
ACHIEVING A RISK INFORMED SECURITY POSTURE


Abstract

The U.S. Department of Energy (DOE) has long sought to "right size" its security posture by establishing a formal method to identify and evaluate the risks associated with malevolent actions directed toward national security assets. Identifying and prioritizing risks allows managers to apply risk management techniques to control and monitor overall operational risks, including security risks. This paper will briefly summarize the evolution of the Department's approach to risk assessment, from the initial availability of the IBM Personal Computer in 1981 to the present computational capacity available to security professionals. As computing capacity has increased, so has the complexity of the analyses that can be performed. This paper will also discuss whether these increasingly complex analyses and the associated expectations of DOE regulators and managers have actually enhanced management's understanding of the risk environment and advanced its ability to effectively manage risk.
