Methodology for Asset Prioritization
Prioritization: A Tool for Informed Decision Making
Our nation’s critical infrastructures and key resources comprise a multitude of physical, human, and cyber assets, both privately and publicly owned. These assets include the buildings, bridges, power lines, river vessels, pipelines, cables, power plants, stadiums, schools, and many other facilities that contribute to our daily life.
DHS' Office of Infrastructure Protection (OIP) is responsible for prioritizing both individual assets and aggregate entities such as ports, cities, and states for protective measures. This task requires defensible methodologies that are logically consistent, objective, and applicable across domains of varying scale.
To support OIP, the Methodology for Asset Prioritization (MAP) team is developing a framework for risk-based prioritization that draws on numerous information sources and integrates existing infrastructure models. The framework is based on rigorous statistical techniques to manage uncertainty.
The Methodology for Asset Prioritization Task
A multi-year research and development effort, the MAP project also provides analytical capabilities to assist in year-to-year improvements of the methodologies. Efforts have included:
- Improvements in the mathematical soundness and defensibility of the risk formulations
- Analysis of the model sensitivity to adjustable parameters
- Integration of NISAC interdependency and cascading effect simulations into risk calculations
Long-term efforts focus on the development of advanced mathematical models:
- State-of-the-art probabilistic treatment of uncertainty in all components of risk
- Integration of incomplete data from diverse sources
- Framework for mitigation investment strategies and analysis of adversary response

As part of the long-term effort, MAP also helps specify future data capabilities to enable operation of sophisticated infrastructure asset risk calculations.
The MAP Prioritization Process
MAP has separated the risk analysis process into five modeling stages to support investment decision making. The five stages are applied to the three components of risk: Threat, Vulnerability and Consequence.
- The Missing-Data model estimates value distributions for unknown asset attributes imputed from existing data. Assets are categorized according to an established taxonomic hierarchy. Unknown attribute value distributions are estimated based on the distribution of attribute values from the family of assets in the corresponding category.
- The Regression model associates risk information with asset attributes. This allows the estimation of risk when simulation data or expert assessment is not available.
- The Data Fusion model provides a mathematically sound mechanism for combining infrastructure data from different simulations and databases in a consistent and coherent way.
- The Aggregation model will enable the summation of risk within common geographic regions. This capability is necessary to support inclusion of data that is specified at different scales. Threat values, for example, may be specified for city, state or regional areas as well as for individual assets.
- The Prioritization model uses the results of the previous four models, combined with established prioritization data, to prioritize in new situations. What this model adds is the ability to combine consequence information expressed in differing units.
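The Missing-Data stage described above can be illustrated with a short added example; this is not MAP's own code. The asset records, the attribute `daily_users`, the three-level taxonomy, and the rule of falling back to the parent category when fewer than three family members have a known value are all assumptions made for the illustration.

```python
import random

# Constructed sample inventory: (asset id, taxonomy path, daily_users or None if unknown)
ASSETS = [
    ("bridge-01", ("transportation", "bridge", "highway"), 42000),
    ("bridge-02", ("transportation", "bridge", "highway"), 38000),
    ("bridge-03", ("transportation", "bridge", "highway"), 51000),
    ("bridge-04", ("transportation", "bridge", "highway"), None),
    ("bridge-05", ("transportation", "bridge", "rail"), 9000),
    ("bridge-06", ("transportation", "bridge", "rail"), None),
    ("tunnel-01", ("transportation", "tunnel", "highway"), 30000),
]
MIN_FAMILY = 3  # assumed minimum number of known values before a family is trusted


def family_values(assets, path):
    """Known attribute values of every asset whose taxonomy path starts with `path`."""
    return [v for _, p, v in assets if v is not None and p[:len(path)] == path]


def impute_distribution(assets, path, min_family=MIN_FAMILY):
    """Walk up the taxonomy until a family has enough known values.

    Returns (category level used, sorted empirical values of that family).
    """
    for depth in range(len(path), -1, -1):
        vals = family_values(assets, path[:depth])
        if len(vals) >= min_family:
            return path[:depth], sorted(vals)
    raise ValueError("not enough known values anywhere in the hierarchy")


def attribute_draws(assets, asset_id, n=2000, seed=1):
    """Return (level used, n draws) so later stages see a distribution, not a point."""
    rng = random.Random(seed)
    _, path, value = next(a for a in assets if a[0] == asset_id)
    if value is not None:
        return path, [value] * n          # known attribute: no uncertainty added
    level, vals = impute_distribution(assets, path)
    return level, rng.choices(vals, k=n)  # resample the family's empirical distribution


if __name__ == "__main__":
    for asset_id in ("bridge-04", "bridge-06"):
        level, draws = attribute_draws(ASSETS, asset_id)
        ordered = sorted(draws)
        p05, p95 = ordered[len(ordered) // 20], ordered[-len(ordered) // 20]
        print(asset_id, "imputed from", "/".join(level), "5%-95%:", p05, p95)
```

The rail bridge with only one known sibling is imputed from the wider bridge family, so its distribution is broader than that of the highway bridge; that extra spread is the uncertainty the later stages would have to carry.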

