Quantitative - PowerPoint PPT Presentation


PPT – Quantitative PowerPoint presentation | free to download - id: 5d9307-ZWZiZ


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation



Quantitative Risk Analysis Sanjay Goel University at Albany, SUNY Fall 2004 Course Outline Unit 1: What is a Security Assessment? Definitions and Nomenclature Unit ... – PowerPoint PPT presentation

Number of Views:361
Avg rating:3.0/5.0
Slides: 84
Provided by: salvator7
Learn more at: http://www.albany.edu


Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Quantitative

  • Quantitative
  • Risk Analysis
  • Sanjay Goel
  • University at Albany, SUNY
  • Fall 2004

Course Outline
  • gt Unit 1 What is a Security Assessment?
  • Definitions and Nomenclature
  • Unit 2 What kinds of threats exist?
  • Malicious Threats (Viruses Worms) and
    Unintentional Threats
  • Unit 3 What kinds of threats exist? (contd)
  • Malicious Threats (Spoofing, Session Hijacking,
  • Unit 4 How to perform security assessment?
  • Risk Analysis Qualitative Risk Analysis
  • Unit 5 Remediation of risks?
  • Risk Analysis Quantitative Risk Analysis

Quantitative Risk AnalysisOutline for this unit
  • Module 1 Quantitative Risk Analysis and ALE
  • Module 2 Risk Aggregation
  • Module 3 Case Study
  • Module 4 Cost Benefit Analysis and Regression
  • Module 5 Modeling Uncertainties

Module 1Quantitative Risk Analysis and ALE
Quantitative Risk Analysis and ALEOutline
  • What is Risk Analysis?
  • What is Quantitative Risk Analysis?
  • What are the steps involved?
  • How to determine the Likelihood of Exploitation?
  • How to determine Risk Exposure?
  • How to compute Annual Loss Expectancy (ALE)?
  • Examples
  • Gym Locker
  • Hard Drive Failure
  • Virus Attack

Quantitative Risk Analysis and ALERisk Analysis
  • Risk analysis involves the identification and
    assessment of the levels of risks calculated from
    the known values of assets and the levels of
    threats to, and vulnerabilities of, those assets.
  • It involves the interaction of the following
  • Assets
  • Vulnerabilities
  • Threats
  • Impacts
  • Likelihoods
  • Controls

Quantitative Risk Analysis and ALERisk Analysis
Concept Map
  • Threats exploit system vulnerabilities which
    expose system assets.
  • Security controls protect against threats by
    meeting security requirements established on the
    basis of asset values.

Source Australian Standard Handbook of
Information Security Risk Management HB231-2000
Quantitative Risk Analysis and ALEQuantitative
Risk Analysis
  • Quantitative risk analysis methods are based on
    statistical data and compute numerical values of
  • By quantifying risk, we can justify the benefits
    of spending money to implement controls.
  • It involves three steps
  • Estimation of individual risks
  • Aggregation of risks
  • Identification of controls to mitigate risk

Quantitative Risk Analysis and ALERisk Analysis
  • Security risks can be analyzed by the following
  • Identify and determine the value of assets
  • Determine vulnerabilities
  • Estimate likelihood of exploitation
  • Compute frequency of each attack (with w/o
    controls) using statistical data
  • Compute Annualized Loss Expectancy
  • Compute exposure of each asset given frequency of
  • Survey applicable controls and their costs
  • Perform a cost-benefit analysis
  • Compare exposure with controls and without
    controls to determine the optimum control

Quantitative Risk Analysis and ALEDetermining
Assets and Vulnerabilities
  • Identification of Assets and Vulnerabilities is
    the same for both Qualitative and Quantitative
    Risk Analysis
  • The differences in both of these is in terms of
  • Qualitative Risk Analysis is more subjective and
  • Quantitative Risk Analysis is based on actual
    numerical costs and impacts.

