Towards a Comparable Cross-Sector Risk Analysis: RAMCAP Revisited

  • Richard White
  • Aaron Burkhart
  • Terrance Boult
  • Edward Chow
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 485)


The search for a uniform risk analysis approach for critical infrastructures has prompted a reexamination of the Risk Analysis and Management for Critical Asset Protection (RAMCAP) methodology to see if it can accommodate emerging threats from climate change, aging infrastructure and cyber attacks. This chapter examines the challenges involved in taking a site-specific formulation and turning it into a general model capable of analyzing performance under a full range of simulated conditions. The AWWA J100-10 standard provides the blueprint for a basic RAMCAP model that calculates risk as an attenuation of consequences via probability estimates of vulnerability, threat, resilience and countermeasures. The RAMCAP model was subjected to varying scenario loads in deterministic simulations that examined all hypothetical conditions and probabilistic simulations that examined likely conditions. RAMCAP performance was measured by the average net benefit and represented by the distribution of component values. Contrary to expectations, RAMCAP performance did not improve as the number of scenarios increased in the simulations. The methods and results of this study may hold implications for other critical infrastructure risk methodologies that are based on consequence, threat and vulnerability.


Lifeline infrastructures, Risk analysis, RAMCAP methodology





Copyright information

© IFIP International Federation for Information Processing 2016

Authors and Affiliations

  • Richard White (1)
  • Aaron Burkhart (2, 3)
  • Terrance Boult (2)
  • Edward Chow (2)

  1. Security Engineering, University of Colorado Colorado Springs, Colorado Springs, USA
  2. Computer Science, University of Colorado Colorado Springs, Colorado Springs, USA
  3. Software Engineer, Lockheed Martin in Colorado Springs, Colorado Springs, USA
