1.1 Introduction.

1.2 Security Risk Equation.

1.3 Security Risk Assessment and Management Process.

1.3.1 Facility Characterization.

1.3.2 Threat Analysis.

1.3.3 Consequence Analysis.

1.3.4 System Effectiveness Assessment.

1.3.5 Risk Estimation.

1.3.6 Comparison of Estimated Risk Levels.

1.3.7 Risk Reduction Strategies.

1.4 Presentation to Management.

1.5 Risk Management Decisions.

1.6 Information Protection.

1.7 Process Summary.

1.8 References.

1.9 Exercises.

2. Screening Analysis.

2.1 Introduction.

2.2 Screening Analysis Methods.

2.3 Summary.

2.4 References.

2.5 Exercises.

3. Facility Characterization.

3.1 Introduction.

3.2 Undesired Events.

3.3 Facility Description.

3.3.1 Physical Details.

3.3.2 Cyber Information System.

3.3.3 Facility Operations.

3.3.4 Security Protection Systems.

3.3.5 Workforce Description.

3.3.6 Restrictions, Requirements, Limitations.

3.4 Critical Assets.

3.4.1 Generic Fault Tree.

3.4.2 Identifying Critical Assets.

3.5 Protection Objectives.

3.6 Summary.

3.7 References.

3.8 Exercises.

4. Threat Analysis.

4.1 Introduction.

4.2 Sources of Threat Information.

4.2.1 Local and State Sources.

4.2.2 National Sources.

4.3 Adversary Spectrum.

4.4 Adversary Capability.

4.5 Threat Potential for Attack.

4.5.1 Outsider Threat.

4.5.2 Insider Threat.

4.6 Summary.

4.7 References.

4.8 Exercises.

5. Consequence Analysis.

5.1 Introduction.

5.2 Reference Table of Consequences.

5.3 Consequence Values for Undesired Events.

5.4 Summary.

5.5 References.

5.6 Exercises.

6. Asset Prioritization.

6.1 Introduction.

6.2 Prioritization Matrix.

6.3 Summary.

6.4 References.

6.5 Exercises.

7. System Effectiveness.

7.1 Introduction.

7.2 Protection System Effectiveness.

7.2.1 Adversary Strategies.

7.2.2 Physical Protection System Effectiveness.

7.2.3 Cyber Protection System Effectiveness.

7.3 Summary.

7.4 References.

7.5 Exercises.

8. Estimating Security Risk.

8.1 Introduction.

8.2 Estimating Security Risk.

8.2.1 Conditional Risk.

8.2.2 Relative Risk.

8.3 Summary.

8.4 References.

8.5 Exercises.

9. Risk Reduction Strategies.

9.1 Introduction.

9.2 Strategies for Reducing Likelihood of Attack.

9.3 Strategies for Increasing Protection System Effectiveness.

9.3.1 Physical Protection System Upgrades.

9.3.2 Cyber Protection System Upgrades.

9.3.3 Protection System Upgrade Package(s).

9.4 Strategies for Mitigating Consequences.

9.4.1 Construction Hardening.

9.4.2 Redundancy.

9.4.3 Optimized Recovery Strategies.

9.4.4 Emergency Planning.

9.5 Combinations of Reduction Strategies.

9.6 Summary.

9.7 References.

9.8 Exercises.

10. Evaluating Impacts.

10.1 Risk Level.

10.2 Costs.

10.3 Operations/Schedules.

10.4 Public Opinion.

10.5 Other Site-Specific Concerns.

10.6 Review Threat Analysis.

10.7 Summary.

10.8 References.

10.9 Exercises.

11. Risk Management Decisions.

11.1 Introduction.

11.2 Risk Assessment Results.

11.2.1 Executive Summary.

11.2.2 Introduction.

11.2.3 Threat Analysis.

11.2.4 Consequence Analysis.

11.2.5 System Effectiveness Assessment.

11.2.6 Risk Estimation.

11.2.7 Risk Reduction Strategies and Packages.

11.2.8 Impact Analysis.

11.2.9 Supporting Documentation.

11.2.10 Report Overview.

11.3 Risk Management Decisions.

11.4 Establish Design Basis Threat (DBT).

11.5 Summary.

11.6 References.

11.7 Exercises.

12. Summary.

12.1 Facility Characterization.

12.2 Threat Analysis.

12.3 Consequence Analysis.

12.4 System Effectiveness Assessment.

12.5 Risk Estimation.

12.6 Comparison of Estimated Risk Level to Threshold.

12.7 Risk Reduction Strategies.

12.8 Analysis of Impacts Imposed by Risk Reduction Upgrade Packages.

12.9 Presentation to Management.

12.10 Risk Management Decisions.