Quantitative Risk Analysis and ALEDetermine
Likelihood of Exploitation
  • Likelihood relates to the stringency of existing
  • i.e. likelihood that someone or something will
    evade controls
  • Several approaches to computing probability of an
  • classical, frequency and subjective
  • Probabilities hard to compute using classical
  • Frequency can be computed by tracking failures
    that result in security breaches or create new
    vulnerabilities can be identified
  • e.g. operating systems can track hardware
    failures, failed login attempts, changes in the
    sizes of data files, etc.
  • Difficult to obtain frequency of attacks using
    statistical data.Why?
  • Data is difficult to obtain often inaccurate
  • If automatic tracking is not feasible, expert
    judgment is used to determine frequency

Quantitative Risk Analysis and ALEApproaches
  • Delphi Approach
  • Probability in terms of integers (e.g. 1-10)
  • Normalized
  • Probability in between 0 (not possible) and 1

Quantitative Risk Analysis and ALEDelphi Approach
  • Subjective probability technique originally
    devised to deal with public policy decisions
  • Assumes experts can make informed decisions
  • Results from several experts analyzed
  • Estimates are revised until consensus is reached
    among experts

Frequency Ratings
More than once a day 10
Once a day 9
Once every three days 8
Once a week 7
Once in two weeks 6
Once a month 5
Once every four months 4
Once a year 3
Once every three years 2
Less than once in three years 1
Quantitative Risk Analysis and ALERisk Exposure
  • Risk is usually measured as per annum and is
    quantified by risk exposure.
  • ALE (Annual Loss Expectancy, expressed as
  • If an event is associated with a loss
  • The probability of an occurrence is in the range
  • 0 (not possible) and 1 (certain)
  • Quantifying the effects of a risk by multiplying
    risk impact by risk probability yields risk

Quantitative Risk Analysis and ALEIntangible
  • Incorporating intangible assets within
    Quantitative Risk Analysis is difficult as it is
    hard to put a price on things such as trust,
    reputation, or human life.
  • However, it is necessary to put an as accurate a
    value as possible when factoring these assets
    within risk analysis as they may be even more
    important than tangible assets.

Quantitative Risk Analysis and ALEComputing ALE
  • Single Loss Expectancy Loss to an asset if event
  • Value of the lost asset Ci
  • Impact on the Asset (if event occurs) Pi
  • SLE Ci Pi
  • Annualized Rate of Occurrence (ARO)
    characterizes, on an annualized basis, the
    frequency with which a threat is expected to
  • Annualized Loss Expectancy (ALE) computes risk
    using the probability of an event occurring over
    one year.
  • Formulation 
  • ALE (SLE)(ARO)
  • Source Handbook of Information Security
    Management, Micki Krause and Harold F. Tipton

Quantitative Risk Analysis and ALEExample 1
Gym Locker
  • Scenario There is a gym locker used by its
    members to store clothes and other valuables. The
    lockers cannot be locked, but locks can be
  • You need to determine
  • Risk exposure for gym members
  • Controls to reduce risk

Quantitative Risk Analysis and ALEExample 1
Gym Locker, contd.
  • Identify assets and determine value
  • Clothes 50
  • Wallet 100
  • Glasses 100
  • Sports equipment 30
  • Drivers license 20
  • Car keys 100
  • House keys 60
  • Tapes and walkman 40
  • ____
  • Total Loss/week 500
  • Find vulnerability
  • Theft
  • Accidental loss
  • Disclosure of information (e.g. read wallet)
  • Vandalism

Quantitative Risk Analysis and ALEExample 1
Gym Locker, contd.
  • Estimate likelihood of exploitation
  • 10 (more than once a day)
  • 9 (once a day)
  • 7 (once a week)
  • 6 (once every two weeks)
  • 5 (once a month)
  • For theft estimated likelihood is 7
  • Figure annual loss
  • 500 worth of loss each week, 52 weeks in a
  • 26,000 loss per year
  • 4 (once every four months)
  • 3 (once a year)
  • 2 (once every three years)
  • 1 (less than once every 3 years)

Quantitative Risk Analysis and ALEExample 1
Gym Locker, contd.
  • Determine cost of added security
  • New lock 5
  • Replacement for lost key 10
  • On average members lose one key twice a month (24
    times per year)
  • Estimate likelihood of exploitation under added
  • The new likelihood of theft could be estimated at
    a 4.
  • Cost Benefit Analysis
  • Revised Losses (including cost of controls)
  • (500 4) (1524) 2360
  • Net savings 26000 2360 23640

Quantitative Risk Analysis and ALEExample 2
Hard Drive Failure
  • The chance of your hard drive failing is once
    every three years
  • Probability 1/3
  • Intrinsic Cost
  • 300 to buy new disk
  • Hours of effort to reload OS and software
  • 10 hours
  • Hours to re-key assignments from last backup
  • 4 hours
  • Pay per hour of effort
  • 10.00 per hour
  • Total loss (risk impact)
  • 300 10 x (104) 440
  • Annual Loss Expectancy (pa per annum)
  • (440 x 1/3)pa 147 pa

