Sandia National Laboratories
Security Risk Assessment Methodologies

Overview | History | Bio-RAM | RAM-C | RAM-CF | RAM-CI | RAM-D | RAM-E | RAM-P | RAM-T | RAM-W | Training | Licensing | Licensed Instructors | References | Contacts | Websites of Interest



Various RAM references materials are available that can help the general reader with a deeper understanding of a risk assessment and/or vulnerability assessment and how to apply the concepts in a rigorous systematic approach. Several references are listed below with directions on how to obtain the documents.

Before undertaking a security assessment, it is strongly recommended that security managers and assessment teams receive training. The RAM training has been specifically designed for each specific facility/critical infrastructure and will provide additional information, examples, and hands-on experience. The reference materials are intended to complement the training.

The Design and Evaluation of Physical Protection Systems: The textbook written by Mary Lynn Garcia provides a description of the overall process of security system design and integration. All RAMs have been based on the fundamental principles presented in this textbook. The textbook is arranged in three major parts: 1. determining the security objectives, 2. designing/evaluating the security system, and 3. evaluating the security system. The textbook can be obtained through the publisher Butterworth Heinemann at

Vulnerability Assessment of Physical Protection Systems: The second textbook written by Mary Lynn Garcia guides the reader through performing an effective vulnerability assessment (VA) from planning through final analysis. Relying on principles introduced in the first textbook, this practical text addresses the full spectrum of the VA, including negotiating tasks with the customer, project management and planning, team membership, step-by-step details for performing the VA, data collection and analysis, and important notes on how to use the VA to suggest design improvements and generate multiple design options. Several new tools are introduced to help users organize and use the information garnered by the VA at their sites to reduce risk to an acceptable level at an affordable cost and with the least operational impact.

RAM-WTM and Case Study for Large Water Utilities: In October 2002 the RAM-WTM methodology was issued. Included as a separate document, to go hand-in-hand with the methodology, is a worked example entitled "Case Study - Risk Assessment Methodology for Water Utilities (RAM-WTM )", which demonstrates the application of the methodology to a large water utility. The documentation can be obtained through AWWA.

RAM-WTM for Small/Medium Water Utilities: In 2003 RAM-WTM Small and Medium Water Utility Case Study was issued. The case study was specifically developed to provide guidance through a worked example for assessing small and medium water utilities. The documentation can be obtained through AWWA.

Results from the Water Utility Vulnerability Assessment Lessons Learned Study: This report was the first opportunity to review at a high-level the results of the vulnerability assessments completed for large water utilities and try and gain an understanding of what worked, what needed to be improved, and what could be done to help the process. The goal of the project was to help the water community better understand what had been learned and what was needed in terms of security improvements. The report can be obtained through AwwaRF at .

White paper on Physical Security RAM:
RAM for Physical Security

Back to top of page
Sandia National Laboratories

© Sandia Corporation | Site Contact | Privacy and Security