
ALL-HAZARDS RISK AND RESILIENCE

Prioritizing Critical Infrastructures Using the RAMCAP PlusSM Approach

Copyright 2009 ASME Innovative Technologies Institute, LLC
1828 L Street, NW, Suite 906, Washington, DC 20036
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior permission of the copyright owner. RAMCAP and RAMCAP Plus are trademarks owned by ASME Innovative Technologies Institute. These trademarks are not to be used without the prior express written consent of ASME Innovative Technologies Institute, LLC. ASME Innovative Technologies Institute, LLC (ASME-ITI) is a not-for-profit, wholly-owned subsidiary of ASME (American Society of Mechanical Engineers).
Published by ASME, Three Park Avenue, New York, NY 10016, www.asme.org
ISBN: 978-0-7918-0287-8
ASME Order No.: 802878

DISCLAIMER
The RAMCAP Plus approach was prepared by the ASME Innovative Technologies Institute, LLC (ASME-ITI) which manages its continuing development. Information contained in this publication has been obtained from reliable sources, including experts in the field of risk analysis and management. The work is published with the understanding that ASME Innovative Technologies Institute, LLC (ASME-ITI), the American Society of Mechanical Engineers (ASME), and its authors and editors are supplying information, but are not attempting to render engineering or other professional services. If such engineering or professional services are required, the assistance of an appropriate professional should be sought. The ASME-ITI, the American Society of Mechanical Engineers (ASME), or any representatives or employees of those organizations do not make any warranty, expressed or implied, regarding any facts or opinions contained or expressed in this document. The ASME-ITI, the American Society of Mechanical Engineers (ASME), or any representatives or employees of those organizations do not make any warranty, expressed or implied, regarding the reliability or usefulness of any information, formula or process disclosed in this report. The ASME-ITI, the American Society of Mechanical Engineers (ASME), or any representatives or employees of those organizations do not assume any legal liability to any third party that reviews this report based upon the information, facts, opinions, formulas or processes expressed or disclosed in this report. The ASME-ITI, the American Society of Mechanical Engineers (ASME), or any representatives or employees of those organizations do not represent or provide any warranty, expressed or implied, that use of information, facts, opinions, formulas or processes expressed in this report would not infringe on any third party rights. 
In no event will the ASME-ITI, the American Society of Mechanical Engineers (ASME), or any representatives or employees of those organizations assume any liability to any third party for any consequential damages, economic damages, personal injuries or property damages incurred by any third party that may arise, either directly or indirectly, from any facts, opinions, information, formula or process disclosed in this report. Nor shall those parties be responsible for any errors, omissions, or damages arising out of the use of information contained or disclosed in the report.
For additional information regarding the RAMCAP Plus process or to receive a copy of this publication, please contact:
ASME Innovative Technologies Institute, LLC
1828 L Street, NW, Suite 906, Washington, DC 20036
info@asme-iti.org
www.asme-iti.org


PREFACE
The events of 9/11, Hurricane Katrina, and terrorist attacks and natural disasters abroad have heightened the nation's awareness of the risks to critical infrastructures in the United States. This awareness has created a requirement that risks and risk-reduction options be assessed in a way that permits the direct comparisons needed for rational decisions on allocating limited resources. A management process meeting this requirement would be characterized by the consistent application of common terminology, metrics and procedures that could be applied to the full variety of assets in diverse infrastructures. ASME Innovative Technologies Institute, LLC, has met this need by developing the Risk Analysis and Management for Critical Asset Protection (RAMCAP) process for hazards due to terrorism, naturally occurring events and interruptions of the supply chains on which infrastructures depend to carry out their essential functions. The purpose of this publication is to provide an understanding of the RAMCAP Plus process and its use to identify, prioritize and coordinate preparedness of the nation's critical infrastructure, including protection (avoiding hazardous events or their consequences) and resilience (rapid return to full function after those events that do occur). The RAMCAP Plus process is a high-level approach that can be tailored to various sectors, thereby providing a mechanism for comparing risk and risk-management benefits at scales ranging from individual assets to whole sectors of the economy. Sector-Specific Guidance documents (SSGs), which apply the RAMCAP process to seven critical infrastructure sectors and subsectors, have already been developed. The RAMCAP Plus process avoids unnecessary detail, precision and cost by focusing on the most critical assets at a facility and keeping the approach relatively simple and intuitive.
There are numerous other risk methodologies in use by specific industries, but their results are generally not comparable with those of other industry sectors or, in some cases, with other facilities within the same sector. Many are qualitative, producing relative results that can be compared only locally, if at all. Moreover, several of the available methods require the assistance of specialized consultants and/or considerable amounts of time, money and personnel resources, which discourages their use and makes them costly to apply on a regular basis. The RAMCAP Plus process, through the cost-effective application of common and consistent terminology and metrics, provides a basis for using existing data and reporting results in a consistent, quantitative, directly comparable manner. This publication reflects changing circumstances and incorporates lessons learned in developing the seven Sector-Specific Guidance documents (SSGs). It is composed of three major parts:
A. Executive Summary: the high points of the RAMCAP Plus process
B. The RAMCAP Plus Process in Overview: background, logic and structure
C. Using the RAMCAP Plus Process: detailed instructions for organizing and carrying out the approach, with details on each of the seven steps.

ASME Innovative Technologies Institute, LLC November 2008


ACKNOWLEDGEMENTS
The development of the RAMCAP Plus process, its application and its evolution are the result of the efforts of a great many people. From the earliest meetings between ASME volunteers and officials of the Federal government, through the many committee meetings, pilot studies, presentations and working group meetings, the RAMCAP Plus process has been crafted from the insight and experience of some of the leading scientists, engineers, academics, industry leaders, and federal, state and local government officials working in the areas of risk and resilience management. Their numbers are too large to name them individually, and the value of collaboration too great to single out any one name. It must be left to a generic thank you to all who have had a hand in the development of the RAMCAP Plus process. ASME-ITI extends its gratitude to one and all.


TABLE OF CONTENTS
DISCLAIMER   iii
PREFACE   v
ACKNOWLEDGEMENTS   vi
PART A. EXECUTIVE SUMMARY   1
1. Origin and Description   1
2. Progress and Evolution to Date   1
3. Benefits of Using the RAMCAP Plus Process   2
PART B. THE RAMCAP PLUS PROCESS IN OVERVIEW   4
1. Introduction   4
2. Background   4
3. The RAMCAP Plus Process - An Overview   7
a. Risk and Resilience Defined   7
b. The RAMCAP Plus Process   8
c. The RAMCAP Framework Tailored Into Sector-Specific Guidance   11
4. The Seven Steps of the RAMCAP Plus Process   12
Step 1 - Asset Characterization   12
Step 2 - Threat Characterization   13
Step 3 - Consequence Analysis   15
Step 4 - Vulnerability Analysis   17
Step 5 - Threat Assessment   19
Step 6 - Risk and Resilience Assessment   21
Step 7 - Risk and Resilience Management   22
5. Preparing to Use the RAMCAP Plus Process   24
a. Composition of the Evaluation Team   24
b. Documents to be Assembled Prior to the Assessment   25
6. Benefits of Using the RAMCAP Plus Process   27
a. Benefits of Using a RAMCAP Plus Assessment   27
b. Benefits of Using RAMCAP Voluntary Consensus Standards as a National Strategy   28
References and Further Reading   29
PART C. USING THE RAMCAP PLUS PROCESS   32
Step 1 - Asset Characterization   32
a. The Top Screening Phase   32
b. The Asset Selection Phase   33
Task 1.1 - Identify Critical Functions   34


Task 1.2 - Identify Critical Assets   34
Task 1.3 - Identify Critical Infrastructures and Interdependencies   35
Task 1.4 - Identify Existing Countermeasures and Construction Codes and Standards   36
Task 1.5 - Identify Potential Consequences   36
Task 1.6 - Select Targets for Further Analysis   38
Example Problem   38
References and Further Reading   40
Step 2 - Threat Characterization   41
a. Reference Threats   41
b. Terrorism Threats   45
c. Natural Hazards   46
d. Dependency and Proximity Hazards   47
e. Additional Screening   48
Example Problem (Continued)   49
References and Further Reading   51
Step 3 - Consequence Analysis   52
Task 3.1 - Estimate Terrorism Consequences   52
Task 3.2 - Estimate the Consequences of Natural Hazards   58
Task 3.3 - Estimate the Consequences of Dependency and Proximity Hazards   59
Example Problem (Continued)   59
References and Further Reading   60
Step 4 - Vulnerability Analysis   62
Example Problem (Continued)   65
References and Further Reading   70
Step 5 - Threat Assessment (Likelihood of Attack)   71
a. Estimating the Likelihood of Terrorist Events   71
b. General Considerations for RAMCAP Plus Likelihood Estimation Methods   72
c. Additional Screening   73
d. Three Approaches in Overview   75
Method One - Numerical Ratio Method   76
Method Two - Comparison of Risk Tolerance with Natural Hazard Risk   79
Method Three - Investment Break-Even   81
Example Problem (Continued)   83
References and Further Reading   84
Step 6 - Risk Assessment   85
Example Problem (Continued)   89
References and Further Reading   91
Step 7 - Risk and Resilience Management   92
Task 7.1 - Decide What Risk and Resilience Levels Are Acceptable   94
Task 7.2 - Define Countermeasures and Mitigation/Resilience Options   95
Task 7.3 - Evaluate Each Countermeasure and Mitigation/Resilience Option   98
Task 7.4 - Accumulate the Benefits of Each Option   99
Task 7.5 - Estimate Net Benefits and Benefit-Cost Ratios for Each Option   100
Task 7.6 - Select Among the Options and Allocation of Resources   101
Task 7.7 - Implement, Monitor and Evaluate Performance of the Selected Options   102
Task 7.8 - Conduct Additional Risk Assessments   102
Example Problem (Continued)   103
References and Further Reading   106
APPENDICES
Appendix A: Terminology   108
Appendix B: Abbreviations and Acronyms   117
Appendix C: Compliance with the RAMCAP Plus Process   118
Appendix D: Integrated Assessment of Natural Hazards   120
D.1.0 Natural Hazards   120
D.1.1 General Approach to Natural Hazards Assessment   121
D.1.2 Earthquake   123
D.1.3 Hurricane and Tornado/Wind Loading   126
D.1.4 Flood   128
D.1.5 Loads in Combination   128
D.2.0 Estimating Consequences from Natural Hazards   130
D.2.1 Estimating Consequences from Earthquake Events   132
Example Problem - Earthquake Risk Assessment   137
D.2.2 Estimating Consequences from Wind Loading Events   140
D.2.2.1 Hurricanes and Wind Loading   140
Example Problem - Hurricane Risk Assessment   146
D.2.2.2 Tornadoes   147
Example Problem: Wind and Tornado Risk   150
D.2.3 Estimating Consequences from Floods   151
D.2.3.1 Flood Loss Estimation Procedure   151
References and Further Reading   154


List of Tables
Table 1 Summary of RAMCAP Plus Reference Threat Scenarios   14
Table 2 Ranges for Estimating Fatalities, Injuries, and Economic Losses   17
Table 3 RAMCAP Plus Vulnerability Scale   19
Table 4 Suggested Composition of a RAMCAP Plus Assessment Team   24
Table 5 Checklist of Documents to be Assembled Prior to a RAMCAP Plus Assessment   26
Table 6 Tasks of Step 1, Critical Asset Identification   33
Table 7 Example Candidate Assets Characterization for the Chemical and Petrochemical Sectors   35
Table 8 RAMCAP Plus Consequence Parameters   37
Table 9 RAMCAP Plus Reference Threat Specifications   43
Table 10 Dams Asset/Threat Matrix   50
Table 11 RAMCAP Plus Consequence Parameters   53
Table 12 Consequence Scale for Fatalities   54
Table 13 Consequence Scale for Serious Injuries   55
Table 14 Consequence Scale for Financial Losses to the Owner/Operator   56
Table 15 Consequence Scale for Economic Losses to the Regional Community   58
Table 16 RAMCAP Plus Vulnerability Scale   63
Table 17 RMS Target Type Groups   78
Table 18 Tasks of Step 7, Risk and Resilience Management   93
Table D.1 Saffir-Simpson Hurricane Scale   126
Table D.2 Repair/Replacement Costs   133
Table D.3 Earthquake Effects for Use in Estimating Damage to Assets   134
Table D.4 Tornado Vulnerability   149


List of Figures
Figure 1 The Seven Steps of the RAMCAP Plus Process   9
Figure 2 Vulnerability Logic Diagram - Assault Team Attack on Dam   67
Figure 3 Event Tree Analysis - Attack on Dam   68
Figure 4 Relative Likelihood of Terrorist Attack in Different City Tiers   77
Figure 5 RAMCAP Plus Risk Analysis of Three Petroleum Refineries   88
Figure 6 Identification of Robust and Synergistic Options   100
Figure D-1 Seismic Hazard Map of United States   125
Figure D-2 Basic Wind Speed - Fifty-Year Recurrence Interval   127
Figure D-3 Earthquakes in the New Madrid Seismic Zone Since 1974   129
Figure D-4 Seismic Probability Map   137
Figure D-5 Return Period in Years for Category 3 or Greater Hurricane   142
Figure D-6 Return Period in Years for Category 4 or Greater Hurricane   144
Figure D-7 Return Period in Years for Category 5 or Greater Hurricane   145


Part A: Executive Summary


1. Origin and Description
RAMCAP Plus represents the most current stage of the continuing development of Risk Analysis and Management for Critical Asset Protection (RAMCAP)[1]. The development was initiated in response to the recommendation of a 2002 White House conference of more than one hundred senior executives from the private sector concerning the protection of the Nation's critical infrastructure. The executives' highest priority was an objective, consistent and efficient method for assessing and reducing infrastructure risks in terms directly comparable among the assets of a given sector and across sectors. The RAMCAP process allowed rational allocation of finite resources to protect the most important and vulnerable infrastructure assets. At the same time, the executives recognized that no universal process would fit the wide range of industries defined as critical infrastructures without some tailoring to the respective industries. To achieve the necessary consistency and comparability while recognizing the differences among industries, the RAMCAP approach was conceived as having two levels: a high-level, general method, periodically updated in a publication such as this, and a series of Sector-Specific Guidance (SSG) documents, expressly tailored to the technologies, issues and cultures of the respective sectors and subsectors. The SSGs and adaptations of other tools would be RAMCAP-consistent if they met explicit criteria derived from the then-current approach. This assured that the results of applying SSGs would be directly comparable, regardless of the industry to which they were applied. The RAMCAP Plus process consists of seven steps (defined later in this publication) that are practical and robust rather than esoteric or overly theoretical. The goal is an efficient, straightforward process that can be carried out by on-site professionals within a week or less, with a modicum of special training.
This design requirement dictates many of the specific trade-offs within the RAMCAP Plus process.

2. Progress and Evolution to Date


The philosophy of the RAMCAP process was adopted in the National Infrastructure Protection Plan. Three successive versions of the approach and SSGs for seven sectors and subsectors have been completed. The completed SSGs are: (1) nuclear power generation; (2) spent nuclear waste transportation and storage; (3) chemical manufacturing; (4) petroleum refining; (5) liquefied natural gas offloading terminals; (6) dams and navigational locks; and (7) water and wastewater systems. Through these developments, the original goal of reducing terrorism risks was augmented to include the enhancement of the organization's resilience, its ability to rapidly restore full functionality after an undesired event. The original suite of standard reference threats was limited to various types and intensities of terrorist attacks. Hurricanes Katrina and Rita and natural disasters outside the United States broadened the focus of RAMCAP from terrorist-only attacks to so-called all hazards, which include hurricanes, tornadoes, earthquakes and floods. Increased understanding of vulnerabilities led to adding new threats to the standard suite: product contamination, interruptions in supply chains (dependencies) and the possibility of collateral damage from an attack on nearby facilities. The addition of the broader goal, these new hazards, new ways of estimating terrorist likelihood and the dual economic impact estimation (on asset owners and on the metropolitan area and other communities they serve) were among the changes that drove the development of the RAMCAP Plus process. The RAMCAP Plus process is meant to continually evolve based on experience in adapting it to new sectors and the changing needs of the Nation. At the time of this writing, ASME-ITI has undertaken a project to develop a risk-based approach to aging infrastructure and to requirements for new infrastructures as dictated by the growth and evolution of the economy. The RAMCAP Plus approach may be extended to address these cases as well as natural hazards, terrorism, and dependency/proximity risks.

[1] RAMCAP and RAMCAP Plus are service marks held by ASME Innovative Technologies Institute. The service marks are implied in every use of RAMCAP and RAMCAP Plus in this volume.

3. Benefits of Using the RAMCAP Plus Process


Use of the RAMCAP Plus process generates benefits for the organization using it, the sector or industry that adopts it, the community served, and public policy toward infrastructure security and resilience. For organizations using the RAMCAP Plus process, the direct comparability of consistently quantified risk and resilience levels, and of the potential net benefits and benefit-cost ratios of means to enhance security and resilience, can result in rational allocation of resources across sites, facilities, assets and lines of business. The benefits of making decisions on this basis are more efficient management of capital and human resources and enhanced reliability in the performance of the organization's mission. The ability to define risk and resilience levels quantitatively at the community level enables the firm to partner with other firms and public agencies. Individual organizations will gain additional benefits if their sector adopts the RAMCAP Plus process, especially if it is adapted as a voluntary consensus standard, because the standard becomes the vehicle for incentives such as preferred supplier status, lower insurance costs, higher credit ratings and lower liability exposure. A sector adopting the RAMCAP Plus process will be able to identify the components with the greatest need and potential for improvement through concrete, quantitative RAMCAP Plus assessments. It will have concrete, repeatable descriptions of the current levels of risk and resilience, the potential benefits and the benefit-cost ratios across the sector. Adoption also permits direct comparison of the sector's risk and resilience level with other sectors for higher-level resource allocation and policy-making.
If the sector decides to make its RAMCAP Plus-consistent methods or SSG into a consensus standard, additional benefits can be gained, such as an affirmative defense in liability cases, preferential treatment by insurers, financial rating services and customers, the ability to substitute self-regulation by standards for bureaucratic regulation, and direct participation in federal regulatory, procurement or other action involving security and resilience of the sector. This version of RAMCAP Plus has been written as the basis for an overarching ANSI-approved American National Standard, applicable to any infrastructure and to many industries not usually seen as infrastructures. The overarching standard will be complemented by derivative, sector-specific voluntary consensus standards, developed by ASME in collaboration with individual sector standards-developing organizations. For the community and public policy, the facilities using the RAMCAP Plus process will be routinely asked to estimate the potential for lost economic activity in the metropolitan region they serve, allowing that to become a salient criterion in both private and public decisions. Use of the RAMCAP Plus process will allow cooperative decision-making by providing risk and resilience analysis on a comparable, consistent basis, which may also support rational trade-offs should the community, metropolitan region or public-private partnership decide to enhance the region's security and resilience. Further, if a RAMCAP Plus consensus standard exists, a community might designate the standard as the local code of expected practice. And, finally, if state, multi-state regions or federal agencies seek to allocate resources rationally to maximize the security and resilience enhancement within a finite budget, widespread use of the RAMCAP Plus process could provide the consistency and direct comparability needed to perform the assessment. The methods used to estimate economic losses to metropolitan regions can be extended to states, multi-state regions or the national economy, whatever scales are relevant to the decisions to be made. In summary, use of the RAMCAP Plus process yields significant benefits to the asset owners who use it, to the communities they serve and to their role in local, regional and/or national economies.

PART B: The RAMCAP Plus Process in Overview


1. Introduction
Risk Analysis and Management for Critical Asset Protection, or the RAMCAP process, has been developed to facilitate the analysis and management of risk and resilience of critical facilities and infrastructures. It is based on the fundamental definition that risk is the expected value of the consequences of specific terrorist attacks and natural events, weighted by the likelihood of the event and by the conditional likelihood that the event, once it occurs, produces the estimated consequences. This is the definition of risk advanced by the U.S. Department of Homeland Security (DHS). The RAMCAP Plus process provides a system of common terms and metrics which allow any RAMCAP Plus-based analysis to be compared with any other RAMCAP Plus-based analysis. The RAMCAP Plus process can be applied to any asset, set of assets or system of assets. The RAMCAP Plus process is a quantitative method that estimates numeric values of risk, as well as of resilience and of the benefits of improving risk and resilience, based on expert-derived evaluations of vulnerability, threat likelihood and consequence. It also calls for descriptions of non-quantifiable consequences, such as psychological impacts, public confidence, and military preparedness. The use of RAMCAP Plus-based risk and resilience analysis gives decision makers the ability to make informed judgments of the value of options to reduce risk and/or enhance resilience relative to threats of hurricane, flood, tornado, earthquake, terrorism and dependencies on other systems.

2. Background
Following the attacks of September 11, 2001, ASME (the American Society of Mechanical Engineers) convened more than one hundred industry leaders, at the request of the White House, to define and prioritize the requirements for protecting our Nation's critical infrastructure. The leaders' primary recommendation was to create a risk analysis and management process to support decisions to allocate resources to initiatives that reduce risk and enhance resilience. This would necessitate common and consistent terminology and metrics, tailored to the technologies, practices and cultures of the respective industries, to permit direct comparisons within and across industry sectors. Such direct comparisons were seen as essential to supporting rational decision-making in allocating limited private and public resources to reducing risk and enhancing resilience of critical infrastructures. In response to this recommendation, ASME convened a team of distinguished risk assessment experts from industry and academe to develop the Risk Assessment Methodology for Critical Asset Protection (RAMCAP). The parent organization, ASME, has been involved in probabilistic risk assessment for a number of years. Its many committees have developed a large body of knowledge and application, especially in the area of nuclear power generation plant design and operation. The newly convened team defined a seven-step process that enables asset owners to perform assessments of their risks and risk-reduction options relative to specific attacks. Risk is defined as a function of the likelihood of specific attacks, the asset's vulnerability to these attacks and the consequences of the attack. This definition was later adopted by the National Infrastructure Protection Plan. With this information, alternative risk-reduction and resilience-enhancement initiatives can be evaluated for their ability to reduce the vulnerability, likelihood and/or consequences (including outages, blackouts and revenue losses, key elements of resilience) related to risk. The reductions in risk and enhancements of resilience can be used in estimating the benefit-cost ratios that inform decisions allocating resources to specific initiatives. ASME Innovative Technologies Institute, LLC (ASME-ITI), a non-profit, wholly-owned subsidiary of ASME, was established to work on the application of the RAMCAP process to the specific critical infrastructure and key resource sectors. The initial version of the RAMCAP approach was the draft Risk Analysis and Management for Critical Asset Protection: General Guidance (2004), a generalized description. The University Consortium for Infrastructure Protection recommended this version as the preferred tool for supporting asset and system resource allocation decisions in protecting the National Capital Region. Based on an assessment of the majority of available tools, the initial version of the RAMCAP process was the only application that offered universality, essential direct comparability and a practical synthesis of the leading methodologies available at the time. The General Guidance was circulated widely in draft and reviewed extensively by panels of applied risk management and security experts. It was seen as a highly competent and comprehensive synthesis of the best available methods and highly appropriate for an academic or risk professional. It was not, however, as useful to key security and operating personnel at the facilities of concern.
A key design criterion to encourage widespread application was that the process be appropriate for self-assessment by on-site staff in a relatively short period of time (typically 3-4 days of work by a team of 3-6 people, after assembly of the necessary documents). In response to this feedback and the design requirement, the General Guidance, which was never published, was streamlined and simplified into two documents: the semi-technical Introduction to Risk Analysis and Management for Critical Asset Protection (2005), and a non-technical Risk Analysis and Management for Critical Asset Protection (RAMCAP) Applied to Terrorism and Homeland Security (2005), written expressly for the intended audience. The approach described in these three initial RAMCAP documents was referenced in the various drafts of the National Infrastructure Protection Plan (NIPP) as RAMCAP Framework. The Framework upheld the NIPP requirements for a simple and efficient process to support consistent, quantitative assessments and provided results that could be systematically and directly compared. The 2006 version of the NIPP broadened the definition of the concerns from terrorism only to include natural hazards, which are included in later RAMCAP documents. The 2005 RAMCAP description became referred to as the RAMCAP Framework. The next version was updated as the RAMCAP Framework, Version 2.0 (2006), and is based on the experience of developing the first five sector-specific guidance documents (for nuclear power plants and spent fuel transportation and storage, petroleum refining, chemical manufacturing, liquefied natural gas off-loading ports). Version 2.0 was used to guide development of the next two sector-specific guidance documents (for dams and navigational locks and water and wastewater systems).

As with the earlier Framework, prior experience and the latest two sectors inform the drafting of the RAMCAP Plus approach, including the following revisions and additions:
- Likelihood, vulnerability and consequences of natural hazards;
- Increased attention to immediate dependencies posed by supply chains and proximity;
- Explicit recognition of the role of resilience (the ability to withstand or rapidly restore function to critical assets after an attack or natural event), measured in duration and severity of denial and economic impact on the community;
- Dual-perspective economic impacts, estimating the impacts to both the owners of the infrastructures and the community they serve;
- Benefit-cost analysis at both owner and community levels;
- The general reference threat of product contamination (necessitated by the water sector, but applicable to food, pharmaceuticals, etc.); and
- Expanded discussions of several steps in the RAMCAP Plus process.

In September 2005, ASME-ITI convened a group of risk and security experts to help draft a voluntary, consensus-based risk management standard for terrorism based on RAMCAP Framework, Version 2.0. The work of this group was concurrent with the experience from the application of RAMCAP to two new sectors (dams and navigational locks, and water and wastewater systems) and from evolving events (e.g., Hurricanes Katrina and Rita). This experience showed that a newer, more comprehensive standard was required, one that included natural disasters and resilience-oriented solutions, as well as the other improvements listed above. These considerations made clear that a standard based on RAMCAP Framework, Version 2.0 would be rendered obsolete even while it was being finished. To avoid this immediate obsolescence, the standard development committee was disbanded and its work was built into the current publication. A new standards development committee will take up the RAMCAP Plus approach to incorporate the knowledge from the most recent sectors, evolving policy and the popular environment. The current revision of the RAMCAP process demonstrates its generic application to natural and man-made hazards. Therefore, it has been renamed RAMCAP Plus to differentiate it from the RAMCAP Framework Version 2.0. As mentioned earlier, the RAMCAP Plus process is meant to evolve based on accumulating experience with ever more diverse sectors and the changing needs and concerns of the engineering and infrastructure communities and the Nation. ASME is developing an American National Standard based on this process, an overarching approach for analyzing and managing risk and resilience relative to natural and man-made threats, directly to the assets in question and indirectly through dependencies and proximity. It will serve as the benchmark with which sector-specific RAMCAP standards must be consistent. In addition, ASME-ITI is developing American National Standards for higher education campuses and, jointly with the American Water Works Association, for water and wastewater systems.

3. The RAMCAP Plus Process: An Overview


a. Risk and Resilience Defined

There are many common, everyday terms which, when used by risk assessment professionals, take on very specific meanings. Throughout this document, it is important to keep these specific definitions in mind and resist using the more colloquial meanings. In the National Infrastructure Protection Plan and the RAMCAP Framework, risk is defined as the product of threat likelihood, vulnerability and consequences, or:

Risk = (Threat) x (Vulnerability) x (Consequence), or R = T * V * C

Where:

Risk (R): The potential for loss or harm due to an untoward event and its adverse consequences. It is measured as the combination of the probability and consequences of an adverse event. When the probability and consequences are expressed as numerical point estimates, the expected risk is computed as the product of those values. In the case of the RAMCAP Plus process and many other risk and resilience processes, risk is the product of threat, vulnerability and consequence.

Threat (T): Any indication, circumstance or event with the potential to cause the loss of, or damage to, an asset or population. In the case of terrorism risk, threat is based on the analysis of the intention and capability of an adversary to undertake actions detrimental to an asset or population and the attractiveness of the asset or population relative to alternative assets or populations. In the case of natural hazards, threat refers to the historical frequency of the specific natural event to which the asset(s) may be subjected. In both cases, threat is summarized as the likelihood the event will occur.

Vulnerability (V): Any weakness in an asset or infrastructure's design, implementation or operation that can be exploited by an adversary or contribute to functional failure in a natural disaster. Such weaknesses can occur in building characteristics, equipment properties, personnel behavior, locations of people, equipment and buildings, or operational and personnel practices.
In risk analysis, vulnerabilities are usually summarized as the conditional probability that, given an attack or natural event, the estimated consequences will ensue, i.e., the attack will succeed or the natural event will cause the estimated damage.

Consequence (C): The outcome of an event occurrence, including immediate, short- and long-term, direct and indirect losses and effects. Loss may include human fatalities and injuries, financial and economic damages and environmental impacts, which can generally be estimated in quantitative terms. Consequences may also include less tangible and less quantifiable effects, including political ramifications, decreased morale, reductions in operational effectiveness or military readiness, or other impacts.

Another key concept, resilience, is not an element in the risk equation, but is central to the purposes of the RAMCAP Plus process. Resilience is broadly defined as the ability to function through an attack or natural event, or the speed with which an asset can return to virtually full function (or a substitute function or asset is provided). Resilience as a concept is still being formalized. Some prefer to measure resilience using time, from the time of the event until return to full function, but this ignores partial service denial (severity), which is generally much more common than complete loss of function, and the value of the services denied. For the purposes of the RAMCAP Plus process, resilience is defined in different ways for the asset owner and the community, respectively. For the asset owner, the level of resilience for a particular asset/threat pair is expressed as:

Resilience (Owner) = Lost Revenue x Vulnerability x Threat

For the community, the level of resilience for a particular asset/threat pair is expressed as:

Resilience (Community) = Lost Economic Activity in the Community x Vulnerability x Threat

Where:

Lost Revenue: the product of the duration of service denial (in days), the extent of service denial (in units of service denied per day) and the price (in dollars per unit, estimated at pre-event levels), which are all essential parts of estimating the owner's financial loss.

Lost Economic Activity in the Community: the loss of output to direct customers plus the indirect losses (multiplier effect) throughout the economy of a given region due to denial of service. It is estimated as a function of the asset's lost revenue and the duration of the service denial using an economic model. One application used a static application of basic regional economic data and an input-output table, modified to reflect the resilience of the respective business sectors.

b. The RAMCAP Plus Process

The RAMCAP Plus process is composed of seven analytic steps, as illustrated in Figure 1. Each step is discussed in the next chapter. Taken as a whole, these steps provide a rigorous, objective and transparent foundation for data collection, interpretation, analysis and decision-making. The result is a valuable tool for understanding, allocating resources and managing risk and resilience.
The RAMCAP Plus process utilizes this seven-step approach to risk analysis and management, of which the first five steps are fundamental to developing the baseline state of risk for an organization. The last two steps are the evaluation, analysis and decision-making steps based on the data gathered in the first five steps. Implicit in this sequence is a cooperative exchange of information between owner/operators and public agencies. In summary, the seven steps are:

1. Asset Characterization: defining which facilities and assets are critical to the performance of the mission or function of the organization;
2. Threat Characterization: defining what specific threats to consider for each asset;
3. Consequence Analysis: estimating the worst reasonable outcomes of each threat to each asset;
4. Vulnerability Analysis: estimating the probability that each attack on each asset will result in the estimated consequences, given that the event occurs and considering the effectiveness of existing security measures;
5. Threat Assessment: estimating the probability or likelihood that the initiating event will occur;
6. Risk and Resilience Assessment: estimating the risk and resilience associated with each event on each asset;
7. Risk and Resilience Management: evaluating risk-reduction and resilience-enhancement options for their value (usually benefit-cost) and selecting, implementing and managing those that are selected.

1) Asset Characterization: What assets do I have and which are critical?
2) Threat Characterization: What threats and hazards should I consider?
3) Consequence Analysis: What happens to my assets if a threat or hazard happens? How much money lost, how many lives, how many injuries?
4) Vulnerability Analysis: What are my vulnerabilities that would allow a threat or hazard to cause these consequences?
5) Threat Assessment: What is the likelihood that a terrorist, natural hazard or dependency/locational hazard will strike my facility?
6) Risk/Resilience Assessment: What is my total risk and resilience? Risk = Consequences x Vulnerability x Threat; Resilience = Service Outage x Vulnerability x Threat
7) Risk/Resilience Management: What options do I have to reduce risks and increase resilience? How much will each benefit in reduced risks and increased resilience? How much will it cost? What is the benefit/cost ratio of my options?

Figure 1. The Seven Steps of the RAMCAP Plus Process

In a RAMCAP Plus analysis, a suite of specific threat scenarios is provided. The use of common threat and hazard definitions is central to the comparability of the results of the analyses. The majority of the terrorism scenarios in this publication were specified by DHS.2 Naturally, the owner/operator may also want to apply threats other than those provided for its own local use (these are not included in the scenario set that is used in comparisons with other assets). With the consistent threats used in a RAMCAP Plus analysis, the consequence analysis estimates potential fatalities, injuries, financial losses to the facility and economic losses to the community. In addition, qualitative assessments include impact on public confidence and the ability of government to provide essential services. Vulnerabilities of critical assets to specific threats are estimated using tools such as failure trees, event trees and path analysis, and are expressed as probabilities conditional on the occurrence of the threat event.

The only scenarios that have not appeared previously in one or more Sector-Specific Guidance are the dependency and proximity hazards, discussed below.

The likelihood (or probability) of a terrorist threat event occurring to an asset is estimated using the methods provided in this document. Whenever possible, consultation with intelligence and law enforcement officials is recommended so that any actionable intelligence on the tendencies of known terrorist organizations can be incorporated into the estimates of the likelihood of an attack on the owner/operator's facility. An understanding of the adversary's goals and capabilities, conditioned to the individual asset and based on local considerations (e.g., number of similar targets in the region, target attractiveness relative to alternative targets, deterrence), can contribute to a more accurate estimate. The likelihood of dependency hazards uses historical outage rates as a baseline and adjusts them to reflect the resilience of the infrastructures depended upon. For naturally occurring events, the likelihoods are estimated directly from historical data compiled by federal agencies, the weather service and commercial forecasting services.

In most SSGs to date, a design requirement was that the process be completed in about three or four days (excluding assembling needed documents) and be conducted by on-site personnel with very limited training in risk analysis (i.e., not requiring expert consulting assistance). The exception is the water sector, which made existing, substantially more detailed and complex risk assessment tools RAMCAP process-consistent. These existing tools, which have been used for previous assessments, generally take weeks or months to complete and often require outside expert consultants. The brief RAMCAP Plus assessment does not replace more in-depth engineering-economic evaluations, but typically uses the results of the previous work to focus these more detailed assessments on the specific elements that pose the greatest risk or offer the greatest opportunity for risk reduction/resilience enhancement.
The efficiency, quantification and comparability aspects also suggest that the RAMCAP Plus process could be used to evaluate ongoing risk-reduction and resilience-enhancement progress and to recognize the evolving risk situation. The execution of a RAMCAP Plus assessment, whether for the first time or as an update of previously completed security analyses, engages the leaders and staff of the facility and their partners who respond to emergencies, such as fire and emergency medical personnel. Team study and evaluation raises awareness of the system's vulnerabilities and resilience. The results of a structured and rigorous risk assessment are risk reduction and resilience enhancement. These results are directly comparable from asset to asset within the system, between firms in the same sector, and to other critical infrastructures. This direct comparability frequently results in the emergence of best practices and improved system practices. Quantification of both risks and benefits, in terms of fatalities, injuries, facility recovery costs and economic losses to the community, can provide a powerful foundation upon which to base resource allocation decisions. Because the RAMCAP Plus process is designed for quick self-assessment without outside expertise, it is best used to identify specific assets, threats and vulnerabilities that require more in-depth engineering risk assessment before directing major investments. The user-friendliness and efficiency of the RAMCAP Plus process make it appropriate for periodic re-application to measure progress in reducing risks and enhancing resilience.


c. The RAMCAP Framework Tailored into Sector-Specific Guidance

The developmental process that produced the RAMCAP Framework, described in Chapter 2, converts the general principles and methods of the Framework into more concrete and operational terms that fit the traditions, technology and culture of the respective industries, in the form of Sector-Specific Guidance documents (SSGs). Historically, the project has been sponsored by DHS. An initial meeting of DHS, the relevant Sector-Specific Agency (SSA) and ASME-ITI sets the basic scope and boundaries. Subsequently, the activity is modeled on the ASME approach for developing voluntary consensus standards. (ASME is one of the world's largest standards developing organizations.) Based on consultations with the Sector Coordinating Council (SCC), the Government Coordinating Council (GCC), major associations in the field and leading practitioners, a panel of Subject Matter Experts (SMEs) is convened to conduct the technical work. In addition, a voluntary stakeholders committee is organized, consisting of subject matter experts, risk experts, association representatives, recognized leaders from the industry and representatives of the SCC and GCC. This committee reviews and provides direction on the SMEs' drafts and assists in locating appropriate pilot test sites. This is very similar to the role of the full committee in standards development. General consensus of this committee is sought at each step. The SMEs review relevant risk and vulnerability tools available in the sector and evaluate whether any can be made NIPP- and RAMCAP process-consistent. If so, they determine the pros and cons of adapting the existing tools versus developing an independent, stand-alone SSG. The stakeholders committee is consulted extensively and provides general direction on this critical decision.
Once the decision is made, the SMEs provide an initial draft version of the SSG for review with the stakeholders committee, adapting the draft to the stakeholders' suggestions. The resulting draft is pilot tested at an actual facility and worked through the process with the facility's personnel. Subsequently, the local personnel are debriefed and provide their suggestions for improvement. Based on the pilot test results and the test facility's recommendations, the SMEs revise the draft and again present it to the stakeholders committee for their review, critique and suggestions for improvement. This cycle is repeated two or more times, depending on the available time, and results in an SSG that represents both consistency with the RAMCAP Framework and the consensus of the SMEs and stakeholders. The entire process takes place under the discipline of explicit criteria for consistency with the Framework and previous SSGs (see Appendix C and the RAMCAP Plus Quality Assurance Manual). This is not idle recourse to precedent. Consistency with the principles and criteria defined is the essence of maintaining rigorous comparability of results. At the same time, the approach continues to mature with regard to the technologies, issues and cultures of additional sectors, changing decision requirements, evolving threat environments and increased insight. Consensus of a given sector's SMEs and stakeholders alone is not sufficient to diverge from these criteria. Any proposed change not consistent with previous work, as expressed in the criteria, must be thoroughly justified, and efforts are then made to update the previous Sector-Specific Guidance. The only significant changes since the first series of SSGs are the addition of natural hazards, product contamination, dependency and proximity hazards, and dual-perspective economic impact estimation.


This approach enhances the validity, transparency, relevance, ease of use and repeatability of the SSG, increasing the likelihood that it will be used voluntarily and widely across the given sector.

4. The Seven Steps of the RAMCAP Plus Process


Figure 1 (on page 9) shows the seven steps and also the iterative nature of the RAMCAP Plus process. The feedback arrows imply that the assessment of benefits is a reiteration and modification of some or all of the same logical steps as the initial risk estimate. Reducing risks and enhancing resilience require that the options being considered reduce consequences (including duration of service denial), vulnerability and/or the likelihood of occurrence. The process estimates the changes attributable to a countermeasure or mitigation option, in which the benefits are defined as the change in risk and/or resilience and the costs include the investment and operating costs of the option. The resulting benefit-cost ratio can be used to rank the options by the risk reduction per dollar of cost. If the decision-maker prefers other measures of marginal merit (e.g., return on investment), the RAMCAP Plus quantitative assessments can be summarized to produce the other metrics. The feedback arrows also imply that the process is reiterated for three additional concepts: (1) for each relevant threat for a given asset; (2) for each asset critical to the mission of the organization; and (3) over time, as part of continuous improvement and evaluating periodic progress (e.g., annually as part of budget development) or as needed based on changing threat circumstances. Below is a brief description of the seven steps.

Step 1 Asset Characterization

This step analyzes the organization's mission and operational requirements to determine which assets, if damaged or destroyed, would diminish the facility's ability to meet its mission. Critical assets are identified and a preliminary estimate is made of the gross potential consequences from various threats or hazards. The assets evaluated include the plants, the infrastructure on which they depend, and the distribution and/or collection systems.
These assets may include physical plant, cyber systems, knowledge base, human resources, customers or critical off-site suppliers. Since the number of assets owned by an organization can be substantial, it is imperative that the assessment team identify the high-priority assets (typically those which, if successfully attacked, would severely affect the ability to operate) through an initial ranking and screening. High-priority assets are typically addressed first and in the greatest detail. Many RAMCAP SSGs contain a Screening Guide, or Top Screen, to help identify which organizations have truly critical assets.3 For the organizations passing the top screen, there is a separate step to prioritize and select their truly critical assets. It should be noted that the term asset can be used to identify components of an organization's system. In the case of some Sector-Specific Plans, the term asset is used to identify and prioritize entire organizations, systems or facilities.

3 The water sector declined to develop a Screening Guide or Top Screen in order to urge all water and wastewater utilities to conduct risk assessments.
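The risk equation and the owner-level resilience equation of Section 3a, together with the benefit-cost ranking of options described at the opening of this chapter, worked through as an added Python example (this is not code from the RAMCAP Plus publication or from ASME-ITI). The asset, the two options and every number are constructed for illustration. The field name annualized_cost_usd is an assumed convention for spreading an option's investment and operating costs over a year so that they can be compared with the per-year risk figures; when an option shortens the outage, the example lowers the consequence figure explicitly, since the revenue-loss part of C shrinks with the outage.

```python
"""Risk, owner-level resilience and benefit-cost ranking for one asset/threat
pair, following R = C x V x T and Resilience(Owner) = Lost Revenue x V x T.
Added illustration; all inputs below are constructed."""

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class AssetThreatPair:
    asset: str
    threat: str                  # reference threat code from Table 1, e.g. "V3" (mid-size truck)
    consequence_usd: float       # C: worst reasonable financial loss to the owner, in dollars
    vulnerability: float         # V: P(estimated consequence | the event occurs), 0..1
    threat_per_year: float       # T: likelihood of the initiating event, per year
    denial_days: float           # duration of service denial, in days
    units_denied_per_day: float  # extent of service denial, in service units per day
    price_per_unit: float        # pre-event price, in dollars per service unit

    def __post_init__(self):
        if not 0.0 <= self.vulnerability <= 1.0:
            raise ValueError("vulnerability must be a probability in [0, 1]")
        if self.threat_per_year < 0 or self.consequence_usd < 0:
            raise ValueError("threat likelihood and consequence must be non-negative")

    def lost_revenue(self) -> float:
        # Lost Revenue = duration x extent x price, all at pre-event levels
        return self.denial_days * self.units_denied_per_day * self.price_per_unit

    def risk(self) -> float:
        # R = C x V x T: expected owner loss in dollars per year
        return self.consequence_usd * self.vulnerability * self.threat_per_year

    def owner_resilience(self) -> float:
        # Resilience(Owner) = Lost Revenue x V x T: expected revenue denied per year.
        # In this metric a smaller number means the owner is more resilient.
        return self.lost_revenue() * self.vulnerability * self.threat_per_year


@dataclass(frozen=True)
class Option:
    """A risk-reduction or resilience-enhancement option applied to one pair."""
    name: str
    annualized_cost_usd: float   # investment plus operating cost per year (assumed convention)
    changes: dict                # AssetThreatPair field -> new value once the option is in place


def evaluate_option(baseline: AssetThreatPair, option: Option) -> dict:
    """Benefit = reduction in risk (the change in the resilience metric is reported
    separately); the ratio ranks options by risk reduction per dollar of cost."""
    improved = replace(baseline, **option.changes)   # re-runs the validation above
    risk_reduction = baseline.risk() - improved.risk()
    resilience_gain = baseline.owner_resilience() - improved.owner_resilience()
    if option.annualized_cost_usd <= 0:
        raise ValueError("option cost must be positive to form a ratio")
    return {
        "option": option.name,
        "risk_reduction_usd_per_year": risk_reduction,
        "resilience_gain_usd_per_year": resilience_gain,
        "cost_usd_per_year": option.annualized_cost_usd,
        "bc_ratio": risk_reduction / option.annualized_cost_usd,
    }


def rank_options(baseline: AssetThreatPair, options) -> list:
    """Options ordered from highest to lowest benefit-cost ratio."""
    return sorted((evaluate_option(baseline, o) for o in options),
                  key=lambda r: r["bc_ratio"], reverse=True)


# Constructed baseline: one storage asset of a utility and one reference threat.
BASELINE = AssetThreatPair(
    asset="Finished water storage (constructed)", threat="V3",
    consequence_usd=40_000_000, vulnerability=0.6, threat_per_year=0.001,
    denial_days=30, units_denied_per_day=20_000, price_per_unit=3.0,
)

# Constructed options: one lowers vulnerability, one shortens the outage
# (and with it the revenue-loss share of the consequence).
OPTIONS = [
    Option("Vehicle standoff barriers", 50_000, {"vulnerability": 0.2}),
    Option("Spare critical components on site", 20_000,
           {"denial_days": 5, "consequence_usd": 38_500_000}),
]

if __name__ == "__main__":
    print(f"baseline risk: ${BASELINE.risk():,.0f}/yr, "
          f"owner resilience metric: ${BASELINE.owner_resilience():,.0f}/yr")
    for row in rank_options(BASELINE, OPTIONS):
        print(row)
```

With these inputs the baseline risk is $24,000 per year and the owner resilience metric $1,080 per year; the barrier option ranks first on risk reduction per dollar, while the spare-components option buys comparatively little risk reduction but the larger improvement in the resilience metric, which is why the two are reported side by side rather than folded into one number.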


Step 2 Threat Characterization

In this step, the threat scenarios to be used are identified and described in enough detail to estimate vulnerability and consequences. Threat scenarios may be potential terrorist attacks, defined natural hazards, interrupted dependencies, or hazardous neighbors in close proximity that may adversely affect a facility or system. Organizations that complete a RAMCAP Plus analysis strictly for their own internal decision-making may define threat scenarios as they choose. However, for risk knowledge to be useful and meaningful to others in the organization, the sector and beyond, direct comparisons must be made based on a common set of defined reference threat scenarios. The original set of specific threat scenarios, suggested by DHS, relied on characterizations by law enforcement and intelligence organizations. The 2006 NIPP and the water sector SSG included two new types of threats: natural hazards and product contamination. The water sector, together with others (food, pharmaceuticals, etc.), needed to address and characterize intentional or accidental contamination of its products. A fourth set of hazards was added to include risks due to supply chain breakdowns and collateral damage from attacks on nearby targets. The risks posed by dependencies and interdependencies were recognized as critically important by RAMCAP process developers and sector-specific experts. For example, in the attack on the World Trade Center, the damage to the buildings, the primary target, also severely damaged the systems providing transportation, power, water and sanitation, telecommunications, banking, etc. The RAMCAP process had no systematic means for including these hazards until this current version, RAMCAP Plus. These hazards focus only on the facility's direct relationships with suppliers, customers and neighbors, of which the facility's management would have direct knowledge.
Other dependency hazards that are the product of cascading failures across indirectly connected infrastructures require a more regional approach, because the individual owner cannot be expected to know about these remote linkages. Proximity hazards are a form of dependency that results from occupying a geographic location adjacent to a site that is inherently hazardous (e.g., a rail yard holding numerous cars of toxic and explosive chemicals) or that could become the target of terrorism. Table 1 summarizes the current suite of reference threats. DHS, in consultation with the RAMCAP process developers, provided the terrorism reference threat scenarios. These specified scenarios are not design basis threats, a designation that would imply the organization should take steps to withstand the threat and continue operations. Rather, these are benchmark or reference threats which span a range of possible threats across all critical infrastructure sectors. These reference threat scenarios can be used to assess total risk to the nation and guide investments for risk reduction and resilience enhancement.4 The natural hazard threats are derived from data compiled over many years by several federal agencies and are based on the physical location of the facility under review. Product contamination was added for sectors whose product is physically consumed by people, e.g., water, food, pharmaceuticals. Dependency and proximity hazards address the issues of being critically dependent on elements of the supply chain, especially basic infrastructures, and of being located close to other assets posing the risk of collateral damage.
4 While in some cases the severity of a specific type of threat attack is expected to increase from left to right on Figure 1 (e.g., marine, aircraft, land-based vehicles and assault), no such severity continuum is implied for the others or by the relative location of a threat in the table.


Table 1. Summary of RAMCAP Plus Reference Threat Scenarios

Attack Type                     Tactic/Attack Description
Marine                          M1 Small boat; M2 Fast boat; M3 Barge; M4 Deep draft shipping
Aircraft                        A1 Helicopter; A2 Small plane (Cessna); A3 Medium, regional jet; A4 Large plane, long-flight jet
Land-based Vehicle              V1 Car; V2 Van; V3 Mid-size truck; V4 Large truck (18 wheeler)
Assault Team                    AT1 1 assailant; AT2 2-4 assailants; AT3 5-8 assailants; AT4 9-16 assailants
Sabotage                        S(PI) Physical-Insider; S(PU) Physical-Outsider; S(CI) Cyber-Insider; S(CU) Cyber-Outsider
Theft or Diversion              T(PI) Physical-Insider; T(PU) Physical-Outsider; T(CI) Cyber-Insider; T(CU) Cyber-Outsider
Product Contamination           C(C) Chemical; C(R) Radionuclide; C(B) Biotoxin; C(P) Pathogenic; C(S) Weaponization of sewer system
Natural Hazards                 N(H) Hurricanes; N(E) Earthquakes; N(T) Tornadoes; N(F) Floods
Dependency & Location Hazards   D(U) Loss of Utilities; D(S) Loss of Suppliers; D(T) Loss of Transportation; D(S) Loss of Employees; D(C) Loss of Customers; D(L) Dangerous co-location with other targets

The organization must decide which of the defined scenarios represent real, physically possible threats for the facility being evaluated; some, such as a major marine attack in a desert, may be impossible. For those threats which are possible, the organization should assess the consequences of a successful attack by each threat against the target. A convenient way to do this is to array a matrix of the assets versus the threats for a qualitative estimation according to a three- or five-point scale (e.g., very low, low, moderate, high and very high). The organization can then decide to first examine the highest-ranking threat/asset pairs and proceed to lower priorities until the consequences are acceptable or the time and resources available for the analysis are exhausted. Threat characterization involves more than assuming the specific threat is applied to a specific target or asset. It requires that the assessment team consider each threat scenario and its potential to cause the maximum credible consequences, i.e., the worst reasonable case. If a threat scenario can result in an asset causing consequences greater than the destruction of the asset or facility itself, then this combined scenario, or weaponizing of an asset, should be considered. For example, the destruction of a dam could release water downstream and inundate property below the dam. If this event were to occur at a time when the inundated area would be highly populated, for example on a holiday weekend, the water becomes a weapon that causes additional consequences and terror. Threat characterization requires that the assessors attempt to maximize the consequences while expending the minimum resources of the terrorist. The likelihood of occurrence of an event increases when the required resources are reduced.
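The screening step just described (dropping scenarios that are physically impossible for the facility, rating the remaining asset/threat pairs on the qualitative five-point scale, and working from the highest-ranking pairs downward), as an added Python example that is not part of the RAMCAP Plus publication. The facility profile, asset names and ratings are constructed; the threat codes are those of Table 1.

```python
"""Asset x threat screening matrix with a qualitative consequence scale.
Added illustration; the facility, assets and ratings are constructed."""

# Five-point qualitative scale from the text, mapped to an ordinal rank
SCALE = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}

# Constructed facility: an inland plant far from navigable water, so the
# marine scenarios of Table 1 (M1-M4) are not physically possible here.
INFEASIBLE = {"M1", "M2", "M3", "M4"}

# Constructed qualitative ratings: asset -> {Table 1 threat code: rating}
RATINGS = {
    "Control room": {"V2": "high", "AT2": "very high", "S(CI)": "high",
                     "N(T)": "moderate", "M2": "very high"},
    "Main transformer": {"V2": "moderate", "AT2": "high", "S(PU)": "moderate",
                         "N(T)": "high", "D(U)": "very high"},
    "Warehouse": {"V2": "very low", "AT2": "low", "S(PU)": "low", "N(T)": "low"},
}


def screen_pairs(ratings, infeasible, scale=SCALE):
    """Return feasible (asset, threat, label, rank) tuples, highest consequence
    first. Ties are broken by asset then threat code so the order is reproducible."""
    pairs = []
    for asset, threats in ratings.items():
        for code, label in threats.items():
            if code in infeasible:
                continue                      # not a real threat for this facility
            if label not in scale:
                raise ValueError(f"{asset}/{code}: unknown rating {label!r}")
            pairs.append((asset, code, label, scale[label]))
    pairs.sort(key=lambda p: (-p[3], p[0], p[1]))
    return pairs


def worklist(pairs, min_rank):
    """Pairs the team takes into detailed consequence and vulnerability analysis:
    everything rated at or above min_rank, in priority order. Lower-rated pairs
    are picked up afterwards as time and resources allow."""
    return [(asset, code) for asset, code, _label, rank in pairs if rank >= min_rank]


def matrix_view(ratings, infeasible):
    """Plain-text rendering of the asset x threat matrix for the assessment record."""
    codes = sorted({c for t in ratings.values() for c in t})
    width = max(len(a) for a in ratings) + 2
    lines = [" " * width + "".join(f"{c:>12}" for c in codes)]
    for asset, threats in ratings.items():
        cells = []
        for c in codes:
            if c in infeasible:
                cells.append("n/a")                  # physically impossible at this site
            else:
                cells.append(threats.get(c, "-"))    # "-" = pair not rated
        lines.append(f"{asset:<{width}}" + "".join(f"{x:>12}" for x in cells))
    return "\n".join(lines)


if __name__ == "__main__":
    print(matrix_view(RATINGS, INFEASIBLE))
    for asset, code in worklist(screen_pairs(RATINGS, INFEASIBLE), SCALE["high"]):
        print(f"analyze first: {asset} / {code}")
```

The cutoff passed to worklist is where the team draws the line described in the text: pairs above it go into the detailed Step 3 and Step 4 analysis first, and the remainder are revisited until the consequences are judged acceptable or the time for the assessment runs out.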


Step 3 Consequence Analysis

Consequence analysis identifies and estimates the worst reasonable consequences generated by each specific asset/threat combination. This step reviews facility design, layout and operation to identify the types of consequences that might result. Consequences that are quantified include fatalities, serious injuries and economic impacts. Fatalities and serious injuries include employees, customers and bystanders. Many organizations choose to keep these estimates separate from economic estimates, while others prefer to convert them to dollar terms and include them with the financial and economic terms discussed below. Regardless of this preference, it is correct to include all direct financial liabilities attributable to these casualties in the financial losses. Moreover, some organizations find it useful to differentiate employees from others who are harmed, and so maintain separate metrics for each group. Economic impacts are widely recognized as key indicators of consequences in analyzing risks from terrorism, natural disasters and dependencies. Specifically defining the meaning of economic impacts is necessary for a risk management methodology to maintain consistency of terms and metrics. The RAMCAP Plus process defines economic impacts as appropriate for risk management decision-making at two levels: (1) the financial losses to the organization owning the asset; and (2) the economic losses to the regional metropolitan community the organization serves, in both direct and indirect consequences. This latter estimate demonstrates the severity of lost organization functionality to its served community and serves as the principal measure of fragility and resilience on the metropolitan regional or larger scale.
(Note: Economic consequences for communities larger than the metropolitan area, e.g., the state, multi-state region or the nation, may also be of interest to the decision-makers and can be addressed using the same methods as used at the metropolitan level.) The current process addresses both financial and regional economic losses due to a successful terror attack, dependency hazard or natural disaster, and the financial and economic losses avoided by the facility and the community due to risk-reduction and resilience-enhancement improvements. Financial consequences to the organization include all necessary costs to repair or replace damaged buildings and equipment, abandonment and decommissioning costs, site and environmental clean-up, revenue losses (including fines and penalties for failing to meet contractual production levels) while service is reduced, direct liabilities for casualties on and off the property, and environmental damages that cannot be fully mitigated. These costs are reduced by applicable insurance or restoration grants and must be corrected to account for tax effects for tax-paying organizations. The primary concern for the public or community is the length of time, quantity and sometimes quality of service denied, and the economic consequences of service denial to the organization's direct suppliers and customers. In addition to these direct losses, the community suffers indirect losses through reduced economic activity in general, i.e., to the suppliers' suppliers and customers' customers, and so on. The economic consequences ripple through the regional economy, with the total impacts being some multiple of the direct impacts, hence the term multiplier effect. When service denial is of short duration and/or customers cope through conservation, substitution, redundancies, or making up lost production later through overtime or added shifts, the region is said to be resilient. (See, e.g., Rose 2004 and 2006; Rose and Liao, 2005; Rose et al., 2007.) The public's objective is to enhance the resilience of critical infrastructures on which they depend. Assessment of direct and indirect business interruption losses resulting from damage to an infrastructure asset has so far been developed only for water and wastewater utility systems, but the same approach could work for any infrastructure. The direct and indirect losses to the community can be calculated by a straightforward, modified input-output algorithm, referred to as a HAZUS patch (MMC, 2006; Rose et al., 2007). The algorithm, originally developed to fill a gap in the computational ability of HAZUS, the Federal Emergency Management Agency's loss estimation software (FEMA, 2006), can be applied to any estimate of infrastructure service disruption to compute both the losses of output to direct facility customers and the indirect (multiplier-effect) losses throughout the economy of a given region. Other methods of estimating direct and indirect economic impacts at the metropolitan level exist and are undergoing continuing research. When a single estimate of risk, resilience or benefit of improvements is needed for decision-making (e.g., when allocating budget resources to a large portfolio of improvements), organizations often estimate the dollar equivalence of fatalities and serious injuries. If this combination of metrics is desired for the owner's case, the legal liabilities in excess of insurance should be used. For the metropolitan region's impact, the value of a statistical life should be added to the estimated regional economic impacts. One or both of two estimation and recording options may be used for fatalities, injuries, financial losses to the owner and economic losses to the community. The first is to make single, point estimates for each of the four to use in reporting.
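The direct and indirect (multiplier-effect) community losses discussed above, worked through in an added Python example that is neither the HAZUS patch nor code from the cited authors: a small Leontief input-output model, the kind of model the text refers to, is solved for the total output loss implied by a direct loss, with a per-sector resilience adjustment of the sort described (conservation, substitution, redundancy, making up production later). The three sectors, the technical-coefficient matrix, the dependence shares, the resilience factors and the outage itself are all constructed.

```python
"""Direct and indirect (multiplier-effect) regional losses from a service denial
using a small Leontief input-output model with a resilience adjustment.
Added illustration: sectors, coefficients and the outage are constructed."""

# Constructed regional economy: three aggregated sectors.
SECTORS = ["manufacturing", "services", "households and retail"]

# A[i][j] = dollars of sector i output used per dollar of sector j output
# (constructed technical coefficients; each column must sum to less than 1).
A = [
    [0.20, 0.10, 0.05],
    [0.15, 0.25, 0.10],
    [0.10, 0.15, 0.05],
]


def leontief_total_loss(direct_loss, a, rel_tol=1e-12, max_iter=100_000):
    """Solve x = d + A x, i.e. x = (I - A)^-1 d, by fixed-point iteration.
    d is the direct output loss by sector; x is the total (direct plus every
    round of indirect) output loss. Each iteration is one round of the
    multiplier story: lost output removes demand from its suppliers, which lose
    output in turn. Convergence is checked relative to the size of the losses."""
    n = len(direct_loss)
    for j in range(n):
        if sum(a[i][j] for i in range(n)) >= 1.0:
            raise ValueError("column sums of A must be < 1 for the series to converge")
    x = list(direct_loss)
    for _ in range(max_iter):
        nxt =  [direct_loss[i] + sum(a[i][j] * x[j] for j in range(n)) for i in range(n)]
        scale = max(1.0, max(abs(v) for v in nxt))
        if max(abs(u - v) for u, v in zip(nxt, x)) <= rel_tol * scale:
            return nxt
        x = nxt
    raise RuntimeError("fixed-point iteration did not converge")


def direct_loss_by_sector(daily_output_usd, denial_days, dependence, resilience):
    """Direct loss to the facility's customers, per sector:
    daily output x days denied x share of output that needs the service
    x (1 - resilience), where resilience is the share of that dependent output
    the sector preserves through conservation, substitution, redundancy or
    making up production later."""
    for r in resilience:
        if not 0.0 <= r <= 1.0:
            raise ValueError("resilience factors must lie in [0, 1]")
    return [daily_output_usd[s] * denial_days * dependence[s] * (1.0 - resilience[s])
            for s in range(len(daily_output_usd))]


def community_loss(daily_output_usd, denial_days, dependence, resilience, a=A):
    """Direct, indirect and total regional loss plus the implied multiplier."""
    direct = direct_loss_by_sector(daily_output_usd, denial_days, dependence, resilience)
    total = leontief_total_loss(direct, a)
    direct_sum, total_sum = sum(direct), sum(total)
    return {
        "direct_usd": direct_sum,
        "indirect_usd": total_sum - direct_sum,
        "total_usd": total_sum,
        "multiplier": total_sum / direct_sum if direct_sum else 1.0,
        "by_sector_total_usd": dict(zip(SECTORS, total)),
    }


# Constructed 10-day service denial in a region whose sectors depend on the
# service to differing degrees and cope with its loss to differing degrees.
DAILY_OUTPUT_USD = [2_000_000, 3_000_000, 1_000_000]
DEPENDENCE = [0.5, 0.3, 0.8]        # share of each sector's output that needs the service
RESILIENCE = [0.4, 0.6, 0.2]        # share of dependent output each sector can preserve
DENIAL_DAYS = 10

if __name__ == "__main__":
    result = community_loss(DAILY_OUTPUT_USD, DENIAL_DAYS, DEPENDENCE, RESILIENCE)
    for key, value in result.items():
        print(key, value)
```

With the constructed coefficients the direct loss of $16.0 million grows to a total of roughly $25.7 million, a regional multiplier of about 1.6; raising a sector's resilience factor lowers its direct loss and, through the same matrix, every downstream indirect loss, which is the mechanism the text describes when it calls a region resilient.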
Such an estimate represents the best or central estimate, but does not imply precision. A second method is to use ranges to reflect the inherent uncertainty in the estimates. The ranges are pre-specified to aid in consistency and comparability. These ranges are illustrated in Table 2A for fatalities and serious injuries and Table 2B for financial losses to the owner and economic losses to the community. Using these, the analyst can assign the consequence to one of fourteen ranges, or bins, each with a range of fatalities or injuries. Each bin increases by a factor of two over the next smaller bin. The use of a constant scaling factor is analogous to using a logarithmic scale. As will be seen later, the vulnerability scale also uses a scale factor of two. This will result in a convenient, qualitative display of results since the risk matrix will contain diagonal lines of constant risk.
Table 2. Ranges for Estimating Fatalities, Injuries, and Economic Losses

A. Ranges for Estimating Fatalities and Injuries

Single Point    RAMCAP Consequence Criteria    Ranges in Number of
Estimate        (Bin Numbers)                  Fatalities or Injuries
                 0                              0 - 25
                 1                              26 - 50
                 2                              51 - 100
                 3                              101 - 200
                 4                              201 - 400
                 5                              401 - 800
                 6                              801 - 1,600
                 7                              1,601 - 3,200
                 8                              3,201 - 6,400
                 9                              6,401 - 12,800
                10                              12,801 - 25,600
                11                              25,601 - 51,200
                12                              51,201 - 102,400
                13                              102,401 +

B. Ranges for Estimating Losses to the Owners and to the Community

Single Point    RAMCAP Consequence Criteria    Owner's Financial Loss
Estimate        (Bin Numbers)                  (in $-million)
($-million)
                 0                              0 - 25
                 1                              26 - 50
                 2                              51 - 100
                 3                              101 - 200
                 4                              201 - 400
                 5                              401 - 800
                 6                              801 - 1,600
                 7                              1,601 - 3,200
                 8                              3,201 - 6,400
                 9                              6,401 - 12,800
                10                              12,801 - 25,600
                11                              25,601 - 51,200
                12                              51,201 - 102,400
                13                              102,401 +

Other consequences are identified and described qualitatively, and include impact on iconic structures, governmental ability to operate, military readiness, and citizen confidence in the organization, product, and/or the government.

Step 4 Vulnerability Analysis

Step 4 estimates the likelihood of each specific threat or hazard overcoming the defenses of the asset to the level identified in the consequence estimate for that threat/asset combination. In the case of a terrorist attack, this means the probability that the attack would be successful, resulting in the estimated consequences. For other hazards, it means the probability that the estimated consequences would result if the specific hazard occurs. Vulnerability analysis involves an examination of existing security capabilities and structural components, as well as countermeasures and their effectiveness in reducing damages from threats and hazards. A variety of rigorous tools can be used to estimate vulnerability, e.g.:

1. Direct expert elicitation: members of the evaluation team familiar with a facility's layout and work flows and knowledgeable about the asset discuss the likelihood of success and their reasoning for their estimates. Sometimes trained facilitators, on staff or under contract, are used to elicit the judgments. In its more elaborate form, a statistical Delphi or Analytical Hierarchy Process can be used to establish a consensus.
2. Vulnerability logic diagrams (VLDs): the flow of events from the time an adversary approaches the facility to the terminal event in which the attack is foiled or succeeds, considering obstacles and countermeasures that must be surmounted, with each terminal event associated with a specific likelihood estimate. This is frequently complemented by time estimates for each segment and compared with an estimate of the reaction time of a counterforce once the attack has been detected. VLDs are often prepared in advance for use as heuristics to guide teams in making assessments in large or numerous facilities to enhance comparability.

3. Event trees (also called failure trees): the sequence of events between the initiation of the attack and the terminal event is described as a branching tree, where each branch represents the possible outcomes at that junction, e.g., a locked door may be breached or not. The evaluation team estimates the probability of each outcome. Multiplying the probabilities along each branch, from the initiating event to each terminal event, calculates the probability of each unique branch, while all branches together sum to unity (1.0). The sum of the probabilities of all branches on which the attack succeeds is the vulnerability estimate.

4. Hybrids of these: often used by more sophisticated assessment teams.

Direct elicitation often seems to be easier and less time-consuming, but the time to reason through each threat/asset pair can lead to long discussions and thus, it is difficult to maintain logical consistency across a number of such judgments. VLDs have the virtue of being predefined and able to guide discussions and estimates along relevant paths efficiently and consistently. The same can be said for event- or failure-trees, with the added advantage that a true conditional probability is estimated and the evaluation team is exposed to the uncertainties in their estimates.

Either of the more structured methods (or the hybrids) produces a more reliable estimate in the sense that a different evaluation team (or the same team at another time) is more likely to make the same or very similar estimates, given the same threat/asset scenarios, and the reasoning is documented in detail. This greatly increases the consistency and direct comparability of the assessments and permits them to be used over time to measure progress of security programs or assess evolving conditions.

The vulnerability of an asset may be estimated as a single point or assigned a range on the scale shown in Table 3. This scale provides eight basic levels of vulnerability ranking that cover a range of possible likelihood values. As with the consequence scales, the vulnerability scales are logarithmic, base two. The respective scales show the same factor for each basic level, but provide different ways to think about it and to record it. Level 5 is further subdivided into three parts to provide more granularity as the likelihood of success approaches 1.0. This allows the organization to better estimate changes in security level.
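The event-tree calculation of method 3, as an added example that is not part of the RAMCAP Plus text: the junctions of the tree (detection, response, final barrier) and every probability are constructed sample values for illustration, and the code checks the two properties the text states, that outcomes at each junction and all terminal events together sum to 1.0.

```python
# Added example (not from the RAMCAP Plus text): evaluating an event tree for one
# threat/asset pair the way Step 4, method 3, describes. Every branch point carries the
# evaluation team's probability for each outcome; multiplying along a path gives that
# terminal event's probability, all terminal events together sum to 1.0, and the
# vulnerability estimate is the sum over the paths on which the attack succeeds.
# The tree structure and its probabilities are constructed sample values.
from dataclasses import dataclass
from typing import Dict, Iterator, Tuple, Union

FOILED, SUCCESS = "foiled", "success"   # the two kinds of terminal event


@dataclass
class Node:
    """A branch point: outcome label -> (probability, next Node or terminal label)."""
    name: str
    outcomes: Dict[str, Tuple[float, Union["Node", str]]]


def enumerate_paths(node: Node, prob: float = 1.0, trail: Tuple[str, ...] = ()
                    ) -> Iterator[Tuple[Tuple[str, ...], float, str]]:
    """Yield (path, probability, terminal) for every terminal event below `node`."""
    total = sum(p for p, _ in node.outcomes.values())
    if abs(total - 1.0) > 1e-9:   # the outcomes at one junction must be exhaustive
        raise ValueError(f"outcomes of {node.name!r} sum to {total:.4f}, not 1.0")
    for label, (p, child) in node.outcomes.items():
        step = trail + (f"{node.name}: {label}",)
        if isinstance(child, Node):
            yield from enumerate_paths(child, prob * p, step)
        else:
            yield step, prob * p, child


def vulnerability(root: Node) -> float:
    """Sum of the probabilities of all branches ending in SUCCESS (attack succeeds)."""
    paths = list(enumerate_paths(root))
    total = sum(p for _, p, _ in paths)
    if abs(total - 1.0) > 1e-9:   # all branches together must sum to unity
        raise ValueError(f"terminal probabilities sum to {total:.4f}, not 1.0")
    return sum(p for _, p, terminal in paths if terminal == SUCCESS)


def build_tree(p_detect: float, p_interdict: float, p_barrier_holds: float) -> Node:
    """Three-junction tree: is the approach detected, does the response force arrive
    in time, and does the final barrier hold? (Constructed structure for illustration;
    the same barrier node is reached on two different paths.)"""
    barrier = Node("final barrier", {
        "holds": (p_barrier_holds, FOILED),
        "breached": (1 - p_barrier_holds, SUCCESS)})
    response = Node("response force", {
        "arrives in time": (p_interdict, FOILED),
        "too late": (1 - p_interdict, barrier)})
    return Node("perimeter detection", {
        "detected": (p_detect, response),
        "not detected": (1 - p_detect, barrier)})


# Constructed baseline estimates for one threat/asset pair.
SAMPLE_TREE = build_tree(p_detect=0.7, p_interdict=0.8, p_barrier_holds=0.6)
# The same pair after an option that improves detection (Step 7 re-estimates Step 4).
IMPROVED_TREE = build_tree(p_detect=0.9, p_interdict=0.8, p_barrier_holds=0.6)

if __name__ == "__main__":
    for path, p, terminal in enumerate_paths(SAMPLE_TREE):
        print(f"{p:.3f}  {terminal:8s}  {' -> '.join(path)}")
    print("vulnerability, baseline:", round(vulnerability(SAMPLE_TREE), 3))
    print("vulnerability, improved:", round(vulnerability(IMPROVED_TREE), 3))
```

The baseline tree yields a vulnerability of 0.176 (bin 3 on the Table 3 scale) and the improved detection brings it to 0.112, which is the kind of before/after pair Step 7 compares.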
Table 3. RAMCAP Plus Vulnerability Scale

Bin    Decimal            Percentage Range (%)   Successes per Attempts
5 A    0.90 - 1.00        90 - 100               9/10 ≤ L ≤ 1
5 B    0.75 - 0.89        75 - 89                3/4 ≤ L < 9/10
5 C    0.50 - 0.74        50 - 74                1/2 ≤ L < 3/4
4      0.25 - 0.49        25 - 49                1/4 ≤ L < 1/2
3      0.125 - 0.249      12.5 - 24.9            1/8 ≤ L < 1/4
2      0.0625 - 0.124     6.25 - 12.4            1/16 ≤ L < 1/8
1      0.0312 - 0.0624    3.12 - 6.24            1/32 ≤ L < 1/16
0      < 0.0311           < 3.11                 L < 1/32

Step 5 Threat Assessment

Threat assessment estimates the likelihood of terrorist attack, dependency/proximity hazard or natural hazard. The threat assessment produces the probability (expressed as a positive value between 0.0 and 1.0) that a particular threat (terrorist, dependency or natural) will occur in a given timeframe (usually one year).[5] Threat likelihood is addressed in each of the four components: terrorism, natural hazards, supply chain dependency and proximity hazards.

Estimates of the likelihood of terrorist attacks are based on the terrorists' objectives and capabilities and the attractiveness of the facility relative to alternative targets. Information on terrorists' capabilities and intentions can be informed by intelligence and law enforcement agencies. The asset owner should estimate the relative attractiveness of the target by evaluating alternative target options, considering the terrorists' objectives, the asset's level of vulnerability, the likelihood of success and the cost/effectiveness of the attack. To the authors' knowledge, no satisfactory method has been proposed to estimate terrorism risks at the level of specific assets. Three approaches are offered to gain insight into the issues and use judgment to approximate threat frequency:

1. Numerical Ratio Method: assumes an estimable total number of attacks in a given year in the entire United States. This estimate can be based upon historical data, intelligence information or various assumptions felt to bracket the expected number of attacks. The likelihood of an attack can be given a numerical estimate based upon the total number of available targets, target attractiveness, perceived difficulty of success of the attack and difficulty of mounting the attack. This estimate is then judgmentally adjusted to account for differences among cities and types of assets.

[5] It may be possible to combine the threats into a comprehensive probability set using Bayes' theorem. This would require that the events are mutually exclusive and collectively exhaustive, with likelihoods that sum to one. The applicability of Bayes' theorem to terrorist events is currently being explored. It is not clear that the events can be considered mutually exclusive or collectively exhaustive. The set of reference threats used in RAMCAP is clearly not exhaustive and may not be mutually exclusive. Since terrorist attacks may be performed at an opportunistic time to inflict the most damage, an attack at the same time as a natural hazard, such as a flood, is a distinct possibility. Research is ongoing to determine if threat probabilities can be combined in the same manner as other probabilistic events, such as games of chance involving inanimate objects, such as cards or dice.
2. Comparison of Risk Tolerance with Natural Hazard Risk: uses the notion of risk tolerance and a natural hazard risk to compare with a terrorist risk, deducing the threat likelihood that equates the two risks. The analyst and decision-maker then judge whether the deduced likelihood is reasonable or not. If the likelihood in the deduced risk is equal to or less than the judged reasonable level, then the terrorism risk is as tolerable as the natural hazard risk and the likelihood is moot. If, on the other hand, the likelihood in the deduced risk is greater than the reasonable level, the judgment of the reasonable level sets a minimum and the asset/threat pair's risk justifies taking the next steps. This technique is used in some fields to obtain expert elicitation by comparing information of a similar nature. Building codes and standards typically use design parameters based upon recurrence intervals. For example, the use of hundred-year flood values provides a standard for designing certain types of infrastructure such as levees, flood control systems of dams and flood channels.[6]

3. Investment Break-Even: assumes the decision-maker's choices are simple, go/no-go decisions on individual options. This method can only be applied as part of Step 7 because it requires the calculation of a baseline risk, the conceptual design and cost estimation of an investment option to materially reduce the risk, and an assessment of the risk with the option in place. Given the estimated consequences (with and without the option), vulnerability (with and without the option) and the option cost, the break-even likelihood is the threat likelihood that yields a net benefit of exactly zero and a benefit-cost ratio of exactly 1.0. Any likelihood greater than this would justify the project and anything less would condemn it. The decision-maker can then judge whether the break-even likelihood is plausible or not. If the decision-maker believes the actual likelihood exceeds the break-even, the option has value and results in a "go" decision. If the decision-maker judges the actual likelihood is less than the break-even likelihood, the project would not be recommended.

Estimates of the probability of natural hazards draw on the historical record for the specific location of the asset. Federal agencies collect and publish records for hurricanes, earthquakes, tornadoes and floods, which can be used as frequencies for various levels of severity of natural hazards.

Initial estimates of the likelihood of dependency hazards are based upon local historical records for the frequency, severity and duration of service denials. These estimates may serve as a baseline estimate of business as usual, and may be incrementally increased if the analyst believes they may be higher due to terrorist activity on the required supply chain elements. Confidential conversations with local utilities and major suppliers of critical materials may inform these estimates.

The likelihood of incurring collateral damage from an attack on a nearby asset is estimated based on the local situation, using the same logic as in estimating terrorist risks (above).

[6] To design to a 500- or 1000-year flood would presumably increase the cost of the infrastructure to the point that the additional investment would not be justified by the reduced risk (a benefit/cost decision made by a standards development organization and the jurisdiction that adopted the codes, both balancing the interests of the owners with those of the community).
As an exercise in evaluating risks to a particular asset, the organization may assume the threat likelihood is set to a value of 1.0, resulting in a conditional risk. It is noted that only when threat frequency is used in the risk equation does the risk become an absolute risk value for this facility. Absolute risks can be used to aggregate total risk, included in benefit-cost calculations, and rank orderings. Absolute risks can also be compared to risks for other assets, facilities and economic sectors, provided that the set of events is mutually exclusive, collectively exhaustive and sums to one. Conditional risk, however, can be useful in decision-making, especially in applying what-if assumptions about threat likelihood (e.g., "What would be the risk if one assumes the attack could happen once every 100 years? 200? 1000?"). Conditional risks can also be used to estimate the threat likelihood that would set the risk-reduction benefit-cost ratio to one (a break-even likelihood) and then consider whether that threat likelihood is plausible. If so, the investment in risk reduction may be worthwhile. And, finally, conditional risk can be used as an indicator of the attractiveness of a specific target because it captures both the consequences and likelihood of attack success.

Step 6 Risk and Resilience Assessment

Risk and resilience assessment creates the foundation for selecting strategies and tactics to defend against disabling attacks and events by establishing priorities based on this level of risk. The risk assessment step is a systematic and comprehensive evaluation of the previously developed estimates. The risk for each threat for each asset is calculated from the risk relationship:

Risk = Consequences x Vulnerability x Threat Likelihood

Risk to the organization is the aggregation of the absolute risk for all individual components being analyzed, if the set of scenarios (including no incident) can be assumed to be mutually exclusive, represent all possible incidents, and the assigned probabilities sum to one. The method used to aggregate risk is currently under development (see footnote 5 above).

Resilience is the ability of an organization, facility or asset to function despite and during an attack, natural event or dependency failure, or to restore functionality in a very short time. The opposite of resilience is brittleness, or the tendency to break down and cease to function during a traumatic event. For purposes of the RAMCAP Plus process, resilience is defined in different ways for the asset owner and community, respectively:

For the asset owner, the level of resilience for a particular asset/threat pair is expressed as:

Resilience (Owner) = Lost Revenue x Vulnerability x Threat

For the community, the level of resilience for a particular asset/threat pair is expressed as:

Resilience (Community) = Lost Economic Activity in the Community x Vulnerability x Threat
Where:

Lost Revenue: the product of the duration of service denial (in days), the extent of service denial (in physical units, e.g., thousand gallons per day) and the price of the service (in dollars per unit, e.g., dollars per thousand gallons), all of which are essential parts of estimating the owner's financial loss, i.e.:

Lost Revenue = Duration of Denial x Severity of Denial x Price per Unit

Lost Economic Activity in the Community: the amount of both the losses of output to direct customers and the indirect losses (multiplier effect) throughout the economy of the affected metropolitan region due to denial of service. It is usually estimated as a function of the asset's lost revenue and the duration of the service denial using a static application of basic regional economics.

The concept of resilience as applied to infrastructure is still evolving. Many analysts prefer to use the duration component of the above equations because it is the variable that most resilience-enhancement options act on. When comparing options, the product of duration and value (quantity denied times the unit price) provides a more useful and complete description.

Step 7 Risk and Resilience Management

This is the most important step in improving the risk level, resilience and reliability of the organization. Through the intelligent and informed management of risk, the organization is in a position to improve its level of service and security to its customers and the community. The RAMCAP Plus process provides the foundation to quantify risk on a defensible and reproducible basis for supporting resource allocation decisions (time, money, people, etc.) to reduce risk and enhance resilience. RAMCAP Plus assessment tools empower owners/operators of critical infrastructures to make difficult decisions, based on anticipated consequences and likelihoods that can be displayed and understood. This step actually reduces risk and increases resilience. It supports the decisions to select specific countermeasure and consequence-reduction options based on determining an acceptable level of risk and resilience at an acceptable cost.

Risk and resilience management is the deliberate course of deciding upon and implementing options (e.g., establishing or improving security countermeasures, improving consequence mitigation tactics, building in redundancy, entering into mutual aid pacts, creating emergency response plans, training and exercises in business continuity, etc.) to achieve an acceptable level of risk and resilience at an acceptable cost to the organization and the community. The initial risk and resilience analysis is based on the existing conditions at the asset. The reduction in risk and the increase in resilience, both weighted by their probabilities, are the benefit or value of the option, which can be compared to the cost of implementing it and the benefits of other options. The options may include countermeasures (directed toward reducing threat likelihood or vulnerability), or consequence-mitigating actions (intended to reduce the economic and public health consequences of an attack and hasten a return to full functionality). Taking no action, i.e., accepting the current level of risk, is always a baseline option against which all others are compared.
The major tasks in risk management are:

1. Decide whether the risk and resilience levels for each asset/threat pair are acceptable;
2. Define or develop countermeasures and mitigation/resilience options for each unacceptable asset/threat pair and estimate their investment and operating costs;
3. Evaluate the options by analyzing the facility or asset under the assumption that the option has been implemented, revisiting RAMCAP Plus process steps 2 through 6 to re-estimate the risk and resilience levels and the estimated benefits of the option (the difference between the risk and resilience with and without the option);
4. Accumulate the benefits across all asset/threat pairs for which a single option reduces risk and/or enhances resilience, so that the benefit of the option is the sum of the benefits it would bring about;
5. Estimate the benefit-cost ratio (and/or other criteria relevant in the organization's resource decision-making) to estimate the marginal value of each option;
6. Select among the options considering all the dimensions (benefit/cost ratios, fatalities, serious injuries, financial losses to the owner, economic losses to the community, and qualitative factors) and rank and allocate resources to them;
7. Implement, monitor and evaluate the performance of the selected options;
8. Conduct additional risk assessments to monitor progress and adapt to changing conditions.

The decision-making used in tasks 1 through 3 relies on the recalculation of some or all of the foregoing six steps in the RAMCAP Plus process, which will most likely result in an overall reduced risk through a reduced threat, vulnerability and/or consequences of an attack. Risk reduction is recognized by comparing the current risk with the reduced risk, assuming the system changes and resilience-enhancement options have been implemented. The amount of risk reduction (lowered vulnerability, threat/hazard probability or reduced consequences) or resilience enhancement (reduction in the number of days and severity of lost service and the corresponding losses to the community) results in and defines the benefits of the chosen options for the organization and the region, respectively.

The costs of the options are determined by estimating the necessary investment and operating outlays. A net-benefit analysis calculates the benefits less the costs (as time-discounted present value) to indicate the value added to the organization or region by the options. The benefit-cost ratio or other metric of marginal value (e.g., rate of return or return on investment) indicates the efficiency of the option in generating that value. Either can be used to rank options for resource allocation, but both must be considered in any final selection of options.

There are several distinct benefit metrics: (1) fatalities avoided, absolutely or per unit of cost; (2) injuries avoided, absolutely or per unit of cost; (3) the organization's financial net benefit and benefit-cost ratio; (4) the community's economic net benefit and benefit-cost ratio; and (5) improvements in the qualitative consequences. Therefore, the choices among the options are seldom decided with a single metric until available resources are exhausted; rather, a set of difficult trade-off decisions must be made. Some organizations apply explicit preferences to establish an initial portfolio of options and then adjust the selections as needed to balance the portfolio or program of risk-reduction and resilience-enhancement measures.
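The arithmetic of Steps 5 through 7 on one asset/threat pair, as an added example that is not part of the RAMCAP Plus text: it bins point estimates on the base-2 scales of Tables 2 and 3, applies the risk and owner-resilience relationships of Step 6, and solves for the investment break-even likelihood and the benefit-cost figures of Step 7. The facility figures, the hardening option and its annualized cost are constructed sample values.

```python
# Added example (not from the RAMCAP Plus text): Steps 5 to 7 for one asset/threat pair.
# It bins point estimates on the Table 2 and Table 3 scales, applies
# Risk = Consequences x Vulnerability x Threat Likelihood, computes the owner's
# resilience metric, and solves for the break-even threat likelihood at which an
# option's benefit-cost ratio is exactly 1.0. All figures are constructed sample
# values; dollar amounts are in $-million and the option cost is annualized.
from dataclasses import dataclass
from typing import Optional, Tuple


def consequence_bin(value: float) -> int:
    """Table 2 bin 0..13: 0-25 -> 0, 26-50 -> 1, each later bin doubles, 102,401+ -> 13."""
    if value < 0:
        raise ValueError("a consequence estimate cannot be negative")
    if value <= 25:
        return 0
    bin_no, upper = 1, 50
    while bin_no < 13 and value > upper:   # upper bounds 50, 100, 200, ..., 102,400
        upper *= 2
        bin_no += 1
    return bin_no


def vulnerability_bin(likelihood: float) -> str:
    """Table 3 bin label; lower bounds are inclusive, so 0.125 <= L < 0.25 is bin '3'."""
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError("a likelihood must lie in [0, 1]")
    for label, lower in (("5A", 0.90), ("5B", 0.75), ("5C", 0.50), ("4", 0.25),
                         ("3", 0.125), ("2", 0.0625), ("1", 0.0312)):
        if likelihood >= lower:
            return label
    return "0"


def risk_diagonal(consequence: float, likelihood: float) -> int:
    """Index of the constant-risk diagonal in the risk matrix. Both scales double per
    bin, so pairs with the same (consequence bin + basic vulnerability level) have
    products that agree to within the bin widths, i.e. a factor of about four."""
    basic_level = int(vulnerability_bin(likelihood)[0])   # '5A', '5B', '5C' -> 5
    return consequence_bin(consequence) + basic_level


@dataclass(frozen=True)
class Scenario:
    """Step 3 to Step 5 estimates for one asset/threat pair, owner's perspective."""
    owner_loss: float            # financial loss to the owner, $-million (Step 3)
    vulnerability: float         # likelihood that the attack succeeds (Step 4)
    threat: float                # annual likelihood of the attack (Step 5); 1.0 = conditional
    denial_days: float           # duration of service denial
    units_denied_per_day: float  # extent of denial, e.g. thousand gallons per day
    price_per_unit: float        # dollars per unit, e.g. dollars per thousand gallons

    def risk(self) -> float:
        """Risk = Consequences x Vulnerability x Threat Likelihood ($-million per year)."""
        return self.owner_loss * self.vulnerability * self.threat

    def lost_revenue(self) -> float:
        """Lost Revenue = Duration x Severity of Denial x Price per Unit ($-million)."""
        return self.denial_days * self.units_denied_per_day * self.price_per_unit / 1e6

    def owner_resilience(self) -> float:
        """Resilience (Owner) = Lost Revenue x Vulnerability x Threat."""
        return self.lost_revenue() * self.vulnerability * self.threat


def risk_reduction_benefit(baseline: Scenario, with_option: Scenario) -> float:
    """Annual benefit of an option: risk without the option minus risk with it (task 3)."""
    return baseline.risk() - with_option.risk()


def break_even_threat(baseline: Scenario, with_option: Scenario,
                      annual_option_cost: float) -> Optional[float]:
    """Threat likelihood at which net benefit is zero and the benefit-cost ratio is 1.0.
    Both scenarios are taken conditionally (threat = 1.0), so the unknown likelihood
    is the only factor left: T* = cost / (C0*V0 - C1*V1)."""
    conditional_gain = (baseline.owner_loss * baseline.vulnerability
                        - with_option.owner_loss * with_option.vulnerability)
    if conditional_gain <= 0:
        return None          # the option removes no risk, so no likelihood justifies it
    return annual_option_cost / conditional_gain


def net_benefit_and_ratio(baseline: Scenario, with_option: Scenario,
                          annual_option_cost: float) -> Tuple[float, float]:
    """Net benefit (benefit minus cost) and benefit-cost ratio for ranking (task 5)."""
    benefit = risk_reduction_benefit(baseline, with_option)
    return benefit - annual_option_cost, benefit / annual_option_cost


# Constructed sample: losing a treatment plant costs the owner $120M, the attack
# succeeds with likelihood 0.40, and the assumed attack likelihood is once in 100 years.
BASELINE = Scenario(owner_loss=120.0, vulnerability=0.40, threat=0.01,
                    denial_days=30, units_denied_per_day=5_000, price_per_unit=3.0)
# A hardening option that halves vulnerability and shortens the outage, at $1.5M per year.
WITH_OPTION = Scenario(owner_loss=90.0, vulnerability=0.20, threat=0.01,
                       denial_days=10, units_denied_per_day=5_000, price_per_unit=3.0)
OPTION_COST = 1.5

if __name__ == "__main__":
    print("bins:", consequence_bin(BASELINE.owner_loss), vulnerability_bin(BASELINE.vulnerability),
          "diagonal:", risk_diagonal(BASELINE.owner_loss, BASELINE.vulnerability))
    print("annual risk: baseline %.3f, with option %.3f" % (BASELINE.risk(), WITH_OPTION.risk()))
    print("owner resilience: %.4f -> %.4f" % (BASELINE.owner_resilience(), WITH_OPTION.owner_resilience()))
    print("break-even threat likelihood: %.3f" % break_even_threat(BASELINE, WITH_OPTION, OPTION_COST))
    print("net benefit %.2f, benefit-cost ratio %.2f" % net_benefit_and_ratio(BASELINE, WITH_OPTION, OPTION_COST))
```

With the assumed likelihood of 0.01 the option's benefit-cost ratio on the owner's financial metric alone is 0.2, and the break-even likelihood of 0.05 is what the decision-maker would have to find plausible for a "go" decision on that metric.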
Ideally, the organization would consider all these risk-reduction and resilience enhancement options collectively as a mixed portfolio of risk and resilience management. In looking at the selection of options for the portfolio, it is important to consider whether some may synergistically amplify or reduce the benefits relative to their simple sum. For example, if the owner installs a double security fence with dogs or patrols between, hardening a door inside the second fence may have less benefit than without the fences. Similarly, there may be trade-offs between risk-reduction and resilience-enhancement options. Increasing the security of a facility alone may improve resilience by reducing the likelihood of an unwanted event or the vulnerability to the event. In such cases, the context of the portfolio should correct the benefit estimates. In this sense, an option can have different benefits depending on other options in its portfolio. Failure to look for these adjustments may lead to missed opportunities or over-valued options. For this reason, the final choice of options should be a portfolio of options, not simply a list. Once a portfolio of options is selected, risk management extends to implementation of the chosen options, monitoring their effectiveness and taking corrective actions as needed. Risk management is the essential part of continuous security improvement, repeated periodically (e.g., annual budgeting) or as necessitated by changes in the threats, vulnerabilities, consequences or technologies. Risk can also be managed by acquiring insurance, entering into cooperative agreements, or simply accepting the calculated risk when it compares favorably with other operational risks such as financial or investment alternatives.

5. Preparing to Use the RAMCAP Plus Process


a. Composition of the Evaluation Team

A RAMCAP Plus risk assessment is a multi-disciplinary evaluation exercise that typically requires a risk assessment team composed of individuals with specialized expertise. Table 4 suggests the composition of the RAMCAP Plus assessment team. During the assessment, all team members will not be needed on a full-time basis, so it is useful to differentiate the core team members, listed at the top of the table, from members who will be needed on an on-call basis.

Table 4. Suggested Composition of a RAMCAP Plus Assessment Team

Role: Expertise

Core Team

Team Leader: Knowledge of and experience with the RAMCAP Plus risk assessment process and familiarity with configurations and operations of facilities being evaluated. This individual generally has taken specific training in the RAMCAP Plus process and the sector-specific guidance for the asset to be assessed.

Security Specialist: Knowledge of and experience with the application of facility security procedures, technologies, methods and systems, including law enforcement issues.

Safety Specialist: Knowledge of potential natural hazards and their resulting consequences to the asset, safety design requirements, procedures, methods, and safety systems analysis results.

Risk Analyst: Knowledge in the analysis of security risk application and procedures, data collection formats for important information analysis and evaluation, and documentation of security risk factors and results. RAMCAP Plus process training would be beneficial for this individual.

Operations Manager/Design Engineer: Knowledge of the full-asset operations and equipment management and system criticalities.

Maintenance Manager: Knowledge of critical operating equipment, its initial and replacement costs, identification of critical spares, work-around procedures, and preventive maintenance programs.

Others, as Needed

Facility Manager: Knowledge of the design of the asset and related systems under study including mission, customers served, asset value, functionality, critical assets, customer base and expectations, key suppliers, and operations and emergency action procedures.

Information Technologist: Knowledge of information systems technologies (including Supervisory Control and Data Acquisition (SCADA)) and cyber security provisions. Knowledge of facility manual and remote control systems, business cyber and security systems, and security and emergency operations plans.

Regulatory Compliance Specialist: Knowledge about state and federal regulatory requirements and status.

First Responders: Knowledge of the security program and its systems to include policies and procedures, emergency response plans, and evacuation procedures. May include representatives of local law enforcement, fire protection and emergency medical personnel.

Financial Specialist: Knowledge of the asset's billing and financial accounting systems, enterprise asset management systems and databases, cost accounting and tax principles for the specific asset.

The RAMCAP Plus risk/resilience assessment focuses on potential adversarial, natural and dependency hazards that could cause severe impacts on supporting systems at the facility. The shipment, storage, and handling of any form of flammable and/or toxic substances could pose a vulnerability concern that may not be integrally associated with the asset, but should be part of the risk assessment. Therefore, the security risk assessment studies should be conducted by a team with skills in both security and safety procedures and operational and reliability concerns of the facility. The team will evaluate traditional asset security, safety-related consequences and vulnerabilities, and subsequently implemented countermeasures. Input from other specialized engineering and safety organizations at the facility or from outside should be solicited as needed for certain portions of the RAMCAP Plus risk assessment.

b. Documents to Be Assembled Prior to the Assessment

Compiling documents and databases needed in the RAMCAP Plus assessment ahead of time can save valuable time and avoid frustrating breaks in the continuity of the process while data are retrieved. Table 5 provides a checklist of documents usually needed for a RAMCAP Plus assessment. The list is illustrative, not definitive. The team leader should define which of these items or others are likely to be required based on his or her knowledge of the facility.

Table 5. Checklist of Documents to be Assembled Prior to a RAMCAP Plus Assessment

1. Plot, schematic and/or aerial photo of the facility with defined dimensions, providing details of locations of major components and critical elements for further evaluation (at least a Google map or Google Earth image)
2. Schematic of the major process flows in the facility or system
3. System map or GIS representation, especially if the system being evaluated is geographically distributed
4. Building codes and permits in effect at time of latest construction
5. Annual report (at least balance sheet and income statement) for the most recent fiscal year
6. Any recent submissions to the Securities and Exchange Commission and/or the cognizant public utility commission
7. Most recent bond prospectus, if bond-financed
8. Most recent rate hearing files, if price-regulated
9. Most recent credit rating report
10. Cost data on any construction within the last five years
11. Identify the source and point of entry/egress for key infrastructures, e.g., power, water and wastewater services, telecommunications, key suppliers, major customers, employees
12. Data on local utilities' reliability and outage frequency
13. Data on locally relevant natural hazard severity and frequency
14. Varieties of remote and manual control systems, including SCADA systems
15. Physical security and alarms
16. Any other relevant operations and protection equipment
17. Emergency operations and technical inventory data, including the following:
   a. Inventory of critical components and necessary replacement parts for critical assets and operational equipment, back-up power units and electronic systems
   b. Power generation and transmission requirements, including transformers, switchyard gear and relay systems, governors, control panel equipment, and other critical electrical components
   c. Metrics for environmental and ecological requirements
18. Insurance coverage for capital and business interruption expenses, including potential loss of revenue, impacts on user rates, and critical customer base
19. Previous risk assessment(s), SVA(s), or other security risk analysis reports completed for the facility (if available)
20. Existing and planned operator and asset security operations systems, procedures, countermeasures, and physical security plans that describe security systems in place, to include: barriers, closed-circuit television (CCTV), access controls, intrusion detection system (IDS), as well as protective measures
21. Emergency preparedness, protocols and action plans, studies and maps, drills or exercises conducted with law enforcement authorities, and response procedures and agreements (those of the facility and of off-site responders), including on-site consequence mitigation systems and response times for local or state law enforcement and fire-rescue
22. Security incident reports (physical and cyber), ongoing or on-file
23. Cyber security policies, plans, and procedures, including password controls
24. SCADA system design and operational characteristics (e.g., how systems are connected, use of data historian reports, remote access capability, etc.)
25. Information systems, including flow diagrams and management policies
26. Facility operator and occupancy rates (typically found in project studies)
27. Buffer Zone Protection Plan (BZPP) description and application for facilities
28. U.S. Census Data* (e.g., LandView 5 or 6, or other source)
29. HAZUS-MH data**
30. EPA Risk Management Plan (RMP) or other risk-related reports required by regulations

* LandView is a DVD and CD-ROM publication of data and maps, jointly issued by the Census Bureau, EPA, USGS, and NOAA. For more information, see the official LandView website http://www.census.gov/geo/landview.
** http://www.fema.gov/plan/prevent/hazus/hz_app.shtm

6. Benefits of Using the RAMCAP Plus Process


a. Benefits of a RAMCAP Plus Assessment

Many benefits are realized when an organization conducts a RAMCAP Plus assessment. These can include enhanced security and resilience; quantification of potential consequences and the benefits of their avoidance; and enhanced public policy. Each of these provides the organization and its decision-makers with critical information for the effective allocation of resources and is discussed further below. It should also be recognized that completing a RAMCAP Plus assessment provides invaluable secondary benefits, among them an increase in staff awareness of the security threats and vulnerabilities faced by all organizations in today's tense environment.

Enhanced Security and Resilience. Upon completion of a RAMCAP Plus assessment, the organization will have identified its most significant threats, its most important vulnerabilities and the potential consequences it may face should an attack be successful. The organization will also have developed a prioritized set of options for reducing or eliminating the risk, and for enhancing the resilience of component parts and of the organization overall. The result can be a significant improvement in the security of the system to prevent or repel an attack, as well as an increase in the system's resilience to continue operations and to recover and restore full service to its customers after a successful attack or other undesirable event.

Improved Decision-Making from Quantification of Potential Fatalities, Injuries and Losses. While many security improvements may require significant capital as well as operating and maintenance expenditures, substantial improvement in security can be achieved through minimal investment. Unlike some other investments in the organization, many security and resilience investments are not immediately offset by an identifiable revenue stream. Therefore, it can be difficult for an organization to place security investments in their proper perspective alongside its other investment and operating demands. A significant output of a RAMCAP Plus assessment is the quantification of the possible negative consequences should the investment in risk reduction or resilience enhancement not be made, and of the value of the reduction in these consequences if it is made. This analysis includes complete and directly comparable estimates of benefits, costs and benefit-cost ratios (or other metric of marginal value per dollar of investment) which are directly comparable to other options: the information needed for rational allocation of resources. These decisions create a prioritized plan to enhance security and resilience that is integral to the organization's overall investment and operating plans.

The ability to provide credible benefit-cost ratios or similar metrics allows security and resilience concerns to enter the boardroom to compete with other investments. Over time, security and resilience considerations will take their place with health and safety, environmental protection, equal opportunity and even strategic profitability as investment criteria. To the extent that insurance companies, financial rating organizations, lenders and investors begin to place value on security and resilience (business continuity) concerns, these trends will accelerate.

Enhanced Public Policy. No government agency can know all of the pertinent details of any other organization's relevant risk and resilience posture. Likewise, few organizations other than government agencies are in a position to understand the intentions and capabilities of a terrorist adversary, and only the most sophisticated adequately plan for natural events or dependency hazards, even with historical statistics. The consistent terminology of RAMCAP Plus provides the common language for organizations and government agencies to have a meaningful dialogue. By working together and sharing appropriate knowledge, the participants are able to achieve their goals. The common language used by a RAMCAP Plus analysis, based on carefully defined and agreed-upon terminology, specific and focused threats and structured consequence metrics, provides the basis for an organization to compare itself with others similarly situated.
From a more aggregate perspective, the rigorously comparable results of the RAMCAP Plus process permit rational resource allocation across all sectors: for the facility manager; the business executive with multiple facilities; the mayor or regional public-private partnership with municipal and metropolitan risk and resilience issues; similarly for governors and legislators at all levels of government; and ultimately the Federal government, which must annually allocate billions of dollars among a myriad of competing claims. There can be no solution to these issues without rigorous comparability and transparency in the estimates of risk and risk reduction, fragility and resilience.

b. Benefits of Using RAMCAP Plus Voluntary Consensus Standards as a National Strategy

ASME, alone or with other major standards developing organizations (as recognized by the American National Standards Institute), has suggested a program that would convert any sector-specific guidance that is RAMCAP Plus-consistent into a voluntary consensus standard and maintain it without cost to taxpayers. Maintenance would include standing committees of experts to evaluate, enhance and evolve the standards over time, continued consistency across sector-specific standards, provision of publications, training, accreditation and certification, and conformance assurance. The Technology Transfer and Advancement Act of 1995 (P.L. 103-113) and the complementary Office of Management and Budget (OMB) Circular 119 require that, if a voluntary consensus standard on a specific subject exists, it must be used in federal regulations, procurements, etc., unless a waiver is expressly granted by the Director of OMB. Title IX of the 9/11 Commission Recommendations Act (P.L. 110-53) directs the use of consensus standards in the national pursuit of preparedness, protection, response and resilience, and creates voluntary accreditation and certification mechanisms.


This body of law and policy has been effective in substituting general private-sector standards for uniquely federal standards in an ever-growing trend, according to the National Institute of Standards and Technology, which conducts an annual survey of the use of private-sector consensus standards in government. The number of voluntary consensus standards in use by the Federal government rose from fewer than 2000 in 1997, the first year of the survey, to more than 6000 in 2005, the latest year published. The number of government-unique standards replaced by voluntary consensus standards grew from a negligible number to more than 2000 in the same period (U.S. Dept. of Commerce, 2006). ASME's suggestion to develop consistent but industry-specific standards provides numerous benefits, among which are:

- Maintains consistency and comparability of results within and across sectors of the economy and between public and private assets.
- Provides continuity through changing circumstances.
- Provides an accepted standard to be referenced by insurance agencies, credit agencies, major customers, etc., to specify and reward preparedness.
- Institutionalizes the consensus process of all relevant stakeholders, including, but not driven by, the Federal government.
- Uses existing mechanisms for implementation: most decision-makers in industry and the public sector understand codes and standards.
- Provides evidence of compliance with best industry practices and standards, an affirmative defense in tort cases.
- Supports effectiveness of the process through publications, training, certification, accreditation, conformance assurance, evaluation of effectiveness, regular updates, etc.
- Provides for continuous improvement while maintaining consistency and comparability.
- Costs the Federal government nothing other than perhaps SSG development.

These benefits result in dynamic, effective risk and resilience management driven by the private sector in true partnership with all other stakeholders' interests, including public and nonprofit concerns, for as long as there is demand for the standard.

References and Further Reading


American Petroleum Institute and the National Petrochemical and Refiners Association. October 2004. Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical Industries, Second Edition (includes reporting form templates).

Baker, Arnold, et al. 2002. A Scalable Systems Approach for Critical Infrastructure Security, Sandia National Laboratories, SAND 2002-0877, www.sandia.gov/scada/documents/020877.pdf.

Brealey, R. and Myers, S. 2000. Principles of Corporate Finance, Sixth Edition, Boston, MA: Irwin McGraw-Hill.

Brigham, E., L. Gapenski and M. Ehrhardt. 1999. Financial Management: Theory and Practice, Ninth Edition, Fort Worth, TX: The Dryden Press.

Center for Chemical Process Safety. 1995. Tools for Making Acute Risk Decisions: with Chemical Process Safety Applications, American Institute of Chemical Engineers.

Center for Risk and Economic Analysis of Terrorism Events, University of Southern California, http://create.usc.edu/ (contains terrorism risk analysis papers from various CREATE symposia).

Fishhoff, B. 2002. Assessing and Communicating the Risks of Terrorism, in Science and Technology in a Vulnerable World, A. H. Teich, S. D. Nelson, and S. J. Lita (eds.), AAAS, Washington, D.C., pp. 51-64.

Hutchinson, Harry. January 2005. Calculating Risks: Can the Science that Judges the Safety of Nuclear Plants Secure the Infrastructure of a Nation, Mechanical Engineering.

Kirkwood, Craig W. 1997. Strategic Decision Making: Multiobjective Decision Analysis with Spreadsheets, Wadsworth Publishing Co., New York.

Moteff, John. September 2, 2004. Risk Management and Critical Infrastructure Protection: Assessing, Integrating and Managing Threats, Vulnerabilities, and Consequences, Congressional Research Service, Library of Congress (order code RL32561).

Multihazard Mitigation Council. December 2005. Natural Hazard Mitigation Saves: Independent Study to Assess the Future Benefits of Hazard Mitigation Activities, Volume 2, Study Documentation. Prepared for the Federal Emergency Management Agency of the U.S. Department of Homeland Security by the Applied Technology Council under contract to the Multihazard Mitigation Council of the National Institute of Building Sciences, Washington, D.C.

National Research Council. 2002. Making the Nation Safer: The Role of Science and Technology in Countering Terrorism, The National Academies Press, Washington, D.C. (esp. Chapter 10, with its extensive bibliography).

Rose, A. 2004. Economic Principles, Issues, and Research Priorities in Natural Hazard Loss Estimation, in Okuyama Y. and Chang S. (eds.), Modeling the Spatial Economic Impacts of Natural Hazards, Heidelberg: Springer, 2004, pp. 13-36.

Rose, A. 2006. Economic Resilience to Disasters: Toward a Consistent and Comprehensive Formulation, in Paton D. and Johnston D. (eds.), Disaster Resilience: An Integrated Approach, Springfield, IL: Charles C. Thomas, 2006, pp. 226-48.

Rose, A. 2007. Macroeconomic Modeling of Catastrophic Events, in Quigley J. and Rosenthal L. (eds.), Real Estate, Catastrophic Risk, and Public Policy, Berkeley, CA: Berkeley Public Policy Press, forthcoming.

Rose, A. and Liao, S. 2005. Modeling Regional Economic Resilience to Disasters: A Computable General Equilibrium Analysis of Water Service Disruptions, Journal of Regional Science, Vol. 45, No. 1, 2005, pp. 75-112.

Rose, A., Oladosu G., and Liao S. 2007. Business Interruption Impacts of a Terrorist Attack on the Water System of Los Angeles: Customer Resilience to a Total Blackout, in Richardson, H., Gordon, P., and Moore, J. (eds.), Economic Costs and Consequences of Terrorist Attacks, Cheltenham, UK, pp. 291-316.

U.S. Department of Commerce. 2006. National Institute of Standards and Technology. Ninth Annual Report on Federal Agency Use of Voluntary Consensus Standards and Conformity Assessment. Washington, D.C.: Government Printing Office.

U.S. Department of Homeland Security. February 2004. DHS Interim Rule on Procedures Associated with Sharing and Handling of Information Designated as Critical Infrastructure Information. Federal Register, Vol. 69, No. 34, pp. 8074-8089.

U.S. Government Accountability Office. October 12, 2001. Homeland Security: Key Elements of a Risk Management Approach, GAO-02-150T.

U.S. Nuclear Regulatory Commission. November 1995. Regulatory Analysis Guidelines of the U.S. Nuclear Regulatory Commission, Final Report, NUREG/BR-0058, Revision 2.


Part C. Using the RAMCAP Plus Process


Step 1. Asset Characterization

The first step in the RAMCAP Plus process, Asset Characterization, has two purposes:

- To determine whether a specific facility is sufficiently critical to justify embarking on a RAMCAP analysis (the top screen phase; see footnote 7); and
- To decide which specific assets within a facility to include in the assessment (the asset selection phase).

Both phases are concerned primarily with potential consequences, asking whether they are large enough to justify including the facility or asset, respectively, in the analysis. Their purpose is efficiency: to focus attention on the important facilities and assets rather than spending the time and cost of analyzing those that are less significant. These decisions are central to an efficient and effective assessment because each individual asset selected for inclusion will be analyzed against all feasible reference threats, with estimates of all metrics. The total number of analyses is the number of assets included times the number of reference threats, currently as many as thirty-nine reference threats. In order to keep the number of threat/asset combinations manageable, significant discretion is required in this step.

a. The Top Screening Phase

The top screening phase eliminates whole sites or major facilities because their potential consequences are not large enough to justify a follow-on assessment. The phase includes gathering basic facility data that documents the low potential. The chemical sector, for example, has facilities that range from small warehouses or storage sites to extremely large processing facilities. A top screening method could be used to eliminate the low-consequence facilities. This evaluation can be performed on the basis of the types of materials, maximum potential fatalities, serious injuries, major financial losses to the owner, economic impacts on the community or other metrics that can be easily estimated. Great precision is not required in these screening estimates because if the facility screens in, all the estimates will be refined. In general, the facilities selected for further analysis are those that inherently could have very serious consequences or are critical to systems that could have very significant consequences.
7 Some sectors, such as the water and wastewater sector, have chosen to forego the top screen phase in favor of encouraging universal application of RAMCAP process-consistent tools to all water systems.


The first level screen will greatly reduce the number of facilities, assets or venues that require further evaluation. The top screening method is developed further and tailored for the specific sectors in the Sector-Specific Guidance documents, developed in collaboration with representatives of the respective sectors. The specific criteria and approach are dependent upon the technical aspects and cultures of the individual sectors. The SSG documents provide insight into how the sites and facilities of the sector should be characterized and address the threat scenarios that should be evaluated for consequences for top screening. Facilities that have not been screened out during the top-level screening method should conduct a vulnerability/risk assessment. The first step is to characterize individual assets within the facility.

b. The Asset Selection Phase

The asset selection phase consists of the six tasks summarized in Table 6. The results of this characterization will be a list of candidate critical assets that should be further considered by applying the RAMCAP Plus process. Note that the first two tasks could be taken in the reverse order and are most effectively performed in an iterative, simultaneous fashion, considering critical functions and the assets necessary to perform them.

Table 6. Tasks of Step 1, Asset Characterization

Task 1.0 Asset Characterization

Task 1.1 Identify critical functions. Activity: Identify the critical functions of the facility, those that are essential to its success in carrying out its mission.

Task 1.2 Identify critical assets. Activity: Identify critical assets of the facility, including people, equipment, systems, chemicals, products and information necessary to performing the critical functions.

Task 1.3 Identify critical infrastructures and interdependencies. Activity: Identify the critical internal and external infrastructures and their interdependencies (e.g., electric power, petroleum fuels, natural gas, telecommunications, transportation, water, emergency services, computer systems, air handling systems, fire systems and SCADA systems) that support the critical operations of each asset or function. Identify which of these have readily available alternatives should they be needed.

Task 1.4 Identify existing countermeasures. Activity: Identify what protects and supports the critical functions and assets. Identify the relevant layers of existing security systems, including physical, cyber, operational, administrative and business continuity planning, as well as the process safety systems that protect each asset.

Task 1.5 Identify potential consequences. Activity: Identify the potential consequences or impacts to the assets and the critical functions of the facility from the disruption, damage, or loss of each of the critical assets or functions.

Task 1.6 Select targets for further analysis. Activity: Develop a list of critical functions and assets for further study.


Depending upon the type of facility being evaluated, any type of asset (human, mechanical, cyber or other) may be considered in the evaluation. For example, the process control system may be designated as critical, since protecting it from physical or cyber attack may be important to prevent a catastrophic release or other event of concern. The full range of both material and non-material aspects that enable a facility to operate should be included. Table 7 is an example from the petrochemical sector of specific assets that could be designated as critical at any given site. Assets include the full range of both material and non-material resources that enable a facility to operate.

Task 1.1 Identify Critical Functions. The evaluation team identifies the critical functions that define the facility's purpose or core mission, to determine which assets perform or support these critical functions. For example, the steam power plant of a refinery may be critical since it is the sole source of steam supply to the refinery. In other sectors (such as dams and drinking water reservoirs, transportation and bridges, etc.), there will be other critical functions that should be considered.

Task 1.2 Identify Critical Assets. The evaluation team identifies critical assets for the site being studied. Critical assets are those on which the core mission or function of the facility depends and whose damage or destruction would lead to the degradation or cessation of the facility's ability to function. Assets may also be considered critical if their damage or destruction could pose a significant danger to the public or employees of the facility, result in major financial loss to the owner or economic loss to the surrounding community, reduce military readiness, etc. The definition of criticality is a central step in a RAMCAP Plus analysis. It can vary with the specific decisions to be made or the level of the decision-maker, e.g., plant manager, governor or the Secretary of Homeland Security.


Table 7. Example Candidate Assets Characterization for the Chemical and Petrochemical Sectors

Security Event Type: Loss of Containment, Damage or Injury. Candidate Critical Assets:
- Process equipment handling petroleum and hazardous materials, including processes, pipelines, storage tanks
- Marine vessels and facilities, pipelines, other transportation systems
- Employees, contractors, visitors in high concentrations

Security Event Type: Theft. Candidate Critical Assets:
- Hydrocarbons or chemicals processed, stored, manufactured or transported
- Metering stations, process control and inventory management systems
- Critical business information from telecommunications and information management systems, including Internet accessible assets

Security Event Type: Contamination. Candidate Critical Assets:
- Raw material, intermediates, catalysts, in processes, storage tanks, pipelines
- Product contamination
- Critical business or process data

Security Event Type: Degradation of Assets. Candidate Critical Assets:
- Processes containing petroleum or hazardous chemicals
- Business image and community reputation
- Utilities (electric power, steam, water, natural gas, specialty gases)
- Telecommunications systems
- Business systems

Security Event Type: Dependency & Location Hazards. Candidate Critical Assets:
- Utilities service interruption
- Key suppliers service interruption
- Employees unable/unwilling to come to work
- Key customers unable to take production
- Transportation into and/or out of the facility
- Location near another attractive target facility, an attack on which could cause significant collateral damage

Task 1.3 Identify Critical Infrastructures and Interdependencies. The evaluation team identifies the critical internal and external infrastructures and their interdependencies. The infrastructures may include electric power, fuels, natural gas, telecommunications, transportation, water and wastewater, emergency services, computer systems, air handling systems, fire systems and Supervisory Control and Data Acquisition (SCADA) systems and other systems that support the critical operations of each asset. For each infrastructure, it is necessary to identify what fall-back alternative supplies or suppliers exist. For example, an electrical substation may be the sole electrical supply to the plant, or a supplier delivers raw material to the facility via a single pipeline or terminal. Some of these issues may be beyond the control of the owner/operator, but it is necessary to understand and identify the dependencies and interdependencies of the facility, as well as the consequences of loss of these systems. Many of these infrastructures are interdependent, i.e., failure of one may cause failure of others.


An example would be the interruption of water pressure, which might endanger water-cooled processes and fire control systems that protect the SCADA system and the personnel that manage the whole plant.

Task 1.4 Identify Existing Countermeasures and Construction Codes and Standards. The evaluation team identifies and documents the existing security and process-safety protection. This may include physical security, cyber security, administrative controls and other safeguards. The objective is to gather information on the types of safety and security strategies available, their design basis, and their completeness and effectiveness. The objectives of the physical security portion of the survey are to identify measures that protect the entire facility and/or each critical asset of the facility and to determine the effectiveness of the protection. In addition to the features of the facility explicitly designed as protective countermeasures, the evaluation team should compile the construction codes and standards of the time the facility (including updates and modifications) was permitted. Many of these codes and standards relate to the health and safety of the public and employees, and thereby indirectly constitute countermeasures against certain threats, especially natural hazards.

Task 1.5 Identify Potential Consequences. Potential consequences may be the determining factor in deciding whether a specific asset is sufficiently critical to be included in the next steps. In this context, "potential" refers to the worst reasonable damage that any successful attack could achieve. Without a high potential for consequences that a decision-maker would seek to avoid, the potential risk is negligible. The criteria for differentiating between consequence levels for inclusion depend on the decision-maker's purpose and role, so they are typically set lower for an in-house assessment than for an assessment to identify the major critical assets of a state or the nation. For those analyses, conducted to improve the knowledge needed for government decision-making, many assets and scenarios will be screened out as having insufficiently high potential for consequences. An estimate of the potential consequences of the damage or loss of an asset, without regard to the attack method, is the most reliable way to quickly and efficiently screen out assets that are of insufficient concern to warrant further attention. Table 8 displays the dimensions on which consequences can be estimated, either qualitatively or quantitatively. This approach to screening based on potential consequences should be applied to all assets under consideration. The consequence screening looks at the same factors considered in the follow-on risk analysis, making it possible to develop the knowledge in the screening process and modify it appropriately during consideration of a defined threat scenario.


Table 8. RAMCAP Plus Consequence Parameters

1. Human Health & Safety Impacts
   a. Fatalities on site/off site*
   b. Serious injuries on site/off site*
   c. Acquisition of dangerous materials/weapons of mass destruction
   d. Contamination of water, food or pharmaceutical products
2. Financial & Economic Impacts
   a. Asset replacement costs*
   b. Remediation costs*
   c. Business interruption costs*
   d. Negligence liability costs*
   e. National/regional economic losses/multiple sector impacts*
   f. Loss of critical data
   g. Loss of reputation or business viability
3. National Security & Government Functionality Impacts
   a. Military mission importance and readiness
   b. Delivery of public health services
   c. Contamination of/disruption to critical potable water or sanitation services
   d. Interruption of governance, public safety or law enforcement
4. Environmental Impacts
   a. Permanent or long-term damage to the ecosystem
   b. Pollution of air, water or soil
5. Psychological Impacts
   a. Impact to iconic/symbolic assets
   b. High profile and/or symbolic casualties
   c. Loss of consumer confidence
   d. Loss of confidence in governmental institutions

* Quantitative estimates should be broadly estimated; these will be refined in Step 3, Consequence Analysis.

The consequence identification task includes the determination of the asset being compromised as well as the general magnitude of the consequences to be estimated, as indicated in Table 8. The intent is to develop a list of target assets that require further analysis based, in part, on the degree of hazard and its associated consequences. Both terrorist attacks and natural hazards should be considered. The consequence analysis is done in a general manner. For example, in the chemical or water sectors, if the security event involves a toxic or flammable release to the atmosphere, a starting point could be the EPA's Risk Management Plan (RMP) offsite consequence analysis guidance.


The consequences of a security or natural event at a facility are generally expressed in terms of the degree of acute health effects, e.g., immediate fatalities and serious injuries, as well as property damage, environmental effects, etc. This definition of consequence is the same as that used for accidental releases and is appropriate for security and natural hazards. The key difference is that security or natural hazards may involve effects that are more severe than expected with accidental releases. This difference has been considered in the tasks of the evaluation. The economic consequences identified through the RAMCAP Plus process include direct repair and replacement costs, business interruption, the cost of cleanup and restoration, and lost regional economic activity due to service denial.

The evaluation team should evaluate the potential consequences of an attack using the best combined judgment of its members. If scenarios are generated, the specific consequences should be described in scenario worksheets. Team members knowledgeable of the asset and skilled in its technology should review any offsite consequence analysis data previously developed for safety analysis purposes or prepared for adversarial attack analysis. The consequence analysis data may include a wide range of release scenarios as appropriate. Proximity to off-site population is a key factor because it is a major influence both on those selecting a target and on those defending it. In terms of attractiveness to a terrorist, a target that could expose a large number of persons to harm is likely to be a high-value, high-payoff target relative to one located in an area of lower population density.

Task 1.6 Select Targets for Further Analysis. For each asset identified, the critical nature of the asset must be understood, i.e., its contribution to performing the mission or function of the facility and its potential for severe consequences. This depends on the value of the asset, the hazards to the asset, and the consequences if the asset is damaged, stolen, or misused. For hazardous chemicals, consideration may include toxic exposure to workers or the community, the potential use of the chemical to produce a weapon, or the properties of the chemical that might contaminate public resources. For a water utility, it might include the possibility of product contamination or denial of service for a significant duration. The evaluation team should develop a target asset list: the facility's assets that are likely to be attractive targets or to result in major consequences if damaged. During the Vulnerability Analysis (Step 3), the target assets will be paired with specific reference threats and evaluated against the potential types of attack that could occur.

*****

Example Problem
The following example is presented to illustrate the application of the RAMCAP Plus process. The example uses a hydro-electric dam that provides power, flood control, water supply and recreation to a sizable population. This example will be revisited at the end of each successive step, adding information until the example is complete.


This portion of the example describes Step 1, the Asset Characterization. The dam is critical to the regional power supply and holds back water that would cause widespread flooding, fatalities and property damage if breached. For these reasons, it was assigned the highest classification in the facility top screen. Next is the phase in which the entire dam, and possibly its lock or locks, is broken down into its respective functions (power generation, flood control, etc.) and each function into the individual assets that support it. The concept of identifying individual assets is particularly relevant to how the threat scenarios are applied to the facility. For example, an assault team does not attack the entire dam; rather, the dam complex is attacked by destroying individual components. As an example, the switchyard can be the focus of the attack. By disabling the switchyard, electricity cannot be provided to the grid, which can have serious economic consequences. Thus, the individual components or assets of the infrastructure facility are attacked rather than the entire facility. In this example problem a partial list of assets would consist of the following:

- Spillway gates
- Turbines
- Switchyard
- Transformers
- Control room
- Navigation locks

This list contains only some of the major components. The assessment team should further break down the asset list to include individual parts of major components that could be attacked. For example, the spillway gates, assumed here to be radial arm gates, consist of a pinion, pinion bearing, radial arms, and circular plate steel water barrier gate. The attacker would seek to destroy a component of the gate and allow the water pressure to destroy the gate. An explosive charge on the pinion could result in the loss of support and the force from the water would cause the gate to buckle or become detached from the anchor points. The more detailed knowledge the adversary possesses about each critical component, the greater likelihood of success. For this reason, it is essential to have knowledgeable individuals on the assessment team. It must be assumed that the adversary is highly informed and competent.
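To make the asset selection and consequence-screening logic of Step 1 concrete for the dam example, here is an added Python illustration; it is not part of the RAMCAP Plus text nor any ASME-ITI tool. It screens a constructed list of the dam's assets against constructed thresholds on the Table 8 parameters that carry quantitative estimates (Task 1.5), keeps the ones that screen in (Task 1.6), and then enumerates the asset/reference-threat combinations the follow-on analysis would have to cover, dropping combinations that are infeasible for the asset, in the spirit of the "marine attack on a desert facility" exclusion made in Step 2. The asset figures, the thresholds, the three feasibility attributes and the five threat classes are all assumptions chosen for illustration; the real reference threat set has up to thirty-nine entries.

```python
"""Step 1 screening for the dam example: consequence-based asset screening and
asset/reference-threat pairing. Added illustration; every figure is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """Worst-reasonable-case consequence estimates for one candidate asset (Task 1.5).
    Only the Table 8 parameters that carry quantitative estimates are modelled."""
    name: str
    fatalities: int            # on site + off site
    serious_injuries: int      # on site + off site
    financial_loss_usd: float  # owner's replacement, remediation and business interruption
    regional_loss_usd: float   # lost regional economic activity from service denial
    # Assumed facility characteristics that decide which reference threats are feasible.
    waterside: bool            # reachable from the reservoir or tailwater
    vehicle_accessible: bool   # reachable by road vehicle
    networked: bool            # has a control-system or business network connection


@dataclass(frozen=True)
class Thresholds:
    """Screening criteria: an asset screens in if ANY dimension meets its threshold.
    Constructed defaults; a real assessment sets them to the decision-maker's purpose
    (an in-house assessment typically uses lower values than a state or national one)."""
    fatalities: int = 1
    serious_injuries: int = 10
    financial_loss_usd: float = 1_000_000.0
    regional_loss_usd: float = 10_000_000.0


def triggered_dimensions(asset: Asset, th: Thresholds = Thresholds()) -> list[str]:
    """Names of the consequence dimensions on which the asset meets or exceeds its threshold."""
    checks = {
        "fatalities": asset.fatalities >= th.fatalities,
        "serious_injuries": asset.serious_injuries >= th.serious_injuries,
        "financial_loss_usd": asset.financial_loss_usd >= th.financial_loss_usd,
        "regional_loss_usd": asset.regional_loss_usd >= th.regional_loss_usd,
    }
    return [dim for dim, hit in checks.items() if hit]


def screen_assets(assets: list[Asset], th: Thresholds = Thresholds()) -> list[Asset]:
    """Task 1.6: keep the assets whose potential consequences justify further analysis."""
    return [a for a in assets if triggered_dimensions(a, th)]


# Constructed reference-threat classes, each with a feasibility test for a given asset.
REFERENCE_THREATS = {
    "assault team": lambda a: True,
    "vehicle-borne explosive": lambda a: a.vehicle_accessible,
    "marine-borne explosive": lambda a: a.waterside,
    "cyber attack on control systems": lambda a: a.networked,
    "flood exceeding design basis": lambda a: True,
}


def feasible_pairs(assets, threats=REFERENCE_THREATS):
    """Asset/threat combinations the follow-on analysis must cover, excluding
    combinations that are infeasible for the asset (e.g., a marine-borne
    explosive against a landlocked switchyard)."""
    return [(a.name, t) for a in assets for t, feasible in threats.items() if feasible(a)]


# Constructed partial asset list for the dam example (values are illustrative only).
DAM_ASSETS = [
    Asset("Spillway gates", 500, 2000, 50e6, 500e6, waterside=True, vehicle_accessible=True, networked=True),
    Asset("Turbines", 0, 5, 20e6, 40e6, waterside=True, vehicle_accessible=False, networked=True),
    Asset("Switchyard", 0, 2, 5e6, 80e6, waterside=False, vehicle_accessible=True, networked=False),
    Asset("Transformers", 0, 2, 3e6, 60e6, waterside=False, vehicle_accessible=True, networked=False),
    Asset("Control room", 0, 3, 1e6, 30e6, waterside=False, vehicle_accessible=True, networked=True),
    Asset("Navigation locks", 2, 10, 8e6, 15e6, waterside=True, vehicle_accessible=False, networked=True),
    Asset("Visitor center", 0, 1, 0.2e6, 0.5e6, waterside=False, vehicle_accessible=True, networked=False),
]


if __name__ == "__main__":
    kept = screen_assets(DAM_ASSETS)
    for a in DAM_ASSETS:
        dims = triggered_dimensions(a)
        print(f"{a.name:18s} {'IN ' if dims else 'OUT'} {', '.join(dims)}")
    pairs = feasible_pairs(kept)
    print(f"{len(kept)} assets x {len(REFERENCE_THREATS)} threats = "
          f"{len(kept) * len(REFERENCE_THREATS)} combinations, {len(pairs)} feasible")
```

With the constructed defaults the visitor center screens out and the six assets from the list above screen in; raising the thresholds to state- or national-level values (for instance 100 fatalities or $100 million of regional loss) leaves only the spillway gates, which is the behaviour Task 1.5 describes for analyses done at higher levels of government. The feasibility filter is what keeps the assets-times-threats product from growing into unnecessary analyses: six assets and five threat classes give thirty combinations, of which twenty-three survive here.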


References and Further Reading


American Petroleum Institute and the National Petrochemical and Refiners Association. October 2004. Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical Industries, Second Edition.

Balkey, K. R., Ayyub, B.M., Chapman, V.O.J., Gore, B.F. 1992. Risk-Based Inspection Development of Guidelines, Vol. 1 General Document, CRTD Vol. 20-1, ASME International (also published by the Nuclear Regulatory Commission with report number NUREG/GR-0005), Washington, DC.

Center for Chemical Process Safety. June 2003. Guidelines for Analyzing and Managing the Security Vulnerabilities of Fixed Chemical Sites.

National Institute of Justice. November 2002. A Method to Assess the Vulnerability of U.S. Chemical Facilities, U.S. Department of Justice.


Step 2. Threat Characterization

a. Reference Threats

This chapter provides the approach for characterizing the risk scenarios currently used in the RAMCAP Plus approach. The goal is to provide a process that facilitates the consistent, objective calculation of risk associated with terrorist, dependency and natural hazards across all assets within an economic sector and across diverse economic sectors. This common framework, when properly constructed and deployed, allows its users to quantitatively compare risks across a variety of infrastructure assets. The use of common terminology is required to ensure that all users understand the steps for applying the process. A common set of metrics or scales is defined so that all risk calculations are performed in the same way and reported using calibrated and consistent rules. The risk calculated for any given asset can be compared to the risk of any other asset only if the risk value is determined using the same method, the same metrics and considering the same threats. Finally, all assets must be evaluated for the same threat scenarios.

One of the more difficult problems in defining the parameters for a security risk analysis is defining the types of threats to be considered. Without a common set of threats, the risk estimate of any given facility is bound only by the imagination of the evaluation team and cannot be used to compare assets. The RAMCAP Framework addressed this problem by establishing a predefined set of reference threats: thoroughly specified threats to be used in all assessments for which they are feasible. The reference threats must encompass all manner of hazards that could confront a facility or asset. Hazards that would result in total devastation, however, are not included among the reference threats because no countermeasures or mitigation strategies can be implemented at the level of the facility or asset. For total catastrophes, risk management at a higher level of organization or government is needed.
The reference threat is not to be confused with a design-basis threat, which is defined as a threat the asset or facility can withstand due to its design, construction and/or countermeasures. A reference threat, by contrast, does not imply it can be withstood, but is rather a series of diverse and often graduated threats that permit calibration of the overall risk to the asset. The purpose of the defined reference threat scenarios is to establish a common set of events to which the estimates of consequence, vulnerability and threat can be tied.


For the purposes of decision-making at various levels of government and in multi-facility corporations or other organizations (e.g., multi-campus universities), there is great benefit in identifying the capacity limits of the facility operators to deal with a common set of reference threat scenarios. This facilitates judgments regarding allocation of private sector resources, as well as whether government resources can and should be brought to bear. Thus, the full set of defined threat scenarios of interest to corporate or government decision-makers would not necessarily be those selected by facility operators, who might normally rule out a scenario that their intuition tells them is too unlikely, or beyond their ability to defend. However, including these scenarios is essential whenever direct comparisons are needed. (Totally infeasible scenarios would be excluded, e.g., marine attacks on desert facilities.) This is especially pressing for large corporations and public/private partnerships, to help higher levels of government officials learn about risks that exceed the management capabilities of facility operators. The RAMCAP Framework uses a set of reference threats developed in consultation with DHS and other Sector-Specific Agencies, as identified in the National Infrastructure Protection Plan. The RAMCAP Plus approach addresses three types of threat, as detailed in Table 9:

1. Terrorism threats: one or more adversaries seek to damage or destroy an asset, facility or system to inhibit its ability to perform its mission or function, to inflict significant economic damage and/or to kill or injure a significant population;
2. Natural hazards: threats posed by nature that are significant enough to materially degrade or terminate the ability of the asset, facility or system to perform its function or mission (developed in collaboration with DHS); and
3. Dependency and proximity hazards: threats that could inhibit performance of the function or mission due to the deprivation of key inputs or outputs (e.g., utilities, suppliers, employees, customers), and the threats posed by co-location with other assets, the damage or destruction of which would seriously impact the asset being assessed.

Terrorism threats are applied to each critical asset, as determined in Step 1, but natural hazards and dependency/proximity hazards are generally assessed as they affect the facility site as a whole.


Table 9. RAMCAP Plus Reference Threat Specifications

Terrorism Reference Threat Scenarios

Maritime (boat as weapon), by delivery and explosive charge:
  M1 Small Boat (Pleasure or Zodiac), <10 ft draft: explosive charge 400 lbs (TNT equivalent)
  M2 Fast Boat, <10 ft draft: explosive charge 2,000 lbs (TNT equivalent)
  M3 Large Vessel: explosive charge 20,000 lbs (TNT equivalent)
  M4 Deep Draft Shipping/Barge: explosive charge >20,000 lbs (TNT equivalent)

Air (plane as weapon):
  A1 Helicopter: fuel capacity 184 gal; weight N/A; max air speed 117; pilot experience TBD; explosives 800 lbs
  A2 Small: fuel capacity 56 gal; weight N/A; max air speed 123; pilot experience TBD; explosives 800 lbs
  A3 Medium: fuel capacity 1,200 gal; weight 12,500; max air speed 465; pilot experience TBD; explosives N/A
  A4 Large: fuel capacity 12,000 gal; weight 450,000; max air speed 530; pilot experience TBD; explosives N/A

Land, VBIED (without assault team), single VBIED:
  V1 Car Bomb: 400 lbs TNT equivalent
  V2 Van Bomb: 4,000 lbs TNT equivalent
  V3 Mid-size Truck Bomb: 10,000 lbs TNT equivalent
  V4 Large Truck Bomb (18 wheeler): 40,000 lbs TNT equivalent
  Intent: attempt to maximize death/destruction through the most productive direct means, for example aiming at critical assets in hard targets, at clusters of people in open populated areas, or at structural supports that would bring down people.

Assault Teams:
  Assault force size: AT1 1 assailant; AT2 2-4 assailants; AT3 5-8 assailants; AT4 9-16 assailants
  Delivery system, land: AT1 pedestrian, all-terrain vehicle, motorcycles, over the road personnel transport, cargo truck; AT2 all-terrain vehicles, motorcycle, over the road personnel transport, cargo truck; AT3 all-terrain vehicles, motorcycles, over the road personnel transport, cargo truck; AT4 all-terrain vehicles, motorcycles, over the road personnel transport, cargo truck
  Delivery system, air: AT1 N/A; AT2 1 helicopter, pilot + 1-3 attack force; AT3 2 helicopters, 2 pilots + 4-6 attack force; AT4 3 helicopters, 3 pilots + 7-13 attack force
  Delivery system, water: AT1 lone swimmer; AT2 1 x small boat (Zodiac); AT3 1 x small boat (Zodiac), 1 x small/medium cargo watercraft (equipment); AT4 2 x small boat Zodiac (personnel), medium cargo watercraft (equipment)
  Weapons: AT1 pistol, assault rifle, light machine gun; AT2 pistols, submachine guns, assault rifles, sniper rifles (.50 caliber), light machine guns; AT3 pistols, submachine guns, assault rifles, sniper rifles (.50 caliber), light machine guns, rocket propelled grenades (RPG); AT4 pistols, assault rifles, sniper rifles (.50 caliber), light machine guns, rocket propelled grenades (RPG)
  Explosives: AT1 grenades (H.E. & incendiary), explosive vest or satchel; AT2 grenades (H.E. & incendiary), bulk explosives, VBIED (400 lb TNT equivalent) for access or attack; AT3 grenades (H.E. & incendiary), bulk explosives, VBIED (400 lb TNT equivalent) for access or attack, specialized explosive charges (breaching charges, shape charges, ballistic discs); AT4 grenades (H.E. & incendiary), bulk explosives, 2 VBIEDs (400 lb TNT equivalent) for access or attack, specialized explosive charges (breaching charges, shape charges, ballistic discs), anti-personnel mines
  Tools: AT1 minimal breaching tools; AT2 mechanical breaching tools, required hand tools; AT3 mechanical breaching tools, quick saws, chainsaws, sledge hammers, required hand tools; AT4 mechanical breaching tools, quick saws, chainsaws, sledge hammers, required hand tools
  Weight of explosives per person: 65 pounds for each of AT1 through AT4
  Intent: attempt to maximize death/damage through the most productive direct means. For example, in a nuclear plant, they try to sabotage the reactor and breach containment; for the mall, they try to kill as many as possible directly. Assume suicidal intent.

Process Sabotage (cause harm by damaging, disabling or destroying process control systems):
  S(PI) Physical Insider
  S(PU) Physical Outsider/Unauthorized access
  S(CI) Cyber Insider
  S(CU) Cyber Outsider/Unauthorized access

Diversion or Theft (steal or divert information, dangerous substances, valuable resources, etc.):
  T(PI) Physical Insider
  T(PU) Physical Outsider/Unauthorized access
  T(CI) Cyber Insider
  T(CU) Cyber Outsider/Unauthorized access

Contamination of Product:
  C(C) Chemical contamination of the product with a detection Class 4 contaminant
  C(R) Radionuclide contamination of the product with a detection Class 7 contaminant
  C(B) Biotoxin contamination of the product with a detection Class 9 contaminant
  C(P) Pathogenic contamination of the product with a detection Class 11 contaminant
  C(S) Weaponization of the product

Natural Hazard Reference Threat Scenarios

  N(H) Hurricanes: graduated damage from each Saffir-Simpson category above the Uniform Building Code (UBC) for region and construction date; frequency from the National Hurricane Center. (Note: often applied in conjunction with N(F), since the effect of high tides and hurricane winds produces storm surge in low-lying areas near the coast that is often more destructive than high-velocity wind.)
  N(E) Earthquakes: graduated damage from each Richter magnitude above the UBC design basis for earthquake zone and construction date; frequency from USGS data
  N(T) Tornadoes: total destruction assumed in the area hit by the tornado (averaging about 25 acres); frequency from the actual number of tornadoes in the county/parish in the last 50 years and the area of the county/parish
  N(F) Floods: graduated damage based on FEMA flood zones for 100-year floods

Dependency & Proximity Hazard Reference Threat Scenarios

  D(U) Utilities: unable to provide service for v days, where v is the organizational resilience standard
  D(S) Key Suppliers: service interruption for w days, where w is the supplier resilience standard
  D(E) Key Employees: unable/unwilling to come to work for x days, where x is the employee resilience standard
  D(C) Key Customers: unable to take production for y days, where y is the customer resilience standard
  D(T) Transportation: facilities into and/or out of the site are inoperable for z days, where z is the transportation resilience standard
  D(P) Proximity: near other assets which, if damaged by human or natural causes, would impair the function or mission of the asset being assessed

b. Terrorism Threats

Terrorism threat characterization identifies specific modes and scales of attack that may be used by adversaries against a specific target. Asset owners/operators who implement the RAMCAP Plus process strictly for their own decision-making may define terrorist scenarios as they choose. However, for risk knowledge to be useful to multi-asset companies and various levels of government and public/private partnerships, comparisons must be made based on a common set of defined threat scenarios. The set of terrorist threats used in this publication is provided by DHS, based on the collective activities of law enforcement, intelligence organizations and other Sector-Specific Agencies that developed an understanding of the means, methods and motivations of terrorists. These efforts are augmented by the in-depth facility knowledge and perspective of the facility operator, whose own analysis may identify threats not readily recognized by DHS. These threats include various modes of attack (e.g., air, land, and water) and various scales of attack (e.g., small, medium, and large). When necessary, the set of defined scenarios is scaled with force levels to help distinguish among the risks. There are several reasons these distinctions might be warranted. It is clear that harder targets, e.g. military bases and nuclear power plants, would require a higher force level within a general attack type to produce significant damage. To estimate the risk at these facilities with a weak attack force would not help determine the limits of the facilities' capability to defend themselves. To assess softer targets with the same high force level within a general attack type would not facilitate the discrimination among risks having a lower security profile. Using a scaled approach, selecting the scenarios appropriate for analysis, and documenting the reasons other levels were not analyzed (i.e., existing stand-off distance prevents significant consequence, or maximum consequence results from a lower force level), results in finer discrimination and better comparisons among the risks in a diverse set of asset/threat pairs. The definition of threats is not the same as the assessment of threats. Threat definitions (Table 9) are predetermined for all targets in order to maintain consistency over all facilities and economic sectors. Threat characterization (Step 2 of the RAMCAP Plus process) is the method of assessing how each of the threats should be applied to each asset at a facility. Threat assessment (Step 5 of the RAMCAP Plus process) involves determining the likelihood that a particular threat scenario will occur, including terrorism, natural hazards and dependency/proximity hazards.

c. Natural Hazards

A risk analysis of any asset is incomplete unless natural hazards are considered. In the RAMCAP Plus approach, natural hazards include, at a minimum, earthquake, hurricane, tornado, and flood. The risk of each of these events can be estimated for any particular asset or facility by determining the expected frequency of the event and an estimate of its consequences. The vulnerability of the asset will be included in the estimation of consequences; thus, in the risk equation, the value for vulnerability is taken to be 1.0. Other natural hazards, such as ice storms, extreme cold weather, avalanche, tsunami, landslide or mudslide, wildfires and others may be included if the probability of occurrence and the consequences are as high as or higher than those of the four basic natural hazards. Unlike terrorism events, natural hazards are normally included in the design specifications that are required for buildings and structures. In almost all areas of the United States, local, state, or national statutes require new construction to meet the structural requirements of the Uniform Building Code (UBC)7.
Every municipality or county typically has a building department that reviews and approves plans for new construction and revisions to existing structures. Once the plan is approved, a building permit is issued. In cases that are not covered by local statutes, the institutions providing financing and/or insurance will ordinarily require the building be designed and constructed in accordance with the UBC or, more recently, the International Building Code (IBC)8. These codes provide the basis for estimating the consequences of a natural hazard of various and specific levels of severity. If the severity is less than required by the code, little or no damage is expected. Damage estimates increase with levels of severity greater than code requirements. The severity and frequency of natural hazards depends upon the geographic location of the facility or asset. Earthquakes are much more likely to occur on the West Coast and Alaska, whereas hurricanes are more severe along the Atlantic and Gulf Coasts. When considering natural hazards, the magnitude and expected frequency must be determined from maps and frequency data. Fortunately, federal agencies have been systematically gathering such data for decades, permitting a relatively precise estimation of frequency, provided the analyst believes the future will repeat the past. If the analyst believes that global climate change may change the frequency or severity of certain natural hazards, the historical record provides a baseline for comparison.
7 International Conference of Building Officials, 5360 Workman Mill Road, Whittier, CA 90601-2298
8 International Code Council, 500 New Jersey Avenue, Sixth Floor, Washington, D.C. 20001-2070


Because of the close relationship of location, building codes and statistical hazard frequency, an integrated approach is presented as Appendix D.

d. Dependency and Proximity Hazards

Dependency and proximity hazards generally affect whole facilities' performance rather than a specific asset, so, like natural hazards, they are generally assessed at the facility level in a holistic fashion. Dependency hazards are threats imposed by the vital dependencies most facilities have on utilities, supplies, employees, customers and transportation facilities, to name only the most obvious and universal. These are essential to perform the facility's missions or functions; without any one of these critical infrastructures, many facilities are unable to function. Unlike terrorist and natural threats, these hazards usually impose only lost revenue on the asset and service denial to the community; few of them cause physical damage to the facility being analyzed. Proximity hazards occur when the facility being analyzed is located near or with another facility on which a terror attack or a natural event could inflict significant collateral damage on the facility being analyzed. The collateral damage could have consequences similar to those due to terrorist or natural threats. A special case of proximity hazards would occur with systems that co-locate or share transmission or distribution rights of way, water crossings, etc., where many infrastructures could be damaged by an attack on one. An example would be an attack on a bridge or tunnel, designed to disrupt transportation, which could sever gas, water, telecommunications and electric power lines as well. As with dependency hazards, recognition of proximity hazards often suggests measures to reduce vulnerability or abbreviate outage conditions, e.g., re-routing some of the rights-of-way, building redundant or adaptive transmission and distribution systems, adding countermeasures to reduce the threat, or re-locating the analyzed facility.
Both dependency and proximity hazards are largely a matter of the facility's resilience in the face of attacks on others. The greatest losses are lost revenue and lost economic activity in the community due to service denial. Sometimes, owner/operators can do little more about these hazards than merely recognizing them and taking steps to shorten the down time caused by them. In dealing with these classes of hazards, reducing risk and increasing resilience can often be accomplished by developing more robust, redundant and alternative supplies and, in all cases, by developing, testing and drilling continuity of operations and contingency plans. Moreover, cooperation and collaboration with other facilities, institutions and government agencies can amplify these benefits. For example, a critical dependency on water could be reduced by installing a water storage tank, negotiating priority treatment with the water utility, arranging for a second or third independent source or building a water plant at the facility (as many computer chip manufacturers do). Similarly, if a critical dependency on electric power is noted, a facility might arrange for a second or third independent power source, might install an emergency generator and fuel supply, or might generate its requirement on site, using solar power or burning a combustible by-product. In addition, as utility customers understand their vulnerabilities to these hazards, they may seek to cooperate with the utilities to reduce their mutual vulnerability. The most cost-effective resilience measures may be at the supplier's or utility's site, with benefits to multiple customers' facilities. The recognition of unacceptable dependency or proximity hazards requires the owner/operator to establish resilience requirements or resilience standards for each of the five dependency hazards: a defined duration, severity or extent (and sometimes quality) of service denial the facility could withstand or recover from without unacceptable loss to the owner/operator or to the community served. This is a critical management decision, generally made by the asset's owner/operator, but it may also include consultation with the most immediately or heavily impacted outside stakeholders, e.g., major customers or local governments. Outage events of shorter duration than the requirement would have consequences that are acceptable. Outage events of greater duration would have consequences that grow proportionally or faster with the duration of the outage. For example, a water utility might have a resilience standard that states a maximum duration of outage, the maximum number of customers affected, and/or the level of quality of the water (non-potable water could be used for fire suppression, building cooling, etc.), or combinations of all three. These standards should be developed considering lost revenue, the value of a reputation for reliability, etc. In addition to establishing a process to evaluate defined terrorist threat, natural and dependency hazard scenarios, the RAMCAP Plus approach allows facility owner/operators to evaluate any other relevant scenarios, the results of which can be communicated to corporate management or government if the owner/operators choose to do so.
In general, such extra analyses would not be included in aggregating risks because the total risk would not be comparable with the risks of other facilities. Results of additional analyses should be reported as special cases. Having considered the defined set of reference threats, an asset owner might learn of a scenario of greater risk than they anticipated. For example, the knowledge of the owner/operator may identify an innovative attack approach that could produce significant consequences. The contribution of the owner/operator's insight and knowledge of the risks involved is very valuable to both the owner/operator's and the government's decision processes. This is an added benefit of engaging in the RAMCAP Plus approach.

e. Additional Screening

Top screening and asset characterization screening reduced the number of assets to be assessed in depth, for cost-effectiveness and focus. As part of this step, it is advisable to conduct a third screening, this time of asset/threat pairs. The general logic of the RAMCAP Plus approach is to analyze all asset/threat combinations that are feasible and could have significant consequences for the asset itself, the mission of the organization or the community it serves. A matrix of the assets identified in Step 1 against the reference threats defined in this Step provides a way to eliminate some asset/threat pairs as infeasible or as having insignificant consequences (see the example below). There is no necessity to analyze asset/threat pairs that initial judgment suggests have such small consequences as to be insignificant.


In addition to deleting some asset/threat pairs from analysis, the matrix sets priorities for the remaining feasible, potentially significant asset/threat pairs. This further increases the cost-effectiveness of the procedure and assures that the most important pairs are addressed first. For example, some attacks would be simply ineffectual or irrelevant against certain assets, e.g., a small aircraft being crashed into a nuclear plant (based on prior in-depth analysis), so, while feasible, this asset/threat pair would be assigned a very low priority for further analysis and probably ignored as insignificant.

Example Problem (Continued)


The example begun in the discussion of Step 1 is continued here. Threat Characterization (Step 2 of the RAMCAP Plus process) is added to further illustrate how the assessment is performed. The further screening of asset/threat pairs is facilitated by laying out a matrix of the respective threats against the assets identified in Step 1. Table 10 contains a portion of this matrix for the dam in the example. The top row defines the respective attack scenarios (A for Aircraft, AT for Assault Team, etc.), and the first column provides a partial list of the dam's assets. Using the matrix, the assessment team eliminates from further consideration all asset/threat pairs that are infeasible or ineffectual. The team ranks the remaining pairs according to the apparent magnitude of the consequences. This example uses only three levels of priority for clarity, but many assessment teams will find a more granular scale useful. The most useful relative categories would generally be five to seven levels, e.g., very high, high, moderately high, moderate, moderately low, low, and very low. At the assessment team's discretion, asset/threat pairs in the low and very low categories may be eliminated. This analysis is intended to be conducted quickly, without bogging down in detailed discussions. If there is disagreement among the assessment team, the asset/threat pair should be assigned the highest priority for which any reasonable case can be made. Then more detailed analysis will resolve any such early differences of opinion. Once this assessment is concluded, the highest apparent consequence groups are analyzed first, then the next highest, and so forth, until all asset/threat pairs with apparently significant consequences have been analyzed or the time and resources available for the analysis are exhausted.
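To make the screening step above mechanical, here is an added example (not code from the RAMCAP Plus publication) that builds the asset/threat matrix, resolves team disagreement by keeping the highest priority for which a case was made, drops infeasible and low pairs, and orders the remainder highest apparent consequence first. The asset names and threat codes follow Tables 9 and 10; the priority judgments entered for each pair are constructed for illustration and are not the assessments made in the text.

```python
"""Asset/threat pair screening for the Step 2 matrix.

Added example, not code from the RAMCAP Plus publication. Asset names and
threat codes follow Tables 9 and 10; the per-pair priority judgments below
are constructed for illustration.
"""
from itertools import product

# Three-level scale as in the example (plus N/A); the text recommends five to
# seven levels in practice. Later entries rank higher.
PRIORITY_LEVELS = ["N/A", "L", "M", "H"]


def consensus_priority(judgments):
    """Resolve disagreement the way the text prescribes: keep the highest
    priority for which any team member made a reasonable case."""
    for level in judgments:
        if level not in PRIORITY_LEVELS:
            raise ValueError(f"unknown priority level: {level!r}")
    return max(judgments, key=PRIORITY_LEVELS.index)


def screen_pairs(assets, threats, judgments, drop=("N/A", "L")):
    """Build the full matrix, drop infeasible/insignificant pairs, and order the
    rest highest apparent consequence first (ties keep matrix order).

    judgments: {(asset, threat): [level, level, ...]}; a pair with no entry is
    treated as not applicable, which is what a blank cell means on the matrix.
    Returns (matrix, kept), where matrix maps every pair to its consensus level.
    """
    matrix = {}
    for asset, threat in product(assets, threats):
        votes = judgments.get((asset, threat), ["N/A"])
        matrix[(asset, threat)] = consensus_priority(votes)
    kept = [(pair, level) for pair, level in matrix.items() if level not in drop]
    kept.sort(key=lambda item: -PRIORITY_LEVELS.index(item[1]))  # stable: H before M
    return matrix, kept


# Constructed sample input: a few of the dam's assets against a few reference threats.
SAMPLE_ASSETS = ["Spillway Gates", "Dam Structure", "Visitor Center"]
SAMPLE_THREATS = ["A2", "AT2", "V3", "S(PI)"]
SAMPLE_JUDGMENTS = {
    ("Spillway Gates", "AT2"): ["H", "M"],   # team split: the rule keeps H
    ("Spillway Gates", "V3"): ["H"],
    ("Spillway Gates", "S(PI)"): ["M"],
    ("Dam Structure", "A2"): ["L"],          # small aircraft judged ineffectual here
    ("Dam Structure", "V3"): ["M"],
    ("Visitor Center", "AT2"): ["M", "L"],   # team split: the rule keeps M
}


def screen_sample():
    """Run the screening on the constructed sample; returns the ordered work list."""
    _, kept = screen_pairs(SAMPLE_ASSETS, SAMPLE_THREATS, SAMPLE_JUDGMENTS)
    return kept


if __name__ == "__main__":
    for (asset, threat), level in screen_sample():
        print(f"{level}  {asset} / {threat}")
```

The work list that comes out is the order of attack in Step 3: both "H" pairs first, then the three "M" pairs, with the "L" pair and every unrated (N/A) pair set aside, exactly the sequence the text describes for working through groups until time and resources run out.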
For this example, the selected reference threat is an assault team consisting of two to four assailants (AT2); the asset selected as target of the attack is the spillway gates, with the intent of releasing the reservoir water. This scenario was selected because of its high potential for consequences, including downstream inundation, loss of power generation, loss of navigation, and loss of water supply. This tactic would require modest resources and skill by the adversary but could result in major impact on replacement costs, downtime, loss of revenue from electric power generation, losses to the local economy, and potential loss of life. When considering an attack scenario, it is desirable to consider the attack that requires the least amount of resources to obtain the greatest consequence. The fewer adversaries required to execute the attack, the lower the likelihood of detection both before and during the attack. Further, if the attack is not suicidal, there is a greater likelihood of recruiting capable assailants. In this example, greater numbers of assailants could be assumed, but the consequences would not necessarily have been greater and the smaller force is harder to detect. The attack scenario is sketched as follows:

Assault team attack scenario: An assault team (AT2) drives a land-based vehicle to the recreation area, parks as close as possible to the fence, penetrates the fence using bolt cutters, crosses the earthen dam to the spill gates and places six packages of explosives (two on each spill gate) with preset timers to initiate the explosives. They leave the spillway gate area, return to their vehicle and make their escape.

Table 10. Dam's Asset/Threat Matrix
Columns (threat scenarios): A1, A2, A3, A4, AT1, AT2, AT3, AT4, V1, V2, V3, V4, M1, M2, M3, M4, S(PI), S(PU)
Rows (assets): Dam Structure; Power Plant; SCADA & Cyber Systems; Control Center; Switch Yard Equipment; Control Tower; Spillway; Turbines; Spillway Gates; Pipelines and Pumping Equipment; Main Lock Structures; Lock Chamber; Lock Gates; Culvert Valves; Lock Control Buildings/Facility; Station Service; Emergency Generator(s); Auxiliary Structures; Visitor Center; Fish Ladders/Barges; Communications Infrastructure(s)
Cell entries (priority of each asset/threat pair): N/A, L, M, H


Adversarial attack path details: It is estimated that it will take the assault team 15 seconds to cut the fence and pass through the opening, 20 seconds to cross the dam, 100 seconds to place the explosives, and 30 seconds to return to their vehicle. The total adversarial attack path time is 165 seconds, just under three minutes.

Protection system assumptions: An occasional guard patrols the areas accessed by the assault team. These areas are covered by CCTV surveillance from the control room in the powerhouse. The console operator is responsible for the CCTV observation and for monitoring all the operating and measuring parameters for the dam. Operations personnel are occasionally present on the dam top and carry radios to communicate with the powerhouse. The on-site response force is composed of three officers assigned to various patrols in and around the dam. They carry a handgun and a shotgun. Their orders are to go to the area where a problem is reported as soon as possible. After an alarm is raised by the console operator or other observers, the first officer arrives at this location in 3 minutes, with the second arriving in 5 minutes and the third in 10 minutes.

Consequences: Significant amounts of water will be released immediately. After the detonation is initiated, water flow control is lost and there are no backup systems available to shut off the river flow over the spillway. Attempts are made upstream to reduce the release of river water and divert some to other channels or alternative areas. However, the amount of release causes temporary inundation of downstream land areas, including significant flooding of commercial and residential areas. Emergency plans are activated and repairs are initiated with the limited resources available for reconstruction of the destroyed spillway gates. An estimated minimum of nine months is required to complete the repairs. The navigation lock is considered closed for that period and alternative means of cargo transportation are re-routed through rail and roadway. Power generation is reduced to less than one-half of capacity and is difficult to maintain because of the loss of the upstream pool and the water level required to operate the generators. Fish migration issues are discovered and emergency measures for fish management are implemented. The assessment team assigns a rating of "high" to this asset/threat pair.
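The timing facts in the attack path and protection system paragraphs support a check a defender would run at this point: the response clock starts at detection, and a responder must arrive before the adversary finishes the task that causes the damage. The following is an added example, not part of the RAMCAP Plus publication; the task durations and officer arrival times are those stated in the example above, while the moment of detection is an assumption supplied by the caller, since the example does not fix it.

```python
"""Interruption check for the dam example's adversarial attack path.

Added example, not code from the RAMCAP Plus publication. Durations and
response arrival times are the ones stated in the example; which task the
console operator or a patrol actually detects is an assumption supplied by
the caller.
"""

# (task, seconds) in path order, from the example.
ATTACK_PATH = [
    ("cut fence", 15),
    ("cross dam", 20),
    ("place explosives", 100),
    ("return to vehicle", 30),
]
CRITICAL_TASK = "place explosives"        # the damage is done once this completes
RESPONSE_ARRIVALS_S = [180, 300, 600]     # first, second, third officer (3, 5, 10 min)


def total_path_time(path=ATTACK_PATH):
    """Whole path, escape included: 165 s in the example."""
    return sum(seconds for _, seconds in path)


def completion_time(task, path=ATTACK_PATH):
    """Cumulative seconds at which `task` is finished."""
    elapsed = 0
    for name, seconds in path:
        elapsed += seconds
        if name == task:
            return elapsed
    raise ValueError(f"task not on path: {task!r}")


def can_interrupt(detected_at_s, response_delay_s, path=ATTACK_PATH,
                  critical_task=CRITICAL_TASK):
    """True if a responder arriving `response_delay_s` after detection at
    `detected_at_s` gets there before the critical task completes."""
    return detected_at_s + response_delay_s < completion_time(critical_task, path)


def required_response_delay(detected_at_s, path=ATTACK_PATH, critical_task=CRITICAL_TASK):
    """Seconds between detection and critical-task completion: a responder must
    arrive in less than this to interrupt (non-positive means detection is too late)."""
    return completion_time(critical_task, path) - detected_at_s


def evaluate(detected_at_s, arrivals=RESPONSE_ARRIVALS_S):
    """Summarize the protection system against the path for one detection time."""
    return {
        "total_path_s": total_path_time(),
        "critical_complete_s": completion_time(CRITICAL_TASK),
        "interrupting_officers": [i + 1 for i, delay in enumerate(arrivals)
                                  if can_interrupt(detected_at_s, delay)],
        "response_budget_s": required_response_delay(detected_at_s),
    }


if __name__ == "__main__":
    # Assumption: the fence cut is seen on CCTV the moment it is complete (t = 15 s).
    print(evaluate(detected_at_s=completion_time("cut fence")))
```

With detection at the fence (t = 15 s) and the first officer arriving 180 s later, no officer reaches the gates before the 135 s mark at which the charges are in place; the same functions can be rerun with earlier detection or shorter response times to see what a proposed countermeasure would have to achieve in Step 7.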

References and Further Reading

American Petroleum Institute and the National Petrochemical and Refiners Association. October 2004. Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical Industries, Second Edition.
National Institute of Justice. November 2002. A Method to Assess the Vulnerability of U.S. Chemical Facilities. U.S. Department of Justice.
U.S. Coast Guard. July 1, 2003. Implementation of National Maritime Security Initiatives. Federal Register, Vol. 68, No. 126, pp. 39240-39250.


Step 3. Consequence Analysis

Consequence analysis consists of estimating the worst reasonable case results of each relevant reference threat scenario on each asset defined as critical in Steps 1 and 2, using a common set of metrics. In other words, this step estimates worst reasonable case scenarios for every asset/threat pair designated as important at the end of Step 2. Consequences of interest include both those that can be quantified and losses that can only be described in qualitative terms, as shown in Table 11. For estimating terrorist consequences, the worst reasonable case assumption serves two purposes: (1) it reflects the fact that, in the case of terrorist attacks, the assailants are knowledgeable about the facility and its technologies and intend to inflict the maximum damage; and (2) where a reference threat could be placed in multiple locations, it permits the evaluation team to decide which to use in the assessment. In the case of natural hazards, all levels of threat that exceed the building codes under which the facility was constructed are used. For example, if the building code for a Gulf Coast structure specified a design wind velocity of 110 miles per hour (a Category Two hurricane), it is assumed the facility is undamaged by a Category One or Two hurricane, but would incur damages if stricken by a Category Three or higher, the amount of damage increasing with each higher category. When considering dependency hazards, a resilience requirement or standard should be established by the facility's management. The resilience standard is the length of time the facility could operate with the loss of utilities, key suppliers, key employees, key customers and transportation, respectively, before incurring significant, unrecoverable financial losses to the owner, economic losses to the community or threats to the health and safety of the employees and/or the community. The consequences of each of the three types of hazards are estimated in separate tasks, as described below.
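The natural-hazard rule in this paragraph (no damage at or below the code design basis, graduated damage above it, vulnerability fixed at 1.0 because the damage is already in the consequence estimate) can be carried through numerically. This is an added example, not code from the RAMCAP Plus publication: the Category Two design basis is the one stated above, while the annual category frequencies, damage fractions and asset value are constructed placeholders for a hypothetical facility, not National Hurricane Center data.

```python
"""Expected annual loss from hurricanes above the design basis, following the
Step 3 rule for natural hazards: categories at or below the code design basis
do no damage, damage grows with each higher category, and vulnerability is
taken as 1.0 because the damage is already in the consequence estimate.

Added example, not code from the RAMCAP Plus publication. The Category Two
design basis is from the page; frequencies, damage fractions and asset value
are constructed placeholders, not National Hurricane Center data.
"""

SAFFIR_SIMPSON = (1, 2, 3, 4, 5)


def is_graduated(damage_fraction):
    """Damage fractions must lie in [0, 1] and not decrease with category,
    as the text requires ("increasing with each higher category")."""
    prev = 0.0
    for cat in SAFFIR_SIMPSON:
        frac = damage_fraction[cat]
        if not 0.0 <= frac <= 1.0 or frac < prev:
            return False
        prev = frac
    return True


def expected_annual_loss(design_basis_category, annual_frequency, damage_fraction,
                         asset_value, vulnerability=1.0):
    """Risk = consequence x vulnerability x frequency, summed over the categories
    that exceed the design basis. Returns (total, per_category)."""
    if not is_graduated(damage_fraction):
        raise ValueError("damage fractions are not graduated by category")
    per_category = {}
    for cat in SAFFIR_SIMPSON:
        if cat <= design_basis_category:
            per_category[cat] = 0.0      # within code: little or no damage expected
            continue
        consequence = damage_fraction[cat] * asset_value
        per_category[cat] = consequence * vulnerability * annual_frequency[cat]
    return sum(per_category.values()), per_category


# Constructed placeholders for a hypothetical Gulf Coast facility.
SAMPLE_FREQUENCY = {1: 0.05, 2: 0.03, 3: 0.01, 4: 0.004, 5: 0.001}  # events per year
SAMPLE_DAMAGE = {1: 0.0, 2: 0.03, 3: 0.10, 4: 0.30, 5: 0.60}         # fraction of asset value
SAMPLE_ASSET_VALUE = 50_000_000.0                                     # dollars


def sample_loss(design_basis_category=2):
    """Expected annual loss for the sample facility at a given design basis."""
    total, _ = expected_annual_loss(design_basis_category, SAMPLE_FREQUENCY,
                                    SAMPLE_DAMAGE, SAMPLE_ASSET_VALUE)
    return total


if __name__ == "__main__":
    for basis in (1, 2, 3):
        print(f"design basis Category {basis}: expected annual loss {sample_loss(basis):,.0f}")
```

Raising the design basis (or retrofitting to a higher one) removes whole categories from the sum, which is the lever Step 7 would weigh against the retrofit cost; the sample figures only illustrate the arithmetic.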
Task 3.1 Estimate Terrorism Consequences

Steps 1 and 2 used potential (worst reasonable case) consequence estimates broadly, as a screening tool. This step applies methods for refining consequence estimates for use in the terrorism risk analysis. These methods concentrate on determining values for the worst reasonable consequence. As a time-saving and simplifying convention, the RAMCAP Plus process disregards uncertainties in consequence estimates, although it is well recognized that this can be misleading. Sensitivity analysis of key estimates and assumptions is strongly recommended in Step 7, Risk Management. (Later versions of the RAMCAP Plus process will introduce more systematic treatment of uncertainties as an option.)

Table 11. RAMCAP Plus Consequence Parameters

1. Human Health & Safety Impacts
   a. Fatalities on site/off site*
   b. Serious injuries on site/off site*
   c. Acquisition of dangerous materials/weapons of mass destruction
   d. Contamination of water, food or pharmaceutical products
2. Financial & Economic Impacts
   a. Asset replacement costs*
   b. Remediation costs*
   c. Business interruption costs*
   d. Negligence liability costs*
   e. National/regional economic losses/multiple sector impacts*
   f. Loss of critical data
   g. Loss of reputation or business viability
3. National Security & Government Functionality Impacts
   a. Military mission importance and readiness
   b. Delivery of public health services
   c. Contamination/disruption of critical potable water or sanitation services
   d. Interruption of governance, public safety or law enforcement
4. Environmental Impacts
   a. Permanent or long-term damage to the ecosystem
   b. Pollution of air, water or soil
5. Psychological Impacts
   a. Impact to iconic/symbolic assets
   b. High profile and/or symbolic casualties
   c. Loss of consumer confidence
   d. Loss of confidence in governmental institutions

* Quantitative estimates; all others are qualitatively described.

The worst reasonable case consequence should assume that the adversary is intelligent, well-informed about the facility, its technologies and its work-flows, and adaptive, and will attempt to optimize or maximize the consequences of a particular attack scenario. However, it is not appropriate to assume that all uncontrollable variables that could exacerbate the damages (such as wind speed and direction, and other unpredictable events) occur simultaneously. Judgment is necessary in defining the worst reasonable case.


The following is more detailed guidance on estimating and reporting consequences.

Fatalities and Serious Injuries. At the asset level, human safety and health consequences should be expressed as the number of fatalities and the number of serious (acute) injuries that occur immediately or within a short period of time, as opposed to health problems revealed over the span of more than a few weeks. Serious injuries are those that result in lost work time or disability. A number of tools can assist in estimating fatalities and injuries due to specific events, such as the U.S. Army Corps of Engineers' blast effects simulations. Based on empirical experiments and detailed numerical simulators, the Corps has developed simplified, user-friendly versions for several sectors, including dams, water systems and structures of various types. Given a Google Earth image of the facility site, the tool scales the image, allows placement of specific equipment and people on the site and estimates the damage, fatalities and injuries as a function of the size of an explosive device (defined in TNT equivalents). The models are in controlled release to parties who need them. Other examples include the contamination and toxic gas release models developed for the water sector Sector-Specific Guidance (SSG) document.

While it is generally desirable to estimate a discrete number of fatalities and injuries, it is difficult to estimate them exactly. For this reason, the RAMCAP Plus process provides pre-specified ranges for estimating fatalities (Table 12) and injuries (Table 13), respectively, for a particular attack scenario and a particular asset. Here, the analyst can assign the consequence to one of fourteen ranges, or bins, each with a range of fatalities or injuries. In Tables 12 and 13, the range in each bin increases by a factor of two over the next smaller bin. The use of a constant scaling factor produces a logarithmic scale, in this case one at base 2.
As will be seen later, the vulnerability scale recommended in Step 4 also uses a scale factor of two, enabling construction of a conditional risk table of consequence and vulnerability logarithms, with the sum of their bin numbers being the logarithm of the conditional risk. This will result in a convenient, qualitative display of results, since the conditional risk matrix will contain diagonal lines of constant risk.

Table 12. Consequence Scale for Fatalities

Consequence Scale: Fatalities
RAMCAP Consequence Criteria (Bin Number)   Range in Number of Fatalities
 0                                          0 - 25
 1                                          26 - 50
 2                                          51 - 100
 3                                          101 - 200
 4                                          201 - 400
 5                                          401 - 800
 6                                          801 - 1,600
 7                                          1,601 - 3,200
 8                                          3,201 - 6,400
 9                                          6,401 - 12,800
10                                          12,801 - 25,600
11                                          25,601 - 51,200
12                                          51,201 - 102,400
13                                          102,401 +

Table 13. Consequence Scale for Serious Injuries

Consequence Scale: Injuries
RAMCAP Consequence Criteria (Bin Number)   Range in Number of Injuries
 0                                          0 - 25
 1                                          26 - 50
 2                                          51 - 100
 3                                          101 - 200
 4                                          201 - 400
 5                                          401 - 800
 6                                          801 - 1,600
 7                                          1,601 - 3,200
 8                                          3,201 - 6,400
 9                                          6,401 - 12,800
10                                          12,801 - 25,600
11                                          25,601 - 51,200
12                                          51,201 - 102,400
13                                          102,401 +

Financial and Economic Losses. Economic impacts are widely recognized as key indicators of consequences in analyzing risks from terrorism and natural disasters. Specifically defining the meaning of economic impacts is necessary for risk management. Estimating financial and economic losses requires specification of the stakeholders and their decisions. Different stakeholders bring different perspectives and use different metrics for their decisions. The perspectives of a variety of stakeholders could be relevant, depending upon the decisions, but the perspectives of the following two groups of stakeholders are particularly germane to virtually all decisions pertaining to security, reliability and resilience:

- The owners/operators of the critical infrastructures, who are responsible for maintaining the security of their facilities, the reliability of their services and their financially sustainable operation. They must address issues of risk and risk management for their facilities and networks, such as how to reduce the vulnerabilities, threat likelihood or consequences of attack. They must also address the facility's resilience, or how to maintain continuity of operations through an attack or, if operations are interrupted by the attack, how quickly the organization recovers its ability to provide the basic services and quality demanded of it.
- The general public of the regional community (or the regional economy, the community, the metropolitan area, etc.), particularly, but not limited to, the suppliers and customers served by the facility, usually represented or overseen by public authorities or by public/private partnerships. The public is generally more concerned with reliability, quality and resilience: how often service is interrupted and how quickly service is restored after an interruption, at the quality they expect (so they can resume their own normal functioning), as well as how best they can cope with the lack of services during an interruption (Rose, 2006; Rose and Liao, 2005).

These perspectives differ, in part, because of externalities: impacts on the community that are not included in the usual revenue-and-cost decision context of facility operators. Such externalities are the direct and indirect (ripple effect) economic consequences, to customers and their customers, suppliers and their suppliers (ad infinitum) and to the general economy, caused by the denial of lifeline services. These are not included in the facility's economics, so they are generally not included in the facility's decision-making, but these considerations can be central to the decisions of the relevant public and public/private organizations responsible for the well-being of the community. The existence of externalities is indicative of market failures to allocate resources optimally. Utilities providing essential lifeline services should always examine both perspectives in their risk/resilience management decision-making. Others providing infrastructure services would generally be well served to examine both in security and continuity investment decision-making. Other stakeholders, e.g., neighbors of major facilities, suppliers, customers, etc., also have relevant issues and perspectives that may need to be analyzed separately. Similarly, higher order communities (e.g., state, multi-state regions, the nation as a whole) are also relevant stakeholders. However, for the RAMCAP Plus approach, only the perspectives of the facility and the metropolitan region it serves will be evaluated.

Owner's financial losses. In estimating the owner's losses, the principle is that value, whether gain or loss, is the incremental (decremental, in the case of losses) discounted net present value of future cash flows. Net present value implies that only future cash flows are relevant, prior cash flows are sunk, and inflation is treated (choosing real or nominal) consistently for all estimates. The owner's net loss is estimated as a decrement from a business-as-usual base case, in which there is no incident. If the owner/operator is a taxable entity, the estimates are adjusted to an after-tax basis in a later chapter. The elements of the owner's loss are:

- Repair and replacement costs for assets damaged or destroyed in the attack, estimated with an emergency premium, when relevant, to reflect the higher costs of urgent construction compared to business-as-usual construction;
- Business interruption costs, including revenue net of avoidable variable costs, emergency operations costs, plus any penalties for service interruption;
- Environmental remediation and personal liability costs (after any insurance payments);
- Abandonment costs, if any; and
- Other costs directly attributable to the attack.
The time-weighted present value of the sum of these losses is entered into Table 14. A single, discrete estimate may be used or the provided ranges may be used.

Table 14. Consequence Scale for Financial Losses to the Owner/Operator

Consequence Scale: Financial Losses to the Owner/Operator ($-million)
RAMCAP Consequence Criteria (Bin Number)   Owner's Financial Loss (in $-million)
 0                                          0 - 25
 1                                          26 - 50
 2                                          51 - 100
 3                                          101 - 200
 4                                          201 - 400
 5                                          401 - 800
 6                                          801 - 1,600
 7                                          1,601 - 3,200
 8                                          3,201 - 6,400
 9                                          6,401 - 12,800
10                                          12,801 - 25,600
11                                          25,601 - 51,200
12                                          51,201 - 102,400
13                                          102,401 +
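The owner's loss principle stated above (an incremental, discounted net present value relative to a no-incident base case, counting only post-incident cash flows) is easier to apply with the arithmetic written out. The following is an added example, not code from the RAMCAP Plus document: it collects the loss elements listed above into dated cash flows, nets avoidable variable costs and insurance recoveries as the text describes, and discounts at a monthly rate derived from an annual real rate. The field names, the assumption that repair and remediation are paid at month 0 and the penalty at restoration, and every dollar figure in DEMO are constructed for illustration and are not the document's estimates.

```python
# Owner's financial loss as the discounted net present value of the loss
# elements listed above, relative to a no-incident base case. Added example;
# not code from the RAMCAP Plus document. All money is in $-million; the
# input values in DEMO are constructed for illustration.

from dataclasses import dataclass


@dataclass
class OwnerLossInputs:
    repair_cost: float            # assets to repair/replace, at business-as-usual rates
    emergency_premium: float      # fractional uplift for urgent construction, e.g. 0.25
    outage_months: int            # length of the service interruption
    monthly_revenue: float        # revenue lost per month while down
    avoidable_cost_share: float   # share of revenue that is variable cost not spent while down
    monthly_emergency_ops: float  # emergency operations cost per month of outage
    interruption_penalty: float   # one-off penalty for non-delivery, paid at restoration
    remediation: float            # environmental remediation (assumed paid up front)
    liability: float              # personal/negligence liability before insurance
    insurance_recovery: float     # insurance payments offsetting liability
    abandonment: float = 0.0
    other_direct: float = 0.0


def monthly_rate(annual_rate: float) -> float:
    """Convert an annual discount rate to the equivalent compound monthly rate."""
    return (1.0 + annual_rate) ** (1.0 / 12.0) - 1.0


def owner_loss_cash_flows(x: OwnerLossInputs):
    """Incremental (decremental) cash flows caused by the incident, as (month, amount).

    Only flows after the incident count: anything spent before it is sunk.
    Month 0 is the incident date (an assumption of this example).
    """
    flows = []
    # Repair and replacement, with the emergency premium for urgent construction.
    flows.append((0, x.repair_cost * (1.0 + x.emergency_premium)))
    # Business interruption: revenue net of the variable cost avoided while down,
    # plus emergency operations, for each month of the outage.
    net_lost_margin = x.monthly_revenue * (1.0 - x.avoidable_cost_share)
    for m in range(1, x.outage_months + 1):
        flows.append((m, net_lost_margin + x.monthly_emergency_ops))
    # Penalty for non-delivery, settled when service is restored.
    flows.append((x.outage_months, x.interruption_penalty))
    # Remediation, liability net of insurance, abandonment and other direct costs.
    net_liability = max(x.liability - x.insurance_recovery, 0.0)
    flows.append((0, x.remediation + net_liability + x.abandonment + x.other_direct))
    return flows


def present_value(flows, annual_rate: float) -> float:
    """Time-weighted present value of (month, amount) flows."""
    r = monthly_rate(annual_rate)
    return sum(amount / (1.0 + r) ** month for month, amount in flows)


def owner_loss_pv(x: OwnerLossInputs, annual_rate: float) -> float:
    """The single figure entered in Table 14 (before any after-tax adjustment)."""
    return present_value(owner_loss_cash_flows(x), annual_rate)


# Constructed illustration: a nine-month outage like the one in the Example
# Problem, but with made-up cost figures, not the document's estimates.
DEMO = OwnerLossInputs(
    repair_cost=120.0, emergency_premium=0.25, outage_months=9,
    monthly_revenue=30.0, avoidable_cost_share=0.40, monthly_emergency_ops=2.0,
    interruption_penalty=10.0, remediation=15.0, liability=40.0,
    insurance_recovery=25.0,
)

if __name__ == "__main__":
    undiscounted = present_value(owner_loss_cash_flows(DEMO), 0.0)
    print(f"undiscounted loss: {undiscounted:8.2f} $-million")
    print(f"PV at 5% real:     {owner_loss_pv(DEMO, 0.05):8.2f} $-million")
```

Whether the rate is real or nominal must match how the cash flows were stated, as the text notes; the example treats all inputs as real (constant-dollar) amounts. The undiscounted total is simply the same flows at a zero rate, which is a useful check that nothing was double counted before discounting.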


Regional community losses. In considering critical infrastructure from the public perspective, the primary concern is the length of time and quantity of service denied and the economic consequences of service denial to the critical facility's direct suppliers and customers. In addition to these direct losses, the community suffers indirect losses through reduced economic activity in general, i.e., to the suppliers' suppliers and customers' customers, and so on. Because infrastructures serve other infrastructures, failure of one can cause a cascade of others failing. The economic consequences ripple through the regional economy, with the total impacts being some multiple of the direct impacts, hence the term "multiplier effect." When the service denial is of short duration and/or customers are able to cope through conservation, redundant sources of service, emergency systems, etc., the facility is considered resilient from the customers' point of view. The public's objective is to enhance the resilience of the lifeline infrastructures on which they depend, so a measure of consequences to the community reflecting the duration and quantity of service denial is needed. Estimating these community economic impacts requires a regional simulator and/or economic model. To fully capture cascading failures and the full direct and indirect consequences requires a systems model that simulates the interactions of the respective infrastructure systems. Several researchers are working to develop such a systems simulator. However, because great precision is unnecessary for the present purposes, quite simple models and approximations are available or can be acquired at nominal cost. To compute the direct losses, information on individual business or economic sector production is needed.
To approximate the indirect losses, a modified input-output (I-O) table is needed.9 The key inputs for the I-O models are (1) the facility's lost gross revenue due to a service interruption; (2) the length of the disruption; and (3) the input-output data of the metropolitan region being served. The first and second of these are necessary to calculate the owner's loss, so the only new data are the I-O models and data. It is especially important to account for customer resilience. The principal modification to input-output regional modeling is an adjustment for customers' ability to cope with the service interruption (Rose 2004, 2006, 2007; Rose and Liao, 2005; and Rose et al., 2007). For example, durable goods purchases may be deferred, or customers may engage in resilience or continuity plans, e.g., emergency conservation or emergency supplies from alternative sources, relocation of production to other facilities, or making up losses through overtime production after service is restored. The community economic loss can be as much as three orders of magnitude greater than the assessed facility's gross revenue loss. This is especially true if the infrastructure is an essential lifeline, such as power, water, natural gas or telecommunications, for which there are few or no available alternatives. By contrast, if the facility produces a commodity for which alternatives are numerous and varied, the community economic impact can be quite small. An example of the simplified I-O modeling is provided in the water sector SSG.

9 Conventional input-output models used in estimating the consequences of a major disruption can lead to major errors for several reasons: e.g., historical, linear relationships are unlikely to hold in a major disruption, as those customers who can will take self-protective, resilience options; the product of some infrastructures, e.g., water and wastewater, may not reflect their full economic value; etc. Input-output models can be modified to at least roughly accommodate these limitations (see the Rose references in the text).


As with the other quantitative estimates, community economic losses may be reported as either single point estimates or ranges, as shown in Table 15.

Table 15. Consequence Scale for Economic Losses to the Regional Community

Consequence Scale: Economic Losses to the Regional Community ($-million)
RAMCAP Consequence Criteria (Bin Number)   Regional Community Economic Loss (in $-million)
 0                                          0 - 25
 1                                          26 - 50
 2                                          51 - 100
 3                                          101 - 200
 4                                          201 - 400
 5                                          401 - 800
 6                                          801 - 1,600
 7                                          1,601 - 3,200
 8                                          3,201 - 6,400
 9                                          6,401 - 12,800
10                                          12,801 - 25,600
11                                          25,601 - 51,200
12                                          51,201 - 102,400
13                                          102,401 +
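Tables 12 through 15 all use the same base-2 scale (bin 0 is 0 to 25, every later bin doubles, bin 13 is open-ended), so one rule places any quantitative consequence in its bin, and the same rule makes the conditional-risk grid described before Table 12 a simple sum of bin numbers. The following is an added example, not code from the RAMCAP Plus document: it reconstructs the bin ranges, bins an estimate by rounding up the base-2 logarithm of value/25, and builds the grid of consequence-bin plus vulnerability-bin sums whose equal values lie on diagonals. The function names are this example's own; the four estimates in DAM_EXAMPLE are the figures the document's Example Problem reports for Step 3, used to check the binning against the bins the document assigns.

```python
# Consequence binning on the RAMCAP Plus base-2 scale shared by Tables 12-15,
# plus the conditional-risk grid that Step 4's vulnerability bins make possible.
# Added example; not code from the RAMCAP Plus document.

import math

BIN0_UPPER = 25   # every table starts with bin 0 = 0 to 25
TOP_BIN = 13      # bin 13 is open-ended: 102,401 and above


def bin_upper(b: int) -> int:
    """Upper limit of bin b for b in 0..12: 25, 50, 100, ..., 102,400."""
    return BIN0_UPPER * 2 ** b


def bin_range(b: int):
    """(lower, upper) as printed in Tables 12-15; upper is None for the open top bin."""
    if not 0 <= b <= TOP_BIN:
        raise ValueError(f"bin {b} is not on the scale")
    if b == 0:
        return (0, BIN0_UPPER)
    if b == TOP_BIN:
        return (bin_upper(TOP_BIN - 1) + 1, None)
    return (bin_upper(b - 1) + 1, bin_upper(b))


def consequence_bin(value: float) -> int:
    """Map a consequence estimate (fatalities, injuries or $-million) to its bin.

    Bin b holds values in (25 * 2**(b-1), 25 * 2**b], so the bin number is the
    base-2 logarithm of value/25 rounded up; that is why the bins double.
    """
    if value < 0:
        raise ValueError("consequence estimates cannot be negative")
    if value <= BIN0_UPPER:
        return 0
    return min(math.ceil(math.log2(value / BIN0_UPPER)), TOP_BIN)


def conditional_risk_grid(vulnerability_bins: int = 6):
    """grid[c][v] = c + v, the base-2 'logarithm of the conditional risk'.

    Rows are consequence bins 0..13; columns are the vulnerability bin numbers
    0..5 of Table 16 (the 5A/5B/5C sub-bins all carry bin number 5). Cells with
    equal sums lie on diagonals of constant conditional risk.
    """
    return [[c + v for v in range(vulnerability_bins)] for c in range(TOP_BIN + 1)]


def score_scenario(estimates: dict) -> dict:
    """Bin every quantitative consequence of one threat/asset pair."""
    return {name: consequence_bin(v) for name, v in estimates.items()}


# The dam scenario from the document's Example Problem (Step 3), used to check
# the function against the bins the document reports.
DAM_EXAMPLE = {
    "fatalities": 665,
    "serious_injuries": 75,
    "owner_loss_musd": 780,
    "regional_loss_musd": 45_000,   # $45 billion expressed in $-million
}

if __name__ == "__main__":
    for name, b in score_scenario(DAM_EXAMPLE).items():
        lo, hi = bin_range(b)
        span = f"{lo:,} to {hi:,}" if hi is not None else f"{lo:,} +"
        print(f"{name:20s} -> bin {b:2d}  ({span})")
```

Because a bin number is a logarithm, a one-bin error in a consequence estimate is a factor-of-two error in the underlying value; that is the sense in which the text says great precision is unnecessary, and it is also why the grid's diagonals (equal c + v) group threat/asset pairs of roughly equal conditional risk regardless of whether the risk comes from high consequence or high vulnerability.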

The regional community economic loss estimate can serve as a baseline for the resilience of the region because it includes all the necessary elements: the severity and duration of service denial and the full economic consequences. Reductions in the facility's downtime or the provision of alternative sources of service would directly reduce the economic loss, i.e., increase the region's resilience to disruption.

The RAMCAP Plus Consequence Assessment step is completed by considering and noting any of the qualitative consequences displayed in Table 11 (on page 53). Of particular interest are mission interruption of government and military functions and psychological impacts on populations both directly and indirectly affected. Some of these concerns will not apply to all infrastructure sectors and assets. It is likely that some sectors will require one or more categories to be added as better knowledge of risk is developed and when more detailed characteristics of the systems need to be described, such as the throughput of a transportation system.

Task 3.2 Estimate the Consequences of Natural Hazards

Unlike terrorism threats, which are targeted on high value assets within a facility, natural hazards strike the facility as a whole, so they require a slightly modified approach. All assets and the facility as a whole can be affected, although, in a complex facility, an asset-by-asset approach may still be more accurate. In general, the RAMCAP Plus process assumes that the permitting and inspection in effect at the time the principal assets were constructed or significantly updated have assured conformance with the codes. This assumption means that consequences will occur only from natural hazards that exceed the design basis threat as defined in the codes in effect. For hazards for which no relevant codes existed at the time, the analyst must conduct the consequence assessment for all levels of the natural hazard, from least to greatest. For efficiency, the analyst may prefer to start with the most severe level of each natural hazard and work toward the less severe. As the severity decreases, a point is reached at which no significant damage occurs, and the analysis for that hazard and asset is complete.


For each sector, an assessment of the facility-scale consequences is developed through Sector-Specific Guidance. Appendix D provides a description of the general method of determining consequences caused by natural hazards. This approach can be applied to specific sectors by considering the type of infrastructure in that sector and how various natural events will cause damage. For example, nuclear power plants are designed to survive virtually any natural hazard that could be expected at their location. Chemical plants are relatively hardened to natural hazards, but are more vulnerable than nuclear plants. Agriculture is particularly prone to damage by natural hazards, as are certain types of buildings and open gathering places. Electrical distribution networks are often disrupted by natural hazards. Thus, sector-specific characteristics should be considered when developing guidelines for estimating consequences due to natural hazards.

Task 3.3 Estimate the Consequences of Dependency and Proximity Hazards

In most cases, dependency hazards have only economic consequences, primarily lost revenue and lost reputation for reliability (which may affect future business as much as current). For outages or service denials shorter than the pre-established resilience requirements, there are no material consequences, or at least they can be accommodated in conventional business continuity planning. For outages longer than the resilience requirements, lost revenue, as well as emergency supply costs and any penalties for non-delivery, are the principal near-term consequences. Over the longer term, reliability-sensitive customers may seek alternative suppliers in industries where those options exist. Proximity hazards are different, since they may have fatality and injury consequences as well as financial and economic ones. These must be estimated on a case-by-case basis, but generally follow the consequence estimation procedure for terrorist threats of large magnitude. For both dependency and proximity hazards, estimating losses to both the asset owner and the community is necessary to assure that the decision needs of the owner and of those who represent the community are met.

*****

Example Problem (Continued)


The example begun earlier is continued here, adding Consequence Assessment (Step 3 of the RAMCAP Plus process) to further illustrate how the overall assessment is performed. The consequences of the attack, assumed to be successful, are estimated using expert elicitation and any economic impacts available regarding electric power revenue, navigation losses, loss of life, acute injuries caused by downstream inundation effects and regional economic impacts. A summary of the immediate consequences follows.

After the detonation is initiated, significant amounts of water will be released immediately. Water flow control is lost and no backup systems are available to shut off the river flow over the spillway. Attempts are made upstream to reduce the release of river water and divert some to other channels or alternative areas. However, the amount of release causes temporary inundation of all local land areas and significant flooding of commercial and residential areas. Emergency plans are activated and repairs are initiated with limited resources available for reconstruction of the destroyed spillway gates. An estimated minimum of nine months is determined for completing the repairs. The navigation lock is also closed for that period and alternative means of cargo transportation are initiated through rail and roadway. Power generation is reduced to less than one-half of capacity and is maintained with challenges because of the loss of the upstream pool and the water level needed to operate the generators. Fish migration issues are discovered and emergency measures for fish management are implemented.

The financial loss to the owner of the dam is estimated by expert elicitation and includes the costs of repairing the dam, loss of revenue, emergency steps required of the operator, and repair and remediation costs for downstream property. Economic losses to the regional community were estimated by modified input-output modeling. Loss of life due to downstream inundation is estimated using Population at Risk (PAR) data, the warning time relative to the time needed for an effective evacuation and the degree of shelter available for those people who do not successfully evacuate relative to the flood severity. Acute injuries are estimated from historical information relating the ratio of fatalities to serious injuries. Consequences of the above are summarized as follows:

- Fatalities: 665, consequence bin 5
- Acute injuries: 75, bin 2
- Financial impacts on the owner of the dam: $780 million, bin 5
- Losses to the regional economy: $45 billion, bin 11
- Consequences of damages to the fishery: environmental, ecological and psychological. These are addressed in the final report but are not quantified.

References and Further Reading


Brealey, R. and S. Myers. 2000. Principles of Corporate Finance, Sixth Edition. Boston, MA: Irwin McGraw-Hill.

Brigham, E., Gapenski, L. and Ehrhardt, M. 1999. Financial Management: Theory and Practice, Ninth Edition. Fort Worth, TX: The Dryden Press.

Cadmus Group, Inc., The. June 2006. 2003 Drinking Water Infrastructure Needs Survey: Modeling the Cost of Infrastructure. Office of Water (4606), EPA 816-R-06-007, www.epa.gov/safewater.

Clemen, Robert. 1996. Making Hard Decisions: An Introduction to Decision Analysis, Second Edition. Duxbury Press.

Multihazard Mitigation Council. December 2005. Natural Hazard Mitigation Saves: Independent Study to Assess the Future Benefits of Hazard Mitigation Activities, Volume 2: Study Documentation. Prepared for the Federal Emergency Management Agency of the U.S. Department of Homeland Security by the Applied Technology Council under contract to the Multihazard Mitigation Council of the National Institute of Building Sciences, Washington, D.C.

U.S. Department of Defense. July 2002. DoD Unified Facilities Criteria: DoD Minimum Antiterrorism Standards for Buildings, UFC 4-010-01.

Rose, A. 2004. Economic Principles, Issues, and Research Priorities in Natural Hazard Loss Estimation, in Okuyama Y. and Chang S. (eds.), Modeling the Spatial Economic Impacts of Natural Hazards. Heidelberg: Springer, pp. 13-36.

Rose, A. 2006. Economic Resilience to Disasters: Toward a Consistent and Comprehensive Formulation, in Paton D. and Johnston D. (eds.), Disaster Resilience: An Integrated Approach. Springfield, IL: Charles C. Thomas, pp. 226-48.

Rose, A. 2007. Macroeconomic Modeling of Catastrophic Events, in Quigley J. and Rosenthal L. (eds.), Real Estate, Catastrophic Risk, and Public Policy. Berkeley, CA: Berkeley Public Policy Press, forthcoming.

Rose, A. and Liao, S. 2005. Modeling Regional Economic Resilience to Disasters: A Computable General Equilibrium Analysis of Water Service Disruptions. Journal of Regional Science, Vol. 45, No. 1, pp. 75-112.

Rose, A., Oladosu, G. and Liao, S. 2007. Business Interruption Impacts of a Terrorist Attack on the Water System of Los Angeles: Customer Resilience to a Total Blackout, in Richardson, H., Gordon, P. and Moore, J. (eds.), Economic Costs and Consequences of Terrorist Attacks. Cheltenham, UK, pp. 291-316.

U.S. Federal Aviation Administration. 2003. Economic Values for Evaluation of Federal Aviation Administration Investment and Regulatory Decisions, FAA-APO-98-8.

U.S. Federal Emergency Management Administration. Reference Manual to Mitigate Potential Terrorist Attacks Against Buildings (FEMA 426). See also related FEMA manuals 427 and 428.


Step 4. Vulnerability Analysis

Vulnerability analysis consists of estimating the conditional likelihood that a threat will produce the consequences estimated in Step 3, given that the threat occurs. In the case of a terrorist attack on a specific asset, vulnerability assessment estimates the likelihood that the adversary will be successful in executing a specific attack mode at a facility or asset. In forming this estimate, the owner/operator must assume that all the adversary's preliminary activities necessary to prepare the attack have successfully taken place.

For natural hazards, consequences depend upon the type of asset, the initiating event and the severity of the event, as detailed in Appendix D. A particular asset or type of asset may be more vulnerable to certain natural hazards than others; hence, the vulnerability of an asset can depend upon both the type of asset and the type and magnitude of the initiating event. For example, hardened control rooms in refineries are designed to withstand blast overpressure and would have low vulnerability to wind loads. The vulnerability of each asset type to natural hazards is provided in Appendix D. In the case of dependency hazards, the vulnerability is zero up to the resilience requirement, but 1.0 above it. For proximity hazards, the vulnerability is always 1.0 because the physical site constitutes the hazard (although moving either the asset or the cause of the proximity hazard would remain as options to be evaluated in Step 7).

Estimating the likelihood of an adversary's success involves the consideration of the facility's or asset's vulnerability (sometimes called exposure or susceptibility) to a pre-defined attack scenario. Each threat/asset pair is assessed taking into consideration:

- Detailed specification of the threats, including number of assailants, weapons, mode of transport, etc.
- Details of the asset's/facility's construction, systems and layout.
- Details of the facility's existing countermeasures designed to detect, deny, defend and disrupt such an attack at all stages.
- Information, power, personnel and material flows within the facility.


The vulnerability of an asset or system is estimated as a point value, which is then located on the Likelihood of Attack Success Scale, shown in Table 16, or is estimated directly as one of the ranges shown, by using the bins in the table.

Table 16. RAMCAP Plus Vulnerability Scale (Repeated from Table 3)

Bin   Decimal Range     Percentage Range (%)   Successes per Attempts
5A    0.90 - 1.00       90 - 100               9/10 ≤ L ≤ 1
5B    0.75 - 0.89       75 - 89                3/4 ≤ L < 9/10
5C    0.50 - 0.74       50 - 74                1/2 ≤ L < 3/4
4     0.25 - 0.49       25 - 49                1/4 ≤ L < 1/2
3     0.125 - 0.249     12.5 - 24.9            1/8 ≤ L < 1/4
2     0.0625 - 0.124    6.25 - 12.4            1/16 ≤ L < 1/8
1     0.0312 - 0.0624   3.12 - 6.24            1/32 ≤ L < 1/16
0     < 0.0311          < 3.11                 L < 1/32

This scale provides eight basic categories for vulnerability ranking that cover the entire range of possible likelihood values. The scale utilizes the same factor of two between successive categories as used in consequence ranking, which is useful for plotting the resulting risk matrix. Category 5 is further subdivided into three parts to provide more granularity as the likelihood of success approaches 1.0. This allows the owner/operator to estimate changes in security level in Step 7, Risk Management. As illustrated in the table, likelihood of success can be expressed as a decimal fraction range, a percentage range or in terms of chance. Since many asset evaluations will rely upon expert elicitation, it is often convenient to use a scale familiar to the user. While some individuals prefer a decimal fraction representation (such as a likelihood of success in the range of .125 to .249), others are more comfortable using a percentage range (e.g., between 12.5% and 24.9% likelihood). Another way of expressing the same value range is to estimate that the odds of success are somewhere between one in eight and one in four. Any of these descriptions can be used, as they are mathematically equivalent.

Numerous methodologies have been advanced for vulnerability assessments. The most commonly used in RAMCAP Plus assessments are:

1. Direct expert elicitation: members of the evaluation team who are familiar with a facility's layout and work flows and are knowledgeable about the asset discuss the likelihood of success and the reasoning for their estimates. Sometimes trained facilitators, on staff or under contract, are used to elicit the judgments. In its more elaborate form, a statistical Delphi or Analytical Hierarchy Process can be used to establish a consensus.


2. Vulnerability logic diagrams (VLDs): the flow of events from the time an adversary approaches the facility to the terminal event in which the attack is foiled or succeeds, considering the obstacles and countermeasures that must be surmounted, with each terminal event associated with a specific vulnerability bin. This is usually complemented by time estimates for each segment, compared with an estimate of the reaction time of a counterforce once the attack has been detected. If the adversary's time to reach a specific point in the flow of events is less than or equal to the reaction time, the adversary can be assumed to have succeeded to that point. In many of the RAMCAP Sector-Specific Guidance documents, VLDs are prepared in advance as heuristics to guide the team in making its assessment.
3. Event trees (also called failure trees): the sequence of events between the initiation of the attack and the terminal event is described as a branching tree, where each branch represents the possible outcomes at that junction, e.g., a locked door may be breached or not. The evaluation team estimates the probability of each outcome. Multiplying the probabilities along each branch, from the initiating event to each terminal event, gives the probability of each unique branch, while all branches together sum to unity (1.0). The sum of the probabilities of all branches on which the attack succeeds is the vulnerability estimate. This estimate can either be used as a discrete estimate or assigned to the corresponding range on Table 5.1.
4. Hybrids of these, often used by more sophisticated assessment teams.

Each of the first three methods is illustrated in the example. Direct elicitation often seems to be less time-consuming, but the time to reason through each threat/asset pair can lead to long discussions, and it is difficult to maintain logical consistency across a number of such judgments. VLDs have the virtue of being pre-defined (in the RAMCAP SSGs) and able to guide discussions and estimates along relevant paths efficiently and consistently, but run some risk of failing to capture precisely the conditions at the specific site. Consistency and efficiency are also attributes of event- or failure-trees, with the added advantage that a true conditional probability is estimated and the evaluation team is exposed to the uncertainties in their estimates. The more precise and quantitative approaches are also easier to use when re-estimating vulnerabilities as changed by additional security options and when measuring improvements over time. Either of the more structured methods (or the hybrids) produces a more reliable estimate in the sense that a different evaluation team (or the same team at another time) is more likely to make the same or very similar estimates, given the same site and threat/asset pairs. This greatly increases the consistency and direct comparability of the assessments and permits them to be used over time to measure the progress of security programs or assess evolving conditions.

As stated previously, it is assumed that the goal of the terrorist is to cause the most damage possible for a given threat scenario upon a given target. The adversary is assumed to be intelligent, resourceful and to have detailed knowledge of the facility. The vulnerability assessment procedure should be performed using a common sense approach to determine the worst reasonable case for consequences and vulnerability. The procedure should maximize consequences with the greatest expectation of attacker success, given the details of the threat/asset pair. For example, if the vulnerability of a plant is being evaluated and the scenario of a car bomb is being considered, it is reasonable to assume that the attack could be staged during a change of shift when traffic through the entry gate is greatest. This could increase the consequences of an explosion at the gate and possibly provide a greater opportunity for the terrorist to gain entry to the facility. It also should be assumed that the terrorist could time the event to coincide with a favorable wind direction for spreading vapor clouds over the most populous areas around the plant, if this is reasonably predictable. However, the evaluator should not assume that rare events (such as an earthquake, tornado, wind storm or other event outside the ability to anticipate) will occur which would have a significant effect on the consequences of the attack. This compounds the probability of occurrence and is not statistically representative. It illustrates the concept of the worst reasonable case: worst-case scenarios are not compounded to create an unreasonable combination of events.

The asset owner should balance the rigor of analysis against the severity of the consequences, the complexity of the system and the requirements of the decision. To estimate damage to the facility, the evaluation team is encouraged to utilize existing damage models developed by others. This can help to quickly identify the most severe outcomes for a given threat scenario, which will greatly reduce the effort required to estimate vulnerability. Begin with the simplest possible model. It may be prudent for the asset owner to perform a more detailed assessment of a high-risk/high-potential-consequence facility. For example, probabilistic risk analyses have been carried out for all nuclear power plants and may be adapted and applied to parts of the assessment.
RAMCAP Plus assessments can focus and prioritize more in-depth and costly detailed engineering risk analyses and design projects. The more detailed analyses could be used for evaluating and prioritizing significant security upgrades or for cost-benefit analyses. *****

Example Problem (Continued)


The example presented in the previous three steps is continued, adding Vulnerability Analysis, Step 4 of the RAMCAP Plus process, to further illustrate how the overall assessment is performed. To summarize: an assault team of two to four assailants (AT2) drives a land-based vehicle to the recreation area, dismounts as close as possible to the fence, penetrates the fence using bolt cutters, crosses the earthen dam to the spill gates and places six packs of explosives (two on each spill gate) with preset timers to initiate the explosives. The team then leaves the spillway gate area and returns to its vehicle. It is estimated that the assault team will take 15 seconds to cut the fence and pass through the opening, 20 seconds to cross the dam, 100 seconds to place the explosives and 30 seconds to return to the vehicle. The total adversarial attack path time is 165 seconds.


The areas accessed by the assault team have occasional guard patrols and are covered by CCTV surveillance from the control room in the powerhouse, but at dusk visibility is limited: it is too dark to see well and not yet dark enough for the floodlights to illuminate the area effectively. The console operator is responsible for the CCTV observation as well as for monitoring all the operating and measuring parameters of the dam. Operations personnel are present occasionally on the dam top and carry radios to communicate with the powerhouse. The on-site response force is composed of three officers assigned to various patrols in and around the dam. Each carries a handgun and a shotgun. Their orders are to go to the area where a problem is reported as soon as possible. After the console operator or another observer activates an alarm, the first officer arrives at the location in 3 minutes, the second in 5 minutes and the third in 10 minutes. Since the attack path takes only 165 seconds, unless the assailants were observed at the moment of placing the explosives, the officers would not be able to locate and disarm the charges before detonation.

The evaluation team may use any of several methodologies or may be directed to use certain methods by the relevant SSG. Below are examples of the three basic methods described above:

1. Direct expert elicitation
2. Vulnerability logic diagram
3. Event tree method

1. Direct expert elicitation

The security personnel familiar with the plant, normally the security supervisor and working guards, estimate the vulnerability of the facility directly from their experience. The attack scenario is presented to the team for discussion. In this example, the team decides that the greatest obstacle to attack success is the possibility of timely detection while crossing the dam. They decide that an attack at dusk, just before the shift change of the dam personnel, would maximize the probability of a successful attack. If conducted at dusk, the attack is judged by the experts to be 70% likely to succeed. The team discusses the reasoning behind these assumptions and judgments. It is concluded that if the attack were carried out in broad daylight there would be a high likelihood of being detected and intercepted, and if it were carried out after nightfall the assailants would take unnecessarily long to traverse the dam because of poor visibility. In addition, at dusk prior to the shift change, the day-shift personnel would be fatigued and looking forward to leaving, so they might be less likely to be on patrol and less vigilant. The estimated 70% chance of success is then recorded for use in the risk evaluation and assigned to vulnerability bin 5A (50-75%) in Table 16. The team moves on to another threat/asset pair.

2. Vulnerability logic diagrams (VLDs)

This method of estimating the likelihood of adversary success is similar to expert elicitation, except that it does not involve a formal elicitation protocol such as the Delphi method. In order to make the method repeatable by multiple users in multiple sectors, it is necessary to provide detailed guidance for each threat scenario. This guidance includes assigning levels of effectiveness to the various on-site and off-site security countermeasures, process safeguards and emergency response/mitigation capabilities.
For example, Figure 2 is used to determine the vulnerability level of the spill gates to attack AT2, following these steps:

Step 1: Is the target accessible from outside the perimeter? No.
Step 2: What is the likelihood of being detected at the perimeter? Low, if at dusk.
Step 3: Can the response force prevent them from getting to the target? No, they won't arrive in time.
Step 4: What is the likelihood of being detected while crossing the dam and accessing the gates? Low at dusk.
Step 5: Can the response force prevent them from placing the explosives or from detonating the explosives? No; the first officer will arrive after the pre-timed explosives are set, and with insufficient firepower. However, there is a small chance the response team could reach and disarm the explosives before detonation.
Step 6: Determine the vulnerability level: V = high, or bin 5, but at the lower end because of the chance of the responders disarming the explosives prior to detonation, so the estimate is modified to 5A, 50-75% likely to succeed.

Figure 2. Vulnerability Logic Diagram: Assault Team Attack on Dam

Other considerations: the first responding officer may be able to intercept the team as they return to the vehicle. In that situation there could be a force-on-force confrontation, and the response force could neutralize the assault team. By that point, however, the charges set on timers will detonate whether or not the confrontation is successful. Probabilities, time intervals and finer gradations of the events could be added for greater precision in the estimates and would be appropriate in a more detailed assessment.

3. Event tree method

In estimating the likelihood of success for a specific attack scenario, an event tree can be helpful. Figure 3 illustrates an event tree for the example attack on a dam. As discussed earlier, the team of experts estimates the individual event probabilities to determine the most likely strategy of the adversary.

Figure 3. Event Tree Analysis: Attack on Dam
Event tree (conditional probability at each node; branch probability at each end point):

Two-to-four man assault force attack (1.0)
  Not detected at fence (0.9)
    Not detected on dam (0.9)
      Bomb placement OK (0.9)
        Detonates (0.9) .................. attack succeeds  0.656
        Doesn't detonate (0.1) ........... attack fails     0.073
      Bomb placement not OK (0.1) ........ attack fails     0.081
    Detected on dam (0.1)
      Stopped on dam (0.5) ............... attack fails     0.045
      Not stopped on dam (0.5)
        Placement not OK (0.4) ........... attack fails     0.018
        Placement OK (0.6)
          Detonates (0.8) ................ attack succeeds  0.022
          Doesn't detonate (0.2) ......... attack fails     0.005
  Detected at fence (0.1)
    Stopped at fence (0.2) ............... attack fails     0.020
    Not stopped at fence (0.8)
      Stopped on dam (0.6) ............... attack fails     0.048
      Not stopped on dam (0.4)
        Placement not OK (0.5) ........... attack fails     0.016
        Placement OK (0.5)
          Detonates (0.8) ................ attack succeeds  0.013
          Doesn't detonate (0.2) ......... attack fails     0.003

Total conditional probability: attack succeeds 0.691 + attack fails 0.309 = 1.000


The event tree (sometimes called a failure tree) approach is an important tool for probabilistic risk assessment in the nuclear industry and in many other applications involving complex systems. In this case, it is used to estimate the conditional probability that the attack will succeed, given that the attack happens. The root, or left-most branch, represents the initiating event, in this case an attempt to bomb a dam by two to four assailants. The branches of the tree represent all possible outcomes; they must be mutually exclusive and collectively exhaustive for the probabilities to be calculated as shown. The analysis reflects the uncertainties in the situation, given the attack plan and the protective measures. The assessment team estimates the uncertainties by considering the combination of attack scenario and protective measures. The team made the following estimates for the top set of branches:

- The assailants may be detected at the fence (probability of 0.1) or not (0.9).
- If not detected at the fence, they may be detected on the dam (0.1), assuming a dusk attack, or not (0.9).
- If not detected at either point, they may still place the bombs improperly to damage the spillways (0.1) or place them properly (0.9).
- If the bombs are correctly placed, they may not detonate (0.1) or they may (0.9).

At each node of the diagram, the probabilities always add to unity, or 1.0. Multiplying the probabilities along the top branch produces the probability of that full branch (they are not detected at the fence or on the dam, they place the bombs properly and the bombs detonate, causing the estimated consequences): 0.9 × 0.9 × 0.9 × 0.9 = 0.656. The remaining branches are estimated similarly. Note that branches that are similar do not need to have the same probabilities. For example, the probability of proper bomb placement if the assailants have not been detected (0.9) is estimated to be higher than if they were detected on the dam but not stopped (0.6), or detected at the fence and not stopped at the fence or on the dam (0.5). These differences arise because the assailants are forced to rush and to defend themselves while putting the bombs in place. Similar reasoning led to a higher probability of detonation if undetected (0.9) than if detected but not stopped (0.8), because they would have less time and be under greater duress when setting the timers and priming the bombs. After all the event probabilities are estimated, the product of the probabilities along a branch from the root to its end yields the compound probability for the whole branch. These branch probabilities always add to 1.0, given the attack, because the branches form a collectively exhaustive and mutually exclusive set of outcomes and the probabilities at each node total 1.0. The probabilities of the three cases in which the attack succeeds are added to give the desired vulnerability estimate (the probability of attack success); in the example, 0.656 + 0.022 + 0.013 = 0.691. The sum of the nine cases in which the attack fails is the complement, 0.309. The vulnerability estimate is recorded both as a raw number and in the bin to which it corresponds, in the example Bin 5A.

Discussion.
In this particular example, the event tree method did not materially change the result of the first estimate generated by expert elicitation (0.7) or the value estimated by the vulnerability logic diagram (Bin 5A, between 50% and 75%). The overall probability of success for the attack, using the event tree analysis, is 0.691. These differences are not significant compared to the uncertainty in the values assigned by the experts, and in this case any of the three methods gives adequate results. However, the event tree identifies potential failure modes that may not be obvious without a detailed analysis of the overall security system. When changes are made to upgrade security (for example, the addition of sensors on the fence), the lower-probability branches become more important and numerically larger. As the security system becomes increasingly complex, the event tree method is necessary to understand the overall failure scenario.
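The event tree arithmetic above can be checked mechanically, and the same code shows what happens to the branch values when a countermeasure is added. The following Python script is an added example and is not part of the RAMCAP Plus text: it encodes the Figure 3 tree, rejects any node whose child probabilities do not sum to 1.0, multiplies the probabilities along every branch and sums the branches on which the attack succeeds. It then re-runs the tree with detection at the fence raised to 0.5 as a stand-in for the fence sensors mentioned in the discussion; that value, the assumption that every other conditional probability stays unchanged, and the label "5B" for the upper half of bin 5 are assumptions of this script, not figures from the page.

```python
"""Event-tree vulnerability estimate for the RAMCAP Plus dam example (added example)."""
from typing import List, Tuple, Union

# A node is (label, probability at its parent, children); a leaf's "children"
# slot holds the outcome string "success" or "fail".
Node = Tuple[str, float, Union[str, List["Node"]]]


def leaf(label: str, p: float, outcome: str) -> Node:
    return (label, p, outcome)


def node(label: str, p: float, children: List[Node]) -> Node:
    return (label, p, children)


def build_dam_tree(p_detect_fence: float = 0.1) -> Node:
    """Figure 3 tree. Only detection at the fence is a parameter, so the
    effect of a fence upgrade can be examined; every other conditional
    probability is taken from the figure and assumed not to change."""
    p_miss_fence = 1.0 - p_detect_fence
    return node("two-to-four man assault force attack", 1.0, [
        node("not detected at fence", p_miss_fence, [
            node("not detected on dam", 0.9, [
                node("placement OK", 0.9, [
                    leaf("detonates", 0.9, "success"),
                    leaf("doesn't detonate", 0.1, "fail"),
                ]),
                leaf("placement not OK", 0.1, "fail"),
            ]),
            node("detected on dam", 0.1, [
                leaf("stopped on dam", 0.5, "fail"),
                node("not stopped on dam", 0.5, [
                    leaf("placement not OK", 0.4, "fail"),
                    node("placement OK", 0.6, [
                        leaf("detonates", 0.8, "success"),
                        leaf("doesn't detonate", 0.2, "fail"),
                    ]),
                ]),
            ]),
        ]),
        node("detected at fence", p_detect_fence, [
            leaf("stopped at fence", 0.2, "fail"),
            node("not stopped at fence", 0.8, [
                leaf("stopped on dam", 0.6, "fail"),
                node("not stopped on dam", 0.4, [
                    leaf("placement not OK", 0.5, "fail"),
                    node("placement OK", 0.5, [
                        leaf("detonates", 0.8, "success"),
                        leaf("doesn't detonate", 0.2, "fail"),
                    ]),
                ]),
            ]),
        ]),
    ])


def enumerate_branches(tree: Node, prefix=(), p_acc: float = 1.0):
    """Return [(path, branch probability, outcome)] for every leaf, rejecting
    any node whose child probabilities do not add to unity."""
    label, p, children = tree
    path = prefix + (label,)
    p_acc *= p
    if isinstance(children, str):
        return [(path, p_acc, children)]
    total = sum(child[1] for child in children)
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"branches under {label!r} sum to {total}, not 1.0")
    branches = []
    for child in children:
        branches.extend(enumerate_branches(child, path, p_acc))
    return branches


def attack_success_probability(tree: Node) -> float:
    """Vulnerability V: the sum of the branch probabilities ending in success.
    The branches are mutually exclusive and collectively exhaustive, so their
    probabilities must sum to 1.0 given the attack."""
    branches = enumerate_branches(tree)
    if abs(sum(p for _, p, _ in branches) - 1.0) > 1e-9:
        raise ValueError("branch probabilities do not sum to 1.0")
    return sum(p for _, p, outcome in branches if outcome == "success")


def vulnerability_bin(v: float) -> str:
    """Bin 5A (50-75%) is the only bin the example defines; treating 5B as
    the upper half of bin 5 is an assumption of this script."""
    if v >= 0.75:
        return "5B"
    if v >= 0.50:
        return "5A"
    return "below bin 5"


if __name__ == "__main__":
    base = build_dam_tree()
    for path, p, outcome in enumerate_branches(base):
        print(f"{p:.3f}  {outcome:7s}  {' > '.join(path[1:])}")
    v0 = attack_success_probability(base)
    print(f"V = {v0:.3f} (bin {vulnerability_bin(v0)})")
    # Fence sensors, modelled (assumption) as raising detection at the fence to 0.5.
    v1 = attack_success_probability(build_dam_tree(p_detect_fence=0.5))
    print(f"with fence sensors: V = {v1:.3f} (bin {vulnerability_bin(v1)})")
```

With the figure's values the script returns V = 0.6905, which rounds to the 0.691 in the text. Raising fence detection to 0.5 brings V down to about 0.44, and the branch through "detected at fence, not stopped, placement OK, detonates" grows from 0.013 to 0.064, which is the numerical effect the discussion describes: once the primary detection layer improves, the previously negligible branches are the ones that carry the remaining vulnerability.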

References and Further Reading


American Petroleum Institute and the National Petrochemical and Refiners Association. October 2004. Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical Industries, Second Edition.
Ayyub, B. M. 2003. Risk Analysis in Engineering and Economics. Chapman & Hall/CRC Press, Boca Raton, FL.
Center for Chemical Process Safety. June 2003. Guidelines for Analyzing and Managing the Security Vulnerabilities of Fixed Chemical Sites.
National Institute of Justice. November 2002. A Method to Assess the Vulnerability of U.S. Chemical Facilities. U.S. Department of Justice.
U.S. Coast Guard. July 1, 2003. Implementation of National Maritime Security Initiatives. Federal Register, Vol. 68, No. 126, pp. 39240-39250.


Step 5. Threat Assessment (Likelihood of Attack)

The fifth step of the RAMCAP Plus process estimates the probability, frequency or likelihood[10] of each initiating event specified in the set of reference threats. With respect to terrorism threats, this step is one of the most difficult; with all types of threats, it profoundly influences later decision-making. The approach differs somewhat among the respective classes of threats:

- In the case of terrorism, threat assessment consists of weighing the available evidence about an adversary and the asset to estimate the likelihood that the adversary will attack the target asset in question; several approaches are suggested to assist in making these estimates.
- With natural hazards, historical frequency data for similar events at the specific location are used, although these may be modified for sound reasons, such as global climate change affecting the frequency and strength of hurricanes and floods.
- Dependency hazards arise from interruptions of the immediate supply chain, so estimating their likelihood begins with the historical frequency of interruptions for that element and modifies it if there are reasons to believe the supply chain component will be more or less reliable in the future than in the past.
- Proximity hazards, reflecting the likelihood that neighboring facilities will encounter negative events that spill over to the asset of interest, rely on threat assessment to estimate the likelihood of an incident at the neighboring facility.

Each of these is discussed below.

a. Estimating the Likelihood of Terrorist Events

Terrorism threat assessment is the estimation of the likelihood of a specific attack occurring. It reflects the consideration of two contributing elements:

1. The likelihood that an adversary would conduct an attack of that type on an asset of the type being assessed; and
2. The likelihood that an adversary would target the particular facility, and the particular asset within that facility, for that attack.

[10] The terms probability, frequency and likelihood of attack are used interchangeably in this section. Practitioners of risk analysis often have a distinct preference for one of these terms. The reader is encouraged to use the term he or she prefers.

To address the first, the Department of Homeland Security, in concert with other federal, state and local law enforcement and intelligence agencies, conducts terrorism threat assessments. These threat assessments include an evaluation of an adversary's capability to mount a specific threat, the intent of the adversary and the attractiveness of particular targets or classes of targets to the adversary. Owner/operators of infrastructure components, however, should not expect federal agencies to provide likelihood information at the facility and asset level; their information can rarely be that specific. At best, actionable information may be available when a terrorist plot is uncovered or information concerning terrorist planning is recovered by military or intelligence agencies. It is far more likely that any hard information will be of a form that indicates that attacks are planned for certain sectors or geographical regions. There are simply too many targets that could be attacked and, further, the likelihood of an attack changes continuously over time depending upon geopolitical conditions.

b. General Considerations for RAMCAP Plus Likelihood Estimation Methods

Undoubtedly, the most difficult of the three basic risk parameters (T, V and C) to estimate when considering a terrorist attack is the attack likelihood (T). This has been termed by some an unknowable number. To the authors' knowledge, there is no fully accepted method for making this estimate. It is the authors' hope that more definitive and rigorous procedures will be developed and that a specific, documented and academically vetted methodology will be defined. Until then, the RAMCAP Plus process provides three approximation methods, described in this chapter, to estimate the frequency of a terrorist attack.
Some have proposed using only conditional risk, the product of consequences and vulnerability, and dispensing with an estimate of the likelihood of attack altogether. The authors reject that solution. Lacking threat likelihood as an active parameter in the risk equation, conditional risk is a measure of the reward (consequences) if an attack is successful, tempered by the likelihood that, if mounted, the attack will succeed in causing those consequences (vulnerability). Conditional risk is very useful when confronted with a number of potential targets for possible attack and the targets are being prioritized. This logic is the core of the method by which the U.S. military ranks enemy targets and allocates available resources, i.e., attacking forces and materiel. The method, called CARVER,[11] is often erroneously considered a risk methodology. While it does not produce true risk estimates, it does include the elements the RAMCAP Plus process uses to address consequences and vulnerability: Criticality (C), Accessibility (V), Recuperability (C), Vulnerability (V), Effect (C) and Recognizability (the ease of identifying the target, which bears on V). The benefits of attacking a particular target are weighed against the difficulty and costs of achieving the goal.

[11] C.A.R.V.E.R. analysis includes an evaluation against the following factors: Criticality, a measure of the public health and economic impacts of an attack; Accessibility, the ability to physically gain access to and egress from the target; Recuperability, the ability of the system to recover from an attack; Vulnerability, the ease of accomplishing the attack; Effect, the amount of direct loss from an attack as measured by loss of production; and Recognizability, the ease of identifying the target.

Terrorist adversaries must be assumed to be intelligent and rational in the sense of considering the consequences and likelihood of a successful attack, striving to cause the largest possible damage while optimizing the use of their resources. From the adversary's perspective, a useful indicator of the value of an attack might be the conditional risk, while an indicator of attack efficiency might be the conditional risk divided by the amount of resources required to mount the attack. This strategy is very useful for selecting the best target given the resources available. The assumption implicit in this overall strategy is that at least one attack will be mounted; this is equivalent to assuming a likelihood of one, i.e., that there will be an attack. A true risk methodology, however, must contain the element of likelihood; otherwise it is impossible to compare risk across a wide variety of similar targets and, even more importantly, across dissimilar targets. Further, benefit-cost analysis cannot be carried out unless the likelihood of an event is known. Thus, risks and risk-reduction options cannot be prioritized, and anything approaching optimal risk management is impossible. Recognizing that the likelihood of a terrorist attack is an unknowable number that must nevertheless be estimated for a particular asset, the RAMCAP Plus process suggests three approaches for examining the likelihood or expected frequency of a terrorist attack. It is recommended that at least two of the approaches be applied and their results compared for insight.

Terrorist events are not random events. A tornado presumably does not target an asset. A random event is, in many ways, easier to predict theoretically. A roll of the dice is a random event, and the laws of probability can be applied to it with great precision.
As the number of rolls of a die increases, the predicted probability will be borne out, and a complete set of probabilities can be determined. Terrorist events cannot be considered random events; therefore, the rules for calculating probabilities for random events do not apply. It is not possible to determine all the possible attack scenarios that should be considered. Even more problematic, the likelihood of a terrorist event changes over time in unpredictable ways that are influenced by politics, economic conditions, the rise and fall of charismatic leaders, and so on; the list could be continued indefinitely. Thus, the logical, rational conclusion is that likelihood is truly an unknowable number, but one that must be approximated. It is possible, however, to place limits on an unknowable number. Age at death, for example, can be bounded based upon historical data and logical reasoning. The RAMCAP Plus process provides logically reasoned approaches for estimating risk bounds and comparing terrorist risk to other risks.

c. Additional Screening

One major impediment to estimating the likelihood or frequency of occurrence of a terrorist event is the large number of possible event scenarios considered in the assumed set of threats discussed in Step 2, Threat Characterization. There is a variety of attack modes, as well as sizes of attack. Assault teams may have only one or two members or up to twenty members. Aircraft attacks are assumed to vary from small to large planes. This raises the logical question: how do you determine the frequency of attack for all possible attacks considered for every asset? The short answer is: you don't. RAMCAP Plus likelihood estimates are predicated on the assumption that the terrorist will attempt to optimize available resources. For every target it is assumed the terrorist would choose the attack mode most effective and efficient in destroying the target. Further, since the terrorist's resources are limited, it is assumed that the smallest expenditure of resources that results in a successful mission would be used. Thus, the terrorist is assumed to optimize available resources. An assault on an asset using twenty trained, armed and motivated perpetrators requires much greater resources than an attack by one or two people. Further, the chance of detection and interdiction before the attack is mounted is greater when more people are involved. The first step in determining a value for likelihood is to estimate the value of the target and assume the most efficient type and size of attack that would be used by a terrorist on that target. The risk analyst, working with security and operations experts, should adopt a Red Team mentality and determine the most logical attack mode and size of attack. The minimum size of attack that will achieve the objective should be used in selecting the most likely attack scenario for a given asset. This greatly reduces the number of calculations. A practical approach for doing this screening analysis is to return to the matrix of assets by threats constructed in Step 2 (illustrated in Table 10 on page 50), replacing the judgments of consequence significance with the conditional risk (the product of consequences and vulnerability) as calculated in Steps 3 and 4. Fatalities and economic losses to the community would best reflect the general understanding of terrorists' objectives, whether combined or used as two separate indicators.
The work here is to judgmentally divide each conditional risk by the resources required to get a sense of the efficiency of the threat from the adversarys perspective. The resources of personnel, money, and other resources (e.g., coordination effort) should be considered. Only ordinal judgments of the resources required are made because they have no common metric across all the attack modes. For threats with a magnitude continuum, e.g., marine attacks, airplanes, Vehicle-Borne Improvised Explosive Devices (VBIEDs) and assault teams, the magnitudes in Table 9 (in Step 2) provide a resource magnitude indicator. In most cases, the larger the attack, the more likely it is to be detected and interdicted before the attack is mounted. For example, it is much easier to acquire a small boat or plane than a deep draft ship or a jumbo jet. In addition, the conditional risk may reach a maximum well before the largest attack is needed, so the optimal attack will be the smallest that achieves that consequence. For terrorist threats that do not have a magnitude continuum, e.g., sabotage, diversion or theft, and product contamination, the judgments must be made individually. When the resource judgments have been made, the ratios of conditional risk divided by resources required are compared. Relatively higher ratios indicate the asset/threat pair that would be more attractive to the adversary than pairs with lower ratios. Those with materially lower ratios are assigned lower analytical priority and can be deleted from the rest of the assessment so that priority can be given to those with higher efficiency ratios.


d. Three Approaches in Overview

With the above-stated caveats, three methods for estimating the probability of a terrorist attack on an asset are presented. Some of the factors used to estimate frequency are not completely quantified. For example, Method 1, the numerical ratio method, draws on information indicating that New York City or Washington, D.C. is much more likely to be attacked than other cities. No attempt has been made to convert this information into numerical coefficients for the user to apply. Rather, this information is presented (along with its source) for the user to consider when making and adjusting estimates. Eventually, these factors may be quantified when additional research provides a logical, defensible and transparent approach accepted by the risk community. The three RAMCAP Plus methods are:

1. Numerical Ratio Method: estimates a total number of attacks in a given year in the entire United States. This estimate can be based upon historical data, intelligence information or various assumptions that are felt to bracket the expected number of attacks. A numerical estimate of the likelihood of an attack on a given asset can then be made from the total number of available targets, target attractiveness, the perceived difficulty of a successful attack and the difficulty of mounting the attack. This estimate is then judgmentally adjusted to account for differences among both cities and types of assets.

2. Comparison of Risk Tolerance with Natural Hazard Risk: uses the notion of risk tolerance and a natural hazard risk to compare with a terrorist risk, deducing the threat likelihood that would equate the two risks. The analyst and decision-maker then judge whether the deduced likelihood is reasonable or not. If the likelihood in the deduced risk is equal to or less than the judged reasonable level, the terrorism risk is as tolerable as the natural hazard risk and the likelihood is moot. If, on the other hand, the likelihood in the deduced risk is greater than the reasonable level, the judgment of the reasonable level sets a minimum and the asset/threat pair's risk justifies taking the next steps. This technique is used in some fields to obtain expert elicitation by comparing information of a similar nature. Building codes and standards typically use design parameters based upon recurrence intervals. For example, the use of hundred-year flood values provides a standard for designing certain types of infrastructure, such as levees and the flood control systems of dams and flood channels.[12]

3. Investment Break-Even: assumes the decision-maker's choices are simple go/no-go decisions on individual options. This method can only be applied as part of Step 7 because it requires the calculation of a baseline risk, a conceptual design and cost estimate of an investment option to materially reduce the risk, and an assessment of the risk with the option in place. Given the estimated consequences (with and without the option), the vulnerability (with and without the option) and the option cost, the break-even likelihood may be calculated that yields a net benefit of exactly zero and a benefit-cost ratio of exactly 1.0. Any likelihood greater than this would justify the project and anything less would condemn it. The decision-maker can judge whether the break-even likelihood is plausible or not. If the decision-maker believes the actual likelihood exceeds the break-even, the option has value and a "go" decision is taken for the option. If the decision-maker judges the actual likelihood is less than the break-even, the project would not be recommended.

[12] To design to a 500- or 1000-year flood would presumably increase the cost of the infrastructure to the point that the additional investment would not be justified by the reduced risk (a benefit/cost decision made by a standards development organization and the jurisdiction that adopted the codes, both balancing the interests of the owners with those of the community).

The following is a more detailed explanation and an example of how each of these methods is used.

Method 1 - Numerical Ratio Method. This method provides a direct calculation of the likelihood of attack using information that can be obtained from a variety of commonly available sources. The method can be quite simple or it can be embellished to include expert elicitation. In the simplest form, a baseline probability of an attack on a particular asset within a particular facility located anywhere in the United States is estimated. This is then adjusted by judgment to reflect accepted intelligence that certain metropolitan regions and certain types of facilities have higher priority for terrorists. The baseline likelihood could be estimated as follows:

a) Assume that N attacks are attempted in the U.S. in a calendar year.
b) Assume, for the baseline, that the likelihood of attack is equal for all of the 18 infrastructure sectors identified by the National Infrastructure Protection Plan. This results in a likelihood of N/18, or 0.0556 N, that a particular sector will experience an attack.
c) Assume, for the baseline, that all facilities in that infrastructure sector have an equal likelihood of being attacked. From available data sources it is determined that there are Y facilities. For example, assume there are 15,000 potential targets in the sector that meet the criteria for selection. Then the likelihood of attack on any particular target would be (N/18)/Y = 0.0556 N/15,000, or 0.0000037 N.
d) Assume the particular target being evaluated has 10 major assets (A = 10) in the facility complex. The likelihood of any particular asset being attacked is (N/18)/(Y × A) = 0.0000037 N/10 = 0.00000037 N, or N × 3.7 × 10^-7. If it is assumed that a maximum of 10 attacks (N = 10) could occur (a very generous assumption), the probability of an attack on a particular asset in a particular facility would be 3.7 × 10^-6 events/year. This likelihood can also be expressed as a chance of approximately four in a million per year.
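The baseline arithmetic in steps a) through d), the location adjustment that the next paragraphs call for, and the break-even test of Method 3 can all be written as short functions. The following Python script is an added example and is not part of the RAMCAP Plus text. The tier weights of 4:2:1 follow the relative likelihoods quoted for Figure 4, but the 0.5 weight for all other locations, the split of the 15,000 facilities across tiers, and the consequence, vulnerability and cost figures fed to the break-even function are constructed inputs for illustration. The one point the script is built to make is that a location adjustment should conserve the sector's share of the N attacks: if facilities in the top tiers are weighted up, the rest must be weighted down, otherwise the adjusted likelihoods add up to more attacks than were assumed in step a).

```python
"""Numerical ratio baseline, location-weighted adjustment and investment
break-even likelihood for the RAMCAP Plus threat step (added example)."""
from typing import Dict

SECTORS = 18  # NIPP infrastructure sectors used in the baseline


def baseline_likelihood(attacks_per_year: float, facilities_in_sector: int,
                        assets_at_facility: int, sectors: int = SECTORS) -> float:
    """Steps a) to d): N / (sectors * Y * A), equal likelihood everywhere."""
    return attacks_per_year / (sectors * facilities_in_sector * assets_at_facility)


def tier_adjusted_likelihood(attacks_per_year: float,
                             facilities_by_tier: Dict[str, int],
                             weight_by_tier: Dict[str, float],
                             assets_at_facility: int,
                             sectors: int = SECTORS) -> Dict[str, float]:
    """Per-asset likelihood by city tier. The sector's share of the attacks
    (N / sectors) is distributed in proportion to each facility's location
    weight, so raising one tier necessarily lowers the rest: the per-tier
    values multiplied by facilities * assets still add up to N / sectors."""
    sector_attacks = attacks_per_year / sectors
    total_weight = sum(facilities_by_tier[t] * weight_by_tier[t] for t in facilities_by_tier)
    return {t: sector_attacks * weight_by_tier[t] / total_weight / assets_at_facility
            for t in facilities_by_tier}


def break_even_likelihood(option_cost: float, c_base: float, v_base: float,
                          c_option: float, v_option: float) -> float:
    """Method 3: with risk = T * V * C, the option's annual benefit is
    T * (V0*C0 - V1*C1). Setting benefit equal to the (annualized) option
    cost gives the likelihood T* at which net benefit is zero and the
    benefit-cost ratio is exactly 1.0."""
    risk_reduction = c_base * v_base - c_option * v_option
    if risk_reduction <= 0:
        raise ValueError("option does not reduce conditional risk; no break-even exists")
    return option_cost / risk_reduction


if __name__ == "__main__":
    # Worked numbers from the text: N = 10, 18 sectors, Y = 15,000 facilities, A = 10 assets.
    print(f"baseline: {baseline_likelihood(10, 15_000, 10):.2e} attacks/asset/year")

    # Constructed split of the same 15,000 facilities across tiers (not from the text).
    facilities = {"tier1": 500, "tier2": 1_500, "tier3": 3_000, "other": 10_000}
    # 4:2:1 follows the relative likelihoods quoted for Figure 4; 0.5 for
    # "other" is an assumption of this script.
    weights = {"tier1": 4.0, "tier2": 2.0, "tier3": 1.0, "other": 0.5}
    for tier, t in tier_adjusted_likelihood(10, facilities, weights, 10).items():
        print(f"{tier:6s}: {t:.2e} attacks/asset/year")

    # Constructed option: $2M per year for a measure that cuts V from 0.69 to
    # 0.44 on an asset whose consequences are valued at $1B.
    print(f"break-even T*: {break_even_likelihood(2e6, 1e9, 0.69, 1e9, 0.44):.4f}/year")
```

With these inputs a tier 1 asset comes out at roughly 1.7 × 10^-5 attacks per year, about 4.6 times the uniform baseline, while an asset in an unranked city drops to about 2.1 × 10^-6; the constructed break-even likelihood of 0.008 per year is the figure a decision-maker would have to believe plausible before approving the option.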


The assumption that all potential targets have an equal chance of being attacked, however, is far too simplistic. Recent studies indicate that certain areas of the country are more likely to be attacked than others, so this baseline must be adjusted by judgment to reflect those findings.

Figure 4. Relative Likelihood of Terrorist Attack in Different City Tiers (RAND Corporation 2007, Reprinted with Permission)

RAND (2007) found that risk modeling combined with expert elicitation indicates terrorist attacks are more likely to occur in some cities than others. Figure 4, taken from this study, indicates that New York and Washington, DC have a much higher risk of being attacked than other cities: approximately double the likelihood of the second tier (Chicago, Los Angeles and San Francisco), approximately four times that of the third tier, and so forth. The RMS model[13] used in this study was developed to predict risk for the insurance industry. This model determined city groups and attack mode likelihoods for each tier. This information was developed using expert elicitation from an expert advisory network. The figure shows that the RMS model concentrates terrorist attack risks in a small number of cities in the United States. The 2005 threat assessment by this organization concluded that an attack is most likely to occur in the five highest-ranking cities. Based upon this work, it can be concluded that the likelihood of attack on a facility located in Austin, Texas, is much lower than for an identical facility located in Chicago, which in turn is less likely to be attacked than an identical one in Washington, DC. This type of information can and should be used to adjust the calculated likelihood that was based solely on the number of facilities without regard to location. In addition to location, other factors identified in the study affect likelihood. These include the attack mode and the target type, to name just two. Table 17 (also from the RAND report) indicates the target type groups. The likelihood of attack for each group is indicated by the numbers 1 through 8, with Target Type 1 being the most likely target of attack and number 8 being the least likely. The table provides a hierarchy of threat levels based upon the target type.

[13] The RMS model refers to the Probabilistic Terrorism Model developed by Risk Management Solutions, Inc. For more information, go to the RMS web site (www.rms.com). RMS provides the insurance and reinsurance industry with products and services for quantifying and managing catastrophic risk.

Table 17. RMS Target Type Groups (RAND Corporation 2007, Reprinted with Permission)

Numerous other factors can affect likelihood of attack, including the perceived difficulty of the attack, the resources available to the terrorist, the iconic value of the target, etc. As reasoned in the screening portion of this step, the conditional risk (or the conditional risk/resources required) conceptual ratio might be used as an indicator of attractiveness in comparing assets within the facility.

Defining the details of the numerical likelihood method is a work in progress. The simplified baseline approach can be used with caution and a generous helping of common-sense adjustments to obtain likelihood estimates. Note that the location of an asset (Figure 4) can greatly increase the threat frequency if the asset is located in one of the cities deemed more attractive to terrorists, or decrease it if the asset is located in a lower-risk city. Similarly, the type of asset listed in Table 17 will affect the likelihood of attack. Government buildings have an increased likelihood and power plants have a lower likelihood of being attacked, assuming the RAND data are correct. When more definitive studies are available, it will be possible to obtain better estimates for use in risk assessment and risk management applications.

In the opinion of the authors, the uncertainty in calculating the likelihood is larger than the numerical value obtained for the likelihood. The user should be wary of ascribing too much credence to the resulting values and should use judgment when applying them to decision-making. A range of likelihood values should, perhaps, be developed based upon various assumptions. If a more stochastic approach were being used in the RAMCAP Plus approach, a distribution of threat likelihood could be used.[14]

Method 2 - Comparison of Risk Tolerance with Natural Hazard Risk. Historical information has recorded the frequency of occurrence of natural hazards for many years. While predicting an event has proven to be difficult and may never be accomplished, the probability of an event can be derived based upon known data and predictions of patterns of change due to cyclic weather patterns, global warming and other variables. The codes and standards used to design critical infrastructure use this information to establish a design basis for construction. For example, the Uniform Building Code and the International Building Code both contain maps that provide design wind speeds for all geographical locations in the United States. These wind velocities are based upon the observed data available and judgment factors provided by experts. The design wind speed is not normally the highest speed expected to occur for a particular location. If all infrastructure were constructed to withstand the highest wind velocity possible for a particular location, the cost of construction would increase to intolerable levels.
More practically, a design value is adopted such that the structures are expected to withstand the loading for all but the most severe cases. The design value includes a residual risk that is assumed by the owner/operator or its insurance company. For example, when designing to a hundred-year earthquake, there is always the risk of an occurrence that exceeds the design value. In this case, there may be considerable damage or even total destruction of the asset, depending upon the extent to which the design bases are exceeded.

A strategy used by decision-makers attempting to prioritize investments involves comparing the risk for certain known events to the risk of a postulated event. For example, it can be instructive to compare the risk one incurs when driving to work with the risk of a terrorist attack. The reasoning is that if you can show the risk due to a terrorist attack is less than a known risk tolerated on a daily basis, then one can decide whether that level of risk is acceptable or should be reduced by investment. Of course, it is well known that some types of risk are more acceptable to the average person than others. Higher levels of risk that one considers to be under one's own control, such as driving or riding a bicycle, are known to be more acceptable than risks controlled by others, such as flying in a commercial aircraft. The level of acceptance for terrorism risk (called risk tolerance) is known to be a personal matter that differs greatly among individuals and organizations and perhaps by country and other demographics. However the results are interpreted, this approach can provide a comparison of terrorism risk to the risk posed by known events.

[14] The prospect of developing a stochastic version of the RAMCAP Plus analysis, which captures and uses the uncertainties in the estimates, is under discussion.

One such comparison that may be useful is to calculate the frequency of a terrorist event that would result in the same risk as a natural event, which presumably is tolerated and for which certain expenditures may or may not be made to buy down the level of risk. For example, if the seismic design criteria for an infrastructure component are based upon a hundred-year event, it is useful to compare the risk of a terrorist event with the same likelihood. Assuming the same time frame for both events, the risk of the seismic event, calculated from available data, can be equated to the risk of a terrorist attack (where only the consequence and vulnerability can be directly estimated) by solving for the frequency that causes the two to be equal. If the back-calculated frequency is equal to or less than what the analyst and decision-maker deem reasonable, the threat requires no risk reduction because it is no greater than the natural hazard risk, which is tolerated. The asset/threat pair need be analyzed no further. If, on the other hand, the back-calculated frequency is greater than deemed reasonable, the threat to the asset is higher than tolerated and additional analysis is justified. A useful step would be to apply the first method, recognizing that the threat likelihood test has placed a floor under the threat likelihood estimated by that method.

Example. Consider the basic risk equation:

R = C x V x T

If a level of risk, R, is assumed, and the consequences (C) of and vulnerability (V) to a particular attack are estimated, then the likelihood or frequency (T) can be determined as

T = R / (C x V)

This frequency or likelihood can then be compared with other ways of estimating the likelihood, or used as a context for making a decision regarding investment in increased security or mitigation measures. An example problem will serve to illustrate how a decision-maker can use this method.
Refinery
Replacement cost: $8.5B
Net cash flow after taxes: $1B per year
Hurricane risk: Design wind speed = 120 mph (located on the Gulf Coast)

Using the methods of analysis contained in Appendix D, the hurricane risk for this plant was calculated to be $34,202,700. The risk for each level of hurricane category exceeding the design basis wind loading is as follows:

1) Category 3 and lower: negligible losses.

2) Category 4: Estimated loss to owner: $1,335 million in lost cash flow and repair/replacement costs. Recurrence period = 69 years (from Weather Service data). Likelihood = 1/69 = 0.0145. Risk from a Category 4 hurricane = $19.3575 million.

3) Category 5: Estimated loss to owner: $2,670 million. Recurrence period = 180 years (from Weather Service data). Likelihood = 1/180 = 0.00556. Risk from a Category 5 hurricane = $14.8452 million.

4) Total hurricane risk = $34.2027 million, the sum of the risks of Categories 4 and 5.

Now, consider terrorist risk. Assume that four well-equipped terrorists attack the tank farm of the refinery. Using rocket-propelled grenades and other incendiary devices, the terrorists succeed in setting the tanks afire and the entire tank farm is destroyed. The replacement cost is estimated at $1.25B. The refinery is shut down for a year while the tanks are being replaced and collateral damage is repaired, losing $1B, for a total owner's loss of $2.25B. The vulnerability for this asset/threat pair is estimated at 0.95 because it is relatively easy for armed assailants to gain access to the premises and the conflagration will spread once several tanks are ignited.

Assume that the owner/operator determines the frequency of attack that would result in terrorist risk equal to the hurricane risk. The frequency of attack that would result in equal risk can be calculated as:

T(terrorist) = R(hurricane) / (C(terrorist) x V(terrorist))
T(terrorist) = $34.2027 million / ($2.25B x 0.95) = 0.016 events/year

The period of the attack frequency is 1/0.016 = 62.5 years. Thus, if a terrorist attack of this type occurred once in approximately 63 years, the risk would be the same as the tolerated hurricane risk. If the analyst and decision-maker believe the true likelihood of this attack on this asset is less than 0.016 (or a 63-year recurrence period), the risk of the asset/threat pair falls below the risk tolerance threshold and no further analysis is needed.
If, conversely, they think the likelihood is greater than 0.016, additional analysis is needed, perhaps refining the estimate using Method 1, with the constraint that the estimated likelihood must exceed 0.016.

Method 3 - Investment Break-Even. Like the second method, this approach back-calculates a threat likelihood, which, based on the judgment of the analyst and decision-maker, is judged as falling in a reasonable range or not, with direct decision consequences. As noted earlier, the method can only be applied as part of Step 7, Risk and Resilience Management, because it depends on the contrast of the baseline risk with the specification and costing of a risk-reduction option. In Step 6, risk is calculated for each asset/threat pair remaining in the analysis after all the respective screenings. Prior steps provided the needed terms: consequences, vulnerability and at least a provisional threat likelihood based on one of the first two methods. In Step 7, a risk- or resilience-improving option is specified well enough to analyze its effects and estimate the costs of implementing and operating the option. For the option to reduce risk, it must reduce the consequences, vulnerability and/or threat likelihood. Since threat likelihood is uncertain, this analysis focuses on reduced consequences and/or vulnerability, assuming that threat likelihood remains unchanged by the option. The benefit of the option is the difference in risk that the option produces by reducing consequences and vulnerability. If the option's benefit exceeds its cost, the option meets the minimum requirement for selection. Algebraically:

Basic risk equation: Risk = Consequences x Vulnerability x Threat Likelihood, i.e., R = C x V x T

Minimum benefit to justify the option's cost: (Baseline Risk - Option Risk) / Cost(Option) > 1.0

Substituting, at the break-even point: {[(C(Baseline) x V(Baseline)) - (C(Option) x V(Option))] x T} / Cost(Option) = 1.0

Re-arranging: T = Cost(Option) / [(C(Baseline) x V(Baseline)) - (C(Option) x V(Option))]

The calculated threat likelihood is the lowest that would justify the investment in the option. If the true likelihood is judged to be less than the calculated T, the option is not funded; if it is judged to be equal to or greater than the calculated T, the project is funded.

Continuing the refinery example from above, a series of countermeasures and mitigation steps were defined, priced at $43.9 million and assessed by repeating Steps 3 and 4, assuming the option's implementation. The option was estimated to reduce the vulnerability of the tank farm from 0.95 to 0.45 and reduce the consequences to the owner from $2.25 billion to $0.65 billion.
Substituting these into the last equation and solving for T:

T = $43.9 million / [($2.25 billion x 0.95) - ($0.65 billion x 0.45)]
T = $43.9 million / $1.845 billion = 0.0238, or a recurrence period of 1/0.0238 = 42 years

The analyst and decision-maker judge the calculated likelihood to be plausible because the refinery is in one of the high-risk metropolitan areas and is upwind from the major population center of that region and numerous world-class iconic structures. The option is accepted.

Estimating the Likelihood of Natural Hazards

Estimates of the probability of natural hazards draw on the historical record for the specific location of the asset. Federal agencies collect and publish records for hurricanes, earthquakes, tornadoes and floods, which can be used as frequencies for various levels of severity of natural hazards. The majority of risk analysts would use these frequencies directly. The advent of global climate change suggests to some analysts that they adjust the frequencies upward slightly for a more accurate view of the future. Either approach is acceptable, so long as the assumptions are documented. Appendix D contains a description of the method used to determine the likelihood of a natural hazard of a particular magnitude. The approach has been developed for hurricanes, earthquakes, tornadoes, and floods.

Estimating the Likelihood of Dependency and Proximity Hazards

Estimates of the likelihood of dependency hazards start with the local historical record for the frequency, severity and duration of service denials. This may serve as a baseline estimate of business as usual, and can then be incrementally increased if the analyst believes the values may be higher due to terrorist activity or natural events affecting required supply chain elements. The likelihood of incurring collateral damage from an attack on a nearby asset is estimated based on the local situation, but using the same logic as in estimating terrorist risks, above, applied to the proximate asset.
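The three threat-likelihood methods above reduce to a handful of arithmetic steps that are easy to get wrong by hand (mixing millions and billions, or dropping the subtraction in the break-even denominator). The Python script below is an added illustration and is not code from the RAMCAP Plus handbook. The function names are my own; the location and target-type multipliers are assumptions standing in for the judgmental adjustments the text describes, not values from the RAND study; the input figures are the handbook's refinery example (Methods 1 to 3) and, for the Method 1 baseline, the dam example continued below (5 attacks, 7,000 dams, 5 assets).

```python
"""Threat-likelihood helpers for the three RAMCAP Plus methods (added example)."""

NIPP_SECTORS = 18  # infrastructure sectors in the NIPP, as used in the text


def baseline_attack_likelihood(attacks_per_year, facilities_in_sector,
                               assets_at_facility, sectors=NIPP_SECTORS):
    """Method 1 (numerical ratio): spread N attacks/year evenly over sectors,
    facilities and assets.  Returns events/year for one asset."""
    return attacks_per_year / sectors / facilities_in_sector / assets_at_facility


def adjusted_attack_likelihood(baseline, location_factor=1.0, target_type_factor=1.0):
    """Judgmental adjustment of the Method 1 baseline.  A factor of 1.0 leaves it
    unchanged; >1 for a high-tier city or attractive target type, <1 for a remote
    location or low-ranked target type.  The factors are assumptions supplied by
    the analyst, not values taken from the RAND study."""
    return baseline * location_factor * target_type_factor


def natural_hazard_risk(severity_table):
    """Annual expected loss from the severity levels that exceed the design
    basis: sum of loss x annual likelihood.  Rows are (label, loss, likelihood)."""
    return sum(loss * likelihood for _label, loss, likelihood in severity_table)


def equal_risk_threat_frequency(tolerated_risk, consequence, vulnerability):
    """Method 2: T = R / (C x V), the attack frequency at which terrorism risk
    equals a natural-hazard risk that is already tolerated."""
    return tolerated_risk / (consequence * vulnerability)


def break_even_threat_frequency(option_cost, c_base, v_base, c_opt, v_opt):
    """Method 3: T = Cost / [(C_base x V_base) - (C_opt x V_opt)], the lowest
    likelihood at which the option's risk reduction pays for its cost.
    Returns None when the option does not reduce C x V at all."""
    risk_reduction_per_event = c_base * v_base - c_opt * v_opt
    if risk_reduction_per_event <= 0:
        return None
    return option_cost / risk_reduction_per_event


def recurrence_period_years(frequency):
    """Convert events/year into a 'once in N years' recurrence period."""
    return 1.0 / frequency


def option_justified(judged_likelihood, break_even_likelihood):
    """Go/no-go rule from the text: fund the option only if the judged
    likelihood is at least the break-even likelihood."""
    return break_even_likelihood is not None and judged_likelihood >= break_even_likelihood


# --- Handbook refinery example (all dollar figures in plain dollars) ----------
# Hurricane categories exceeding the 120 mph design basis; the likelihoods are
# the rounded 1/69 and 1/180 values the text uses.
REFINERY_HURRICANE = [
    ("Category 4", 1_335e6, 0.0145),
    ("Category 5", 2_670e6, 0.00556),
]
TANK_FARM_CONSEQUENCE = 2.25e9   # $1.25B replacement + $1B lost cash flow
TANK_FARM_VULNERABILITY = 0.95
OPTION_COST = 43.9e6
OPTION_CONSEQUENCE = 0.65e9
OPTION_VULNERABILITY = 0.45

if __name__ == "__main__":
    t1 = baseline_attack_likelihood(10, 15_000, 10)
    print(f"Method 1 baseline (refinery): {t1:.2e} events/year")
    print(f"  adjusted x2 for a top-tier city (assumed factor): "
          f"{adjusted_attack_likelihood(t1, location_factor=2.0):.2e}")

    r_h = natural_hazard_risk(REFINERY_HURRICANE)
    t2 = equal_risk_threat_frequency(r_h, TANK_FARM_CONSEQUENCE, TANK_FARM_VULNERABILITY)
    print(f"Method 2: hurricane risk ${r_h:,.0f}/yr -> equal-risk T = {t2:.3f} "
          f"(once in {recurrence_period_years(t2):.1f} years)")

    t3 = break_even_threat_frequency(OPTION_COST, TANK_FARM_CONSEQUENCE,
                                     TANK_FARM_VULNERABILITY, OPTION_CONSEQUENCE,
                                     OPTION_VULNERABILITY)
    print(f"Method 3: break-even T = {t3:.4f} "
          f"(once in {recurrence_period_years(t3):.0f} years)")
    print("  fund if judged T (0.03, assumed) >= break-even:", option_justified(0.03, t3))
```

Keeping every dollar figure in plain dollars inside the functions avoids the unit slip the handbook's own arithmetic invites; `break_even_threat_frequency` also guards the case where an option reduces neither consequences nor vulnerability, for which no finite break-even likelihood exists.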

****

Example Problem (Continued)


The example of a dam, developed earlier, is continued here. Threat assessment (Step 5 of the RAMCAP Plus process) is added to further illustrate how the overall assessment is performed. The threat assessment for this facility requires a numerical value for the likelihood of attack. The example will utilize the Numerical Ratio Method to determine threat likelihood:

- Assume that 5 attacks are anticipated to be attempted in the United States in the calendar year.

- Assume that, of the 18 infrastructure sectors identified by the NIPP, the likelihood of attack is equal for all sectors. This results in a likelihood of (5/18) or 0.278 that a particular sector will experience an attack.

- Assume that all similar facilities in that infrastructure sector have an equal likelihood of being attacked. From available data sources, it is determined there are 7,000 dams approximately equivalent to this dam. Then the likelihood of attack on any particular target would be 0.278/7,000 or 0.0000397 or 3.97 x 10^-5.

- Assume the particular target being evaluated has 5 major assets that could cause major consequences if destroyed. The likelihood of any particular asset being attacked is 3.97 x 10^-5 / 5 = 7.9 x 10^-6.

If the dam is located in an area of high risk, as indicated by the RAND study, the threat frequency should increase accordingly. If the dam is located in a remote area with a low downstream population and minimal value as a navigational facility, the threat frequency may be reduced. The owner/operator and security and law enforcement personnel knowledgeable about the facility should make these decisions.


The RAND data indicate that dams have a low target type rating. This information may be used to further adjust the threat frequency used in the assessment. For purposes of this example, the threat value, T, will be taken as the raw baseline numeric value calculated above, i.e., T = 7.9 x 10^-6 events/year.

Looking at the same dam using the break-even method, however, adds insight to the above. The baseline consequences were the loss of 665 lives, 75 acute injuries and $45 billion in regional product. To keep the assessment simple, the analyst decides to value the fatalities using a value of a statistical life of $3.5 million and acute injuries at $1.5 million, adding $2.49 billion to the economic loss, for a total of $47.49 billion. The vulnerability analysis led to about 0.7 using all three methods. A package of countermeasures and mitigation steps was designed, priced at $215 million, and, repeating Steps 3 and 4 for the option, was found to reduce the consequences to $18.55 billion and the vulnerability to 0.33. The calculation of the threat likelihood would be:

T = Cost(Option) / [(C(Baseline) x V(Baseline)) - (C(Option) x V(Option))]
T = $215 million / [($47.49 billion x 0.7) - ($18.55 billion x 0.33)] = 0.0104, or a recurrence period of 96 years

The analyst and decision-maker judged the calculated likelihood to be a reasonable approximation of the true likelihood, based in part on the fact that the dam lies in a high-probability area according to the RAND results, so the option would be funded.

References and Further Reading


Hall, Randolph W. June 2005. Assessment Guidelines for Counter-Terrorism: CREATE Terrorism Modeling System (CTMS), a CREATE Report. http://create.usc.edu/

Pate-Cornell, M. Elisabeth and Guikema, Seth D. December 2002. Probabilistic Modeling of Terrorist Threats: A Systems Analysis Approach to Setting Priorities Among Countermeasures. Military Operations Research, Vol. 7, No. 4.

Willis, Henry H., LaTourrette, Tom, Kelly, Terrance K., Hickey, Scot and Neill, Samuel. 2007. Terrorism Risk Modeling for Intelligence Analysis and Infrastructure Protection. RAND Center for Terrorism Risk Policy.


Step 6. Risk Assessment

Risk Assessment is the step of the RAMCAP Plus process that integrates the results of the five previous steps (Asset Characterization, Threat Characterization, Consequence Analysis, Vulnerability Analysis, and Threat Assessment). The RAMCAP Framework, in accord with the National Infrastructure Protection Plan, adopted straightforward multiplication of the estimates of consequences, vulnerability and threat likelihood as the definition of risk:

Risk = Consequence x Vulnerability x Threat

Where:

- Risk (R): The potential for loss or harm due to the likelihood of an unwanted event and its adverse consequences. It is measured as the combination of the probability and consequences of an adverse event. When the probability and consequences are expressed as numerical point estimates, the expected risk is computed as the product of those values. In the case of RAMCAP and many other risk and resilience processes, risk is the product of threat, vulnerability and consequence.

- Threat (T): Any indication, circumstance or event with the potential to cause the loss of, or damage to, an asset or population. For risk analysis, threat is the likelihood the event will occur.

- Vulnerability (V): Any weakness in an asset's or infrastructure's design, implementation or operation that can be exploited by an adversary or that can contribute to functional failure in a natural disaster. In risk analysis, vulnerabilities are estimated using a variety of methods, but are usually summarized as the probability that, given an attack or natural event, the estimated consequences will ensue, i.e., the attack will succeed or the natural event will cause the estimated damage.

- Consequence (C): The outcome of an event occurrence, including immediate, short- and long-term, direct and indirect losses and effects. Loss may include human fatalities and injuries, monetary and economic damages, and environmental impact, which can generally be estimated in quantitative terms. In addition, consequences may include less tangible and, therefore, less quantifiable effects, including political ramifications, decreased morale, reductions in operational effectiveness or military readiness, or other impacts.

Another key concept, resilience, is not an element in the risk equation, but is central to the purposes of the RAMCAP Plus approach. Resilience is the ability to withstand a hazardous event without loss of function, or the speed with which an asset can return to virtually full function (or a substitute function or asset provided) after the event. The concept of resilience is still being formalized, but candidate metrics include reductions in the duration and severity of service denial (both estimated as elements of lost revenue among the economic consequences to the owner) and/or economic losses to the community due to service denial (estimated directly from the severity and duration, or from lost revenue). For the purposes of the RAMCAP Plus approach, resilience is defined in different ways for the asset owner and the community, respectively.

For the asset owner, the level of resilience for a particular asset/threat pair is expressed as:

Resilience(Owner) = Lost Revenue x Vulnerability x Threat

For the community, the level of resilience for a particular asset/threat pair is expressed as:

Resilience(Community) = Lost Economic Activity in the Community x Vulnerability x Threat

Where:

- Lost Revenue: the product of the duration of service denial and the extent of service denial. Both are essential parts of estimating the owner's financial loss.

- Lost Economic Activity in the Community: the amount by which the denial of service decreases both the output to direct customers and the indirect (multiplier effect) losses throughout the economy of a given region. It is estimated as a function of the asset's lost revenue and the duration of the service denial using a static application of basic regional economic data and an input-output table, modified to reflect the resilience of the respective business sectors (Rose citations).

These are the simplest definitions of risk and resilience. The multiplication of single-point estimates implies a precision that is not possible. There is a high degree of uncertainty in all the terms in these equations. Alternative definitions that explicitly incorporate uncertainty into the estimates are possible. These definitions estimate the key terms not as single point estimates but as distributions that capture the uncertainties. Such distributions can be combined (multiplied) by Monte Carlo simulation (a well-established method for combining distributions to capture their aggregate uncertainties). This method could readily be incorporated into the RAMCAP Plus approach by using distributions in lieu of point estimates and combining them by simulation rather than simple multiplication. The resulting estimates of risk and resilience would be in the form of distributions of risk and resilience. Unless all the input distributions were symmetrical, the expected value would be different from the value calculated as the product. Assessing risk expressed as distributions can provide substantial additional insights, but the whole process is substantially more difficult to disseminate and requires skills in estimation and interpretation unlikely to be present in many of the facilities for which the RAMCAP Plus approach is designed. For especially risky targets, a Monte Carlo RAMCAP Plus method could be developed very quickly; however, to meet the current design criteria (on-site personnel being able to complete the assessment in a week or less without assistance of specialized consultants), the multiplication of single point estimates is preferred.


There are ways to consider uncertainties without resorting to Monte Carlo analysis, the most direct of which is sensitivity analysis. In assessing any asset/threat pair, a number of uncertainties are unavoidable. Assumptions must be made because of missing information; the probability estimates of vulnerability and, especially, threat likelihood are inherently uncertain; and, in some cases, there can be a wide range of possible consequences. To understand the influence of these uncertainties on the estimates of risk and resilience, the analysis team can, while estimating the point values requested in the respective steps, also estimate the reasonable high case and the reasonable low case. These are not the absolute outside extremes, but reasonable in the sense that they enclose the most likely values of the uncertain quantity. Many analysts find it useful to estimate the 80-percent range by estimating the values that have a 10 percent chance of being too low or too high, i.e., the 10th and 90th percentiles. For the 90-percent interval, the judgment is of the 5th and 95th percentile values. These are also estimates, but they allow the analysts and the decision-maker to understand and communicate the level of comfort and perceived accuracy in the data. These values can be substituted into the calculation of risk and resilience to see the impact on the final values. If one component is seen to have inordinate uncertainty, additional data, analysis or consideration may be warranted. A sensitivity analysis varies one element of the risk or resilience equation at a time to gauge the effect on the result. It does not vary multiple terms at the same time: to do so is to examine the most extreme points of uncertainty, well beyond relevant consideration. For example, multiplying the three five-percent estimates together yields the 0.0125 percent case (0.05 x 0.05 x 0.05 = 0.000125), which is not interesting.
Risk and resilience are estimated for each relevant asset/threat pair and passed forward to Step 7 for further analysis. Figure 6 summarizes the high points of the application of the RAMCAP Plus process to three very diverse petroleum refineries.


[Figure 5, bar chart: Risk Comparison, All Refineries. Vertical axis: Risk (Expected Value in Millions), $0.0 to $9.0. Horizontal axes: Hazard (Armed Attack 1 person, Armed Attack 4 people, 400lb Vehicle Bomb, 1000lb Vehicle Bomb, Earthquake, Hurricane, Flood) and Refinery and Asset (Refineries A, B and C; Hydrocracker, Cat Cracker and Tank Farm at each).]

Figure 5. RAMCAP Plus Risk Analysis of Three Petroleum Refineries

This analysis demonstrates a number of the valuable features of the RAMCAP Plus process:

- It is clear that the consistent terms and methods, combined with the quantitative orientation, yield directly comparable results across these three sites. These results could also be validly and directly compared with assets in other, very different sectors.

- The analysis reveals that the largest risk, by far, is a terrorist attack on the tank farm, much larger than any of the natural hazards assessed, contrary to the casual impressions of those in the industry. The consistency of this finding suggests that it affects many or most refineries and would also apply to hydrocarbon storage and fuel terminal sites. Such a finding could well mobilize an industry-wide program to find ways to reduce this risk.

The next chapter addresses risk reduction and resilience enhancement.


*****

Example Problem (Continued)


The example begun earlier is continued here. Risk assessment (Step 6 of the RAMCAP Plus process) is added to further illustrate how the overall assessment is performed. The risk equation, Risk = Consequence x Vulnerability x Threat, can now be evaluated since all of the variables have been calculated.

Consequences: From Step 3, the consequences of an armed attack on the dam have been estimated and are summarized as follows:

- Fatalities: 665
- Acute injuries: 75
- Financial impacts on the owner of the dam: $780 million
- Losses to the regional economy: $45 billion
- Consequences of damage to the fishery: environmental, ecological and psychological. These are addressed in the final report but are not quantified.

Vulnerability: From Step 4, the vulnerability of the dam, assuming an armed attack by two well-equipped and trained assailants, was determined by several methods to be approximately 0.7.

Threat: From Step 5, the probability of an attack at this particular dam was estimated to be approximately 7.9 x 10^-6. The uncertainty in this number is very large since it is based primarily on numerical averaging with little or no actionable intelligence provided to the asset owner. Thus, risk values should be carefully evaluated and a range of threat frequencies should be used in making the final decision concerning investment in changes to the security posture of the site.

Risk: Risk = Consequence x Vulnerability x Threat

1) Fatalities: Rf = 665 x 0.7 x (7.9 x 10^-6) = 0.004 lives/year
2) Acute injuries: Ri = 75 x 0.7 x (7.9 x 10^-6) = 0.0004 acute injuries/year
3) Financial impact to owner: R_Owner($) = $780 million x 0.7 x (7.9 x 10^-6) = $4,313
4) Losses to regional economy: R_Region($) = $45 billion x 0.7 x (7.9 x 10^-6) = $249,000

The results of the risk analysis of this infrastructure component indicate that the resulting risks are relatively small. Even though the sudden release of water resulting in inundation of the downstream area could result in very significant loss of life and numerous acute injuries, the threat frequency is so low that the risk is quite small. Even if the threat frequency is increased by three orders of magnitude (T = 7.9 x 10^-3, i.e., 7.9 times in 1,000 years), the risk is still low compared to other risks, such as automobile accidents, drowning, and other types of accidental death and injury. It is difficult to justify large expenditures to reduce this level of risk.

The financial impact to the owner is also small. The break-even expenditure is only $4,300 per year. There are few changes that can be made for such a low payback. Even if the threat frequency is increased by one or two orders of magnitude, the case for increased spending based upon one year of operation is difficult to justify. Investment strategies are discussed in more detail in the next chapter.

The regional economy will suffer a reasonably large impact. However, since this consequence would be spread over a large number of individuals, there could be a case for investment at the regional level. This option is addressed in the next chapter on Risk and Resilience Management.
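The sensitivity treatment described in Step 6 (vary one term of R = C x V x T at a time between its reasonable low and high cases, never all three at once) is straightforward to automate, and the dam example gives a concrete base case to run it on. The Python below is an added example, not handbook code: the point estimates are the dam example's own figures, while the low and high cases (10th and 90th percentile values) are constructed for the illustration, since the handbook gives none for the dam.

```python
"""Risk = C x V x T for the dam example, with one-at-a-time sensitivity (added example)."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """A point estimate bracketed by a reasonable low and high case
    (e.g. the 10th and 90th percentiles), as Step 6 suggests."""
    low: float
    point: float
    high: float


def risk(consequence, vulnerability, threat):
    """Basic RAMCAP risk equation for point estimates."""
    return consequence * vulnerability * threat


def dam_risk_table(vulnerability=0.7, threat=7.9e-6):
    """Annualized risk for each consequence category of the dam example."""
    consequences = {
        "fatalities": 665,          # lives
        "acute_injuries": 75,       # injuries
        "owner_dollars": 780e6,     # $780 million
        "regional_dollars": 45e9,   # $45 billion
    }
    return {name: risk(c, vulnerability, threat) for name, c in consequences.items()}


def one_at_a_time_sensitivity(c, v, t):
    """Vary one term between its low and high case while the other two stay at
    their point values.  Returns {term: (risk_low, risk_point, risk_high)}."""
    base = risk(c.point, v.point, t.point)
    return {
        "consequence": (risk(c.low, v.point, t.point), base, risk(c.high, v.point, t.point)),
        "vulnerability": (risk(c.point, v.low, t.point), base, risk(c.point, v.high, t.point)),
        "threat": (risk(c.point, v.point, t.low), base, risk(c.point, v.point, t.high)),
    }


def most_uncertain_term(sensitivity):
    """The term whose low-to-high swing moves the result the most; this is the
    component that warrants additional data, analysis or consideration."""
    return max(sensitivity, key=lambda k: sensitivity[k][2] / sensitivity[k][0])


def joint_tail_probability(tail=0.05, terms=3):
    """Probability of every term sitting at the same tail at once, e.g.
    0.05 x 0.05 x 0.05 = 0.000125: the extreme case the text says is not
    interesting, which is why terms are varied one at a time."""
    return tail ** terms


# Constructed low/high bounds for the dam's fatality risk (not from the handbook).
FATALITIES = Estimate(low=400, point=665, high=900)
VULNERABILITY = Estimate(low=0.5, point=0.7, high=0.85)
THREAT = Estimate(low=7.9e-7, point=7.9e-6, high=7.9e-5)  # one order of magnitude each way

if __name__ == "__main__":
    for name, value in dam_risk_table().items():
        print(f"{name:>17}: {value:,.4f} per year")
    sens = one_at_a_time_sensitivity(FATALITIES, VULNERABILITY, THREAT)
    for term, (lo, base, hi) in sens.items():
        print(f"{term:>14}: low {lo:.5f}  point {base:.5f}  high {hi:.5f} lives/year")
    print("most uncertain term:", most_uncertain_term(sens))
    print("joint 5% tail for three terms:", joint_tail_probability())
```

With the constructed bounds the threat term dominates the spread by a wide margin, which matches the text's own caution that the dam's threat frequency, derived by numerical averaging with no actionable intelligence, is the number most deserving of a range rather than a point value.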

90

References and Further Reading


American Petroleum Institute. October 2004. Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical Industries, Second Edition.

Apostolakis, George (ed.). 1991. Probabilistic Safety Assessment and Management (Volumes 1 and 2). Elsevier.

Baker, Arnold, et al. 2002. A Scalable Systems Approach for Critical Infrastructure Security. Sandia National Laboratories, SAND 2002-0877. www.sandia.gov/scada/documents/020877.pdf

Kaplan, S. and Garrick, B. J. 1981. On the Quantitative Definition of Risk. Risk Analysis, Volume I, pp. 11-28.

Morgan, M. Granger and Henrion, Max. 1995. Uncertainty: A Guide to Dealing with Uncertainty in Quantitative Risk and Policy Analysis. Cambridge University Press.

Rose, A. 2004. "Economic Principles, Issues, and Research Priorities in Natural Hazard Loss Estimation," in Okuyama Y. and Chang S. (eds.), Modeling the Spatial Economic Impacts of Natural Hazards. Heidelberg: Springer, pp. 13-36.

Rose, A. 2006. "Economic Resilience to Disasters: Toward a Consistent and Comprehensive Formulation," in Paton D. and Johnston D. (eds.), Disaster Resilience: An Integrated Approach. Springfield, IL: Charles C. Thomas, pp. 226-48.

Rose, A. 2007. "Macroeconomic Modeling of Catastrophic Events," in Quigley J. and Rosenthal L. (eds.), Real Estate, Catastrophic Risk, and Public Policy. Berkeley, CA: Berkeley Public Policy Press, forthcoming.

Rose, A. and Liao, S. 2005. "Modeling Regional Economic Resilience to Disasters: A Computable General Equilibrium Analysis of Water Service Disruptions." Journal of Regional Science, Vol. 45, No. 1, pp. 75-112.

Rose, A., Oladosu, G., and Liao, S. 2007. "Business Interruption Impacts of a Terrorist Attack on the Water System of Los Angeles: Customer Resilience to a Total Blackout," in Richardson, H., Gordon, P. and Moore, J. (eds.), Economic Costs and Consequences of Terrorist Attacks. Cheltenham, UK, pp. 291-316.


Step 7. Risk and Resilience Management

Risk and Resilience Management (Risk Management for brevity) is the culminating activity of the RAMCAP Plus approach: the step that actually reduces risk and enhances resilience. Risk and resilience management is the deliberate course of deciding upon and implementing options (e.g., establishing or improving security countermeasures, improving consequence-mitigation tactics, building in redundancy, entering into mutual aid pacts, creating emergency response plans, training and exercises in business continuity, etc.) to achieve an acceptable level of risk and resilience at an acceptable cost to the organization and the community. The initial risk and resilience analysis is based on the existing conditions at the asset. The reduction in risk and the increase in resilience, both weighted by their probabilities, are the benefit or value of the option, which can be compared to the cost of implementing it and to the benefits of other options.

The first five steps of the RAMCAP Plus process developed information that is combined in the sixth step to estimate the level of risk and resilience that the facility exhibits with its current level of security and resilience measures, a baseline for comparison of options to improve. This last step of the process is fundamentally concerned with optimizing resource allocation decisions, that is, selecting investment options in support of increasing security and resilience to terrorist threats, natural hazards and dependency/proximity hazards, and implementing those decisions in the most effective way.

Once the existing baseline risk assessment is established, a key executive decision must be made for each threat/asset pair: Is the estimated risk and resilience acceptable to the organization? For those pairs deemed acceptable, no additional work is required. For those deemed unacceptable, it is necessary to consider ways to reduce the risk and/or enhance resilience.
To accomplish this, define and evaluate possible options to change the facility, system, processes or staff to reduce the risk or increase resilience. The reduction of risk is the result of reducing any of its three components, i.e., consequences, vulnerability or the likelihood of an attack or hazard. Reducing any of these will also enhance resilience, as will accelerating the return to baseline levels of service delivery. Unless there are mandated legal or regulatory actions to consider, the option of taking no action, the baseline option, should always be included. Improvements over the baseline define the benefits of the options.

Alternatives to doing nothing are broadly classified as either countermeasures or consequence-mitigation options. Countermeasures, also called protective measures, can be viewed as reducing threat likelihood and vulnerability, while consequence-mitigation actions are intended to reduce economic losses, fatalities and serious injuries should an attack or event take place. A special, but extremely important, case of consequence mitigation is resilience enhancement: the reduction of service downtime between an incident and full restoration of service to the previous level. Especially in the lifeline infrastructures upon which the very viability of a community depends, resilience enhancements can minimize the loss of region-wide economic activity and major public health consequences. Consequence-mitigation can also have an effect on threat likelihood by reducing the attractiveness of the asset as a target. Eight discrete tasks, listed in Table 18, are necessary for risk management. Each task is discussed below.

Table 18. Tasks of Step 7, Risk and Resilience Management

Task | Issue | Activity
7.0 | Risk and Resilience Management |
7.1 | Decide acceptance criteria | Decide what risk and resilience levels are acceptable and which must be dealt with further.
7.2 | Define options | Prepare conceptual designs for countermeasures and mitigation/resilience options and estimate their investment and operating costs.
7.3 | Evaluate each option | Evaluate the options by analyzing the facility or asset under the assumption that the option has been implemented, revisiting RAMCAP Plus process Steps 2 through 6 to re-estimate the risk and resilience levels, and determine the estimated benefits of the option.
7.4 | Accumulate the benefits of each option | Add the benefits from each asset/threat pair for which the option reduces risk or enhances resilience.
7.5 | Estimate net benefits and marginal value of each option | Estimate the net benefit and benefit-cost ratio (and/or other criteria relevant in the organization's resource decision-making) to estimate the marginal value of each option.
7.6 | Choose and allocate resources to options | Select among the options considering all the dimensions (fatalities, serious injuries, financial losses to the owner, economic losses to the community, and qualitative factors) and allocate resources to them.
7.7 | Manage the options | Implement, monitor and evaluate the performance of the selected options.
7.8 | Recycle the process | Conduct additional risk assessments to monitor progress, adapt to changing conditions and to support continuous improvement.


Task 7.1 Decide What Risk and Resilience Levels Are Acceptable

Step 6 of the RAMCAP Plus process, Risk Assessment, estimates the magnitude of the probability-weighted consequences of a number of threats and hazards in terms of the following: loss of life, serious injuries, financial losses to asset owners, and loss of economic activity in the community. Also included are losses that cannot easily be quantified, such as damage to national icons, loss of public confidence and impairment of the ability to govern or defend the Nation. This first task of Risk and Resilience Management poses a difficult but necessary managerial decision: What level of risk and resilience is acceptable to the organization? Answering this question can be difficult for owners and top executives. Making these decisions explicit will direct much of the rest of this step. Threat/asset pairs can usefully be divided into four groups:

1. Acceptable business risks. Some specific risks and resilience levels are obviously acceptable to the organization; in a sense, it is self-insuring, judging that it can bear the consequences of the event without breaching trust with the public or the stakeholders of the organization.
2. Unacceptable, but insurable risks. Some risks are sufficiently predictable to allow insurance companies to write policies that make the owner of the asset partially or fully whole if the incident occurs. Storm and flood insurance are of this sort. Note that this insurance protects owners from economic losses, but does not protect the community that depends on the asset.
3. Survival and mission-critical risks. Other risks have consequences that are so horrendous or so threatening to the organization's survival and most critical mission(s) that management is simply compelled to examine them further for means of enhancing security and resilience.
4. Potentially manageable risks. In between these last two groups are those for which senior decision-makers would like to examine the benefits and costs, with an eye to selecting security or resilience options if they are not too costly.

Once the initial sorting into these categories is made, it behooves management to review the implicit criteria used to make these distinctions and the boundaries of the resulting three groups of asset/threat combinations. The criteria for each of the quantitative estimates can be interpreted as implicitly weighting the non-monetary losses relative to the monetary one, i.e., implicitly setting dollar values on fatalities and/or serious injuries. Explicit examination of the implicit criteria allows management to challenge, discuss, refine and communicate them, at least internally. This task can identify inconsistencies and clarify the priorities of the organization regarding risk and resilience. It is also an opportune time to address methods by which the analyst can present the results to aid in management decision-making.

The implicit criteria in this initial sorting strongly suggest the underlying weighting or monetization among financial losses and human losses (fatalities and serious injuries). Some managers and risk analysts find it useful to combine the respective quantitative criteria by weighting them, assigning economic value (monetizing) to them or by converting them to utilities and employing utility theory. In practice, many management teams prefer to see the respective criteria displayed explicitly, so they can make the trade-offs relative to the concrete choices before them. Combining them for initial sorting can save time when a large number of threat/asset pairs are placed in the last three categories above, with consideration of all the respective criteria in the final trade-offs. The difficulty often arises because quantifying the value of a human life or serious injury is abhorrent to some in management, while others may see such monetization as essential for comprehensive benefit-cost analysis. For example, if human lives and dollars are involved in the trade-offs, many decision-makers prefer to see the raw estimates of each instead of a rolled-up weighted ranking that includes both. The prudent analyst will present the information in both weighted and unweighted formats, with explicit estimates of fatalities and injuries.

Task 7.2 Define Countermeasures and Mitigation/Resilience Options

Countermeasures and consequence-mitigation actions are developed for each attack- or hazard-asset pair (later, options addressing multiple threat-asset pairs are considered). For efficiency, it is preferable to address the highest-risk pairs first. Not infrequently, options designed for these high-risk pairs will also reduce risks for lower-risk pairs. Alternative actions or strategies should be developed in a way that directly compares their projected effectiveness at reducing risks and enhancing resilience. During the foregoing risk analysis for a particular threat or hazard to a specific asset, facility or site, estimates of current vulnerabilities were made, given the effectiveness and reliability of the existing countermeasures and mitigation plans against each threat or hazard. For the third and fourth categories of threat-asset pairs, enhanced countermeasures should be considered to improve the existing security systems.

Countermeasures.
Examples of protective measures or countermeasures include the following:
• Physical security, including extension of the security perimeter beyond the limits of the facility to create a buffer zone.
• Roving security inspections.
• Sensors or closed circuit television at key points.
• Access control.
• Background checks for employees, temporary workers, contractors, subcontractors, security force and potential first responders.
• Loss prevention, material control and inventory management.
• Delivery service verification, e.g., requesting the delivery worker's identity card.
• Control-room security.
• Policies and procedures.
• Cyber security.
• Training on security plans.
• Drills involving employees, contractors, public and media.
• Crisis management and emergency response, including an incident command system.
• Communication of hazards by asset owners to public sector protection forces.


Security enhancements at a facility can include one or more of the following strategies:
• Devalue, deter, detect and delay principles.
• Physical or cyber layers of protection and rings of protection.
• Procedures and administrative controls.
• Inherently safer systems.

One of the classic approaches for countermeasures is to devalue, deter, detect and delay the adversary. This approach is often used in the protection of a fixed facility and involves well-accepted methodologies of conventional security in the form of physical restraints, uniformed guards, warning systems, detection and identification systems and delaying tactics. More specifically, they are defined as follows:
• Devalue is a countermeasure intended to make the asset less attractive to the adversary as a target for attack. Many devaluation countermeasures are designed to increase the terrorists' estimation of the costs of attacking, or to reduce their estimates of the chances of success or of achieving the public relations value of the attack. Examples would be the more conspicuous forms of hardening, demonstration of determination to resume functioning (as did the London mass transit system after being attacked by al Qaeda), and forms of deterrence.
• Deterrence is a countermeasure strategy intended to prevent or discourage the occurrence of a breach of security by means of fear or doubt. Examples of deterrence countermeasures include physical security systems, such as warning signs, lights, uniformed/armed guards, dogs, cameras and bars across windows or other access points.
• Detection is a countermeasure strategy intended to identify an adversary attempting to commit a security breach or other criminal activity. Detection may involve real-time observation, e.g., using video-surveillance equipment, motion detectors, or security personnel, as well as post-incident analysis of the activities to determine the identity of the adversary.
• Delay is a countermeasure strategy intended to provide various barriers to slow the progress of an adversary in penetrating a site, preventing an attack, leaving a restricted area, or assisting in apprehension. An example is the positioning of jersey barriers to preclude direct line-of-sight vehicle access to an asset.

Consequence-mitigation and resilience enhancement. Selection of consequence-mitigation strategies, like countermeasures, is highly dependent upon the asset or target and the threats to which they are exposed. Countermeasures can be seen as one form of mitigation measure: if the threat is thwarted, there are few or no consequences. In general, the term mitigation refers to reducing the consequences of an event, given that it occurs. A special form of consequence-mitigation is resilience enhancement. While consequence-mitigation refers to reducing any or all negative consequences, resilience options are specifically designed to reduce the duration or severity of denial of service to the community served by the infrastructure. For example, a mutual aid plan between neighboring water utilities would provide for one utility to share its peak capacity to assist another whose base load capacity is damaged. This would result in consequence-mitigation or resilience to the community. In practice, the distinction between consequence-mitigation and resilience enhancement options is merely semantic; the RAMCAP Plus approach considers them together. Elements of a consequence-mitigation strategy may include the following:
• Well-developed and well-exercised continuity of operations and continuity of government plans.
• Remote back-up of vital data.
• Automatic equipment responses, such as actuation of fire-suppression equipment or actuation of an emergency source of electrical power.
• Physical mitigation systems, which limit the effects of an attack (e.g., structural elements designed to withstand temperature and pressure effects of specified blasts).
• State and federal resources for evacuation management or cleanup of toxic material.
• Early detection so that first responders can be mobilized and mitigation programs activated.
• On-site first responders taking immediate action to minimize the consequences. These first responders would include employees who can shut down situations that are out of control, provide immediate first aid to casualties and activate continuity of operations or continuity of government plans.
• Emergency responders (local police, fire and emergency medical) trained in the appropriate initial steps to control or shut down out-of-control situations (when possible) and in the treatment of casualties for injuries that might occur at the facility, especially if they involve unusual materials, e.g., heavier-than-air toxic gases or burning chemicals.
• Pre-positioning spare parts, tools and transportation for rapid dispatch to damaged areas of the distributed facilities or network.
• Preparation of the public to respond appropriately in the aftermath of an attack by developing and exercising evacuation plans for neighboring residences and businesses, and encouraging private stockpiling of water, food, medical supplies, etc., for at least 72 hours (e.g., www.ready.gov).
• Developing and exercising mutual aid agreements among neighboring utilities and competitors to restore service as rapidly as possible.
• Investing in back-up capabilities to meet service denial during crises, such as emergency generators (with ample fuel supplies), water storage towers, and enlarged inventories of critical raw and semi-finished materials to continue operations.
• Developing significant levels of flexibility in networked systems, so damaged areas can be quickly isolated and bypassed to maintain service in as much of the system as possible while the damaged portion is being repaired.

For each countermeasure and mitigation/resilience option, the effect on each element of risk and resilience is defined carefully. To reduce risk or enhance resilience, it is necessary to improve one or more of threat likelihood, vulnerability, consequences, or time to resume functioning. These are the key variables for the next step.


In addition, for each option it is necessary to estimate the investment and operating costs. These estimates are made considering only present and future cash outlays (prior costs are ignored even if they contribute to the option's effectiveness). For-profit organizations need to adjust their costs for tax effects. Consequence-mitigation and resilience enhancement options can often be more robust than countermeasures because many countermeasures address only one of a small number of threats, whereas mitigation and resilience options address numerous and highly diverse threats. This difference in robustness frequently translates into greater cost-effectiveness. This is a major motivation for the continuity and resilience movements that have become more and more prominent in many industries and communities.

Task 7.3 Evaluate Each Countermeasure and Mitigation/Resilience Option

Evaluating the options for reducing risk and enhancing resilience requires metrics generally accepted as indicating value and costs. Net benefits (benefits minus costs) and benefit/cost ratio are widely used in public and non-profit organizations to evaluate options promising positive results for the organization and/or its stakeholders. Public executives are advised to invest in options with the greatest net benefits (benefits minus costs) and/or the highest benefit/cost ratios (a measure of efficiency, the marginal gain per unit cost). The benefits are those received by the public served and, in theory, are estimated on the basis of their willingness to pay for these outcomes. In principle, fatalities and injuries are monetized by setting dollar values on each and including them with the economic benefits. (Whether to combine casualties and economic losses is discussed elsewhere in this publication.) At higher levels of government, costs are estimated as opportunity costs, or the value of other benefits, public and private, forgone by using resources for the present option.
Willingness to pay and opportunity costs are very difficult to estimate, so this section evaluates public benefits as avoided fatalities, serious injuries and community economic losses, and costs as the budgetary cash outlays to implement the option. This definition of costs is used almost universally by private businesses, non-profit utilities, and local and state governments. For-profit businesses and many non-profit utilities use seemingly different metrics to evaluate the merits of investment and expenditure options. They use the same estimates of fatalities and injuries as the public sector analysis, but use the financial losses to the owner as the economic metric. These include such metrics as maximizing net earnings (akin to net benefits) and/or return on investment or internal rate of return (both akin to benefit/cost ratios). The private benefits are revenues and avoided losses, and the private costs are the cash outlays of the organization to acquire those benefits, which the public sector also uses by default. While the respective conventions use different definitions of who pays and who benefits, and the metrics seem to be very different, they share fundamental principles (e.g., net present expected value of both benefits and costs, after taxes and side-payments, if any). Except for the who-benefits/who-pays issue, it is little more than a straightforward algebra exercise to convert one to the other. This section uses the language and methods of benefit-cost analysis, since it is a bit more intuitive than business accounting terms.


Evaluating countermeasure and mitigation/resilience options requires re-estimating the terms in the risk and resilience equations changed by the option and re-calculating the level of risk and resilience.
• Risk-reduction benefits of the option are the amount that risk (= C * V * T) is reduced by reducing any or all of the likelihood of the hazard's occurrence, the asset's vulnerability or the consequences of the hazard, and are measured by the difference in the risk with and without the option.
• Resilience benefits are the amount that the duration or severity of service denial is reduced and can be valued by the economic losses to the community, weighted by the possibly revised likelihood of the hazard and vulnerability. They are measured by the difference in weighted community losses with and without the option.[15]

Making these estimates entails serious consideration of which of the elements of risk and resilience is changed by the option and returning to one or more of Steps 1 through 5 to estimate consequences, vulnerability and/or likelihood of the hazard given the option, then recalculating risk and resilience in Step 6 of the RAMCAP Plus process. Task 7.4 Accumulate the Benefits of Each Option Once the benefits of each option of the individual asset/threat pairs are determined, the options are examined for instances in which one option (or a design variation) reduces the risks or enhances the resilience of other asset/threat pairs. A matrix, such as in Figure 6, will help identify these robust options. The matrix is constructed by listing all threat/asset pairs deemed unacceptable risks as row labels, generally in the order of highest risk first. The procedure to this point will have identified and evaluated at least one option with apparently positive net benefits. This creates the shaded diagonal in the figure. Then, each option is reviewed to determine whether it would also reduce risk or increase resilience for other asset/threat pairs, wholly or in part. In some cases, it may be necessary to revise the estimates of risk and resilience for the asset/threat pair with both the original option and the newly identified ones. The combination with the greatest net-benefit improvement in security or resilience is entered in the column for that option. This may require a limited tradeoff comparison of the options. Where there are synergies among the options (i.e., the total of the combined options is greater than the sum of their individual benefits), special note should be taken and the synergistic options considered as a combined option, as well as individually, as exemplified in the Table entry Option B & D. Such synergistic options are treated as separate, new options with their unique benefits. 
For these robust options, the benefits are added together, but generally, the costs remain the same. As noted earlier, many of these robust options are designed to mitigate consequences and/or enhance resilience

[15] Algebraically, risk-reduction benefits of an option = (C*V*T)no option - (C*V*T)with option; and resilience-enhancement benefits of an option = (Community economic loss*V*T)no option - (Community economic loss*V*T)with option.


Figure 6. Identification of Robust and Synergistic Options (Entries are Net Benefits)
[Matrix: rows are the asset/threat pairs deemed unacceptable (Asset/threat 1.1, 1.2, 1.3, 2.1, ...) plus a final row "Total benefits, each option"; columns are the options (Option A, Option B, Option C, Option D, the combined Option B&D, ...). Each cell holds the net benefit of that option for that pair; the shaded diagonal holds the option originally evaluated for each pair, and off-diagonal entries show where an option also reduces risk or enhances resilience for other pairs.]

Task 7.5 Estimate Net Benefits and Benefit-Cost Ratios for Each Option

For a government or a private asset owner, resources are always finite, requiring rational, carefully crafted ways to allocate the resources for maximum expected gain within the constraint. This is true when allocating scarce resources among competing uses in general, and especially between alternative countermeasure and mitigation options for dealing with terrorist threats, natural hazards, etc. Benefit-cost analysis is an established means for arraying options considering both benefits and costs. For each option, the benefits are the sum of benefits calculated, as in Figure 6, and the costs are those estimated when the option was defined and designed. Two key indicators are used:
• Net benefits: the gross benefits minus the costs of the option, an indicator of the value added to the organization by choosing the option.
• Benefit/cost ratio: the gross benefits divided by the costs, an indicator of the efficiency of the option in generating benefits.

No option having negative net benefits or a benefit/cost ratio less than 1.0 need be considered. The options can be ranked by net benefits to maximize value or by benefit/cost ratio to maximize efficiency. At this point, a sensitivity analysis of the leading candidate options for selection should be considered. By systematically examining the uncertainties in the benefit and cost estimates, the analyst can help the decision-maker understand the true range of values the selected options might bring. Some options that appear to yield high benefits may also have very high uncertainty. In this case, the benefits can be factored down to reflect the uncertain outcomes of the option.

Task 7.6 Select Among the Options and Allocate Resources to Them

As discussed earlier, at least two highly relevant perspectives of the decision-makers are that of the owner of the asset and that of the community it serves. To the owner, risk is the consequence (threat- and vulnerability-weighted) incurred by the owner. Resilience for the owner is a rapid return to full function to minimize lost revenue, reputation for reliability, etc. From the community's perspective, the risk and resilience are the same metric: the lost economic activity (threat- and vulnerability-weighted) due to service denial. The public policy literature has long used the consequences to the public (or society or the economy), while the business literature has stressed the consequences to the owner/operator. Because the RAMCAP Plus process is designed to support decision-makers in both public and private sectors, both perspectives are included as separate metrics. Insights can be gained by decision-makers in both sectors by examining both metrics. The owner makes decisions to maximize the value for the stockholders, while recognizing a civic duty; a public official or members of a public-private partnership are more interested in maximizing the value to the community, but need to know whether a case can be made for private investment in options that also benefit the public. Either party may or may not consider fatalities and injuries separately from the economic losses and benefits. Regardless of the perspective of the decision-maker, the method for selecting options to be included in the budget is the same. It relies on ranking, with adjustments at the margin among the last-chosen options. The net-benefit rankings from the previous task are explained to the decision-makers, so they fully understand the estimates before them.
The most effective way to develop a final ranking of options that falls within the budgetary constraints is to tentatively accept all options as they are ranked by net benefits until their cumulative cost reaches the available budget. This list includes a number of the options that ranked high on the benefit/cost ratio ranking. Those are clearly accepted. The remaining unselected options with the greatest benefit/cost ratio are compared with the option(s) that are lowest-ranked by net benefit but still included within the budget constraint. Judgment is required to make the trade-offs among large-benefit options and high-efficiency options, but this need only be done near the cut-off point, i.e., at the margin. The approach is repeated until all the highest benefit/cost options have been considered against all the lowest net-benefit options still within the budget. Use of this method confines the trade-offs to the margin, the last few options selected. Judgment is also required to weigh the respective consequence metrics (fatalities, serious injuries, financial losses to the asset's owner, lost economic activity to the community and the qualitative consequences, such as public confidence, military readiness, etc.). Many decision-makers prefer to see all the consequence metrics so they can make additional marginal trade-offs. These choices are perfectly reasonable, especially when made at this point, when the actual trade-offs are determined as adjustments to enhance a numerically near-optimal selection.
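As an added worked example (not from the RAMCAP Plus text), the following Python carries Tasks 7.3 through 7.6 over constructed asset/threat pairs and options: each option's benefit per pair is risk without minus risk with the option (footnote 15), summed across pairs as in the total row of Figure 6, turned into net benefit and benefit/cost ratio, and then ranked within a budget with the marginal trade-off surfaced rather than decided. All pair values, option effects, costs and the budget are constructed, and encoding an option's effect as a per-pair multiplier on V, T or C is an assumption of this example.

```python
"""Tasks 7.3 to 7.6 of RAMCAP Plus, worked on constructed data (added example)."""
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Pair:
    """One asset/threat pair with its Step 3 to 5 estimates (constructed values)."""
    name: str
    fatalities: float       # worst reasonable case fatalities (human consequence)
    owner_loss: float       # financial loss to the owner, $
    community_loss: float   # lost regional economic activity, $
    vulnerability: float    # V: probability the event succeeds, given the attempt
    threat: float           # T: events per year

    def economic_risk(self):
        """Step 6: owner plus community losses, weighted by V and T ($/year)."""
        return (self.owner_loss + self.community_loss) * self.vulnerability * self.threat

    def fatality_risk(self):
        """Step 6: expected fatalities per year, kept separate from dollars."""
        return self.fatalities * self.vulnerability * self.threat

@dataclass(frozen=True)
class Option:
    """A countermeasure or mitigation/resilience option (Task 7.2).
    effects maps pair name -> Pair field -> multiplier in force once the option is
    implemented (assumed encoding; e.g. {"vulnerability": 0.3} cuts V by 70%)."""
    name: str
    cost: float             # annualised cash outlay, $ (present and future only)
    effects: dict

def apply_option(pair, option):
    """Task 7.3: re-estimate the pair's terms as if the option were implemented."""
    changes = option.effects.get(pair.name, {})
    return replace(pair, **{f: getattr(pair, f) * m for f, m in changes.items()})

def option_benefits(pairs, option):
    """Tasks 7.3/7.4: per pair, benefit = risk without minus risk with the option
    (footnote 15); summing over pairs gives the 'Total benefits' row of Figure 6."""
    econ = fat = 0.0
    for p in pairs:
        q = apply_option(p, option)
        econ += p.economic_risk() - q.economic_risk()
        fat += p.fatality_risk() - q.fatality_risk()
    return econ, fat

def evaluate(pairs, options):
    """Task 7.5: net benefit and benefit/cost ratio; options with B/C < 1 are dropped."""
    rows = []
    for o in options:
        econ, fat = option_benefits(pairs, o)
        rows.append({"option": o.name, "cost": o.cost, "benefit": econ,
                     "net": econ - o.cost, "bcr": econ / o.cost,
                     "fatality_risk_avoided": fat})
    return [r for r in rows if r["bcr"] >= 1.0]

def select_portfolio(rows, budget):
    """Task 7.6: accept options in net-benefit order until the cumulative cost
    reaches the budget, then surface the marginal trade-off: the lowest-net-benefit
    option inside the budget versus the highest-B/C options left outside it.
    The text leaves that trade-off to judgment, so it is returned, not decided."""
    selected, spent = [], 0.0
    for r in sorted(rows, key=lambda r: r["net"], reverse=True):
        if spent + r["cost"] > budget:
            break
        selected.append(r)
        spent += r["cost"]
    left_out = sorted((r for r in rows if r not in selected),
                      key=lambda r: r["bcr"], reverse=True)
    lowest = min(selected, key=lambda r: r["net"]) if selected else None
    return selected, lowest, left_out

# Constructed inputs: three unacceptable pairs, five candidate options, one budget.
PAIRS = [
    Pair("1.1", fatalities=20, owner_loss=50e6, community_loss=400e6, vulnerability=0.7, threat=1e-3),
    Pair("1.2", fatalities=2, owner_loss=20e6, community_loss=100e6, vulnerability=0.5, threat=5e-3),
    Pair("2.1", fatalities=0, owner_loss=5e6, community_loss=800e6, vulnerability=0.9, threat=2e-2),
]
OPTIONS = [
    Option("A", 100_000, {"1.1": {"vulnerability": 0.3}}),                 # countermeasure
    Option("B", 50_000, {"1.2": {"vulnerability": 0.4}, "1.1": {"vulnerability": 0.8}}),  # robust
    Option("C", 2_000_000, {"2.1": {"community_loss": 0.5}}),              # resilience: halves denial loss
    Option("D", 400_000, {"2.1": {"community_loss": 0.9, "vulnerability": 0.8}}),
    Option("E", 300_000, {"1.2": {"threat": 0.9}}),                        # devaluation, small effect
]
BUDGET = 2_500_000

def run(pairs=PAIRS, options=OPTIONS, budget=BUDGET):
    rows = evaluate(pairs, options)
    return (rows,) + select_portfolio(rows, budget)

if __name__ == "__main__":
    rows, selected, lowest, left_out = run()
    for r in sorted(rows, key=lambda r: r["net"], reverse=True):
        print(f"Option {r['option']}: benefit ${r['benefit']:,.0f}, cost ${r['cost']:,.0f}, "
              f"net ${r['net']:,.0f}, B/C {r['bcr']:.2f}, "
              f"fatality risk avoided {r['fatality_risk_avoided']:.4f}/yr")
    print("within budget:", [r["option"] for r in selected])
    if lowest and left_out:
        print(f"marginal trade-off for judgment: {lowest['option']} (lowest net benefit kept) "
              f"vs {left_out[0]['option']} (highest B/C left out)")
```

With these inputs option E fails the B/C >= 1 screen, C, D and B fill the budget in net-benefit order, and the decision-maker is shown A (B/C about 2.2) against B (the lowest-net-benefit option kept) as the marginal trade-off.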


Finally, as the selection process approaches its conclusion, certain practical considerations also play a role, including:
• Are there risks the option might not work as planned? What is the track record with this option?
• Are there any non-financial constraints the option violates? Will the option accord with the organization's core technology, values, culture and public image?
• Will any of the organization's stakeholders be offended by the option?

At this point, the collection of options selected constitutes a tentative security and resilience portfolio. A review of the selected options as a portfolio will further improve the selection of options. In reviewing the selection of options, it is important to consider whether some options may interact with others in ways not identified in the robustness test. For example, if the owner installs a double security fence with dogs or patrols between, hardening a door inside the second fence may have significantly less benefit than without the fences. Similarly, there may be trade-offs between risk-reduction and resilience-enhancement options. Increasing the security of a facility alone may improve resilience by reducing the likelihood of an unwanted event or the vulnerability to the event. In such cases, the benefit estimates should be corrected for the context of the portfolio in which they appear. In this sense, an option can have different benefits depending on what other options are in its portfolio. Failure to look for these adjustments may lead to missed opportunities or over-valued options. The final choice of options should, for this reason, be as a portfolio of options, not simply a list. The final decision step, in enterprise asset management, is to consider security and resilience options as elements in the organization's overall portfolio of investments and operations. Few organizations have the capacity to undertake this review, but added benefits and efficiencies await those who do.

Task 7.7 Implement, Monitor and Evaluate Performance of the Selected Options

Once the portfolio for enhancing security and resilience has been selected, it must be implemented with the same management direction and oversight as other important activities, since these elements were selected expressly because they address important aspects of the vitality of the organization and the community.
They must be planned in detail and implemented in an orderly manner, with the effectiveness of their implementation assured at the beginning and the effectiveness of their operation periodically evaluated. Mid-course corrections may be required, especially if the options contain novel elements.

Task 7.8 Conduct Additional Risk Assessments

Risk and resilience management is a continuous process. New risk and resilience assessments should be undertaken periodically for a variety of reasons, including:

- As a way to measure progress and accountability in reducing risk and enhancing resilience, based on previously implemented programs;
- As part of the organization's commitment to continuous improvement; and
- To update the security and resilience posture to address new or emerging conditions, e.g., climate change, new intelligence on terrorists' plans, and new threats, such as pandemics.

Generally, organizations find it useful to revise and update their risk and resilience assessments on a periodic basis, coordinated with their internal budgeting. The RAMCAP Plus approach is objective and quantitative enough to measure progress and accountability of implemented options. Because it is relatively inexpensive and non-disruptive to apply, annual updates are feasible, but most organizations schedule them for every second or third year, with interim updates if conditions warrant.

*****

Example Problem (Continued)


The example carried through the previous steps is continued here, demonstrating calculation of risk assessment values and risk management procedures (Steps 6 and 7 of the RAMCAP Plus process) to further illustrate how the overall assessment is performed.

Conditional risk can be determined from the results of Steps 3 and 4, Consequence and Vulnerability Assessments, respectively. Conditional risk is the product of the consequences and the vulnerability of a given attack scenario on a particular asset at a particular facility. Conditional risks can be very informative, as the strategy for risk reduction is to migrate (shift) the risk from high to low consequence levels and from high vulnerability to a lower vulnerability. A graphical representation of conditional risk can be useful for presenting the results of the analysis to stakeholders and for demonstrating the effects of mitigation strategies and security upgrades in reducing the overall conditional risk.

Conditional risk is tantamount to assuming that the likelihood of an attack is 100% and that the goal of the owner/operator is to reduce the risk as low as possible. This strategy is sometimes employed at assets of extremely high value, such as nuclear weapons storage facilities, critical military installations, and the protection of government officials, such as the President of the United States. In these cases, it is deemed that the asset must be protected at all costs.

The commercial sector rarely contains such targets, and to evaluate and determine the best strategy it is necessary to use a quantifiable risk management strategy. In the commercial sector it is often concluded that the calculated risks are acceptable and nothing is done to further reduce the existing risk level. Quantifiable risk management cannot be performed using only conditional risk assessment results: it is not possible to calculate a return on investment or a benefit-cost ratio without knowing the actual likelihood of an attack.
This technique is illustrated below. The risks calculated for the various consequences were determined in Chapter 6 and are summarized as follows:

5) Fatalities
R_f = 665 x 0.7 x (7.9 x 10^-6) = 0.004 lives/year

6) Acute Injuries
R_i = 75 x 0.7 x (7.9 x 10^-6) = 0.0004 acute injuries/year

7) Financial impact to owner
R_O$ = $780MM x 0.7 x (7.9 x 10^-6) = $4,313

8) Losses to regional economy
R_Region = $45B x 0.7 x (7.9 x 10^-6) = $248,000

As discussed previously, the results of the risk analysis of this infrastructure component indicate that the consequences are relatively small. Even if the threat frequency is increased by three orders of magnitude (T = 7.9 x 10^-3, which is 7.9 in 1000 years), the likelihood is still low compared to other risks, such as automobile accidents, drowning, and other types of accidental death and injury. It is difficult to justify large expenditures to reduce this level of risk.

Impact to Owner. The financial impact to the owner is very large, $780 million, but the low likelihood of occurrence makes the risk relatively small, at $4,310. This allows consideration of only relatively low-cost options. Because of the large potential loss of life and financial losses to the owner, some improvements might be justified. CCTV cameras focused on the parking lot and the point of access to the dam would cost about $1,700 installed and could be monitored by the existing staff. It would cost nothing to close public access well before dusk, the period of poor visibility. The combined effect of these two simple steps would be to reduce vulnerability from 0.7 to 0.4. This would decrease the risk from $4,310 to $3,120, a reduction of $1,190, not enough to justify even this simple risk-reduction program from the owner's perspective. If the threat frequency were increased by one or two orders of magnitude, the case for increased spending based upon one year of operation would still be difficult to justify. For example, assuming the threat frequency was T = 1.0 x 10^-3 to 1 x 10^-2, as hypothesized in the break-even analysis in Step 5, the annualized risk for the financial impact to the owner would be $431,000 to $4,310,000.
These risk levels would begin to support additional security guards capable of protecting the facility against well-trained and well-armed assailants on a 24/7 basis. However, at that level of risk, a case could be made for adding significant security improvements, such as better fences or additional electronic detection devices. The aforementioned changes are normally referred to as countermeasures. Countermeasures reduce the vulnerability of an asset. In this example problem, the vulnerability of the asset was determined to be 0.7; in other words, the assailants have a 70% chance of being successful in an attempt on this asset. Additional security could reduce the vulnerability significantly, making this a worthwhile investment. However, a change to security may not reduce all types of attack equally, and another attack mode, for example a barge or boatload of explosives, could then supplant the armed attack scenario as the highest-risk event. Effective risk management must consider all modes of attack when performing benefit-cost studies. It is also important to realize that the likelihood of an attack can be affected when security measures are implemented: if it appears to the terrorist that the facility is more difficult to attack, the likelihood that an attack will be mounted will be lower.

Another option for reducing risk is to implement mitigation measures that reduce the consequences of the attack. In this example, a significant number of lives are lost due to downstream flooding. Presumably, the terrorist will attack when the potential for loss is greatest. Thus, on a Fourth of July holiday weekend, it is expected there will be more pleasure craft on the river, and more picnickers and campers in areas subject to inundation. Local law enforcement agencies could devise warning systems and evacuation plans to mitigate the effects of the attack. Since this is a highly time-dependent and relatively rare circumstance, the cost could be quite low compared to full-time measures. In this case, mitigation could have a higher benefit/cost ratio than countermeasures. The decision-making would include estimating the reductions in consequences and vulnerability and the estimated cost of the options that achieve these reductions, as illustrated at the regional level below. Risk management is a complex exercise with many possible options to consider. The value of the RAMCAP process is that these options can be compared rationally using quantifiable rules.

Impact to Region. The risk calculations in Steps 5 and 6 indicate that, for the threat frequency estimated using the break-even method of about 0.01, the regional economy could suffer a reasonably large impact of more than $47 billion, with an estimated risk of approximately $3 million to $330 million, based on the range of likelihoods being considered. Since the risk to the region could be high enough (especially at the high end of the threat frequency range) to justify expending resources to buy down the risk, regional planners should consider ways to prevent or mitigate the consequences of such an attack. Countermeasures could include adding law enforcement officers, such as sheriff's officers and city police officers, upgrading the SWAT team, etc. This could have a dual purpose, reducing normal crime and preparing for a terrorist event. Regional resilience studies could identify ways to mitigate the effects of an attack on the dam and greatly reduce the consequences of the event. A package of countermeasures and mitigation steps was designed, priced at $215 million, and, repeating Steps 3 and 4 for the option, was found to reduce the consequences to $18.55 billion and the vulnerability to 0.33. This would result in a net benefit of:

Net benefit = (Risk_baseline - Risk_option) - Cost_option
= [(C_baseline x V_baseline x T_baseline) - (C_option x V_option x T_option)] - Cost_option
= [($47.49 billion x 0.7 x 0.01) - ($18.55 billion x 0.33 x 0.01)] - $215 million
= $56 million


Benefit/cost ratio = (Risk_baseline - Risk_option) / Cost_option
= [(C_baseline x V_baseline x T_baseline) - (C_option x V_option x T_option)] / Cost_option
= [($47.49 billion x 0.7 x 0.01) - ($18.55 billion x 0.33 x 0.01)] / $215 million
= 1.27

Based on this analysis, the option is justified and would be funded if resources were available.

At the regional level, the dam scenario is just one of many infrastructure attack scenarios at many possible locations. Regional risk management must include the effect of infrastructure interdependencies, cooperation of numerous communities, political and jurisdictional agencies, commercial businesses, law enforcement, and other first responders. The additional complexity in modeling and understanding the interaction of these diverse components necessitates a quantitative risk calculation approach and regional models of the infrastructure networks and their interdependencies, an area of future development for the RAMCAP process.
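The risk arithmetic the example walks through (R = C x V x T, net benefit and benefit/cost ratio) as an added worked example; this is not code from the RAMCAP Plus text. The constants are the example problem's stated values; the break-even and threat-sweep functions extend the example across the whole range of T that the break-even analysis considers.

```python
"""RAMCAP Plus risk arithmetic, R = C x V x T, applied to the example problem.

Added example (not from the RAMCAP Plus text): recomputes the per-category
risks and the regional package's net benefit and benefit/cost ratio, then
finds the threat frequency at which that package breaks even and sweeps the
range of T the text considers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One attack scenario on one asset, for one consequence category."""
    consequence: float    # C: lives, injuries or dollars lost if the attack succeeds
    vulnerability: float  # V: P(attack succeeds | attack occurs), 0..1
    threat: float         # T: expected attacks per year

    def __post_init__(self) -> None:
        if not 0.0 <= self.vulnerability <= 1.0:
            raise ValueError("vulnerability is a probability in [0, 1]")
        if self.threat < 0 or self.consequence < 0:
            raise ValueError("threat and consequence cannot be negative")

    def conditional_risk(self) -> float:
        """C x V: risk if the attack is taken as certain (T = 1)."""
        return self.consequence * self.vulnerability

    def risk(self) -> float:
        """R = C x V x T: annualized expected loss."""
        return self.conditional_risk() * self.threat


def risk_reduction(baseline: Scenario, option: Scenario) -> float:
    """Annual benefit of an option: the risk it removes."""
    return baseline.risk() - option.risk()


def net_benefit(baseline: Scenario, option: Scenario, cost: float) -> float:
    return risk_reduction(baseline, option) - cost


def benefit_cost_ratio(baseline: Scenario, option: Scenario, cost: float) -> float:
    return risk_reduction(baseline, option) / cost


def break_even_threat(baseline: Scenario, option: Scenario, cost: float) -> float:
    """T at which the option's B/C ratio equals 1 (both scenarios share the same T)."""
    reduction_per_attack = baseline.conditional_risk() - option.conditional_risk()
    if reduction_per_attack <= 0:
        return float("inf")  # the option never pays for itself
    return cost / reduction_per_attack


# Values stated in the example problem: V = 0.7, T = 7.9e-6 attacks/year.
EXAMPLE_V, EXAMPLE_T = 0.7, 7.9e-6
EXAMPLE_CONSEQUENCES = {
    "fatalities (lives)": 665.0,
    "acute injuries": 75.0,
    "owner financial impact ($)": 780e6,
    "regional economic loss ($)": 45e9,
}
REGIONAL_COST = 215e6  # price of the regional countermeasure/mitigation package


def example_risks(threat: float = EXAMPLE_T) -> dict:
    """Per-category annual risk for the example dam scenario."""
    return {name: Scenario(c, EXAMPLE_V, threat).risk()
            for name, c in EXAMPLE_CONSEQUENCES.items()}


def regional_scenarios(threat: float) -> tuple:
    """Regional baseline vs. option: C $47.49B -> $18.55B, V 0.7 -> 0.33."""
    return Scenario(47.49e9, 0.7, threat), Scenario(18.55e9, 0.33, threat)


def regional_package(threat: float = 0.01) -> tuple:
    """(net benefit, B/C ratio) of the regional package at a given T."""
    baseline, option = regional_scenarios(threat)
    return (net_benefit(baseline, option, REGIONAL_COST),
            benefit_cost_ratio(baseline, option, REGIONAL_COST))


def regional_break_even() -> float:
    baseline, option = regional_scenarios(0.01)
    return break_even_threat(baseline, option, REGIONAL_COST)


def threat_sweep(exponents=(-4, -3, -2)) -> dict:
    """Regional package B/C across the range of T the break-even analysis considered."""
    return {10.0 ** e: regional_package(10.0 ** e)[1] for e in exponents}


if __name__ == "__main__":
    for name, r in example_risks().items():
        print(f"{name:28s} R = {r:,.4f} per year")
    nb, bc = regional_package()
    print(f"regional package at T=0.01: net benefit ${nb / 1e6:,.1f}M, B/C = {bc:.2f}")
    print(f"regional package breaks even at T = {regional_break_even():.4f} per year")
    for t, ratio in threat_sweep().items():
        verdict = "justified" if ratio >= 1 else "not justified"
        print(f"  T = {t:.0e}/yr -> B/C = {ratio:.3f} ({verdict})")
```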


Appendix A: Terminology
The sets of terms and definitions provided in this Appendix should be viewed as working definitions, subject to modification as additional input is obtained from various sector-based methods and experts. Additional terms may be added as the RAMCAP Plus approach evolves.

Adversary
Any individual, group, organization, or government that conducts activities, or has the intention and capability to conduct activities, detrimental to critical infrastructure or key assets. Adversaries may include intelligence services of host nations or third-party nations, political and terrorist groups, criminals, rogue employees and private interests. Adversaries can include site insiders, site outsiders, or the two acting in collusion.

Analysis
The separation of an intellectual or material whole into its constituent parts for individual study. In the context of risk management, a broad, unconstrained consideration of risk and its component factors aimed at improving one's ability to make better decisions.

Assessment
The application of a method or procedure to measure or produce a decision-support product, with specific constraints in scope.

Asset
An item of value or importance. Assets may include physical elements (tangible property), cyber elements (information and communication systems), and human or living elements (critical knowledge and functions of people).

Critical asset
An asset whose absence or unavailability would significantly degrade the ability of an organization to carry out its mission. The criticality of an asset can vary depending on the decisions to be made and the perspective of the analyst.

Functional context for asset owner
An asset whose absence or unavailability would represent an unacceptable business consequence, i.e., for which the sum of the consequences of its loss represents an unacceptable financial or political impact on the owner.

Attractive asset
An asset that, in the perspective of the adversary, appears to be a desirable target. The nature and magnitude of the value of an asset, i.e., what makes it attractive to an adversary, may differ from the value perceived by the owner.

Buffer Zone
The outside area around an asset created by the combination of physical distance, barriers, security measures and other protective features that contributes to its protection from physical attack.

Capability
The ability to cause an unwanted event or undertake an attack. In security analysis, capability is one factor of a threatening adversary.

Conditional Probability
Probability of an event based on the assumption/condition that a previous event has occurred. For example, in an event tree, at any node the sum of the conditional probabilities associated with each of the events/branches immediately following that node should equal 1.

Conditional Risk
A measure of risk that focuses on consequences, vulnerability and adversary capabilities but excludes threat frequency. It is used as a basis for making long-term risk management decisions. The adversary capabilities, countermeasures and residual vulnerability are often combined into a measure of likelihood of adversary success.

Consequence
The outcome of an event occurrence, including immediate, short- and long-term, direct and indirect losses and effects. Loss may include human fatalities and injuries, monetary and economic damages and environmental impact, which can generally be estimated in quantitative terms. In addition, consequences may also include less tangible and therefore less quantifiable effects, including governance impacts, political ramifications, morale and psychological effects, reductions in operational effectiveness or military readiness, or other impacts.

Consequence-mitigation
The planned and coordinated actions or system features designed to: reduce or minimize the damage caused by attacks or natural hazard events (consequences of an attack or event); support and complement emergency forces (first responders); facilitate field investigation and crisis management response; and facilitate rapid recovery, reconstitution and resumption of function (resilience). Consequence-mitigation may also include steps taken to enhance resilience by reducing short- and long-term impacts, such as providing alternative sources of supply for critical goods and services. Consequence-mitigation actions and strategies are intended to reduce the consequences/impacts of an event, whereas countermeasures are intended to reduce the probability of the event occurring and/or the probability that an attack will succeed in causing a failure or significant damage.
Consequence-mitigation Features
Those attributes of the asset or system, e.g., planned responses of system operators or automatic responses of engineered safety systems, that limit the impacts of a threat that has occurred.

Consequence-mitigation Strategies
The set of both internal consequence-mitigation features and other responses, e.g., by agencies outside the boundaries of the asset, such as emergency response or first responders, that limit the impacts of a threat that has occurred.

Countermeasure
An action taken or a physical capability provided for the principal purpose of reducing or eliminating vulnerabilities or reducing the likelihood of occurrence of attacks. Countermeasures are often elements in a comprehensive and holistic security system designed to defend, detect, delay, deter or devalue an attack, i.e.:

- Defend against attack by delaying or preventing an aggressor's movement toward the asset or use of weapons and explosives;
- Detect an aggressor who is planning or committing an attack, or the presence of a hazardous device or weapon;
- Delay or slow the actions of an adversary to the point that a successful attack takes longer than expected or desired, during which time defenses may intervene;
- Deter an event from happening (i.e., through warning signs, physical barriers, cameras, and security guards); and/or
- Devalue a target by making it less attractive or more costly for an aggressor to attack.

Crisis Management
For the private sector, crisis management is the transition from normal business decision-making to a highly streamlined activity aimed at containing the initiating event, maintaining essential operations and recovering normal business conditions as quickly as possible.

Critical Asset
An asset considered to be essential to the function of a facility or infrastructure component. In the context of national critical infrastructure and key resource (CI/KR) protection, a CI/KR asset is something of importance or value which, if targeted, exploited, destroyed, or incapacitated, could result in large-scale injury, death, economic damage, destruction of property, or could profoundly damage a nation's prestige and confidence.

Decision Criteria
The set of information and assumptions on which a decision is based. These generally include both technical and political factors, and typically involve significant uncertainty.

Domestic Incident Management
For the Federal Government, domestic incident management is predominantly a DHS function to coordinate federal operations within the United States to prevent, prepare for, respond to and recover from terrorist attacks, major disasters and other emergencies. It includes measures to identify, acquire and plan the use of resources needed to anticipate, prevent and/or resolve a threat or act of terrorism. State and local authorities participating in this response may view it as crisis management, which includes traditional law enforcement functions, such as intelligence, surveillance, tactical operations, negotiations, forensics and investigations.

Emergency Response
A response to emergencies, including both natural disasters, e.g., hurricanes, floods, earthquakes, etc., and human-induced events, e.g., civil commotion, adversary attacks, etc., in order to protect lives and limit damage to property and impact on operations.

Event Tree Analysis
An inductive analysis that utilizes a graphical tree construct to analyze the logical sequence of the occurrence of events in, or states of, a system following an initiating event (often called the top event).

Event Trees (also called failure trees)
The sequence of events between the initiation of an event and its termination is described as a branching tree, where each branch represents the possible outcomes at that junction (e.g., a locked door may be breached or not). The evaluation team estimates the probability of each outcome. Multiplying the probabilities along each branch, from the initiating event to each terminal event, gives the probability of each unique branch, while all branches together sum to unity (1.0). The sum of the probabilities of all branches on which the attack succeeds is the vulnerability estimate.
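The event-tree calculation described under Event Trees and Conditional Probability, as an added example that is not part of the RAMCAP Plus text. The tree structure (detection, timely response, last barrier) and its probabilities are constructed for illustration, not values from the example problem; it enforces the node-sum and branch-sum checks the definitions state and returns V as the sum of the success paths.

```python
"""Event-tree vulnerability estimate (see Event Trees and Conditional Probability).

Added example, not from the RAMCAP Plus text: a three-node tree with
constructed probabilities for one attack scenario.  It checks that the
conditional probabilities at every node sum to 1, multiplies probabilities
along every path, confirms the paths sum to unity, and reports V as the sum
of the paths on which the attack succeeds.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterator, Union

SUCCESS = "attack succeeds"
FAILURE = "attack fails"
Outcome = str  # a terminal leaf: SUCCESS or FAILURE


@dataclass(frozen=True)
class Node:
    """A junction in the tree; each branch is (label, conditional probability, child)."""
    question: str
    branches: tuple[tuple[str, float, Union["Node", Outcome]], ...]


def validate(node: Node, tol: float = 1e-9) -> None:
    """Every branch probability is in [0, 1] and each node's branches sum to 1."""
    total = 0.0
    for label, p, child in node.branches:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"{node.question!r}/{label!r}: probability {p} out of range")
        total += p
        if isinstance(child, Node):
            validate(child, tol)
        elif child not in (SUCCESS, FAILURE):
            raise ValueError(f"unknown outcome {child!r}")
    if abs(total - 1.0) > tol:
        raise ValueError(f"{node.question!r}: branch probabilities sum to {total}, not 1")


def enumerate_paths(node: Node, prefix: tuple[str, ...] = (), prob: float = 1.0
                    ) -> Iterator[tuple[tuple[str, ...], float, Outcome]]:
    """Yield (path labels, path probability, outcome) for each terminal branch."""
    for label, p, child in node.branches:
        path = prefix + (f"{node.question} {label}",)
        if isinstance(child, Node):
            yield from enumerate_paths(child, path, prob * p)
        else:
            yield path, prob * p, child


def vulnerability(root: Node) -> float:
    """V = sum of the probabilities of all paths ending in SUCCESS."""
    validate(root)
    paths = list(enumerate_paths(root))
    total = sum(p for _, p, _ in paths)
    if abs(total - 1.0) > 1e-9:  # all branches together must sum to unity
        raise ValueError(f"paths sum to {total}; tree is malformed")
    return sum(p for _, p, outcome in paths if outcome == SUCCESS)


def dominant_success_paths(root: Node) -> list[tuple[float, str]]:
    """Success paths, highest probability first: shows where a countermeasure pays most."""
    paths = [(p, " -> ".join(path)) for path, p, outcome in enumerate_paths(root)
             if outcome == SUCCESS]
    return sorted(paths, reverse=True)


def build_tree(p_detect: float, p_respond_in_time: float = 0.75,
               p_barrier_holds: float = 0.5) -> Node:
    """Constructed tree: detection -> timely response -> last barrier.

    The probabilities are illustrative estimates of the kind an evaluation
    team would elicit; they are not values from the RAMCAP Plus example.
    """
    barrier = Node("last barrier holds?",
                   (("yes", p_barrier_holds, FAILURE),
                    ("no", 1.0 - p_barrier_holds, SUCCESS)))
    response = Node("response arrives before breach?",
                    (("yes", p_respond_in_time, FAILURE),
                     ("no", 1.0 - p_respond_in_time, barrier)))
    return Node("intrusion detected?",
                (("yes", p_detect, response),
                 ("no", 1.0 - p_detect, barrier)))


if __name__ == "__main__":
    for p_detect in (0.6, 0.9):  # baseline detection vs. an improved-detection option
        tree = build_tree(p_detect)
        print(f"P(detect) = {p_detect}: V = {vulnerability(tree):.4f}")
        for p, path in dominant_success_paths(tree):
            print(f"  {p:.4f}  {path}")
```

Re-running with a higher detection probability shows how a single countermeasure changes V, and the ranked success paths show which branch (here, the undetected path) dominates the estimate.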


Expert Elicitation (aka direct expert elicitation)
Using experts to provide information that is not readily available, is often subjective, or cannot be obtained from historical records. For example, members of the RAMCAP Plus evaluation team familiar with a facility's layout and work flows and knowledgeable about the asset being assessed discuss the likelihood of success of an attack of a particular type and provide the logic and reasoning for their estimates. Sometimes trained facilitators, on staff or under contract, are used to elicit the judgments.

Facility
This term is commonly used to describe a fixed manufacturing or operating site or installation. However, the more general term asset, as used in this document, includes facilities as well as other types of assets. Assets may also be constituent elements of a facility.

Failure Mode
A way that failure can occur, described by the means or underlying physics by which element or component failures must occur to cause loss of the sub-system or system function.

Fault Tree Analysis
A specific form of event tree (see above).

Frequency
The rate of occurrence of an event, measured in terms of the number of events of a particular type expected to occur in a particular time period of interest, usually one year, or in a particular number of iterations, e.g., one defect per million products.

Hazard
A condition, which may result from either an external cause (e.g., earthquake, flood, or human agency) or an internal vulnerability, with the potential to initiate a failure mode. It is a source of potential harm or loss.

Incident Analysis
A retrospective analysis of incidents at a particular site, among assets within a particular site, or among assets within a category in a particular area, which indicates patterns of potential adversarial activities or intentions. Incident analyses should include an assessment of the sufficiency of countermeasures, based on the ability to assess and respond to suspicious activities in such a way as to reduce the likelihood of success if an actual attack occurred.

Initiating Event
An event that appears at the beginning of a chain or sequence of events which, directly or indirectly, has the potential to cause harm or loss. Such events may include major disasters, emergencies, terrorist attacks, terrorist threats, wildland and urban fires, floods, hazardous material spills, nuclear accidents, aircraft accidents, earthquakes, hurricanes, tornadoes, tropical storms, war-related disasters, public health and medical emergencies, and other occurrences requiring an emergency response.

Intent
An adversary's goals and the value that the adversary would ascribe to achieving these goals through a particular means, as determined by expert judgment. In terrorism, intent can be to inflict economic damage, mass fatalities or mass terror, or to achieve symbolic goals, i.e., attacks against cultural symbols or against targets where there was a prior failure. This type of intent can be focused on types or categories of assets as targets (e.g., buses in Israel, or U.S. embassies) or on the demonstration of an adversary's capability (e.g., certain weapons of mass destruction).


Likelihood
The chance, frequency or degree of belief that a particular outcome or event will occur in a specific time frame, usually one year.

Loss Prevention
The set of activities undertaken to preclude or mitigate the effects of adverse impacts on assets due to natural and adversarial threats.

Mitigation
See Consequence-mitigation (above).

Preparedness
The combination of risk analysis and management, response planning, and resilience planning (which includes recovery planning and continuity of operations) for rapid restoration of function.

Probability
A quantitative measure of the likelihood that a particular event, e.g., a terrorist attack or natural event, will occur. This is usually expressed as a mean value between 0 and 1, and can include a minimum and maximum range or distribution (density function). However, probability can also be expressed in qualitative terms (e.g., low, moderate, high) if there is a common understanding of the qualitative terms among all the stakeholders. The probability must be associated with a specific event and either a defined time frame (e.g., the range of probability that a threat occurs in one year) or a set of trials (e.g., the range of probability of detecting a particular type of intrusion given 10 attempts, or the range of probability that a consequence-mitigation action is successful given a demand).

Qualitative
Concepts that cannot be communicated through a natural metric, such as national security consequences or judgments of potential interactions between adaptive humans. Such concepts must sometimes be stated descriptively and specifically, but wherever possible should be couched in a measure that allows comparisons. Qualitative measures can be linguistic (e.g., high, medium, low) or quantified (e.g., a scale of 1 to 10).

Qualitative Risk Assessment
An appraisal of risk that uses linguistic terms and measurements to characterize the factors of risk. Wherever possible, qualitative assessments should be couched in terms of a consistent measure that allows comparisons between assets. Qualitative measures can be linguistic (e.g., high, medium, low) or quantified (e.g., a scale of 1 to 10).

Quantified
A quantitative measure that uses numbers as a proxy for language. This enables greater precision in the communication of items that fall within ranges, and facilitates the use of mathematics to calculate decision-relevant terms (e.g., risk, risk reduction, resilience and benefit-cost ratio).

Quantify
To apply numerical ratings to things that do not have natural metrics, such as threat and vulnerability.

Quantitative
Concepts that are easily communicated through a natural metric, such as numbers of lives, dollars, frequency, etc.


Quantitative Risk Assessment
An appraisal of risk that uses numerical measures to describe the factors in the analysis. Wherever possible, quantitative measures should be used to allow clear, defensible and precise comparisons among assets.

Reference Threat
A particular attack, specified in terms of intensity or magnitude, mode and medium of delivery, to be used in a consistent fashion across numerous assets to facilitate direct comparisons. It is not to be confused with the design basis threat, which is the type and intensity of threat a facility is designed to withstand.

Resilience
The capability to maintain function during an event or to recover function rapidly after an event, including provision of a substitute function or asset after an attack or natural event. The concept of resilience is still being formalized, but candidate indicators include reductions in the duration and severity of service denial and/or economic losses to the community due to service denial.

Resilience Management
The deliberate process of understanding resilience as both a function of the loss of infrastructure components and the ability of the community to cope with the loss and recover in the shortest practical time. Resilience management includes the ability to model the interdependencies of infrastructure components and to decide upon and implement actions that will increase the resilience of the community given the loss of a subset of infrastructure.

Response
The reactive use of emergency response capabilities to deal with the immediate consequences of an incident or attack. Often used in conjunction with proactive measures to create a more comprehensive and holistic protection system.

Residual Risk
The amount of risk remaining after the net effect of risk-reduction actions is taken into account. The residual reflects the impact of threats not deterred, consequences not avoided and vulnerabilities not reduced through other countermeasures. The concept can also include the risks from threats not included in a risk analysis.

Risk
The potential for loss or harm due to the likelihood of an unwanted event and its adverse consequences. It is measured as the combination of the probability and consequences of an adverse event. When the probability and consequences are expressed as numerical point estimates, the expected risk is computed as the product of those values. In the case of the RAMCAP Plus process and many other risk and resilience processes, risk is the product of threat (likelihood or frequency of the event occurring), vulnerability (likelihood that the event will cause the estimated consequences, given that the event occurs), and consequence.

Risk Analysis
The technical and scientific activity of estimating the components of risk and combining them into the estimate of risk. Risk analysis provides the processes for identifying hazards or hazard scenarios, event-probability estimation, vulnerability assessment and consequence estimation. The risk analysis process answers three basic questions: (1) What can go wrong and how can it happen? (2) What is the likelihood that it will go wrong? (3) What are the consequences if it does go wrong? Risk analysis often includes estimating the impact of changes to a system to reduce risks by reducing the likelihood of attack, the vulnerability to attack, and/or the magnitude or duration of consequences given a successful attack. Reductions in risk due to such changes are the benefits of those changes. Risk analysis generally contains the following steps: scope definition, hazard identification, risk estimation, risk-reduction option evaluation and communication of information useful in risk management resource allocation.

Risk Assessment
See Risk Analysis (above).

Risk Communication
An interactive exchange of information and opinion among stakeholders designed to convey understanding of risks and risk-reduction options to support resource allocation and other decisions to manage risks. It often involves multiple exchanges about the nature of risk and the expression of concerns, opinions, or reactions of risk managers, legal experts and management. Risk communication greatly affects risk acceptance, safety and security standards and the allocation of resources to risk reduction.

Risk Management
The deliberate process of setting security and resilience goals; identifying assets, systems, networks, and functions; understanding risk; and deciding upon and implementing action (e.g., defining security countermeasures, consequence-mitigation features or characteristics of the asset) to achieve an acceptable level of risk and resilience at an acceptable cost. Risk management identifies, estimates and controls risks to a level commensurate with an assigned or accepted value; it also measures performance and takes corrective action. Public and private sector entities often include risk management frameworks in their business continuity plans.

Scenario
A combination of events and system states that lead to an outcome of interest. A scenario defines a suite of circumstances of interest in a risk assessment. In the present context, a scenario includes at least a specific attack threat on a specific asset, with the associated probabilities and consequences.
System An integrated combination of people, property, environment and processes integrated to work in a coordinated manner to achieve a specific desired output under specific conditions. As used in this document, a system encompasses the set of one or more assets and their associated environment (e.g., threats, vulnerabilities, consequences, buffer zone attributes) considered in a risk analysis. Systems should be defined based on the decision-specific analytical objectives, which may lead to different types of definitions, such as functional systems, management systems, and engineering systems. Target see Asset (above) Terrorism Premeditated, politically motivated violence perpetrated against noncombatant targets by sub-national groups or clandestine agents, usually intended to influence an audience (Title 22 of the United States Code, Section 2656f(d)). Terrorist An agent of a sub-national group who uses premeditated, politically motivated violence against non-combatant targets, usually intended to influence an audience (Title 22 of the United States Code, Section 2656f(d)).


Threat
Any indication, circumstance or event with the potential to cause the loss of, or damage to, an asset or population. In the case of terrorism risk, threat represents the intention and capability of an adversary to undertake actions detrimental to an asset or population and also the attractiveness of the asset or population relative to alternative assets or populations. In the case of natural hazards, threat refers to the historical frequency of the specific natural event to which the asset(s) may be subjected. In both cases, for risk analysis, threat is defined as the likelihood the event will occur.

Threat Analysis
The study or assessment of threats, including adversary capability, intent and incidents that may be indicators of adversary activities.

Threat Likelihood
The probability that an undesirable event will occur. With natural hazards, the threat likelihood is the historical frequency of similar events unless there is a belief that the future will differ from the past. With terrorist threats, the likelihood is a function of available intelligence, the objectives and capabilities of the terrorist, and the attractiveness, symbolic or fear-inducing value of the asset as a target. The terms threat likelihood and threat probability are used interchangeably in this publication.

Uncertainty
A measure of unpredictability or knowledge incompleteness. In quantitative risk assessment, uncertainty includes chance events, measurement and estimation error, and simple lack of knowledge about the models and parameter values used. Uncertainties can be expressed as levels of confidence, ranges or probability distributions.

Vulnerability
Any weakness in an asset's or infrastructure's design, implementation or operation that can be exploited by an adversary or can contribute to functional failure in a natural disaster. Such weaknesses can occur in building characteristics, equipment properties, personnel behavior, locations of people, equipment and buildings, or operational and personnel practices. In risk analysis, vulnerabilities are estimated using a variety of methods, but are usually summarized as the probability that, given an attack or natural event, the estimated consequences will ensue, i.e., that the event will cause the estimated damage.

Vulnerability Analysis/Vulnerability Assessment
A systematic examination of an asset's ability to withstand a specific threat using current security and emergency preparedness procedures and controls. A vulnerability assessment often suggests countermeasures, mitigation features, and other security improvements. A vulnerability analysis may be used to: compute the probability that a particular attack will succeed; compute the probability of significant damage, destruction or incapacitation of part or all of an asset resulting from a given threat; identify weaknesses that could be exploited; and predict the effectiveness of additional security measures in protecting an asset from attack.

Vulnerability Estimate
The conditional probability that an attack or natural event will cause specifically estimated consequences.

Vulnerability Logic Diagrams (VLDs)
VLDs are used to illustrate the flow of events from the time an adversary approaches the facility to the terminal event in which the attack is foiled or succeeds, considering the obstacles and countermeasures that must be surmounted, with each terminal event associated with a specific vulnerability bin. This is frequently complemented by time estimates for each segment and compared with an estimate of the reaction time of a counterforce once the attack has been detected. In many of the RAMCAP Sector-Specific Guidance documents, VLDs are prepared in advance as a heuristic to guide the team in making its assessment.

Worst Reasonable Case
An operating assumption for estimating consequence values that utilizes the most severe but reasonable consequences for a specific adversarial threat but does not combine unlikely coincidences. It directly reflects the assumption that an adversary is knowledgeable about the asset to be attacked and adaptive given emergent conditions.


Appendix B: Abbreviations and Acronyms


Below is a list of abbreviations and acronyms for terms judged to be important for understanding the development and application of the RAMCAP Plus process.

Abbreviation or Acronym    Meaning
ASME-ITI    ASME Innovative Technologies Institute, LLC
BPD         Barrels Per Day
CARVER      Criticality-Accessibility-Recuperability-Vulnerability-Effect-Recognizability
DHS         United States Department of Homeland Security
EPA         United States Environmental Protection Agency
LNG         Liquefied Natural Gas
NADB        National Asset Database (DHS)
NRC         Nuclear Regulatory Commission
RAMCAP      Risk Analysis and Management for Critical Asset Protection
RMP         Risk Management Plan (EPA)
SCADA       Supervisory Control and Data Acquisition
SSG         Sector-Specific Guidance
SVA         Security Vulnerability Assessment
TNT         Tri-Nitro Toluene (explosive)
VBIED       Vehicle-Borne Improvised Explosive Device


Appendix C: Compliance with the RAMCAP Plus Process


Numerous methods exist that provide security, risk and vulnerability assessments of assets and facilities. Many of these have been applied to existing infrastructure for the purpose of prioritizing risk management activities. The objective of the RAMCAP Plus process is to provide owners/operators of critical infrastructure a sound method of assessing risk that is also meaningful for government decision-making. This results in a common framework and partnership with consistent methods that allow DHS to compile and prioritize a database of critical assets to support risk management decisions.

Some existing processes will conform to the RAMCAP Plus approach and easily adapt to the use of common assumptions, common scenarios, common metrics, and common scales. Other methods will produce information needed for a RAMCAP Plus-compatible approach, but their results require indexing, alignment or additional analysis to achieve a full risk assessment. Finally, some methods are not suitable for providing risk information that can be compared with other assessments.

In order for a tool or a method to be identified as RAMCAP Plus-compliant, it must contain the following:

1. Common Terminology. The definitions contained in Appendix A of the RAMCAP Plus publication must be employed.

2. Common Metrics. The metrics used to report the results of a risk assessment must be the same as those used for the RAMCAP Plus process. For example, the consequences of a terrorist attack should be reported using a set of common concerns between owners/operators and the government (e.g., casualties, economic, etc.), as defined in the RAMCAP Plus process. Additional consequence scales may be added by the owner/operator for issues of special concern (e.g., public confidence in the brand, etc.). Scales must be consistent for all similar assets and across sectors. Natural scales are preferred where they are obvious (e.g., dollars of economic risk, fatalities for safety risk). These may be grouped into a limited number of categories, with the latter given constructed names (e.g., high, medium, low); however, the link between categories and the underlying natural scales should be transparent. Where natural scales are not obvious, such as in measuring the iconic value of an asset, constructed or proxy scales not commensurate with other scales may be necessary. A definition of categories should be developed to allow different parties to relate to the scale in a comparable way.

3. Screening Process. The process must provide for screening out assets that do not warrant continued assessment. The screening process must focus on the identification of critical assets/potential high consequences, rather than likelihood.

4. Common Threat Scenarios. A common set of threat scenarios, as defined within the RAMCAP Plus approach and contained in RAMCAP Sector-Specific Guidance documents, shall be used to evaluate vulnerability, calculate consequences and assess the applicability of the threat to the asset/facility in question, for communication to government. Additional scenarios of owner/operator concern may be assessed as well.

5. Common Assumptions. In conducting an assessment for communication to government for cross-sector comparisons, assumptions must be normalized to facilitate the comparisons.

6. Vulnerability Evaluation. The method must determine the vulnerability of an asset to a given threat scenario to estimate the likelihood that the threat scenario is successful in achieving its goal, resulting in the calculated consequences. Vulnerability is calculated on a scale of zero to one. Alternatively, ranges for the value of vulnerability can be used if it is not possible to assign a single value. Qualitative descriptions must be capable of being converted to numeric values or ranges. There may be numerous possible outcomes for a single threat scenario, each of which could result in a different value of calculated consequences. Vulnerability may be estimated by expert elicitation or by more complex procedures, such as fault and event tree analyses, which also typically depend heavily on expert judgment.

7. Threat Assessment. The method is used to facilitate the owner/operator's assessment of the attractiveness of the asset to an adversary with the given threat scenario. It must also allow for the communication of a government assessment of other elements of threat to be combined in support of the owner/operator's decision-making.

8. Reporting of Results. The RAMCAP Plus approach provides guidance on how results of the evaluations should be reported to DHS. Tools compliant with RAMCAP Plus will allow communication with appropriate protection of sensitive information with regard to both legal liability and security classification considerations.

9. Sector-Specific Modules. Sector-specific modules are being developed that tailor the RAMCAP Plus process to particular economic or industrial sectors. Examples include commercial nuclear power plants, spent nuclear fuel storage, chemical plants, petrochemical plants, liquefied natural gas facilities, freight rail transportation, the electric power grid, etc. In the development of such sector-specific procedures, industry experts will provide information including industry practices, procedures, existing assessment methodologies and additional insight not addressed in this RAMCAP publication. Sector-specific approaches based upon the RAMCAP Plus process must meet the requirements of items 1-8, above. It is anticipated that existing vulnerability assessment data and processes can be used or adapted to develop a RAMCAP Plus-compliant approach.


Appendix D: Integrated Assessment of Natural Hazards


D.1.0 Natural Hazards

A risk analysis of any asset is not complete unless natural hazards are considered. Natural hazards include, at a minimum, the effects of earthquake, hurricane, tornado, and flood. Each of these events can be considered for any particular asset by determining the expected frequency of the event and estimating the consequences. The vulnerability of the asset is dependent upon the type of structure and how it will be affected by the initiating event. Additional natural hazards, such as ice storms, extreme cold weather, wildfire, avalanche, tsunami, landslide, mudslide, and others, should be included if the probability of occurrence and the consequences are higher than for the four basic natural hazards. Sector-Specific Guidance documents will discuss how to report hazards not included in the basic set.

Unlike terrorism events, the ability to withstand natural hazards of a specified intensity is normally included in the design specifications required for buildings and structures. In almost all areas of the United States, local, state, or national statutes require new construction to meet the structural requirements of the Uniform Building Code (UBC)[16]. Every municipality or county typically has a building department that performs a plan check for new construction and revisions to existing structures. Once the plan check is approved, a building permit will be issued. In cases not covered by local statutes, the financial institution providing the loan or the insurance carrier will require that the building be designed and constructed in accordance with the UBC or, more recently, the International Building Code (IBC)[17].

[16] International Conference of Building Officials, 5360 Workman Mill Road, Whittier, CA 90601-2298
[17] International Code Council, 500 New Jersey Avenue, Sixth Floor, Washington, D.C. 20001-2070

The analysis methods described in this Appendix are conceptual and require significant additional effort to be considered a standardized or acceptable practice for estimating losses due to natural events. Work is ongoing to improve the methodology. The following areas are under development:

1) Inclusion of seismic event magnitudes and damage factors.
2) Improvement and automation of hurricane maps.
3) Inclusion of the effect of hurricane dissipation with distance from coming ashore.
4) Incorporation of the effect of storm surges accompanying hurricanes.
5) Tabulation and automation of tornado frequency data for all counties and parishes in the United States.
6) Development of a computer program to help automate the calculations.

As these improvements become available, they will be incorporated into the RAMCAP Plus approach. A multidisciplinary peer review to evaluate the natural hazards calculation methods and contribute additional expertise would be highly desirable. As a RAMCAP standards committee is reconvened to consider the RAMCAP Plus approach, it is anticipated that a subset of the group would assume this task.

The severity and frequency of natural hazards depend upon the geographical location of the facility or asset. Earthquakes are much more likely to occur on the West Coast and in Alaska, whereas hurricane risk is greater along the Gulf Coast and in Florida. When considering natural hazards, the magnitude and expected frequency of the event must be determined from historical data. The geographical distribution and frequency-of-occurrence data for these initiating events are obtained from various governmental agencies. Source information will be discussed in the following sections.

D.1.1 General Approach to Natural Hazards Assessment

The knowledge that the assets being evaluated were designed to the requirements of the UBC or IBC provides a baseline for damage calculations. Damage estimates are based upon the following logic:

1) Assume that only initiating events that exceed the design basis would cause damage. It is assumed that an initiating event that is lower than or equal in magnitude to the design basis event would result in little or no significant structural damage. This should be a reasonable assumption since building codes include a safety margin for all design loads. It is also assumed that the building or structure has been maintained. The occurrence of an event (e.g., earthquake or hurricane) that is greater in magnitude than the design basis event would be expected to cause damage to the structure, but the structure would be expected to remain stable up to some point. If the magnitude is further increased, the structure may be totally destroyed. When the repair or replacement value equals the current asset value based on future net cash flow[18], the asset is assumed to be a total loss.
For low-end events, damage might include cracks and broken windows, loss of content on shelves and broken awnings, parapets and other ancillary attachments, but the basic structure would be expected to remain intact and not collapse on the inhabitants.

[18] Future net cash flow can be estimated as annual net profit after tax plus depreciation for the life of the facility, discounted at the organization's cost of capital.

2) Assume that, the greater the difference between the design basis event and the actual event, the greater the expected damage. The logic here is obvious. If a building is designed to withstand an earthquake of Richter magnitude 5.5, there would be little or no damage for seismic events lower than or equal to 5.5. A 6.0 earthquake would be expected to cause some damage, but not as much as a 6.5. Further, since the Richter scale is logarithmic, the damage would not be expected to be linear with Richter magnitude. (An earthquake of magnitude 6.0 is ten times as powerful as a 5.0.) Hurricane damage is estimated in a similar way. If a building or structure is designed for a Category 4 hurricane (wind speed in the range of 131-155 mph), the structure would be expected to survive, with some relatively minor damage, if the wind speed reached 160 mph. Experience indicates there is considerable resilience in infrastructure equipment. Refineries in the path of Hurricane Katrina were back on line soon after the storm passed through and employees could return to the area to restart their work. Wind forces are proportional to the square of the wind speed; thus, if wind speed is increased by 50%, the forces on the structures are more than doubled (225%). Loss would be expected to increase rapidly as the wind velocity exceeds design values.

3) Estimate risk based on the extent to which the magnitude of the initiating event exceeds the design basis of the asset. A damage factor is assigned based on the fact that the amount of damage expected for different types of structures depends on how susceptible that type of construction is to the event. For discussion purposes, consider earthquakes and hurricanes as initiating events. Earthquakes result in lateral loads on structures (other loads may be developed as well, but this discussion will be limited to equivalent static lateral forces on simple, semi-rigid structures). In an earthquake, cantilevered structures, e.g., tall buildings, tall pressure vessels such as those found in refineries, and towers, are subjected to bending moments because of the lateral loading. If the loads are increased beyond the design basis load, the structure will eventually fail. Structures of this type are more susceptible to damage due to lateral force loads than equipment such as buried pipes or pumps and valves that are bolted to heavy foundations. The difference in structural susceptibility is introduced by defining a damage factor applied to the owner's loss consequences to account for the type of equipment. Consistent with RAMCAP Plus notation, this coefficient is defined as vulnerability. This term defines how vulnerable the equipment is to the event on a scale of zero to one. Thus, the standard risk equation can be used to estimate the consequences of an initiating event.
The risk to an asset is defined as:

R_i = C_i × V_i × T_i

Where:

R_i = risk (measured in dollar losses, deaths or severe injuries) of an initiating event i.

C_i = consequences of initiating event i. This could be fatalities, severe injuries, losses to the facility's owner or losses to the community. Losses to the owner would consist of either repair or replacement cost depending upon the severity of damage, lost net revenue due to down time, liability costs, etc., and other direct losses as a result of damage to the asset by the initiating event i. Fatalities, injuries and community losses are estimated in the same way they are for other hazards, as described in the main text. Estimating losses to the owner is described in this Appendix.

V_i = vulnerability of the structure or equipment for the type of event considered. For example, the vulnerability of underground piping to a hurricane would be very low. Pumps mounted on concrete foundations and reinforced concrete or explosion-resistant control rooms in refineries are more susceptible to hurricane force winds, but not as vulnerable as towers, such as radio transmission towers and tall stacks. The vulnerability of various types of equipment for various initiating events will be defined in tabular form.

T_i = frequency of the initiating event. This frequency is determined from historical data. The frequency of an event correlates inversely to the magnitude of the event: the larger the hurricane, earthquake or flood, the less frequent its occurrence.

The subscript i indicates that losses are a function of the initiating event. For example, assume an asset is designed to hurricane Category 2 wind speeds. A Category 3 hurricane acting on this asset would be expected to cause a 50% loss. Hurricanes larger than a Category 3 are assumed to result in 100% loss for equipment designed to Category 2 events.

4) Total the natural hazard risk by summing the risks across all initiating events. The total risk to a particular asset from all natural hazards is the sum of the risks from each initiating event. This is written as follows:

R_T = R_1H + R_2H + R_3H + R_4H + ... + R_1E + R_2E + R_3E + R_4E + ... + R_1F + R_2F + R_3F + R_4F + ... + R_TOR

Where:

R_nH = risk to the asset due to a hurricane of Category n (n = 1 through N). Similarly, E = earthquake, F = flood and TOR = tornado.

Simply stated, the risk due to hurricane is the sum of the risk due to Categories 1 through 5; the risk due to earthquake is the sum of the risks for each magnitude of earthquake, etc. The total risk is the sum of all levels of risk over all types of natural hazards. The incremental risk does not necessarily decline with event magnitude. While the frequency of the initiating event declines as the magnitude increases, the consequence will typically increase with magnitude. The product of frequency, vulnerability and consequence could increase or decrease. All credible levels of event magnitude must be included in the summation to obtain an accurate risk estimate.
The next sections contain additional details concerning how to apply this conceptual approach to each type of natural hazard.

D.1.2 Earthquake

Figure D-1 presents a seismic zone map of the United States. The current UBC and IBC provide more detailed seismic maps, and the requirements for seismic design in the current codes are more complex. The older seismic zone approach is used because most of the existing infrastructure was designed and built before the current method was adopted. The map was taken from the 1997 version of the UBC. The seismic zone method of design has been utilized extensively from the outset of seismic design. This method consists of determining an equivalent static lateral force that is applied to the structure. The seismic force is combined with dead weight and other loads. Even this equivalent static force coefficient method can become quite complex for multi-story buildings and non-building structures. It was decided this simpler method would be adequate to estimate first-order damages. The more complex method, found in the current IBC, has not yet been adopted by all of the building code officials.

The design of buildings and structures, which comprise the vast majority of the existing infrastructure, is based upon the equivalent static acceleration method. The design procedure was initially developed in the second half of the twentieth century. The Structural Engineers Association of California has been the driving force behind the design rules. This procedure, which is contained in the UBC, calculates the expected lateral force on a structure or equipment as a result of a seismic event. The magnitude of the calculated lateral seismic force depends upon a number of site-dependent factors and the configuration of the structure. The design loading naturally depends upon the location of the structure. Figure D-1 shows the different zones in the United States. As one would expect, for example, the design requirements for California are different from those for Florida. This difference is realized by using a higher coefficient for lateral force in California than for Florida. (The lateral force is calculated by taking a percentage of the weight of the structure; thus, the higher the seismic coefficient, the greater the percentage of the weight that is applied to the structure in the horizontal direction.) The design of the resisting members is based upon the lateral force requirement. The expected lateral force on a structure is calculated by first determining the weight of the structure (not including the foundation, which is assumed to be attached directly to ground) and contents. The lateral force is the product of this weight multiplied by the lateral force coefficient, which is tantamount to the lateral static acceleration. (This is a highly simplified explanation of how the design engineer would use the UBC to perform earthquake design. However, the underlying principle presented is fundamental to seismic design. Understanding the basic design is very useful in evaluating assets for most natural hazards.)


Figure D-1. Seismic Hazard Map of United States

Once the lateral loading is determined, the load is applied to the structure at the center of gravity for one-story structures. For multi-story structures, the load is applied along the height. As a result of the seismic loading, there will be shear loads on the walls of the structure as well as an overturning moment. The designer must provide sufficient strength to withstand these forces and moments. The taller the structure, the more complex the required design. High-rise buildings will be more flexible than a one-story structure. When a building or structure is flexible, it will exhibit a lower period of vibration. Flexible structures may be subjected to more or less acceleration than rigid structures, depending on the frequency of the earthquake motion. Thus, the natural frequency of the structure can affect the design of flexible structures. Additional complexities include soil properties, attachment details, joint construction, and other construction and design details. The UBC also provides for dynamic analysis of structures using computerized dynamic analysis techniques. The approach used here is based on the simplest principle (equivalent static load design) contained in the Code. It is not the purpose of this guidance document to explain the detailed earthquake design methodologies, but rather to provide enough understanding for the user to make a damage assessment.


D.1.3 Hurricane and Tornado/Wind Loading

Figure D-2 provides a wind velocity map for the United States that indicates the maximum expected wind velocity for a fifty-year recurrence interval. The requirements of the Uniform Building Code for wind design are based upon data of this type. The UBC has a rather complex procedure for wind design that includes factors for gust effects, nearby buildings, trees, and ground effects that could reduce the local wind velocity. Consideration is also given to uplift forces due to aerodynamic effects, the height of the structure, etc. Wind velocity is converted to a design pressure in pounds per square foot (psf) of a projected area. The wind pressure is then applied to the structure as a static load. The largest component of wind load is always lateral, i.e., perpendicular to the force of gravity. Therefore, the wind load is treated similarly to the earthquake load, with the effect of the storm hazard converted to lateral and vertical forces typically applied to the structure as static loading (as opposed to dynamic loading).

Table D-1. Saffir-Simpson Hurricane Scale

Category              Wind speed, mph (km/h)    Storm surge, ft (m)
5                     ≥156 (≥250)               >18 (>5.5)
4                     131-155 (210-249)         13-18 (4.0-5.5)
3                     111-130 (178-209)         9-12 (2.7-3.7)
2                     96-110 (154-177)          6-8 (1.8-2.4)
1                     74-95 (119-153)           4-5 (1.2-1.5)
Additional classifications
Tropical storm        39-73 (63-117)            0-3 (0-0.9)
Tropical depression   0-38 (0-62)               0 (0)

Wind loads seldom exceed the design basis in the UBC except for hurricanes and tornadoes. For the purposes of the hazards loss estimate, it is assumed that structures and equipment designed in accordance with the UBC (which includes most, if not all, critical infrastructures) do not suffer damage unless there is a hurricane that exceeds the design basis for that region or a tornado. While there are different categories of tornadoes, it is conservatively assumed that any category of tornado that occurs will result in a total loss of the buildings and equipment. The frequency of occurrence for tornadoes is low and the area affected is normally small, compared to a hurricane or windstorm; thus the probability of being affected by a tornado is small, resulting in low risk.

To estimate tornado loss, assume the vulnerability of the asset is based upon the type of structure. For example, underground piping and hardened structures, such as blast-resistant control rooms, are expected to survive intact. Most above-ground structures would be vulnerable to a tornado. The vulnerability of asset types to tornado is provided in Table D-8. The loss or cost estimate would be the replacement or repair costs. Cascading effects are estimated based upon lost production for the time necessary to replace the asset. The frequency of occurrence is estimated based upon the number (N) of tornadoes in a given location (i.e., in a given county), multiplied by the ratio of the average affected area (AAA) for a single tornado to the total area of the location under consideration. Typically, data are reported by the number of tornadoes in a given county per year. In that case, N would be the number of observed tornadoes, and Area would be the area of the county in which the asset resides. In equation form:

Frequency = N × (AAA) / (Total Area of Interest)

Hurricane damage is somewhat more difficult to characterize. If a building or structure is designed for a Category 4 hurricane (wind speed in the range of 131-155 mph), the structure itself would be expected to survive if the wind speed reached 160 mph. Experience indicates there is considerable resilience in infrastructure equipment. Refineries in the path of Hurricane Katrina were back on line soon after the storm passed through. A 50% rule is proposed to estimate damage, which is defined as follows: If an asset is designed for a Category N hurricane and is struck by a hurricane of Category N+1, the damage is estimated at 50% of the lesser of replacement or repair value. If the asset is struck by a hurricane of Category N+2, the asset is 100% lost. Thus, 50% damage is assumed for each Category in excess of the design level.
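The risk roll-up of D.1.1 (R_i = C_i × V_i × T_i summed over all credible event levels, steps 3 and 4) together with the tornado frequency formula and the 50% hurricane rule of D.1.3, carried through in Python as an added example that is not part of the RAMCAP Plus publication. The asset value, design category, per-category hurricane frequencies and county tornado statistics are constructed placeholders, and the small tornado vulnerability dictionary stands in for Table D-8, which is not reproduced here.

```python
"""Natural-hazard risk roll-up following the logic of Appendix D: R_i = C_i x V_i x T_i
for each initiating event, summed over all credible event levels (step 4 of D.1.1),
with vulnerability taken from the 50% hurricane rule and the tornado assumptions of
D.1.3. Added example; every numeric input below is a constructed placeholder."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable


@dataclass(frozen=True)
class InitiatingEvent:
    hazard: str         # "hurricane" or "tornado"
    level: int          # Saffir-Simpson category; 0 where no level scale is used
    frequency: float    # T_i: annual frequency from historical data
    consequence: float  # C_i: owner loss, the lesser of repair or replacement value


def hurricane_damage_fraction(design_category: int, storm_category: int) -> float:
    """50% rule (D.1.3): no damage at or below the design basis, 50% of the lesser of
    replacement or repair value per category above it, total loss at N+2 or more."""
    excess = storm_category - design_category
    if excess <= 0:
        return 0.0
    return min(1.0, 0.5 * excess)


def tornado_frequency(tornadoes_per_year: float, avg_affected_area: float,
                      total_area: float) -> float:
    """Frequency = N x AAA / (total area of interest), D.1.3; both areas in the same units."""
    if total_area <= 0 or avg_affected_area < 0 or tornadoes_per_year < 0:
        raise ValueError("total area must be positive; count and AAA non-negative")
    return tornadoes_per_year * avg_affected_area / total_area


def event_risk(event: InitiatingEvent, vulnerability: float) -> float:
    """R_i = C_i x V_i x T_i for one initiating event; V_i must lie on the zero-to-one scale."""
    if not 0.0 <= vulnerability <= 1.0:
        raise ValueError(f"vulnerability {vulnerability} outside [0, 1]")
    return event.consequence * vulnerability * event.frequency


def total_natural_hazard_risk(events: Iterable[InitiatingEvent],
                              vulnerability_of: Callable[[InitiatingEvent], float]
                              ) -> Dict[str, float]:
    """Step 4: R_T is the sum over every level of every hazard. Returns per-hazard
    subtotals keyed by hazard name plus the grand total under "total"."""
    subtotals: Dict[str, float] = {}
    for ev in events:
        subtotals[ev.hazard] = subtotals.get(ev.hazard, 0.0) + event_risk(ev, vulnerability_of(ev))
    subtotals["total"] = sum(subtotals.values())
    return subtotals


# --- constructed inputs for one illustrative asset (not data from the publication) ---
ASSET_VALUE = 40_000_000.0        # lesser of repair or replacement value, dollars
DESIGN_CATEGORY = 2               # designed to Category 2 wind speeds, as in the D.1.1 example
HURRICANE_FREQUENCY = {1: 0.05, 2: 0.03, 3: 0.015, 4: 0.005, 5: 0.001}  # per year, by category
COUNTY_TORNADOES_PER_YEAR = 3.0   # N, from county records (constructed)
TORNADO_AVG_AFFECTED_AREA = 0.5   # AAA, square miles (constructed)
COUNTY_AREA = 1000.0              # total area of interest, square miles (constructed)
# Stands in for Table D-8: any tornado is a total loss for above-ground structures, while
# underground piping and hardened structures are expected to survive intact (D.1.3).
TORNADO_VULNERABILITY = {"above_ground": 1.0, "underground_piping": 0.0, "hardened": 0.0}


def worked_example(asset_type: str = "above_ground") -> Dict[str, float]:
    """Roll up hurricane Categories 1-5 and tornado for the constructed asset."""
    events = [InitiatingEvent("hurricane", cat, freq, ASSET_VALUE)
              for cat, freq in HURRICANE_FREQUENCY.items()]
    events.append(InitiatingEvent(
        "tornado", 0,
        tornado_frequency(COUNTY_TORNADOES_PER_YEAR, TORNADO_AVG_AFFECTED_AREA, COUNTY_AREA),
        ASSET_VALUE))

    def vulnerability_of(ev: InitiatingEvent) -> float:
        if ev.hazard == "hurricane":
            return hurricane_damage_fraction(DESIGN_CATEGORY, ev.level)
        return TORNADO_VULNERABILITY[asset_type]

    return total_natural_hazard_risk(events, vulnerability_of)


if __name__ == "__main__":
    for hazard, risk in worked_example().items():
        print(f"{hazard:>10}: ${risk:,.0f} per year")
```

With these inputs the Category 3 term (300,000 dollars per year) exceeds both the Category 2 term (zero, since it is at the design basis) and the Category 4 term (200,000), which is the point made under step 4 above: incremental risk need not decline with event magnitude.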

Figure D-2. Basic Wind Speed Fifty-Year Recurrence Interval


Storm surge and wave data associated with tropical storms and hurricanes are not yet included in the RAMCAP Plus approach, but research is ongoing to add them. Many localities where hurricanes are likely to threaten have conducted storm surge and wave studies that estimate water levels associated with each hurricane category. If these are available, the analyst can use them to assess whether the asset is likely to be affected by the surge. If so, the analysis can proceed as with a flood. If no such storm surge study is available, the analyst is advised to consult a topographic map of the asset to determine if a reasonable surge from seaward would affect the asset in question and, if so, the depth of inundation. Consequences would be estimated for water damage using the same approach as for general flooding. Storm surge and wave damage would be added to wind damage in a hurricane. D.1.4 Flood Estimating flood loss is somewhat different from losses from either seismic events or wind events. Wind and seismic events have the potential for destroying or severely damaging the entire structure. Floods, on the other hand, normally cause water damage only. (Extreme disasters, such as the Johnstown Flood of 1889, are the exception to this generalization. In the Johnstown Flood, the failure of a dam released a wall of water that destroyed the entire town, carrying away many houses and commercial buildings. This risk assessment does not apply to disasters such as the Johnstown Flood or tsunami events. The probability of these rare events is extremely small compared to other naturally occurring events and will not be addressed.) Flood loss is assumed to consist primarily of severe electrical damage to wiring and motors, switch gear, telephone and communication equipment, residual mud and debris, mold, rot and damage to carpets, drapes, furniture, and equipment that is sensitive to oxidation (rusting). 
Thus, the flood results in water damage to the structure and its contents rather than forces acting on the structure that compromise the structural integrity of the asset. Flood damage is estimated by using FEMA flood maps (available from http://www.fema.gov/), which show flooded land areas and water depth. The flood data are based upon recurrence interval; thus, a fifty-year flood would result in a smaller flooded area and lower water levels than a hundred-year flood. Once flood inundation information is found for the asset location, an assessment of the water damage to the asset is performed. Loss of production and other first-order events are included in the damage assessment to determine the loss. The vulnerability of the asset to water damage must be determined on a case-by-case basis. If the asset contains electrical components that will be severely damaged by inundation, equipment repair and replacement costs will be greater and outage time will be longer. If the structure is fairly impervious to water damage, repair costs could be minimal, but there still may be significant losses due to deprivation of the asset function during the time of flooding.

D.1.5 Loads in Combination

Infrastructure components typically are designed for both wind and seismic loadings. However, the lateral force component will normally be dominated by one or the other. The UBC does not require simultaneous application of both wind and seismic loads. In addition to the lateral force components, load combinations include dead weight, live load (i.e., personnel) and other occasional loads such as snow. As can be seen from Figures D-1 and D-2, most locations in the United States are subjected to either high seismic hazard and relatively low wind loading or the inverse. For example, the Gulf Coast has little seismic activity (Figure D-1) but is subject to high wind loading, since major hurricanes often strike this area. On the other hand, the West Coast is known for high earthquake risk, but eastern Pacific hurricanes rarely reach the U.S. West Coast with high wind velocity. A study of the figures indicates that Alaska and Hawaii are areas at or near the extremes for both hazards. Figure D-2 shows that the highest wind velocity occurs near the coastline, as hurricanes tend to lose energy once they come ashore. What is somewhat less intuitive is that earthquakes are more severe along the western coast of the U.S. and in Hawaii. This is the so-called Pacific Rim activity, which includes the U.S., Japan, and other parts of Asia. Some exceptions exist in areas of the western United States where high volcanic activity is present. The other notable exception is the New Madrid Seismic Zone, also known as the Reelfoot Rift or the New Madrid Fault Line. This is a major seismic zone in the Southern and Midwestern United States. The New Madrid fault system was responsible for the 1811-1812 New Madrid earthquakes and has the potential to produce damaging earthquakes on an average of every 300 to 500 years. The 150-mile (240 km) long fault system, which extends into four states, stretches southward from Cairo, Illinois, through Hayti-Caruthersville and New Madrid, Missouri, through Blytheville, to Marked Tree, Arkansas. It also covers a part of Tennessee, near Reelfoot Lake, extending southeast into Dyersburg.

Credit: USGS

Figure D-3. Earthquakes in the New Madrid Seismic Zone Since 1974

This zone has had four of the largest North American earthquakes in recorded history, with magnitude estimates greater than 7.0 on the Richter scale, all occurring within a 3-month period between 1811 and 1812. Many of the published accounts describe the cumulative effects of all the earthquakes, known as the New Madrid Sequence; thus, finding the individual effects of each quake can be difficult.


This series of temblors caused permanent changes in the course of the Mississippi River, which flowed backward temporarily, and was felt as far away as New York City and Boston, where church bells rang. Large areas sank into the earth, fissures opened, lakes permanently drained, new lakes were formed, and forests were destroyed over an area of 150,000 acres (600 km²). Many houses at New Madrid were destroyed. "Houses, gardens, and fields were swallowed up," one source notes. However, fatalities and damage were low because the area was sparsely settled. Hundreds of aftershocks followed over a period of several years.

D.2.0 Estimating Consequences from Natural Hazards

The philosophy of the RAMCAP Plus approach is to estimate damage to an asset using the most severe set of reasonable assumptions, usually expressed as the worst reasonable case. For example, it is assumed that terrorists will strike at a time when the most people would be affected or the maximum possible damage would be caused: an attack on a stadium would be expected to occur during a game, and an attack on a rail car carrying toxic chemicals would occur when the train is passing through a city with high population density close to the tracks. However, one should not necessarily assume that the wind is blowing at the most treacherous speed and direction at the exact time of the attack unless this is the typical or expected condition most of the time. A similar rule is proposed for estimating consequences due to natural hazards. If a structure is designed to withstand an earthquake with a lateral loading of 0.25 g, the structure is assumed standing and functional after an earthquake of that magnitude. Similarly, if a refinery on the Gulf Coast is designed to withstand winds of 120 miles/hour, then little or no damage would be expected for a hurricane or wind storm producing winds of that magnitude.
In order to test the reasonableness of this hypothesis, it is instructive to review the effects of the most recent major hurricane to hit the Gulf Coast of the United States. Hurricane Katrina was the costliest and one of the deadliest hurricanes in the history of the United States. It was the sixth-strongest Atlantic hurricane ever recorded and the third-strongest hurricane on record to make landfall in the United States. Katrina formed on August 23 during the 2005 Atlantic hurricane season and caused devastation along much of the north-central Gulf Coast of the United States. It formed over the Bahamas and crossed southern Florida as a moderate Category 1 hurricane, causing some deaths and flooding there, before strengthening rapidly in the Gulf of Mexico and becoming one of the strongest hurricanes on record while at sea, reaching Category 5 status with 175 mph winds. The storm then weakened, making its second and third landfalls as a larger but weaker Category 3 storm on the morning of August 29 in southeast Louisiana and at the Louisiana/Mississippi state line, respectively. This large-diameter hurricane inflicted tremendous damage to structures along the coast and for several miles inland. The most severe loss of life and property damage occurred in New Orleans, which flooded as the levee system failed catastrophically, in many cases hours after the storm had moved inland. The hurricane caused severe destruction across the entire Mississippi coast and into Alabama, as far as 100 miles (160 km) from the storm's center. However, most refineries in the path of this hurricane were able to return to full operation within weeks of the storm because the major refinery components were designed to withstand high winds. The effects of flooding and lack of access to the site by construction crews were the major causes of loss to the refinery operators.

Information obtained from Hurricane Katrina Situation Reports, issued by the U.S. Department of Energy, provides the following description of damage to critical energy infrastructure.

September 2, 2005 (five days after coming ashore):
- Colonial Pipeline: operating at 66% of normal capacity; pumps not operating due to lack of electricity; major mechanical components undamaged.
- Plantation Pipeline: 95% capacity; electricity restored.
- ConocoPhillips Alliance Refinery: no electrical power.
- ExxonMobil Refinery: no electrical power.
- Chalmette Refinery: no electrical power.
- Murphy Oil Refinery: no electrical power.
Most Gulf Coast refineries reported limited damage. Most were shut down because of lack of power and water damage due to flooding.

September 13, 2005 (sixteen days after coming ashore):
- Colonial Pipeline: operating at 100% of normal capacity.
- Plantation Pipeline: 100% capacity.
- ConocoPhillips Alliance Refinery: no electrical power; shut down waiting for workmen to arrive.
- ExxonMobil Refinery: no electrical power; water damage.
- Chalmette Refinery: no report; assumed to be up and running.
- Murphy Oil Refinery: no electrical power; water receding.
Only four refineries reported being shut down, with two more reporting reduced capacity.

November 21, 2005 (85 days after coming ashore):
- ConocoPhillips Alliance Refinery: remains shut down.
- Murphy Oil Refinery: remains shut down.

Discussions with ConocoPhillips indicate there was no major damage to equipment due to hurricane winds. They experienced loss of insulation and wind damage to auxiliary structures, but the mechanical equipment was not damaged. Extensive flooding of the refinery resulted in loss of electrical equipment, which required repair and replacement.
Access to the refinery was prevented by the flooding and lack of facilities for workers. The September 13, 2005 DOE Situation Report noted that the 565-foot training ship Empire State VI would be used to berth up to 700 ConocoPhillips employees and contract workers as they began repairs on strategic infrastructure and facilities at the ConocoPhillips oil refinery in Belle Chasse, Louisiana; the ship was to arrive in New Orleans on September 16. These situation reports and communications with owners of critical infrastructure installations indicate that facilities designed to meet building code and company-developed engineering specification wind requirements will not suffer significant mechanical damage even if the wind exceeds the design basis winds by a reasonable amount. The damage factors proposed in this process are judged conservative and should overestimate the losses incurred.

A common misconception by the public is that risk due to natural hazards is always much greater than the risk associated with terrorism. This misconception may be based upon the widespread damage that can result from a hurricane. It should be noted that the damage shown in media coverage is typically the result of the large area affected by the storm and the relatively soft infrastructure affected. Critical infrastructure, such as chemical plants, refineries, power plants, hospitals and other facilities, is designed to withstand natural hazards. Terrorist attacks are typically infrequent, isolated events that affect a single infrastructure target. Widespread damage to literally thousands of targets, as is the case in large natural events, would not be anticipated unless there is an all-out war. Further, the terrorist agent must be considered intelligent, resourceful, and capable of causing the maximum possible damage in an attack. Thus, when calculated on an asset-by-asset basis, terrorism risk may well exceed risk due to natural hazards, even though the frequency of a terrorist attack is much lower than the frequency of naturally occurring events, which also cause greater total destruction to the area.

D.2.1 Estimating Consequences from Earthquake Events

The damage to structures and other assets should be estimated as follows.
First, calculate the estimated seismic replacement/repair cost of the infrastructure target. Note that this cost is not the same as the replacement cost assuming complete destruction. The loss assumes the equipment can be repaired and reused in many cases, depending upon the damage and whether a fire follows the earthquake, which is often the case. The loss of production will be calculated separately.

Loss Coefficient. The loss coefficients in Table D-2 should be used to calculate the basic repair/replacement costs. For example, experience has shown that piping systems are quite robust and will survive a seismic event in most cases. The piping systems used in chemical plants and refineries are generally well-supported, welded systems constructed of ductile metals. A seismic event may cause large deflections, loss of hangers and snubbers, etc., but the basic piping, valves and pumps are not severely damaged. However, underground pipe may be severely damaged. It is assumed that large, heavy-walled vessels will be reusable. The cost is primarily the repair and replacement of the plant equipment. Buildings will generally suffer more damage due to a seismic event than equipment and piping. Frame structures are normally flexible and will deform significantly. This causes damage to masonry, veneer and internal walls, etc. Normally, the damage can be repaired, but the cost is a higher percentage of the total replacement cost. Newer buildings, presumably built to modern standards, should fare better than older buildings. Structures with seismic upgrades should be considered recent for costing purposes. Buildings not designed to code and portable buildings are expected to incur the greatest damage. These effects are reflected in Table D-2.

Table D-2. Repair/Replacement Costs (vulnerability coefficient applied to replacement cost)

Vulnerability values used in the table: 0.2, 0.3, 0.5, 0.75, 1.0

Equipment Types and Mountings                                                    Vulnerability
Slab mounted equipment: pumps, valves, compressors, meters, electric motors,      0.2
  electrical controls, consoles, etc.
Buried piping                                                                     (see note)
Hot water heaters and similar equipment equipped with seismic restraints          (see note)
Automobiles and trucks, heavy equipment                                           (see note)
Above ground piping designed to accepted codes and standards such as              (see note)
  ANSI B31.1, ANSI B31.3
Pressure vessels designed to ASME Codes and Standards                             0.3
Buildings designed to UBC Code or equivalent                                      0.5
Buildings not designed to codes                                                   (see note)
Portable buildings and trailers                                                   (see note)

Note: the column positions of the rows marked "(see note)" were lost in extraction. The three values shown are the ones the worked earthquake example on this page applies (0.2 to slab mounted equipment, 0.3 to a horizontal holding tank, taken here as the pressure-vessel row, and 0.5 to a building built to the UBC). Per the text, buildings not designed to code and portable buildings take the highest values.


Table D-3. Earthquake Effects for Use in Estimating Damage to Assets

Description | Seismic zone (subdivision) | Richter magnitude | Earthquake effects and damage factors (D)+ | Frequency of occurrence*
Micro | Zone 0 | Less than 2.0 | Micro-earthquakes, not felt | About 8,000 per day
Very minor | Zone 0 | 2.0-2.9 | Generally not felt, but recorded | About 1,000 per day
Minor | Zone 0 | 3.0-3.9 | Often felt, but rarely causes damage | 49,000 per year (est.)
Light | Zone 1 | 4.0-4.9 | Noticeable shaking of indoor items, rattling noises. Significant damage unlikely | 6,200 per year (est.)
Moderate | Zone 2A (M > 5.0), Zone 2B (M > 5.5) | 5.0-5.9 | Can cause major damage to poorly constructed buildings over small regions; at most slight damage to well-designed buildings. 2A: before 1988 D = 20%, after 1988 no damage. 2B: before 1988 D = 40%, after 1988 D = 20% | 800 per year
Strong | Zone 3(A) (M > 6.0), Zone 3(B) (M > 6.5) | 6.0-6.9 | Can be destructive in areas up to about 100 miles across in populated areas. 3(A): before 1988 D = 60%, after 1988 D = 30%. 3(B): before 1988 D = 80%, after 1988 D = 60% | 120 per year
Major | Zone 4(A) (M > 7.0), Zone 4(B) (M > 7.5) | 7.0-7.9 | Can cause serious damage over larger areas. 4(A): before 1988 D = 100%, after 1988 D = 80%. 4(B): before 1988 D = 100%, after 1988 D = 100% | 18 per year
Great | Zone 4(C) (M > 8.0) | 8.0-8.9 | Can cause serious damage in areas several hundred miles across. Before 1988 D = 100%, after 1988 D = 100% | 1 per year

+Adapted from U.S. Geological Survey documents. *Worldwide.

Damage Coefficient. The next step is to determine the damage coefficient for the asset. Table D-3 provides a list of damage coefficients. The damage coefficients are based upon the severity of the earthquake that would be expected; the larger the magnitude of the earthquake (M in the table), the larger the amount of damage. Damage coefficients (D in the table) are also dependent upon the age of the structure. The lateral static acceleration used for designing buildings and structures has increased over the past fifty years. The typical design value for most building structures in California was approximately 0.1 g from the inception of the seismic design criteria in the 1940s until the 1970s. By 1988, the lateral force coefficients had increased by 50% or more in most cases, as the science of earthquake engineering improved and better methods of designing structures evolved. Structures built in later years are more earthquake resistant and the cost of repairing them after a seismic event will be much less. The result is fewer injuries and fewer lives lost due to the collapse of the newer buildings or structures for the same level of event. This effect is included in the damage coefficient shown in Table D-3. The values in Table D-3 are based upon the experience of a structural/mechanical engineer working in this field for over 30 years. These values should be reviewed and comments are welcomed.

The seismic zones, as indicated on Figure D-1, are 0, 2A, 2B, 3 and 4. In Table D-3, the damage factors are provided for zones 2A, 2B, 3(A), 3(B), 4(A), 4(B) and 4(C). The seismic zone map does not differentiate inside zones 3 and 4, but the damage factors are increased to account for the increased magnitude of the event. The Richter scale is logarithmic (base 10): a magnitude 6.0 earthquake has ten times the measured ground-motion amplitude of a magnitude 5.0 earthquake (and releases roughly 32 times the energy). For small earthquakes, in zones 0 and 1, this is not a significant difference since little or no damage is expected. However, when the magnitudes become greater and considerable damage is expected, it is prudent to subdivide the range to obtain a better loss estimate. The author subdivided zones 3 and 4 at arbitrary half-magnitude points; this is indicated in Table D-3 by the parenthetical designations for the subdivisions. The seismic zone map is used to obtain the correct zone (either 3 or 4) for use in Table D-3, but the calculations are performed using the subdivided properties provided in Table D-3. This procedure is illustrated in the Example Problem below.

Frequency Determination. The next step in determining the risk to an asset is to estimate the frequency of occurrence of an event of a particular size. The following web site, maintained by the United States Geological Survey (USGS), is used to determine the probability of having a seismic event equal to or greater than a particular input value: http://eqint.cr.usgs.gov/eqprob/2002/index.php. Within the web site, the zip code of the asset or plant can be entered to provide the location or, alternatively, the latitude and longitude can be input. The USGS site returns a map of the area which contains color-coded contours of the probability of occurrence. Typically, the time window used as input is fifty years. The color of the contour in which the asset is located is used to determine the frequency. For example, if one enters the zip code 92708 into the site, 7.1 for the magnitude and 50 for the time window, the results produce the map shown in Figure D-4. The asset is located at the small triangle shown on the map in Figure D-4 (just to the right of Huntington Beach). The probability of occurrence can be read from the map; in this case, the color coding places the probability in the range between 0.01 and 0.15. Using the higher value for conservatism, calculate the recurrence interval as the time window divided by the probability that the event will occur during that window: F = 50/0.15 = 333.3 years. This is an approximate estimate of the recurrence period. Thus, the probability of occurrence in one year is the reciprocal of 333.3, or 0.003 events/year. This is the frequency (also known as the likelihood) associated with an earthquake of approximately Richter magnitude 7.0 or greater occurring at this zip code location. (Dividing the window probability by the window length is a small-probability approximation; for a Poisson process the annual rate is -ln(1 - P)/T, which for P = 0.15 and T = 50 years gives 0.00325 events/year. The difference grows as P approaches 1, so check it when the map probability is large.) Next, repeat the procedure for a magnitude of 7.5 or greater. This will result in a frequency of approximately 0.001. The frequency or likelihood of an earthquake having a magnitude greater than 7.0 and less than 7.5 is F(7.0-7.5) = F(7.0) - F(7.5) = 0.003 - 0.001 = 0.002 events/year. This method can be repeated to obtain the frequency of an earthquake between 7.5 and 8.0. Finally, the frequency of an earthquake having a magnitude of 8.0 or greater can be obtained directly from the USGS site. The frequency data will then be used along with the damage coefficients to determine the risk for the asset.

The total risk is the sum of the risks for all seismic events over the full range of magnitude covered by the zone, as indicated in Table D-3. For example, for zone 2 events, consider the sum of risks for M = 5.0 to 6.0. The probability of an earthquake larger than 6.0 occurring in zone 2 is so small that the risk contribution is negligible. Thus, risk is summed for the magnitude ranges (5.0-5.5) plus (5.5-6.0).

Having determined the frequency for various ranges of earthquake magnitude, the next step is to determine the damage associated with the earthquake. The damage coefficient, D in Table D-3, provides a measure of how much destruction to expect from an event of a particular size. It is assumed that a building in zone 4 would not be significantly damaged by an earthquake of less than 7.0. If the earthquake has a magnitude of 7.5 there would be significant damage, but not total destruction. As the earthquake magnitude increases, the damage would be more severe until at some point complete loss of the asset value would be assumed. Note, however, that the method of calculating replacement/repair costs used in the asset value calculations accounts for the survival of components that are especially resilient. Thus, even if there were a total loss of an asset, there is significant scrap value. This effect is approximated by using the vulnerability of the asset in calculating the owner's loss. As discussed previously, the risk associated with the individual losses (Ri) is calculated using the standard risk formula as:

Ri = Ci x V x Ti

and the total risk due to earthquake is:

RT = R1E + R2E + R3E + R4E + ...

The definitions of the terms have already been provided. In summary, the total risk, RT, due to an earthquake event for a particular asset of interest is the sum of the risks due to all earthquake magnitudes that have a finite probability of occurring in the zone where the asset is located. The range of magnitudes is divided into finite segments and the integration, i.e., the summation of risk, is performed numerically.
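The earthquake procedure above (Table D-2 loss coefficients, Table D-3 damage coefficients, USGS exceedance probabilities converted to annual frequencies, net threat frequency per magnitude bin, and the summed risk RT) in working code, as an added example that is not part of the RAMCAP Plus text. The inputs are the page's own zone 4 pump station example for zip code 92708; the Table D-3 entries are transcribed for zones 2 through 4, and the Table D-2 rows are limited to the three the example uses. One assumption: the slab-mounted replacement cost is taken as $1.25M so that the page's stated $1,000,000 loss total is reproduced. The `exact` option of `annual_rate` is the Poisson check a practitioner would want when the 50-year probability read off the map is not small.

```python
"""Earthquake risk per the Appendix D procedure (added worked example, not RAMCAP Plus code)."""
import math

# Table D-2 vulnerability coefficients for the rows the page's example uses.
VULNERABILITY = {
    "slab_mounted_equipment": 0.2,
    "pressure_vessel_asme": 0.3,   # the page applies 0.3 to the horizontal holding tank
    "building_ubc": 0.5,
}

# Table D-3: zone subdivision -> (lower magnitude bound, D before 1988, D after 1988).
DAMAGE_FACTORS = {
    "2A": (5.0, 0.20, 0.00),
    "2B": (5.5, 0.40, 0.20),
    "3A": (6.0, 0.60, 0.30),
    "3B": (6.5, 0.80, 0.60),
    "4A": (7.0, 1.00, 0.80),
    "4B": (7.5, 1.00, 1.00),
    "4C": (8.0, 1.00, 1.00),
}
# Magnitude bins summed for each map zone (Figure D-1 only distinguishes 2A/2B/3/4).
ZONE_BINS = {2: ["2A", "2B"], 3: ["3A", "3B"], 4: ["4A", "4B", "4C"]}


def annual_rate(p_exceed, window_years, exact=False):
    """USGS exceedance probability over a window -> events per year.

    The page uses rate = P / T (recurrence interval T / P). For a Poisson process
    the exact rate is -ln(1 - P) / T; the two agree when P is small.
    """
    if exact:
        return -math.log(1.0 - p_exceed) / window_years
    return p_exceed / window_years


def repair_replacement_loss(components):
    """Sum of replacement cost x Table D-2 vulnerability over (row, cost) pairs."""
    return sum(cost * VULNERABILITY[row] for row, cost in components)


def earthquake_risk(loss_basis, zone, exceedance, post_1988, window_years=50):
    """Total annual earthquake risk for one asset, plus per-bin detail.

    exceedance: {magnitude: P(M >= magnitude within window_years)} for every bin
    lower bound in ZONE_BINS[zone]. A bin's net threat frequency is
    F(lower bound) - F(next bin's lower bound); the top bin is open-ended.
    """
    bins = ZONE_BINS[zone]
    detail, total = {}, 0.0
    for i, b in enumerate(bins):
        m_lo, d_pre, d_post = DAMAGE_FACTORS[b]
        f_lo = annual_rate(exceedance[m_lo], window_years)
        if i + 1 < len(bins):
            f_hi = annual_rate(exceedance[DAMAGE_FACTORS[bins[i + 1]][0]], window_years)
        else:
            f_hi = 0.0
        ntf = f_lo - f_hi
        d = d_post if post_1988 else d_pre
        r = loss_basis * d * ntf          # Ri = Ci x D x NTFi
        detail[b] = (ntf, d, r)
        total += r
    return total, detail


# Constructed inputs mirroring the page's example (slab-mounted cost assumed $1.25M
# so that the page's $1,000,000 loss total is reproduced).
EXAMPLE_COMPONENTS = [
    ("pressure_vessel_asme", 500_000),
    ("building_ubc", 1_200_000),
    ("slab_mounted_equipment", 1_250_000),
]
# 50-year exceedance probabilities the page reads off the USGS map for 92708.
EXAMPLE_EXCEEDANCE = {7.0: 0.15, 7.5: 0.05, 8.0: 0.0}


def example():
    """Zone 4 asset upgraded after 1988: returns (loss basis, RT, per-bin detail)."""
    loss = repair_replacement_loss(EXAMPLE_COMPONENTS)
    total, detail = earthquake_risk(loss, 4, EXAMPLE_EXCEEDANCE, post_1988=True)
    return loss, total, detail


if __name__ == "__main__":
    loss, total, detail = example()
    print(f"loss basis: ${loss:,.0f}")
    for b, (ntf, d, r) in detail.items():
        print(f"zone {b}: NTF = {ntf:.4f}/yr, D = {d:.2f}, R = ${r:,.0f}/yr")
    print(f"total earthquake risk RT = ${total:,.0f}/yr")
    print(f"Poisson-exact rate for P = 0.15 in 50 yr: {annual_rate(0.15, 50, exact=True):.5f}/yr")
```

Run as a script, it prints the page's figures (R1 = $1,600/yr, R2 = $1,000/yr, R3 = $0, RT = $2,600/yr). Setting `post_1988=False` switches to the pre-1988 column of Table D-3, which raises RT to $3,000/yr for the same asset.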


Example Problem - Earthquake Risk Assessment

The approach is best explained by example. Refer to Table D-3. Assume that the asset is located in Zone 3. It is assumed the UBC provides adequate design strength for structures and buildings to resist moderate size earthquakes. Table D-3 defines a moderate size earthquake as one which can cause major damage to poorly constructed buildings over small regions and, at most, slight damage to well-designed buildings. Thus, it is assumed that only strong earthquakes would result in significant damage for buildings designed for Zone 3. In Zone 3, strong earthquakes are events of magnitude 6.0 up to (but not including) 7.0. Since the magnitudes are logarithmic, break the range into two parts, 6.0 to 6.5 and above 6.5 up to 7.0. The process yields risk R1 for the first range and R2 for the second range. The total risk in Zone 3 is the sum R1 + R2. As noted earlier, seismic events greater than 7.0 in Zone 3 are so infrequent that they do not add significantly to the total risk. (The numerical problem that follows applies the same steps to a Zone 4 asset.)

Figure D-4. Seismic Probability Map


Asset 1 - Pump station: water delivery system located in zip code 92708.

Components:
- One-story building constructed to the 1960 UBC, reinforced for earthquake loadings in 1992
- Holding tank, horizontal
- Slab mounted equipment:
  - Diesel motor and generator
  - Piping (underground)
  - Control system
  - Pump

Solution:

1. Calculate the loss value of the infrastructure for purposes of determining the consequences due to earthquake.
   Horizontal tank: total replacement cost $500,000. From Table D-2, vulnerability = 0.3; the loss for the horizontal tank is (0.3)($500,000) = $150,000.
   One-story building: built in 1960 to the then-current building code and seismically upgraded in 1992. Total replacement cost = $1.2M. From Table D-2, vulnerability = 0.5 for buildings built to the UBC; the loss for the building is (0.5)($1.2M) = $600,000.
   Slab mounted equipment: total replacement cost of all components is $1.25M. From Table D-2, vulnerability = 0.2 for slab mounted equipment of this type; the loss for the slab mounted equipment is (0.2)($1.25M) = $250,000.
   Total loss for earthquake = $150,000 + $600,000 + $250,000 = $1,000,000.

2. Determine lost revenue/profitability for the facility. Assume a loss of net revenue of $1,000,000 while replacement and repairs are being performed.

3. Determine the seismic zone and earthquake magnitudes. Use the location of the asset on the risk map (Figure D-1) to determine the earthquake zone. From Figure D-1, Z = 4 (major earthquake zone). From Table D-3, seismic Zone 4 is designed for major earthquakes; thus it is assumed that earthquakes of less than magnitude 7.0 would not cause significant damage, and risk to the asset is calculated for seismic events of magnitude 7.0 or greater.
   a) Determine the probability of exceeding a 7.0 earthquake. From http://eqint.cr.usgs.gov/eqprob/2002/index.php, P = 0.15 in 50 years. Thus the recurrence interval is 50/0.15 = 333 years. Since one event would be expected every 333 years, the annual frequency is approximately 1/333 = 0.003 events per year.
   b) Determine the probability of exceeding a 7.5 earthquake. From the same site, P = 0.05 in 50 years. Recurrence interval = 50/0.05 = 1000 years, or 0.001 events per year.
   c) Determine the probability of exceeding an 8.0 earthquake. From the same site, P = 0.00 in 50 years. Frequency = 0.0.
   d) Determine the damage factors (D) from Table D-3. The post-1988 values apply because the asset underwent a seismic upgrade in 1992. For M = 7.0 to 7.5, D = 80%; for M > 7.5, D = 100%.

4. Calculate risk: RT = R1E + R2E + R3E + R4E + ...
   a) Net threat frequency and risk for R1. The net threat frequency for the range 7.0 to 7.5 is the frequency of exceeding a 7.0 earthquake less the frequency of exceeding a 7.5 earthquake: NTF1 = TF1 - TF2 = 0.003 - 0.001 = 0.002. The risk associated with an earthquake between 7.0 and 7.5 is thus R1 = (Loss) x (Damage factor) x (Net threat frequency) = ($1,000,000) x (0.8) x (0.002) = $1,600 per year.
   b) Net threat frequency and risk for R2. The net threat frequency is the frequency of exceeding a 7.5 earthquake less the frequency of exceeding an 8.0 earthquake: NTF2 = TF2 - TF3 = 0.001 - 0.00 = 0.001. R2 = (Loss basis) x (Damage factor) x (Net threat frequency) = ($1,000,000) x (1.00) x (0.001) = $1,000 per year.
   c) Net threat frequency and risk for R3. The net threat frequency is the frequency of exceeding an 8.0 earthquake: NTF3 = TF3 = 0.0. R3 = (Loss basis) x (Damage factor) x (Net threat frequency) = ($1,000,000) x (1.00) x (0.0) = $0 per year.
   d) Total risk for the asset due to earthquake in seismic zone 4: RT = R1E + R2E + R3E = $1,600 + $1,000 + $0 = $2,600 per year.

D.2.2 Estimating Consequences from Wind Loading Events

A general discussion of how wind loading is characterized is provided in Section D.1.3. The details of how to calculate risk due to wind loading are provided in this section.

D.2.2.1 Hurricanes and Wind Loading

Figure D-2 provides a wind velocity map for the United States that indicates the maximum expected wind velocity for a fifty-year recurrence interval. The requirements of the Uniform Building Code for wind design are based upon data of this type. The UBC has a rather complex procedure for wind design that includes factors for gust effects; nearby buildings, trees, and ground effects that could reduce the local wind velocity; uplift due to aerodynamic effects; the height of the structure; etc. Wind velocity is converted to a design pressure in pounds per square foot (psf) of projected area. Wind loads seldom exceed the design basis in the UBC, except for hurricanes and tornadoes. For the purposes of the hazards loss estimate, it is assumed that structures and equipment designed in accordance with the UBC, which includes most, if not all, critical infrastructure, do not suffer damage unless there is a hurricane or strong wind that exceeds the design basis for that region. (It will be assumed that damage due to a tornado causes complete destruction of the asset, buildings and equipment. Tornado loss is discussed in Section D.2.2.) Hurricane damage is somewhat more difficult to characterize than tornado loss.
If a building or structure were designed for a Category 3 hurricane (wind speed in the range of 111-130 mph), the structure would be expected to survive even if the wind speed were 150 mph, which would be classified as a Category 4 hurricane. Experience indicates there is considerable resilience in infrastructure equipment. Refineries in the path of Hurricane Katrina were back on line soon after the storm passed through and workers could return to the area. Wind forces are proportional to the square of the wind speed; thus, if wind speed is increased by 50%, the forces on the structures are more than doubled (1.5 squared, or 225%). Losses would be expected to increase rapidly as the wind velocity exceeds the design value of the UBC.


It is assumed that hurricanes and tornadoes are the only significant risk events attributable to high velocity wind. The probability of exceeding the UBC design basis for windstorms not associated with hurricanes or tornadoes is considered small enough to be ignored in comparison with other natural hazards. Further, freak windstorms that cause significant local damage are often categorized as tornadoes.

The risk assessment procedure for hurricanes and high winds is as follows:

1) Determine the design wind velocity used for the infrastructure asset in question. If this cannot be determined, use the minimum wind speed map provided in Figure D-2 to estimate the most likely design wind speed.
2) Determine the hurricane category from the Saffir-Simpson Scale (see Table D-1). Assume the wind speed exceeds the design speed by one category. For example, if the design speed is 110 mph (Category 2 hurricane), assume a Category 3 hurricane.
3) Find the frequency of occurrence for the higher category hurricane velocity. The frequency maps contained in this section give the approximate return period for a hurricane of a given category or greater passing within 75 nautical miles (86 statute miles) of a given location.
4) Determine the consequences by selecting the appropriate vulnerability or damage coefficient (see Table D-2) and calculating the asset repair/replacement cost.
5) Select the magnitude multiplier for the given category hurricane. For hurricanes one category above design speed, use 0.50; for hurricanes two categories or more above design speed, use 1.0.
6) Calculate the risk associated with this hurricane using the risk equations described previously. Repeat as necessary for all hurricane categories above the design speed.
7) Calculate the total risk due to hurricane damage as the sum of the risks calculated in step 6.

Thus, the risk for a given category hurricane is:

Ri = Ci x Vi x Ti

The total risk is the sum of Ri for all categories above the design speed:

RT = R1H + R2H + R3H + R4H + ...

Calculating Consequences. The loss coefficients in Table D-2 should be used to calculate the basic repair/replacement costs. The loss includes the repair and replacement of the plant equipment, reduced by the magnitude multiplier of step 5 and the Table D-2 vulnerability, plus the first-order cascading effects. The total consequences are:

Loss = (Repair and replacement costs) x (magnitude multiplier) x (vulnerability) + Owner's first-order operating losses


Buildings will generally suffer more damage from a hurricane than equipment and piping. Frame structures are normally flexible and will deform significantly, which damages masonry, veneer, internal walls, etc. Normally the damage can be repaired, but the cost is a higher percentage of the total replacement cost. Newer buildings, presumably built to modern standards, should fare better than older buildings. Structures with structural upgrades should be considered recent for costing purposes. Buildings not designed to code and portable buildings are expected to incur the greatest damage. These considerations are reflected in Table D-2.

Frequency Maps. The National Hurricane Center Risk Analysis Program (HURISK) provided the return periods used in the risk calculations. Using historical hurricane data, a mathematical function smooths the data, fills in holes, and approximates the time period over which to expect a hurricane of a given Saffir-Simpson category or greater. Thus, an area with a return value of 35 should expect a hurricane of that level once every 35 years. The maps are divided into three areas (South, Southeast, and Mid-Atlantic and New England) for each category of hurricane.

Figure D-5. Category 3 or Greater (map panels: South; Southeast; Mid-Atlantic and New England)

Figure D-6. Category 4 or Greater (map panels: South; Southeast; Mid-Atlantic and New England)

Figure D-7. Category 5 (map panels: South; Southeast; Mid-Atlantic and New England)

Example Problem: Hurricane Risk Assessment

Location: Miami, Florida

Referencing Figure D-2, find that the design basis wind is 110 mph. From Table D-1 (Saffir-Simpson Hurricane Scale), find that a Category 2 hurricane would be expected to have wind speeds up to 110 mph. Therefore, Category 3 and greater hurricanes are of concern, since they would exceed the design basis loading. Assume the asset in question is a slab-mounted pump. From Table D-2, find that the damage coefficient is 0.2. The repair/replacement cost of the pump is $2.5M. The first-order production loss is determined to be $500,000.

Hurricane Category 3 Risk

From Figure D-5, find that the return period for a Category 3 hurricane is once every 5 years, or 0.2/year.
Damage Factor = 0.5 (one category above design basis).
Loss: the slab-mounted pump is fairly impervious to hurricane winds (flooding will be checked later). Since the pump is not highly vulnerable, a factor of 0.2 is used to reduce the potential loss of the entire asset cost. Thus,

Loss for C3 = (Equipment Cost) × (Damage Factor) × (vulnerability to initiating event) + production loss
= $2.5M × (0.5) × (0.2) + $500,000 = $0.25M + $0.5M = $0.75 million

Ri = Ci × Vi × Ti
R3 = C3 × V3 × T3 = $750,000 × T3 = $750,000 × (0.2) = $150,000

Hurricane Category 4 Risk

From Figure D-6, find T = 1 every 11 years, or 0.091/year.
The damage factor for two categories above design basis is 100% of the asset.

Loss basis for C4 = (Equipment value) × (Damage Factor) × (vulnerability to initiating event) + production loss
= $2.5M × (1.0) × (0.2) + $500,000 = $0.5M + $0.5M = $1.0 million

Ri = Ci × Vi × Ti
R4 = C4 × V4 × T4 = $1M × Ti = $1M × (0.2) = $200,000

Hurricane Category 5 Risk

F = 1 every 33 years, or 0.03/year.
The damage factor for two categories or more above design basis is 100% of the asset.
C5 = C4 = $1.0 million
R5 = C5 × V5 × T5 = $1M × Ti = $1M × (0.03) = $30,000

Total Risk

Total risk is the sum of R3, R4, and R5:
RT = R3 + R4 + R5 = $150,000 + $200,000 + $30,000 = $110,000
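The seven-step procedure and the Miami example above, worked in Python as an added example (not the book's code or the ASME-ITI spreadsheet; class and function names are the example's own). It assumes the 2009-era Saffir-Simpson upper wind bounds as a stand-in for Table D-1 and applies each category's own return period, so its Category 4 and total figures differ from the arithmetic printed above.

```python
"""Hurricane wind risk following the Appendix D procedure.

Added example, not the book's code. CATEGORY_MAX_MPH is an assumed stand-in for
Table D-1; return periods are the Miami values read from Figures D-5 to D-7 in the
worked example. Frequency T_i is taken as 1 / return period for each category."""
from dataclasses import dataclass

# Upper wind speed (mph) of each Saffir-Simpson category (assumed stand-in for Table D-1).
CATEGORY_MAX_MPH = {1: 95, 2: 110, 3: 130, 4: 155, 5: float("inf")}


@dataclass(frozen=True)
class Asset:
    replacement_cost: float   # repair/replacement cost, dollars
    vulnerability: float      # damage coefficient from Table D-2 (0.2 for a slab-mounted pump)
    production_loss: float    # owner's first-order operating loss per event, dollars


def design_category(design_speed_mph: float) -> int:
    """Step 2: lowest category whose upper bound covers the design wind speed (110 mph -> 2)."""
    for cat in sorted(CATEGORY_MAX_MPH):
        if design_speed_mph <= CATEGORY_MAX_MPH[cat]:
            return cat
    raise ValueError("design speed outside the Saffir-Simpson scale")


def magnitude_multiplier(category: int, design_cat: int) -> float:
    """Step 5: 0.5 for one category above design basis, 1.0 for two or more above."""
    above = category - design_cat
    if above < 1:
        return 0.0          # at or below design basis: no loss is counted by this procedure
    return 0.5 if above == 1 else 1.0


def category_loss(asset: Asset, category: int, design_cat: int) -> float:
    """Consequence for one category: replacement x multiplier x vulnerability + production loss."""
    mult = magnitude_multiplier(category, design_cat)
    if mult == 0.0:
        return 0.0
    return asset.replacement_cost * mult * asset.vulnerability + asset.production_loss


def hurricane_risk(asset: Asset, design_speed_mph: float,
                   return_period_years: dict[int, float]) -> dict:
    """Steps 6-7: R_i = (consequence incl. vulnerability) x T_i per category, and their sum."""
    design_cat = design_category(design_speed_mph)
    per_category = {}
    for cat, years in sorted(return_period_years.items()):
        if cat <= design_cat:
            continue        # does not exceed the design basis loading
        per_category[cat] = category_loss(asset, cat, design_cat) / years
    return {"design_category": design_cat, "per_category": per_category,
            "total": sum(per_category.values())}


if __name__ == "__main__":
    # Miami: 110 mph design basis, slab-mounted pump, $2.5M, vulnerability 0.2, $500k production loss
    pump = Asset(replacement_cost=2_500_000, vulnerability=0.2, production_loss=500_000)
    result = hurricane_risk(pump, 110, {3: 5, 4: 11, 5: 33})
    for cat, risk in result["per_category"].items():
        print(f"Category {cat}: ${risk:,.0f}/year")
    print(f"Total: ${result['total']:,.0f}/year")
```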

D.2.2.2 Tornadoes

Damage caused by a tornado is of a significantly different nature than the damage caused by hurricanes or strong winds. Tornadoes typically exhibit wind speeds much higher than hurricanes or even freak windstorms. Additionally, a tornado derives its destructive force from a combination of effects. Hurricanes, in the area affected, consist primarily of unidirectional winds. While a hurricane does rotate about the eye, in a counterclockwise direction in the northern hemisphere, the radius of the storm is so large that the barometric pressure is essentially constant over the local area affected by the wind.

A tornado is a violently rotating column of air which is in contact with both a cumulonimbus (or, in rare cases, cumulus) cloud base and the surface of the earth. Tornadoes come in many sizes, but are typically in the form of a visible condensation funnel, with the narrow end touching the earth. Often, a cloud of debris encircles the lower portion of the funnel. Most tornadoes have winds of 110 mph or less, are approximately 250 feet across, and travel a few miles before dissipating. However, some tornadoes can have winds of more than 300 mph, are more than a mile across, and stay on the ground for dozens of miles.

The damage caused by a tornado is due to two effects. The first is the direct result of the wind impinging upon an object. The velocity of the air is suddenly reduced significantly when it encounters the object, and the stagnation pressure results in a force on the exposed surface.


The second effect causing damage is due to the small rotation radius of the tornado. The funnel of the tornado is typically only 250 feet in diameter. Thus, the high velocity air that circles the center of the funnel will produce a partial vacuum inside the funnel. This is the so-called Bernoulli effect. Daniel Bernoulli derived the following equation that provides the relationship between velocity and pressure:

where
v = fluid velocity along the streamline
g = acceleration due to gravity
h = height of the fluid
p = pressure along the streamline
ρ = density of the fluid

In the case of a tornado, this equation explains why the higher the velocity of the moving air, the lower the pressure inside the funnel. The local pressure inside the funnel is quite low compared to normal atmospheric pressure because of the extremely high winds in a tornado and the small diameter. The tornado is a local phenomenon and moves at a relatively high velocity along its path of destruction. Thus, the tornado can quickly reduce the external pressure around an object without allowing time for the internal pressure to equalize with the lowered external pressure. A closed structure, such as a house, will literally explode when the tornado passes over it. The higher internal pressure inside the house will cause the walls and roof to be blown outward, destroying the integrity of the structure. The high velocity winds can then demolish the remaining structure.

The previous discussion explains why certain types of structures are more likely to be demolished by a tornado than others. Open space-frame type structures, like piping and slab-mounted equipment, pipe racks, beam and column frames, free-standing pressure vessels and machinery, will be affected by the high velocity winds, but the pressure differential does not typically cause damage. Closed structures are much more likely to be demolished. However, blast-resistant structures, such as control rooms for refineries, underground storage for water treatment facilities, bunkers used for storing explosives and military equipment, etc., have the capability to survive tornadoes. For the purposes of this analysis, it is assumed that damage due to any category or magnitude tornado will cause complete loss to buildings and equipment. However, the economic loss, explained above, will be used to estimate the maximum reasonable consequences, so there may be considerable residual scrap value. The vulnerability factor for tornadoes is provided in Table D-4. The frequency of tornadoes is low and the area affected by a tornado is normally small compared to a hurricane or windstorm, so the probability of tornado damage is small, resulting in low risk.


For estimating tornado loss, the vulnerability of the asset, based upon the loss factor cost estimate, is assumed as 1.0, and the frequency is based upon the number (N) of tornadoes in a given location multiplied by the ratio of the average affected area (AAA) for a single tornado to the total area of interest. In equation form:

Frequency = N × (AAA) / (Total Area of Interest)

For the United States, the average tornado has a 4.4 mile length (standard deviation of 9.38 miles), 0.073 mile width (standard deviation of 0.12 miles) and 1.04 square mile area (standard deviation of 4.32 square miles). These measurements must be positive, and since the standard deviations are larger than the mean values, highly skewed distributions exist: many more small tornadoes occur than large tornadoes. Thus, in many ways the median tornado is more representative than the average; this typical United States tornado is 0.994 miles long, 141 feet wide and devastates 0.06 square miles.[19] The affected area due to one tornado was taken to be 0.10 km2 or 0.062 square miles. The area of all counties in the United States is provided for reference. The average number of tornadoes occurring each year has also been tabulated by county. The frequency is determined by the preceding equation, using the data described. This information has been incorporated into an Excel database used for making risk calculations. The database is available from the authors.

Table D-4. Tornado Vulnerability

Equipment Types and Mountings | Tornado Vulnerability
Slab mounted equipment: pumps, valves, compressors, meters, electric motors, electrical controls, consoles, etc. | 0.4
Buried piping | 0.4
Hot water heaters and similar equipment equipped with seismic restraints | 0.4
Automobiles and trucks, heavy equipment | 0.4
Above ground piping designed to accepted codes and standards such as ANSI B31.1, ANSI B31.3 | 0.4
Pressure vessels designed to ASME Codes and Standards | 0.5
Buildings designed to UBC Code or equivalent | 1.0
Buildings not designed to codes | 1.0
Portable buildings and trailers | 1.0

[19] Schaefer, Joseph T., Kelly, Donald L., and Abbey, Robert F. A Minimum Assumption Tornado-Hazard Probability Model, Journal of Climate and Applied Meteorology, Vol. 25, pp. 1934-1945.


Example Problem: Wind and Tornado Risk

The loss is calculated using the same method as described in the preceding example problems. The loss of production is estimated and included as part of the potential loss estimate. These loss estimates are based upon the following assumptions:

1) Total replacement cost = $2.5 million.
2) Loss of operating revenue is estimated to be $1,000,000.
3) For the purposes of this analysis, it is assumed that damage due to a tornado will not result in complete loss to buildings and equipment. Table D-4 indicates that for slab-mounted equipment, such as the pump and ancillary equipment considered in this example problem, the vulnerability of this asset is 0.4; that is, the repair/replacement cost for this event would amount to 40% of the value of replacing the whole unit.
4) The estimate for frequency (F) is the expected number (N) of tornadoes per year in a given county multiplied by the Average Affected Area (AAA) for a single tornado and divided by the total area of the county (Ac). In equation form: F = N × (AAA)/(Ac), where AAA is estimated to be 0.0386 mi2.

Givens for this problem:
Location: El Paso County, Colorado
Asset: Slab-mounted pump and controls
Cost to replace: $2.5M
Vulnerability: 0.4 (Table D-4)
Average affected area: 0.0386 mi2

It was determined from the ASME-ITI tornado frequency database that the probability of a tornado hitting this asset is 0.0000243 events/year.

Data (from ASME-ITI database):
El Paso County averages 1.34 tornadoes each year.
The area of the county is 2,126 mi2.
The average area affected by a tornado is 0.0386 mi2.
Frequency = 1.34/year × (0.0386 mi2 / 2,126 mi2) = 0.0000243/year.

The risk is calculated as:
R = C × V × F
R = (($2.5M × 0.4) + $1.0M) × 0.0000243/year
R = $48.60/year

Thus, the risk due to tornadoes is very low.
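The frequency and risk equations of the example above, as an added Python example (not the book's code or the ASME-ITI tornado frequency database). The El Paso County values are the page's; the other county rows are constructed placeholders, and ranking the same asset across several counties goes beyond the single-county case in the text.

```python
"""Tornado frequency and risk per Appendix D: F = N x AAA / A_c and R = C x V x F.

Added example, not the book's code. El Paso County, Colorado values are from the
worked example; the placeholder counties are constructed to show the ranking."""
from dataclasses import dataclass

AAA_MI2 = 0.0386   # average affected area of one tornado, square miles (example problem)


@dataclass(frozen=True)
class County:
    name: str
    tornadoes_per_year: float   # N, average annual tornado count for the county
    area_mi2: float             # A_c, county area in square miles


def tornado_frequency(county: County, affected_area_mi2: float = AAA_MI2) -> float:
    """F = N x AAA / A_c: expected tornado strikes per year on a point asset in the county."""
    if county.area_mi2 <= 0:
        raise ValueError("county area must be positive")
    return county.tornadoes_per_year * affected_area_mi2 / county.area_mi2


def tornado_risk(replacement_cost: float, vulnerability: float,
                 production_loss: float, frequency: float) -> float:
    """R = C x V x F, with consequence = replacement cost x vulnerability + lost operating revenue."""
    return (replacement_cost * vulnerability + production_loss) * frequency


def rank_counties(counties, replacement_cost, vulnerability, production_loss):
    """Annual tornado risk for the same asset placed in each county, highest first."""
    rows = [(c.name, tornado_risk(replacement_cost, vulnerability, production_loss,
                                  tornado_frequency(c))) for c in counties]
    return sorted(rows, key=lambda row: row[1], reverse=True)


COUNTIES = [
    County("El Paso County, CO", 1.34, 2126),    # values from the example problem
    County("Placeholder County A", 3.0, 900),    # constructed
    County("Placeholder County B", 0.2, 4000),   # constructed
]

if __name__ == "__main__":
    f = tornado_frequency(COUNTIES[0])
    print(f"El Paso frequency: {f:.3e}/year; risk: "
          f"${tornado_risk(2_500_000, 0.4, 1_000_000, f):.2f}/year")
    # Sensitivity: the mean tornado area (1.04 mi2) instead of the median-based 0.0386 mi2
    print(f"Using mean area 1.04 mi2: {tornado_frequency(COUNTIES[0], 1.04):.3e}/year")
    for name, risk in rank_counties(COUNTIES, 2_500_000, 0.4, 1_000_000):
        print(f"{name}: ${risk:.2f}/year")
```

The choice of affected area dominates the answer: substituting the mean area for the median-based one raises the frequency by a factor of about 27.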


D.2.3 Estimating Consequences from Floods

Estimating flood loss is somewhat different from estimating losses from either seismic events or wind events. Wind and seismic events have the potential for destroying or severely damaging the entire structure. Floods, on the other hand, normally cause water damage only. Water loss consists primarily of severe electrical damage to wiring and motors, switchgear, telephone and communication equipment; residual mud and debris; mold, rot and damage to carpets, drapes, furniture; and equipment that is sensitive to oxidation (rusting). In order to assess the loss, the following information will be required:

- Is the building/asset constructed using flood-resistant materials (concrete, ceramic, pressure-treated lumber)?
- Is the building/asset sealed so that water cannot enter ("dry flood-proof")?
- Are electrical system components (circuit breakers, meters, outlets) raised from the floor?
- Are all gas storage tanks and gas cylinders anchored?
- Is all HVAC equipment located on an upper floor as opposed to a basement level?
- Are sewer backflow valves installed on drainage pipes?
- Does the building/asset have alternative power sources available if it loses power?
- Are spare parts or critical equipment inventory available for use in the event of an attack/hazard?

It is also necessary to know the risk of flood and the expected flood depth. Flood zone information can be obtained from a Flood Insurance Rate Map (FIRM), which can be accessed online from: http://msc.fema.gov/webapp/wcs/stores/servlet/CategoryDisplay?catalogId=10001&storeId=10001&categoryId=12001&langId=-1&userType=G&type=1. In general, all flood zones should consider a 1% annual chance of flooding. Use the descriptions below to determine the likely depth of floods and then calculate consequences. The vulnerability table provided will help determine your organization's vulnerability.

D.2.3.1 Flood Loss Estimation Procedure

Flood loss or consequence is highly dependent upon the details of the buildings and equipment subjected to the floodwater. The questions in Section D.2.3, above, should be addressed to determine the vulnerability of the facility. For example, if the building is constructed of water-tolerant materials, then much less damage is expected than for materials that are ruined when water-soaked. Similarly, if electrical components are subjected to inundation, such as in underground conduit, manholes and trenches, and are not waterproof, then it must be assumed there will be extensive damage.


Mechanical equipment, such as piping, pumps, valves, and tanks, may not be damaged, but the controls, motors, electrical and communication equipment, thermocouples, etc. may need replacement or repair. Tall buildings typically sustain a smaller damage fraction than one-story buildings, for obvious reasons. It is clear that flood damage is not easily characterized or generalized. The loss estimation procedure is as follows:

First, using the FEMA FIRM (see above), determine the flood level for the site. The water heights are estimated in increments of one foot, 1.5 feet, and three feet. Note that the FEMA data may be incomplete and may not specifically cover all parts of the site. It is recommended that common sense be used in estimating water height. Historical information for the site and ground elevation should be included in the loss estimate.

Second, using the insight gained from answering the above questions, determine which components will be damaged or completely ruined by standing water and their replacement costs. This will provide the best possible basis for estimating the flood loss.

Third, estimate the down time required to repair or replace the assets. Knowing the down time and considering contingency plans, resilience and redundancy, estimate the loss due to down time. The total loss will consist of the sum of the repair and replacement cost plus the loss due to lost production capability and other first-order effects, such as denial of service to other assets, loss of access to the building during flood and clean-up, etc.

The flood risk will then be the product of the likelihood, normally 1/100 years or 0.01 events per year, times the total estimated loss. In equation form:

Ri = Fi × (total loss from step three)

FEMA nomenclature should be interpreted as follows to maintain consistency:

Moderate to Low Risk Areas
Zones B, C, and X: Assume average flood depths are less than 1 foot.

High Risk Areas
Zone A: Assume flood depth of at least 1 foot.
Zones AE and A1-A30: Assume flood depth of at least 1 foot. In most instances, base flood elevations derived from detailed analyses are shown at selected intervals within these zones.
Zone AH: Assume average flood depth ranging from 1 to 3 feet.
Zone AO: Assume average flood depth ranging from 1 to 3 feet.
Zone AR: Assume flood depth of at least 1 foot due to the building or restoration of a flood control system (such as a levee or a dam).
Zone A99: Assume flood depth of at least 1 foot.

High Risk - Coastal Areas
Zone V: Assume flood depth of at least 1 foot with an additional hazard associated with storm waves.
Zones VE and V1-V30: Assume flood depth of at least 1 foot with an additional hazard associated with storm waves.

Undetermined Risk Area
Zone D: Areas with possible but undetermined flood hazards. Use best judgment on a case-by-case basis.
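An added Python example (not the book's code) that turns the FEMA zone interpretations and the three-step loss procedure above into a calculation over a constructed pump-station inventory. It assumes the upper end of each stated depth range as the design depth (1 ft for the "less than 1 foot" and "at least 1 foot" zones, 3 ft for AH and AO) and the 1% annual flood chance; component names, costs and heights are constructed.

```python
"""Flood loss and risk per Section D.2.3: R_i = F_i x (repair + downtime loss).

Added example, not the book's code. Zone depths are an assumption taken from the
text's ranges (upper end); the component inventory is constructed."""
import re
from dataclasses import dataclass

FLOOD_FREQUENCY = 0.01   # 1% annual chance of flooding assumed for all zones

# FEMA zone label -> assumed design flood depth in feet (Zone D handled separately)
ZONE_DEPTH_FT = {"B": 1.0, "C": 1.0, "X": 1.0, "A": 1.0, "AE": 1.0, "AH": 3.0,
                 "AO": 3.0, "AR": 1.0, "A99": 1.0, "V": 1.0, "VE": 1.0}


def zone_flood_depth(zone: str):
    """Return (depth_ft, wave_hazard); A1-A30 and V1-V30 are treated like AE and VE."""
    z = zone.strip().upper()
    m = re.fullmatch(r"([AV])([1-9]|[12][0-9]|30)", z)
    if m:
        z = m.group(1) + "E"
    if z == "D":
        return None, False          # undetermined hazard: analyst's judgment, no default depth
    if z not in ZONE_DEPTH_FT:
        raise ValueError(f"unknown FEMA zone {zone!r}")
    return ZONE_DEPTH_FT[z], z.startswith("V")   # V zones carry the storm-wave hazard


@dataclass(frozen=True)
class Component:
    name: str
    replacement_cost: float
    height_ft: float            # mounting height above floor/grade
    water_tolerant: bool        # flood-resistant construction (concrete, ceramic, sealed mechanical)


def flood_loss(components, depth_ft: float, downtime_loss: float) -> dict:
    """Steps two and three: inundated, non-tolerant components are ruined; add downtime loss."""
    ruined = [c for c in components if c.height_ft < depth_ft and not c.water_tolerant]
    repair = sum(c.replacement_cost for c in ruined)
    return {"ruined": [c.name for c in ruined], "repair": repair, "total": repair + downtime_loss}


def flood_risk(components, zone: str, downtime_loss: float, frequency: float = FLOOD_FREQUENCY):
    """R_i = F_i x total loss for the zone's assumed depth; None for Zone D."""
    depth, waves = zone_flood_depth(zone)
    if depth is None:
        return None
    loss = flood_loss(components, depth, downtime_loss)
    loss.update({"depth_ft": depth, "wave_hazard": waves,
                 "risk_per_year": frequency * loss["total"]})
    return loss


# Constructed pump-station inventory for illustration
PUMP_STATION = [
    Component("slab-mounted pump (cast iron)", 200_000, 0.0, True),
    Component("pump motor", 50_000, 0.0, False),
    Component("switchgear", 120_000, 2.0, False),
    Component("control panel", 80_000, 4.0, False),
]

if __name__ == "__main__":
    for zone in ("X", "AE", "AH", "VE", "A7", "D"):
        print(zone, flood_risk(PUMP_STATION, zone, downtime_loss=300_000))
```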


