Doctrinal Guidelines for Quantitative Vulnerability Assessments of Infrastructure-Related Risks. Volume I
INSTITUTE FOR DEFENSE ANALYSES ALEXANDRIA VA
Pagination or Media Count:
The objective of this document is to provide doctrinal guidelines for operationalizing a framework for quantifying risk, with a specific focus on quantitatively estimating the vulnerability of assets and systems comprising the nations critical infrastructure. IDA focused on vulnerability for three reasons. First, its definition and how it is applied to critical infrastructure is far less understood than the concepts of threat and consequence. Second, a sound approach for quantifying vulnerability will improve the methodologies for quantifying risk for critical infrastructure. Third, clearly defining vulnerability is key to developing commensurate risk metrics across the 18 critical infrastructure and key resources CIKR sectors. When systems vulnerability and asset vulnerability protected by layered defenses are compared side-by-side, the overall recommendation is to define vulnerability as the expected value of loss given a scenario occurrence in both cases. This requires that vulnerability for layered defenses be reinterpreted as the product of the joint probability of successfully penetrating all relevant defensive layers, and consequences. IDA sought to define a set of concepts and computational methods for quantifying vulnerability in a way that the resulting risk calculations produce commensurable risk metrics regardless of whether the risks are related to systems or isolated assets, or due to natural hazards or adversarial threats.
- Statistics and Probability
- Civil Defense