Date post: | 01-Jan-2016 |
Risk Analysis and the Security Survey 3rd edition
Chapter 3
Risk Measurement
Introduction
• Risk measurement is used later to determine the cost of an unfavorable event;
• Aids in predicting how often an event may occur in a given time period;
• Two necessities:
– Quantitative means to express cost;
– Logical expression of frequency of occurrence;
• The year is the most logical time period because of budget cycles.
Cost Valuation & Frequency of Occurrence
• Unnecessary to make precise statements of impact and probability;
• Impact and frequency simplified into factors of 10;
• If the cost valuation (impact) of the event is:
$10, let i = 1
$100, let i = 2
$1,000, let i = 3
$10,000, let i = 4
$100,000, let i = 5
$1,000,000, let i = 6
$10,000,000, let i = 7
$100,000,000, let i = 8.
• If the estimated frequency of occurrence is:
Once in 300 years, let f = 1
Once in thirty years, let f = 2
Once in three years, let f = 3
Once in a hundred days, let f = 4
Once in ten days, let f = 5
Once per day, let f = 6
Ten times per day, let f = 7
100 times per day, let f = 8.
Annual loss expectancy (ALE) is the product of impact and frequency. When using the
values of f and i derived from the conversion tables, you can approximate the value of ALE
by the formula:
ALE = 10^(f + i − 3) / 3
• i = cost valuation (impact);
– From i = 1 for a $10 impact to i = 8 for a $100,000,000 impact;
• f = frequency of occurrence;
– From f = 1 for once in 300 years to f = 8 for 100 times per day;
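The conversion tables and the ALE formula above, implemented in Python as an added worked example (this is not code from the book or its authors). It assumes the i and f tables and the formula ALE = 10^(f+i−3)/3 exactly as the chapter states them; the per-year rates behind each f row and the sample scenarios are constructed from the table's wording and are assumptions, not figures from the chapter. Comparing the table-based value with the exact product impact × annual frequency shows how coarse the order-of-magnitude approximation is.

```python
"""Annual loss expectancy (ALE) from the chapter's order-of-magnitude tables.

Added worked example, not code from the book or its authors. It assumes the
i and f conversion tables and the formula ALE = 10^(f+i-3)/3 exactly as the
chapter states them; the per-year rates below are constructed from the
table's wording (e.g. "once in a hundred days" -> 3.65 per year).
"""
import math

DAYS_PER_YEAR = 365.0

# Cost valuation table: impact index i -> dollar impact (10^i).
IMPACT_DOLLARS = {i: 10 ** i for i in range(1, 9)}

# Frequency table: frequency index f -> approximate occurrences per year
# (constructed from the chapter's phrases, assumption).
FREQUENCY_PER_YEAR = {
    1: 1 / 300,                    # once in 300 years
    2: 1 / 30,                     # once in thirty years
    3: 1 / 3,                      # once in three years
    4: DAYS_PER_YEAR / 100,        # once in a hundred days
    5: DAYS_PER_YEAR / 10,         # once in ten days
    6: DAYS_PER_YEAR,              # once per day
    7: 10 * DAYS_PER_YEAR,         # ten times per day
    8: 100 * DAYS_PER_YEAR,        # 100 times per day
}


def impact_index(cost_dollars):
    """Map a dollar impact to the nearest table row i (1..8) on a log10 scale."""
    if cost_dollars <= 0:
        raise ValueError("impact must be a positive dollar amount")
    i = round(math.log10(cost_dollars))
    return max(1, min(8, i))


def frequency_index(occurrences_per_year):
    """Map an estimated annual rate to the table row f nearest on a log10 scale."""
    if occurrences_per_year <= 0:
        raise ValueError("frequency must be a positive rate")
    target = math.log10(occurrences_per_year)
    return min(FREQUENCY_PER_YEAR,
               key=lambda f: abs(math.log10(FREQUENCY_PER_YEAR[f]) - target))


def ale_from_indices(i, f):
    """The chapter's approximation: ALE = 10^(f + i - 3) / 3."""
    return 10 ** (f + i - 3) / 3


def ale_exact(cost_dollars, occurrences_per_year):
    """Exact ALE = impact x annual frequency, for comparison with the approximation."""
    return cost_dollars * occurrences_per_year


def estimate(cost_dollars, occurrences_per_year):
    """Return the table-based approximation and the exact ALE for one event."""
    i = impact_index(cost_dollars)
    f = frequency_index(occurrences_per_year)
    return {
        "i": i,
        "f": f,
        "ale_table": ale_from_indices(i, f),
        "ale_exact": ale_exact(cost_dollars, occurrences_per_year),
    }


if __name__ == "__main__":
    # Constructed scenarios (not from the book): description, impact $, events per year.
    scenarios = [
        ("Lost laptop with unencrypted data", 10_000, 12),             # roughly monthly
        ("Major server-room fire", 1_000_000, 1 / 30),                 # once in thirty years
        ("Phishing e-mail reaching an employee", 100, DAYS_PER_YEAR),  # about once per day
    ]
    for name, cost, rate in scenarios:
        r = estimate(cost, rate)
        print(f"{name}: i={r['i']} f={r['f']} "
              f"ALE(table)=${r['ale_table']:,.0f} ALE(exact)=${r['ale_exact']:,.0f}")
```

Where the impact and frequency fall exactly on table rows (the $1,000,000 fire once in thirty years) the approximation equals the exact product; where they fall between rows (twelve events a year sits between the "once in a hundred days" and "once in ten days" rows) the table value can differ from the exact product by about a factor of three, which is the precision the chapter says is all that is needed.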
• Alternate method:
• Commonality of events:
– Access;
– Natural disasters;
– Environmental hazards;
– Facility housing;
– Work environment;
– Value.
Principles of Probability
• Risk is the possible happening of an undesirable event;
• An event is a definable occurrence, described in two ways:
– In terms of the damage it will present;
– In terms of the probability of its occurrence.
• A Risk is described in terms of its potential occurrence and its capacity for potential loss.
• Probability is the study of the possibility of occurrence.
• Probability is based on philosophical proofs.
– Derived in 1792 by the Marquis de Laplace.
– Not based on mathematical proofs.
– 10 principles:
Probability, Risk, and Security
• The goal of security design is to decrease the ratio of unfavorable events to total events.
• Similar events in different locations – add the ratios of favorable cases where the probabilities are different.
• Two events that have no relation to each other are considered to be independent.
– Applies to Principle #3.
– Examples:
• Lightning striking twice.
• Security penetration and simultaneous security system failure.
• Principle 4 expresses the relation between dependent events (probability of the first event is multiplied by the probability of the second event if the second event).
– Example: Breaking and entering followed by theft, to produce a burglary.
• Past events do not affect future events (Principle #5).
– Cannot assume that a security breach will not occur again.
– Probabilities of events are not guarantees.
• Principle #6 describes the relation between all causes and probable causes.
– Example: Circumstantial evidence.
• Principle 7 involves the basis of confidence limits.
• Mathematical hope relates the potential gain to the probability of obtaining the gain (Principle 8).
– Allows the utility of a procedure to be expressed in monetary and probabilistic terms.
• Principle 9 allows for the fact that any solution to a problem introduces risk (i.e., it may fail).
• Principle 10 relates the amount and potential of risk to the wealth of the protected entity.
– Solution could be to do nothing.
Estimating Frequency of Occurrence
• Loss expectancy can be projected with a satisfactory degree of confidence.
– Must have a sufficiently large database, or it becomes an educated guess.