Googling on some of the terms from the ABC pdf turned up some documents that suggest at least some of the people involved have made an effort to do a professional analysis. The definition of 'Asset Risk' that they claim to be using, "Threat times Vulnerability times Consequences", is an oddball set of terms but a reasonable way to perform the calculation.
Unfortunately, I still can't see any way they can honestly be performing that calculation and coming up with the judgment that the city's 'Postal and Shipping' resources face a larger terror risk, by a factor of almost 200, than its entire banking industry. The only hint I've found is in the callout in the bottom of the HSGP white paper. "Many geographic asset types outlined above have specific thresholds that trigger the inclusion of related data in the risk analysis model." Maybe the Statue of Liberty and the Brooklyn Bridge were dropped from the tally because an analyst made the determination that the product of threat, vulnerability, and consequence was too low? I don't see how a reasonable person could reach that conclusion, but at least there's an assertion that someone, somewhere, examined the right factors. The truth of that assertion remains in some doubt, if only because of the obvious disconnect from the results they've published. If anyone can find a copy of the Risk Analysis for Fiscal Year 2006 Homeland Security Grants technical paper, which claims to have more details, would you please make it public?
What really floors me now, though, was the very proud statement that the DHS Introduces Risk-based Formula for Urban Areas Security Initiative Grants. For 2006. If these are the results from their best new efforts to include a robust risk model, just what exactly were they basing their decisions on last year?
Oh, my dear ghod. Please tell me this pdf is just a summary of some much, much more thorough piece of work? Something that actually demonstrates that someone in DHS has some trace of a clue what they're doing?
What this form is pretty clearly trying to be is a risk assessment. It's a perfectly normal process carried out thousands of times a day in businesses all across the country. There are nice, simple calculations to make. Standard procedures. Terms of art. Single Loss Expectancy equals Asset Value times Exposure Factor. Annualized Rate of Occurrence equals Threat Rate times Vulnerability. It's all simple stuff, if complicated in execution; a bit like double-entry bookkeeping, perhaps. The authors of this show no sign of familiarity with any of it. They seem to be considering most of the right factors, but nothing's called by the usual name, and all the calculations are described from back to front. It's like opening the books for a megabuck corporation and finding them all written in the format and terms from your home check register.
I wish I could be convinced that the differences are just a matter of perspective. There's no reason there couldn't be a completely different way to describe the necessary information and relationships, as long as the right numbers went through the right calculations in the end. Unfortunately, they've managed to ignore, apparently without even realizing it, the most basic requirement: a definition of value.
Those of us who deal in business risk have a simple way of measuring what we can afford to lose. We count dollars. I assume that those unfortunate or brave enough to balance life and death the same way have some more sanguinary metric. And of course we all have to cheat and fudge and estimate, because the real answer to "how much is this computer worth" isn't just "$3,000 from Dell" but "$10k in unbacked data during production, any outage will cost us 4 days productivity to these three departments, and if the data on it gets hacked we face at least a hundred thousand in fines". Including all the factors is hard enough for those of us who measure dollars, far worse for those who weigh bodies and blood, and has to be nearly impossible for those who have to try to understand which images of carnage or missing pieces of skyline will more severely traumatise the country.
Unfortunately, that doesn't mean that the need can be ignored, and that's exactly what whoever wrote this has done. All they've bothered to do is count up the total number of 'assets'. There's no differentiation at all. A neighborhood Post Office in Staten Island is weighted the same as Mt. Sinai hospital. Any of 4,000 'Commercial Assets' is as heavy a loss to the country as Chase Manhattan. There are two nuclear plants listed, but any of 111 other energy facilities is just as much in need of protection.
I don't even begin to know what to make of this. Is it deliberate? Assigning the same value to every post office, medical facility, and electrical plant in the country is certainly one way of seeing to it that the pork dollars flow to those who need them least. On the other hand, if they were going to try and cheat, you'd think they'd have at least bothered to hire someone who knows the rules of the game. More than anything else, this looks like the work of another "Hevkuva Job" Brown, who not only doesn't know or care how to do his job, but hasn't bothered to discover that there are other people out there who do.
The most recent 20 comments posted to Making Light by Red (Chris Holdredge):