Nov 19, 2020

Quality Management Risk Assessment Analysis

Reducing vulnerability requires considering the risk analysis methodologies of several specific risk analysis models in order to decide on threat and consequence values. MSRAM, CARVER, and KDAS are three popular assessment tools for analyzing and protecting infrastructure. CARVER and MSRAM are multi-criteria analytical tools: they use from one to ten criteria to rank assets by vulnerability, costs, threats, and so on. According to Flammini, CARVER is a risk and vulnerability assessment tool that has seen widespread use across a large number of sectors. CARVER was developed to prevent damage to the U.S. Special Forces during the Vietnam War. It was therefore tested in wartime and approved as a reliable security tool for assessing risks and preventing damage to homeland infrastructure. CARVER has the simplest user interface: it has drop-down menus for six categories, and the user can run an analysis and produce a report in a few minutes. It is an asset-level tool. On the one hand, it makes it possible to score targets to be eliminated; on the other hand, it does not consider interconnections between assets or the series of failures they cause. It is necessary to keep in mind that the score in this case is not grounded in risk. CARVER calculates the sum of risks across six key categories, and it was designed to assess criticality, accessibility, recuperability, vulnerability, effect, and recognizability concerning people. CARVER helps the user make decisions about risks. At the same time, the user cannot see the connection between the scores and what they represent, or how they are assigned. CARVER is used to assess the vulnerability of a single asset.

The MSRAM (Maritime Security Risk Analysis Model) was designed by the U.S. Coast Guard to assess risks within all areas of its deployment and to assess all American ports and waterways as well. According to the MSRAM, risk consists of three elements: threat, vulnerability, and consequences. Risk is determined by estimating each element, and a Risk Index Number (RIN) is associated with a dollar equivalent of the cost of consequences. Risks are determined at four levels, and the data are entered in a single database: the Captain of the Port, the District, Areas, and Headquarters. MSRAM's single methodology allows risks to be analyzed across the U.S. Coast Guard's jurisdiction. The disadvantage is that the MSRAM can be applied only within the U.S. Coast Guard. At the same time, the MSRAM is applied all over the United States and is the most popular analytical tool. It identifies 23 attack modes used by expected enemies and 62 target classes, selected through drop-down windows. Users are unable to change scenarios (a scenario is a pair of target class and attack mode) because they are factory installed. Moreover, the Intelligence Coordination Center set the threat number for each scenario, so users have the threat probabilities calculated by the MSRAM tool. This feature is absent in other tools, and it brings the MSRAM close to the standards of risk analysis. Therefore, MSRAM analyses are the most important for making decisions on the allocation of investments and resources.


KDAS (Knowledge Display and Aggregation System) was designed to model interdependency for analyzing failures. KDAS is an operational tool in the U.S. Pentagon's Global Situational Awareness Facility (GSAF). KDAS is used to support the Office of the Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs in modeling risks to the DIB (Defense Industrial Base) from natural and man-made real-time events. Units in KDAS are arranged in a node-link configuration that defines the relations and dependencies between them, so that they act like a single mechanism. Users can analyze both the visual state of nodes and their possible behaviors depending on the behaviors of other nodes. Thus, users can see the entire chain of events that may emerge as a result of a change in the situation. The system displays the operational state of the nodes, and users can analyze various possible behaviors depending on the selected regime. Moreover, the system makes it possible to analyze any third-party simulation and its influence on the asset objects, the time-stepped propagation of any plume event, and its total influence. Such important national organizations as the Federal Emergency Management Agency (FEMA), the Arizona Counter Terrorism Information Center (ACTIC), and Amtrak have used the KDAS technology.

CARVER, MSRAM, and KDAS are the three most useful tools for risk analysis. CARVER is not based on risk, but it allows quick prioritization of targets. MSRAM is the authoritative method: it provides a rigorous assessment of risks with appropriate quality control and sets standards for such activities. KDAS is a system for risk and situation analysis, but it has some shortcomings: the absence of standardization, immaturity in defining dependencies, and scalability as a limiting factor in large systems. At the same time, KDAS combines theory and practice so that it can be applied in real situations.

According to DHS policy, there are four types of threats: direct, indirect, veiled, and conditional. It is necessary to evaluate the CI/KR systems in order to identify risks. Risk managers then calculate the investments needed to reduce system risks. According to the MBRA strategy, certain investments in risk prevention reduce vulnerability:

$$v_i(D_i) = V_i(0)\exp\left(-\alpha_i D_i / \max D_i\right),$$

where

$V_i(0)$ is the initial vulnerability;

$\max D_i$ is the maximum vulnerability elimination cost;

$\alpha_i$ is a constant determined by the minimum vulnerability, $\alpha_i = -\ln(0.05 / V_i(0))$.

Thus, minimizing risk means allocating investments according to gTVC:

$D_i = \max D_i$.

Therefore, gTVC/maxD is an optimal allocation of the risk investments, and $\max D_i$ determines the return on investment.
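The vulnerability-reduction formula above, worked through in Python as an added example that is not part of the original essay: it evaluates the curve at several investment levels and inverts it to find the investment needed to reach a target vulnerability. The asset names and figures are constructed, and the name `alpha` for the constant is an assumption of this example.

```python
import math

FLOOR = 0.05  # vulnerability reached at full investment, from the constant -ln(0.05 / V_i(0))

def alpha(v0):
    """Constant for one asset: -ln(0.05 / V_i(0))."""
    if not FLOOR < v0 <= 1.0:
        raise ValueError("initial vulnerability must be in (0.05, 1.0]")
    return -math.log(FLOOR / v0)

def vulnerability(v0, d, max_d):
    """v_i(D_i) = V_i(0) * exp(-alpha_i * D_i / maxD_i); D_i is clamped to [0, maxD_i]."""
    d = min(max(d, 0.0), max_d)
    return v0 * math.exp(-alpha(v0) * d / max_d)

def investment_for_target(v0, target, max_d):
    """Invert the curve: the D_i that brings vulnerability down to `target`."""
    if target >= v0:
        return 0.0  # already at or below the target, nothing to spend
    if target < FLOOR:
        raise ValueError("targets below 0.05 are unreachable in this model")
    return max_d * math.log(v0 / target) / alpha(v0)

# Constructed sample assets: (name, V_i(0), maxD_i in thousands of dollars)
ASSETS = [
    ("pump station", 0.90, 400.0),
    ("control room", 0.50, 250.0),
    ("substation", 0.20, 100.0),
]

def report(fractions=(0.0, 0.25, 0.5, 1.0)):
    """Residual vulnerability of each asset at the given fractions of maxD_i."""
    return [
        (name, [round(vulnerability(v0, f * max_d, max_d), 3) for f in fractions])
        for name, v0, max_d in ASSETS
    ]

if __name__ == "__main__":
    for name, values in report():
        print(f"{name:13s}", values)
    # Investment needed to take the pump station from 0.90 down to 0.20
    print(round(investment_for_target(0.90, 0.20, 400.0), 1))
```

Every asset ends at 0.05 when $D_i = \max D_i$, whatever its initial vulnerability, and half of the maximum investment leaves $\sqrt{0.05\,V_i(0)}$, so the early dollars buy the largest reduction.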

Risk is reduced by reducing vulnerability and is maximized by increasing threat. When equilibrium between the main factors of risk is reached, it is possible to calculate the risk value:

$$T_i(A_i) = 1 - \exp\left(-\gamma_i A_i / \max A_i\right),$$

where

$\max A_i$ is a maximum threat cost, close to 1.0;

$\gamma_i$ is a constant determined by the maximum threat. As a rule, $\gamma_i = -\ln(0.05)$.

Therefore, it is necessary to calculate the costs of threat, vulnerability, and consequences in order to eliminate risks.


