UNCLASSIFIED

Developing Risk Assessments

The ability to illustrate and articulate Risk Assessments is a critical factor in leveraging limited resources. The following will help in building a Risk Assessment (RA) Profile.

Jonathan Greenstein (jonathan.greenstein@leo.gov)

UNCLASSIFIED

CLASSIFICATION
This information is UNCLASSIFIED. The processes and procedures utilized are also UNCLASSIFIED. When conducted, RAs are classified SENSITIVE to a higher level. Ensure working documents and supportive information is appropriately marked and protected.

UNCLASSIFIED

Step 1: Identify Threats

Identification of threats is the first step in the RA process. Through reviews of classified, law enforcement sensitive and open source intelligence, the threats facing your enterprise will be identified. The potential to become an overly extensive list of every possible threat exists, as such, it may be best to limit the threats to a top 5.

UNCLASSIFIED

Threats
When conducting threat research, ensure you are able to cite authoritative references used to quantify the top threats used in the RA. It may be helpful to devote a stand-alone file to maintain copies of threat reporting and intelligence.

UNCLASSIFIED

Quantifying Threats
For the purpose of this training, focus on criminal/terrorism based threats. While other threats exist, to maintain focus; this RA should be based on the these.

UNCLASSIFIED

Step 2: Assess Vulnerability

As part of a regular vulnerability assessment, there should be process in which the activity is assessed for vulnerabilities. These vulnerabilities are identified through systematic assessments.

UNCLASSIFIED

Vulnerability to Threat
Once the Threat Assessment is completed, match those threats against Vulnerabilities. What threat has the greatest probability of success against an identified vulnerability.

UNCLASSIFIED

Step 3: Determine Criticality

As part of the overall RA process, the criticality of a particular asset must be determined. In general, criticality applies to the impact on overall operations that would occur if that asset was impacted to the point of failure. Short-term or minor impact would lower criticality rating, while long-term or major impact would raise the criticality rating.

UNCLASSIFIED

Step 3: Computation
Once the Threat Probability (TP), Vulnerability (V) and Criticality (C) are quantified, the next step in the Risk Assessment process is the computation of the Relative Risk. Multiply TP x V x C to resolve the Relative Risk

TP (times) V (times) C = RR

UNCLASSIFIED

Illustrating the Risk Assessment

Threat Probability (TP) 1-5 1-5 1-5 1-5 1-5 Vulnerability (V) 1-5 1-5 1-5 1-5 1-5 Criticality (C) 1-5 1-5 1-5 1-5 1-5 Relative Risk Sum Value Sum Value Sum Value Sum Value Sum Value

Threat Probability (Numeric Value) 1-5: Lower the value, higher the threat Vulnerability (Numeric Value) 1-5: Lower the value, higher the vulnerability Criticality (Numeric Value) 1-5: Lower the value, higher the criticality Relative Risk (Computation of TP (times) Vulnerability (times) Criticality.

TP x V x C= Relative Risk.

EXAMPLE
Threat Probability (TP) Threat of XYZ (3) Threat of WYR (2) Threat of TRW (1) Threat of HGT (4) Threat of UFO (5) Vulnerability (V) 1 2 3 4 5 Criticality (C) 1 2 3 4 5

UNCLASSIFIED
Relative Risk (TP x V x C) 3 8 9 64 125

In the example depicted above, the threat probability(TP) with the greatest vulnerability (V) that shares the highest criticality (C) and which equates to the greatest relative risk (RR) is listed first. This method easily illustrates the Probability, Vulnerability, Criticality and overall Relative Risk in an easy to follow format, while not revealing details related to specific vulnerabilities or criticality. When articulating the Threat Probability, you may want to consider a generic statement such as : VBIED versus a detailed definition of the particular threat.

UNCLASSIFIED

Threat 5

Based on IIR 123.21, 435.998

Threat 4

EXAMPLE

Based on IIR 948363.093

Threat 3

Based on IIR 4532.3937

Threat 2

Based on IIR Based on IIR 12345.342 12345.342 Threat 1

Significant

Moderate

High

Low

UNCLASSIFIED

UNCLASSIFIED

Review
Ensure your Threat Probability is supported by authoritative references; Vulnerability should be based on current assessments; Criticality is the relative impact to mission; Relative Risk is the sum of TP, V and C;

UNCLASSIFIED

Review
When articulating threat, vulnerability and criticality, attempt to keep the information at the lowest level of classification. This will ensure dissemination is not unduly hampered; Keep definitions and illustrations as simple as possible, while conveying clear information.

About

UNCLASSIFIED

This product was developed as part of a professional development exercise. It is being freely distributed for the benefit of the law enforcement and force protection community. Commercial use, application or distribution without the authors express consent is prohibited.

UNCLASSIFIED

Questions / Comments
Please direct questions or comments to:
Jonathan Greenstein
Creator and Author

jonathan.greenstein@leo.gov