Risk Assessment Methodology


The probability risk assessment methodology is typically defined in terms of the likelihood of a detrimental consequence from a course of action or activity. Under this approach, a risk is represented by two numbers: the intensity of the likely negative impacts, and the possibility that those negative effects will materialize. The consequences are expressed in numerical terms, and the likelihood that they will occur is quantified using frequencies or probabilities. The intended audience for this analysis of the probability risk assessment methodology is the team that manages nuclear plants in the country, as well as all the staff who work in the nuclear reactor environment.

The probability risk assessment methodology can be credited largely to Norman Rasmussen, who was a professor at MIT and is recognized as a pioneer in the nuclear risk assessment field. In 1975, he authored the Reactor Safety Study, which covered the risk that nuclear power plant accidents posed to the public. Rasmussen became the first person to apply the probabilistic approach to assessing risk in the nuclear industry. The report, which was submitted to the Nuclear Regulatory Commission, attracted global attention and was later referred to as the Rasmussen report. It has been used as the basis for licensing and nuclear safety internationally. The probabilistic risk assessment methods championed by the report are regularly used to assess the safety of nuclear plants across the globe today and have extended to other industries. By the time Rasmussen authored the report, there was a big debate between those who supported the use of nuclear power and those who were strongly opposed to the production of nuclear energy. The group that supported nuclear energy used the probability risk methodology in nuclear risk assessment to prove that the probability of a nuclear power plant failing was minimal. On the other hand, the group that was opposed to nuclear power harshly criticized the probability risk assessment model and argued that the conclusions derived from the methodology were invalid (Frogatt, 2005).

According to risk assessment experts, a lot of effort goes into coming up with even the simplest probability risk assessment for a nuclear power plant. However, the experts appreciate that modern computers and software make it possible to use the power and speed of computers to improve the probability risk assessment methodology, so that it can answer different questions that relate to the risk and the consequences. Probability risk assessments for nuclear plants focus on the internal events that can take place in the electric system the nuclear plant serves or inside the power plant itself. They also consider external events, including earthquakes and other natural disasters, that can affect the nuclear plants. Apart from internal and external events, probability risk analysis is also applied to exceptional situations such as designing probable sites that can be used to store highly radioactive wastes permanently (Fenton & Griffiths, 2008).

When performing a probability risk assessment, some steps are followed. The first step is to specify the hazard that is being dealt with, that is, the outcomes that are to be reduced or prevented. For nuclear plants, specifying the hazard mainly involves looking at ways that radioactive materials can be blocked from leaking to the environment by decreasing the chances of the fuel in the reactor getting damaged. The next step is the identification of a spectrum of events that can initiate the hazard. The final step involves estimating the frequency of the individual initiating events. The experts analyzing the risk usually assume that each initiating event takes place and then, from the response generated by the event, point out each possible combination of failures.
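The steps above, carried through for a toy Level 1 assessment, as an added example that is not part of the original essay. All event names, frequencies, failure probabilities and damage combinations are constructed, and system failures are assumed to be independent.

```python
from itertools import product

# Constructed figures for illustration; not real plant data.
# Steps 2 and 3: initiating events and their estimated frequency per reactor-year.
INITIATING_EVENTS = {
    "loss_of_offsite_power": 1e-2,
    "small_coolant_leak": 1e-3,
}

# Probability that each mitigation system fails on demand (assumed independent).
SYSTEM_FAILURE_PROB = {
    "emergency_power": 1e-2,
    "coolant_injection": 1e-3,
    "heat_removal": 1e-2,
}

# Step 1 (the hazard is fuel damage): for each initiating event, the
# combinations of failed systems that are assumed to end in core damage.
DAMAGE_COMBINATIONS = {
    "loss_of_offsite_power": [{"emergency_power"},
                              {"coolant_injection", "heat_removal"}],
    "small_coolant_leak": [{"coolant_injection"}],
}


def failure_sequences():
    """Yield (failed_systems, probability) for every success/failure combination."""
    names = sorted(SYSTEM_FAILURE_PROB)
    for outcome in product([False, True], repeat=len(names)):
        prob = 1.0
        for name, failed in zip(names, outcome):
            q = SYSTEM_FAILURE_PROB[name]
            prob *= q if failed else 1.0 - q
        yield {n for n, f in zip(names, outcome) if f}, prob


def damage_frequency(event):
    """Frequency per reactor-year of core damage started by one initiating event."""
    conditional = sum(
        prob for failed, prob in failure_sequences()
        if any(combo <= failed for combo in DAMAGE_COMBINATIONS[event])
    )
    return INITIATING_EVENTS[event] * conditional


def ranked_contributors():
    """Initiating events sorted by their contribution to core damage frequency."""
    return sorted(((e, damage_frequency(e)) for e in INITIATING_EVENTS),
                  key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for event, freq in ranked_contributors():
        print(f"{event}: {freq:.3e} per reactor-year")
    print(f"total: {sum(f for _, f in ranked_contributors()):.3e}")
```

The ranking shows which initiating event dominates the total, which is where design effort to reduce vulnerabilities pays off first.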

Probability risk assessments for nuclear power plants are categorized into three core levels. A level 1 probability risk assessment estimates the probability of a nuclear reactor core getting damaged. The process begins with clearly understood conditions, mostly the nuclear reactor operating at optimal power. Risk assessment experts have such vast knowledge of the accident mitigation systems of the nuclear reactor core that a level 1 probability assessment involves minimal uncertainties. In a level 2 probability risk assessment, the experts usually assume that the core has been damaged and then approximate the amount of radioactive material that will reach the environment and the speed of the radioactive material release (Fenton & Griffiths, 2008). Compared to level 1 probability risk assessments, level 2 probability risk assessments are less accurate because of the higher degree of uncertainty about the quantity of radioactive material that will escape to the environment, as well as about how the containment structure for the reactor will behave. Finally, the methodology has a level 3 probability risk assessment that deals with predicting the economic effects as well as the health problems associated with the radioactive material escaping into the environment. Among the three levels, the level 3 probability risk assessment is the least accurate because it deals with factors that can vary greatly. For example, it is almost impossible for the experts to predict accurately the speed and the direction of the wind in the event of a nuclear disaster taking place.

Because of its complex nature, the result of a probabilistic risk assessment cannot be quantified using one number. Instead, a distribution of values is used to express the frequency. Natural hazards are the hardest to deal with using the probability risk assessment because they mostly lie at the level 3 probability risk assessment, where the experts cannot determine some variables in the environment. On the other hand, the probability risk assessment can deal effectively with man-made hazards because the experts can determine almost every possible scenario.

In my opinion, one of the greatest advantages of using the probability risk assessment for nuclear plants is that it can help the risk analysts as well as the plant managers see how big or small the risk of an outcome might be in a real-world situation. The probability risk assessment model is also critical as it helps the plant designers concentrate on reducing the vulnerabilities as much as they can, which would have been difficult without the insights provided by the probability risk assessment. The existing nuclear plants can also use the results of the probability risk assessments to find out the key weaknesses in their reactors and possibly rectify the situation instead of waiting for an actual disaster. One of the key weaknesses in the probability risk assessment model is that reality is complicated irrespective of the computer model used. As a result, risk analysts do not have the full information to accurately predict the outcome, as they sometimes have to rely on chance, especially when doing the level 2 and level 3 probability risk assessments. The application of the probability risk assessment also requires experts for implementation due to its complexity and would prove challenging to an ordinary officer. The design of the methodology also involves knowledge of interacting with computers and their software so as to simulate the possible outcomes of an event.

Conclusively, probability risk assessment is critical especially in the US where nuclear reactors are major sources of power and risk assessment is critical to reduce vulnerabilities of nuclear reactors as well as improve their design and resilience.

Maritime Security Risk Analysis Model

Risk assessment models are used by organizational decision-makers in their quest to prevent and mitigate risks and to protect business processes from damage. Risk analysis is also important in the response and recovery processes. The Maritime Security Risk Analysis Model (MSRAM) is one of the key methods of risk assessment in an organization. The method was established by the United States Coast Guard (USCG) in an attempt to deliver an all-inclusive and uniform approach to gauging risks and to allocating resources in areas concerning the USCG (Chemweno et al, 2016). MSRAM replaced the Port Security risk tool, and it provides a comprehensive risk-based approach to the assessment of the country’s waterways and ports. This risk model therefore supports the mission of the United States Coast Guard of understanding and mitigating risks associated with attacks from terrorists on the borders of the ports. The port security risk analysis was developed shortly after the September 9, 2001 terrorist attack. This attack was deemed detrimental to the nation, and the great harm it created fueled the need for a risk assessment method at the ports. In 2005, MSRAM was established to provide the officers with a more comprehensive analysis of risks. More importantly, MSRAM was enacted to respond to the lessons that were learned in the initial attacks. The MSRAM has therefore been a milestone in the response strategy for threats at the coast. The risk is computed as: Risk = Threat * Consequence * Vulnerability

Quality assurance is provided by comparing new data to the averages from the national databases when an attack occurs. When the entered information is outside the range, an alert informs the user that the new data is outside the recommended ranges. If the user insists on entering information that is outside the ranges recommended by the software, the system requires the user to provide a detailed explanation before the process can continue. MSRAM comprises 23 modes of attack, which define the methods that are used by terrorists to cause damage. The MSRAM system also comprises 62 target classes that are based on the specific functionality of risk assessment. A pairing of an attack mode with a target is called a scenario, and the scenarios that are generated represent a reasonable sampling of plausible events. The Intelligence Coordination Center (ICC) provides the numbers for each scenario, and this is done through the MSRAM tool.
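The scoring formula and the out-of-range check described above, sketched as an added example that is not MSRAM's own code. The mode and target-class labels, the reference ranges and the scores are constructed placeholders, and the names `Scenario`, `submit` and `ranked` are hypothetical.

```python
from dataclasses import dataclass

# Constructed reference ranges standing in for the national averages,
# keyed by (placeholder) target class.
REFERENCE_RANGES = {
    "TARGET_CLASS_A": {"consequence": (100, 500), "vulnerability": (0.2, 0.6)},
    "TARGET_CLASS_B": {"consequence": (10, 80), "vulnerability": (0.4, 0.9)},
}


class JustificationRequired(ValueError):
    """Raised when out-of-range data is entered without an explanation."""


@dataclass
class Scenario:
    attack_mode: str        # one of the attack modes (placeholder label)
    target_class: str       # one of the target classes (placeholder label)
    threat: float           # supplied centrally in the workflow described above
    consequence: float
    vulnerability: float
    justification: str = ""

    @property
    def risk(self):
        # Risk = Threat * Consequence * Vulnerability
        return self.threat * self.consequence * self.vulnerability


def out_of_range_fields(scenario):
    """Names of the fields that fall outside the reference range for the target class."""
    ranges = REFERENCE_RANGES[scenario.target_class]
    return [name for name, (low, high) in ranges.items()
            if not low <= getattr(scenario, name) <= high]


def submit(scenario, register):
    """Accept a scenario; out-of-range values are only accepted with a justification."""
    flagged = out_of_range_fields(scenario)
    if flagged and not scenario.justification.strip():
        raise JustificationRequired(f"explain out-of-range values: {flagged}")
    register.append(scenario)
    return flagged  # returned so the alert can be shown and logged


def ranked(register):
    """Scenarios ordered from highest to lowest risk, for resource allocation."""
    return sorted(register, key=lambda s: s.risk, reverse=True)


if __name__ == "__main__":
    register = []
    submit(Scenario("MODE_01", "TARGET_CLASS_A", 0.3, 400, 0.5), register)
    submit(Scenario("MODE_02", "TARGET_CLASS_B", 0.2, 900, 0.5,
                    justification="site survey shows unusually high occupancy"), register)
    for s in ranked(register):
        print(s.attack_mode, s.target_class, round(s.risk, 2))
```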

CARVER Risk Assessment Method

CARVER stands for Criticality, Accessibility, Recuperability, Vulnerability, Effect, and Recognizability. Criticality is the target value and determines the extent of risk to the overall organizational processes. When the criticality of the risk is not assessed, it could have significant impacts on the operations of the organization. Accessibility refers to the ease with which the risk can reach the target. The accessibility of the risk also stipulates the defensive measures to be employed in the process of mitigating the risk (Makhutov & Baecher, 2013). Recuperability refers to the time it takes for an organization to address the risk that is caused to the target. Vulnerability, on the other hand, defines the degree of knowledge that is required to exploit the target, causing harm. Effect is the impact of the attack on the organization, and recognizability is the ease of identifying the target.

The United States special operations forces developed the CARVER matrix during the Vietnam War. CARVER is used to identify specific targets and rank them so that resources are efficiently utilized in mitigating risks in order of preference. This mode of risk evaluation was developed as a simple, uniform and quantifiable measure used to select targets for the possibility of interdiction (Chemweno et al, 2016). CARVER has an offensive purpose, considering what to attack, and a defensive dimension, defining what to protect. In fact, the United States Special Forces used this system to rank potential targets during the Vietnam War and thus provide an appropriate response. Hence, the sole purpose of the CARVER matrix was to rank the target risks to determine which ones were more vulnerable. Simply put, the CARVER method is used to identify which risk needs to be addressed first.

Since the establishment of the CARVER risk evaluation method, the method has proved to be important in many security organizations including Department of State (DOS), Department of Energy (DOE), Special Operations Forces (SOF) and Department of Homeland Security (DHS). Also, other commercial and private entities that are concerned with security matters use the CARVER method in target selection along with vulnerability assessment. The risk is found through calculating the value of a certain potential target and assessing its probability. In offensive cases, application of the CARVER matrix helps in identifying the targets that are susceptible to attacks and thus require additional security assets that are allotted to them. Notably, the CARVER method is not only used in the military scenarios as it was when it was developed (Makhutov & Baecher, 2013). Currently, this risk assessment method is also applied in the management of risk in organizations and proves to be efficient in setting achievable goals. Organizations apply the method on clear sets of goals and objectives such as increasing sales and profit within a given time period.

OCTAVE Risk Assessment Method

OCTAVE stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation. This method of risk assessment is practically significant in streamlining and optimizing the processes of evaluating security risk information so that an organization obtains sufficient results using a small investment in a given time. The analysis is also limited to a given workforce and resources. In this case, an organization has to consider the relationship between the three key variables to design the mitigation process. The OCTAVE management analysis therefore defines a risk-based strategic assessment and planning technique for the security evaluation. The method is self-directed, and this makes the organizational workforce assume a key responsibility for setting the security strategy that would be deemed beneficial to the business. The OCTAVE method is also tailored towards analyzing the information generated and producing a protection strategy for mitigating the risks (Valsamakis et al., 2010). Hence, a team applying this risk methodology should have important knowledge of the risks of attack on the business to conduct the process effectively. The security needs of the organization are assessed in depth. The focus is on the information asset, which eliminates potential confusion about the scope of risk and reduces the possibility of harm.

In assessing the risk, one first has to develop risk measurement criteria that are consistent with the objectives, success, and mission of the organization. The profile of each critical information asset is then created, and this establishes clear boundaries for the asset as well as identifying its security requirements (Tsanakas & Millossovich, 2015). The threats are then recognized from the information given in the context of the containers. Analysis of the risks is then done and the mitigation approaches determined. This method is flexible and thus appropriate for security management practices and the determination of operational risks. Thus, it allows the organization to manage security risk and avoid threats that could hinder it from attaining its goals (Khan, 2017). An organization is also able to make suitable decisions based on the unique risks identified and hence focus on ways of protecting the key information assets from attacks. For this reason, the OCTAVE method is effective in informing the organization about the security measures to be implemented.

CRAMM Risk Assessment Method

CRAMM is a methodology that is used in risk analysis and has a wide application within the spheres of the organization. The method helps in the management of risks and originates with the British governmental agency CCTA in 1985. The method covers the phases of risk management, including generating outputs for security documentation. The CRAMM method helps in assessing the efficiency of the cost that is given to risk management. The method comprises three critical stages that identify and analyze the risks that the system could face. Specifically, the first stage defines how risks can be managed. It sets the boundary of the risk assessment study and covers the identification and valuation of the physical assets that form part of the system, along with determining the value of the data used in identifying the risk. The second stage is the evaluation of risks to the proposed system. Under this stage, there is identification and assessment of the type of risk and level of threat that is able to affect the system (Valsamakis et al., 2010). The extent of the vulnerability is calculated, and the threats and the vulnerabilities are then combined to calculate measures of risk. In the last stage, there is identification and selection of countermeasures that are proportionate to the measures of risk calculated in the second stage.

In an organization's practices, changes to the information system, including consortiums, partnerships, and outsourcing as well as the establishment of new technologies, mean that the business faces new risks and threats which require additional controls. It thus becomes important to use CRAMM across the stages of the information cycle, from the planning and feasibility stages to the development and implementation of an operation. The CRAMM method is essentially used to identify the security and contingency requirements in managing risks. In the strategy planning process, the risk is high and therefore needs to be recognized and defined correctly for broad contingency or security measures to be put in place. This will enable the organization to find approaches that are relatively low-cost to implement. During the feasibility stage, potential solutions to the identified security requirements, along with the associated costs, are determined. In the analysis stage, options are investigated in detail to ensure that the required personnel, procedural and physical factors are present (Wang et al., 2014). Management audits and changes in the management programs help in monitoring compliance with new requirements.

The usefulness of this method makes CRAMM a widely adopted method in information security and in the analysis and management of risks. It serves as an appropriate approach that embraces both the technical and the non-technical factors of security (Makhutov & Baecher, 2013). The components include asset identification, valuation, vulnerability assessment and also countermeasure selection and recommendation. The stages value each asset regarding and stipulates cost of replacement. The threat vulnerability assessment covers the full range of threats, such as deliberate hacking, failure of equipment or software, human error and viruses.

References

Chemweno, P., Pintelon, L., De Meyer, A., Muchiri, P., Van Horenbeek, A., & Wakiru, J. (2016). A Dynamic Risk Assessment Methodology for Maintenance Decision Support. Quality and Reliability Engineering International, 33(3), 551-564. http://dx.doi.org/10.1002/qre.2040

Fenton, G. A., & Griffiths, D. V. (2008). Risk assessment in geotechnical engineering (Vol. 461). Hoboken, NJ: John Wiley & Sons.

Frogatt, A. (2005). Nuclear Reactor Hazards. Nuclear Issues Paper, (2).

Khan, M. (2017). Efficacy of OCTAVE Risk Assessment Methodology in Information Systems Organizations. International Journal of Computer Applications Technology And Research, 6(6), 242-244. http://dx.doi.org/10.7753/ijcatr0606.1001

Makhutov, N., & Baecher, G. (2013). Comparative Analysis of Technological and Intelligent Terrorism Impacts on Complex Technical Systems. Amsterdam: IOS Press.

Tsanakas, A., & Millossovich, P. (2015). Sensitivity Analysis Using Risk Measures. Risk Analysis, 36(1), 30-48. http://dx.doi.org/10.1111/risa.12434

Valsamakis, A., Vivian, R., & Du Toit, G. (2010). Risk management. Sandton: Heinemann.

Wang, T., Mousseau, V., Pedroni, N., & Zio, E. (2014). Assessing the Performance of a Classification-Based Vulnerability Analysis Model. Risk Analysis, 35(9), 1674-1689. http://dx.doi.org/10.1111/risa.12305
