Risk Management and Critical Infrastructure Protection: Assessing, Integrating, and Managing Threats, Vulnerabilities and Consequences [Updated January 19, 2007]
"The Homeland Security Act of 2002 (P.L. 107-296) and other Administration documents have assigned the Department of Homeland Security specific duties associated with coordinating the nation's efforts to protect its critical infrastructure, including using a risk management approach to set priorities. Many of these duties were delegated to the Information Analysis and Infrastructure Protection (IA/IP) Directorate, now called the Preparedness Directorate. Risk assessment involves the integration of threat, vulnerability, and consequence information. Risk management involves deciding which protective measures to take based on an agreed-upon risk reduction strategy. Many models/methodologies have been developed by which threats, vulnerabilities, and consequences are integrated to determine risks and then used to inform the allocation of resources to reduce those risks. For the most part, these methodologies consist of the following elements, performed, more or less, in the following order: identify assets and identify which are most critical; identify, characterize, and assess threats; assess the vulnerability of critical assets to specific threats; determine the risk (i.e., the expected consequences of specific types of attacks on specific assets); identify ways to reduce those risks; and prioritize risk reduction measures based on a strategy."
CRS Report for Congress, RL32561