Risk Management for DoD Security Programs
Job Aid – Risk Management Tables/Charts/Worksheets
Risk Management Tables/Charts/Worksheets
This job aid provides examples of each of the tables, charts and worksheets that are referenced in the courseware and
are an integral part of the risk management process. This job aid can be used as quick reference material or as a starting
point in your own risk management analysis using the blank worksheets located at the end.
Impact/Risk and Threat/Vulnerability Scales
During the analysis process, values are assigned corresponding to the impact of asset loss, threats, and vulnerabilities,
and then a resulting risk value is calculated (see tables below).
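Impact and Risk Scale
|  | Low | Medium | High | Critical |
|---|---|---|---|---|
| Range | 0-3 | 4-13 | 14-50 | 51-100 |
| Mid-point | 2 | 8 | 31 | 75 |

Threat and Vulnerability Scale
| Degree of Threat | Low | Medium | High | Critical |
|---|---|---|---|---|
| Range | .01-.24 | .25-.49 | .50-.74 | .75-1.00 |
| Mid-point | .12 | .37 | .62 | .87 |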
Asset Category Tables
Assets can be assigned to one of five categories: people, information, equipment, facilities, and activities & operations.
These can be broken into multiple levels to assist with capturing details about each asset. Each level within the categories
is then used during the asset analysis. Asset analysis studies are done at a Level I, II, III, and IV, or deeper as necessary.
(See tables below)
People
Information
Equipment
Facilities
Activities & Operations
Adversary Categories
Group the identified adversaries into categories to help in the analysis and organization of your assessment. Examples of
categories include individuals, groups & organizations, and governments. (See tables below)
INDIVIDUALS
| Categories | Adversaries | Goals | Strategies |
|---|---|---|---|
| Common Criminals | • Muggers • Burglars • Petty thieves • Vandals | • Survival • Excitement | • Steal money or valuables for sale • Do destructive, but exciting things |
| Insiders | • Spies • Saboteurs • Problem employees | • Live better • Exact revenge • Excitement | • Sell secrets • Sabotage equipment • Cause bad public relations • Act violently |
| Disturbed Individuals | • Assassins • Stalkers • Harmless individuals | • Gain attention • Get relief • Respond to delusions • Suicide | • Harm or kill very important people (VIPs) • Approach VIPs or select organizations to obtain help • Express beliefs/ideas • Commit suicide |

GROUPS & ORGANIZATIONS
| Categories | Adversaries | Goals | Strategies |
|---|---|---|---|
| Terrorists | • Hezbollah • HAMAS • Nov. 17th • Others | • Force change • Gain publicity for cause | • Steal money or valuables for sale • Do destructive but exciting things |
| Corporate Competitors | • Any foreign or domestic competitor | • Capture market share • Gain advantage • Make money | • Gather proprietary info legally • Gather proprietary info illegally • Exploit competitor info |
| Narco-traffickers | • Cali Cartel • Medellin Cartel • Others | • Continue business • Stay out of jail • Make money | • Intimidate politicians and law enforcement • Co-opt key politicians and law enforcers |
GOVERNMENTS
| Categories | Adversaries | Goals | Strategies |
|---|---|---|---|
| Foreign Intelligence Entities | • SVRR • DGI | Multiple | Multiple |
| Foreign Militaries | • N. Korean Army • Iraqi Rev. Guard • Cuban Brigades • Russian GRU | To further political, economic, military, ethnic or religious agendas as defined by national leaders | • HUMINT • SIGINT • IMINT • MASINT • OSINT • Other technical collection attacks • Conventional warfare • Information Operations • Terrorism |
| State-sponsored Entities | • Hezbollah • MITI • Others | (shared with Foreign Militaries) | (shared with Foreign Militaries) |
Intent Assessment Chart
Once you have grouped the adversaries, create an Intent Assessment Chart to summarize the data. Use “yes” or “no”
responses for knowledge of an asset, need and each adversary’s demonstrated interest level. This is generally the
weakest link in the overall risk management process because access to this type of information is often limited.
Based on the number of “yes” responses, assign a high, medium, or low intent level for each adversary. Typically, three
“yes” responses equate to a high intent level, two “yes” responses translate to a medium, and one “yes” response
indicates a low overall intent level.
Intent Assessment Chart
| Adversary (Insider, Terrorist, FIE, Criminal) | Knowledge of Asset | Need | Demonstrated Interest | Overall Intent Level |
|---|---|---|---|---|
| Adversary 1 | Yes | Yes | Yes | High |
| Adversary 2 | Yes | Yes | No | Medium |
| Adversary 3 | Yes | No | No | Low |
Collection Capability Assessment Chart
Use the Collection Capability Assessment Chart to record findings when researching an adversary’s capabilities.
Adversaries may use overt or covert methods/activities to collect information. Some of these may include: SIGINT,
HUMINT, IMINT, MASINT and OSINT.
Collection Capability Assessment Chart
| Adversary (Insider, Terrorist, FIE, Criminal) | HUMINT | SIGINT | IMINT | MASINT | OSINT | Overall Capability Level |
|---|---|---|---|---|---|---|
| Adversary 1 | High | High | Medium | Medium | High | High |
| Adversary 2 | High | Medium | Low | Medium | High | Medium |
| Adversary 3 | Medium | Medium | Low | Low | Medium | Medium |
History Assessment Chart
Use the History Assessment Chart to document an adversary’s history with regard to suspected, attempted, or
successful incidents.
History Assessment Chart
| Adversary (Insider, Terrorist, FIE, Criminal) | Suspected Incidents | Attempted Incidents | Successful Incidents |
|---|---|---|---|
| Adversary 1 | 2 technical devices found | 2 attempted forced entries | Unknown |
| Adversary 2 | 5 alarm activations; adversary sighted in area | 2 attempted forced entries | Unknown |
| Adversary 3 | None | None | None |
Threat Assessment Summary Chart
Use the Threat Assessment Summary Chart to summarize intent (from Intent Assessment Chart), capability (from
Collection Capability Assessment Chart), and history (from History Assessment Chart) and assign an overall threat level
rating. The intent and capability columns are populated with high, medium, or low ratings and the history column is
populated with a “yes” or “no” response.
Threat Assessment Summary Chart
| Adversary (Insider, Terrorist, FIE, Criminal) | Intent (Interest/Need) | Capability (Methods) | History (Incidents/Indicators) | Overall Threat Level |
|---|---|---|---|---|
| Adversary 1 | High | High | Yes | High |
| Adversary 2 | Medium | Medium | Yes | Medium |
| Adversary 3 | Low | Medium | No | Low |
Threat Level Decision Matrix
Once the overall threat level is determined, create a second chart, the Threat Level Decision Matrix. Assign “yes” or “no”
ratings for each adversary’s intent, capability, and history. A threat level is assigned based on the number of “yes”
ratings. The greater the number of “yes” ratings, the higher the threat level.
For example,
yes + yes + yes = critical,
no + no + no = low.
Threat Level Decision Matrix
| Intent (Interest/Need) | Capability (Methods) | History (Incidents/Indicators) | Threat Level |
|---|---|---|---|
| Yes | Yes | Yes | Critical |
| Yes | Yes | No | High |
| Yes | No | Yes/No | Medium |
| No | Yes | No | Medium |
| No | No | No | Low |
Countermeasure Classification Chart
Countermeasures are classified according to their implementation requirements. A countermeasure can be procedural,
can involve equipment or devices, or can involve personnel.
Countermeasure Classification Chart
| Procedures | Equipment (Physical/Technical) | Manpower |
|---|---|---|
| • Security Policies | • Locking Mechanism | • Contractor Guard Force |
| • Security Procedures | • Window Bars | • Special Police Officers |
| • Training | • Doors | • Local Guards |
| • Awareness Programs | • Fences | • Military Guards |
| • Legal Prosecution | • Alarms/Sensors |  |
| • Security Investigations | • Hardware/Software |  |
| • Polygraph | • Badges |  |
| • Disclosure Statements | • Lighting |  |
| • Personnel Transfer | • TEMPEST Devices |  |
| • Contingency/Emergency Response Planning | • Paper Shredder |  |
| • OPSEC Procedures | • Weapons |  |
| • Cover Procedures | • Closed-circuit TV |  |
|  | • Safe Haven/Vault |  |
Countermeasure Worksheet
Use the Countermeasure Worksheet to categorize projected vulnerability-reducing countermeasures along with estimated
costs.
Countermeasure Worksheet
| Undesirable Events | Procedures | Equipment | Manpower |
|---|---|---|---|
| Surreptitious Entry | Procedures to secure facilities after hours; Cost: moderately inconvenient | Doors, locks, bars - $5000; IDS - $20,000 | Contractor Guards - $100K; SPOs - $250K; Military Guards - $250K |
| Kidnapping an Official | Vary travel route; Cost: moderately inconvenient; Relocate official - $10000 | Doors, locks, bars - $5000; IDS - $20,000; Bullet proof car - $40K; Residential: CCTV - $170K | Contractor Guards - $100K; SPOs - $250K |
| Compromised Documents | Security awareness briefing; Cost: negligible; Strict control procedures; Costs: moderately inconvenient | System audit trail - $125K; Password/user ID software - $50K | N/A |
Countermeasure Effectiveness Table
This table can be used for tracking countermeasure effectiveness against potential threats of undesirable events. A
ten-point scale is used to indicate the relative level of effectiveness for each countermeasure, with 1 being extremely
low and 10 being highly effective.
Countermeasure Effectiveness Table
Countermeasures | Surreptitious Entry | Kidnapping | Documents Stolen | Terrorist Attack
Doors, Locks, Bars 4
Alarms, Sensors 5
Contractor Guards 6
Special Police Officers 9
Military Guards 9
Vary Travel Routes 5
Relocate Official 8
Residence Locks, Bars 4
Residence Alarms 5
Residence Sensors 5
Bullet-proof Car 4
Residence CCTV 7
Security Awareness 7
Strict Media Controls 6
System Audit Trail 6
Passwords 6
Defensive Driving 4
Vehicle Checks 7
Emergency Procedures 4
Metal Detectors 5
Fences, Barriers 5
Countermeasure Analysis Chart
The Countermeasure Analysis Chart is used to determine appropriate countermeasures for mitigating an asset’s
vulnerabilities. All the information acquired to this point in the risk management process will be used in conducting a
countermeasure analysis.
Countermeasure Analysis Chart
| Undesirable Events (1) | Existing Risk (2) | Related Vulnerability Level & Vulnerability (3) | Countermeasure (4) | Cost (5) | New Vulnerability Level (6) | New Risk Level (7) |
|---|---|---|---|---|---|---|
| Motorcade Attack – assassination of VIP | 75.27 (Critical) | .80 – Cars not inspected | Car inspection program | $5,000 | .40 (Medium) | 37.6 (High) |
| Information Loss – Mission Failure | 46.03 (High) | .65 – Ineffective document control | Document control system | $8,000 | .15 (Low) | 10.6 (Medium) |

Existing Risk => 60.7; Total Cost => $13,000; New Risk Level => 24.1 (High)
Risk Formula
The three risk factors are incorporated in the formula below to determine a more precise risk rating:
Risk = Impact x (Threat x Vulnerability) or (R = I [T x V])
“Impact” represents the consequence of the asset loss to the asset owner.
The “Threat x Vulnerability” value represents the probability of the undesirable event occurring.
Risk Assessment Worksheet
Once the impact of an undesirable event is defined, create a worksheet for organizing and later analyzing the information.
Columns are completed during each step of the risk management process. (See below for an example of a completed
worksheet).
Risk Assessment Worksheet
| Asset | Undesirable Event/Impact | Ling. Value (Impact) | Num. Rating (Impact) | Threat Category | Ling. Value (Threat) | Num. Rating (Threat) | Vulnerability Category | Ling. Value (Vuln) | Num. Rating (Vuln) | Risk Rating |
|---|---|---|---|---|---|---|---|---|---|---|
| People | Motorcade attack -> assassination of VIP | H/C | 97 | Terrorist | H/C | .97 | Cars not inspected | C | .80 | 75.27 |
|  | Criminal activity -> employee kidnapping | L/C | 51 | Terrorist | L/H | .50 |  |  |  |  |
| Information | Loss -> mission failure | H/C | 97 | FIE/Insider | H/H | .73 | Ineffective document control | H | .65 | 46.03 |
|  | Unauthorized release -> capability disclosures | H/M | 13 | Insider | M/M | .37 |  |  |  |  |
| Equipment | Theft -> loss of computers | H/H | 48 | Criminal | L/M | .30 | No IDS System | H | .55 | 7.92 |
|  | Implant -> compromise information | L/M | 4 | FIE | H/H | .70 |  |  |  |  |
| Facilities | Mail bomb -> destruction of property | M/H | 25 | Terrorist | L/M | .25 | No patrols at building | M | .35 | 2.19 |
|  | Technical attack -> loss of information | L | 3 | Terrorist | H/H | .74 |  |  |  |  |
| Activities & Operations | Disrupt R&D -> schedule attack | M/M | 10 | FIE/Insider | L | .12 | No backup power supply | M | .40 | .48 |
|  | Poor OPSEC -> operational disclosure | L/H | 15 | Militant | M/M | .37 |  |  |  |  |
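
Added example (not part of the original job aid): the Risk Formula applied to the completed worksheet rows and to the two entries of the Countermeasure Analysis Chart, with each result mapped back to the page's scales. The function names and shortened event labels are hypothetical, and reading the chart's 60.7 and 24.1 totals as the mean of the row values is an assumption the page does not state.

```python
# Band edges come from the page's two scales; placing a fractional score that
# falls between two printed ranges (e.g. 13.5) in the higher band is an assumption.
IMPACT_RISK_BANDS = [(4, "Low"), (14, "Medium"), (51, "High"), (100.01, "Critical")]
THREAT_VULN_BANDS = [(0.25, "Low"), (0.50, "Medium"), (0.75, "High"), (1.001, "Critical")]

def band(value, bands):
    """Map a numerical rating to its linguistic rating."""
    for upper, label in bands:
        if value < upper:
            return label
    raise ValueError(f"{value} is above the top of the scale")

def risk(impact, threat, vulnerability):
    """R = I x (T x V), rejecting inputs that are off the page's scales."""
    if not 0 <= impact <= 100:
        raise ValueError("impact must be within 0-100")
    if not all(0.01 <= p <= 1.0 for p in (threat, vulnerability)):
        raise ValueError("threat and vulnerability must be within .01-1.00")
    return impact * threat * vulnerability

# (event, impact, threat, vulnerability): the fully rated worksheet rows.
WORKSHEET = [
    ("Motorcade attack", 97, 0.97, 0.80), ("Information loss", 97, 0.73, 0.65),
    ("Theft of computers", 48, 0.30, 0.55), ("Mail bomb", 25, 0.25, 0.35),
    ("Disrupt R&D", 10, 0.12, 0.40),
]
# event -> (new vulnerability level, cost in dollars), from the analysis chart.
COUNTERMEASURES = {"Motorcade attack": (0.40, 5000), "Information loss": (0.15, 8000)}

def countermeasure_analysis(worksheet, countermeasures):
    """Re-score every mitigated event with its new vulnerability level."""
    rows = []
    for event, impact, threat, vuln in worksheet:
        if event in countermeasures:
            new_vuln, cost = countermeasures[event]
            rows.append({"event": event, "cost": cost,
                         "existing": risk(impact, threat, vuln),
                         "new": risk(impact, threat, new_vuln)})
    return rows

def totals(rows):
    """Mean existing risk, mean new risk, summed cost (the mean is an assumption)."""
    if not rows:
        raise ValueError("no mitigated events to total")
    means = [sum(r[k] for r in rows) / len(rows) for k in ("existing", "new")]
    return means[0], means[1], sum(r["cost"] for r in rows)

if __name__ == "__main__":
    print(totals(countermeasure_analysis(WORKSHEET, COUNTERMEASURES)))
```

Only threat and impact stay fixed between the existing and new risk values; the countermeasure changes the vulnerability term alone, which is why the $5,000 car inspection program moves the motorcade event from Critical to High.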
Sample Asset Assessment Worksheet (Step 1)
| Critical Asset | Potential Undesirable Event | Impacts | Impact Rating |
|---|---|---|---|
| Activities/Operations |  |  |  |
| Equipment |  |  |  |
| Facilities |  |  |  |
| Information |  |  |  |
| People |  |  |  |
Sample Threat Assessment Worksheet (Step 2)
| Critical Asset | Potential Undesirable Event | Threat/Adversary | Impact Rating |
|---|---|---|---|
| Activities/Operations |  |  |  |
| Equipment |  |  |  |
| Facilities |  |  |  |
| Information |  |  |  |
| People |  |  |  |
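Sample Risk Assessment Worksheet (Step 4)
| Asset | Undesirable Event/Impact | Ling. Value (Impact) | Num. Rating (Impact) | Threat Category | Ling. Value (Threat) | Num. Rating (Threat) | Vulnerability Category | Ling. Value (Vuln) | Num. Rating (Vuln) | Risk Rating |
|---|---|---|---|---|---|---|---|---|---|---|
| People |  |  |  |  |  |  |  |  |  |  |
| Information |  |  |  |  |  |  |  |  |  |  |
| Equipment |  |  |  |  |  |  |  |  |  |  |
| Facilities |  |  |  |  |  |  |  |  |  |  |
| Activities & Operations |  |  |  |  |  |  |  |  |  |  |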
Sample Cost-Benefit Analysis Worksheet (Step 5)
| Undesirable Events | Countermeasures | Risk Level Reduced From | Risk Level Reduced To | Cost | Comments |
|---|---|---|---|---|---|
|  |  |  |  |  |  |