W1INSE632


  • 7/25/2019 W1INSE632

    1/12

    1

    INSE 6320 -- Week 1

    Risk Analysis for Information and Systems Engineering

    Go over Course Outline

    What is Risk? Introduction to Risk Analysis

    Dr. A. Ben Hamza Concordia University

    2

    Instructor: Dr. A. Ben Hamza

    Office: EV 7.631

    Lectures: Thursday 5:45 - 8:15 PM

    Office Hours: Thursday 1:30 - 3:30 PM or by appointment

    E-Mail: [email protected]

    3

    What is INSE 6320?

    INSE 6320 is an Information and Systems Engineering course

    You will learn how to:

    Assess risk for systems engineering using probability theory and statistics

    Use the basic tools of risk analysis: fault trees, event trees, simulation models, and influence diagrams

    Model uncertainty and measure risk through various methods

    Implement quantitative risk analyses, and develop strategies to identify, assess, monitor and mitigate risk.

    4

    Roadmap of the Course

    [Course roadmap diagram: INSE 6320 covers Risk & Uncertainty, Risk Management, Decision Theory, Fault & Event Trees, Probability Distributions, Statistical Inference, Weibull Analysis, Reliability, Expert Opinion, Influence Diagrams and Risk Measurement, with a Midterm Exam and a Final Exam.]


    5

    Administration

    Course web page: MyConcordia Portal (Moodle)

    It is highly advised to check Moodle regularly.

    Syllabus, slides, assignments, projects, etc.: go to MyConcordia Portal (Moodle).

    Preliminary exam dates and project due date: Midterm Exam

    February 19, 2015 (in class)

    Project due

    April 16, 2015

    Final Exam

    April ??, 2015 (TBA)

    6

    Recommended Textbook

    Probabilistic Risk Analysis: Foundations and Methods

    Authors: T. Bedford and R. Cooke

    Publisher: Cambridge University Press, 2001

    ISBN-13: 978-0521773201

    7

    Grading Policy

    Important Dates:

    February 12, 2015: Assignment #1 due

    February 19, 2015: Midterm Exam

    April 9, 2015: Assignment #2 due

    April 16, 2015: Project Report due

    April ??, 2015: Final Exam

    Final Project

    Final reports are due on April 16, 2015. A final project report, completed individually or in pairs, is required. The term project has only one component: a written report. For more details: MyConcordia Portal (Moodle)

    Two Assignments 10%

    Midterm Exam 30%

    Project 15%

    Final Exam 45%

    8

    What is this course about?

    This course is about Risk Analysis for Information and Systems Engineering. Engineering systems are almost always designed, constructed, and operated under unavoidable conditions of risk and uncertainty.

    Risk: perception of uncertainty in events that occur and actions taken.

    Risks are encountered in everyday decision-making

    Multiple ways to consider risks: Risk as feelings; Risk as analysis; Risk as politics

    We primarily evaluate risk intuitively (as feelings)

    It seems every week there is a news story about some type of security breach

    That news story says that the security breach costs the organization thousands or millions of dollars.

    Recent Sony security breach cost is $100 million

    The question is: how do they come up with those numbers?


    9

    Systems Engineering

    Science: Determines what is

    Component Engineering: Determines what can be

    Systems Engineering: Determines what should be

    So what is Systems Engineering?

    Many different definitions. All define a process of developing goals and requirements, designing the system and its development, and verifying that the requirements are met at each step.

    All include successive refinements and iteration on the above steps.

    The important thing is that security analysis be integrated into whatever systems engineering process you use.

    10

    What is a System? There is no standard definition. Vague definition from a systems engineer's perspective:

    A system is a combination of interacting components operating within an external logical and physical environment.

    Each component has attributes that describe what it does and how it does it.

    Components have relationships with other components which describe how the components interact to form a system.

    A system also interacts with other elements in its environment.

    For the Systems Engineer (SE), a system is the part the SE has some control over; the environment is what you have to take as is.

    A system has relationships with external components in its environment. These are critical in the SE process.

    11

    Systems Engineering -- One View

    Definition of Systems Engineering (NASA SE Handbook)

    Systems Engineering is a robust approach to the design, creation, and operation of systems.

    Systems Engineering consists of:

    Identification and quantification of system goals

    Creation of alternative system design concepts

    Performance of design trades

    Selection and implementation of the best design (balanced and robust)

    Verification that the design is actually built and properly integrated in accordance with specifications

    Assessment of how well the system meets the goals

    12

    Information Systems Security (ISS) Engineering

    Includes architecture, design, development, deployment

    System Architecture: where are the security functions performed? Where are new external interfaces required to support security?

    System design includes selection of commercial products: platforms, operating systems, networks, etc.

    Security requirements should be a part of all product selection criteria (not just selection of security-specific components such as firewalls and crypto)

    Security design includes designing the management processes and procedures for individuals that are required to maintain a secure system throughout its life cycle

    Risk analysis is a key part of the requirements prioritization -- it lets you know what you might be losing if you relax a security requirement

    Part of the overall systems engineering process. In a simple sense, security is just another source of requirements


    13

    Risk Applications

    Finance: Risk in investments, insurance, etc.

    Industrial: Plant failures, accidents, competitive risks

    Political: Impact of decisions, probabilities of success, etc.

    Nuclear: Plant operation, fuel storage, proliferation of fissile material

    Aviation: Safety of airplanes, weather conditions, terrorism impact

    Medicine: Weighing different treatment options

    14

    What is Risk?

    Risk as a science was born in the sixteenth century Renaissance, a time of discovery

    The word risk is derived from the early Italian risicare, which means to dare

    Today, risk is defined as the possibility of loss

    Loss: Unless there is potential for loss, there is no risk

    The loss can be either a bad outcome or a lost opportunity

    Choice: Unless there is a choice, there is no risk management

    Definition: The likelihood that a particular threat, using a specific attack, will exploit a particular vulnerability of a system that results in an undesirable consequence.

    (Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug. 1997)

    15

    What is Risk?

    The probability that a particular threat will exploit a particular vulnerability

    Risk can be described in terms of probability (the possibility of risk), consequence (the loss), and time frame

    Probability is the likelihood that the consequence will occur

    Consequence is the effect of an unsatisfactory outcome

    Time Frame refers to when the risk will occur during the product life cycle, e.g. long, medium, short, imminent ...

    Risks are future events with a probability of occurrence and a potential for loss

    Many problems that arise in software development efforts were first known as risks by someone on the project staff

    Caught in time, risks can be avoided, negated or have their impacts reduced

    16

    Probability

    How likely is a future problem to occur? Often difficult to define precisely. Probability can be defined as a percentage, a phrase or a relative number:

    Probability | Uncertainty | Rank

    > 80% | Almost certainly, highly likely | 5

    61%-80% | Probable, likely, probably, we believe | 4

    41%-60% | We doubt, improbable, better than even | 3

    21%-40% | Unlikely, probably not | 2

    < 21% | Highly unlikely, chances are slight | 1


    17

    Risk is the probability that a specific threat will successfully exploit a vulnerability causing a loss.

    Risk Management Process

    What can go wrong (Initiating Events)?

    How bad (Consequences)?

    How often (Likelihood of failure)?

    Aggregate Risk (Likelihood of consequences calculated for every possible combination of precipitating events)

    Measures to reduce the consequences of risk until they reach acceptable levels (Benefits > Aggregated Risk)

    18

    Risk Example: Driving to Work

    [Diagram, recovered as a list:]

    Causes: Fatigue; Poor judgment; Environmental conditions; Failure to see traffic signals

    Potential Accidents: Head-on collision; Side/rear-end impact; Hit pedestrian; Overturn car; Carjacking

    Hazard Control (reduce likelihood of damage): License; Proper road & signal construction; Safety barriers; Police surveillance & speed control; Obeying traffic rules

    Protection & Damage Limitation (reduce consequences): Having airbags installed in vehicle; Wearing seatbelts; First aid & hospitalization

    How Bad (Consequences): Vehicle damage; Traffic ticket; Insurance premium hike; Injury; Death

    Risk = Consequence x Likelihood

    Cost-Benefit Analysis: Total Risk vs. Total Benefit (Employment)

    19

    Threat: Any person, circumstance or event with the potential to cause loss or damage.

    Vulnerability: Any weakness that can be exploited by an adversary or through accident.

    Consequence: The amount of loss or damage that can be expected from a successful attack. Also referred to as impact, loss or cost.

    The Risk Equation

    Risk = Probability x Consequence = Function(Threat, Vulnerability, Consequence)

    20

    What is Risk Analysis?

    The process of identifying, assessing, and reducing risks to an acceptable level

    Defines and controls threats and vulnerabilities

    Implements risk reduction measures

    An analytic discipline with three parts:

    Risk assessment: determine what the risks are

    Risk management: evaluating alternatives for mitigating the risk

    Risk communication: presenting this material in an understandable way to decision makers and/or the public

    Risk analysis = Risk assessment + Risk management + Risk communication


    21

    Benefits of Risk Analysis

    Assurance that greatest risks have been identified and addressed

    Increased understanding of risks

    Mechanism for reaching consensus

    Support for needed controls

    Means for communicating results

    22

    Basic Risk Analysis Structure

    Evaluate:

    Value of computing and information assets

    Vulnerabilities of the system

    Threats from inside and outside

    Risk priorities

    Examine:

    Availability of security countermeasures

    Effectiveness of countermeasures

    Costs (installation, operation, etc.) of countermeasures

    Implement and Monitor

    Risk = Probability x Impact = Function(Threat, Vulnerability, Impact)

    23

    Example Critical Assets

    People and skills; Goodwill; Hardware/Software; Data; Documentation; Supplies; Physical plant; Money

    Threats

    An expression of intention to inflict evil, injury or damage

    Attacks against key security services: Confidentiality, integrity, availability

    24

    Vulnerabilities

    Flaw or weakness in a system that can be exploited to violate system integrity.

    Security procedures; Design; Implementation

    Threats trigger vulnerabilities: Accidental; Malicious


    25

    Controls/Countermeasures

    Mechanisms or procedures for mitigating vulnerabilities: Prevent; Detect; Recover

    Understand cost and coverage of control

    Controls follow vulnerability and threat analysis

    26

    Types of Risk Analysis: How to Calculate Risk?

    Quantitative: Assigns real numbers to costs of safeguards and damage

    Annual loss exposure (ALE)

    Probability of event occurring

    Can be unreliable/inaccurate

    Qualitative: Judges an organization's risk to threats

    Based on judgment, intuition, and experience

    Ranks the seriousness of the threats for the sensitivity of the assets

    Subjective, lacks hard numbers to justify return on investment

    27

    Qualitative Risk Analysis

    Generally used in Information Security

    Hard to make meaningful valuations and meaningful probabilities

    Relative ordering is faster and more important

    Many approaches to performing qualitative risk analysis

    Same basic steps as quantitative analysis

    Still identifying assets, threats, vulnerabilities, and controls

    Just evaluating importance differently

    Example:

    "The system is weak in this area and we know that our adversary has the capability and motivation to get to the data in the system, so the likelihood of this event occurring is high."

    28

    Criteria Development

    Simplified criteria

    Severity of Consequence: Low, Medium or High

    Probability of Occurrence: Use a number between 0 and 1, or L, M or H

    Qualitative Assessment

    Probability of Occurrence: Low or 1 = minimal or unlikely chance of occurrence

    Examples: One occurrence per 1000 years; One occurrence per 50,000 units produced


    29

    Probability of Occurrence: Medium or 2 = medium or somewhat likely chance of occurrence

    Examples: One occurrence per 10 years; One occurrence per 1000 units produced

    Qualitative Assessment

    Probability of Occurrence: High or 3 = maximum or very likely chance of occurrence

    Examples: One occurrence per year; One occurrence per 50 units produced

    30

    Consequence of Occurrence

    Statement that defines actual impacts of risk occurring

    Example: Project/System = House; Risk = Direct hit from F-4 tornado

    Consequence/Impact = People are injured or killed; house is severely damaged or completely destroyed

    Qualitative Assessment

    Severity of Consequence

    Value that assigns a level of severity to the event

    Low or 1 = Minor or no injuries, minimal or no structural damage, cost impact of 90 days

    32

    Qualitative Representation of Risk

    [Risk matrix: rows are Probability of Occurrence (Very Low, Low, Moderate, High, Very High), columns are Consequence of Occurrence (Very Low, Low, Moderate, High, Very High); each cell is classified as Low Risk, Medium Risk or High Risk.]

    Qualitative risk representations are often used for quick evaluations and screening.
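As an added example (not part of the course slides), the simplified Low/Medium/High criteria from the preceding slides turned into a screening routine: the rate cut points between the slides' example frequencies and the matrix cell assignments are assumptions, since the slides give the matrix only as a picture.

```python
# Added example (not from the course slides): qualitative screening with the
# simplified Low/Medium/High criteria. Cut points between the slides' example
# rates (one event per 1000 years, per 10 years, per year) and the matrix cell
# assignments are assumptions.

def probability_level(events_per_year: float) -> int:
    """Rate likelihood 1 (Low), 2 (Medium) or 3 (High) from an event rate.

    Assumed cut points between the slides' examples: under 1 per 100 years
    is Low, under 1 per 3 years is Medium, anything more frequent is High.
    """
    if events_per_year < 1 / 100:
        return 1
    if events_per_year < 1 / 3:
        return 2
    return 3


def risk_rating(probability: int, severity: int) -> str:
    """Combine a 1-3 probability level and a 1-3 severity level into a
    Low/Medium/High risk class. Assumed matrix: the product of the two
    levels is Low up to 2, Medium for 3-4, High for 6 and above."""
    for level in (probability, severity):
        if level not in (1, 2, 3):
            raise ValueError(f"level must be 1, 2 or 3, got {level!r}")
    score = probability * severity
    if score <= 2:
        return "Low"
    if score <= 4:
        return "Medium"
    return "High"


def screen(risks):
    """Rank (name, events_per_year, severity) tuples for quick screening:
    highest score first, so High risks surface before Low ones."""
    ranked = []
    for name, rate, severity in risks:
        p = probability_level(rate)
        ranked.append((name, risk_rating(p, severity), p * severity))
    return sorted(ranked, key=lambda r: r[2], reverse=True)


# Constructed sample risks (not from the slides): name, events/year, severity.
SAMPLE_RISKS = [
    ("F-4 tornado hits the house", 1 / 1000, 3),    # rare, catastrophic
    ("phishing steals staff credentials", 2.0, 2),  # frequent, moderate
    ("laptop left on the train", 0.2, 1),           # occasional, minor
]

if __name__ == "__main__":
    for name, rating, score in screen(SAMPLE_RISKS):
        print(f"{rating:6} (score {score})  {name}")
```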


    33

    Quantitative Risk Analysis: Risk Analysis Definition

    Risk analysis involves the identification and assessment of the levels of risks calculated from the known values of assets and the levels of threats to, and vulnerabilities of, those assets.

    It involves the interaction of the following elements: Assets; Vulnerabilities; Threats; Impacts; Likelihoods; Controls

    34

    Quantitative Risk Analysis: Definitions

    Quantitative risk analysis methods are based on statistical data and compute numerical values of risk. They assign a dollar value to risk.

    By quantifying risk, we can justify the benefits of spending money to implement controls.

    It involves three steps: Estimation of individual risks; Aggregation of risks; Identification of controls to mitigate risk

    35

    Quantitative Risk Analysis

    Risk = Risk-impact x Risk-probability

    Loss of car: risk-impact is cost to replace car, e.g. $10,000

    Probability of car loss: 0.10

    Risk = 10,000 x 0.10 = 1,000

    Risk Management is about controlling risk. To control a risk: Reduce the Probability and/or Reduce the Impact

    Single Loss Expectancy (SLE): how much loss for one event?

    Risk calculation (per year): Annual Loss Expectancy (ALE) = SLE x Annual Rate of Occurrence (ARO)

    36

    Quantitative Risk Analysis: Risk Analysis Steps

    Security risks can be analyzed by the following steps:

    1. Identify and determine the value of assets

    2. Determine vulnerabilities

    3. Estimate likelihood of exploitation: compute frequency of each attack (with & w/o controls) using statistical data

    4. Compute Annual Loss Expectancy: compute exposure of each asset given frequency of attacks

    5. Survey applicable controls and their costs

    6. Perform a cost-benefit analysis: compare exposure with controls and without controls to determine the optimum control
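As an added example (not part of the course slides), the ALE formula from the previous slide carried through the six steps above on a small set of constructed assets and controls: ALE = SLE x ARO per asset, aggregated with and without each control, and the control with the best net benefit selected. The asset values, rates and control costs are made-up sample data.

```python
# Added example (not from the course slides): quantitative risk analysis over
# constructed sample assets. Per asset ALE = SLE x ARO; a control is judged by
# the ALE it removes minus its own yearly cost (cost-benefit analysis).
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One asset/threat pair: single loss expectancy and annual rate of occurrence."""
    asset: str
    sle: float   # single loss expectancy, $ lost per event
    aro: float   # annual rate of occurrence, events per year (without controls)


@dataclass(frozen=True)
class Control:
    """A candidate safeguard and the ARO it leaves behind for each asset it covers."""
    name: str
    annual_cost: float   # installation + operation, amortised per year
    residual_aro: dict   # asset -> ARO with the control in place


def ale(exposure: Exposure) -> float:
    """Annual Loss Expectancy = SLE x ARO (risk exposure in $/year)."""
    return exposure.sle * exposure.aro


def total_ale(exposures, control=None) -> float:
    """Aggregate ALE over all assets, optionally with one control applied."""
    total = 0.0
    for e in exposures:
        aro = e.aro
        if control is not None and e.asset in control.residual_aro:
            aro = control.residual_aro[e.asset]
        total += e.sle * aro
    return total


def net_benefit(exposures, control) -> float:
    """Cost-benefit: ALE reduction minus the yearly cost of the control."""
    return total_ale(exposures) - total_ale(exposures, control) - control.annual_cost


def optimum_control(exposures, controls):
    """Return (control_name, net_benefit) for the best control, or (None, 0.0)
    when no control pays for itself."""
    best = max(controls, key=lambda c: net_benefit(exposures, c))
    gain = net_benefit(exposures, best)
    return (best.name, gain) if gain > 0 else (None, 0.0)


# Constructed sample data (not from the slides).
EXPOSURES = [
    Exposure("customer database", sle=50_000.0, aro=0.5),  # breach twice in 4 years
    Exposure("web server", sle=8_000.0, aro=2.0),          # defacement or outage
    Exposure("laptop fleet", sle=3_000.0, aro=4.0),        # lost or stolen devices
]
CONTROLS = [
    Control("database encryption", 12_000.0, {"customer database": 0.1}),
    Control("web application firewall", 10_000.0, {"web server": 0.5}),
    Control("full-disk encryption", 20_000.0, {"laptop fleet": 0.5}),
]

if __name__ == "__main__":
    print(f"ALE without controls: ${total_ale(EXPOSURES):,.0f}/year")
    for c in CONTROLS:
        print(f"{c.name}: net benefit ${net_benefit(EXPOSURES, c):,.0f}/year")
    print("optimum control:", optimum_control(EXPOSURES, CONTROLS))
```

Full-disk encryption comes out with a negative net benefit on this data, which is the case the cost-benefit step exists to catch: a control can remove less exposure than it costs.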


    37

    Quantitative Risk Analysis: Determining Assets & Vulnerabilities

    Identification of Assets and Vulnerabilities is the same for both Qualitative and Quantitative Risk Analysis

    The difference between the two is in terms of valuation:

    Qualitative Risk Analysis is more subjective and relative

    Quantitative Risk Analysis is based on actual numerical costs and impacts.

    38

    Quantitative Risk Analysis: Likelihood of Exploitation

    Likelihood relates to the stringency of existing controls, i.e. the likelihood that someone or something will evade the controls

    Several approaches to computing the probability of an event: classical, frequency and subjective

    Probabilities are hard to compute using classical methods

    Frequency can be computed by tracking failures that result in security breaches or that create new vulnerabilities, e.g. operating systems can track hardware failures, failed login attempts, changes in the sizes of data files, etc.

    39

    Quantitative Risk Analysis: Likelihood of Exploitation

    Difficult to obtain frequency of attacks using statistical data. Why? Data is difficult to obtain & often inaccurate

    If automatic tracking is not feasible, expert judgment is used to determine frequency

    Approaches:

    Delphi Approach: Probability in terms of integers (e.g. 1-10)

    Normalized: Probability in between 0 (not possible) and 1 (certain)

    40

    Quantitative Risk Analysis: Delphi Approach

    Subjective probability technique originally devised to deal with public policy decisions

    Assumes experts can make informed decisions

    Results from several experts analyzed

    Estimates are revised until consensus is reached among experts

    Frequency Ratings

    More than once a day | 10

    Once a day | 9

    Once every three days | 8

    Once a week | 7

    Once in two weeks | 6

    Once a month | 5

    Once every four months | 4

    Once a year | 3

    Once every three years | 2

    Less than once in three years | 1
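As an added example (not part of the course slides), the Frequency Ratings table turned into a lookup and one Delphi round run over several experts' frequency estimates; the consensus rule (all ratings within one step of each other) and the handling of rates that fall between two rows of the table are assumptions.

```python
# Added example (not from the course slides): the slide's frequency rating
# table as code plus one Delphi round over constructed expert estimates.
# Consensus rule and between-row handling are assumptions.
from statistics import median

# (minimum events per year, rating) from the Frequency Ratings table, most
# frequent first. A rate between two rows takes the lower row's rating,
# i.e. "at least this often" (assumption).
FREQUENCY_RATINGS = [
    (365.0, 9),      # once a day
    (365.0 / 3, 8),  # once every three days
    (52.0, 7),       # once a week
    (26.0, 6),       # once in two weeks
    (12.0, 5),       # once a month
    (3.0, 4),        # once every four months
    (1.0, 3),        # once a year
    (1.0 / 3, 2),    # once every three years
]


def frequency_rating(events_per_year: float) -> int:
    """Map an estimated event rate to the 1-10 Delphi integer scale."""
    if events_per_year < 0:
        raise ValueError("rate must be non-negative")
    if events_per_year > 365.0:          # more than once a day
        return 10
    for threshold, rating in FREQUENCY_RATINGS:
        if events_per_year >= threshold:
            return rating
    return 1                             # less than once in three years


def delphi_round(expert_rates, tolerance: int = 1):
    """Analyze one round of expert estimates (events per year).

    Returns the individual ratings, the aggregate (median rating) and whether
    consensus was reached, i.e. the ratings span at most `tolerance` steps
    (assumed rule). When it was not, the panel sees this summary and revises.
    """
    ratings = [frequency_rating(r) for r in expert_rates]
    aggregate = int(round(median(ratings)))
    consensus = (max(ratings) - min(ratings)) <= tolerance
    return {"ratings": ratings, "aggregate": aggregate, "consensus": consensus}


if __name__ == "__main__":
    # Constructed estimates (not from the slides) of failed-login bursts per year.
    print(delphi_round([52, 26, 40]))   # ratings 7, 6, 6: consensus reached
    print(delphi_round([365, 12, 1]))   # ratings 9, 5, 3: another round needed
```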


    41

    Quantitative Risk Analysis: Risk Exposure

    Risk is usually measured as $ per annum and is quantified by risk exposure: ALE (Annual Loss Expectancy, expressed as $/year)

    If an event is associated with a loss: LOSS = RISK IMPACT ($)

    The probability of an occurrence is in the range of 0 (not possible) to 1 (certain)

    Quantifying the effects of a risk by multiplying risk impact by risk probability yields risk exposure:

    RISK EXPOSURE = RISK IMPACT x RISK PROBABILITY = Function(Threat, Vulnerability, Impact)

    42

    Quantitative Risk Analysis: Intangible Assets

    Incorporating intangible assets within Quantitative Risk Analysis is difficult as it is hard to put a price on things such as trust, reputation, or human life.

    However, it is necessary to put as accurate a value as possible on these assets when factoring them into risk analysis, as they may be even more important than tangible assets.

    43

    Quantitative Risk Analysis: Summary

    Quantitative risk analysis involves statistical data and numerical values and can be used to justify the benefit of controls.

    While asset and vulnerability identification are the same for qualitative and quantitative methods, qualitative is more subjective and quantitative is more absolute.

    Probabilities can be calculated in multiple ways. This can be done using calculated values, or the Delphi Approach (1-10) and a Normalized Approach (0-1), which are more subjective.

    44

    MATLAB

    How to start and quit MATLAB?

    PC - a double click on the MATLAB icon on your desktop

    Unix system - setup MATLAB (return)

    On both systems leave a MATLAB session by typing:

    >> quit

    or by typing

    >> exit

    at the MATLAB prompt.


    45

    Getting started with MATLAB

    46

    Statistics with MATLAB

    Online help for the Statistics Toolbox is available from the MATLAB prompt (>>, a double arrow), both generally (listing of all available commands):

    >> help stats

    [a long list of help topics follows]

    and for specific commands:

    >> help disttool

    [a help message on the disttool function follows].

    >> help disttool

    DISTTOOL Demonstration of many probability distributions.

    DISTTOOL creates interactive plots of probability distributions.

    This is a demo that displays a plot of the cumulative distribution function (cdf) or probability distribution function (pdf) of the distributions in the Statistics Toolbox.

    47

    Plotting Probability Distributions

    >> disttool

    48

    Tips for success

    Start every assignment early

    Don't fall behind

    Ask if you don't know

    Do your own work

    Expect to spend enough time studying the material of the course

    Reading: Textbook

    Assignment #1: To be posted soon on Moodle