Quantitative Risk Analysis and ALEExample 3
Virus Attack
  • Situation Virus Attack on same system
  • You frequently swap files with other people, but
    have no anti-virus software running.
  • Assume an attack every 6 months (Probability 2
    per year)
  • No need to buy a new disk
  • Rebuild effort (10 4) hours
  • Total loss 10 x (10 4) 140
  • ALE (140 x 2) pa 280 pa

Quantitative Risk Analysis and ALE Questions 1
and 2
  • Why is it important to quantify risk?
  • Give the definitions for
  • Single Loss Expectancy
  • Annualized Rate of Occurrence
  • Annual Loss Expectancy

Quantitative Risk Analysis and ALE Question 3
  • For this situation
  • Same system as examples 2 and 3

Module 2Risk Aggregation
Risk AggregationOutline
  • How do you determine risk posture?
  • What is this risk aggregation model?
  • Matrices
  • Asset/Vulnerability
  • Vulnerability/Threat
  • Threat/Control

Risk AggregationRisk Posture
  • Individual risks aggregated Total risk posture
  • True comparison of relative risks of different
  • Mathematical approach for aggregation provided
  • Methodology standardized
  • Data needs to be customized to organization
  • Controls can reduce the cost of exposure
  • Need to determine optimum controls for
  • Methodology for determining controls shown next
  • Analysis should be undertaken to see the impact
    of new projects on security

Risk AggregationModel
  • Let
  • A be a vector of loss of an asset where al is the
    lth asset, s.t., 0 lt l lt L
  • V be a vector of vulnerabilities where vk is the
    kth vulnerability, s.t., 0 lt k lt K
  • T be a vector of threats where tj is the jth
    asset, s.t., 0 lt j lt J
  • C be the vector of vulnerabilities where ci is
    the ith control, s.t., 0 lt i lt I
  • Also Ma be the matrix that defines the impact of
    vulnerabilities (breach in security) on assets,
    where, akl is the impact of kth vulnerability on
    the lth asset
  • Also Mß be the matrix that defines the impact of
    threats on the vulnerabilities, where, ßjk is the
    impact of jth threat on kth vulnerability
  • Also M? be the matrix that defines the impact of
    a controls (breach in security) on the threats,
    where, ?ij is the impact of ith control on the
    jth threat

The notation is graphically explained in the next
few slides
Risk AggregationModel, contd.
A (Assets)
  • Data Collection
  • Primary Data from corporations that track
    financial losses due to different attacks
  • Secondary Data from the reports of financial loss
    from organizations like CERT, CSI/FBI and AIG
  • Data specific to a corporation, could perhaps be
    classified into different groups of companies

V (Vulnerabilities)
  • Where akl is the Impact of vulnerability k on
    given asset l.
  • i.e. fraction of the asset value that will be
    lost if the vulnerability is exploited

Risk AggregationModel, contd.
V (Vulnerabilities)
  • Data Collection
  • Threat data and frequency of threats is
    information that is routinely collected in CERT
    and other such agencies.
  • Log data and collected data from the organization
    itself can be another source of information
  • Data can also be collected via use of automated
    monitoring tools

T (Threats)
bjk is the probability that threat j will exploit
vulnerability k
Risk AggregationModel, contd.
T (Threats)
  • Data Collection
  • Approximate control data can be procured from
    various industry vendors who have done extensive
    testing with tools.
  • Other sources of data can be independent agencies
    which do analysis on tools.

C (Controls)
gij is the fraction by which controls reduce the
frequency of a threat exploiting a vulnerability
Risk AggregationModel, contd.
Then losses if no control exist
Then losses if controls exist
  • sum
  • ? product

Risk AggregationOptimization
If ? is the maximum allocated budget for controls
the optimization problem can be formulated as
Risk AggregationQuestion 1
  • How would you collect data for the following
  • Assets and Values
  • Potential Threats
  • Exploitable Vulnerabilities
  • Possible Controls

Module 3Case Study
Case StudyOutline
  • What is the case about?
  • What would fit into the categories of
  • Assets
  • Vulnerabilities
  • Threats
  • Controls
  • Filling in the matrices
  • Asset/Vulnerability
  • Vulnerability/Threat
  • Threat/Control

