Chapter 2. Literature Review
2.7 Risk and Vulnerability Management
2.7.1 Vulnerability and Risk Assessment Techniques
There are a number of techniques and methodologies to conduct risk and vulnerability assessment.
This section provides a summary of the techniques that are relevant to this dissertation; the majority of techniques are taken from Habegger (2008), who provides a more extensive list. These techniques will be used when developing and proposing the new framework in Chapter 5, and implementing the framework in Chapter 8. Aspects of this section were previously published in van Niekerk and Maharaj (2011a).
2.7.1.1 Risk Matrices
The risk rating matrix is shown in Table 2.11 above. A slight variation of this is the risk level matrix, illustrated in Table 2.13. An example of a qualitative risk matrix is shown in Table 2.14.
Table 2.13: Risk Level Matrix, Adapted from (Wenger, Metzger, & Dunn, 2002)

Impact \ Probability | Low (0.1)          | Medium (0.5)         | High (1.0)
Low (10)             | Low (0.1x10=1)     | Low (0.5x10=5)       | Low (1x10=10)
Medium (50)          | Low (0.1x50=5)     | Medium (0.5x50=25)   | Medium (1x50=50)
High (100)           | Low (0.1x100=10)   | Medium (0.5x100=50)  | High (1x100=100)

Key: High >50-100; Medium >10-50; Low >1-10
Table 2.14: Qualitative Risk Matrix

Impact \ Probability | Very Low | Low      | Medium | High      | Very High
Very High            | Medium   | High     | High   | Very High | Very High
High                 | Low      | Medium   | High   | High      | Very High
Medium               | Low      | Low      | Medium | High      | High
Low                  | Very Low | Low      | Low    | Medium    | High
Very Low             | Very Low | Very Low | Low    | Low       | Medium
2.7.1.2 Delphi Technique
The Delphi Technique is an information-gathering technique used to reach a consensus of experts on a subject. It reduces bias in the data and prevents any one person from having a strong influence on the outcome, because the subject experts participate anonymously. Views on the subject in question are solicited by means of a questionnaire. The participants' responses are summarised and then re-circulated for further comment in order to achieve consensus, which may take several rounds (Habegger, 2008). Follow-up interviews may also be used to gain deeper insight into previous responses. Expert assessment and interviews may be used to assess critical infrastructure (Wenger, Metzger, & Dunn, 2002); this technique may be employed in that role. The interviews may also be conducted by electronic means, such as email and instant messengers; this is known as the E-Delphi technique (Lindqvist & Nordanger, 2007).
2.7.1.3 Focus Groups
Focus groups can be considered as a group interview, consisting of an open-ended, structured discussion with a representative group. Focus groups explicitly use group interaction as part of the technique; people are encouraged to talk to one another and may ask questions, exchange anecdotes, and comment on each participant's experiences and points of view. One or more interviews with small groups of participants are conducted (Habegger, 2008). This is another technique that may be used to gain expert assessment of critical infrastructures.
2.7.1.4 Simulation
Simulations use models that translate uncertainties specified at a detailed level into their potential impact on processes or systems; usually computer models and estimates of risk are used to conduct the simulation (Habegger, 2008).
2.7.1.5 Monte-Carlo Simulation
Monte-Carlo simulations are a type of “what-if” simulation that measures the effects of uncertainty on a process or system through the use of random numbers. Traditional “what-if” simulations reveal what is possible, whereas a Monte-Carlo simulation reveals what is probable (Habegger, 2008).
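The contrast drawn above, between a what-if simulation that shows what is possible and a Monte-Carlo simulation that shows what is probable, can be illustrated on the risk score of Table 2.13 (probability x impact, banded by its key). The example below is added here and is not code from the dissertation or from Habegger (2008); the triangular distributions, the constructed probability and impact ranges, and the run count are assumptions chosen for illustration.

```python
import random

# Bands from the key of Table 2.13: score = probability x impact.
def risk_band(score):
    """Map a probability x impact score to the Low/Medium/High bands of Table 2.13."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"

def what_if_corners(prob, impact):
    """Traditional what-if: evaluate only the best- and worst-case corners.

    prob and impact are (low, most_likely, high) triples. The corners show
    what is *possible* but say nothing about how likely each outcome is."""
    best = prob[0] * impact[0]
    worst = prob[2] * impact[2]
    return {"best": best, "worst": worst,
            "bands": (risk_band(best), risk_band(worst))}

def monte_carlo(prob, impact, runs=20000, seed=1):
    """Sample probability and impact from triangular distributions (an
    assumption for this example) and aggregate the resulting risk scores,
    showing what is *probable* rather than merely possible."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    counts = {"Low": 0, "Medium": 0, "High": 0}
    scores = []
    for _ in range(runs):
        p = rng.triangular(prob[0], prob[2], prob[1])      # (low, high, mode)
        i = rng.triangular(impact[0], impact[2], impact[1])
        s = p * i
        scores.append(s)
        counts[risk_band(s)] += 1
    scores.sort()
    return {
        "mean": sum(scores) / runs,
        "p50": scores[runs // 2],
        "p90": scores[int(runs * 0.9)],
        "band_share": {b: c / runs for b, c in counts.items()},
    }

# Constructed example input: a finding whose annual probability is believed to
# lie between 0.1 and 0.6 (most likely 0.3), with an impact of 10-100 (most
# likely 40) on the same scale as Table 2.13.
PROB = (0.1, 0.3, 0.6)
IMPACT = (10, 40, 100)

if __name__ == "__main__":
    print("what-if corners:", what_if_corners(PROB, IMPACT))
    print("monte carlo:", monte_carlo(PROB, IMPACT))
```

For this input the what-if corners span the Low and High bands, so a worst-case reading would rate the finding High; the sampled distribution shows the High band is reached only in a small fraction of runs, with the mean score sitting in the Medium band. That gap is the difference between possible and probable that the paragraph describes.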
2.7.1.6 Trend Analysis
Trend analysis is an analytical technique that attempts to forecast future outcomes from historical results. It predicts the variance from a baseline parameter using data collected in earlier periods, and projects how far the parameter might diverge from the baseline at some future point, assuming that no changes are made and that the underlying patterns of the previous periods continue into the future (Habegger, 2008).
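The projection described above can be carried out with a straight-line least-squares fit through the historical periods, extended forward and compared with the baseline. The example below is added here and is not code from the dissertation or from Habegger (2008); the linear model, the monthly series of open high-severity findings, and the baseline of 20 are constructed assumptions for illustration.

```python
def fit_trend(values):
    """Least-squares straight line through values observed at periods 0..n-1.

    A linear trend is an assumption of this example; other patterns
    (seasonal, exponential) would need a different model.
    Returns (intercept, slope per period)."""
    n = len(values)
    xs = range(n)
    mean_x = sum(xs) / n
    mean_y = sum(values) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, values))
    slope = sxy / sxx
    return mean_y - slope * mean_x, slope

def project(values, periods_ahead):
    """Extend the fitted trend periods_ahead beyond the last observation."""
    intercept, slope = fit_trend(values)
    return intercept + slope * (len(values) - 1 + periods_ahead)

def variance_from_baseline(values, baseline, periods_ahead):
    """Expected divergence from the baseline at a future point, if the
    historical pattern continues unchanged."""
    return project(values, periods_ahead) - baseline

# Constructed sample: open high-severity findings counted at the end of each
# of the last six months, against an agreed baseline (target) of 20.
HISTORY = [22, 25, 27, 30, 33, 36]
BASELINE = 20

if __name__ == "__main__":
    intercept, slope = fit_trend(HISTORY)
    print(f"trend: {intercept:.2f} + {slope:.2f} per month")
    print("projected in 3 months:", round(project(HISTORY, 3), 1))
    print("divergence from baseline:", round(variance_from_baseline(HISTORY, BASELINE, 3), 1))
```

The output is only as good as the assumption that nothing changes: a remediation programme that starts next month invalidates the projection, which is exactly the caveat the paragraph attaches to the technique.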
2.7.1.7 PESTEL
PESTEL is an analytical tool used to systematically analyse an organisation's environment and to structure identified factors for specified categories. The PESTEL framework uses six different categories of factors that may affect the organisation under consideration: Political, Economic, Societal, Technological, Environmental/Ecological, and Legal factors (Habegger, 2008).
2.7.1.8 Strengths, Weaknesses, Opportunities, Threats (SWOT) Analysis
A SWOT assessment structures information and generates strategic planning alternatives by analysing both internal and external factors that influence an organisation. The organisation's strengths and weaknesses form the internal factors, while opportunities and threats constitute the external factors (Habegger, 2008).
2.7.1.9 The Threats-Vulnerabilities-Assets Worksheet
A Threats-Vulnerabilities-Assets (TVA) worksheet is used at the beginning of a risk assessment process in order to identify and list the vulnerabilities that associate specific threats with assets (Whitman & Mattord, 2010). A threat may have multiple associated vulnerabilities for an asset.
While this worksheet considers assets, it could be easily adapted to consider an infrastructure, and is a useful tool to present the vulnerabilities and their associated threats.
2.7.1.10 Graph Theory Analysis
Graph theory may be used to analyse networks and infrastructures; it is useful in identifying critical nodes and possible singularities or choke points, the destruction of which may result in segmentation or failure of a network or infrastructure. Lewis (2004) discusses model-based vulnerability analysis (MBVA), in which an infrastructure is represented as a graph; once the critical nodes are identified they are analysed using fault-tree and event-tree analysis. The critical nodes are identified by performing a scale-free network test. A network is scale-free if the number of nodes of each degree (a node's degree is the number of edges that connect to it) is approximated by degree^(-p), where p > 1. For scale-free networks the critical nodes are the ones of highest degree; if the network is not scale-free then it may be a small-world network, in which there are critical clusters or neighbourhoods of nodes of high degree (Lewis, 2004).
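The steps above (degree distribution, the degree^(-p) check, highest-degree nodes, and the segmentation caused by destroying them) can be exercised on a small graph. The example below is added here and is not code from the dissertation or from Lewis (2004); the hub-and-spoke network, the least-squares fit on log-log axes as the scale-free check, and the exactly power-law degree list used to validate that fit are constructed assumptions for illustration.

```python
from collections import Counter, deque
import math

def node_degrees(adj):
    """Degree of every node: the number of edges incident to it."""
    return {node: len(neigh) for node, neigh in adj.items()}

def power_law_exponent(degree_values):
    """Estimate p in  count(k) ~ k^(-p)  by least squares on log-log axes.

    This is the simplified scale-free check the text describes (an assumption
    of this example); on a small real network the fit is rough, so treat the
    result as indicative rather than conclusive."""
    hist = Counter(d for d in degree_values if d > 0)
    if len(hist) < 2:
        raise ValueError("need at least two distinct degrees to fit an exponent")
    xs = [math.log(k) for k in hist]
    ys = [math.log(c) for c in hist.values()]
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return -sxy / sxx          # slope of log(count) vs log(degree) is -p

def is_scale_free(degree_values):
    """Scale-free per the text's criterion: fitted exponent p > 1."""
    return power_law_exponent(degree_values) > 1

def critical_nodes(adj, top=1):
    """Highest-degree nodes: the critical nodes of a scale-free network."""
    deg = node_degrees(adj)
    return sorted(deg, key=lambda n: (-deg[n], n))[:top]

def connected_components(adj, removed=()):
    """Count connected components once the nodes in `removed` are destroyed,
    i.e. how far the network segments."""
    removed = set(removed)
    seen = set()
    count = 0
    for start in adj:
        if start in removed or start in seen:
            continue
        count += 1
        seen.add(start)
        queue = deque([start])
        while queue:
            n = queue.popleft()
            for m in adj[n]:
                if m not in removed and m not in seen:
                    seen.add(m)
                    queue.append(m)
    return count

# Constructed sample infrastructure: an exchange 'X' links three regional
# sites (A, B, C) that each serve a few leaf nodes, plus one direct leaf 'D'.
NETWORK = {
    "X": {"A", "B", "C", "D"},
    "A": {"X", "a1", "a2"}, "a1": {"A"}, "a2": {"A"},
    "B": {"X", "b1", "b2"}, "b1": {"B"}, "b2": {"B"},
    "C": {"X", "c1"}, "c1": {"C"},
    "D": {"X"},
}

# Constructed degree list that follows count(k) = 144 / k^2 exactly, so the
# fitted exponent should be 2.
EXACT_POWER_LAW = [1] * 144 + [2] * 36 + [3] * 16 + [4] * 9

if __name__ == "__main__":
    print("degrees:", node_degrees(NETWORK))
    print("critical node:", critical_nodes(NETWORK))
    print("components intact:", connected_components(NETWORK))
    print("components without X:", connected_components(NETWORK, ["X"]))
    print("fitted p on exact power law:", round(power_law_exponent(EXACT_POWER_LAW), 3))
```

Counting components after removing the top-degree node turns "destruction may result in segmentation" into a number a defender can compare across candidate nodes, and is a natural input to the fault-tree and event-tree analysis that MBVA applies next.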
Shake, Hazzard, and Marquis (1999) model the links in a fibre-optic network as an electrical resistive circuit in which each edge has a vulnerability value. The overall vulnerability between two nodes may then be calculated as one would calculate an equivalent resistance: the vulnerability of links in series is the sum of their individual vulnerabilities, while the vulnerability of links in parallel is the product of the individual values divided by their sum (Shake, Hazzard, & Marquis, 1999).
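The equivalent-resistance rule above reduces a series/parallel arrangement of links to a single end-to-end vulnerability value. The example below is added here and is not code from the dissertation or from Shake, Hazzard, and Marquis (1999); the nested series/parallel description and the link values are constructed assumptions. The product-over-sum form stated in the text is the two-link case of the reciprocal rule used here, which extends to any number of parallel links.

```python
def series_vulnerability(values):
    """Links in series: vulnerabilities add, like resistances in series."""
    return float(sum(values))

def parallel_vulnerability(values):
    """Links in parallel: reciprocal of the sum of reciprocals, like resistances
    in parallel. For exactly two links this equals product / sum, as in the text;
    the reciprocal form generalises to any number of redundant links."""
    return 1.0 / sum(1.0 / v for v in values)

def path_vulnerability(expr):
    """Evaluate a nested series/parallel description.

    expr is either a number (one link's vulnerability value) or a tuple
    ('series' | 'parallel', child, child, ...) whose children are themselves
    numbers or tuples. Assumed data shape for this example."""
    if isinstance(expr, (int, float)):
        return float(expr)
    kind, *children = expr
    parts = [path_vulnerability(c) for c in children]
    if kind == "series":
        return series_vulnerability(parts)
    if kind == "parallel":
        return parallel_vulnerability(parts)
    raise ValueError(f"unknown combinator {kind!r}")

# Constructed sample: two nodes joined by a trunk link (vulnerability 2),
# then a pair of redundant links (3 and 6) in parallel, then a final link (1).
ROUTE = ("series", 2, ("parallel", 3, 6), 1)

if __name__ == "__main__":
    print("two links in parallel, product/sum:", 2 * 3 / (2 + 3))
    print("two links in parallel, reciprocal rule:", parallel_vulnerability([2, 3]))
    print("end-to-end vulnerability of ROUTE:", path_vulnerability(ROUTE))
```

Because the parallel combination is always smaller than the weakest of its members, the model rewards redundancy in the same way the circuit analogy does: adding a parallel link lowers the end-to-end vulnerability, while every link added in series raises it.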