Risk Assessment Methodology

Definition(s)

Risk Assessment Methodology

Set of methods, principles, or rules used to identify and assess risks and to form priorities, develop courses of action, and inform decision making.

Source: API STANDARD 780, Security Risk Assessment Methodology for the Petroleum and Petrochemical Industries, First Edition, May 2013. Global Standards

Risk Assessment Methodology

Set of methods, principles, or rules used to identify and assess risks and to form priorities, develop courses of action, and inform decision making.

Sample Usage: The Maritime Security Risk Analysis Model (MSRAM) is a risk assessment methodology used to assess risk at our Nation's ports.

Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance

Return On Investment (Risk)

Definition(s)

Return On Investment (Risk)

Calculation of the value of risk reduction measures in the context of the cost of developing and implementing those measures.

Sample Usage: Although the installation of new detection equipment was expensive, the team concluded that the return on investment for the new equipment was positive because of the significant reduction in risk.

Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance

Relative Risk

Definition(s)

Relative Risk

Measure of risk that represents the ratio of risks when compared to each other or a control.

Source: API STANDARD 780, Security Risk Assessment Methodology for the Petroleum and Petrochemical Industries, First Edition, May 2013. Global Standards

Relative Risk

Measure of risk that represents the ratio of risks when compared to each other or a control.

Sample Usage: Although the site is prone to frequent low level flooding, the relative risk posed by a hurricane is greater than that posed by a flood.

Annotation:
  1. The relative risk value of a scenario is meaningful only in comparison to other similarly constructed risk values.
  2. Due to inherent uncertainties in risk analysis, relative risk may be more useful to decision makers than risk measured in expected annualized dollars lost or lives lost.
  3. Using relative risk might convey the necessary meaning to decision makers while avoiding the disclosure of sensitive or classified information.

Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance

Quantitative Risk Assessment Methodology

Definition(s)

Quantitative Risk Assessment Methodology

Set of methods, principles, or rules for assessing risks based on the use of numbers where the meanings and proportionality of values are maintained inside and outside the context of the assessment.

Sample Usage: Engineers at the plant used a quantitative risk assessment methodology to assess the risk of system failure.

Annotation: While a semi-quantitative methodology also involves the use of numbers, only a purely quantitative methodology uses numbers in a way that allows for the consistent use of values outside the context of the assessment.

Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance

Qualitative Risk Assessment Methodology

Definition(s)

Qualitative Risk Assessment Methodology

Set of methods, principles, or rules for assessing risk based on non-numerical categories or levels.

Sample Usage: The qualitative risk assessment methodology allows for categories of "low risk," "medium risk," and "high risk."

Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance

Psychological Consequence

Definition(s)


Psychological Consequence

Effect of an incident, event, or occurrence on the mental or emotional state of individuals or groups resulting in a change in perception and/or behavior.

Sample Usage: A psychological consequence of the disease outbreak could include the reluctance of the public to visit hospitals, which may make it more difficult for experts to control the outbreak.

Annotation: In the context of homeland security, psychological consequences are negative and refer to the impact of an incident, event, or occurrence on the behavior or emotional and mental state of an affected population.

Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance
Probabilistic Risk Assessment

Definition(s)

Probabilistic Risk Assessment

Type of quantitative risk assessment that considers possible combinations of occurrences with associated consequences, each with an associated probability or probability distribution.

Sample Usage: The engineers conducted a probabilistic risk assessment to determine the risk of an accident resulting from a series of compounding failures.

Annotation:
  1. Probabilistic risk assessments are typically performed on complex technological systems with tools such as fault and event trees and Monte Carlo simulations to evaluate security risks and/or accidental failures.
  2. For some types of risk, like those involving human volition, the probability of occurrence of an event may not be independent of the consequences and, in fact, may be a function of the consequences.

Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance

Primary Consequence

Definition(s)

Primary Consequence

Effect that is an immediate result of an event, incident, or occurrence.

Sample Usage: Property damage and injuries were among the primary consequences resulting from the flood.

Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance

Operational Risk

Definition(s)

Operational Risk

Risk that has the potential to impede the successful execution of operations.

Sample Usage: Given that none of the security guards had the flu vaccine, influenza posed an operational risk to provision of security for the facility.

Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance

Non-adaptive Risk

Definition(s)

Non-adaptive Risk

Category of risk that includes threats caused by natural and technological hazards.

Sample Usage: The suspected path of a tornado can be categorized as a non-adaptive risk.

Annotation: Threats from non-adaptive risks are caused by physical characteristics and dimensions that do not change in reaction to measures taken.

Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance

Normalized Risk

Definition(s)


Normalized Risk

Measure of risk created by mathematically adjusting a value in order to permit comparisons.

Sample Usage: The risk assessment report displayed the normalized risk of the three biological agents to facilitate comparison and avoid sharing sensitive information.

Annotation:

  1. Typically, normalized risk divides the risk of each scenario by the sum of the risk across the set of scenarios under consideration. For example, if you are considering the expected number of fatalities from three different biological agents A, B and C, then the total risk posed by these biological agents is the sum of the risk posed by each of them. If agent A has expected fatalities of 10,000, Agent B has 7,000, and Agent C has 3,000, then the total risk is 20,000 fatalities and the normalized risks are 0.5 for Agent A, 0.35 for Agent B, and 0.15 for Agent C. This particular way of normalizing risk is commonly referred to as "normalizing to 1" because now the risk from all the scenarios in the considered set sums to 1.
  2. Risk can be normalized by dividing by an existing sample space value. For example, if there were 100 car accidents this year and 800 last year, then normalizing these values with respect to the total vehicle trips each year permits a more appropriate comparison of the risk of last year versus this year. If there were 10,000 vehicle trips this year then 100/10,000, or 1% of all trips ended in accidents, whereas if last year there were 100,000 vehicle trips then 800/100,000, or 0.8% of all trips ended in accidents. Without normalization it would appear that it was more risky to drive last year, but in reality the opposite is the case.

Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance
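Both normalizations in the annotation above, carried through in code as an added example (this is not code from the DHS Risk Lexicon or any of the standards cited on this page). The function names, the input dictionaries and the zero-total check are assumptions of the example; the numbers are the annotation's own worked figures, and the block generalizes them to any set of scenarios or any pair of periods.

```python
"""Normalized risk: normalize-to-1 and rate-per-exposure (added example).

Assumed helper names; the numeric inputs are the annotation's worked figures.
"""
from typing import Dict, Mapping


def normalize_to_one(risks: Mapping[str, float]) -> Dict[str, float]:
    """Divide each scenario's risk by the sum over the set so the shares sum to 1.

    A zero total (or a negative value) makes the shares meaningless, so the
    function refuses rather than silently dividing by zero.
    """
    if any(value < 0 for value in risks.values()):
        raise ValueError("risk values must be non-negative")
    total = sum(risks.values())
    if total == 0:
        raise ValueError("cannot normalize: total risk across the set is zero")
    return {name: value / total for name, value in risks.items()}


def rate_per_exposure(events: float, exposures: float) -> float:
    """Normalize an event count by the size of the sample space it came from."""
    if exposures <= 0:
        raise ValueError("exposure count must be positive")
    return events / exposures


def compare_periods(counts: Mapping[str, float],
                    exposures: Mapping[str, float]) -> Dict[str, float]:
    """Rate per exposure for each period, e.g. accidents per vehicle trip."""
    return {period: rate_per_exposure(counts[period], exposures[period])
            for period in counts}


# Constructed inputs, copied from the annotation's worked numbers.
AGENT_FATALITIES = {"A": 10_000, "B": 7_000, "C": 3_000}
ACCIDENTS = {"last_year": 800, "this_year": 100}
VEHICLE_TRIPS = {"last_year": 100_000, "this_year": 10_000}

if __name__ == "__main__":
    for agent, share in normalize_to_one(AGENT_FATALITIES).items():
        print(f"Agent {agent}: normalized risk {share:.2f}")
    rates = compare_periods(ACCIDENTS, VEHICLE_TRIPS)
    for period, rate in rates.items():
        print(f"{period}: {rate:.1%} of trips ended in an accident")
    # Raw counts rank last year as riskier; the per-trip rates reverse that ranking.
    print("raw counts rank last year riskier:",
          ACCIDENTS["last_year"] > ACCIDENTS["this_year"])
    print("per-trip rates rank this year riskier:",
          rates["this_year"] > rates["last_year"])
```

The second normalization is the one that matters for defensive metrics: a count of incidents per year is only comparable across years when divided by the exposure that generated it (trips, sessions, requests), and the block shows the ranking flipping once that division is done.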

Net Assessment

Definition(s)

Net Assessment

Multidisciplinary strategic assessment process used to provide a comparative evaluation of the balance of strengths and weaknesses.

Sample Usage: A key aspect of net assessment involves analyzing technological influences on the security environment.

Annotation: Net assessment often involves the combined use of business principles, scenarios, crisis gaming and path gaming, conflict situations, and other tools.

Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance

Natural Hazard

Definition(s)

Natural Hazard

Source of harm or difficulty created by a meteorological, environmental, or geological phenomenon or combination of phenomena.

Sample Usage: A natural hazard, such as an earthquake, can occur without warning.

Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance

Mission Consequence

Definition(s)

Mission Consequence

Effect of an incident, event, operation, or occurrence on the ability of an organization or group to meet a strategic objective or perform a function.

Sample Usage: The inability to ensure the public's access to clean drinking water could be a mission consequence of the earthquake.

Annotation: Valuation of mission consequence should exclude other types of consequences (e.g., human consequence, economic consequence, etc.) if they are evaluated separately in the assessment.

Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance

Joint Probability

Definition(s)

Joint Probability

Joint probability is the probability of two events occurring in conjunction, that is, the probability that event A and event B both occur, written as P(A ∩ B) or P(AB) and pronounced "A intersect B." The probability of someone dying from the pandemic flu is equal to the joint probability of someone contracting the flu (event A) and the flu killing them (event B). Joint probabilities are regularly used in Probabilistic Risk Assessments and Event Trees.

Sample Usage: The probability of developing a fever from influenza is equal to the joint probability of someone contracting influenza and developing a fever.

Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance

Intentional Hazard

Definition(s)

Intentional Hazard

Source of harm, duress, or difficulty created by a deliberate action or a planned course of action.

Sample Usage: Cyber attacks are an intentional hazard that DHS works to prevent.

Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance

Indirect Consequence

Definition(s)

Indirect Consequence

Effect that is not a direct consequence of an event, incident, or occurrence, but is caused by a direct consequence, subsequent cascading effects, and/or related decisions.

Sample Usage: In the following months, decreased commerce and tourism were among the indirect consequences resulting from the hurricane.

Annotation:
  1. Examples of indirect consequences can include the enactment of new laws, policies, and risk mitigation strategies or investments, contagion health effects, supply-chain economic consequences, reductions in property values, stock market effects, and long-term cleanup efforts.
  2. Accounting for indirect consequences in risk assessments is important because they may have greater and longer-lasting effects than the direct consequences.
  3. Indirect consequences are also sometimes referred to as ripple, multiplier, general equilibrium, macroeconomic, secondary, and tertiary effects.
  4. The distinction between direct and indirect consequences is not always clear, but what matters in risk analysis is a) capturing the likely effects (be they designated as direct or indirect) that should be part of the analysis, b) clearly defining what is contained as part of direct consequences and what is part of indirect consequences, and c) being consistent across the entire analysis. Such consistency and clarity are important for comparability across scenarios and risk analyses.
  5. Induced consequences are occasionally estimated separately from indirect consequences but should be contained within indirect estimates.

Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance

Human Consequence (Health)

Definition(s)

Human Consequence (Health)

Effect of an incident, event, or occurrence that results in injury, illness, or loss of life.

Sample Usage: The human consequence of the attack was 20 fatalities and 50 injured persons.

Annotation: When measuring human consequence in the context of homeland security risk, consequence is assessed as negative and can include loss of life or limb, or other short-term or long-term bodily harm or illness.

Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance

Horizon Scanning

Definition(s)

Horizon Scanning

Process of identifying future trends, drivers, and/or conditions that may have an effect on future events, incidents, or occurrences.

Sample Usage: In alternative futures analysis of potential attacks on transportation systems, horizon scanning indicated that future availability of technology for adversaries could provide more options for carrying out an attack.

Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance

Game Theory

Definition(s)

Game Theory

Branch of applied mathematics that models interactions among agents where an agent's choice and subsequent success depend on the choices of other agents that are simultaneously acting to maximize their own results or minimize their losses.

Sample Usage: Analysts used game theory to model terrorist behavior in response to potential security measures.

Annotation:
  1. Game theory can be used in the context of risk analysis to model strategic decisions and interactions of agents with conflicting interests to predict likely decision outcomes.
  2. A basic application of game theory involves two players and two strategy alternatives.

Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance

Frequentist Probability

Definition(s)

Frequentist Probability

Interpretation or estimate of probability as the long-run frequency of the occurrence of an event as estimated by historical observation or experimental trials.

Sample Usage:
  1. Based on empirical evidence from repeated experimental trials, the frequentist probability of getting a three when rolling a fair six-sided die is 1/6 or 16.7%.
  2. Based on historical evidence, scientists can provide a frequentist probability of experiencing a category 5 hurricane in a given year.

Annotation:
  1. Within the frequentist probability interpretation, precise estimation of new or rarely occurring events, such as the probability of a catastrophic terrorist attack, is generally not possible.
  2. Frequentist probabilities generally do not incorporate "degree of belief" information, such as certain types of intelligence information.

Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance

Economic Consequence

Definition(s)

Economic Consequence

Effect of an incident, event, or occurrence on the value of property or on the production, trade, distribution, or use of income, wealth, or commodities.

Sample Usage: The loss of the company's trucking fleet was an economic consequence of the tornado.

Annotation: When measuring economic consequence in the context of homeland security risk, consequences are usually assessed as negative and measured in monetary units.

Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance

Direct Consequence

Definition(s)

Direct Consequence

Effect that is an immediate result of an event, incident, or occurrence.

Source: API STANDARD 780, Security Risk Assessment Methodology for the Petroleum and Petrochemical Industries, First Edition, May 2013. Global Standards

Direct Consequence

Effect that is an immediate result of an event, incident, or occurrence.

Sample Usage: Property damage and loss of life were among the direct consequences resulting from the hurricane.

Annotation:
  1. Direct consequences can include injuries, loss of life, on-site business interruption, immediate remediation costs, and damage to property and infrastructure as well as to the environment.
  2. The distinction between direct and indirect consequences is not always clear, but what matters in risk analysis is a) capturing the likely effects (be they designated as direct or indirect) that should be part of the analysis, b) clearly defining what is contained as part of direct consequences and what is part of indirect consequences, and c) being consistent across the entire analysis. Such consistency and clarity are important for comparability across scenarios and risk analyses.

Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance

Deterrent

Definition(s)

Deterrent

Measure that discourages, complicates, or delays an adversary's action or occurrence by instilling fear, doubt, or anxiety.

Sample Usage: Robust countermeasures can serve as a deterrent to some adversaries, causing them to change, delay, or abandon their plans.

Annotation:
  1. A deterrent reduces threat by decreasing the likelihood that an attack (or illegal entry, etc.) will be attempted.
  2. One form of deterrent is a prospective punitive action intended to discourage the adversary from acting (e.g., massive nuclear retaliation, Mutual Assured Destruction during the Cold War, or prison for conventional crimes). Another form of deterrent is a measure or set of measures that affects the adversary's confidence of success (e.g., fences, border patrols, checkpoints).
  3. A deterrent may cause an adversary to abandon plans to attempt an attack (or illegal entry, etc.).
  4. A deterrent may cause the adversary to react by "threat shifting" in any of several domains: shift in time (delay); shift in target; shift in resources (additional resources); and/or a shift in plan or method of attack.
  5. Resilience, in terms of both critical economic systems and infrastructure and in societal resilience (e.g., the famed British "stiff upper lip" of WWII, advance preparation for effective consequence reduction response operations, etc.), also has a potential deterrent value achieved when terrorist groups perceive that the strategic impact they seek through a particular attack or type of attack will not be achieved.

Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance

Decision Analysis

Definition(s)

Decision Analysis

Techniques, body of knowledge, and professional practice used to provide analytical support for making decisions through a formalized structure.

Sample Usage: Decision analysis can be used to more effectively allocate resources to various risk reduction measures.

Annotation: Decision analysis can be used in the context of risk analysis to evaluate complex risk management decisions. Decision analysis can be applied to strategic, operational, and tactical decisions.

Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance

Criticality Assessment

Definition(s)

Criticality Assessment

Product or process of systematically identifying, evaluating, and prioritizing based on the importance of an impact to mission(s), function(s), or continuity of operations.

Source: API STANDARD 780, Security Risk Assessment Methodology for the Petroleum and Petrochemical Industries, First Edition, May 2013. Global Standards

Criticality Assessment

Product or process of systematically identifying, evaluating, and prioritizing based on the importance of an impact to mission(s), function(s), or continuity of operations.

Sample Usage: A criticality assessment determined that the county's chemical plants required greater attention than previously determined.

Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance

Criticality

Definition(s)

Criticality

Importance to a mission, function, or continuity of operations.

Source: API STANDARD 780, Security Risk Assessment Methodology for the Petroleum and Petrochemical Industries, First Edition, May 2013. Global Standards

Criticality

Importance to a mission or function, or continuity of operations.

Sample Usage: The criticality of the asset was determined based upon the number of people to whom it provided service.

Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance

Countermeasure

Definition(s)

Countermeasure

An action, measure, or device intended to reduce an identified risk.

Source: API STANDARD 780, Security Risk Assessment Methodology for the Petroleum and Petrochemical Industries, First Edition, May 2013. Global Standards

Countermeasure

Means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be administrative, technical, management, or legal in nature. [ISO/IEC 27000:2009]
  • NOTE: ISO Guide 73:2009 defines control as simply a measure that is modifying risk.

Source: ISO/IEC 27032:2015, Information technology — Security techniques — Guidelines for cybersecurity, First Edition, July 2012. Global Standards

Countermeasure

Action, measure, or device intended to reduce an identified risk.

Sample Usage: Some facilities employ surveillance cameras as a countermeasure.

Annotation: A countermeasure can reduce any component of risk: threat, vulnerability, or consequence.

Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance

Countermeasure

Action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken [11].
  • NOTE: The term "Control" is also used to describe this concept in some contexts. The term countermeasure has been chosen for this standard to avoid confusion with the word control in the context of "process control."

Source: ANSI/ISA–99.00.01–2007, Security for Industrial Automation and Control Systems, Part 1: Terminology, Concepts, and Models, 29 October 2007. National Standard

Cost-benefit Analysis (CBA)

Definition(s)

Cost-benefit Analysis

The decision-making process in which the costs and benefits of each countermeasure alternative are compared and the most appropriate alternative is selected.

Source: API STANDARD 780, Security Risk Assessment Methodology for the Petroleum and Petrochemical Industries, First Edition, May 2013. Global Standards

Cost-benefit Analysis (CBA)

Analytic technique used to compare alternatives according to the relative costs incurred and the relative benefits gained.

Extended Definition: typically measured in monetary terms.

Sample Usage: Cost-benefit analysis allowed risk practitioners to make recommendations between two different screening systems.

Annotation: The analysis can incorporate discounting calculations to take into account the time value of money.

Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance

Cost-effectiveness Analysis (CEA)

Definition(s)

Cost-effectiveness Analysis (CEA)

Analytic technique that compares the cost of two or more alternatives with the same outcome. Alternatively: analytic technique that evaluates an alternative by how much it delivers per unit cost, or how much has to be spent per unit benefit.

Sample Usage: Cost-effectiveness analysis supported selection of a new screening technology for detecting contraband items because its cost per item detected is less than that of the current screening method.

Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance