New tool for analyzing risk

Researchers at the Air Force Research Laboratory’s Airbase Technologies Division here have developed a new security risk-assessment methodology and are developing a supporting software tool that integrates and transforms the traditional vulnerability assessment into a true risk-management process. The new methodology, for use at all military installations, accomplishes key elements of the installation antiterrorism program as required by Department of Defense and Air Force standards. “All military bases have valuable assets, whether those assets are buildings, equipment or personnel,” said Walt Waltz, the Robotic Group lead, “Each base is required to perform antiterrorism vulnerability assessments to identify areas for security improvement. Due to the size of military bases and the large number of assets they possess, this can prove to be a time-consuming and difficult task.”

According to Waltz, officials at Air Force bases currently use a standards-based security approach that applies the same standards across the board, whether the base is in the relatively secure United States or in a less stable foreign country. The researchers developed a tool which helps implement effects-based security. This approach looks at each base’s risks locally and individually, and employs security tactics, techniques and procedures specific to that base and its assets. The researchers’ methodology helps installation security officers answer three questions:

• What are an installation’s key assets?
• What genuine threats are there that can damage or destroy these assets
• What vulnerabilities exist allowing the threats to successfully attack each asset?

By answering these questions in an organized and structured way, security officers can determine which threats and tactics present the most risk and can develop targeted security activities to prevent those attacks.

“To conduct the risk assessments in a less time-consuming and more accurate manner, researchers developed a database program that assigns standardized numerical values to each asset, to each threat to the asset, and to each vulnerability allowing an attack against the asset,” Waltz said. “The program, using these numerical values, calculates the risk factors to the installation and ranks them in order, from risks that are totally unacceptable and must be reduced, to those that are tolerable. With this information, base commanders can make informed decisions about where to spend money to improve security.”

Officials say the subsequent software tool is similar to commercial off-the-shelf income tax preparation software, walking base security specialists through a series of questions to elicit the data required to complete a useful risk assessment and report. AFRL researchers estimate the software will be available in late 2009.