What is Risk?
Introduction to Risk Analysis
Concordia University
INSE 6320
Office:
EV 7.631
Lectures:
Thursday
5:45 - 8:15 PM
Risk & Uncertainty
Office Hours:
E-Mail:
hamza@ciise.concordia.ca
Statistical
Inference
Probability
Distributions
Weibull
Analysis
Reliability
Expert Opinion
Decision Theory
Influence
Diagrams
Risk
Management
Risk
Measurement
Midterm Exam
Final Exam
Grading Policy
Administration
Course web page:
Important Dates:
Two Assignments
10%
Midterm Exam
30%
Project
15%
Final Exam
45%
Final Project
Midterm Exam
February 19, 2015 (in class)
Project due
April 16, 2015
Final Exam
April ??, 2015 (TBA)
Recommended Textbook
Probabilistic Risk Analysis: Foundations and Methods
Authors: T. Bedford and R. Cooke
Publisher: Cambridge University Press, 2001
ISBN-13: 978-0521773201
Risk as feelings
Risk as analysis
Risk as politics
Systems Engineering
What is a System?
Risk analysis is a key part of requirements prioritization: it lets you know what you might be losing if you relax a security requirement.
What is Risk?
Risk Applications
Finance
Risk in investments, insurance, etc.
Industrial
Plant failures, accidents, competitive risks
Political
Impact of decisions, probabilities of success, etc.
Nuclear
Plant operation, fuel storage, proliferation of fissile material
Aviation
Safety of airplanes, weather conditions, terrorism impact
Medicine
Weighing different treatment options
Time frame refers to when the risk will occur during the product lifecycle, e.g. long, medium, short, imminent ...
Risks are future events with a probability of occurrence and a potential for loss
Many problems that arise in software development efforts were first known as risks by someone on the project staff
Caught in time, risks can be avoided, negated or have their impacts reduced
Probability
What is Risk?
Probability
Uncertainty
Rank
> 80%
61%-80%
41%-60%
4
3
21%-40%
< 21%
Risk
How Bad (Consequences)?
How Often (Likelihood of failure)?
Risk is the probability that a specific threat will successfully exploit a vulnerability, causing a loss.
Aggregate Risk (likelihood of consequences calculated for every possible combination of precipitating events)
Risk
Example: Driving to Work
How Bad
Cost-Benefit Analysis
Causes
Head on Collision
Side/Rear-end impact
Hit pedestrian
Overturn Car
Carjacking
Fatigue
Poor Judgment
Environmental Conditions
Failure to see traffic signals
Death
Hazard Control
(Reduce likelihood of damage)
License
Proper road & signal construction
Safety Barriers
Police Surveillance & speed control
Obeying traffic rules
Total
Risk
Employment
Total
Benefit
Potential Accidents
Threats
Evaluate
Examine
Availability of security countermeasures
Effectiveness of countermeasures
Costs (installation, operation, etc.) of countermeasures
Vulnerabilities
Controls/Countermeasures
Prevent
Detect
Recover
Example:
The system is weak in this area, and we know that our adversary has the capability and motivation to get to the data in the system, so the likelihood of this event occurring is high.
Qualitative Assessment
Criteria Development
Quantitative
Assigns real numbers to costs of safeguards and damage
Annual loss exposure (ALE)
Probability of event occurring
Can be unreliable/inaccurate
Qualitative
Judges an organization's risk to threats
Simplified criteria
Severity of Consequence
Low, Medium or High
Probability of Occurrence
Use number between 0 and 1
or L, M or H
Probability of Occurrence
Low or 1
Examples:
One occurrence per 1000 years
One occurrence per 50,000 units produced
Qualitative Assessment
Qualitative Assessment
Probability of Occurrence
Severity of Consequence
Medium or 2
= medium or somewhat likely chance of occurrence
Examples:
One occurrence per 10 years
One occurrence per 1000 units produced
Severity of Consequence
Probability of Occurrence
High or 3
= maximum or very likely chance of occurrence
Examples:
One occurrence per year
One occurrence per 50 units produced
Qualitative Assessment
Consequence of Occurrence
Statement that defines actual impacts of risk occurring
Qualitative risk representations are often used for quick evaluations and screening.
Example:
Project/System = House
Risk = Direct hit from F-4 tornado
Consequence/Impact = People are injured or killed; house is severely damaged or completely destroyed
Probability
of Occurrence
Consequence of Occurrence
Very Low
Very Low
Low
Severity of Consequence
Value that assigns a level of severity to the event
Low or 1 = Minor or no injuries, minimal or no structural damage, cost impact of <$50,000, schedule impact of <30 days
Moderate
High
Very High
Low Risk
Medium Risk
High Risk
Assets
Vulnerabilities
Threats
Impacts
Likelihoods
Controls
Single loss Expectancy (SLE): how much loss for one event?
4.
5.
6.
Compute frequency of each attack (with & w/o controls) using statistical data
Compute exposure of each asset given frequency of attacks
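The frequency and exposure steps above, worked through as an added example that is not from the lecture slides: single loss expectancy (SLE) times the yearly attack frequency (annualised rate of occurrence, ARO) gives the annual loss exposure (ALE), computed without and then with a control so the control's yearly cost can be set against the loss it prevents, and summed per asset for aggregate exposure. The asset names, dollar figures and rates are constructed sample values; only the once-a-day/week/month/year frequency ratings come from the slides.

```python
# Added example: quantitative risk exposure in SLE / ARO / ALE form.
# All asset names, dollar values and rates below are constructed samples.
from collections import defaultdict

# Frequency ratings from the slides, expressed as expected events per year (ARO).
FREQUENCY_ARO = {
    "once a day": 365.0,
    "once a week": 52.0,
    "once a month": 12.0,
    "once a year": 1.0,
}


def ale(sle, aro):
    """Annual loss exposure: loss per single event times expected events per year."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


def control_benefit(sle, aro_without, aro_with, annual_control_cost):
    """Net yearly value of a control that lowers attack frequency from
    aro_without to aro_with. Returns (ale_without, ale_with, net_benefit);
    a negative net benefit means the control costs more per year than the
    loss it prevents, which is the cost-benefit question the slides pose."""
    before = ale(sle, aro_without)
    after = ale(sle, aro_with)
    return before, after, before - after - annual_control_cost


def exposure_by_asset(scenarios):
    """Aggregate exposure: sum ALE over every threat that can hit each asset."""
    totals = defaultdict(float)
    for asset, _threat, sle, aro in scenarios:
        totals[asset] += ale(sle, aro)
    return dict(totals)


# Constructed sample scenarios: (asset, threat, SLE in dollars, ARO per year).
SCENARIOS = [
    ("customer database", "credential theft", 250_000.0, 0.5),
    ("customer database", "ransomware", 400_000.0, 0.1),
    ("web server", "defacement", 20_000.0, FREQUENCY_ARO["once a month"]),
]

if __name__ == "__main__":
    for asset, total in exposure_by_asset(SCENARIOS).items():
        print(f"{asset}: ALE ${total:,.0f}/year")
    # Hypothetical control cutting credential-theft frequency from 0.5 to 0.05/year.
    before, after, net = control_benefit(250_000.0, 0.5, 0.05, 30_000.0)
    print(f"control: ALE ${before:,.0f} -> ${after:,.0f}, net benefit ${net:,.0f}/year")
```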
Likelihood of Exploitation
Likelihood of Exploitation
Delphi Approach
Frequency
Ratings
10
Once a day
Once a week
Once a month
Once a year
Subjective probability technique originally devised to deal with public policy decisions
Assumes experts can make informed decisions
Results from several experts are analyzed
Estimates are revised until consensus is reached among experts
Risk Exposure
Summary
Reading: Textbook
Assignment #1