The picture following depicts the CIRAS Conceptual Decision Model. Initial input parameters are needed to properly define the scenario where decision-makers are required to select the most suitable alternative among several available options. This information comprises the assets to be protected, the threats that may harm these assets, the budget to buy or maintain security measures and societal criteria to be taken into account for acceptance
Then several assessments are performed in parallel:
- Risk Reduction Assessment
- Cost-Benefit Assessment
- Qualitative Criteria Assessment: it may be done by means of UFBA and/or MAHP.
The same set of security measures alternatives are compared in all the assessments and specific results are achieved by each kind of assessment.
Finally, a set of reports are generated providing a summary of the key results which were concluded in the previous analysis, in a simple or more thorough way according to the end-user´s preference.
The shortest version of the summary report is just one-page long and it makes it possible to have at a glance a comparison of the security measure alternatives considering all assessments carried out. It displays the results in tables where alternatives are ranked and makes it possible to have a quick idea at a glance with bar charts showing the values got. An alternative could be the best according to an assessment but the worst according to another one. It will be up to the decision-maker to balance the ranks and choose wisely. For instance, if there is a clear threat the RRA results should be prioritized no matter the costs.