1 / 16

Risk Assessment

Risk Assessment. Farrokh Alemi, Ph.D. Monday, July 14, 2003. Objectives. To assess the probability of release of PHI Almost never occurs When it occurs, steps are taken to avoid it happening in same fashion in future. Risk Analysis. A set of scenarios Probability of occurrence of hazard

jack
Download Presentation

Risk Assessment

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Risk Assessment Farrokh Alemi, Ph.D. Monday, July 14, 2003

  2. Objectives • To assess the probability of release of PHI • Almost never occurs • When it occurs, steps are taken to avoid it happening in same fashion in future

  3. Risk Analysis • A set of scenarios • Probability of occurrence of hazard • Probability of containment • Probability of consequence

  4. Historical Precedence • Aerospace industry and Apollo flights • Accidents lead to revision of probabilities • Nuclear industry • Three mile island led to revisions

  5. Law of Total Probability p (B) = i p(B|Ai) p(Ai) A2 A3 B A4 A1

  6. Fault Tree Analysis • The top event is release of PHI • The intermediate events are ways in which PHI can be released • The basic events are observable events • Fault trees rely on Boolean logic to analyze probability of an event • “And” is shown as • “Or is shown as

  7. Components of Risk Analysis • EPHI boundary definition • Threat identification • Vulnerability identification • Security control analysis • Risk likelihood determination • Impact analysis • Risk determination • Security control recommendations Based on Steve Weil’s recommendations

  8. Inventory of PHI Internal and external interfaces of information systems Identification of the primary users of the information systems and PHI Top Event: PHI Definition

  9. Intermediate Events: Threats Unauthorized Disclosure Natural Human Environment Flood HAZMAT Intentional Unintentional Hurricane Power Failure Omission Error entry Physical IT attack

  10. Basic Events: Causes of Intermediate Events IT Attack Successful IT Attacked Controls fail Access Network failure Desktop Spy ware Authentication

  11. Boolean Algebra • If X and Y must happen before the event happens, the probability of the event is p(X)p(Y) • If X or Y can lead to the event, then the probability of the event is p(X) + p(Y)

  12. Unauthorized Disclosure Natural Human Environment Flood HAZMAT Intentional Unintentional Hurricane Power Failure Omission Error entry Physical IT attack Equivalent Descriptions • P(Unauthorized disclosure) = p(Natural) + p(Human) + p(Environment) • P(Natural) = p(Flood) + p(Hurricane) • P(Human) = p(Intentional) + p(Unintentional) • P(Intentional) = p(Physical) + p(IT attack) • Etc.

  13. IT Attack Successful IT Attacked Controls fail Access Network failure Desktop Spy ware Authentication Equivalent Descriptions • P(IT attack successful) = p(IT attack) . p(Controls failure) • P(IT attack) = p(Network) + p(Desktop) • P(Control failure) = p(authentication) + p(Access)

  14. Assessment of Basic Event Probabilities • Subjective • Frequency • One observation of rare event after s days of success • P(day of success)=Number of days of success / (1 + Number of days of success) • Provides a procedure for converting days between two failures to probability of failure • Last flood was 2 months ago, what is probability of no floods in any day? =1 - 59/60 • On average time between virus infection of desk top is 2 weeks, what is probability of infection per day? = 1/14

  15. Estimate Probability of Unauthorized Disclosure Unauthorized Disclosure Natural Human Environment Flood HAZMAT Intentional Unintentional Hurricane Power Failure Omission Error entry Physical IT attack

  16. Recommendations After Risk Assessment • Mitigate • Eliminate • Insure • Hedge

More Related