Welcome to lesson 20, our last lesson in part 2. Let's continue with our exercise and finish looking at the Electricity Subsector Cybersecurity Capability Maturity Model. Step three in the ES-C2M2 process is prioritize and plan. The idea behind this step is that you may not have enough funds in this budget cycle to implement all the domain objectives necessary to achieve your target maturity levels. Accordingly, whenever faced with more tasks than resources, you must prioritize, but how do you prioritize? Domain one of the ES-C2M2 cybersecurity practices advocates a risk management approach, but it doesn't specify any particular risk methodology. There are certainly many out there to choose from, at least 250 by one estimate. I personally have only seen about 40. In 2006, the first National Infrastructure Protection Plan advocated a risk methodology called RAMCAP, the Risk Analysis and Management for Critical Asset Protection. RAMCAP was developed by the American Society of Mechanical Engineers at the request of the White House shortly after 9/11. RAMCAP assesses risk as the product of threat, vulnerability and consequence. RAMCAP uses this risk estimate to calculate return on investment and perform cost-benefit analysis. RAMCAP calculates the return on investment by dividing the estimated risk addressed by a given countermeasure by its estimated cost. RAMCAP performs cost-benefit analysis by giving highest priority to the countermeasure offering the highest return on investment. Unfortunately, RAMCAP is a very involved process, which probably contributed to its rapid disappearance shortly after it was introduced in 2006. RAMCAP was not mentioned in either the 2009 or 2013 National Infrastructure Protection Plans. RAMCAP's sole surviving role is as the foundation for the American Water Works Association J100-10 standard for risk and resilience management of water and wastewater systems.
Still, it does offer a methodology, and one with a pedigree that no other methodology can match. So let's take a look at how we might apply RAMCAP to the Electricity Subsector Cybersecurity Capability Maturity Model. First, let us consider each domain objective identified in step two of the Electricity Subsector Cybersecurity Capability Maturity Model as a countermeasure. Accordingly, we need to estimate the cost of each identified domain objective. That's not too difficult. We need only estimate the time and materials required to implement each domain objective, and combine them into a single dollar cost for that objective. Next, we need to estimate a risk value for each domain objective. Using RAMCAP, we will estimate risk as the product of threat, vulnerability and consequence. First, we will need to estimate the value of each term before multiplying them together. Let us begin by estimating the consequence term. RAMCAP estimates the worst reasonable consequence that might result from a specific component failure. We will do the same by estimating the worst reasonable consequence of not implementing each identified domain objective. RAMCAP derives a consequence value by extrapolating the estimated losses due to deaths and damages from a finite exponential scale. We don't need to be nearly so elaborate. For simplicity, we will assign a consequence value of one, two or three based on our estimation of whether the failure to implement a specific domain objective could result in low, medium or high losses to the electric utility. Now, let us estimate a value for the vulnerability term. For vulnerability, we will assign a value of one, because we know that we are 100% vulnerable to the absence of the identified domain objective. That makes sense. Finally, let us estimate a value for the threat term, representing the likelihood that this particular vulnerability will be exploited.
Again, for simplicity's sake, we'll assign a threat value of 0.0001, 0.001 or 0.01 based on our estimation that the likelihood of the absence of this particular domain objective being exploited is low, medium or high. Using these data values will result in calculated risk ranging from 0.1% to 3% when we multiply the threat, vulnerability and consequence values. Now remember, this is the risk from not implementing a given domain objective, which means we can expect an equivalent amount of risk reduction by implementing that same domain objective. In other words, the higher the risk, the greater the reward from eliminating it. Therefore, we may consider the calculated risk for each domain objective as equivalent to its risk reduction worth. We are now closer to assigning priorities. For each identified domain objective necessary to achieve our next maturity level, we now have two pieces of important information. One, the estimated cost of implementation. And two, its estimated risk reduction worth. We now calculate the RAMCAP return on investment for each domain objective. So let's say we have two different domain objectives, D01 and D02, and we have estimated the respective implementation costs at $10 and $100. By the same token, we have conducted RAMCAP risk analysis on each domain objective and estimated both risks at 3%. Which domain objective gives us the highest return on investment? Let me organize this information into a table as shown. We calculate the return on investment by dividing the estimated risk by the estimated cost. In the case of our example, the calculated return on investment is 0.003 for D01 and 0.0003 for D02. According to RAMCAP cost-benefit analysis, the countermeasure with the highest return on investment receives the highest priority. In our example, D01 has a higher return on investment than D02 and therefore receives the highest priority. Do you follow me? I know, math, but this is simple arithmetic.
I think you've got it, but let's do just a few more examples to make sure. So let's say this time we have domain objective three and domain objective four. Except this time, we estimate the risk for each at 2% and 3% respectively. That is to say, the estimated risk reduction worth of D03 is 2% and the risk reduction worth of D04 is 3%. However, as before, D03 is significantly cheaper than D04. D03 costs $10 while D04 costs $100 to implement. Again, let me organize this information into a table as shown. Now, which domain objective provides the highest return on investment? Did you say D03? You are correct. The return on investment is 0.002 for D03, but only 0.0003 for D04. The return on investment is higher for domain objective three than for domain objective four. Accordingly, D03 receives a higher priority than D04. Is this making sense? Good. If not, please take the time to rewind and review. Otherwise, let's try our hand at one last example. Let's say you now have domain objectives D05 and D06 with estimated cost and risk terms as shown in the table. Which domain objective offers the highest return on investment? Take a moment to do the calculations before you give your answer. Pause the video if necessary. Did you answer D06? If so, then you are correct. How did you calculate it? Well, first, you had to estimate the risk for each domain objective. You estimate the risk using the RAMCAP method by multiplying the threat, vulnerability and consequence terms for each domain objective. Accordingly, you estimated the risk for D05 at 1% and the risk for D06 at 2%. Remember that these are also the estimated risk reductions to be gained by implementing the corresponding domain objectives. Once you've estimated risk, you divide it by the corresponding estimated cost for each domain objective. So for D05, you divide 1% by $20. And for D06, you divide 2% by $10.
The results indicate that you receive a 0.0005 return on investment for D05, but a 0.002 return on investment for D06. Accordingly, D06 provides the higher return on investment. I know this was tedious, but it's also an important concept. I hope you will try your hand at the challenge questions until you become confident in your understanding. This concludes part two of this course. Please join me for part three, where we will examine cybersecurity methods for the aviation and internet infrastructures. See you there and good luck on your exam.
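As an added worked example (not part of the lecture or of the ES-C2M2 or RAMCAP documents), the prioritisation arithmetic from this lesson written out in code: risk is the product of threat, vulnerability and consequence, return on investment is risk divided by cost, and the objective with the highest return on investment gets the highest priority. The six objectives D01 through D06 use the costs and risk percentages quoted in the lesson; because the lesson's table for D05 and D06 is not reproduced in the transcript, the individual threat and consequence ratings below are constructed so that they multiply out to the quoted risk figures.

```python
"""Added example: RAMCAP-style prioritisation of ES-C2M2 domain objectives.

Risk = threat x vulnerability x consequence (the RAMCAP estimate),
ROI  = risk / cost (the RAMCAP return on investment),
and the highest ROI receives the highest priority (RAMCAP cost-benefit analysis).
Threat and consequence ratings for D01..D06 are constructed assumptions
chosen to reproduce the risk percentages quoted in the lesson.
"""
from dataclasses import dataclass

# Ordinal scales from the lesson: threat likelihood and consequence severity.
THREAT = {"low": 0.0001, "medium": 0.001, "high": 0.01}
CONSEQUENCE = {"low": 1, "medium": 2, "high": 3}
# The objective is absent, so the utility is fully exposed to that absence.
VULNERABILITY = 1.0


@dataclass
class DomainObjective:
    name: str
    cost_usd: float
    threat: str        # key into THREAT
    consequence: str   # key into CONSEQUENCE

    def risk(self) -> float:
        """Risk of NOT implementing this objective, as a fraction (0.03 == 3%).

        By the lesson's argument this is also the objective's risk reduction worth.
        """
        return THREAT[self.threat] * VULNERABILITY * CONSEQUENCE[self.consequence]

    def roi(self) -> float:
        """Return on investment: risk reduction worth divided by implementation cost."""
        if self.cost_usd <= 0:
            raise ValueError(f"{self.name}: implementation cost must be positive")
        return self.risk() / self.cost_usd


def prioritize(objectives):
    """Order objectives highest ROI first; objectives with equal ROI keep input order."""
    return sorted(objectives, key=lambda o: o.roi(), reverse=True)


# Constructed sample: the six objectives worked through in the lesson.
OBJECTIVES = [
    DomainObjective("D01", 10, "high", "high"),    # risk 3%, cost $10
    DomainObjective("D02", 100, "high", "high"),   # risk 3%, cost $100
    DomainObjective("D03", 10, "high", "medium"),  # risk 2%, cost $10
    DomainObjective("D04", 100, "high", "high"),   # risk 3%, cost $100
    DomainObjective("D05", 20, "high", "low"),     # risk 1%, cost $20
    DomainObjective("D06", 10, "high", "medium"),  # risk 2%, cost $10
]


def priority_order(objectives=OBJECTIVES):
    """Names of the objectives in the order they should be funded."""
    return [o.name for o in prioritize(objectives)]


if __name__ == "__main__":
    # Print the same kind of table the lesson organises by hand.
    print(f"{'objective':<10}{'cost $':>8}{'risk':>8}{'ROI':>10}")
    for o in prioritize(OBJECTIVES):
        print(f"{o.name:<10}{o.cost_usd:>8.0f}{o.risk():>8.2%}{o.roi():>10.5f}")
```

Running the script prints the objectives in funding order, D01 first, then D03 and D06 (equal return on investment), then D05, and finally D02 and D04. The `sorted` call is stable, so objectives that tie on return on investment stay in the order you listed them; if you want a deterministic tie-break, such as cheaper first, add it to the sort key rather than relying on input order.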