Case StudyExample
  • Use the information that you have learned in the
    lecture in the following case study of a
    government organization.
  • Remember these key steps for determining ALE
  • Identify and determine the value of assets
  • Determine vulnerabilities
  • Estimate likelihood of exploitation
  • Compute ALE
  • Survey applicable controls and their costs
  • Perform a cost-benefit analysis

Case StudyCase
An organization delivers service throughout New
York State. As part of the planning process to
prepare the annual budget, the Commissioner has
asked the Information Technology Director to
perform a risk analysis to determine the
organizations vulnerability to threats against
its information assets, and to determine the
appropriate level of expenditures to protect
against these vulnerabilities. The organization
consists of 4,000 employees working in 200
locations, which are organized into 10 regions.
The average rate of pay for the employees is
20/hr. Cost benefit analysis has been done on
the IT resource deployment, and the current
structure is the most beneficial to the
organization, so all security recommendations
should be based on the current asset
deployment. Each of the 200 locations has
approximately 20 employees using an equal number
of desktop and laptop computers for their
fieldwork. These computers are used to collect
information related to the people served by the
organization, including personally identifying
information. Half of each employees time is
spent collecting information from the clients
using shared laptop computers, and half is spent
processing the client information at the field
office using desktop computers. Replacement cost
for the laptops is 2,500 and for the desktop is
1,500. Each of the 10 regions has a network
server, which stores all of the work activities
of the employees in that region. Each server will
cost 30,000 to replace, plus 80 hours of staff
time. Each incident involving a server costs the
organization approximately 1,600 in IT staff
resources for recovery. Each incident where
financial records or personal information is
compromised costs the organization 15,000 in
lawyers time and settlement payouts. Assume that
the total assets of the organization are worth 10
million dollars. The organization has begun
charging fees for the public records it collects.
This information is sold from the organization
website at headquarters, via credit card
transactions. All of the regional computers are
linked to the headquarters via an internal
network, and the headquarters has one connection
to the Internet. The headquarters servers query
the regional servers to fulfill the transactions.
The fees collected are approximately 10,000 per
day distributed equally from each region, and the
transactions are uniformly spread out over a 24
hour period.
Case StudyExample- Assets (Tangible)
  • Transaction Revenue- amount of profit from
  • Data- client information
  • Laptops- shared, used for collecting information
  • Desktops- shared, used for processing client
  • Regional Servers- stores all work activities of
    employees in region
  • HQ Server- query regional servers to fulfill

Case StudyExample- Asset Valuations (Cost per
Transaction Revenue 10,000 per day Data
(Liability) 10 million (total assets of
organization) Laptops ½ x 200 (locations) x
20 (employees) x 2,500 (laptop cost)
5,000,000 Desktops ½ x 200 (locations) x 20
(employees) x 1,500 (desktop cost)
3,000,000 Regional Servers 30,000 (server
cost)x 10 (regions) 80 (hours) x 20 (pay
rate) x 10 (regions) 10,000 (transaction
revenue) 326,000 HQ Server 10,000
(transaction revenue) 100,000 (cost of HQ
server) 80 (hours) x 20 (pay rate) x 10
(regions) 126,000
Case StudyExample- Vulnerabilities
  • Vulnerabilities are weaknesses that can be
  • Vulnerabilities
  • Laptop Computers
  • Desktop Computers
  • Regional Servers
  • HQ server
  • Network Infrastructure
  • Software
  • Computers and Servers are vulnerable to network
    attacks such as viruses/worms, intrusion
    hardware failures
  • Laptops are especially vulnerable to theft

Case StudyExample- Threats
  • Threats are malicious benign events that can
    exploit vulnerabilities
  • Several Threats exist
  • Hardware Failure
  • Software Failure
  • Theft
  • Denial of Service
  • Viruses/Worms
  • Insider Attacks
  • Intrusion and Theft of Information

Case StudyExample- Controls
  • Intrusion detection and firewall upgrades on HQ
  • mitigate HQ server failure and recovery
  • Anti-Virus Software
  • mitigates threat of worms, viruses, DOS attacks,
    and some intrusions
  • Firewall upgrades
  • mitigates threats of DOS attacks and some
    intrusions, worms and viruses
  • Redundant HQ Server
  • reduces loss of transaction revenue
  • Spare laptop computers at each location
  • reduces loss of transaction revenue and
  • Warranties
  • reduces loss of transaction revenue and cost of
    procuring replacements
  • Insurance
  • offset cost of liability
  • Physical Controls
  • reduce probability of theft
  • Security Policy
  • can be used to reduce most threats.

