Risk Assessment. Marvin Rausand
An exception is MIL‐STD‐882E (2012), where safety is defined as “freedom from those conditions that can cause death, injury, occupational illness, damage to or loss of equipment or property, or damage to the environment.” According to this definition, safety implies that all hazards are removed and that no assets will be harmed. This implies that risk is zero. For most practical systems, safety is therefore not attainable, and may be considered a Utopia.
Many risk analysts feel that the definition of safety in MIL‐STD‐882E is not of any practical use and that we need a definition such that safety is an attainable state. The following definition is therefore proposed:
Definition 2.31 (Safety)
A state where the risk has been reduced to a level that is as low as reasonably practicable (ALARP) and where the remaining risk is generally accepted.
This definition implies that a system or an activity is safe if the risk related to the system/activity is considered to be acceptable. Safety is therefore a relative condition that is based on a judgment of the acceptability of risk. The meaning of acceptable risk and ALARP is discussed further in Chapter 5.
From Definition 2.31, safety is closely dependent on risk because it is the risk level that determines whether a system is safe or not. An important distinction between risk and safety, as defined above, is that safety is a state that either is reached or not, whereas risk is measured on a continuous scale and can be high, medium, or low, or expressed in other ways. This means that even if a system is safe, there will still be risk.
2.6.3 Safety Performance
In this book, we use the word risk to describe our uncertainty about adverse events that may occur in the future. Sometimes, decision‐makers may be wondering “whether the estimated risk in the coming period (e.g. five years) is higher or lower than the risk was in the past period.” With our definition of risk, speaking of risk in the past has no meaning. This is because when a period is over, there is no uncertainty related to what happened in that period. We therefore need another term that can be used to describe what happened in a past period – and we use the term safety performance.
Definition 2.32 (Safety performance)
An account of all accidents that occurred in a specified (past) time period, together with frequencies and consequences observed for each type of accident.
In this way, the estimated risk in the coming period can be compared to the safety performance in the past period.
Remark 2.7 (Was the risk analysis wrong?)
Observe that the occurrence of events and accidents is – at least partly – a random process. If the risk in the coming period is estimated to be rather high, and by the end of that period, we find that the safety performance in the period showed no accidents, this does not necessarily mean that the risk analysis was wrong. The same argument can also be used the other way around. In particular for major accident risk, it can be claimed that risk analyses are hardly ever wrong (although they may not always be right)!
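The following is an added numerical illustration of Remark 2.7 and is not part of the book. It assumes that accidents in the period occur as a homogeneous Poisson process with the estimated frequency (an assumption made here for illustration; the book's own frequency models are introduced later). Under that assumption one can compute how likely a given safety performance is if the risk estimate were correct, and therefore whether the observed accident count gives any grounds to call the analysis wrong. The function names and the sample frequencies are constructed for the example.

```python
import math


def poisson_pmf(k: int, mu: float) -> float:
    """P(N = k) for a Poisson-distributed accident count N with mean mu."""
    return math.exp(-mu) * mu**k / math.factorial(k)


def poisson_cdf(k: int, mu: float) -> float:
    """P(N <= k) for a Poisson-distributed count with mean mu."""
    return sum(poisson_pmf(i, mu) for i in range(k + 1))


def prob_no_accidents(rate_per_year: float, years: float) -> float:
    """Probability that the safety performance shows zero accidents in the
    period, given that the estimated frequency (accidents per year) is correct.
    Constructed example: rate 0.3/yr over 5 years gives exp(-1.5) = 0.223."""
    return poisson_pmf(0, rate_per_year * years)


def consistent_with_estimate(observed: int, rate_per_year: float,
                             years: float, alpha: float = 0.05) -> bool:
    """Two-sided check of observed safety performance against estimated risk.

    Returns True when the observed accident count is not surprising at level
    alpha under the estimated frequency, i.e. the past period gives no grounds
    to reject the risk analysis. Returns False when the count is so far from
    the estimate that the analysis deserves a second look.
    """
    mu = rate_per_year * years
    lower_tail = poisson_cdf(observed, mu)                  # P(N <= observed)
    upper_tail = 1.0 - poisson_cdf(observed - 1, mu) if observed > 0 else 1.0  # P(N >= observed)
    p_value = min(1.0, 2.0 * min(lower_tail, upper_tail))
    return p_value >= alpha


if __name__ == "__main__":
    # Constructed sample cases mirroring the remark:
    # "rather high" estimate, yet no accidents observed in five years
    print(f"P(no accidents | 0.3/yr, 5 yr) = {prob_no_accidents(0.3, 5):.3f}")
    print("0 accidents consistent with 0.3/yr:", consistent_with_estimate(0, 0.3, 5))
    # the other way around: a low estimate, yet one accident did occur
    print("1 accident consistent with 0.02/yr:", consistent_with_estimate(1, 0.02, 5))
    # a count that really is hard to reconcile with the estimate
    print("8 accidents consistent with 0.3/yr:", consistent_with_estimate(8, 0.3, 5))
```

With an estimated frequency of 0.3 accidents per year, a five-year period with no accidents has probability about 0.22, so observing none is unremarkable; equally, one accident in five years does not refute an estimate of 0.02 per year. Only a count far out in a tail (eight accidents against an expected 1.5) gives reason to revisit the analysis, which is the point of the remark.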
2.6.4 Security
In risk analysis, it is important to identify all the relevant hazardous events. The hazardous events may be (i) random, such as technical failures and natural events (e.g. lightning, flooding), (ii) systematic, such as software bugs or erroneous installation, or (iii) due to deliberate actions, such as computer hacking and arson. The term safety is often used when we talk about random events, whereas security is used in relation to deliberate actions. The term total safety is sometimes used to cover both safety and security. Security assessment is discussed in Chapter 17.
Definition 2.33 (Security)
Freedom from, or resilience against, harm committed by hostile threat actors.
Security, like safety, is a relative concept that is closely related to risk acceptability. The principal difference between safety and security is intentionality; security is characterized by an adversary's intent to do harm. Assessing security risk therefore changes the first question of Kaplan and Garrick (1981), what can happen, into how someone can make something happen. This complicates risk assessment, as the range of possible events is restricted only by the assessor's imagination and ability to put herself in the situation of a potential enemy or criminal.
Central to an understanding of the concept of security are the terms threat, threat actor, and vulnerability:
Definition 2.34 (Threat)
A generic category of an action or event that has the potential to cause damage to an asset.
The deliberate hostile action can be a physical attack, such as arson, sabotage, and theft, or a cyberattack. The generic categories of attacks are called threats, and the entity using a threat is called a threat actor or a threat agent. Arson is therefore a threat, and an arsonist is a threat actor. The threat actor may be a disgruntled employee, a single criminal, a competitor, a group, or even a country. When a threat actor attacks, she seeks to exploit some weaknesses of the item. Such a weakness is called a vulnerability of the item. Weak passwords and heaps of combustible materials close to the item are examples of vulnerabilities.
Deliberate threats fall into two categories, (i) physical threats and (ii) cyber threats. Cyber threats include hacking, password cracking, and malware such as worms, viruses, and trojan horses, among many others. With our increasing dependence on computers and communication networks, our concern about cyber threats is steadily increasing.
Remark 2.8 (Natural threat)
The word “threat” is also used for potential natural events, such as avalanche, earthquake, flooding, hurricane, landslide, lightning, pandemic, tsunami, and wildfire, to name a few. We may, for example, say that earthquake is a threat to our system. No threat actor is involved for this type of threat.
The term threat actor is used to indicate an individual or a group that can manifest a threat. When analyzing security risk, it is fundamental to identify who could want to exploit the vulnerabilities of a system, and how they might use them against the system.
Definition 2.35 (Threat actor)
An individual, a group or a thing that acts, or has the power to act, to cause, carry, transmit, or support a threat.
A threat actor is sometimes called a threat agent. An example of a threat agent is a hacker who breaks into computers, typically seeking administrative control over them.
To cause harm, a threat agent must have the intention, capacity, and opportunity to cause harm. Intention means the determination or desire to achieve an objective. Capacity refers to the ability to accomplish the objective, including the availability of tools and techniques as well as the ability to use these correctly. Opportunity to cause harm implies that the asset must be vulnerable to attack.
Vulnerability may be defined as follows:
Definition 2.36 (Vulnerability)
A weakness of an asset or control that can be exploited by one or more threat actors.
A