Critical Infrastructure Protection: Metrics and Tools

Workshop organized by The Naval Postgraduate School Center for Homeland Defense and Security

Monterey, CA                    5-7 June 2008

One of the fundamental missions of the department of homeland security, in partnership with state and local governments and tribal authorities, is to protect the critical infrastructure and key resources of the United States against terrorist attacks. The executive summary of the National Infrastructure Protection Plan states:

"The National Infrastructure Protection Plan (NIPP) and supporting Sector-Specific Plans (SSPs) provide a coordinated approach to critical infrastructure and key resources (CI/KR) protection roles and responsibilities for federal, state, local, tribal, and private sector security partners. The NIPP sets national priorities, goals, and requirements for effective distribution of funding and resources which will help ensure that our government, economy, and public services continue in the event of a terrorist attack or other disaster.

Brandon Wales, Deputy Director, HITRAC, DHS

The plan is based on the following:

• Strong public-private partnerships which will foster relationships and facilitate coordination within and across CI/KR sectors.
• Robust multi-directional information sharing which will enhance the ability to assess risks, make prudent security investments, and take protective action.
• Risk management framework establishing processes for combining consequence, vulnerability, and threat information to produce a comprehensive, systematic, and rational assessment of national or sector risk."

However, 5 years after the creation of the requirement, a robust risk management framework has yet to be created. More troublesome is that, among the various constituents, there is no universally accepted definition of risk, and no standards for assessing vulnerability or consequences. This has led to a patchwork of conflicting and confusing methods that make it impossible to allocate resources efficiently to best protect the Nation.

In response to this need to reach a consensus on the underlying fundamentals of risk assessment to substantiate any tools or methods currently in use, the Center for Homeland Defense and Security (CHDS) sponsored a three-day workshop beginning on 5 July, 2008 where experts in risk assessment assembled to overview the state of the art in risk assessment metrics, methods, and tools.

Maksim Tsvetovat, Faculty, George Mason University

Key topics of the conference included (1) Metrics: a discussion of how risk, consequence and vulnerability should be defined and measured and (2) tools: descriptions of implementations of various methodologies in the form of procedures, software applications, and case studies that a practitioner could directly apply to the problem of risk assessment of critical infrastructure.

The conference was a three-day event that began on the evening of 5 July 2008. Presenters submitted scholarly papers and delivered oral presentations to the participants during the workshop. Successful papers from the workshop will be assembled for publication in a special edition of the Homeland Security Affairs Journal devoted to this topic.