0:33

In lesson 20 we examined the application of a risk analysis method called RAMCAP.

Â We saw how RAMCAP estimated risk as the product of estimates for consequence,

Â threat, and vulnerability.

Â Using RAMCAP, we estimated the risk reduction worth of each countermeasure,

Â then calculated the corresponding return on investment

Â by dividing risk by estimated cost.

Â Cost benefit analysis consisted of choosing the countermeasure that provided

Â the highest calculated return on investment.

Â 1:06

As we noted in lesson 20, RAMCAP was developed by the American Society of

Â Mechanical Engineers at the request of the White House, shortly after 9/11.

Â RAMCAP was specifically formulated to help assess risk

Â across all infrastructure assets and

Â sectors, to help prioritize protective investments at the national level.

Â Unfortunately, RAMCAP fell into obscurity, shortly after it was

Â introduced in the 2006 National Infrastructure Protection Plan.

Â One of the reasons RAMCAP fell into disuse,

Â was that many believe there is no one size fits all when it comes to risk analysis.

Â Indeed, there are an estimated 250 critical infrastructure risk

Â methodologies, which begs the question, why so many?

Â The answer lies in the fact that each methodology

Â is the result of a different set of tradeoffs.

Â RAMCAP itself is uniquely distinguished by its own set of tradeoffs.

Â It begins with the question of completeness.

Â Do you analyze the network or the nodes?

Â In other words, do you also include interdependencies in your risk analysis?

Â RAMCAP does not include interdependencies in its risk analysis.

Â RAMCAP risk analysis focuses on the individual asset.

Â Many researchers justifiably argue

Â that risk analysis is incomplete without considering interdependencies.

Â There are at least 30 models specializing in interdependency analysis.

Â Interdependency models though,

Â must be highly detailed to yield reasonable results.

Â Since assets are part of the network detail, they must be assessed,

Â at some level, individually.

Â Thus it is reasonable to begin with risk analysis with an asset.

Â But understand, the analysis is incomplete without including the network.

Â 3:30

RAMCAP chose a quantitative approach in order to attain

Â higher confidence in the risk results compared to qualitative methods.

Â The quantitative approach, however, is tempered by precision.

Â Various methods are advocated to achieve a high level of precision in

Â estimating risk.

Â Including Bayesian networks, conditional linear Gaussian networks, stochastic

Â models ,and other formal quantitative methods with proven records of performance

Â in diverse fields of engineering, finance, health care and meteorology.

Â What trips up these methods with critical infrastructure is the lack of data for

Â statistical analysis of man made catastrophic incidents.

Â RAMCAP encourages precision at every step in the risk analysis process, but

Â accepts that in the absence of complete data, precision is an unattainable goal.

Â RAMCAP is satisfied, therefore,

Â that the corresponding risk results must necessarily be relative and not absolute.

Â 4:30

In a similar manner, the absence of hard data has forced the adoption of informal

Â means for estimating risk, compared to the previous cited formal means.

Â Thus RAMCAP estimates risk as the product of consequence, threat, and vulnerability.

Â This approach is acceptable, so

Â long as the risk results can be made consistent across assets and sectors.

Â RAMCAP achieves consistency by systematically applying

Â the same risk formulation across assets and sectors.

Â Consistency can be further improved by applying rigorous methods for

Â estimating terms in the RAMCAP formulation.

Â Rigorous methods for estimating consequence, threat, and

Â vulnerability values, encompass various means of elicitation and modeling.

Â The Delphi method is perhaps the best known rigorous system

Â among elicitation methods.

Â Faultries, eventries, reliability block diagrams and other causal analysis

Â methods are well respected on reliability and safety engineering.

Â Such rigorous methods though, requires substantial investments, and

Â time, and resources, making them impractical for a large scale application.

Â Alternatively, RAMCAP employs a bounded system to elicit consequence, threat,

Â and vulnerability values, based on a standard set of reference scenarios.

Â These scenarios currently include 41 different natural and man-made hazards.

Â Using these same reference scenarios also promotes interoperability by facilitating

Â comparison of RAMCAP risk results across infrastructure assets and sectors.

Â The ability to compare risk results, apples to apples, across assets and

Â sectors, perfectly suited the purpose for which RAMCAP was designed.

Â Specifically, to make strategic decisions about

Â national investments in critical infrastructure protection.

Â The point of this lesson, with respect to cybersecurity, is that infrastructure

Â owners and operators may undergo a similar exercise to develop their own risk

Â analysis methodology that's tailored to their own unique set of circumstances.

Â Okay, let us review what we have learned here.

Â 1, there is no absolute security, all security entails risk.

Â 2, risk analysis provides a means for

Â assessing the cost-benefit return on security investments.

Â 3, all risk formulations are a product of the tradeoffs chosen in making them.

Â 4, when it comes to critical infrastructure,

Â the first tradeoff is the choice of analyzing the network or the asset.

Â No risk analysis is complete without considering the network.

Â 5, quantitative risk analysis offers more confidence

Â in results compared to qualitative risk analysis, but at the expense of time.

Â 6, the precision of a quantitative risk analysis

Â is determined by the choice of absolute or relative values.

Â 7, the accuracy of a quantitative risk analysis

Â is determined by the choice of using formal or informal methods.

Â 8, the consistency of results will be enhanced

Â by taking a systematic versus, an ad hoc, approach to risk analysis.

Â 9, the time needed to conduct a risk analysis will be reduced

Â by taking a bounded approach versus a rigorous approach.

Â