Case StudyAsset/Vulnerability Matrix
  • The coefficients of this matrix are usually based
    on internal data as well as financial loss
  • For the current example we will assume data for
    illustration of the concept
  • Transactions are mostly associated with the
    regional servers which store the data, the HQ
    server which takes all requests, and the network
    infrastructure with which clients access the
    data. (.30 each)
  • Laptops, desktops and software is only associated
    with the remaining 10 (.033 each)
  • Data that is located on laptops and desktops make
    up only 10 of total data because they are only
    used for collecting and processing.
  • The regional servers contain all other data.
  • Other assets are associated at 100 with their
    respective vulnerabilities. (e.g. laptops with
    laptops, desktops with desktops, etc.)

Case StudyAsset/Vulnerability Matrix, contd.
Assets Vulnerabilities Transaction Revenue Data (Liability) Laptops Desktops Regional Servers HQ Server Aggregates (Impact)
Input Asset Values ? 10,000 10,000,000 5,000,000 3,000,000 326,000 126,000 S (asset value x vulnerability)
Laptops .033 .05 1 0 0 0 5,500,330
Desktops .033 .05 0 1 0 0 3,500,330
Regional Servers .30 .90 0 0 1 0 9,329,000
HQ Servers .30 0 0 0 0 1 129,000
Network Infrast. .30 0 0 0 0 0 3000
Software .033 0 0 0 0 0 330
  • Customize matrix to assets vulnerabilities
    applicable to case
  • Compute cost of each asset and put them in the
    value row
  • Determine correlation with vulnerability and
  • Compute the sum of product of vulnerability
    asset values add to impact column

Case StudyVulnerability/Threat Matrix
  • The coefficients of this matrix are usually based
    on data from the literature, e.g.,
  • if rate of failure of hardware is rf (per unit
  • the number of pieces of hardware is n then
  • the total number of failed components during a
    time period is rfn
  • the fraction of hardware that fails is rfn/n rf
  • For the current example we will assume data for
    illustration of the concept
  • Failure rate of laptops is .001 per day (i.e.,
    one in a thousand laptops encounters hardware
    failure during a day)
  • Similarly failure rate of a desktop is .0002
    (i.e. 2 in ten thousand desktops would encounter
    hardware failure in a given day.
  • Hardware failure can cause loss of software,
    however, our assumption is that all software is
    replaceable from backups

Case StudyVulnerability/Threat Matrix, contd.
  • We assume that the hardware failure will disrupt
    the network once every one hundred days
  • There is 0.3 percent chance that software failure
    can lead to failure of desktops
  • We assume that there is a .01 chance of a laptop
    being stolen, .001 for a desktop, and .0002 for
  • There is a very low chance that network equipment
    is stolen since it is kept in secure rooms
  • When equipment is stolen some software may have
    been stolen as well
  • We assume that denial-of-service is primarily
    targeted at servers and not individual machines
  • We assume that the denial-of-service can disable
    machines as well as cause destruction of software
  • Insider attacks are primarily meant to exploit
    data disable machines
  • We assume that the servers have less access thus
    are less vulnerable to insider attacks

Case StudyVulnerability/Threat Matrix, contd.
Vulnerabilities Threats Laptops Desktops Regional Servers HQ Servers Network Infrast. Software Aggregates (Threat Importance)
Input Impact Aggregates? 5,500,330 3,500,330 9,329,000 129,000 3,000 330 S (impact value x threat value)
Hardware Failure .001 .0002 .0002 .0002 .01 0 8,122.00
Software Failure .003 .003 .003 .003 0 0 55,375.98
Equipment Theft .0160 .001 .0002 .0002 .0001 .005 93,399.16
Denial of Service .0001 .0001 .001 .001 0 0 10,358.07
Viruses/Worms .003 .003 .003 .003 0 .001 55,376.31
Insider Attacks .001 .001 .0001 .0001 .0001 .001 9,947.09
Intrusion .001 .001 .001 .001 0 .001 18,458.99
  • Complete matrix based on the specific case
  • Add values from the Impact column of the previous
  • Determine association between threat and
  • Compute aggregate exposure values by multiplying
    impact and the associations

