
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Quantitative.


Sanjay Goel, School of Business/Center for Information Forensics and Assurance, University at Albany – Proprietary Information

Slide 1: Unit Outline – Quantitative Risk Analysis
Module 1: Quantitative Risk Analysis and ALE
Module 2: Case Study
Module 3: Cost Benefit Analysis and Regression Testing
Module 4: Modeling Uncertainties
Module 5: Summary

Slide 2: Summary – Quantitative Risk Analysis
Risk Exposure
– RISK EXPOSURE = RISK IMPACT x RISK PROBABILITY
Annual Loss Expectancy (ALE)
– Identify and determine the value of assets
– Determine vulnerabilities
– Estimate likelihood of exploitation
– Compute ALE
– Survey applicable controls and their costs
– Perform a cost-benefit analysis

Slide 3: Summary – Qualitative Risk Analysis
Risk Aggregation
– Optimization: simple formulation
Cost Benefit Analysis
– LEVERAGE = (RISK EXPOSURE before reduction – RISK EXPOSURE after reduction) / COST OF REDUCTION
Decision Tree
– Graphical method for cost-benefit analysis
Monte Carlo Simulation
– 1) Develop risk model, 2) Define the shape and parameters, 3) Run simulation, 4) Build histogram, 5) Compute summary statistics, 6) Perform sensitivity analysis, 7) Analyze potential dependency relationships
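A worked example of the risk-exposure and leverage formulas from the summary slides, added here and not part of the lecture material: ALE is taken as risk impact (loss per occurrence) times annual probability, the risks, controls and dollar figures are constructed, and candidate controls are ranked by leverage as in the "survey controls" and "cost-benefit" steps of the ALE procedure.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Risk:
    name: str
    impact: float       # loss per occurrence, in dollars (RISK IMPACT)
    probability: float  # expected occurrences per year (RISK PROBABILITY)

@dataclass(frozen=True)
class Control:
    name: str
    risk: str                    # name of the Risk this control addresses
    cost: float                  # annual cost of the reduction, in dollars
    residual_impact: float       # impact once the control is in place
    residual_probability: float  # annual probability once it is in place

def risk_exposure(impact, probability):
    """RISK EXPOSURE = RISK IMPACT x RISK PROBABILITY (annual loss for one risk)."""
    return impact * probability

def leverage(exposure_before, exposure_after, cost):
    """LEVERAGE = (exposure before - exposure after) / cost of reduction."""
    if cost <= 0:
        raise ValueError("cost of reduction must be positive")
    return (exposure_before - exposure_after) / cost

def annual_loss_expectancy(risks):
    """Step 4 of the ALE procedure: one expected annual loss per risk."""
    return {r.name: risk_exposure(r.impact, r.probability) for r in risks}

def rank_controls(risks, controls):
    """Steps 5-6: leverage of each candidate control, highest first.
    Leverage above 1.0 means the control removes more expected loss than it costs."""
    ale = annual_loss_expectancy(risks)
    scored = []
    for c in controls:
        after = risk_exposure(c.residual_impact, c.residual_probability)
        scored.append((c.name, leverage(ale[c.risk], after, c.cost)))
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

# Constructed sample figures (hypothetical, not taken from the lecture).
RISKS = [
    Risk("web defacement", impact=50_000, probability=0.2),
    Risk("laptop theft", impact=20_000, probability=0.5),
]
CONTROLS = [
    Control("web app firewall", "web defacement", cost=4_000,
            residual_impact=50_000, residual_probability=0.05),
    Control("full-disk encryption", "laptop theft", cost=1_000,
            residual_impact=2_000, residual_probability=0.5),
]
```

With these figures both risks carry the same ALE of 10,000, yet rank_controls(RISKS, CONTROLS) puts full-disk encryption (leverage 9.0) well ahead of the firewall (1.875), which is the point of using leverage rather than raw exposure to choose controls.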

Slide 4: Suggested Reading – Quantitative Risk Analysis
Alberts, C., & Dorofee, A. (2003). Managing Information Security Risks: The OCTAVE(SM) Approach. New York, NY: Addison-Wesley.
Barber, B., & Davey, J. (1992). The use of the CCTA risk analysis and management methodology CRAMM. Proc. MEDINFO 92, North Holland, 1589–1593.
Stølen, K., den Braber, F., & Dimitrakos, T. (2002). Model-based Risk Assessment – The CORAS Approach.

Slide 5: Acknowledgements
Grants and Personnel
Support for this work has been provided through grants from the following agencies:
– National Science Foundation (NSF 0210379)
– Department of Education (FIPSE)
Damira Pon, from the Center of Information Forensics and Assurance, contributed extensively by reviewing and editing the material.
Robert Bangert-Drowns, from the School of Education, reviewed the material from a pedagogical view.
Melissa Dark and Ting Zhuang, from Purdue University, provided a critique of the material and facilitated creation of a distance delivery version of the course.

