Sanjay Goel, School of Business / Center for Information Forensics and Assurance, University at Albany. Proprietary Information.

Unit Outline: Quantitative Risk Analysis
Module 1: Quantitative Risk Analysis and ALE
Module 2: Case Study
Module 3: Cost Benefit Analysis and Regression Testing
Module 4: Modeling Uncertainties
Module 5: Summary
Summary: Quantitative Risk Analysis
Risk Exposure
– RISK EXPOSURE = RISK IMPACT x RISK PROBABILITY
Annual Loss Expectancy (ALE)
– Identify assets and determine their value
– Determine vulnerabilities
– Estimate the likelihood of exploitation
– Compute the ALE (expected loss per year for each asset/threat pair)
– Survey applicable controls and their costs
– Perform a cost-benefit analysis
Summary (continued): Quantitative Risk Analysis
Risk Aggregation
– Optimization: simple formulation (choose the set of controls that minimizes total residual exposure plus control cost)
Cost Benefit Analysis
– LEVERAGE = (RISK EXPOSURE before reduction – RISK EXPOSURE after reduction) / COST OF REDUCTION
– A control with leverage greater than 1 reduces annual exposure by more than it costs per year
Decision Tree
– Graphical method for cost-benefit analysis
Monte Carlo Simulation
– 1) Develop the risk model, 2) Define the shape and parameters of each input distribution, 3) Run the simulation, 4) Build a histogram of the outcomes, 5) Compute summary statistics, 6) Perform a sensitivity analysis, 7) Analyze potential dependency relationships
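The following worked example ties together the ALE steps, the leverage formula and the Monte Carlo procedure summarized above. It is added here as an illustration and is not code from the course; the asset values, probabilities, control effects, control costs and the triangular uncertainty ranges are all constructed figures chosen for the example, not numbers from the slides.

```python
"""Added example: ALE, control leverage and a Monte Carlo loss distribution.
Illustration only, not course code; all figures below are constructed."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One asset/threat pair: asset value lost per event and the estimated
    likelihood of exploitation, expressed as events per year."""
    asset: str
    impact: float        # RISK IMPACT: dollars lost per occurrence
    probability: float   # RISK PROBABILITY: expected occurrences per year

    def ale(self) -> float:
        # RISK EXPOSURE = RISK IMPACT x RISK PROBABILITY; per year this is the ALE
        return self.impact * self.probability


@dataclass(frozen=True)
class Control:
    """A candidate safeguard: its annual cost, the assets it covers (empty
    tuple = all assets) and the fraction of impact / probability that
    remains once it is in place (1.0 = no effect)."""
    name: str
    annual_cost: float
    assets: tuple
    impact_factor: float = 1.0
    probability_factor: float = 1.0

    def apply(self, e: Exposure) -> Exposure:
        if self.assets and e.asset not in self.assets:
            return e
        return Exposure(e.asset, e.impact * self.impact_factor,
                        e.probability * self.probability_factor)


def total_ale(exposures) -> float:
    return sum(e.ale() for e in exposures)


def leverage(exposures, control: Control) -> float:
    """LEVERAGE = (exposure before reduction - exposure after) / cost of reduction."""
    after = [control.apply(e) for e in exposures]
    return (total_ale(exposures) - total_ale(after)) / control.annual_cost


def cost_effective_controls(exposures, controls):
    """Cost-benefit step: rank controls by leverage and keep those whose
    annual risk reduction exceeds their annual cost (leverage > 1)."""
    ranked = sorted(controls, key=lambda c: leverage(exposures, c), reverse=True)
    return [c.name for c in ranked if leverage(exposures, c) > 1.0]


def pearson(xs, ys) -> float:
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5


def monte_carlo(exposures, trials=20000, seed=7):
    """Monte Carlo steps 1-6. Model (1): yearly loss = sum of impact x
    probability. Shape (2): each point estimate becomes a triangular
    distribution (impact half to twice the estimate, probability +/-50%;
    these ranges are an assumption of this example). Simulate (3), keep
    the sorted sample as the histogram (4), summarise (5) and rank each
    exposure by its correlation with total loss as the sensitivity (6)."""
    rng = random.Random(seed)
    per_asset = {e.asset: [] for e in exposures}
    totals = []
    for _ in range(trials):
        year = 0.0
        for e in exposures:
            loss = (rng.triangular(0.5 * e.impact, 2.0 * e.impact, e.impact)
                    * rng.triangular(0.5 * e.probability, 1.5 * e.probability, e.probability))
            per_asset[e.asset].append(loss)
            year += loss
        totals.append(year)
    ordered = sorted(totals)
    summary = {"mean": sum(totals) / trials,
               "median": ordered[trials // 2],
               "p95": ordered[int(0.95 * trials)]}
    sensitivity = sorted(((a, pearson(v, totals)) for a, v in per_asset.items()),
                         key=lambda t: t[1], reverse=True)
    return summary, sensitivity


# Constructed sample data for this example (not figures from the course).
EXPOSURES = [
    Exposure("customer database", impact=500_000, probability=0.10),  # ALE 50,000
    Exposure("public web server", impact=20_000, probability=2.0),    # ALE 40,000
]
CONTROLS = [
    Control("database encryption", 15_000, ("customer database",), impact_factor=0.2),
    Control("web application firewall", 30_000, ("public web server",), probability_factor=0.25),
    Control("cyber insurance", 60_000, (), impact_factor=0.5),
]

if __name__ == "__main__":
    print("total ALE:", total_ale(EXPOSURES))
    for c in CONTROLS:
        print(f"{c.name}: leverage {leverage(EXPOSURES, c):.2f}")
    print("worth buying:", cost_effective_controls(EXPOSURES, CONTROLS))
    print(*monte_carlo(EXPOSURES), sep="\n")
```

With these constructed inputs the point-estimate ALE is 90,000 per year; the encryption control has leverage about 2.67 and is the only one that pays for itself, the firewall exactly breaks even, and insurance returns less than it costs. The Monte Carlo run shows why the point estimate alone can mislead: because the impact range is skewed upward, the simulated mean loss is higher than 90,000, and the 95th percentile is well above the mean, which is the figure a risk owner should compare against the cost of controls when tolerance for bad years is low.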
Suggested Reading: Quantitative Risk Analysis
Alberts, C., & Dorofee, A. (2003). Managing Information Security Risks: The OCTAVE(SM) Approach. New York, NY: Addison-Wesley.
Barber, B., & Davey, J. (1992). The use of the CCTA risk analysis and management methodology CRAMM. Proc. MEDINFO 92, North Holland, 1589–1593.
Stølen, K., den Braber, F., & Dimitrakos, T. (2002). Model-based Risk Assessment – The CORAS Approach.
Acknowledgements: Grants and Personnel
Support for this work has been provided through grants from the following agencies:
– National Science Foundation (NSF)
– Department of Education (FIPSE)
Damira Pon, from the Center for Information Forensics and Assurance, contributed extensively by reviewing and editing the material.
Robert Bangert-Drowns, from the School of Education, reviewed the material from a pedagogical view.
Melissa Dark and Ting Zhuang, from Purdue University, provided a critique of the material and facilitated creation of a distance delivery version of the course.