A 2010 study by the National Research Council determined that the U.S. Department of Homeland Security (DHS) lacks adequate risk measures to guide strategic investment decisions for protecting the critical infrastructure. Current threat-driven approaches are hampered by a dearth of historical data that could support robust statistical analysis. This paper presents an asset vulnerability model (AVM) that is designed to address the problem and to provide a strategic risk measure. The AVM risk formulation is predicated on 0, the probability of failure of an attacker, based on earlier work in game theory. Working within the DHS Risk Management Framework, AVM supports baseline analysis, cost-benefit analysis and the development of decision support tools that convey current risk levels, evaluate alternative protection measures, demonstrate risk reduction across multiple assets, and measure and track improvements over time. Moreover, AVM supports a computational approach for evaluating alternative risk reduction strategies. Seven strategies are examined using AVM: least cost, least protected, region protection, sector protection, highest protective gain, highest consequence and random protection. Experimental results indicate that the highest consequence investment strategy achieves the best protection over time. This paper also summarizes AVM research and demonstrates how it can help guide the strategic protection of the critical infrastructure. (C) 2014 Elsevier B.V. All rights reserved.
