HLSS505Wk5


Risk Management Models

The concept of risk management is the process of "identifying, analyzing, and responding to project risk," which is based on a modeling program:

- Risk identification
- Qualitative risk analysis
- Quantitative risk assessment
- Risk response planning
- Risk monitoring and control (JISC, 2014).

Another five-step risk management model, predicated on a security management policy based on an organization's needs, includes the following: identify the risk, analyze the risk, evaluate or rank the risk, treat the risk, and monitor and review the risk (CPD, 2014, para. 1).

This week, we are going to focus on specific models that discuss how companies assess, analyze, and interpret risks. Risk analysis and modeling frameworks provide proper methodologies and tools for risk assessments. Such procedures are based on quantitative analysis and measure the criticality of vulnerabilities and threats that can harm an organization's resources and assets. Risk analysis models are also used to assess physical events (i.e. manmade and natural disasters) and social and governmental security policies.

One of the most popular risk analysis models discussed is the MSRAM, or the Military Security Risk Analysis Model. This is a model used by the U.S. Coast Guard to prevent terrorist attacks and other security risks at American ports and waterways. It was developed in response to the September 11th attacks and was inspired by the lessons learned on how the federal government and field/headquarters agencies could better improve security management methodologies through innovative approaches.

The formula for assessing risks (i.e. MSRAM) is risk = threat x consequence x vulnerability (Government Accountability Office [GAO], 2011; U.S. Coast Guard, n.d.). The mode of attack is predicated on general attack modes against certain specific targets, which is indicative of analysis derived from consequences and vulnerabilities from the initial assessment. Targets can be financial institutions, educational institutions, schools, colleges/universities, federal/state/local government agencies, and other building targets. All calculations are based on consequential scoring, which incorporates all security considerations.