Exposure: A New Decision Metric for Selecting Effective Sets of Security Upgrades

January, 2015
IDA document: D-5324
FFRDC: Systems and Analyses Center
Division: Strategy, Forces and Resources Division
Kevin E. Burns, Jason A. Dechant, J. Darrell Morgeson, Yazmin Seda-Sanabria, Enrique E. Matheu
The United States Army Corps of Engineers (USACE) conducts Security Risk Assessments (SRAs) at its most consequential dam projects. The Common Risk Model for Dams (CRM-D) provides a mathematically rigorous and easy-to-implement way to conduct SRAs. The CRM-D quantifies risk as the product of the probability of a successful attack and consequences. Referred to as conditional risk, this decision metric is the expected loss given that a specified attack is attempted on a particular target. A specified attack (consisting of an attacker type and an attack vector) carried out on a particular target comprises a scenario. The CRM-D considers three attacker types and 32 attack vectors identified by USACE Headquarters. A dam with only a modest number of critical assets could thus have several hundred scenarios and consequently several hundred conditional risk estimates. This paper introduces a decision metric, exposure, which allows the analyst to aggregate conditional risk estimates across scenarios. The analyst can use exposure to compare risks by attack type, by target, or for any useful set of scenarios. These comparisons can guide an analyst in determining a proposed set of security upgrades. A standard set of graphics and return-on-investment calculations based on exposure are introduced that summarize the current level of risk at a dam project as well as the reduced level of risk should the set of recommended security upgrades be implemented.