When properly conducted, risk analysis enlightens, informs, and illuminates, helping management organize their thinking into properly prioritized, cost-effective action. Poor analysis, on the other hand, usually results in vague programs with no clear direction and no metrics for measurement. Although there is plenty of information on risk analysis, it is rare to find a book that explains this highly complex subject with such startling clarity. Very few, if any, focus on the art of critical thinking and how to best apply it to the task of risk analysis.

The first comprehensive resource to explain how to evaluate the appropriateness of countermeasures, from a cost-effectiveness perspective, Risk Analysis and Security Countermeasure Selection details the entire risk analysis process in language that is easy to understand. It guides readers from basic principles to complex processes in a step-by-step fashion, evaluating DHS–approved risk assessment methods, including CARVER, API/NPRA, RAMCAP, and various Sandia methodologies.

Using numerous case illustrations, the text clearly explains the five core principles of the risk analysis lifecycle: determining assets, threats, vulnerabilities, risks, and countermeasures. It also supplies readers with a completely adaptable graphic risk analysis tool that is simple to use, can be applied in public or private industries, and works with all DHS–approved methods. This reader-friendly guide provides the tools and insight needed to effectively analyze risks and secure facilities in a broad range of industries, including DHS-designated critical infrastructure in the chemical, transportation, energy, telecommunications, and public health sectors.

Table of Contents


Risk Analysis—The Basis for Appropriate and Economical Countermeasures
Critical Thinking
Qualitative versus Quantitative Analysis
Theory, Practice, and Tools

Risk Analysis Basics and the Department of Homeland Security–Approved Risk Analysis Methods
Risk Analysis for Facilities and Structures
Many Interested Stakeholders and Agendas
Commercially Available Software Tools
Risk Analysis Basics
Risk Assessment Steps
Which Methodology to Use?

Risk Analysis Skills and Tools
Skill #1: Gathering Data
Skill #2: Research and Evidence Gathering
Skill #3: Critical Thinking in the Risk Analysis Process
Skill #4: Quantitative Analysis
Skill #5: Qualitative Analysis
Skill #6: Countermeasures Selection
Skill #7: Report Writing

Critical Thinking and the Risk Analysis Process
Overview of Critical Thinking
The Importance of Critical Thinking
Analysis Requires Critical Thinking
The Eight Elements that make up the Thinking Process
The Concepts, Goals, Principles, and Elements of Critical Thinking
Pseudo-Critical Thinking
Intellectual Traits
The Importance of Integrating Critical Thinking into Everyday Thinking
Applying Critical Thinking to Risk Analysis
More about Critical Thinking
The Root of Problems

Asset Characterization and Identification

Criticality and Consequence Analysis
Twofold Approach
Consequence Analysis
Building your Own Criticality/Consequences Matrix
Criticality/Consequence Matrix Instructions

Threat Analysis

Assessing Vulnerability
Review of Vulnerability Assessment Model
Define Scenarios and Evaluate Specific Consequences
Evaluate Vulnerability

Estimating Probability
Resources for Likelihood
Criminal versus Terrorism Likelihood Resources
Criminal Incident Likelihood Estimates

The Risk Analysis Process
Diagram Analysis
Asset Target Value Matrices
Probability Summary Matrix
Vulnerability Components

Prioritizing Risk
Prioritization Criteria
Natural Prioritization (Prioritizing By Formula)
Prioritization of Risk
Communicating Priorities Effectively
Best Practices Ranking Risk Results


Security Policy Introduction
The Hierarchy of Security Program Development
What are Policies, Standards, Guidelines, and Procedures?

Security Policy and Countermeasure Goals
The Role of Policies in the Security Program
The Role of Countermeasures in the Security Program
Why Should Policies Precede Countermeasures?
Security Policy Goals
Security Countermeasure Goals
Policy Support for Countermeasures
Key Policies

Developing Effective Security Policies
Process for Developing and Introducing Security Policies
Policy Requirements
Basic Security Policies
Security Policy Implementation Guidelines
Regulatory-Driven Policies
Nonregulatory-Driven Policies


Countermeasure Goals and Strategies
Countermeasure Objectives, Goals, and Strategies
Access Control
Response (Including Delay)
Evidence Gathering
Comply with the Business Culture of the Organization
Minimize Impediments to Normal Business Operations
Safe and Secure Environment
Design Programs to Mitigate possible Harm from Hazards and Threat Actors

Types of Countermeasures
Baseline Security Program
Specific Countermeasures
Countermeasures Selection Basics
No-Tech Elements

Countermeasure Selection and Budgeting Tools
The Challenge
Countermeasure Effectiveness
Functions of Countermeasures
Countermeasure Effectiveness Metrics
Helping Decision Makers Reach Consensus on Countermeasure Alternatives
Helping Decision Makers Reach Consensus on Countermeasure

Security Effectiveness Metrics
Sandia Model
A Useful Commercial Model
What kind of Information Do We Need to Evaluate to Determine Security Program Effectiveness?
What Kind of Metrics Can Help Us Analyze Security Program Effectiveness?

Cost-Effectiveness Metrics
What Are the Limitations of Cost-Effectiveness Metrics?
What Metrics Can Be Used to Determine Cost-Effectiveness?
Communicating Priorities Effectively
Basis of Argument
Complete Cost-Effectiveness Matrix
Complete Cost-Effectiveness Matrix Elements

Writing Effective Reports
The Comprehensive Risk Analysis Report
Report Supplements

Each chapter begins with an "Introduction" and ends with a "Summary."

