Publications

Publications / Conference

Security risk assessment methodology for communities (RAM-C)

Jaeger, Cal

Sandia National Laboratories (SNL) has developed a number of security risk assessment methodologies (RAMs) for various infrastructures including dams, water systems, electrical transmission, chemical facilities and communities. All of these RAMs consider potential malevolent attacks from different threats, possible undesired events and consequences and determine potential adversary success. They focus on the assessment of these infrastructures to help identify security weaknesses and develop measures to help mitigate the consequences from possible adversary attacks. This paper will focus on RAM-C, the security risk assessment methodology for communities. There are many reasons for a community to conduct a security risk assessment. They include: providing a way to identify vulnerabilities, helping a community to be better prepared in the event of an adversary attack, providing justification for resources to address identified vulnerabilities and planning for future projects. RAM-C provides a systematic, risk-based approach useable by public safety and emergency planners to determine relative risk and provides useful information in making security risk decisions. RAM-C consists of a number of steps starting with a screening step which selects facilities based on a documented process; characterization of the community and facilities; determination of severity of consequences for identified undesired events; determination of the community protection goals and defining the threat; defining existing baseline safeguard measures; analyzing protection system effectiveness against identified scenarios, determining a relative risk and finally deciding if that risk is too high. If the risk is too high then possible countermeasures and mitigation measures are considered. RAM-C has been used by a number of communities within the United States. From these assessments there have been many results. Some communities have been surprised by the vulnerabilities that have been identified; have identified the need to test procedures and responses to many different situations; have identified the need to have redundancy in certain systems and have identified who within their community are valuable resources. The RAM-C process is a systematic way to assess vulnerabilities and make decisions based on risk. It has provided valuable information to community planners.