CEA

CEA

Definition(s)


CEA

Cost-effectiveness analysis. Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance
Consequence Assessment

Consequence Assessment

Definition(s)


Consequence Assessment

Product or process of identifying or evaluating the potential or actual effects of an event, incident, or occurrence.

Source: API STANDARD 780, Security Risk Assessment Methodology for the Petroleum and Petrochemical Industries, First Edition, May 2013. Global Standards

Consequence Assessment

Product or process of identifying or evaluating the potential or actual effects of an event, incident, or occurrence. Sample Usage: The consequence assessment for the hurricane included estimates for human casualties and property damage caused by the landfall of the hurricane and cascading effects. Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance
Break-even Analysis

Break-even Analysis

Definition(s)


Break-even Analysis

Variant of cost-benefit analysis that estimates the threshold value at which a policy alternative's costs equal its benefits. Sample Usage: Break-even analysis showed that the proposed security policy would have to reduce the probability of attack by two orders of magnitude for its benefits to equal its costs; since this was judged unlikely, the proposed security policy was rejected. Annotation: Analysts have applied this technique to homeland security by calculating the minimum threat probability required for the risk reduction benefits of a security policy to exceed the costs. If decision makers believe the actual threat is greater than the calculated break-even threat level, then the expected benefits of the policy exceed the costs. The technique also may be applied to other uncertain parameters in the analysis. Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance
Bayesian Probability (Subjective Probability)

Bayesian Probability (Subjective Probability)

Definition(s)


Bayesian Probability (Subjective Probability)

Interpretation or estimate of probability as a personal judgment or "degree of belief" about how likely a particular event is to occur, based on the state of knowledge and available evidence. Sample Usage: Analysts use their knowledge of terrorist strategies, objectives, and capabilities in combination with evidence from operations to estimate a subjective probability of 10 percent for an attack to occur within the next five years. An analyst may use Bayesian probability to estimate likelihood based on a degree of belief. Annotation:
  1. Like all probabilities, subjective probability is conventionally expressed on a scale from zero to one where zero indicates the event is impossible and one indicates the event has or certainly will occur.
  2. Within the subjective probability interpretation, it is possible to estimate probabilities of events (using experts or models) that have not previously occurred or that have only rarely occurred, such as acts of terrorism. However, because subjective probabilities incorporate historical or trial data when available, the subjective probability will approximate the frequentist probability as data becomes more plentiful.
  3. Subjective probability is currently one of the most common uses of probability among statisticians and the risk analysis community.
  4. Bayesian probability is colloquially used as a synonym for subjective probability. In statistical usage, Bayesian probabilistic inference is an approach to statistical inference that employs Bayes’ theorem to revise prior information using evidence.
Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance
Bayesian Probability

Bayesian Probability

Definition(s)


Bayesian Probability

The process of evaluating the probability of a hypothesis through 1) the specification of a prior probability and 2) modification of the prior probability by incorporation of observed information to create an updated posterior probability. Sample Usage: The analyst applied Bayesian probability techniques to incorporate new evidence and update her estimate of the threat probability. Annotation: This concept is also referred to as Bayesian probabilistic inference. Bayesian probability evaluates likelihoods as probabilities rather than frequencies. Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance
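The Break-even Analysis entry above describes finding the threat probability at which a security policy's benefits equal its costs, and the two Bayesian Probability entries describe revising a prior degree of belief with observed evidence. The following block is an added worked example that carries both through; it is not part of the DHS Risk Lexicon or any of the standards cited on this page. The loss model (annual expected loss equals attack probability times loss, a control reduces the probability by a fixed fraction), the function names, and every number used are assumptions chosen for illustration.

```python
"""Added worked example for the Break-even Analysis and Bayesian Probability
entries. It is not part of the DHS Risk Lexicon; the loss model, the numbers
and the function names are assumptions chosen for illustration.

Model (assumed): annual expected loss from one attack scenario is p * L, with
p the annual attack probability and L the loss if the attack succeeds. A
control that costs C per year and cuts p by a fraction r (0 < r <= 1) gives an
annual benefit of p * L * r, so costs equal benefits when p * L * r == C.
"""


def break_even_probability(annual_cost: float, loss_if_attack: float,
                           reduction_fraction: float) -> float:
    """Smallest annual attack probability at which the control pays for itself.

    Solves p * L * r == C for p.  A decision maker who believes the real
    threat probability exceeds this value expects the policy's benefits to
    exceed its costs (DHS Risk Lexicon annotation on break-even analysis).
    """
    if not 0.0 < reduction_fraction <= 1.0:
        raise ValueError("reduction_fraction must be in (0, 1]")
    if loss_if_attack <= 0.0 or annual_cost < 0.0:
        raise ValueError("loss_if_attack must be > 0 and annual_cost >= 0")
    return annual_cost / (loss_if_attack * reduction_fraction)


def break_even_reduction(annual_cost: float, loss_if_attack: float,
                         attack_probability: float) -> float:
    """Fraction by which the control must reduce attack probability to break even.

    Solves p * L * r == C for r.  A result above 1.0 means no achievable
    reduction (at most 100 %) can make the control pay off at this threat
    level, which is the situation in the lexicon's sample usage where the
    policy was rejected.
    """
    if not 0.0 < attack_probability <= 1.0:
        raise ValueError("attack_probability must be in (0, 1]")
    if loss_if_attack <= 0.0 or annual_cost < 0.0:
        raise ValueError("loss_if_attack must be > 0 and annual_cost >= 0")
    return annual_cost / (loss_if_attack * attack_probability)


def bayes_update(prior: float, p_evidence_given_attack: float,
                 p_evidence_given_no_attack: float) -> float:
    """Posterior P(attack | evidence) from a prior degree of belief.

    Bayes' theorem: P(A|E) = P(E|A) P(A) / (P(E|A) P(A) + P(E|not A) P(not A)).
    The two likelihoods are the analyst's judgement of how often the observed
    indicator would appear in each world; they are assumptions, not data.
    """
    for name, value in (("prior", prior),
                        ("p_evidence_given_attack", p_evidence_given_attack),
                        ("p_evidence_given_no_attack", p_evidence_given_no_attack)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} must be a probability in [0, 1]")
    joint_attack = prior * p_evidence_given_attack
    joint_no_attack = (1.0 - prior) * p_evidence_given_no_attack
    if joint_attack + joint_no_attack == 0.0:
        raise ValueError("evidence has zero probability under both hypotheses")
    return joint_attack / (joint_attack + joint_no_attack)


def policy_pays_off(believed_probability: float, annual_cost: float,
                    loss_if_attack: float, reduction_fraction: float) -> bool:
    """True when the believed threat probability exceeds the break-even level."""
    return believed_probability > break_even_probability(
        annual_cost, loss_if_attack, reduction_fraction)


if __name__ == "__main__":
    # Constructed figures (assumptions): a control costing 200,000 per year that
    # halves the attack probability, against a 50,000,000 loss if the attack succeeds.
    cost, loss, reduction = 200_000.0, 50_000_000.0, 0.5
    threshold = break_even_probability(cost, loss, reduction)   # 0.008
    prior = 0.02                                                # analyst's degree of belief
    posterior = bayes_update(prior, 0.6, 0.1)                   # about 0.109 after an indicator is seen
    print(f"break-even threat probability: {threshold:.4f}")
    print(f"prior {prior:.3f} -> posterior {posterior:.3f} after evidence")
    print(f"adopt control: {policy_pays_off(posterior, cost, loss, reduction)}")
    # A far costlier control (5,000,000 per year) needs p > 0.2 to break even;
    # at a believed 2 % per year it is rejected, and the reduction fraction it
    # would need exceeds 1.0, i.e. it cannot be achieved at all.
    print(f"costly control adopted: {policy_pays_off(prior, 5_000_000.0, loss, reduction)}")
    print(f"required reduction for costly control: {break_even_reduction(5_000_000.0, loss, prior):.1f}")
```

The two break-even functions solve the same equation for different unknowns, which is what the lexicon means by applying the technique "to other uncertain parameters": hold the cost and loss fixed and ask either what threat probability, or what reduction fraction, the policy would need. The Bayesian update feeds the same decision: the posterior, not the prior, is the "believed" threat level compared against the break-even threshold.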
Baseline Risk

Baseline Risk

Definition(s)


Baseline Risk

The normal operating condition level of risk that takes into account existing risk mitigation measures.

Source: API RP 781 Security Plan Methodology for the Oil and Natural Gas Industries. 1st Ed. September 2016. Global Standards

Baseline Risk

Current level of risk that takes into account existing risk mitigation measures.

Source: API STANDARD 780, Security Risk Assessment Methodology for the Petroleum and Petrochemical Industries, First Edition, May 2013. Global Standards

Baseline Risk

Current level of risk that takes into account existing risk mitigation measures. Sample Usage: Risk analysts for the locality calculated a baseline risk value before analyzing the risk reduction potential of two alternative strategies. Annotation: Often, the word "risk" is used to imply "baseline risk" with the unstated understanding that the reference is the current circumstances. It should not be confused with risk as a measurement, which can change with the substitution of different variables. Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance
Alternative Futures Analysis

Alternative Futures Analysis

Definition(s)


Alternative Futures Analysis

Set of techniques used to explore different future states developed by varying a set of key trends, drivers, and/or conditions. Sample Usage: Strategic analysts used alternative futures analysis to investigate the effectiveness of a proposed policy in different possible futures. Extended Definition: includes forecasts, scenario analysis, and visioning. Annotation:
  1. This type of analysis can be used to test assumptions about future conditions, as well as identify "weak signals" of trends that could be significant in the future and "wildcard events" that, while unlikely, would have high impact should they occur.
  2. Alternative futures analysis can also test the robustness of alternative strategies, policies, or capabilities by evaluating the effectiveness of each, and evaluating trade-offs or complementarities among them, in a variety of potential future states ranging from the highly challenging to the visionary.
  3. Similar methods can be used to develop a statement of vision to motivate an organization to create the future it prefers in light of changes taking place in the environment.
Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance
Adaptive Risk

Adaptive Risk

Definition(s)


Adaptive Risk

Category of risk that includes threats intentionally caused by humans. Sample Usage: A terrorist plot to attack a public transportation system can be categorized as an adaptive risk. Annotation: Adaptive risks can include insider threats, civil disturbances, terrorism, or transnational crime. Those threats are caused by people that can change their behavior or characteristics in reaction to prevention, protection, response, or recovery measures taken. Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance
Accidental Hazard

Accidental Hazard

Definition(s)


Accidental Hazard

Source of harm or difficulty created by negligence, error, or unintended failure. Sample Usage: The chemical storage tank in the loading area without a concrete barrier may present an accidental hazard. Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance
Acceptable Risk

Acceptable Risk

Definition(s)


Acceptable Risk

Level of risk at which, given costs and benefits associated with risk reduction measures, no action is deemed to be warranted at a given point in time. Sample Usage: Extremely low levels of water-borne contaminants can be deemed an acceptable risk. Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance
Absolute Risk (Unmitigated)

Absolute Risk (Unmitigated)

Definition(s)


Absolute Risk (Unmitigated)

Level of risk that exists without risk controls. Sample Usage: An absolute risk value for the facility, assuming no security measures, was determined at the outset of the analysis. Extended Definition: a hypothetical condition that would exist if risk mitigation measures were absent. Annotation:
  1. The application of absolute risk to natural hazards is straightforward. It is a reasonable approximation of what the risk would be if all countermeasures were actually removed. It is commonly used as a step in calculating the risk-reduction value of existing or prospective countermeasures.
  2. The use of absolute risk for crime and terrorism involves limitations. In this context, absolute risk involves imagining that no countermeasures are in place. However, it does not involve imagining the response of adaptive intelligent adversaries in this absence of countermeasures. As a result, it is a poor approximation of what the actual risk would be if the countermeasures were removed.
  3. It is critical to be transparent about these assumptions when comparing any crime-or terrorism-related absolute risk (or calculation derived therein) to any other absolute risk-derived calculation.
Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance
Absolute Risk

Absolute Risk

Definition(s)


Absolute Risk

Level of risk expressed with standard units of measurement that allows for independent interpretation without comparison to estimates of other risks. Sample Usage: Analysts used the absolute risk estimate for a particular scenario to determine if a mitigation measure was cost effective. Annotation:
  1. The absolute risk value of a scenario has a meaningful independent interpretation in contrast to relative risk that is meaningful only in comparison to other similarly constructed risk values.
  2. Can be measured using annualized lives lost, expected economic impact, or other metrics but it is not a ratio of risks.
  3. Can measure absolute level of risk pre- or post-risk reduction measures.
Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance
Risk Mitigation

Risk Mitigation

Definition(s)


Risk Mitigation

Application of measure or measures to reduce the likelihood of an unwanted occurrence and/or its consequences.

Source: API STANDARD 780, Security Risk Assessment Methodology for the Petroleum and Petrochemical Industries, First Edition, May 2013. Global Standards

Risk Mitigation

Application of measure or measures to reduce the likelihood of an unwanted occurrence and/or its consequences. Sample Usage: Through risk mitigation, the potential impact of the natural disaster on the local population was greatly reduced. Annotation: Risk mitigation measures may be implemented prior to, during, or after an incident, event, or occurrence. Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance

Risk Mitigation

The application of one or more measures to reduce the likelihood of an unwanted occurrence and/or lessen its consequences. Extended Definition: Implementing appropriate risk-reduction controls based on risk management priorities and analysis of alternatives. Adapted from: DHS Risk Lexicon, CNSSI 4009, NIST SP 800-53 Rev 4 Source: NICCS™ Portal Cybersecurity Lexicon, National Initiative for Cybersecurity Careers and Studies (https://niccs.us-cert.gov/glossary) as of 11 November 2015, Global Standards
Attack Path

Attack Path

Definition(s)


Attack Path

Steps that a threat takes or may take to plan, prepare for, and execute an attack.

Source: API STANDARD 780, Security Risk Assessment Methodology for the Petroleum and Petrochemical Industries, First Edition, May 2013. Global Standards

Attack Path

Steps that an adversary takes or may take to plan, prepare for, and execute an attack. Sample Usage: Part of the attack path for the car bombing involved dozens of individuals moving money, arms and operatives from the terrorist safe haven to the target area. Annotation: An attack path may include recruitment, radicalization, and training of operatives, selection and surveillance of the target, construction or procurement of weapons, funding, deployment of operatives to the target, execution of the attack, and related post-attack activities. Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance

Attack Path

The steps that an adversary takes or may take to plan, prepare for, and execute an attack. Adapted from: DHS Risk Lexicon, NCSD Glossary Source: NICCS™ Portal Cybersecurity Lexicon, National Initiative for Cybersecurity Careers and Studies (https://niccs.us-cert.gov/glossary) as of 11 November 2015, Global Standards
Attack Method

Attack Method

Definition(s)


Attack Method

Manner and means, including the weapon and delivery method, a threat may use to cause harm on a target.

Source: API STANDARD 780, Security Risk Assessment Methodology for the Petroleum and Petrochemical Industries, First Edition, May 2013. Global Standards

Attack Method

Manner and means, including the weapon and delivery method, an adversary may use to cause harm on a target. Sample Usage: Analysts have identified weaponization of an aircraft as an attack method that terrorists may use. Annotation: Attack method and attack mode are synonymous. Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance

Attack Method

The manner or technique and means an adversary may use in an assault on information or an information system. Adapted from: DHS Risk Lexicon, NCSD Glossary Source: NICCS™ Portal Cybersecurity Lexicon, National Initiative for Cybersecurity Careers and Studies (https://niccs.us-cert.gov/glossary) as of 11 November 2015, Global Standards  
Adversary

Adversary

Definition(s)


Adversary

An individual, group, organization, or government that conducts or has the intent to conduct detrimental activities. From: DHS Risk Lexicon Source: NICCS™ Portal Cybersecurity Lexicon, National Initiative for Cybersecurity Careers and Studies (https://niccs.us-cert.gov/glossary) as of 11 November 2015, Global Standards

Adversary

Individual, group, organization, or government that conducts or has the intent to conduct detrimental activities Sample Usage: Al-Qaeda is an adversary of the United States. Annotation:
  1. An adversary can be hypothetical for the purposes of training, exercises, red teaming, and other activities.
  2. An adversary differs from a threat in that an adversary may have the intent, but not the capability, to conduct detrimental activities, while a threat possesses both intent and capability.
Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance  

Adversary

Any individual, group, organization, or government that conducts activities detrimental to an operator’s assets or has the intention and capability to conduct such activities. Note: An adversary can include political and terrorist groups, criminals, disgruntled employees, and private interests; an adversary can also include site insiders, site outsiders, or the two acting in collusion. (Source: Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical Industries). Source: Canadian Standards Association, Z246.1-09, Security management for petroleum and natural gas industry systems, August 2009, Regional Standards

Risk Control

Risk Control

Definition(s)


Risk Control

Deliberate action taken to reduce the potential for harm or maintain it at an acceptable level. Sample Usage: As a risk control measure, security guards screen items to reduce the likelihood of dangerous articles getting inside of office buildings. Annotation: Risk control is one of a set of four commonly used risk management strategies, along with risk avoidance, risk acceptance, and risk transfer. Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance

Risk Control

A barrier implemented within an activity designed to eliminate or mitigate a risk or range of risks. A risk control may take the form of "hard" barriers based on engineered, physical solutions to prevent or avoid a risk, or "soft" barriers relying on compliance with operating plans, procedures and competence of the workforce. Normally, multiple risk controls or "layers of protection" are implemented to achieve risk acceptance. Source: IOGP Report No. 510, Operating Management System Framework for controlling risk and delivering high performance in the oil and gas industry, International Association of Oil & Gas Producers, June 2014. Global Standards
Capability

Capability

Definition(s)


Capability

The potential to accomplish a mission, function, or objective. Source: API RP 781 Security Plan Methodology for the Oil and Natural Gas Industries. 1st Ed. September 2016. Global Standards

Capability

The means to accomplish a mission, function, or objective. Adapted from: DHS Risk Lexicon. Source: NICCS™ Portal Cybersecurity Lexicon, National Initiative for Cybersecurity Careers and Studies (https://niccs.us-cert.gov/glossary) as of 11 November 2015, Global Standards  

Capability

The means to accomplish a mission, function, or objective. Adapted from: DHS Risk Lexicon Source: IOGP Report No. 510, Operating Management System Framework for controlling risk and delivering high performance in the oil and gas industry, International Association of Oil & Gas Producers, June 2014. Global Standards  

Capability

Means to accomplish a mission, function, or objective.

Source: API STANDARD 780, Security Risk Assessment Methodology for the Petroleum and Petrochemical Industries, First Edition, May 2013. Global Standards

Capability

Means to accomplish a mission, function, or objective. Sample Usage: Counterterrorism operations are intended to reduce the capability of terrorist groups. Annotation: Adversary capability is one of two elements, the other being adversary intent, that are commonly considered when estimating the likelihood of terrorist attacks. Adversary capability is the ability of an adversary to attack with a particular attack method. Other COIs may use capability to refer to any organization's ability to perform its mission, activities, and functions. Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance
Usability Testing

Usability Testing

Definition(s)


Usability Testing

Evaluation methods and techniques used to support Human-Centred Design (HCD) and used for the purpose of increasing the usability of a system. Source: IMO MSC.1/Circ.1512, Guideline on Software Quality Assurance and Human-Centred Design for e-navigation, 8 June 2015, International Maritime Organization. Regulatory Guidance
Usability

Usability

Definition(s)


Usability

The extent to which systems can be used by users to achieve specified goals with effectiveness, efficiency and satisfaction, in a specified context of use. Source: IMO MSC.1/Circ.1512, Guideline on Software Quality Assurance and Human-Centred Design for e-navigation, 8 June 2015, International Maritime Organization. Regulatory Guidance  

Usability

Extent to which a system, product or service can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction in a specified context of use.
  • Note 1 to entry: Systems, products or services are part of work systems (2.2) and used by workers (2.4) within those systems.
  • Note 2 to entry: In this International Standard, the context of use is within a work system.
[SOURCE: ISO 9241-210:2010, 2.13]. Source: ISO 6385:2016, Ergonomics principles in the design of work systems, Third Edition, September 2016. Global Standards
System Life Cycle (Life Cycle)

System Life Cycle (Life Cycle)

Definition(s)


System Life Cycle (Life Cycle)

The stages containing the processes, activities and tasks spanning the life of the system and/or product from the definition of its requirements to the termination of its use; life cycle covers its conception, design, operation, maintenance, support and disposal. Source: IMO MSC.1/Circ.1512, Guideline on Software Quality Assurance and Human-Centred Design for e-navigation, 8 June 2015, International Maritime Organization. Regulatory Guidance
Software Quality in Use

Software Quality in Use

Definition(s)


Software Quality in Use

Capability of a software product to enable specific users to achieve specific goals with effectiveness, productivity, safety and satisfaction in specific contexts of use. Source: IMO MSC.1/Circ.1512, Guideline on Software Quality Assurance and Human-Centred Design for e-navigation, 8 June 2015, International Maritime Organization. Regulatory Guidance
Software Quality Evaluation

Software Quality Evaluation

Definition(s)


Software Quality Evaluation

A systematic examination of the extent to which a software product is capable of satisfying stated and implied needs. Source: IMO MSC.1/Circ.1512, Guideline on Software Quality Assurance and Human-Centred Design for e-navigation, 8 June 2015, International Maritime Organization. Regulatory Guidance
SQA

SQA

Definition(s)


SQA

Software Quality Assurance.

Source: IMO MSC.1/Circ.1512, Guideline on Software Quality Assurance and Human-Centred Design for e-navigation, 8 June 2015, International Maritime Organization. Regulatory Guidance

SQA

A set of processes that ensures software meets and complies with required quality specifications. Designated SQA processes align with a system design life cycle. Source: IMO MSC.1/Circ.1512, Guideline on Software Quality Assurance and Human-Centred Design for e-navigation, 8 June 2015, International Maritime Organization. Regulatory Guidance
Software Quality Assurance (SQA)

Software Quality Assurance (SQA)

Definition(s)


Software Quality Assurance (SQA)

A set of processes that ensures software meets and complies with required quality specifications. Designated SQA processes align with a system design life cycle. Source: IMO MSC.1/Circ.1512, Guideline on Software Quality Assurance and Human-Centred Design for e-navigation, 8 June 2015, International Maritime Organization. Regulatory Guidance
Software Quality

Software Quality

Definition(s)


Software Quality

The degree to which a software product (system, component or process) meets specified requirements with the aim of also meeting stakeholder expectations. Source: IMO MSC.1/Circ.1512, Guideline on Software Quality Assurance and Human-Centred Design for e-navigation, 8 June 2015, International Maritime Organization. Regulatory Guidance
Socio-technical System

Socio-technical System

Definition(s)


Socio-technical System

A system that includes interaction between people, technology (i.e. equipment and systems) and their physical and organizational environments. Source: IMO MSC.1/Circ.1512, Guideline on Software Quality Assurance and Human-Centred Design for e-navigation, 8 June 2015, International Maritime Organization. Regulatory Guidance
Satisfaction

Satisfaction

Definition(s)


Satisfaction

Freedom from discomfort along with positive attitudes towards the use of the system. Source: IMO MSC.1/Circ.1512, Guideline on Software Quality Assurance and Human-Centred Design for e-navigation, 8 June 2015, International Maritime Organization. Regulatory Guidance
Product Quality

Product Quality

Definition(s)


Product Quality

The degree to which a product or system meets functional suitability, performance efficiency, compatibility, usability, reliability, security, maintainability and portability as defined by ISO/IEC 25010 or relevant standards. The overall product quality is a result of quality of hardware, software and data. Source: IMO MSC.1/Circ.1512, Guideline on Software Quality Assurance and Human-Centred Design for e-navigation, 8 June 2015, International Maritime Organization. Regulatory Guidance
Human-Centred Design (HCD)

Human-Centred Design (HCD)

Definition(s)


Human-Centred Design (HCD)

An approach to system design and development that aims to make interactive systems more usable by focussing on the use of the system; applying human factors, ergonomics and usability knowledge and techniques. Note: The term "human-centred design" is used rather than "user-centred design" in order to emphasize that this process also addresses impacts on a number of stakeholders, not just those typically considered as users. However, in practice, these terms are often used synonymously. Usable systems can provide a number of benefits including improved productivity, reduction in training needs, enhanced user well-being, avoidance of stress, increased accessibility, and reduced risk of harm. Source: IMO MSC.1/Circ.1512, Guideline on Software Quality Assurance and Human-Centred Design for e-navigation, 8 June 2015, International Maritime Organization. Regulatory Guidance  

Human-Centred Design

Approach to systems design and development that aims to make interactive systems more usable by focusing on the use of the system and applying human factors/ergonomics (2.3) and usability (2.12) knowledge and techniques. [SOURCE: ISO 9241-210:2010, 2.7, modified — Notes 1 and 2 to entry omitted]. Source: ISO 6385:2016, Ergonomics principles in the design of work systems, Third Edition, September 2016. Global Standards