Case StudyThreat/Control Matrix
  • Some of these controls have threats associated
    with them. However, these are secondary
    considerations and we will be focusing on primary
  • We assume that IDS systems will control 30 of
    the DOS attacks, 30 of Viruses and Worms and 90
    of intrusions
  • In addition, IDS systems do not impact insider
  • Anti-Virus Software will prevent 90 of Viruses
    and Worms.
  • That upgrades to a firewall will greatly control
    (90 each) of DOS attacks, as well as Viruses and
    Worms. It will control 30 of intrusions, but not
    insider attacks.
  • A redundant HQ server will control 10 of
    hardware failure (when the original HQ server
    fails). This is the same percentage for theft and
    insider attacks.
  • Also, a redundant HQ server will help with 80 in
    cases of DOS attacks on the HQ server.
  • Spare laptops will assist in cases of hardware
    failure and theft (30 because of volume).

Case StudyThreat/Control Matrix, contd.
  • We assume that warranties will help with 70 of
    both hardware failure and software failure. While
    it will assist with the cost of new hardware or
    software, will not reduce employee time.
  • It is determined that insurance will be able to
    control 90 of impacts from the threats of theft,
    DOS attacks, Virus/Worm attacks, Insider Attacks,
    and Intrusion.
  • Physical controls (locks, key cards, biometrics,
    etc.) will control 90 of theft.
  • Also, it is assumed that a security policy will
    assist with 20 of all threats since every policy
    can have procedures which can assist in
  • Customize matrix based on the specific case
  • Add values from the threat importance column of
    the previous matrix
  • Determine impact of different controls on
    different threats
  • Multiply (1-impact) throughout threat column and
    multiply to threat importance to get values.

Case StudyThreat/Control Matrix, contd.
Threats Controls Hardware Failure Software Failure Theft Denial of Service Viruses/ Worms Insider Attacks Intrusion Aggregates
Input Threat Importance Values? 8,122.00 55,375.98 93,399.16 10,358.07 55,376.31 9,947.09 18,458.99 S (threat importance x impact of controls)
Intrusion Detection 0 0 0 .30 .30 0 .90 36,333.41
Anti-Virus 0 0 0 0 .90 0 0 49,838.68
Firewall Upgrades 0 0 0 .90 .90 0 .30 64,698.64
Redundant HQ Server .10 0 .10 .80 0 .10 0 19,433.28
Spare Laptops .30 0 .30 0 0 0 0 30,456.35
Warranties .70 .70 0 0 0 0 0 44,448.59
Insurance 0 0 .90 .90 .90 .90 .90 168,785.66
Physical Controls 0 0 .90 0 0 0 0 84,059.24
Security Policy .20 .20 .20 .20 .20 .20 .20 50,207.52
Calculate Exposure with Controls ? 1,228.05 13,290.24 470.73 11.60 31.01 716.19 103.37
Case StudyAssignment
  • Given the matrices and the example case provided,
    use this same methodology in application to
    determine the information security risk in your
    own organization.

Module 4Cost Benefit Analysis Regression
Cost Benefit Analysis Regression TestingOutline
  • How to use matrices for cost benefit analysis?
  • How to calculate Risk Leverage?
  • Applying the case study example
  • Examples
  • Unauthorized Access
  • Graphical Cost Benefit Analysis with Regression

Cost Benefit AnalysisMatrix Cost Benefit Analysis
  • The exposure before controls is equal to the
    summation of the aggregate values for impact
    value x threat value. (Vulnerability/Threat
  • In this case, the value is equal to 251,037.60
  • The exposure after controls is equal to the sum
    of all of the multiplied threat importance
  • For example, in the Hardware Failure column, we
    will take each of the threat importance values
    and subtract them each from 1. These values
    should be multiplied together. (Threat/Control
  • This will give us (1-.10) x (1 - .30) x (1 -
    .70) x (1 - .20) 0.15
  • This value will be multiplied by the threat
    importance value 0.15 x 8,122.00 1,218.30
    (cost with controls of Hardware Failure)
  • Do this for all Threat columns and then summate
    all the values.
  • This value is equal to 15,851.19

Cost Benefit Analysis Risk Leverage
  • Costs are associated with both
  • Potential Risk Impact
  • Reducing Risk Impact
  • Risk Leverage is the difference in risk exposure
    divided by the cost of reducing the risk
  • Let
  • rf be the risk exposure after imposing controls
  • ri be the risk exposure prior to imposing
  • c be the cost of controls
  • Leverage l (ri-rf)/c
  • This tells you how many times the reduction in
    risk exposure is greater then the cost of

