www.vanguardcanada.com FEBRUARY/MARCH 2018 15
C4isr
But why is it important to estimate the
probability distribution of disruption ar-
rivals and severity? When these distri-
butions are available, for a given DES de-
sign or a potential MA solution, standard
simulation techniques (known as Monte
Carlo methods) can be used to derive
cost-benefit loss distributions for each so-
lution considered. This is, in fact, the only
reliable approach available to compare the
value and risk of alternative designs or MA
solutions. It has been shown that rating
the risk of alternatives based on qualita-
tive frequency-severity matrices, as is often
done in practice, usually leads to poor de-
cisions (see Cox Jr., What's Wrong with
Risk Matrices? Risk Analysis, 28-2, 2008).
The effect of MA capabilities on
disruptions
MA capabilities (often called risk controls)
are implemented to favorably alter the be-
haviour of incidents and disruptions, and
to lessen their negative consequences. Sev-
eral MA capability layers can be applied.
The initial layers involve preemptive mea-
sures that act directly on mission failure
risk sources either to eliminate the source
altogether or to deter risk agents from act-
ing. The following layers are defensive.
Their aim is to prevent detected incidents
from becoming harmful disruptions – for
instance, by the addition of DES asset
protections. The final layers are curative.
They ensure that mission essential func-
tions (MEFs) can continue, even if some
assets are damaged, and that harmed
DESs can be returned to their normal
state as quickly and efficiently as possible.
The MA framework displayed in Fig. 4
illustrates how different MA capabilities
are entangled with risk sources, incidents,
disruptions and consequences.
Shape and deter capabilities affect in-
cident arrival processes. They reduce the
frequency of incidents. Protections de-
crease the DES vulnerability level – that
is, the conditional probability that an in-
cident/incapability becomes a loss disrup-
tion. Vulnerabilities are DES/MA flaws
or weaknesses that could inhibit services
or be exploited by threat-hazard agents.
Protections may also reduce the severity
of the impact when a penetration occurs.
The overall consequences of a disruption
depend on the DES response when hit.
Consequences are measured in terms of
cost-benefit loss. Relevant costs include
Sin título-2 1 16/02/2017 14:19:46
Figure 3: Failure Frequency Distribution
