Risk assessments and future challenges

FBI Law Enforcement Bulletin,The, July, 2005 by W. Dean Lee

Assessing threats involves identifying and assessing all of the threats associated with each asset. For example, law enforcement officers might face two main street hazards: criminals and irate citizens. First, a department identifies the specific potential adversaries for each threat. Criminal adversaries could include local street gangs and organized crime figures, whereas irate citizens could comprise spouses engaged in chronic and escalating domestic violence. Next, the risk managers write a brief statement highlighting each adversary's intent, capability, and history of violence. Then, they assign a linguistic rating (value/criticality) to each danger based on the adversary's overall intent, capability, and history. The risk managers assess a threat according to one of the following four defined criticality ratings and then further refine it into three values of low, medium, or high. The definitions for threats differ greatly from those for assets and vulnerabilities.

* Critical: a definite danger as the adversary has both the intent and capability to launch an assault and a history of conducting similar incidents.

* High: a credible danger as the adversary has either the intent or capability to launch an assault and a history of conducting similar incidents.

* Medium: a potential danger as the adversary has the intent and the potential to receive the capability through a third party to launch an assault and has a history of similar incidents.

* Low: little or no credible evidence of the adversary's intent or capability to launch an assault and no history of conducting similar incidents.

In the example of street gangs as a threat, the department might assign a threat rating of medium/critical, meaning that a department considers the threat as overall critical and at the center of the category. Finally, the risk managers convert the linguistic ratings into numeric threat values and record the results for each identified adversary. The numeric value will be threat (T) in the equation I X T X V = R. Table B and Chart 2 illustrate this process.

VULNERABILITIES

Vulnerabilities represent weaknesses that an adversary can exploit to gain access to an asset. In essence, vulnerabilities are pathways leading to PIOEFS assets that include people, information and information systems, operational procedures and personnel practices, equipment characteristics, facility locations and building features, and social-psychological weaknesses.

Assessing vulnerabilities involves first identifying the specific potential weaknesses for each asset. For example, law enforcement officers might experience human temptations to misbehave or become hampered by obsolete departmental policies and procedures. Next, the risk managers determine the existing countermeasures for each asset and their level of effectiveness in reducing vulnerabilities. Then, the risk managers assign a linguistic rating (value/criticality) for each according to one of the following four defined criticality ratings and further refine the vulnerability into three values of low, medium, or high, which differ significantly from those for assessing assets and threats.