Q. As CSO, I recently had a meeting with the head of our Environmental Health & Safety group regarding a security risk assessment that we recently completed for them. They do not think that the validity and sophistication of our risk assessment is on par with what they are doing in EH&S. Where might I be missing the boat?
A. Although some older security risk assessment models are not on par with EH&S standards, many EH&S programs use the identical qualitative models as security.
The Nuclear Regulatory Commission (NRC) and Department of Energy (DOE) national laboratories advise against using formal quantitative risk assessment processes – widely termed probabilistic risk assessments (PRAs) – for security because it is virtually impossible to predict the frequency of malevolent initiating events, e.g., cyber attacks such as Stuxnet, terrorist attacks or insider disruptions. The best practice is to conduct a qualitative risk assessment that relies on expert judgment, with a "light touch" of quantitative analysis. EH&S has the flexibility to use models that are more quantitative in nature because they have quantitative data on potential initiating events and their consequences; for example, the mean time between failures, pressure capacity, heat factors, feedstock dynamics, maintenance dynamics, etc.
The models in use now throughout the US and in many foreign countries for security and safeguards risk assessments (including cyber security risk assessments) are derived from expert agencies such as the American Petroleum Institute, American Chemistry Council, National Petroleum Refiners Association, Sandia National Laboratory, Argonne National Laboratory, DOE laboratories and the NRC. The European Union has recently issued an energy sector security risk assessment model that is qualitative in approach.
From a historical perspective, in 1990, DOE tasked the National Institute of Standards and Technology (NIST) to analyze options other than quantitative risk assessment in the security arena because quantitative assessments were perceived as being too costly and too time consuming, and the results were deemed unnecessarily complex. NIST concluded that qualitative risk assessment, if properly executed, yielded virtually the same result with significantly lower expenditure of resources. A more recent example of this shift was the 2005 Department of Homeland Security (DHS) RAMCAP model. This highly quantitative model – written by the American Society of Mechanical Engineers (ASME) – was discarded by DHS and the critical infrastructure community in favor of CCPS-equivalent qualitative methodologies for the same reasons.
I highly recommend that you visit the websites of the organizations identified above and do your research prior to conducting EH&S or security risk assessments. Then, take the time to communicate with the EH&S staff and management to get a thorough understanding of their risk management expectations and why they take exception to qualitative approaches. You may find that they, in fact, use qualitative tools such as HAZOPS, FMEA, scenario analysis, etc. You may also be able to format your security qualitative model to more closely align with other organizational qualitative models so that your process virtually mirrors theirs. This can be critical to achieving organizational buy-in.
Answer provided by John Piper, Security Executive Council Subject Matter Expert Faculty Member.