Office: EV 7.XXXX
E-Mail: Babak.Khosravifar@Mentorina.com
Weibull Risk
Analysis Measurement
Administration
Course web page:
MyConcordia Portal (Moodle)
It is highly advised to check Moodle regularly.
Syllabus, slides, assignments, projects, etc.
Go to MyConcordia Portal (Moodle).
Recommended Textbook
Probabilistic Risk Analysis: Foundations and Methods
Authors: T. Bedford and R. Cooke
Publisher: Cambridge University Press, 2001
ISBN-13: 978-0521773201
Grading Policy
Course Modules and Portion:
Two Quizzes: 5%
Two Assignments: 10%
Midterm Exam: 30%
Project: 20%
Final Exam: 35%
Important Dates:
May 19th, 2017: Assignment #1 due
May 24th, 2017: Quiz #1 (in class)
May 26th, 2017: Midterm Exam
June 9th, 2017: Assignment #2 due
June 14th, 2017: Quiz #2 (in class)
June 16th, 2017: Project Report due
June ---, 2017: Final Exam
Final Project
Final reports due on June 16th, 2017 before midnight.
A final project report should be completed in groups.
The term project will have only one component: written report.
More details will be posted on: MyConcordia Portal (Moodle)
What is Risk?
Risk as a science was born in the sixteenth-century Renaissance, a time of discovery.
The word risk is derived from the early Italian risicare, which means to dare.
Today, risk is defined as the possibility of loss.
Loss: Unless there is potential for loss, there is no risk.
The loss can be either a bad outcome or a lost opportunity.
Choice: Unless there is a choice, there is no risk management.
Definition:
The likelihood that a particular threat, using a specific attack, will exploit a particular vulnerability of a system that results in an undesirable consequence.
(Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug. 1997)
What is Risk?
The probability that a particular threat will exploit a particular vulnerability
Time Frame refers to when the risk will occur during the product lifecycle, e.g. long, medium, short, ...
Risks are future events with a probability of occurrence and a potential for loss
Many problems that arise in software development efforts were first known as
risks by someone on the project staff
Caught in time, risks can be avoided, negated or have their impacts reduced
Risk Applications
Finance
Risk in investments, insurance, etc.
Industrial
Plant failures, accidents, competitive risks
Political
Impact of decisions, probabilities of success etc.
Nuclear
Plant operation, fuel storage, proliferation of fissile material
Aviation
Safety of airplanes, weather conditions, terrorism impact
Medicine
Weighing different treatment options
Probability
Probability and risk surround us. Elements of this underlie every decision we
make, as simple as crossing a road or as major as buying a car or house.
How likely is a future problem to occur?
Often difficult to define precisely
Risk
Opposing Views (Life is risky. The future is uncertain.)
Statisticians:
Probabilities
Consequences of adverse events
Quantifiable
Social scientists:
Invented to cope with uncertainties
Dependent on perception
Risk perception: blending of science and judgment with important psychological, social, cultural, and political factors
Risk estimation depends on risk definition
Needs to be a consistent and universally accepted definition of risk per domain
Risk
Human Factors
Uncertainty in computing risk is unavoidable
Reactions to risk based on emotion, rather than scientific evidence.
When people become outraged, they may overreact.
If people are not outraged, they may under-react.
Examine
Availability of security countermeasures
Effectiveness of countermeasures
Costs (installation, operation, etc.) of countermeasures
Implement and Monitor
Threats
An expression of intention to inflict evil injury or damage
Attacks against key security services
Confidentiality, integrity, availability
Vulnerabilities
Flaw or weakness in a system that can be exploited to violate system integrity.
Security Procedures
Design
Implementation
Threats trigger vulnerabilities
Accidental
Malicious
Controls/Countermeasures
Mechanisms or procedures for mitigating vulnerabilities
Prevent
Detect
Recover
Understand cost and coverage of control
Controls follow vulnerability and threat analysis
Cost of control should never exceed the expected loss assuming no control
Qualitative
Judges an organization's risk to threats
Based on judgment, intuition, and experience
Ranks the seriousness of the threats against the sensitivity of the assets
Subjective; lacks hard numbers to justify return on investment
Example:
The system is weak in this area and we know that our adversary has the capability and motivation to get to the data in the system, so the likelihood of this event occurring is high.
Qualitative risk representations are often used for quick evaluations and screening.
Risk matrix (rows: Probability of Occurrence; columns: Consequence of Occurrence):
Probability of Occurrence: Very Low, Low, Moderate, High, Very High
Consequence of Occurrence: Very Low, Low, Moderate, High, Very High
Single loss Expectancy (SLE): how much loss for one event?
System Vulnerabilities
Behavioral: Disgruntled employee, uncontrolled processes, poor network design, improperly configured equipment
Poorly-defined procedures: employee error, insufficient staff, inadequate management, inadequate compliance enforcement
Misinterpretation / Coding Problems: security ignorance, poorly-defined requirements, defective software, unprotected communication
Physical Vulnerabilities: fire, flood, negligence, theft, kicked terminals, no redundancy
Quantitative Risk

Countermeasure Case A:
                                        Base       Countermeasure
Asset Value (AV)                        $100,000   $100,000
Exposure Factor (EF)                    80%        20%
Single Loss Expectancy (SLE) = AV*EF    $80,000    $20,000
Annualized Rate of Occurrence (ARO)     50%        50%

Countermeasure Case B:
                                        Base       Countermeasure
Asset Value (AV)                        $100,000   $100,000
Exposure Factor (EF)                    80%        80%
Single Loss Expectancy (SLE) = AV*EF    $80,000    $80,000
Annualized Rate of Occurrence (ARO)     50%        25%

Countermeasures A and B compared:
                                        Base       A          B
Asset Value (AV)                        $100,000   $100,000   $100,000
Exposure Factor (EF)                    80%        20%        80%
Single Loss Expectancy (SLE) = AV*EF    $80,000    $20,000    $80,000
Annualized Rate of Occurrence (ARO)     50%        50%        25%

Although Countermeasure A reduces the ALE more, Countermeasure B is much less expensive. The annualized net countermeasure value for B is larger. The company should select countermeasure B.
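The SLE/ARO/ALE arithmetic from the Case A and Case B tables above, carried through to the annualized net countermeasure value, as an added example that is not part of the course slides. The asset, exposure and occurrence figures are the slide's; the yearly costs of the two countermeasures (COST_A, COST_B) are constructed assumptions, since the slide only states that B is much less expensive. The selection helper also applies the earlier rule that a control whose cost exceeds the expected loss it avoids should not be chosen.

```python
# Added example (not from the course slides): ALE and countermeasure comparison
# using the slide's Case A / Case B figures. Yearly countermeasure costs are
# constructed assumptions; the slide only says B is "much less expensive".
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class RiskCase:
    asset_value: float       # AV, dollars
    exposure_factor: float   # EF, fraction of AV lost in one incident
    annual_rate: float       # ARO, expected incidents per year

    @property
    def sle(self) -> float:
        """Single Loss Expectancy = AV * EF: loss from one incident."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE * ARO: expected loss per year."""
        return self.sle * self.annual_rate


def net_countermeasure_value(base: RiskCase, with_cm: RiskCase,
                             annual_cost: float) -> float:
    """Annualized net value: ALE avoided per year minus the control's yearly cost."""
    return base.ale - with_cm.ale - annual_cost


def choose_countermeasure(base: RiskCase,
                          options: Dict[str, Tuple[RiskCase, float]]) -> str:
    """Pick the option with the highest positive net value; 'none' when every
    control costs more per year than the loss it avoids."""
    best_name, best_value = "none", 0.0
    for name, (case, cost) in options.items():
        value = net_countermeasure_value(base, case, cost)
        if value > best_value:
            best_name, best_value = name, value
    return best_name


# Slide figures: base case, A lowers EF to 20%, B lowers ARO to 25%
BASE = RiskCase(100_000, 0.80, 0.50)
CASE_A = RiskCase(100_000, 0.20, 0.50)
CASE_B = RiskCase(100_000, 0.80, 0.25)
COST_A, COST_B = 25_000, 5_000   # constructed assumption, not on the slide

if __name__ == "__main__":
    options = {"A": (CASE_A, COST_A), "B": (CASE_B, COST_B)}
    for name, (case, cost) in options.items():
        print(f"{name}: ALE=${case.ale:,.0f} net value=${net_countermeasure_value(BASE, case, cost):,.0f}")
    print("select:", choose_countermeasure(BASE, options))   # prints "select: B"
```

With the base ALE at $40,000, A brings it to $10,000 and B to $20,000; under the assumed costs the net value of B ($15,000) exceeds that of A ($5,000), matching the slide's conclusion.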
Question
Risk Assessment includes:
1. The steps: risk analysis, risk treatment, risk acceptance, and risk monitoring
2. Answers the question: What risks are we prone to, and what are the financial costs of these risks?
3. Assesses controls after implementation
4. The identification, financial analysis, and prioritization of risks, and evaluation of controls
Question
Risk Management includes:
1. The steps: risk analysis, risk treatment, risk acceptance, and risk monitoring
2. Answers the question: What risks are we prone to, and what are the financial costs of these risks?
3. Assesses controls after implementation
4. The identification, financial analysis, and prioritization of risks, and evaluation of controls
Question
The risk that is assumed after implementing controls is known as:
1. Accepted Risk
2. Annualized Loss Expectancy
3. Quantitative risk
4. Residual risk
Question
The primary purpose of risk management is to:
1. Eliminate all risk
2. Find the most cost-effective controls
3. Reduce risk to an acceptable level
4. Determine budget for residual risk
Reading: Textbook
Assignment #1
To be posted soon on Moodle