Terrorism Risk Assessment and Management TRAM Methodology Overview
Terrorism Risk Assessment and Management (TRAM) Methodology Overview Briefing June 6, 2008 For Official Use Only
Introduction to Hazard Risk Management
Objectives of Hazard Risk Management:
§ Develop and implement structured, risk-based analysis practices to enable emergency planning
§ Support investment decision making
§ Establish processes and metrics for continuous risk monitoring
Three Distinct components to Risk Management:
1. Continuous Risk Assessment - Current Risk
2. Historical Risk Monitoring - Looking Back
3. Risk Mitigation - Looking Forward
Current methodology established for terrorism risk. However, structure is general in approach, in order to facilitate assessment and comparison of other risk types.
History of PANYNJ / DHS Collaboration
Methodology originally developed, applied, and validated by DHS in conjunction with the Port Authority of New York and New Jersey
§ PANYNJ sought technical assistance from DHS to develop risk management capabilities for critical infrastructure protection
§ DHS sought to allow the use of risk-based needs assessment as an effective means of making defensible homeland security investments
§ DHS/PANYNJ/SAIC developed and continue to refine a “best-practice” model for conducting risk/needs assessment
§ Serves as a model for other agencies across the nation
Risk Analysis Continuous Assessment
Risk Assessment Goals:
§ Produce a relative measurement of the risk of different hazard scenarios occurring at jurisdictional assets
§ Use common risk metrics across business areas, asset types, and hazard types
§ Employ data that is collectible in a real-world environment with reasonable effort
§ Methods must be discrete enough to enable evaluation of the effectiveness of specific security, response, and recovery capabilities
Overview of the Risk Assessment Process
Criticality Assessment
§ Criticality describes the overall importance of an asset to the organization, to the region, and to the nation.
[Diagram: Critical Asset Factors; Contribution of Asset; Criticality]
§ Critical Asset Factors describe the broad mission(s), both internal and external:
  § Casualty Impact
  § Economic Impact
  § Agency Business Continuity
  § Emergency Response Functions
  § National Strategic Importance
  § Replacement Cost
  § Environmental Impact
§ Contribution of Asset specifies the extent that each asset contributes to the accomplishment of the mission(s) of the jurisdiction
Example Criticality Results
Threat Assessment
Threat Assessment
§ Risk assessment is scenario-based. Evaluates the likelihood and consequence of specific scenarios (attack type and target asset)
§ Threat describes the likelihood of a specific type of event occurring or being directed at a specific asset.
[Diagram: Intent; Capability; Threat]
§ Capability captures the general likelihood (not specific to an asset) that a terrorist organization would execute a given attack based on the complexity of obtaining a weapon and executing the attack
§ Intent describes the likelihood that a terrorist organization would execute a given attack against a specific asset based on the asset’s target attractiveness and level of deterrence
Capability
§ Attack Likelihood (capability) answers the question: “What is the relative likelihood that a terrorist organization would execute a given attack in the jurisdiction based on the complexity of obtaining the weapon and executing the attack?”

Attack Type                      Attack Likelihood
Small Conventional Explosive     10
Large Conventional Explosive     6
Chemical Agent                   2
Radiological Weapon              1
Biological Agent                 0.5
Improvised Nuclear / Nuclear     -
Target Attractiveness (Intent)
[Diagram: Target Value Factors; Deterrence Factors]
Example Threat Results
Scenario Discussion/Development
Goal is to select a complete set of scenarios that are important and plausible:
§ High Scenario Likelihood
§ High perceived Vulnerability
§ High Criticality
§ Specific threats to asset
§ History of attacks on assets of similar type or function
What are the attack scenarios that keep you up at night?
Scenarios are not overly detailed – they describe an asset and an attack type, intended to encompass all potential vulnerabilities at an asset.
Vulnerability Assessment
Vulnerability Assessment
§ Likelihood of Successful Attack (LSA) measures an asset’s vulnerability to attack, based on existing and proposed physical security.
§ It is determined through an analysis based on onsite assessments of the asset using a standardized security capability survey.
§ The survey includes general countermeasure types (i.e., fencing, barriers, etc.) and effectiveness classes.
[Diagram: Security Survey; LSA Guidelines; Attack Type; Likelihood of Access Denial; Likelihood of Detection; Likelihood of Interdiction; Vulnerability (LSA)]
Security Countermeasures & Classes: Fencing/Gates, Barriers, CCTV, IDS, Patrols/Guards, Vehicle Screening, Personnel Screening, CBRNE Detection, Access Control, Public Notification
Evaluation of Security Countermeasures
Example Likelihood Reduction Ratings: L1 = 0.8, L1 = 0.6, L1 = 0.4, L1 = 0.1
Decision Tree Analysis
Question 1: L1 (access denied) = 0.2
Question 2: L2 (attack detected) = 0.7
Question 3: L3 (attack interdicted) = 0.05
Attacks: 100
  Q1 = Y: Access Denied, 20 (Attack Fails)
  Q1 = N: Access Gained, 80
    Q2 = N: Attacks Not Detected, 24 (Attack Successful)
    Q2 = Y: Attacks Detected, 56
      Q3 = Y: Attacks Interdicted, 3 (Attack Fails)
      Q3 = N: Attacks Not Stopped, 53 (Attack Successful)
Success: 77  Failure: 23  LSA: 77%
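Added example (not part of the original briefing): the decision tree above worked through in Python, reproducing the slide's branch counts for L1 = 0.2, L2 = 0.7, L3 = 0.05. Function and field names are assumptions, and running the four example L1 ratings from the previous slide against this slide's L2 and L3 is a constructed what-if, not a TRAM result.

```python
"""Added example, not TRAM code: the three-question LSA decision tree."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TreeResult:
    denied: float        # Q1 yes: access denied, attack fails
    undetected: float    # Q2 no: access gained, never detected, attack succeeds
    interdicted: float   # Q3 yes: detected and stopped, attack fails
    not_stopped: float   # Q3 no: detected but not stopped, attack succeeds

    @property
    def success(self) -> float:
        return self.undetected + self.not_stopped

    @property
    def failure(self) -> float:
        return self.denied + self.interdicted


def decision_tree(l1: float, l2: float, l3: float, attacks: float = 100.0) -> TreeResult:
    """Split `attacks` down the tree: L1 access denied, L2 detected, L3 interdicted."""
    for name, p in (("L1", l1), ("L2", l2), ("L3", l3)):
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"{name} must be a likelihood in [0, 1], got {p}")
    denied = attacks * l1
    gained = attacks - denied
    detected = gained * l2
    interdicted = detected * l3
    return TreeResult(denied, gained - detected, interdicted, detected - interdicted)


def lsa(l1: float, l2: float, l3: float) -> float:
    """Likelihood of Successful Attack as a fraction of all attempts."""
    return decision_tree(l1, l2, l3, attacks=1.0).success


def lsa_for_access_ratings(ratings, l2: float, l3: float) -> dict:
    """What-if: LSA for each candidate access-denial rating, other layers fixed."""
    return {l1: lsa(l1, l2, l3) for l1 in ratings}


if __name__ == "__main__":
    slide = decision_tree(0.2, 0.7, 0.05)  # values from the slide
    print(f"success={slide.success:.1f} failure={slide.failure:.1f} "
          f"LSA={lsa(0.2, 0.7, 0.05):.0%}")
    # Constructed what-if using the example L1 ratings from the previous slide.
    for l1, v in lsa_for_access_ratings([0.8, 0.6, 0.4, 0.1], 0.7, 0.05).items():
        print(f"L1={l1}: LSA={v:.1%}")
```

The slide shows whole attacks (3 interdicted, 53 not stopped); the unrounded branch values are 2.8 and 53.2, so the computed LSA is 77.2%.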
Example Vulnerability Results
Response & Recovery Capabilities Assessment
Response & Recovery Capabilities Assessment
§ The Response Assessment provides the jurisdiction and local emergency response agencies a “self-assessment” tool to identify capabilities, gaps and shortfalls, to include:
  § Staffing & Personnel
  § Training
  § Equipment & Systems
  § Planning
  § Exercise, Evaluation & Corrective Actions
  § Organization & Leadership
§ The Recovery Assessment reviews agency functions and capabilities, in an effort to manage recovery elements and business continuity following a terrorist attack to include:
  § Plans & Procedures
  § Alternate Facilities
  § Operational Capacity
  § Communications
  § Vital Records & Databases
  § Tests, Training and Exercises
Example RRCA Ratings
Impact Assessment
Impact Assessment
§ The Impact assessment leads to the calculation of Consequence for a particular scenario, based upon the initial asset Criticality rating.
§ While the Criticality rating represents the asset’s total contribution to the jurisdiction’s mission, the Impact rating represents that portion of the asset’s criticality that is lost as a result of a successful terrorist attack.
[Diagram: Asset Criticality; Vulnerability to Failure (Structural Failure; Casualties; Downtime; Etc.); Response & Recovery Capabilities; Consequence]
Example Impact Calculations
Risk Assessment
Overview of the Risk Assessment Process
[Diagram labels:]
Threat: Likelihood of an Event Occurring
Vulnerability: Likelihood that Event would Impact Asset
Likelihood of Event Occurring and Impacting the Asset
Criticality: Importance of Asset Overall
Impact: Fraction of Asset Criticality Lost
Consequence: Portion of Criticality Eliminated as a Result of the Event
Relative Risk
Risk Diagram
§ Risk Communication Tool
§ Identifies relative risks to jurisdiction
§ Helps prioritize risk management activities
[Figure: Relative Risk Diagram. Axes: Likelihood, Consequence. Assets: Downtown Bus Terminal, Heart Bridge, Memorial Tunnel, Headquarters Building. Legend: Large Conventional Explosive, Small Conventional Explosive, Radiological, Biological.]
Cost-Benefit Analysis Risk Monitoring
Benefit Analysis
[Diagram: Deterrence; Improvements to Operational Security; Threat; Modified Vulnerability; Likelihood; Criticality; Modified Impact; Consequence; Improvements to Site Hardening or Response and Recovery; Risk Reduction]
Risk Reduction
§ Security improvements at an asset
[Figure: Relative Risk Diagram showing Risk Reduction. Axes: Likelihood, Consequence. Assets: Downtown Bus Terminal, Heart Bridge, Memorial Tunnel, Headquarters Building. Legend: Large Conventional Explosive, Small Conventional Explosive, Radiological, Biological.]
Risk Reduction
§ Hardening improvements at an asset
[Figure: Relative Risk Diagram showing Risk Reduction. Axes: Likelihood, Consequence. Assets: Downtown Bus Terminal, Heart Bridge, Memorial Tunnel, Headquarters Building. Legend: Large Conventional Explosive, Small Conventional Explosive, Radiological, Biological.]
Risk Reduction
§ Response/Recovery improvements at an asset
[Figure: Relative Risk Diagram showing Risk Reduction. Axes: Likelihood, Consequence. Assets: Downtown Bus Terminal, Heart Bridge, Memorial Tunnel, Headquarters Building. Legend: Large Conventional Explosive, Small Conventional Explosive, Radiological, Biological.]
Historical Risk Reduction Performance
[Figure: Relative Risk Diagram. Axes: Likelihood, Consequence. Assets: Downtown Bus Terminal, Heart Bridge, Memorial Tunnel, Headquarters Building. Legend: 2002 Baseline Risk, 2004 Baseline Risk, 2006 Baseline Risk.]
Tracking of Project Specific Results
[Figure: Relative Risk Diagram. Axes: Likelihood, Consequence. Assets: Downtown Bus Terminal, Heart Bridge, Memorial Tunnel, Headquarters Building. Project annotations: IDS at tunnel entrances; Hardening of Tunnels. Legend: 2002 Baseline Risk, 2004 Baseline Risk.]
Risk Tracking Mitigation
Risk Mitigation
§ Risk Mitigation is a process of identifying and evaluating potential projects to reduce the Risk profile of the agency.
§ Primarily a cost-benefit analysis effort, comparing the risk reduction benefit of potential projects with the estimated costs.
§ Goal is to select a set of projects that result in the maximum possible risk reduction for the amount invested - greatest Return on Investment (ROI).
§ Risk Mitigation is an on-going iterative process:
  1. Initial projects identified through high-level analysis effort
     § Generalized project descriptions
     § ROM Costs
  2. Candidate projects are refined and more accurate estimates developed
  3. Cost-benefit analysis updated and continually reevaluated as project descriptions mature
Cost Analysis
§ Produce comparable cost estimates for proposed solutions
  § Initial estimates are relative “national-average” rough costs to enable comparison
  § Not actual jurisdictional costs
  § Next step should always be to produce “real” cost estimates
§ Lifecycle costs
  § Capture true long-term cost of implementation and operation
  § Allow comparison of infrastructure projects versus manpower projects
Return on Investment
§ Comparison of cost versus benefit for proposed solution sets
§ Identifies projects that result in maximum benefit for different levels of investment at a specific asset
§ Identifies marginal Return on Investment (ROI) for each set
Options: 1 - Class 3 Law Enforcement; 2 - Class 1 IDS; 3 - Cable Hardening; 4 - Class 3 CCTV
[Figure: plot of option sets 1/2/3/4, 1/2/4, 1/2/3, 1/2, 1/3/4, 1/3, 2/3/4, 1, 2/4, 2/3, 2, 4, 3/4, 3. Annotations (values as they appear on the slide): Cost Per Unit of Risk Reduction = $42 M, $565 K, $3.1 M, $200 K, $1.0 M; Marginal Cost = $5.1 M, $3.1 M, $1.3 M, $550 K, $1.3 M; Marginal Risk Reduction = 0.1, 1.0, 2.3, 2.8, 1.3.]
All-Hazards Risk Management
§ Risk methodology is extendible to other (non-terrorism) hazards
§ Applicable to a wide range of hazard types:
  § Human-Initiated Hazards: Theft, Sabotage, Vandalism, Etc.
  § Failure Hazards: Structural Failure, Equipment Failure, Operational Failure, Etc.
  § Natural Hazards: Hurricane, Earthquake, Blizzard, Etc.
§ Allows comparison of relative risk across all hazards
§ Allows for the assessment of total risk reduction benefits for proposed solutions
Backup
Intent
[Diagram: Target Value (TV); Deterrence (D); Target Attractiveness (TA); Attack Elasticity (AE); Scenario Likelihood (SL)]
Attack Elasticity
§ The Attack Elasticity specifies the relative likelihood that different attack types might be used against particular assets/targets based on intent
[Figure: curves for SCE, LCE, Chemical, Bio, Rad plotted against Target Attractiveness]