Cost Benefit Analysis Matrix Example
  • We are using this equation to calculate cost
  • Ci Csi Cri x t
  • Where Ci is the total cost of control i.
  • Csi is the static (one-time) cost of the control.
  • Cri is the additional cost per day (maintenance,
    updates, etc.) for the control.
  • t is equal to time (if calculating for a year,
    would equal 365).
  • We are assuming cost of control values for this
  • Intrusion Detection 21,000 x 11 160 x 11 x
    365 873,400
  • Anti-Virus 1,876 x 4,000 (laptops desktops)
    1,876 x 11 (number of servers) 7,524,636 11
    x 160 x 365 8,167,036
  • Firewall Upgrades 10,000 x 211 160 x 211
  • Redundant HQ Server 100,000 160 x 365
  • Spare Laptops 2,500 x 200 500,000
  • Warranties (3 year) 100 x 4,000 (laptops
    desktops) 1000 x 10 (regional servers)
    1,200 (HQ Server) 411,200
  • Insurance 5,000,000 (per 365 days)
  • Physical Controls 5,000 x 211 160 x 211 x
    365 13,377,400
  • Security Policy (creation, implementation,
    enforcement) 640 x 365 233,600

Cost Benefit Analysis Matrix Example
  • Leverage l (ri-rf)/c
  • ri 251,037.60 x 365 91,628,724
  • rf 15,851.19 x 365 5,785,684.35
  • C 30,864,796
  • 251,037 15,851.19 / 30,864,796 .008
  • 91,628,724 - 5,785,684.35 / 30,864,796 2.78
  • The reduction in risk exposure is almost 3x
    greater than the cost of controls

Cost Benefit AnalysisExample 4 Unauthorized
  • Scenario A company uses a common carrier to link
    to a network for certain computing applications.
    The company has identified the risks of
    unauthorized access to data and computing
    facilities through the network. These risks can
    be eliminated by replacement of remote network
    access with the requirement to access the system
    only from a machine operated on the company
    premises. The machine is not owned a new one
    would have to be acquired.

Cost Benefit AnalysisExample 4 Unauthorized
Cost/Benefit Analysis for Replacing Network Access
Item Amount
Risk unauthorized access and use Risk unauthorized access and use
Access to unauthorized data and programs 100,000 _at_ 2 likelihood per year 2,000
Unauthorized use of computing facilities 10,000 _at_ 40 likelihood per year 4,000
Expected annual loss (2,000 4,000) 6,000
Effectiveness of network control 100 -6,000
Cost Benefit AnalysisExample 4 Unauthorized
Network Control cost Network Control cost
Hardware (50,000 amortized over 5 years) 10,000
Software (20,000 amortized over 5 years) 4,000
Support personnel (each year) 40,000
Annual cost 54,000
Expected annual loss (6,000 6,000 54,000) 54,000
Savings (6,000 54,000) -48,000
Regression TestingExample 5 Graphical Cost
Benefit Analysis
  • Scenario This is a case where use of regression
    testing is being considered after making an
    upgrade to fix a security flaw. We want to
    determine if regression testing is economical in
    this scenario.
  • Regression Testing means applying tests to verify
    that all remaining functions are unaffected by
    the change.
  • Lets refer to the diagram on the following slide,
    to compare the risk impact of doing regression
    testing with not doing it.
  • Upper part of the diagram
  • the risk of conducting regression testing
  • Lower part of the diagram
  • shows the risks of not doing regression testing


Regression TestingExample 5 Cost Savings
  • In the two cases, one of three things can happen
    if regression is done
  • We find a critical fault
  • We miss finding the critical fault
  • There are no critical faults to be found.
  • For each possibility
  • Calculate the probability of an unwanted outcome,
  • Associate a loss with that unwanted outcome,

Regression TestingExample 5 Calculation
In our example, if we do regression testing and
miss a critical fault in the system (a
probability of 0.05), the loss could be 30
million. Multiplying the two, we find the risk
exposure for that strategy to be 1.5 million. As
the calculations in the figure prove, it is much
safer to do regression testing than to skip it.
Combined Risk Exposure
Cost Benefit Analysis and Regression Testing
Questions 1 and 2
  1. What is regression testing?
  2. What is the calculated risk exposure for not
    doing a regression testing, if finding a critical
    fault has a probability of 0.35 and the loss is
    estimated at 4.5 million dollars.

