0:33

In lesson 20 we examined the application of a risk analysis method called RAMCAP.

We saw how RAMCAP estimated risk as the product of estimates for consequence,

threat, and vulnerability.

Using RAMCAP, we estimated the risk reduction worth of each countermeasure,

then calculated the corresponding return on investment

by dividing risk by estimated cost.

Cost benefit analysis consisted of choosing the countermeasure that provided

the highest calculated return on investment.

1:06

As we noted in lesson 20, RAMCAP was developed by the American Society of

Mechanical Engineers at the request of the White House, shortly after 9/11.

RAMCAP was specifically formulated to help assess risk

across all infrastructure assets and

sectors, to help prioritize protective investments at the national level.

Unfortunately, RAMCAP fell into obscurity, shortly after it was

introduced in the 2006 National Infrastructure Protection Plan.

One of the reasons RAMCAP fell into disuse,

was that many believe there is no one size fits all when it comes to risk analysis.

Indeed, there are an estimated 250 critical infrastructure risk

methodologies, which begs the question, why so many?

The answer lies in the fact that each methodology

is the result of a different set of tradeoffs.

RAMCAP itself is uniquely distinguished by its own set of tradeoffs.

It begins with the question of completeness.

Do you analyze the network or the nodes?

In other words, do you also include interdependencies in your risk analysis?

RAMCAP does not include interdependencies in its risk analysis.

RAMCAP risk analysis focuses on the individual asset.

Many researchers justifiably argue

that risk analysis is incomplete without considering interdependencies.

There are at least 30 models specializing in interdependency analysis.

Interdependency models though,

must be highly detailed to yield reasonable results.

Since assets are part of the network detail, they must be assessed,

at some level, individually.

Thus it is reasonable to begin with risk analysis with an asset.

But understand, the analysis is incomplete without including the network.

3:30

RAMCAP chose a quantitative approach in order to attain

higher confidence in the risk results compared to qualitative methods.

The quantitative approach, however, is tempered by precision.

Various methods are advocated to achieve a high level of precision in

estimating risk.

Including Bayesian networks, conditional linear Gaussian networks, stochastic

models ,and other formal quantitative methods with proven records of performance

in diverse fields of engineering, finance, health care and meteorology.

What trips up these methods with critical infrastructure is the lack of data for

statistical analysis of man made catastrophic incidents.

RAMCAP encourages precision at every step in the risk analysis process, but

accepts that in the absence of complete data, precision is an unattainable goal.

RAMCAP is satisfied, therefore,

that the corresponding risk results must necessarily be relative and not absolute.

4:30

In a similar manner, the absence of hard data has forced the adoption of informal

means for estimating risk, compared to the previous cited formal means.

Thus RAMCAP estimates risk as the product of consequence, threat, and vulnerability.

This approach is acceptable, so

long as the risk results can be made consistent across assets and sectors.

RAMCAP achieves consistency by systematically applying

the same risk formulation across assets and sectors.

Consistency can be further improved by applying rigorous methods for

estimating terms in the RAMCAP formulation.

Rigorous methods for estimating consequence, threat, and

vulnerability values, encompass various means of elicitation and modeling.

The Delphi method is perhaps the best known rigorous system

among elicitation methods.

Faultries, eventries, reliability block diagrams and other causal analysis

methods are well respected on reliability and safety engineering.

Such rigorous methods though, requires substantial investments, and

time, and resources, making them impractical for a large scale application.

Alternatively, RAMCAP employs a bounded system to elicit consequence, threat,

and vulnerability values, based on a standard set of reference scenarios.

These scenarios currently include 41 different natural and man-made hazards.

Using these same reference scenarios also promotes interoperability by facilitating

comparison of RAMCAP risk results across infrastructure assets and sectors.

The ability to compare risk results, apples to apples, across assets and

sectors, perfectly suited the purpose for which RAMCAP was designed.

Specifically, to make strategic decisions about

national investments in critical infrastructure protection.

The point of this lesson, with respect to cybersecurity, is that infrastructure

owners and operators may undergo a similar exercise to develop their own risk

analysis methodology that's tailored to their own unique set of circumstances.

Okay, let us review what we have learned here.

1, there is no absolute security, all security entails risk.

2, risk analysis provides a means for

assessing the cost-benefit return on security investments.

3, all risk formulations are a product of the tradeoffs chosen in making them.

4, when it comes to critical infrastructure,

the first tradeoff is the choice of analyzing the network or the asset.

No risk analysis is complete without considering the network.

5, quantitative risk analysis offers more confidence

in results compared to qualitative risk analysis, but at the expense of time.

6, the precision of a quantitative risk analysis

is determined by the choice of absolute or relative values.

7, the accuracy of a quantitative risk analysis

is determined by the choice of using formal or informal methods.

8, the consistency of results will be enhanced

by taking a systematic versus, an ad hoc, approach to risk analysis.

9, the time needed to conduct a risk analysis will be reduced

by taking a bounded approach versus a rigorous approach.