all practical purposes, "exactly correct," and the models built on those estimates are in turn believed to produce answers that are "exactly correct." This approach works well enough where immutable laws of physics dictate cause and effect or where linear changes are phased in over time and historical precedents are adjusted to reflect today's reality. Yet probability-based risk models are of much less value in today's environment of radical changes across the global system.
 
Why Resiliency Works Better

It is becoming clear that there is a need to complement traditional risk models with "resiliency models," or models examining not the likelihood and severity of an event but rather how best to minimize the cascading impacts of an event and ensure that the critical infrastructure system continues to operate at a minimally acceptable level. This approach maps out the interconnectedness and cascading effects of the loss of any given system upon the rest of the CI systems.

This approach to measuring and managing resiliency is comprised of three sequential phases. The first examines CI systems in terms of vulnerability, criticality and interdependence. Often conducted at the regional level, this process uses scenarios and expert elicitation to model the role of various CI systems in that specific location. Phase two of the process is to establish minimally acceptable throughputs for specific CI systems and identify where bottlenecks occur not only during normal operations but also during a given type of disruption. Finally, in the third phase experts assess gaps and seams by focusing on four main thrusts: Decreasing an event's likelihood of occurrence; increasing the given CI sector's overall redundancy/capacity; addressing regulatory and governance issues that limit flexibility and resiliency; and improving substitute systems that can provide similar services if the primary system falters.

Of note, this approach enables rational resource allocation in terms of small pre-event investments that minimize the downside of a future catastrophic event. While many of the solutions will impose small routine costs, these costs are akin to insurance premiums, where daily costs are balanced against how well pre-event investments enable better post-event operations. Furthermore, this resiliency model relies less on elegant mathematical formulas and more on expert elicitation about experiences in having worked with disrupted systems and which ones are most important at specific levels of functional capacity (i.e., is an electricity disruption a problem if there are adequate back-up generators, or can alternative routes be used for transporting certain hazardous materials, etc.). While this qualitative approach makes some mathematicians uncomfortable, it allows for clarity of assumptions and also for real-world practitioners to more readily follow their inputs and the transparent process by which systems are evaluated and ranked, and it also forces reality into the models.

Conclusion

Without actively measuring and managing resiliency the only option when allocating resources is to draw out discrete, singular risks and protect against either or both the most likely and the worst of them. However, such approaches require a precision which is just not possible in today's world of rapid change and broad-ranging threats where it is not sufficient merely to strengthen the weakest points or to spread resources thinly across every possible point of attack or failure. Instead, we must determine what is critical to ensuring the interconnected CI systems are flexible and durable enough to continue to operate at acceptable levels and then take measures to implement solutions that address current gaps. We can do this by using new models that enable us to better measure and manage systemic resiliency.

Mike Barrett is a former naval intelligence officer and Director of Strategy for the White House Homeland Security Council and currently a founding partner of Diligent Innovations, a national security consulting firm in Washington, DC. Mike will be a speaker at SARMA's 5th Annual Conference in mid-September. He may be reached at mbarrett@diligentinnovations.com.

Key Reports

CNAS: Aum Shinrikyo: Insights Into How Terrorists Develop Biological and Chemical Weapons

A new report from the Center for a New American Security takes a detailed look at the Aum Shinrikyo attacks and finds that "though police pursuit of Aum was remarkably lax, even intermittent or anticipated enforcement actions highly disrupted the cult's efforts to develop chemical and biological weapons."

Get the report

White House: Strategy to Combat Transnational Organized Crime

A new report from the White House's national security staff lays out an agenda for defeating transnational organized crime. Among the major goals: "Defeat transnational criminal networks that pose the greatest threat to national security by targeting their infrastructures, depriving them of their enabling means, and preventing the criminal facilitation of terrorist activities."

Get the report

CNAS: The Decline of US Earth Monitoring Capabilities And Its Consequences For National Security

A new report from the Center for a New American Security finds that "By 2016, only seven of NASA's current 13 earth monitoring satellites are expected to be operational, leaving a crucial information gap that will hinder national security planning."

Get the report


Jobs

CFATS: Chemical Facility Physical Security Consultant

A Chemical Facility Security Consultant will provide physical security, chemical security, and/or cyber security analyses of vulnerability assessments and security plans for chemical facilities regulated by the Department of Homeland Security. The Consultant will assist DHS or other government clients with review and analysis of information submitted by chemical facilities. The job responsibilities will include: (1) evaluation of existing and planned security measures, practices, and plans; (2) evaluation of vulnerabilities; (3) evaluation of risk management practices; (4) participation in coordination meetings and conference calls; and (5) documentation of assessment results (in formal reports, briefings, and white papers).

Read the notice

CFATS: Senior Chemical Security Consultant

The Senior Chemical Security Consultant will provide chemical security analyses of vulnerability assessments and security plans for chemical facilities regulated by the Department of Homeland Security. The Consultant will assist DHS or other government clients with review and analysis of information submitted by chemical facilities. The successful candidate will assist DHS with review and analysis of information submitted by regulated facilities for completeness and consistency.

Read the notice

CFATS: Senior Cyber Security Consultant

The Senior Cyber Security Consultant will provide chemical security analyses of vulnerability assessments and security plans for chemical facilities regulated by the Department of Homeland Security. The Consultant will assist DHS or other government clients with review and analysis of information submitted by chemical facilities. The successful candidate will assist DHS with review and analysis of information submitted by regulated facilities for completeness and consistency. This includes cyber security analysis pertaining to identification and description of computer or cyber systems related to operations, process control, or security.

Read the notice

CFATS: Cyber Security Consultant

A Cyber Security Consultant will provide chemical security analyses of vulnerability assessments and security plans for chemical facilities regulated by the Department of Homeland Security. Under the direction of a Senior Cyber Security Consultant, a Cyber Security Consultant will assist DHS or other government clients with review and analysis of information submitted by chemical facilities. The successful candidate will assist DHS with review and analysis of information submitted by regulated facilities for completeness and consistency. This includes cyber security analysis pertaining to identification and description of computer or cyber systems related to operations, process control, or security.

Read the notice

CFATS: Senior Physical Security Consultant

A Senior Physical Security Consultant will provide physical security analyses of vulnerability assessments and security plans for chemical facilities regulated by the Department of Homeland Security. The Consultant will assist DHS or other government clients with review and analysis of information submitted by chemical facilities. The successful candidate will assist DHS with review and analysis of information submitted by regulated facilities for completeness and consistency. The Physical Security Consultant will review designs and security programs and evaluate existing security countermeasures and practices.

Read the notice

Security Management Resources: Petroleum Security Advisor

Provide security advice and support to ensure the security of the people, operations and facilities of the global Petroleum organization. This role will proactively support the Petroleum Security Manager in the implementation of security strategies with particular focus on emerging threats, security incident management, development of security procedures in new locations, and security reviews for established operations.

Read the notice