Page 1 (title slide): Quantitative Risk Analysis
Sanjay Goel, University at Albany, SUNY
Sanjay Goel, School of Business/Center for Information Forensics and Assurance, University at Albany. Proprietary Information.
PowerPoint presentation transcript, posted 05-Jan-2016.

Page 2: Course Outline
• Unit 1: What is a Security Assessment?
– Definitions and Nomenclature
• Unit 2: What kinds of threats exist?
– Malicious Threats (Viruses & Worms) and Unintentional Threats
• Unit 3: What kinds of threats exist? (cont'd)
– Malicious Threats (Spoofing, Session Hijacking, Miscellaneous)
• Unit 4: How to perform security assessment?
– Risk Analysis: Qualitative Risk Analysis
• Unit 5: Remediation of risks?
– Risk Analysis: Quantitative Risk Analysis

Page 3: Quantitative Risk Analysis: Outline for this unit
• Module 1: Quantitative Risk Analysis and ALE
• Module 2: Risk Aggregation
• Module 3: Case Study
• Module 4: Cost Benefit Analysis and Regression Testing
• Module 5: Modeling Uncertainties

Page 4: Module 1: Quantitative Risk Analysis and ALE

Page 5: Quantitative Risk Analysis and ALE: Outline
• What is Risk Analysis?
• What is Quantitative Risk Analysis?
• What are the steps involved?
• How to determine the Likelihood of Exploitation?
• How to determine Risk Exposure?
• How to compute Annual Loss Expectancy (ALE)?
• Examples
– Gym Locker
– Hard Drive Failure
– Virus Attack

Page 6: Quantitative Risk Analysis and ALE: Risk Analysis Definition
• Risk analysis involves the identification and assessment of the levels of risk, calculated from the known values of assets and the levels of threats to, and vulnerabilities of, those assets.
• It involves the interaction of the following elements:
– Assets
– Vulnerabilities
– Threats
– Impacts
– Likelihoods
– Controls

Page 7: Quantitative Risk Analysis and ALE: Risk Analysis Concept Map
Source: Australian Standard Handbook of Information Security Risk Management, HB231-2000
• Threats exploit system vulnerabilities, which expose system assets.
• Security controls protect against threats by meeting security requirements established on the basis of asset values.

Page 8: Quantitative Risk Analysis and ALE: Quantitative Risk Analysis
• Quantitative risk analysis methods are based on statistical data and compute numerical values of risk.
• By quantifying risk, we can justify the benefits of spending money to implement controls.
• It involves three steps:
– Estimation of individual risks
– Aggregation of risks
– Identification of controls to mitigate risk

Page 9: Quantitative Risk Analysis and ALE: Risk Analysis Steps
Security risks can be analyzed by the following steps:
• Identify and determine the value of assets
• Determine vulnerabilities
• Estimate likelihood of exploitation
– Compute the frequency of each attack (with & w/o controls) using statistical data
• Compute Annualized Loss Expectancy
– Compute the exposure of each asset given the frequency of attacks
• Survey applicable controls and their costs
• Perform a cost-benefit analysis
– Compare exposure with controls and without controls to determine the optimum control

Page 10: Quantitative Risk Analysis and ALE: Determining Assets and Vulnerabilities
• Identification of assets and vulnerabilities is the same for both Qualitative and Quantitative Risk Analysis.
• The difference between the two is in valuation:
– Qualitative Risk Analysis is more subjective and relative
– Quantitative Risk Analysis is based on actual numerical costs and impacts.

Page 11: Quantitative Risk Analysis and ALE: Determine Likelihood of Exploitation
• Likelihood relates to the stringency of existing controls, i.e. the likelihood that someone or something will evade the controls.
• There are several approaches to computing the probability of an event: classical, frequency and subjective.
• Probabilities are hard to compute using classical methods.
– Frequency can be computed by tracking failures that result in security breaches or that create new vulnerabilities
– e.g. operating systems can track hardware failures, failed login attempts, changes in the sizes of data files, etc.
• It is difficult to obtain the frequency of attacks from statistical data. Why?
– Data is difficult to obtain & often inaccurate
• If automatic tracking is not feasible, expert judgment is used to determine frequency.

Page 12: Quantitative Risk Analysis and ALE: Approaches
• Delphi Approach
– Probability in terms of integers (e.g. 1-10)
• Normalized
– Probability between 0 (not possible) and 1 (certain)

Page 13: Quantitative Risk Analysis and ALE: Delphi Approach
• Subjective probability technique originally devised to deal with public policy decisions
• Assumes experts can make informed decisions
• Results from several experts are analyzed
• Estimates are revised until consensus is reached among the experts

Frequency Ratings
More than once a day: 10
Once a day: 9
Once every three days: 8
Once a week: 7
Once in two weeks: 6
Once a month: 5
Once every four months: 4
Once a year: 3
Once every three years: 2
Less than once in three years: 1

Page 14: Quantitative Risk Analysis and ALE: Risk Exposure
• Risk is usually measured in $ per annum and is quantified by risk exposure.
– ALE (Annual Loss Expectancy), expressed in $/year
• If an event is associated with a loss:
– LOSS = RISK IMPACT ($)
• The probability of an occurrence is in the range 0 (not possible) to 1 (certain).
• Quantifying the effects of a risk by multiplying risk impact by risk probability yields risk exposure:
– RISK EXPOSURE = RISK IMPACT x RISK PROBABILITY

Page 15: Quantitative Risk Analysis and ALE: Intangible Assets
• Incorporating intangible assets within Quantitative Risk Analysis is difficult, as it is hard to put a price on things such as trust, reputation, or human life.
• However, it is necessary to put as accurate a value as possible on these assets when factoring them into risk analysis, as they may be even more important than tangible assets.

Page 16: Quantitative Risk Analysis and ALE: Computing ALE
• Single Loss Expectancy (SLE): loss to an asset if the event occurs
– Value of the lost asset = Ci
– Impact on the asset (if the event occurs) = Pi
– SLE = Ci * Pi
• Annualized Rate of Occurrence (ARO) characterizes, on an annualized basis, the frequency with which a threat is expected to occur.
• Annualized Loss Expectancy (ALE) computes risk using the probability of an event occurring over one year.
• Formulation: ALE = (SLE)(ARO)
• Source: Handbook of Information Security Management, Micki Krause and Harold F. Tipton

Page 17: Quantitative Risk Analysis and ALE: Example #1: Gym Locker
Scenario: There is a gym locker used by its members to store clothes and other valuables. The lockers cannot be locked, but locks can be purchased.
You need to determine:
1) Risk exposure for gym members
2) Controls to reduce risk

Page 18: Quantitative Risk Analysis and ALE: Example #1: Gym Locker, cont'd.
• Identify assets and determine value
– Clothes $50
– Wallet $100
– Glasses $100
– Sports equipment $30
– Driver's license $20
– Car keys $100
– House keys $60
– Tapes and walkman $40
– Total loss/week: $500
• Find vulnerabilities
– Theft
– Accidental loss
– Disclosure of information (e.g. reading the wallet)
– Vandalism

Page 19: Quantitative Risk Analysis and ALE: Example #1: Gym Locker, cont'd.
• Estimate likelihood of exploitation
– 10 (more than once a day)
– 9 (once a day)
– 7 (once a week)
– 6 (once every two weeks)
– 5 (once a month)
– 4 (once every four months)
– 3 (once a year)
– 2 (once every three years)
– 1 (less than once every 3 years)
• For theft: estimated likelihood is 7
• Figure annual loss:
– ~$500 worth of loss each week, ~52 weeks in a year
– ~$26,000 loss per year

Page 20: Quantitative Risk Analysis and ALE: Example #1: Gym Locker, cont'd.
• Determine cost of added security
– New lock $5
– Replacement for lost key $10
– On average members lose a key twice a month (24 times per year)
• Estimate likelihood of exploitation under added security
– The new likelihood of theft could be estimated at 4.
• Cost Benefit Analysis
– Revised losses (including cost of controls) = (500 * 4) + (15 * 24) = 2360
– Net savings = 26000 – 2360 = 23640

Page 21: Quantitative Risk Analysis and ALE: Example #2: Hard Drive Failure
• The chance of your hard drive failing is once every three years
– Probability = 1/3
• Intrinsic cost
– $300 to buy a new disk
• Hours of effort to reload OS and software
– 10 hours
• Hours to re-key assignments from last backup
– 4 hours
• Pay per hour of effort
– $10.00 per hour
• Total loss (risk impact)
– $300 + 10 x (10 + 4) = $440
• Annual Loss Expectancy (pa = per annum)
– (440 x 1/3) $pa = $147 pa

Page 22: Quantitative Risk Analysis and ALE: Example #3: Virus Attack
• Situation: Virus attack on the same system
– You frequently swap files with other people, but have no anti-virus software running.
– Assume an attack every 6 months (Probability = 2 per year)
– No need to buy a new disk
– Rebuild effort (10 + 4) hours
– Total loss = $10 x (10 + 4) = $140
– ALE = ($140 x 2) $pa = $280 pa

Page 23: Quantitative Risk Analysis and ALE: Questions 1 and 2
1) Why is it important to quantify risk?
2) Give the definitions for:
a. Single Loss Expectancy
b. Annualized Rate of Occurrence
c. Annual Loss Expectancy

Page 24: Quantitative Risk Analysis and ALE: Question 3
3) For this situation:
a. Same system as examples 2 and 3

Page 25: Module 2: Risk Aggregation

Page 26: Risk Aggregation: Outline
• How do you determine risk posture?
• What is the risk aggregation model?
• Matrices
– Asset/Vulnerability
– Vulnerability/Threat
– Threat/Control

Page 27: Risk Aggregation: Risk Posture
• Individual risks aggregated = total risk posture
– True comparison of the relative risks of different organizations
• Mathematical approach for aggregation provided
– Methodology standardized
– Data needs to be customized to the organization
• Controls can reduce the cost of exposure
– Need to determine the optimum controls for the organization
– Methodology for determining controls shown on the next slide
• Analysis should be undertaken to see the impact of new projects on security

Page 28: Risk Aggregation: Model
• Let:
– A be a vector of asset losses, where a_l is the lth asset, s.t. 0 < l < L
– V be a vector of vulnerabilities, where v_k is the kth vulnerability, s.t. 0 < k < K
– T be a vector of threats, where t_j is the jth threat, s.t. 0 < j < J
– C be a vector of controls, where c_i is the ith control, s.t. 0 < i < I
– Mα be the matrix that defines the impact of vulnerabilities (breaches in security) on assets, where α_kl is the impact of the kth vulnerability on the lth asset
– Mβ be the matrix that defines the impact of threats on vulnerabilities, where β_jk is the impact of the jth threat on the kth vulnerability
– Mγ be the matrix that defines the impact of controls on threats, where γ_ij is the impact of the ith control on the jth threat
The notation is graphically explained in the next few slides.

Page 29: Risk Aggregation: Model, cont'd.
[Figure: the K x L matrix Mα; rows indexed by V (Vulnerabilities), k = 1..K; columns indexed by A (Assets), l = 1..L; entries α_kl]
• Where α_kl is the impact of vulnerability k on a given asset l, i.e. the fraction of the asset value that will be lost if the vulnerability is exploited
• Data Collection:
– Primary data from corporations that track financial losses due to different attacks
– Secondary data from the reports of financial loss from organizations like CERT, CSI/FBI and AIG
– Data specific to a corporation could perhaps be classified into different groups of companies

Page 30: Risk Aggregation: Model, cont'd.
[Figure: the J x K matrix Mβ; rows indexed by T (Threats), j = 1..J; columns indexed by V (Vulnerabilities), k = 1..K; entries β_jk]
• β_jk is the probability that threat j will exploit vulnerability k
• Data Collection:
– Threat data and the frequency of threats is information that is routinely collected by CERT and other such agencies.
– Log data and collected data from the organization itself can be another source of information
– Data can also be collected via automated monitoring tools

Page 31: Risk Aggregation: Model, cont'd.
[Figure: the I x J matrix Mγ; rows indexed by C (Controls), i = 1..I; columns indexed by T (Threats), j = 1..J; entries γ_ij]
• γ_ij is the fraction by which controls reduce the frequency of a threat exploiting a vulnerability
• Data Collection:
– Approximate control data can be procured from various industry vendors who have done extensive testing with tools.
– Other sources of data can be independent agencies which do analysis on tools.

Page 32: Risk Aggregation: Model, cont'd.
Then losses if no controls exist:

$$R = \sum_{j=1}^{J} \sum_{k=1}^{K} \sum_{l=1}^{L} t_j \, \beta_{jk} \, \alpha_{kl} \, a_l$$

Then losses if controls exist (each control i leaves the fraction (1 − γ_ij) of threat j, and the cost C_i of the controls is added to the loss):

$$R = \sum_{j=1}^{J} \sum_{k=1}^{K} \sum_{l=1}^{L} \left[ \prod_{i=1}^{I} (1 - \gamma_{ij}) \right] t_j \, \beta_{jk} \, \alpha_{kl} \, a_l \;+\; \sum_{i=1}^{I} C_i$$

Σ = sum, Π = product

Page 33: Risk Aggregation: Optimization
If ζ is the maximum allocated budget for controls, the optimization problem can be formulated as:

$$\text{Minimize: } R = \sum_{j=1}^{J} \sum_{k=1}^{K} \sum_{l=1}^{L} \left[ \prod_{i=1}^{I} (1 - \gamma_{ij}) \right] t_j \, \beta_{jk} \, \alpha_{kl} \, a_l, \qquad \text{where } \sum_{i=1}^{I} C_i \le \zeta$$

Page 34: Risk Aggregation: Question 1
1) How would you collect data for the following:
a. Assets and Values
b. Potential Threats
c. Exploitable Vulnerabilities
d. Possible Controls

Page 35: Module 3: Case Study

Page 36: Case Study: Outline
• What is the case about?
• What would fit into the categories of:
– Assets
– Vulnerabilities
– Threats
– Controls
• Filling in the matrices
– Asset/Vulnerability
– Vulnerability/Threat
– Threat/Control

Page 37: Case Study: Example
• Use the information that you have learned in the lecture in the following case study of a government organization.
• Remember these key steps for determining ALE:
– Identify and determine the value of assets
– Determine vulnerabilities
– Estimate likelihood of exploitation
– Compute ALE
– Survey applicable controls and their costs
– Perform a cost-benefit analysis

Page 38: Case Study: Case
An organization delivers service throughout New York State. As part of the planning process to prepare the annual budget, the Commissioner has asked the Information Technology Director to perform a risk analysis to determine the organization's vulnerability to threats against its information assets, and to determine the appropriate level of expenditures to protect against these vulnerabilities.

The organization consists of 4,000 employees working in 200 locations, which are organized into 10 regions. The average rate of pay for the employees is $20/hr. Cost benefit analysis has been done on the IT resource deployment, and the current structure is the most beneficial to the organization, so all security recommendations should be based on the current asset deployment.

Each of the 200 locations has approximately 20 employees using an equal number of desktop and laptop computers for their fieldwork. These computers are used to collect information related to the people served by the organization, including personally identifying information. Half of each employee’s time is spent collecting information from the clients using shared laptop computers, and half is spent processing the client information at the field office using desktop computers. Replacement cost for the laptops is $2,500 and for the desktop is $1,500.

Each of the 10 regions has a network server, which stores all of the work activities of the employees in that region. Each server will cost $30,000 to replace, plus 80 hours of staff time. Each incident involving a server costs the organization approximately $1,600 in IT staff resources for recovery. Each incident where financial records or personal information is compromised costs the organization $15,000 in lawyers time and settlement payouts. Assume that the total assets of the organization are worth 10 million dollars.

The organization has begun charging fees for the public records it collects. This information is sold from the organization website at headquarters, via credit card transactions. All of the regional computers are linked to the headquarters via an internal network, and the headquarters has one connection to the Internet. The headquarters servers query the regional servers to fulfill the transactions. The fees collected are approximately $10,000 per day distributed equally from each region, and the transactions are uniformly spread out over a 24 hour period.

Page 39: Case Study: Example - Assets (Tangible)
• Transaction Revenue: amount of profit from transactions
• Data: client information
• Laptops: shared, used for collecting information
• Desktops: shared, used for processing client information
• Regional Servers: store all work activities of employees in the region
• HQ Server: queries regional servers to fulfill transactions

Page 40: Case Study: Example - Asset Valuations (Cost per Day)
Transaction Revenue: $10,000 per day
Data (Liability): $10 million (total assets of organization)
Laptops: ½ x 200 (locations) x 20 (employees) x $2,500 (laptop cost) = $5,000,000
Desktops: ½ x 200 (locations) x 20 (employees) x $1,500 (desktop cost) = $3,000,000
Regional Servers: $30,000 (server cost) x 10 (regions) + 80 (hours) x $20 (pay rate) x 10 (regions) + $10,000 (transaction revenue) = $326,000
HQ Server: $10,000 (transaction revenue) + $100,000 (cost of HQ server) + 80 (hours) x $20 (pay rate) x 10 (regions) = $126,000

Page 41: Case Study: Example - Vulnerabilities
• Vulnerabilities are weaknesses that can be exploited
• Vulnerabilities:
– Laptop Computers
– Desktop Computers
– Regional Servers
– HQ Server
– Network Infrastructure
– Software
• Computers and servers are vulnerable to network attacks such as viruses/worms and intrusion, and to hardware failures
• Laptops are especially vulnerable to theft

Page 42: Case Study: Example - Threats
• Threats are malicious & benign events that can exploit vulnerabilities
• Several threats exist:
– Hardware Failure
– Software Failure
– Theft
– Denial of Service
– Viruses/Worms
– Insider Attacks
– Intrusion and Theft of Information

Page 43: Case Study: Example - Controls
• Intrusion detection and firewall upgrades on HQ Server – mitigate HQ server failure and recovery
• Anti-Virus Software – mitigates the threat of worms, viruses, DOS attacks, and some intrusions
• Firewall upgrades – mitigate the threats of DOS attacks and some intrusions, worms and viruses
• Redundant HQ Server – reduces loss of transaction revenue
• Spare laptop computers at each location – reduce loss of transaction revenue and productivity
• Warranties – reduce loss of transaction revenue and the cost of procuring replacements
• Insurance – offsets the cost of liability
• Physical Controls – reduce the probability of theft
• Security Policy – can be used to reduce most threats.

Page 44: Case Study: Asset/Vulnerability Matrix
• The coefficients of this matrix are usually based on internal data as well as data from organizations that report financial losses.
• For the current example we will assume data for illustration of the concept:
– Transactions are mostly associated with the regional servers which store the data, the HQ server which takes all requests, and the network infrastructure with which clients access the data (.30 each).
– Laptops, desktops and software are only associated with the remaining 10% (.033 each).
– Data located on laptops and desktops makes up only 10% of the total data, because they are only used for collecting and processing.
– The regional servers contain all other data.
– Other assets are associated at 100% with their respective vulnerabilities (e.g. laptops with laptops, desktops with desktops, etc.).

Page 45: Case Study: Asset/Vulnerability Matrix, cont'd.
Rows are vulnerabilities, columns are assets; the Aggregates (Impact) column is the sum across the row of (asset value x vulnerability coefficient).

Vulnerabilities \ Assets   Transaction Revenue   Data (Liability)   Laptops     Desktops    Regional Servers   HQ Server   Aggregates (Impact)
Input Asset Values         10,000                10,000,000         5,000,000   3,000,000   326,000            126,000     (asset value x vulnerability)
Laptops                    .033                  .05                1           0           0                  0           5,500,330
Desktops                   .033                  .05                0           1           0                  0           3,500,330
Regional Servers           .30                   .90                0           0           1                  0           9,329,000
HQ Servers                 .30                   0                  0           0           0                  1           129,000
Network Infrast.           .30                   0                  0           0           0                  0           3,000
Software                   .033                  0                  0           0           0                  0           330

• Customize the matrix to the assets & vulnerabilities applicable to the case
– Compute the cost of each asset and put it in the value row
– Determine the correlation between each vulnerability and asset
– Compute the sum of the products of vulnerability coefficients & asset values; add it to the impact column

Page 46: Case Study: Vulnerability/Threat Matrix
• The coefficients of this matrix are usually based on data from the literature, e.g.:
– if the rate of failure of hardware is rf (per unit time)
– and the number of pieces of hardware is n, then
– the total number of failed components during a time period is rf*n
– the fraction of hardware that fails is rf*n/n = rf
• For the current example we will assume data for illustration of the concept:
– Failure rate of laptops is .001 per day (i.e., one in a thousand laptops encounters hardware failure during a day)
– Similarly, the failure rate of a desktop is .0002 (i.e. 2 in ten thousand desktops would encounter hardware failure in a given day)
– Hardware failure can cause loss of software; however, our assumption is that all software is replaceable from backups

Page 47: Case Study: Vulnerability/Threat Matrix, cont'd.
– We assume that hardware failure will disrupt the network once every one hundred days
– There is a 0.3 percent chance that software failure can lead to failure of desktops
– We assume that there is a .01 chance of a laptop being stolen, .001 for a desktop, and .0002 for servers.
– There is a very low chance that network equipment is stolen, since it is kept in secure rooms (.0001)
– When equipment is stolen, some software may have been stolen as well
– We assume that denial-of-service is primarily targeted at servers and not individual machines
– We assume that denial-of-service can disable machines as well as cause destruction of software
– Insider attacks are primarily meant to exploit data & disable machines
– We assume that the servers have less access and thus are less vulnerable to insider attacks

Page 48: Case Study: Vulnerability/Threat Matrix, cont'd.
Rows are threats, columns are vulnerabilities; the Aggregates (Threat Importance) column is the sum across the row of (impact value x threat coefficient).

Threats \ Vulnerabilities   Laptops     Desktops    Regional Servers   HQ Servers   Network Infrast.   Software   Aggregates (Threat Importance)
Input Impact Aggregates     5,500,330   3,500,330   9,329,000          129,000      3,000              330        (impact value x threat value)
Hardware Failure            .001        .0002       .0002              .0002        .01                0          8,122.00
Software Failure            .003        .003        .003               .003         0                  0          55,375.98
Equipment Theft             .0160       .001        .0002              .0002        .0001              .005       93,399.16
Denial of Service           .0001       .0001       .001               .001         0                  0          10,358.07
Viruses/Worms               .003        .003        .003               .003         0                  .001       55,376.31
Insider Attacks             .001        .001        .0001              .0001        .0001              .001       9,947.09
Intrusion                   .001        .001        .001               .001         0                  .001       18,458.99

• Complete the matrix based on the specific case
– Add the values from the Impact column of the previous matrix
– Determine the association between each threat and vulnerability
– Compute the aggregate exposure values by multiplying the impacts by the associations

Page 49

Case Study: Threat/Control Matrix

• Some of these controls have threats associated with them. However, these are secondary considerations and we will be focusing on primary threats.

• We assume that IDS systems will control 30% of the DOS attacks, 30% of Viruses and Worms and 90% of intrusions
  – In addition, IDS systems do not impact insider attacks

• Anti-Virus Software will prevent 90% of Viruses and Worms.

• Upgrades to a firewall will greatly control (90% each) DOS attacks, as well as Viruses and Worms. They will control 30% of intrusions, but not insider attacks.

• A redundant HQ server will control 10% of hardware failure (when the original HQ server fails). This is the same percentage for theft and insider attacks.

• Also, a redundant HQ server will help with 80% in cases of DOS attacks on the HQ server.

• Spare laptops will assist in cases of hardware failure and theft (30% because of volume).

Page 50

Case Study: Threat/Control Matrix, cont'd.

• We assume that warranties will help with 70% of both hardware failure and software failure. While a warranty will assist with the cost of new hardware or software, it will not reduce employee time.

• It is determined that insurance will be able to control 90% of impacts from the threats of theft, DOS attacks, Virus/Worm attacks, Insider Attacks, and Intrusion.

• Physical controls (locks, key cards, biometrics, etc.) will control 90% of theft.

• Also, it is assumed that a security policy will assist with 20% of all threats, since every policy can have procedures which can assist in prevention.

• Customize the matrix based on the specific case
  – Add the values from the threat importance column of the previous matrix
  – Determine the impact of the different controls on the different threats
  – Multiply (1 – impact) down each threat column, then multiply the product by the threat importance to get the exposure with controls.

Page 51

Case Study: Threat/Control Matrix, cont'd.

Threats:                  Hardware   Software   Theft      Denial of  Viruses/   Insider    Intrusion  Aggregates (threat importance x
                          Failure    Failure               Service    Worms      Attacks               impact of controls)
Input Threat Importance:  8,122.00   55,375.98  93,399.16  10,358.07  55,376.31  9,947.09   18,458.99

Controls:
Intrusion Detection       0          0          0          .30        .30        0          .90        36,333.41
Anti-Virus                0          0          0          0          .90        0          0          49,838.68
Firewall Upgrades         0          0          0          .90        .90        0          .30        64,698.64
Redundant HQ Server       .10        0          .10        .80        0          .10        0          19,433.28
Spare Laptops             .30        0          .30        0          0          0          0          30,456.35
Warranties                .70        .70        0          0          0          0          0          44,448.59
Insurance                 0          0          .90        .90        .90        .90        .90        168,785.66
Physical Controls         0          0          .90        0          0          0          0          84,059.24
Security Policy           .20        .20        .20        .20        .20        .20        .20        50,207.52

Calculate Exposure
with Controls:            1,228.05   13,290.24  470.73     11.60      31.01      716.19     103.37

Page 52

Case Study: Assignment

• Given the matrices and the example case provided, use this same methodology in application to determine the information security risk in your own organization.

Page 53

Module 4: Cost Benefit Analysis & Regression Testing

Page 54

Cost Benefit Analysis & Regression Testing: Outline

• How to use matrices for cost benefit analysis?
• How to calculate Risk Leverage?
• Applying the case study example
• Examples
  – Unauthorized Access
  – Graphical Cost Benefit Analysis with Regression Testing

Page 55

Cost Benefit Analysis: Matrix Cost Benefit Analysis

• The exposure before controls is equal to the summation of the aggregate values for impact value x threat value (Vulnerability/Threat Matrix).
  – In this case, the value is equal to: $251,037.60

• The exposure after controls is equal to the sum of all of the multiplied threat importance values.

• For example, in the Hardware Failure column, we take each of the control impact values, subtract each from 1, and multiply these values together (Threat/Control Matrix).
  – This gives us: (1 – .10) x (1 – .30) x (1 – .70) x (1 – .20) = 0.15
  – This value is multiplied by the threat importance value: 0.15 x $8,122.00 = $1,218.30 (cost with controls of Hardware Failure)
  – Do this for all Threat columns and then sum all the values.
  – This value is equal to: $15,851.19
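The two calculations on the Threat/Control matrix (the control aggregates in the matrix's right-hand column on Page 51, and the exposure with controls worked through on this slide), as an added example that is not code from the original slides. Threat importance and control-impact values are copied from the matrix; the function names are my own. One caveat the numbers show: the hand calculation above rounds the product to 0.15 and gets $1,218.30, while the matrix row keeps the unrounded 0.1512 and gets $1,228.05; the code keeps the unrounded product, so it reproduces the matrix.

```python
"""Threat/Control matrix: control aggregates and exposure with controls.

Added worked example, not code from the original slides. Threat importance
values and control-impact values are copied from the case-study
Threat/Control matrix; the function names are my own.
"""

# Threat importance (exposure before controls) per threat, taken from the
# Vulnerability/Threat matrix aggregates. Dict order is the column order.
THREAT_IMPORTANCE = {
    "Hardware Failure": 8122.00,
    "Software Failure": 55375.98,
    "Theft": 93399.16,
    "Denial of Service": 10358.07,
    "Viruses/Worms": 55376.31,
    "Insider Attacks": 9947.09,
    "Intrusion": 18458.99,
}

# Fraction of each threat's exposure a control removes; columns follow THREAT_IMPORTANCE.
CONTROL_IMPACT = {
    "Intrusion Detection": [0, 0, 0, .30, .30, 0, .90],
    "Anti-Virus":          [0, 0, 0, 0, .90, 0, 0],
    "Firewall Upgrades":   [0, 0, 0, .90, .90, 0, .30],
    "Redundant HQ Server": [.10, 0, .10, .80, 0, .10, 0],
    "Spare Laptops":       [.30, 0, .30, 0, 0, 0, 0],
    "Warranties":          [.70, .70, 0, 0, 0, 0, 0],
    "Insurance":           [0, 0, .90, .90, .90, .90, .90],
    "Physical Controls":   [0, 0, .90, 0, 0, 0, 0],
    "Security Policy":     [.20, .20, .20, .20, .20, .20, .20],
}


def control_aggregates(importance, impacts):
    """Per control: sum over threats of threat importance x control impact.
    This is the matrix's right-hand Aggregates column: how much exposure each
    control addresses on its own, which is how controls get ranked."""
    values = list(importance.values())
    return {ctrl: round(sum(v * c for v, c in zip(values, row)), 2)
            for ctrl, row in impacts.items()}


def exposure_with_controls(importance, impacts):
    """Per threat: importance x product over controls of (1 - impact).
    Controls are treated as independent layers: each removes its fraction of
    whatever exposure the earlier layers left, so overlapping controls never
    subtract more than 100%."""
    result = {}
    for col, (threat, value) in enumerate(importance.items()):
        residual = 1.0
        for row in impacts.values():
            residual *= 1.0 - row[col]
        result[threat] = round(value * residual, 2)
    return result


def totals(importance, impacts):
    """(exposure before controls, exposure after controls)."""
    before = round(sum(importance.values()), 2)
    after = round(sum(exposure_with_controls(importance, impacts).values()), 2)
    return before, after


if __name__ == "__main__":
    for ctrl, agg in control_aggregates(THREAT_IMPORTANCE, CONTROL_IMPACT).items():
        print(f"{ctrl:20s} addresses {agg:>12,.2f}")
    for threat, left in exposure_with_controls(THREAT_IMPORTANCE, CONTROL_IMPACT).items():
        print(f"{threat:20s} residual  {left:>12,.2f}")
    print("before / after controls:", totals(THREAT_IMPORTANCE, CONTROL_IMPACT))
```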

Page 56

Cost Benefit Analysis: Risk Leverage

• Costs are associated with both:
  – Potential Risk Impact
  – Reducing Risk Impact

• Risk Leverage is the difference in risk exposure divided by the cost of reducing the risk

• Let
  – rf be the risk exposure after imposing controls
  – ri be the risk exposure prior to imposing controls
  – c be the cost of controls

  Leverage l = (ri – rf) / c

• This tells you how many times the reduction in risk exposure is greater than the cost of controls.

Page 57

Cost Benefit Analysis: Matrix Example

• We are using this equation to calculate cost:
  – Ci = Csi + Cri x t
  – Where Ci is the total cost of control i.
  – Csi is the static (one-time) cost of the control.
  – Cri is the additional cost per day (maintenance, updates, etc.) for the control.
  – t is equal to time (if calculating for a year, t would equal 365).

• We are assuming the following cost of control values for this example:
  – Intrusion Detection: $21,000 x 11 + $160 x 11 x 365 = $873,400
  – Anti-Virus: $1,876 x 4,000 (laptops & desktops) + $1,876 x 11 (number of servers) = $7,524,636; + 11 x $160 x 365 = $8,167,036
  – Firewall Upgrades: $10,000 x 211 + $160 x 211 = $2,143,760
  – Redundant HQ Server: $100,000 + $160 x 365 = $158,400
  – Spare Laptops: $2,500 x 200 = $500,000
  – Warranties (3 year): $100 x 4,000 (laptops & desktops) + $1000 x 10 (regional servers) + $1,200 (HQ Server) = $411,200
  – Insurance: $5,000,000 (per 365 days)
  – Physical Controls: $5,000 x 211 + $160 x 211 x 365 = $13,377,400
  – Security Policy (creation, implementation, enforcement): $640 x 365 = $233,600

Page 58

Cost Benefit Analysis: Matrix Example

• Leverage l = (ri – rf) / c
  – ri = $251,037.60 x 365 = $91,628,724
  – rf = $15,851.19 x 365 = $5,785,684.35
  – c = $30,864,796

• ($251,037 – $15,851.19) / $30,864,796 = .008 (with the unannualized exposure values)

• ($91,628,724 – $5,785,684.35) / $30,864,796 = 2.78 (with the exposure values annualized over 365 days)
  – The reduction in risk exposure is almost 3x greater than the cost of controls
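The cost model of Page 57 and the leverage calculation on this slide, as an added example that is not code from the original slides. Unit counts and prices are the ones listed on Page 57, entered so that the arithmetic reproduces the slide's totals, including the two lines (Firewall Upgrades, Warranties) that the slide leaves without the x 365 factor; the exposure totals before and after controls come from the matrices; function names are my own. The function case_study_leverage returns both of the slide's ratios, which makes the units point explicit: dividing an unannualized exposure by a one-year cost gives the misleading .008, and only the annualized figure, 2.78, compares like with like.

```python
"""Cost of controls and risk leverage for the case study.

Added worked example, not code from the original slides. Unit counts, unit
prices and daily costs are those listed on the Matrix Example slide; the
exposure totals before/after controls ($251,037.60 and $15,851.19) come
from the matrices. Function names are my own.
"""

DAYS = 365  # t in Ci = Csi + Cri x t, for a one-year horizon

# (static one-time cost Csi, recurring cost per day Cri) per control.
# These reproduce the slide's arithmetic exactly, including the two lines
# (Firewall Upgrades, Warranties) the slide leaves without a x 365 factor.
CONTROL_COSTS = {
    "Intrusion Detection": (21_000 * 11, 160 * 11),
    "Anti-Virus":          (1_876 * 4_000 + 1_876 * 11, 160 * 11),
    "Firewall Upgrades":   (10_000 * 211 + 160 * 211, 0),  # slide: $160 x 211, not x 365
    "Redundant HQ Server": (100_000, 160),
    "Spare Laptops":       (2_500 * 200, 0),
    "Warranties":          (100 * 4_000 + 1_000 * 10 + 1_200, 0),  # 3-year warranty, one price
    "Insurance":           (5_000_000, 0),  # premium quoted per 365 days
    "Physical Controls":   (5_000 * 211, 160 * 211),
    "Security Policy":     (0, 640),
}


def control_cost(static, per_day, days=DAYS):
    """Ci = Csi + Cri x t."""
    return static + per_day * days


def total_control_cost(costs, days=DAYS):
    """c: the summed cost of every control over the horizon."""
    return round(sum(control_cost(s, r, days) for s, r in costs.values()), 2)


def leverage(exposure_before, exposure_after, cost):
    """l = (ri - rf) / c. All three must be expressed over the same horizon."""
    if cost <= 0:
        raise ValueError("cost of controls must be positive")
    return (exposure_before - exposure_after) / cost


def case_study_leverage(before=251_037.60, after=15_851.19, days=DAYS):
    """(leverage with unannualized exposure, leverage with exposure x days).

    The first number is the slide's .008: an unannualized exposure divided
    by a one-year cost. Only the second compares like with like.
    """
    c = total_control_cost(CONTROL_COSTS, days)
    mismatched = leverage(before, after, c)
    annualized = leverage(before * days, after * days, c)
    return round(mismatched, 3), round(annualized, 2)


if __name__ == "__main__":
    for name, (s, r) in CONTROL_COSTS.items():
        print(f"{name:20s} {control_cost(s, r):>14,.2f}")
    print("total cost of controls:", f"{total_control_cost(CONTROL_COSTS):,.2f}")
    print("leverage (mismatched, annualized):", case_study_leverage())
```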

Page 59

Cost Benefit Analysis: Example #4: Unauthorized Access

• Scenario: A company uses a common carrier to link to a network for certain computing applications. The company has identified the risks of unauthorized access to data and computing facilities through the network. These risks can be eliminated by replacement of remote network access with the requirement to access the system only from a machine operated on the company premises. The machine is not owned; a new one would have to be acquired.

Page 60

Cost Benefit Analysis: Example #4: Unauthorized Access

Cost/Benefit Analysis for Replacing Network Access

Item                                                                          Amount
Risk: unauthorized access and use
  Access to unauthorized data and programs: $100,000 @ 2% likelihood per year    $2,000
  Unauthorized use of computing facilities: $10,000 @ 40% likelihood per year    $4,000
  Expected annual loss (2,000 + 4,000)                                           $6,000
Effectiveness of network control: 100%                                          -$6,000

Page 61

Cost Benefit Analysis: Example #4: Unauthorized Access

Item                                                      Amount
Network Control cost:
  Hardware (50,000 amortized over 5 years)               +$10,000
  Software (20,000 amortized over 5 years)                +$4,000
  Support personnel (each year)                          +$40,000
  Annual cost                                             $54,000
Expected annual loss (6,000 – 6,000 + 54,000)             $54,000
Savings (6,000 – 54,000)                                 -$48,000

Page 62

Regression Testing: Example #5: Graphical Cost Benefit Analysis

• Scenario: This is a case where the use of regression testing is being considered after making an upgrade to fix a security flaw. We want to determine if regression testing is economical in this scenario.

• Regression Testing means applying tests to verify that all remaining functions are unaffected by the change.

• Let's refer to the diagram on the following slide to compare the risk impact of doing regression testing with not doing it.

• Upper part of the diagram – the risk of conducting regression testing

• Lower part of the diagram – the risks of not doing regression testing

Page 63

Regression Testing: Example #5: Cost Savings

• In each of the two cases (regression testing done or not), one of three things can happen:
  – We find a critical fault
  – We miss finding the critical fault
  – There are no critical faults to be found.

• For each possibility
  – Calculate the probability of an unwanted outcome, P(UO).
  – Associate a loss with that unwanted outcome, L(UO).

Page 64

Regression Testing: Example #5: Calculation

Decision tree (figure): Do regression testing?

  yes
    Find critical fault          P(UO) = 0.75   L(UO) = $0.5M   Risk Exposure  $0.375M
    Don't find critical fault    P(UO) = 0.05   L(UO) = $30M    Risk Exposure  $1.500M
    No critical fault            P(UO) = 0.20   L(UO) = $0.5M   Risk Exposure  $0.100M
                                                      Combined Risk Exposure   $1.975M
  no
    Find critical fault          P(UO) = 0.05   L(UO) = $0.5M   Risk Exposure  $0.125M
    Don't find critical fault    P(UO) = 0.75   L(UO) = $30M    Risk Exposure  $16.500M
    No critical fault            P(UO) = 0.20   L(UO) = $0.5M   Risk Exposure  $0.100M
                                                      Combined Risk Exposure   $16.725M

In our example, if we do regression testing and miss a critical fault in the system (a probability of 0.05), the loss could be $30 million. Multiplying the two, we find the risk exposure for that strategy to be $1.5 million. As the calculations in the figure prove, it is much safer to do regression testing than to skip it.
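The decision tree above as an added example, not code from the original slides. Probabilities and losses for the "yes" branch are those in the figure. For the "no" branch, the figure's exposure values ($0.125M and $16.5M) imply P(find) = 0.25 and P(miss) = 0.55 (0.125 / 0.5 and 16.5 / 30); the transcribed labels 0.05 and 0.75 do not reproduce those exposures, so the implied values are used and marked as an assumption. The branch check enforces the property a decision tree needs and that is easy to get wrong when probabilities are edited by hand: the outcomes under one branch are exhaustive and mutually exclusive, so their probabilities must sum to 1. Function names are my own.

```python
"""Decision-tree risk exposure for the regression-testing choice.

Added worked example, not code from the original slides. The 'yes' branch
uses the figure's values. For the 'no' branch the probabilities are backed
out of the figure's exposures (0.125 / 0.5 = 0.25 and 16.5 / 30 = 0.55),
an assumption, because the transcribed labels 0.05 / 0.75 do not reproduce
them. Function names are my own.
"""

# (outcome, P(UO), L(UO) in $M), constructed from the figure.
DO_TESTING = [
    ("Find critical fault", 0.75, 0.5),
    ("Don't find critical fault", 0.05, 30.0),
    ("No critical fault", 0.20, 0.5),
]
SKIP_TESTING = [
    ("Find critical fault", 0.25, 0.5),        # assumed: 0.125 / 0.5
    ("Don't find critical fault", 0.55, 30.0),  # assumed: 16.5 / 30
    ("No critical fault", 0.20, 0.5),
]


def check_branch(outcomes, tol=1e-9):
    """A branch is a complete set of mutually exclusive outcomes: P must sum to 1."""
    total = sum(p for _, p, _ in outcomes)
    if abs(total - 1.0) > tol:
        raise ValueError(f"branch probabilities sum to {total}, not 1")
    if any(not (0.0 <= p <= 1.0) or loss < 0 for _, p, loss in outcomes):
        raise ValueError("probabilities must lie in [0, 1] and losses be non-negative")


def branch_exposure(outcomes):
    """Per-outcome exposure P(UO) x L(UO) and the combined exposure of the branch."""
    check_branch(outcomes)
    per_outcome = {name: round(p * loss, 3) for name, p, loss in outcomes}
    return per_outcome, round(sum(p * loss for _, p, loss in outcomes), 3)


def choose(options):
    """Pick the option with the lowest combined risk exposure."""
    scored = {name: branch_exposure(outcomes)[1] for name, outcomes in options.items()}
    best = min(scored, key=scored.get)
    return best, scored


if __name__ == "__main__":
    decision, scores = choose({"yes": DO_TESTING, "no": SKIP_TESTING})
    for name, exp in scores.items():
        print(f"regression testing = {name:3s}: combined exposure ${exp}M")
    print("lowest exposure:", decision)
```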

Page 65

Cost Benefit Analysis and Regression Testing: Questions 1 and 2

1) What is regression testing?

2) What is the calculated risk exposure for not doing regression testing, if finding a critical fault has a probability of 0.35 and the loss is estimated at 4.5 million dollars?

Page 66

Cost Benefit Analysis & Regression Testing: Assignment

• Do a cost benefit analysis based on the matrix that you have created for your own organization.

Page 67

Module 5: Modeling Uncertainties

Page 68

Modeling Uncertainties: Outline

• How do you model?
• Monte Carlo Simulation
  – What is the approach?
  – How to model valuation of assets?
  – How to model frequency of threats?
  – How to model impact of threats?
  – How to model controls?
  – How to model distribution of risk exposure?
  – How to perform a sensitivity analysis for risk exposure?

Page 69

Modeling Uncertainties: Modeling Uncertainties

• Uncertainty exists regarding the value that should be assumed by one or more independent variables in the Risk Model.

• Contributions to the model's uncertainty
  – Lack of knowledge about particular values
  – Knowledge that some values might always vary

• If it cannot be determined with certainty what value one or more input variables in a model will assume, this uncertainty is naturally reflected in the outcome of the dependent variable(s).

• The risk metric is:
  – not determined by point values of its independent variables (asset values and vulnerabilities, frequency and impact of threats)
  – a function of the probability distribution of each of these random variables

• A good approach to dealing with uncertainty >> simulation

Page 70

Modeling Uncertainties: Monte Carlo Simulation: Approach

• The approach follows these steps:
  – Develop risk model
  – Define the shape and parameters of the probability distributions of each input variable
  – Run Monte Carlo simulation
  – Build histogram for dependent variables in the model (risk and updated risk)
  – Compute summary statistics for dependent variables in model
  – Perform sensitivity analysis to detect variability sources
  – Analyze potential dependency relationships among variables in model

Page 71

Modeling Uncertainties: Monte Carlo Simulation: Value of Assets

[Figure: sample asset value modelled as a Truncated Normal Distribution (mean = 50.00); x-axis ticks 36.88, 44.44, 52.00, 59.55, 67.11]

• Asset values here are samples and do not represent collected data
  – In real cases the real assets of the organization need to be identified
  – Value needs to be assigned to the assets

Page 72

Modeling Uncertainties: Monte Carlo Simulation: Frequency of Threats

• Annualized frequency of threats is required to compute the annualized loss expectancy.

• This data can be collected from several sources
  – Tracking and collecting data from internal logs
  – Reports from agencies such as CERT

Page 73

Modeling Uncertainties: Monte Carlo Simulation: Impact of Threats

[Figure: threat impact modelled as a Triangular distribution (mode, max = 1, min = 0), cell D34, mean = 0.37; x-axis ticks 0.00, 0.25, 0.50, 0.75, 1.00]

Page 74

Modeling Uncertainties: Monte Carlo Simulation: Controls

[Figure: control effectiveness modelled as a Triangular distribution (mode, max = 1, min = 0), cell H40, mean = 0.53; x-axis ticks 0.00, 0.25, 0.50, 0.75, 1.00]

Page 75

Modeling Uncertainties: Monte Carlo Simulation: Risk Exposure Distribution

[Figure: Histogram of Exposure Risk (1000 runs); x-axis Risk (in $) with ticks 5610, 10627, 15643, 20660, 25677; y-axis Frequency from 0 to 30]

[Figure: Cumulative Distribution of Exposure Risk (1000 runs); x-axis Risk (in $) with ticks 5610, 10627, 15643, 20660, 25677; y-axis cumulative Frequency from 0 to 1000]

Page 76

Modeling Uncertainties: Monte Carlo Simulation: Reduced Risk Exposure

[Figure: Histogram of Reduced Exposure Risk (1000 runs); x-axis Risk (in $) with ticks 47, 271, 496, 720, 945; y-axis Frequency from 0 to 45]

[Figure: Cumulative Distribution of Reduced Exposure Risk (1000 runs); x-axis Risk (in $) with ticks 47, 271, 496, 720, 945; y-axis cumulative Frequency from 0 to 1000]

Page 77

Modeling Uncertainties: Monte Carlo Simulation: Sensitivity Analysis

[Figure: Sensitivity Analysis of Exposure Risk (tornado chart); x-axis from -100.0% to 100.0% in 20% steps; input variables shown: Worms, Password Based Attacks, Viruses, Intrusion, Overflow Attacks, Annualized Frequency]
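The seven-step approach of Page 70 carried through end to end, as an added example that is not code from the original slides nor the spreadsheet add-in that produced the figures on Pages 71 to 77. The distribution shapes follow those slides (asset value as a truncated normal with mean 50; threat impact and control effectiveness as triangular distributions on [0, 1] with a chosen mode). Everything else is constructed: the threat list reuses the names from the sensitivity chart, but the frequency ranges, modes, truncation bounds, run count and function names are my own. The output is the material the slides show as figures: histogram and cumulative counts for the exposure, the same for the reduced exposure, summary statistics, and a correlation-based ranking of inputs that plays the role of the tornado chart. Standard library only.

```python
"""Monte Carlo simulation of risk exposure before and after controls.

Added worked example: not the slides' code, nor the spreadsheet add-in
that produced the figures on slides 71-77. Shapes follow those slides:
asset value ~ truncated normal (mean 50); threat impact and control
effectiveness ~ triangular on [0, 1] with a chosen mode. Threat names are
those on slide 77; frequency ranges, modes, truncation bounds and run
count are constructed sample parameters; function names are my own.
"""
import random
import statistics

# Constructed model for one asset. Per threat:
# (annualized frequency range (min, max), impact mode, control-effectiveness mode)
THREATS = {
    "Worms":                  ((0.5, 4.0), 0.40, 0.70),
    "Password Based Attacks": ((0.2, 2.0), 0.30, 0.60),
    "Viruses":                ((1.0, 6.0), 0.25, 0.80),
    "Intrusion":              ((0.1, 1.0), 0.60, 0.50),
    "Overflow Attacks":       ((0.1, 0.8), 0.70, 0.40),
}
ASSET_MEAN, ASSET_SD, ASSET_LOW, ASSET_HIGH = 50.0, 8.0, 30.0, 70.0  # constructed


def truncated_normal(rng, mean, sd, low, high):
    """Rejection-sample a normal restricted to [low, high] (slide 71 shape)."""
    while True:
        x = rng.gauss(mean, sd)
        if low <= x <= high:
            return x


def draw_run(rng):
    """One run: (input values, exposure, reduced exposure).
    exposure = sum over threats of asset value x frequency x impact;
    reduced  = the same with each term scaled by (1 - control effectiveness)."""
    asset = truncated_normal(rng, ASSET_MEAN, ASSET_SD, ASSET_LOW, ASSET_HIGH)
    inputs = {"Asset value": asset}
    exposure = reduced = 0.0
    for name, ((f_lo, f_hi), impact_mode, control_mode) in THREATS.items():
        freq = rng.uniform(f_lo, f_hi)
        impact = rng.triangular(0.0, 1.0, impact_mode)    # slide 73 shape
        control = rng.triangular(0.0, 1.0, control_mode)  # slide 74 shape
        term = asset * freq * impact
        exposure += term
        reduced += term * (1.0 - control)
        inputs[name + " frequency"], inputs[name + " impact"] = freq, impact
        inputs[name + " control"] = control
    return inputs, exposure, reduced


def simulate(runs=1000, seed=1):
    """Seeded for reproducibility; returns (inputs, exposures, reduced exposures)."""
    rng = random.Random(seed)
    out = [draw_run(rng) for _ in range(runs)]
    return [r[0] for r in out], [r[1] for r in out], [r[2] for r in out]


def histogram(values, bins=10):
    """Equal-width bins; returns (edges, counts, cumulative counts)."""
    lo, hi = min(values), max(values)
    width = (hi - lo) / bins or 1.0
    counts = [0] * bins
    for v in values:
        counts[min(int((v - lo) / width), bins - 1)] += 1
    cumulative, running = [], 0
    for c in counts:
        running += c
        cumulative.append(running)
    return [lo + i * width for i in range(bins + 1)], counts, cumulative


def summary(values):
    return {"mean": statistics.fmean(values), "median": statistics.median(values),
            "sd": statistics.pstdev(values), "min": min(values), "max": max(values)}


def pearson(xs, ys):
    mx, my = statistics.fmean(xs), statistics.fmean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx, vy = sum((x - mx) ** 2 for x in xs), sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5 if vx and vy else 0.0


def sensitivity(inputs, outputs):
    """Inputs ranked by |correlation| with the output: the tornado chart of slide 77."""
    ranked = [(k, pearson([row[k] for row in inputs], outputs)) for k in inputs[0]]
    return sorted(ranked, key=lambda kv: -abs(kv[1]))


if __name__ == "__main__":
    ins, exp, red = simulate()
    print("exposure:        ", summary(exp))
    print("reduced exposure:", summary(red))
    for key, r in sensitivity(ins, exp)[:5]:
        print(f"{key:32s} {r:+.2f}")
```

The sensitivity ranking is a rank correlation substitute, not the add-in's own method; it is enough to show which input drives the spread of the output, which is the question the tornado chart answers. Dependencies between inputs (step 7 on Page 70) are not modelled here: every draw is independent, so correlated threats would need a joint distribution added to draw_run.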

Page 78

Modeling Uncertainties: Questions 1 and 2

1) Why does uncertainty exist within risk analysis?

2) Describe the approach towards Monte Carlo Simulation.

Page 79

Modeling Uncertainties: Assignment

• Using the data provided in the case study, or your own risk analysis, use Monte Carlo Simulation to provide a graphical display.

Page 80

Appendix

Page 81

Quantitative Analysis: Summary

• Risk Exposure
  – RISK EXPOSURE = RISK IMPACT x RISK PROBABILITY

• Annual Loss Expectancy (ALE)
  – Identify and determine the value of assets
  – Determine vulnerabilities
  – Estimate likelihood of exploitation
  – Compute ALE
  – Survey applicable controls and their costs
  – Perform a cost-benefit analysis

Page 82

Quantitative Analysis: Summary, cont'd.

• Risk Aggregation:

• Optimization – simple formulation
  – Minimize R such that [budget constraint]; the summation terms of this formula are garbled in the transcript and are not reproduced here

• Cost Benefit Analysis
  – LEVERAGE = (RISK EXPOSURE before reduction – RISK EXPOSURE after reduction) / COST OF REDUCTION

• Regression Testing
  – Used for comparing risk impact

• Monte Carlo Simulation
  – 1) Develop risk model, 2) Define the shape and parameters, 3) Run simulation, 4) Build histogram, 5) Compute summary statistics, 6) Perform sensitivity analysis, 7) Analyze potential dependency relationships

Page 83

Acknowledgements: Grants & Personnel

• Support for this work has been provided through the following grants
  – NSF 0210379
  – FIPSE P116B020477

• Damira Pon, from the Center for Information Forensics and Assurance, contributed extensively by reviewing and editing the material

• Robert Bangert-Drowns, from the School of Education, provided extensive review of the material from a pedagogical view.