Report Reviews DHS Approach To Risk Analysis

The Department of Homeland Security (DHS) is responsible for mitigating a range of threats, including terrorism, natural disasters, and pandemics -- and risk analysis is an essential part of fulfilling that responsibility. This report, undertaken by units across the National Research Council, evaluates risk assessment methods employed by the DHS, concluding that risk analysis capabilities are strong in the area of natural disaster response, but substantial improvement is needed in other areas.

Although the conceptual framework used by DHS to analyze risk appears generally appropriate, the deployment of that framework is frequently deficient. The DHS' risk analysis with regard to natural disasters is mature, employing techniques that are subject to quality assurance and control, as well as verification and validation procedures. Risk analysis capabilities with regard to areas beyond natural disasters, however, are not yet adequate for supporting DHS decision-making because their validity and reliability are untested. Recommendations for addressing these deficiencies are offered, including expanding beyond the quantitative approach that has defined DHS risk analysis to this point.

Key Findings

1. A fully integrated analysis that aggregates widely disparate risks by use of a common metric is not a practical goal and in fact is likely to be inaccurate or misleading given the current state of knowledge of methods used in quantitative risk analysis. The risks presented by terrorist attack and natural disasters cannot be combined in one meaningful indicator of risk, and so an all-hazards risk assessment is not practical. The science of risk analysis does not yet support the kind of reductions in diverse metrics that such a purely quantitative analysis would require. Qualitative comparisons can help illuminate the discussion of risks and thus aid decision makers.

2. DHS has established a conceptual framework for risk analysis (risk is a function of threat (T), vulnerability (V), and consequence (C), or R = f(T,V,C)) that, generally speaking, appears appropriate for decomposing risk and organizing information, and it has built models, data streams, and processes for executing risk analyses for some of its various missions.

3. DHS's risk analysis models for natural hazards are near the state of the art. These models -- which are applied mostly to earthquake, flood, and hurricane hazards -- are based on extensive data, have been validated empirically, and appear well suited to near-term decision needs.

4. The basic risk framework of Risk = f(T,V,C) used by DHS is sound and in accord with accepted practice in the risk analysis field. DHS'operationalization of that framework -- its assessment of individual components of risk and their integration into a measure of risk -- is in many cases seriously deficient and is in need of major revision. More attention is urgently needed at DHS to assessing and communicating the assumptions underlying and the uncertainties surrounding analyses of risk, particularly those associated with terrorism. Until these deficiencies are improved, only low confidence should be placed in most of the risk analyses conducted by DHS.

5. With the exception of risk analysis for natural disaster preparedness, the committee did not find any DHS risk analysis capabilities and methods that are yet adequate for supporting DHS decision making, because their validity and reliability are untested. Moreover, it is not yet clear that DHS is on a trajectory for development of methods and capability that is sufficient to ensure reliable risk analyses other than for natural disasters.

For more information, visit http://www.nap.edu/catalog.php?record_id=12972.

Featured

  • Video Surveillance Trends to Watch

    With more organizations adding newer capabilities to their surveillance systems, it’s always important to remember the “basics” of system configuration and deployment, as well as the topline benefits of continually emerging technologies like AI and the cloud. Read Now

  • New Report Reveals Top Trends Transforming Access Controller Technology

    Mercury Security, a provider in access control hardware and open platform solutions, has published its Trends in Access Controllers Report, based on a survey of over 450 security professionals across North America and Europe. The findings highlight the controller’s vital role in a physical access control system (PACS), where the device not only enforces access policies but also connects with readers to verify user credentials—ranging from ID badges to biometrics and mobile identities. With 72% of respondents identifying the controller as a critical or important factor in PACS design, the report underscores how the choice of controller platform has become a strategic decision for today’s security leaders. Read Now

  • Overwhelming Majority of CISOs Anticipate Surge in Cyber Attacks Over the Next Three Years

    An overwhelming 98% of chief information security officers (CISOs) expect a surge in cyber attacks over the next three years as organizations face an increasingly complex and artificial intelligence (AI)-driven digital threat landscape. This is according to new research conducted among 300 CISOs, chief information officers (CIOs), and senior IT professionals by CSC1, the leading provider of enterprise-class domain and domain name system (DNS) security. Read Now

  • ASIS International Introduces New ANSI-Approved Investigations Standard

    • Guard Services
  • Cloud Security Alliance Brings AI-Assisted Auditing to Cloud Computing

    The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment, today introduced an innovative addition to its suite of Security, Trust, Assurance and Risk (STAR) Registry assessments with the launch of Valid-AI-ted, an AI-powered, automated validation system. The new tool provides an automated quality check of assurance information of STAR Level 1 self-assessments using state-of-the-art LLM technology. Read Now

New Products

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings.

  • QCS7230 System-on-Chip (SoC)

    QCS7230 System-on-Chip (SoC)

    The latest Qualcomm® Vision Intelligence Platform offers next-generation smart camera IoT solutions to improve safety and security across enterprises, cities and spaces. The Vision Intelligence Platform was expanded in March 2022 with the introduction of the QCS7230 System-on-Chip (SoC), which delivers superior artificial intelligence (AI) inferencing at the edge.

  • EasyGate SPT and SPD

    EasyGate SPT SPD

    Security solutions do not have to be ordinary, let alone unattractive. Having renewed their best-selling speed gates, Cominfo has once again demonstrated their Art of Security philosophy in practice — and confirmed their position as an industry-leading manufacturers of premium speed gates and turnstiles.