
1

INSE 6320 -- Week 1


Risk Analysis for Information and Systems Engineering

Go over Course Outline


What is Risk?
Introduction to Risk Analysis

Dr. B. Khosravifar Concordia University


2

Instructor: Dr. Babak Khosravifar

Office: EV 7.XXXX

Lectures: Wednesdays & Fridays


6:30 - 9:00 PM

Office Hours: Monday 1:30 - 3:30 PM

E-Mail: Babak.Khosravifar@Mentorina.com
3

What is INSE 6320?


INSE 6320 is an Information and Systems Engineering course
You will learn how to:
Assess risk for systems engineering using probability theory and statistics
Use the basic tools of risk analysis: fault trees, event trees, simulation models,
and influence diagrams
Model uncertainty and measure risk through various methods
Implement quantitative risk analyses, and develop strategies to identify, assess,
monitor and mitigate risk.
4

Roadmap of the Course?


[Diagram: INSE 6320 course roadmap. Topics shown: Risk & Uncertainty; Fault & Event Trees; Decision Theory; Probability Distributions; Statistical Inference; Influence Diagrams; Risk Management; Reliability; Expert Opinion; Weibull Analysis; Risk Measurement; Midterm Exam; Final Exam]


5

Administration
Course web page:
MyConcordia Portal (Moodle)
It's highly advised to check Moodle regularly.
Syllabus, Slides, Assignments, Projects, etc.
Go to MyConcordia Portal (Moodle).

Preliminary exam dates and project due date:


Midterm Exam
May 26th, 2017 (in class)
Project due
June 16th, 2017 (Friday by midnight)
Final Exam
June ---, 2017 (TBA)
6

Recommended Textbook
Probabilistic Risk Analysis: Foundations and Methods
Authors: T. Bedford and R. Cooke
Publisher: Cambridge University Press, 2001
ISBN-13: 978-0521773201
7

Grading Policy
Course Modules     Portion
Two Quizzes         5%
Two Assignments    10%
Midterm Exam       30%
Project            20%
Final Exam         35%

Important Dates:
May 19th, 2017: Assignment #1 due
May 24th, 2017: Quiz #1 (in class)
May 26th, 2017: Midterm Exam
June 9th, 2017: Assignment #2 due
June 14th, 2017: Quiz #2 (in class)
June 16th, 2017: Project Report due
June ---, 2017: Final Exam

Final Project
Final reports due on June 16th, 2017 before midnight.
A final project report should be completed in groups.
The term project will have only one component: written report.
More details will be posted on: MyConcordia Portal (Moodle)
8

What is this course about?


This course is about Risk Analysis for Information and Systems Engineering.
Engineering systems are almost always designed, constructed, and operated
under unavoidable conditions of risk and uncertainty.

Risk perception of uncertainty in events that occur and actions taken.
Risks encountered in everyday decision-making
Multiple ways to consider risks:
Risk as feelings
Risk as analysis
Risk as politics
We primarily evaluate risk intuitively (as feelings)

It seems every week there is a new story about some type of security breach
That new story says that the security breach costs the organization
thousands or millions of dollars.
Recent Sony security breach cost is $100 million
The question is: how do they come up with those numbers?
9

What is Risk?
Risk as a science was born in the sixteenth century Renaissance, a time of
discovery
The word risk is derived from the early Italian risicare, which means to dare
Today, risk is defined as the possibility of loss
Loss: Unless there is potential for loss, there is no risk
The loss can be either a bad outcome or a lost opportunity
Choice: Unless there is a choice, there is no risk management

Definition:
The likelihood that a particular threat using a specific attack, will
exploit a particular vulnerability of a system that results in an
undesirable consequence.
(Definition from National Information Systems Security (INFOSEC) Glossary,
NSTISSI No. 4009, Aug. 1997)
10

What is Risk?
The probability that a particular threat will exploit a particular vulnerability

Risk can be described in terms of probability (the possibility of risk),
consequence (the loss), and time frame

Probability is the likelihood that the consequence will occur

Consequence is the effect of an unsatisfactory outcome

Time Frame refers to when the risk will occur during the product lifecycle, e.g.
long, medium, short, ...

Risks are future events with a probability of occurrence and a potential for loss

Many problems that arise in software development efforts were first known as
risks by someone on the project staff

Caught in time, risks can be avoided, negated or have their impacts reduced
11

Risk Applications
Finance
Risk in investments, insurance etc.,
Industrial
Plant failures, accidents, competitive risks
Political
Impact of decisions, probabilities of success etc.
Nuclear
Plant operation, fuel storage, proliferation of fissile material
Aviation
Safety of airplanes, weather conditions, terrorism impact
Medicine
Weighing different treatment options
12

Probability
Probability and risk surround us. Elements of this underlie every decision we
make, as simple as crossing a road or as major as buying a car or house.
How likely is a future problem to occur?
Often difficult to define precisely

Probability can be defined as a percentage, a phrase or a relative number:


Probability   Uncertainty                              Rank
> 80%         Almost certainly, highly likely          5
61%-80%       Probable, likely, probably, we believe   4
41%-60%       We doubt, improbable, better than even   3
21%-40%       Unlikely, probably not                   2
< 21%         Highly unlikely, chances are slight      1
13

Risk
Opposing Views (Life is risky. The future is uncertain).

Statisticians
Probabilities
Consequences of Adverse Events
Quantifiable
Social scientists
Invented to cope with uncertainties
Dependent on perception
Risk perception: blending of science and judgment with important
psychological, social, cultural, and political factors
Risk estimation depends on risk definition
Needs to be a consistent and universally
accepted definition of risk per domain

Our risk domain is information security


14

Risk
Human Factors
Uncertainty in computing risk is unavoidable
Reactions to risk based on emotion, rather than scientific evidence.
When people become outraged, they may overreact.
If people are not outraged, they may under-react.

Risk comparisons may be more clear than using absolute numbers


Emotions must be considered with scientific evidence.
People become uneasy when scientists are
not certain about the risk posed by a hazard
(effect, severity, or prevalence).
Rather than diminish legitimate concerns
or heighten illegitimate ones,
psychological factors must be addressed
to encourage constructive action.
15

The Risk Equation


Risk = Probability x Consequence
     = Function(Threat, Vulnerability, Consequence)

Threat: Any person, circumstance or event with the potential to cause
loss or damage.

Vulnerability: Any weakness that can be exploited by an adversary or
through accident.

Consequence: The amount of loss or damage that can be expected from a
successful attack. Also referred to as impact, loss or cost
16

What is Risk Analysis?


The process of identifying, assessing, and reducing risks to an
acceptable level
Defines and controls threats and vulnerabilities
Implements risk reduction measures

An analytic discipline with three parts:


Risk assessment: determine what the risks are
Risk management: evaluating alternatives for mitigating the risk
Risk communication: presenting this material in an
understandable way to decision makers and/or the public

Risk analysis = Risk assessment + Risk management + Risk communication


Risk Management Process
17
18

Benefits of Risk Analysis

Assurance that greatest risks have been identified and addressed


Increased understanding of risks
Mechanism for reaching consensus
Support for needed controls
Means for communicating results
19

Basic Risk Analysis Structure


Evaluate
Value of computing and information assets
Vulnerabilities of the system
Threats from inside and outside
Risk priorities
Risk = Probability x Impact
= Function(Threat,Vulnerability,Impact)

Examine
Availability of security countermeasures
Effectiveness of countermeasures
Costs (installation, operation, etc.) of countermeasures
Implement and Monitor
20

Example Critical Assets


People and skills
Goodwill
Hardware/Software
Data
Documentation
Supplies
Physical plant
Money

Threats
An expression of intention to inflict evil, injury, or damage
Attacks against key security services
Confidentiality, integrity, availability
21

Vulnerabilities
Flaw or weakness in system that can be exploited to violate
system integrity.
Security Procedures
Design
Implementation
Threats trigger vulnerabilities
Accidental
Malicious
22

Controls/Countermeasures
Mechanisms or procedures for mitigating vulnerabilities
Prevent
Detect
Recover
Understand cost and coverage of control
Controls follow vulnerability and threat analysis
Cost of control should never exceed the expected loss assuming no control
23

Types of Risk Analysis: How to Calculate Risk?


Quantitative
Assigns real numbers to costs of safeguards and
damage
Annual loss exposure (ALE)
Probability of event occurring
Can be unreliable/inaccurate

Qualitative
Judges an organization's risk to threats
Based on judgment, intuition, and experience
Ranks the seriousness of the threats for the sensitivity
of the assets
Subjective, lacks hard numbers to justify return on
investment
24

Qualitative Risk Analysis


Generally used in Information Security
Hard to make meaningful valuations and meaningful probabilities
Relative ordering is faster and more important
Many approaches to performing qualitative risk analysis
Same basic steps as quantitative analysis
Still identifying assets, threats, vulnerabilities, and controls
Just evaluating importance differently

Example:
The system is weak in this area and we know
that our adversary has the capability and
motivation to get to the data in the system so the
likelihood of this event occurring is high.
25

Qualitative Representation of Risk

Qualitative risk representations are often used for quick evaluations and screening.

[Risk matrix: rows are Probability of Occurrence (Very Low, Low, Moderate, High, Very High); columns are Consequence of Occurrence (Very Low, Low, Moderate, High, Very High); cells are shaded Low Risk, Medium Risk or High Risk]


26

Quantitative Risk Analysis


Risk Analysis Definition

Risk analysis involves the identification and assessment
of the levels of risks calculated from the known values of
assets and the levels of threats to, and vulnerabilities of,
those assets.
It involves the interaction of the following elements:
Assets
Vulnerabilities
Threats
Impacts
Likelihoods
Controls
27

Quantitative Risk Analysis


Definitions

Quantitative risk analysis methods are based on statistical
data and compute numerical values of risk. They assign a
dollar value to risk.
By quantifying risk, we can justify the benefits of spending
money to implement controls.
It involves three steps
Estimation of individual risks
Aggregation of risks
Identification of controls to mitigate risk
28

Quantitative Risk Analysis


Risk = Impact x Probability
Loss of car: risk-impact is cost to replace car, e.g. $10,000
Probability of car loss: 0.10
Risk = 10,000 x 0.10 = 1,000
Risk Management is about controlling risk. To control a risk
Reduce the Probability
and/or
Reduce the Impact

Single Loss Expectancy (SLE): how much loss for one event?

Risk calculation (per year):
Annual Loss Expectancy (ALE) = SLE x Annual Rate of Occurrence (ARO)
ARO is the probability or frequency of the threat occurring in one year. For
example, if a fire occurs once every 25 years, then ARO=1/25
29

Quantitative Risk Analysis


Step 1: Estimate Potential Loss.
Single Loss Expectancy (SLE): Loss to an asset if event occurs
Value of the lost asset (Asset Value $) = AV is the replacement cost and/or income
derived through the use of an asset
Impact on the Asset (if event occurs) or Exposure Factor (%) = EF is the portion of
the asset's value lost through a threat (also called impact)
SLE = AV ($) x EF (%)

Step 2: Conduct Threat Likelihood Analysis.


Annualized Rate of Occurrence (ARO) characterizes, on an annualized basis, the frequency
with which a threat is expected to occur. It's the number of times per year an incident is likely
to happen.

Step 3: Calculate Annual Loss Expectancy.


Annualized Loss Expectancy (ALE) computes risk using the probability of an event occurring
over one year.
ALE = SLE x ARO
30

Quantitative Risk Analysis


Risk Analysis Steps

Security risks can be analyzed by the following steps:


1. Identify and determine the value of assets
2. Determine vulnerabilities
3. Estimate likelihood of exploitation
   Compute frequency of each attack (with & w/o controls) using statistical data
4. Compute Annual Loss Expectancy
   Compute exposure of each asset given frequency of attacks
5. Survey applicable controls and their costs
6. Perform a cost-benefit analysis
   Compare exposure with controls and without controls to determine the optimum control
31

Determine Value of Assets


Asset Name: Registration Server
$ Value, Direct Loss (Replacement): $10,000
$ Value, Consequential Financial Loss: Breach Not. Law = $804,000; Registration loss per day = $16,000; Forensic help = $100,000
Confidentiality, Integrity, and Availability Notes: Affects: Confidentiality, Availability. Conf => Breach Notification Law => Possible FERPA Violation => Forensic Help. Availability => Loss of Registrations

Asset Name: Grades Server
$ Value, Direct Loss (Replacement): $10,000
$ Value, Consequential Financial Loss: Lawsuit = $1 million; FERPA = $1 million; Forensic help = $100,000
Confidentiality, Integrity, and Availability Notes: Affects: Confidentiality, Integrity. Integrity => Student Lawsuit. Confidentiality => FERPA violation. Both => Forensic help

Asset Name: Student(s) and/or Instructor(s)
$ Value, Direct Loss (Replacement): $2,000 per student (tuition); $8,000 per instructor (for replacement)
$ Value, Consequential Financial Loss: Lawsuit = $1 Million; Investigation costs = $100,000; Reputation = $400,000
Confidentiality, Integrity, and Availability Notes: (E.g.,) School Shooting: Availability (of persons' lives). Issues may arise if we should have removed a potentially harmful student, or did not act fast.
32

Determine Threats Due to Vulnerabilities

System Vulnerabilities

Behavioral: Disgruntled employee, uncontrolled processes, poor network design, improperly configured equipment
Misinterpretation: Poorly-defined procedures, employee error, Insufficient staff, Inadequate mgmt, Inadequate compliance enforcement
Coding Problems: Security ignorance, poorly-defined requirements, defective software, unprotected communication
Physical Vulnerabilities: Fire, flood, negligence, theft, kicked terminals, no redundancy
33

Quantitative Risk

Asset: Registration Server
Threat: System or Disk Failure
Single Loss Expectancy (SLE): System failure: $10,000; Registration x 2 days: $32,000
Annualized Rate of Occurrence (ARO): 0.2 (5 years)
Annual Loss Expectancy (ALE): $42,000 x 0.2 = $8,400

Asset: Registration Server
Threat: Hacker penetration
Single Loss Expectancy (SLE): Breach Not. Law: $804,000; Forensic help: $100,000; Registration x 2 days: $32,000
Annualized Rate of Occurrence (ARO): 0.20 (5 years)
Annual Loss Expectancy (ALE): $936,000 x 0.2 = $187,200

Asset: Grades Server
Threat: Hacker penetration
Single Loss Expectancy (SLE): Lawsuit: $1 million; FERPA: $1 million; Forensic help: $100,000; Loss of Reputation = $10,000
Annualized Rate of Occurrence (ARO): 0.05 (20 years)
Annual Loss Expectancy (ALE): $2,110,000 x 0.05 = $105,500
34

Example: Risk Analysis Calculation

                                             Base Case   Countermeasure A
Asset Value (AV)                             $100,000    $100,000
Exposure Factor (EF)                         80%         20%
Single Loss Expectancy (SLE) = AV*EF         $80,000     $20,000
Annualized Rate of Occurrence (ARO)          50%         50%
Annualized Loss Expectancy (ALE) = SLE*ARO   $40,000     $10,000
ALE Reduction for Countermeasure             NA          $30,000
Annualized Countermeasure Cost               NA          $17,000
Annualized Net Countermeasure Value          NA          $13,000

Countermeasure A should reduce the exposure factor by 75%


35

Example: Risk Analysis Calculation (continued)

                                             Base Case   Countermeasure B
Asset Value (AV)                             $100,000    $100,000
Exposure Factor (EF)                         80%         80%
Single Loss Expectancy (SLE) = AV*EF         $80,000     $80,000
Annualized Rate of Occurrence (ARO)          50%         25%
Annualized Loss Expectancy (ALE) = SLE*ARO   $40,000     $20,000
ALE Reduction for Countermeasure             NA          $20,000
Annualized Countermeasure Cost               NA          $4,000
Annualized Net Countermeasure Value          NA          $16,000

Countermeasure B should cut the frequency of compromises in half
36

Example: Risk Analysis Calculation (continued)

                                             Base Case   Countermeasure A   Countermeasure B
Asset Value (AV)                             $100,000    $100,000           $100,000
Exposure Factor (EF)                         80%         20%                80%
Single Loss Expectancy (SLE) = AV*EF         $80,000     $20,000            $80,000
Annualized Rate of Occurrence (ARO)          50%         50%                25%
Annualized Loss Expectancy (ALE) = SLE*ARO   $40,000     $10,000            $20,000
ALE Reduction for Countermeasure             NA          $30,000            $20,000
Annualized Countermeasure Cost               NA          $17,000            $4,000
Annualized Net Countermeasure Value          NA          $13,000            $16,000

Although Countermeasure A reduces the ALE more, Countermeasure B is much less expensive.
The annualized net countermeasure value for B is larger.
The company should select countermeasure B.
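
The SLE, ARO and ALE steps and the countermeasure comparison above, worked as an added Python example (not part of the original slides). The class and function names are hypothetical, and countermeasure C is a constructed case showing a control whose cost exceeds the loss it prevents.

```python
from dataclasses import dataclass
from decimal import Decimal as D


@dataclass(frozen=True)
class Scenario:
    """One row of the worksheet: an asset/threat pair, with or without a control."""
    name: str
    asset_value: D            # AV in dollars
    exposure_factor: D        # EF: fraction of AV lost per event (0..1)
    aro: D                    # ARO: expected events per year
    annual_cost: D = D("0")   # annualized countermeasure cost (0 for base case)

    def __post_init__(self):
        if not D("0") <= self.exposure_factor <= D("1"):
            raise ValueError("EF must be a fraction between 0 and 1")
        if min(self.asset_value, self.aro, self.annual_cost) < 0:
            raise ValueError("AV, ARO and cost cannot be negative")

    @property
    def sle(self) -> D:       # Step 1: SLE = AV x EF
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> D:       # Step 3: ALE = SLE x ARO
        return self.sle * self.aro


def aro_from_interval(years: int) -> D:
    """Step 2: an event expected once every `years` years has ARO = 1/years."""
    if years <= 0:
        raise ValueError("interval must be positive")
    return D(1) / D(years)


def net_value(base: Scenario, option: Scenario) -> D:
    """Annualized net countermeasure value = ALE reduction - annualized cost."""
    return (base.ale - option.ale) - option.annual_cost


def rank(base: Scenario, options: list) -> list:
    """Return (name, net value) best first; drop controls that cost more than they save."""
    scored = [(o.name, net_value(base, o)) for o in options]
    return sorted((s for s in scored if s[1] > 0), key=lambda s: s[1], reverse=True)


# Figures from the slides: base case and countermeasures A and B.
BASE = Scenario("Base", D("100000"), D("0.80"), D("0.50"))
A = Scenario("A", D("100000"), D("0.20"), D("0.50"), D("17000"))
B = Scenario("B", D("100000"), D("0.80"), D("0.25"), D("4000"))
# Constructed for illustration (not on the slides): saves $20,000/yr, costs $25,000/yr.
C = Scenario("C", D("100000"), D("0.40"), D("0.50"), D("25000"))

if __name__ == "__main__":
    for name, net in rank(BASE, [A, B, C]):
        print(f"Countermeasure {name}: net value ${net:,.0f}/year")
```

Decimal arithmetic keeps the dollar figures exact, and C is dropped from the ranking because its annualized cost exceeds its ALE reduction.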
37

Question
Risk Assessment includes:

1. The steps: risk analysis, risk treatment, risk acceptance, and risk
monitoring
2. Answers the question: What risks are we prone to, and what are
the financial costs of these risks?
3. Assesses controls after implementation
4. The identification, financial analysis, and prioritization of risks,
and evaluation of controls
38

Question
Risk Management includes:

1. The steps: risk analysis, risk treatment, risk acceptance, and risk
monitoring
2. Answers the question: What risks are we prone to, and what are
the financial costs of these risks?
3. Assesses controls after implementation
4. The identification, financial analysis, and prioritization of risks,
and evaluation of controls
39

Question

Single Loss Expectancy refers to:

1. The probability that an attack will occur in one year
2. The duration of time where a loss is expected to occur (e.g.,
one month, one year, one decade)
3. The cost when the risk occurs to the asset once
4. The average cost of loss of this asset per year
40

Question
The risk that is assumed after implementing controls is
known as:
1. Accepted Risk
2. Annualized Loss Expectancy
3. Quantitative risk
4. Residual risk
41

Question
The primary purpose of risk management is to:
1. Eliminate all risk
2. Find the most cost-effective controls
3. Reduce risk to an acceptable level
4. Determine budget for residual risk
42

Tips for success


Expect to spend enough time studying the material of the course
Start every assignment early
Don't fall behind
Ask if you don't know
Do your own work

Reading: Textbook

Assignment #1
To be posted soon on Moodle
