Development of a decision support tool to inform resource allocation for critical infrastructure protection in Homeland Security

Abstract

Analysis of risk in critical infrastructure is one of the major problems facing Homeland Security today. Defining risk and applying it to systems, as opposed to individual assets, is a relatively new idea in Homeland Security policy. Thus, there is a need for a decision support tool to inform decision makers in Homeland Security of resource allocation strategies to harden assets that reduce overall network risk. Model Based Risk Assessment (MBRA) is a quantitative method designed to (1) identify the most critical assets of the network in such a way as to reduce expected loss over the entire network, (2) quantify allocation strategies that strategic planners and risk managers can apply across multi-sector systems, and (3) compute vulnerability and total risk reduction of the network. We formalized the definition of network risk in terms of the connectivity of the network as an extension to the accepted risk equation R=f(T,V,C). We use node degree as a heuristic for criticality of an asset to the overall function of the network. We then modeled the relationship between budget and vulnerability reduction and show how an exponential reduction model compares to a linear or random model. Using the stated definition of network risk, all models rank order assets exactly the same but they reduce risk differently. Lastly, we introduce a twoparty model that combines both the defender's and attacker's points of view using a game theory approach. We show the results of this model and compare them to a similar model we refer to as the "arms race model" where we allow both attacker and defender to know each other's budget. Results show that the techniques developed here are useful in conducting a systematic and repeatable analysis of an infrastructure network of assets for risk and then informing resource allocations that serve to reduce risk on the entire network, not just the selected assets.