Archive for the 'SRA Club' Category
SARMApedia: A Common Knowledge Base for Security Analysis and Risk Management
After only three days of immersion in the security and risk management (SRM) community and culture at the 2008 Security Analysis and Risk Management conference, I saw the ongoing problems with SRM that must be solved in order to advance the profession. First, the comparison between risk analysis methodologies is impossible without collectively defining a “methodology of methodologies.” Decision makers commonly fail to understand and intelligently differentiate between security and risk analysis methodologies. There are many methodologies out there, but each has been developed for its own purpose and been tailored to its own decision maker. By developing a system of classification, a taxonomy of risk methodologies, SRM professionals and decision makers can discuss the differences and similarities between the methodologies in order to determine the right one for the situation. However, even before this step can be achieved, the SRM community needs to establish a common lexicon. The terminology of security analysis has never been definitive. Every government agency and SRM company has a different definition of risk, threat, consequence, vulnerability, and other words related to SRM.
Fundamental in their nature, these problems need to be answered, at least to some degree of common understanding, so that every SRM professional is on the same page. Without a common lexicon or a “methodology of methodologies,” security risk management as a profession will face many barriers to advancement and great frustration.
The Security Analysis and Risk Management Association made an attempt to tackle these problems head on with SARMApedia. SARMApedia is a common knowledge base for security risk management. The site is based on MediaWiki, a wiki technology originally developed for Wikipedia. SARMApedia allows any professional to document definitions and analysis methods for discussion. There are also separate pages on who’s who in SRM. The site currently is in need of more content and participation from the professionals, but even students are allowed to sign up and contribute. SARMApedia could prove to be a great resource for SRM and also unify the profession.
2008 Security Analysis and Risk Management Conference: Crisis Management and Defense Support of Civil Authorities & GAO Forum
Two plenary speakers spoke early this morning. Dirk Mauer, Deputy Assistant Secretary of Defense of the Crisis Management and Defense Support of Civil Authorities, detailed the ongoing development of the DoD’s Defense Critical Infrastructure Program. The DCIP ensures the availability of assets deemed necessary for DoD missions and operations. It focuses on domestic and foreign assets and their dependencies on one another. It is not possible or feasible to protect the entire critical infrastructure, so the DCIP lays out a model of identifying, prioritizing, and mitigating risk of critical infrastructure assets essential to the DoD. The DCIP aims to collaborate with all of the federal departments, conduct vulnerability assessments, and promote risk management. The DCIP is a new iteration of a ten-year critical infrastructure program in the DoD. In a Q&A immediately following his presentation, Dirk explained how the DCIP will work closely with the risk analysis and management programs in the DHS. The DoD adheres to the DHS’s national framework for critical infrastructure protection.
Cathleen Berrick, Director of the Homeland Security and Justice Team in the Government Accountability Office, spoke next on a GAO forum on risk management practices. The forum brought together key players in risk management from the private and government sectors to address homeland security risk management problems and challenges. The forum found that the top three issues that needed to be solved were improving risk communication, overcoming political obstacles, and improving strategic thinking. By the end of the forum there were talks about a special advising committee on risk management to Congress. You can read the complete findings of the forum in the GAO-08-627SP document.
There are still three technical sessions left and also the SARMA networking reception this evening. At the reception the SRA club will be meeting Edward J. Jopeck, the President of SARMA, to talk about how the College of IST and SARMA can work together to better educate the future generation of risk managers.
More coverage later today.
2008 Security Analysis and Risk Management Conference: Overview of First Day
The first day of the SARMA conference was absolutely mind blowing. The commute down from Olney to Arlington, however, was a challenge in itself. We woke up around 4:30 in the morning to beat the morning DC traffic and arrive at the conference in time for registration and breakfast. We actually ended up getting there a little early even after dealing with bad directions from a rogue TomTom GPS device.
As undergraduate students, it was an amazing opportunity to see the current problems and issues that the industry faces. The knowledge base of the professionals that attended was rich from their years in their respective fields. The seven students representing Penn State’s SRA club were the only undergraduates at the conference. During the welcome speech, Edward J. Jopeck, SARMA’s president, recognized the club for taking the initiative to attend the conference and formally introduced us to the SARMA members.
He briefly touched on the importance of passing on the lessons learned and knowledge base to future generations, so that new professionals would start where the more experienced security and risk professionals would stop. He essentially stressed the need for upcoming professionals to completely absorb the current knowledge of the industry before they enter the workforce. Hopefully this relationship between the SRA club and SARMA will continue to grow in future years and also highlight the immense value of exchanging information between SRA students and their professional counterparts.