Cost Benefit Analysis Regression
  • Do a cost benefit analysis based on the matrix
    that you have created for your own organization.

Module 5Modeling Uncertainties
Modeling UncertaintiesOutline
  • How do you model?
  • Monte Carlo Simulation
  • What is the approach?
  • How to model valuation of assets?
  • How to model frequency of threats?
  • How to model impact of threats?
  • How to model controls?
  • How to model distribution of risk exposure?
  • How to perform a sensitivity analysis for risk

Modeling UncertaintiesModeling Uncertainties
  • Uncertainty exists regarding value that should be
    assumed by one or more independent variables in
    the Risk Model.
  • Contributions to the models uncertainty
  • Lack of knowledge about particular values
  • Knowledge that some values might always vary
  • If it cannot be determined with certainty what
    value one or more input variables in a model will
    assume, this uncertainty is naturally reflected
    on the outcome of the dependent variable(s).
  • The risk metric is
  • not determined by the value of its independent
    variables (asset values and vulnerabilities,
    frequency and impact of threats)
  • a function of the probability distribution of
    each of these random variables
  • A good approach to dealing with uncertainty gtgt

Modeling Uncertainties Monte Carlo Simulation
  • The approach follows the following steps
  • Develop risk model
  • Define the shape and parameters of probability
    distributions of each input variable
  • Run Monte Carlo simulation
  • Build histogram for dependent variables in the
    model (risk and updated risk)
  • Compute summary statistics for dependent
    variables in model
  • Perform sensitivity analysis to detect
    variability sources
  • Analyze potential dependency relationships among
    variables in model

Modeling Uncertainties Monte Carlo Simulation
Value of Assets
Truncated Normal Distribution(mean 50)
  • Asset values here are samples and do not
    represent collected data
  • In real cases real assets of the organization
    need to be identified
  • Value needs to be assigned to the assets

Modeling Uncertainties Monte Carlo Simulation
Frequency of Threats
  • Annualized frequency of threats is required to
    compute the annualized loss expectancy.
  • This data can be collected from several sources
  • Tracking and collecting data from Internal logs
  • Report from agencies such as CERT

Modeling Uncertainties Monte Carlo Simulation
Impact of Threats
Triangular distribution (mode, max1, min0)
Modeling Uncertainties Monte Carlo Simulation
Triangular distribution( mode, max1, min0)
Modeling Uncertainties Monte Carlo Simulation
Risk Exposure Distribution
Cumulative Distribution
Modeling Uncertainties Monte Carlo Simulation
Reduced Risk Exposure
Cumulative Distribution
Modeling Uncertainties Monte Carlo Simulation
Sensitivity Analysis
Modeling UncertaintiesQuestions 1 and 2
  1. Why does uncertainty exist within risk analysis?
  2. Describe the approach towards Monte Carlo

Modeling UncertaintiesAssignment
  • Using the data provided in the case study, or
    your own risk analysis, use Monte Carlo
    Simulation to provide a graphical display.

Quantitative AnalysisSummary
  • Risk Exposure
  • Annual Loss Expectancy (ALE)
  • Identify and determine the value of assets
  • Determine vulnerabilities
  • Estimate likelihood of exploitation
  • Compute ALE
  • Survey applicable controls and their costs
  • Perform a cost-benefit analysis

Quantitative AnalysisSummary Contd.
  • Risk Aggregation
  • Optimization
  • simple formulation
  • Cost Benefit Analysis
  • LEVERAGE (RISK EXPOSUREbefore reduction
    RISK EXPOSUREafter reduction)

  • Regression Testing
  • Used for comparing risk impact
  • Monte Carlo Simulation
  • 1)Develop risk model, 2) Define the shape and
    parameters, 3)Run simulation, 4)Build histogram,
    5)Compute summary statistics, 6)Perform
    sensitivity analysis, 7)Analyze potential
    dependency relationship

Acknowledgements Grants Personnel
  • Support for this work has been provided through
    the following grants
  • NSF 0210379
  • FIPSE P116B020477
  • Damira Pon, from the Center of Information
    Forensics and Assurance contributed extensively
    by reviewing and editing the material
  • Robert Bangert-Drowns from the School of
    Education provided extensive review of the
    material from a pedagogical view.
About PowerShow.com