Providing a defensible basis for allocating resources for critical infrastructure and key resource protection is an important and challenging problem. Investments can be made in countermeasures that improve the security and hardness of a potential target exposed to a security hazard, deterrence measures to decrease the likeliness of a security event, and capabilities to mitigate human, economic, and other types of losses following an incident. Multiple threat types must be considered, spanning everything from natural hazards, industrial accidents, and human-caused security threats. In addition, investment decisions can be made at multiple levels of abstraction and leadership, from tactical decisions for real-time protection of assets to operational and strategic decisions affecting individual assets and assets comprising a regions or sector.

The objective of this research is to develop a probabilistic risk analysis methodology for critical asset protection, called Critical Asset and Portfolio Risk Analysis, or CAPRA, that supports operational and strategic resource allocation decisions at any level of leadership or system abstraction. The CAPRA methodology consists of six analysis phases: scenario identification, consequence and severity assessment, overall vulnerability assessment, threat probability assessment, actionable risk assessment, and benefit-cost analysis. The results from the first four phases of CAPRA combine in the fifth phase to produce actionable risk information that informs decision makers on where to focus attention for cost-effective risk reduction. If the risk is determined to be unacceptable and potentially mitigable, the sixth phase offers methods for conducting a probabilistic benefit-cost analysis of alternative risk mitigation strategies. Several case studies are provided to demonstrate the methodology, including an asset-level analysis that leverages systems reliability analysis techniques and a regional-level portfolio analysis that leverages techniques from approximate reasoning.

The main achievements of this research are three-fold. First, this research develops methods for security risk analysis that specifically accommodates the dynamic behavior of intelligent adversaries, to include their tendency to shift attention toward attractive targets and to seek opportunities to exploit defender ignorance of plausible targets and attack modes to achieve surprise. Second, this research develops and employs an expanded definition of vulnerability that takes into account all system weaknesses from initiating event to consequence. That is, this research formally extends the meaning of vulnerability beyond security weaknesses to include target fragility, the intrinsic resistance to loss of the systems comprising the asset, and weaknesses in response and recovery capabilities. Third, this research demonstrates that useful actionable risk information can be produced even with limited information supporting precise estimates of model parameters.