Regional Risk: A Coordinated Effort
Christopher Geldart, the Director of the Office of National Capital Region Coordination in FEMA, gave a plenary session shortly after the welcome speech about regional risk assessment, analysis, and mitigation in the national capital region (DC area). The office’s main focus is to promote the education of risk analysis to decision makers and also serve as a pilot program to eventually develop a regional risk analysis program that can be refined and altered to suit the individual needs of other regions in the US. The NCR worked in cooperation with strategic and regional leaders to determine their deepest concerns, and then used that information alongside empirically based models, black boxes, analytical processes, historical data, and probabilities to create a scatter plot graph of likelihood (Y) versus consequences (X). Decision makers would then be able to use this graph to make informed decisions based on the process’s mitigation options and recommendations. The Office of NCRC still has a lot of groundwork to cover in the successful development and implementation of this program.
Challenges for the Infrastructure Risk Analysis Community
The second plenary session was presented by Brandon Wales, Deputy Director of the Homeland Infrastructure Threat and Risk Analysis Center (HITRAC) from the DHS. He manages the day to day operations of a $150 million program to monitor and analyze the threats and risks posed to the Nation’s critical infrastructure and key resources by man-made and natural hazards. HITRAC has emerged as one of the leading providers of classified and unclassified, infrastructure-related threat and risk analysis to Federal, State and local authorities, and the private sector. Below is an overview map of the panel session.
Keynote Speaker
The Honorable Joel B Bagnal, the Deputy Assistant to the President for Homeland Security, gave a compelling overview of the Department of Homeland Security’s history since it stood up in 2002.
Cyber Warfare and Governments’ Awakening
Paul Kurtz, COO of Good Harbor and a recognized cyber security and homeland security expert, discussed the recent events in cyberspace that have led to an awakening in the government and gave way to a classified executive directive that resulted in the creation of many programs to address the cyber security situation. This was my personal favorite technical session for the day. Paul Kurtz had a lot to say about the government’s plans on protecting the nation’s cyberspace, but he also kept the session informal enough to allow discussion between him and the attending SARMA members. One of the big debates in this session was the responsibility that the US government had to private industries when it had intelligence or information on an imminent or future cyber attack on a company’s critical infrastructure asset that could result in harm (physical or economic) to the company’s customers. Paul cited the Pan Am Flight 103 incident in 1989. The US Government knew about the impending attacks, but chose not to disclose the information so they would not undermine their sources or reveal their capabilities. Congress eventually enacted legislation to promote sharing relevant information about possible or ongoing attacks with the private sector on an ad hoc basis. Below is an overview map of the panel session.
Risk Methods for Security and Intelligence Analysis
The speaker for the third and final technical session of the day never showed, so newly hired SRA Professor William McGill gave a back-up presentation on his graduate dissertation entitled, “Risk Methods for Security and Intelligence Analysis.” Professor McGill developed an interface with sound underlying mathematical equations to make risk assessments that would easily be presentable to decision makers. I look forward to taking his SRA 311 class on risk management. He will actually be officially presenting a technical session on Thursday.
I apologize for not being able to live blog on the first day of this conference. It took a good portion of the morning to get internet access sorted out at George Mason University. Tomorrow I will be able to post live updates throughout the day.
Also, you can find more information about the SARMA conference at Russ Beck’s blog and IST Building.
STAY TUNED FOR ONGOING COVERAGE OF THE SARMA CONFERENCE!
You can also follow my twitter account as well.
Trip to 2008 Security Analysis and Risk Management Conference (SARMA)
The Security Analysis and Risk Management Association will be hosting their 2nd annual conference at George Mason University of Law in Arlington, Virginia tomorrow. The Security and Risk Analysis Club will be formally introduced by Edward J. Jopeck, the Chairman of SARMA, at the welcome meeting in the morning. Hopefully, we will get some publicity for the club and Penn State’s College of Information Sciences and Technology.
I drove down this afternoon with Caroline Furey and Panos Koutsikos to stay the night at the house of Chris Wisor, another SRA club member, in Olney, MD. Another group of club members met up with us from State College, PA. The conference will last three days and bring the top security and intelligence professionals from the government and private industries under one roof.
There are nine different panel sessions each day (in three, one-hour slots). Deciding which of the three sessions to see will be a tough decision, but the seven of us attending the conference will split up for each session so we can cover all of the events. They all seemed interesting, and many of the speakers are renowned experts in their respective fields. You can check out the schedule of events to see what is available.
I’ll be live blogging throughout the conference, so expect daily updates. Russ Beck, the Director of Intelligence for SRA and fellow blogger, will also be live blogging.
Halloween Madness Social
I strongly urge everyone to go to the IST Halloween Madness Social on Oct. 29. It’s from 7pm to 9pm in the Warning Commons study lounge.
FOOD!
MUSIC!
FUN!
PUMPKINS!
PIE YOUR PROF!
Check out the SRA club website for other cool events!