Approaches to risk assessments for intentional unwanted actions (Tilnærminger til risikovurderinger for tilsiktede uønskede handlinger)
About the publication
Report number: 2015/00923
ISBN: 9788246425412
Format: PDF document
Size: 2 MB
Language: Norwegian
The Norwegian Defence Research Establishment (FFI) has assessed different approaches to
security risk assessments for protection against intentional unwanted actions (security). The work
was funded by the Norwegian Defence Estates Agency (FB). The objective was to compare FB's
operationalization of two approaches. One approach is based on the Norwegian Standard (NS)
5814:2008, in which risk is defined as an "expression for the combination of likelihood and
consequences of an unwanted event". The second approach is based on the new standard NS
5832:2014, where security risk is defined as "the relationship between threats towards a given
asset and this asset's vulnerability to the specified threat". This approach is often called the
three-factor model, and the assessment of the likelihood of a scenario is intentionally omitted.
FB's operationalization of the two approaches has many similarities, but also differences. The
operationalization of NS 5814 includes a separate assessment of the possibility of an attack, and of
the extent to which the attack would be successful, based on a knowledge-based likelihood
assessment. Another difference is how risk is visualized and communicated to decision makers.
Here both approaches have weaknesses. A classic Boston Square risk matrix is easy to understand,
but can oversimplify and give the impression of greater accuracy than is justified. The triangle, or
the three circles, of the three-factor model illustrates only which factors are used. It can be argued
that FB's one-dimensional visualization of risk in this approach is sufficient, but it does not
communicate uncertainty.
It is essential in both approaches that the results must be documented and communicated in a
report that provides the basis for decision making. In both approaches the uncertainty of the
assessments must be clearly communicated. Here, improvements are suggested. FB should
consider including sensitivity analyses. FB could also explore whether bow-tie analysis and bow-tie
diagrams can be used to convey the variety of possible causes and consequences of a given
undesirable event. Here, it may also be useful to use Event Tree Analysis and Fault Tree
Analysis.
The NS 5814 approach has a clearer and broader scientific basis than NS 5832. A disadvantage of
NS 5832 is that it apparently does not include an assessment of likelihood. FFI argues that a
knowledge-based likelihood assessment is necessary and inevitable in a security risk assessment
for intentional unwanted actions, even if this is challenging, and even when choosing an approach
based on NS 5832.
There is no agreed best practice, internationally or nationally, for security risk assessment.
Scientific articles and interviews support this conclusion. Although no best practice has been
identified, the following characteristics may enhance and strengthen security risk assessments:
One should (i) have a structured process, (ii) establish a working group with broad expertise, (iii)
map the knowledge strength among the experts in the working group, (iv) base the assessment on
knowledge of the system and be concrete, (v) have a holistic perspective, (vi) communicate risks
and uncertainties, and (vii) be transparent, traceable and verifiable.