Defensibility and Risk Management   [open pdf - 69KB]

"A common problem in risk management is to characterize the overall security of a system of valuable assets (e.g., government buildings or communication hubs), and to suggest measures to mitigate any security threats. Currently, analysts rely on a combination of security indices, such as resilience (the ability of a system to return to normal rapidly); robustness (the ability to function despite damage); redundancy (spare capacity); security (barriers to limit access); and vulnerability (susceptibility to hazards and/or intentional threats). However, these indices are not always actionable; i.e., they are not themselves sufficient to indicate whether policy makers should invest in improving a given system.  Indeed, it has been observed that some vulnerable systems cannot be improved cost-effectively [1]. Motivated by this gap, we recently proposed an index, defensibility [2], which characterizes how easily the damage to a system can be reduced. A system is highly defensible if a modest investment of resources can significantly reduce the damage from an attack or disruption (Fig. 1). Defensibility is defined in such a way that incommensurable systems can be compared to each other using a single measure.  The most defensible system would then receive the highest priority for defensive resources. […] To summarize, security analysis to date has been focused on existing notions such as vulnerability and resilience.  Our analysis here is based on the observation that some at-risk systems may be much easier to improve than others. We argue that risk analysts and managers would benefit by considering defensibility in their risk management plans."

2017 by the author(s). Posted here with permission. Documents are for personal use only and not for commercial profit. See document for full rights information.
Retrieved From:
Homeland Security Affairs Journal: http://www.hsaj.org/
Media Type:
Homeland Security Affairs (October 2017), v.13
Help with citations