Unit Outline
Quantitative Risk Analysis
• Module 1: Quantitative Risk Analysis and ALE
• Module 2: Case Study
• Module 3: Cost Benefit Analysis and Regression Testing
• Module 4: Modeling Uncertainties
• Module 5: Summary

Summary
Quantitative Risk Analysis
• Risk Exposure
  • RISK EXPOSURE = RISK IMPACT x RISK PROBABILITY
• Annual Loss Expectancy (ALE)
  • Identify and determine the value of assets
  • Determine vulnerabilities
  • Estimate likelihood of exploitation
  • Compute ALE
  • Survey applicable controls and their costs
  • Perform a cost-benefit analysis

Summary
Qualitative Risk Analysis
• Risk Aggregation:
  • Optimization
  • simple formulation
• Cost Benefit Analysis
  • LEVERAGE = (RISK EXPOSURE before reduction – RISK EXPOSURE after reduction) / COST OF REDUCTION
• Decision Tree
  • Graphical method for cost-benefit analysis
• Monte Carlo Simulation
  • 1) Develop risk model
  • 2) Define the shape and parameters
  • 3) Run simulation
  • 4) Build histogram
  • 5) Compute summary statistics
  • 6) Perform sensitivity analysis
  • 7) Analyze potential dependency relationship

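Added example, not part of the original slides: Monte Carlo steps 1 to 6 carried through for one asset and one threat, with the simulated mean used as the ALE and fed into the LEVERAGE formula. The incident rate, loss range, Poisson and triangular distribution choices, control effect and control cost are all constructed assumptions.

```python
import math
import random
import statistics
from collections import Counter

# Constructed inputs (assumptions for illustration, not figures from the slides).
BASE = {"rate": 0.8,                      # expected incidents per year
        "low": 20_000, "mode": 50_000, "high": 200_000}  # loss per incident ($)
CONTROL_RATE_FACTOR = 0.25                # assumed: control cuts incident rate to 25%
CONTROL_COST = 15_000                     # assumed annual cost of the control ($)

def poisson(rng, lam):
    """Knuth's method: incident count for one simulated year."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k, p = k + 1, p * rng.random()
    return k

def simulate(params, trials=20_000, seed=1):
    """Steps 1-3: annual loss = sum of triangular impacts over a Poisson count."""
    rng = random.Random(seed)
    return [sum(rng.triangular(params["low"], params["high"], params["mode"])
                for _ in range(poisson(rng, params["rate"])))
            for _ in range(trials)]

def histogram(losses, width=50_000):
    """Step 4: number of simulated years per loss bin (keyed by bin floor)."""
    return dict(sorted(Counter(int(x // width) * width for x in losses).items()))

def summarize(losses):
    """Step 5: the mean is the simulated ALE; p95 shows the tail."""
    ordered = sorted(losses)
    return {"ale": statistics.fmean(ordered), "p95": ordered[int(0.95 * len(ordered))]}

def sensitivity(params, key, swing=0.2):
    """Step 6: ALE when one input moves -/+ swing and the rest stay fixed."""
    return tuple(summarize(simulate({**params, key: params[key] * f}))["ale"]
                 for f in (1 - swing, 1 + swing))

def leverage(exposure_before, exposure_after, cost):
    """LEVERAGE = (exposure before - exposure after) / cost of reduction."""
    return (exposure_before - exposure_after) / cost

if __name__ == "__main__":
    before = summarize(simulate(BASE))
    after = summarize(simulate({**BASE, "rate": BASE["rate"] * CONTROL_RATE_FACTOR}))
    print("ALE before/after:", round(before["ale"]), round(after["ale"]))
    print("p95 before:", round(before["p95"]), "histogram:", histogram(simulate(BASE)))
    print("ALE at rate -/+20%:", sensitivity(BASE, "rate"))
    print("leverage:", round(leverage(before["ale"], after["ale"], CONTROL_COST), 2))
```

With these inputs the analytic ALE is 0.8 x $90,000 = $72,000 before the control and $18,000 after, so the simulated leverage should land near 3.6; a leverage above 1 means the control removes more expected loss than it costs.
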
Suggested Reading
Quantitative Risk Analysis
• Alberts, C., & Dorofee, A. (2003). Managing Information Security Risks: The OCTAVE℠ Approach. New York, NY: Addison-Wesley.
• Barber, B. and Davey, J. (1992). The use of the CCTA risk analysis and management methodology CRAMM. Proc. MEDINFO92, North Holland, 1589–1593.
• Stolen, K., den Braber, F. & Dimitrakos T. (2002). Model-based Risk Assessment – The CORAS Approach.

Acknowledgements
Grants and Personnel
• Support for this work has been provided through grants from the following agencies:
  • National Science Foundation (NSF 0210379)
  • Department of Education (FIPSE)
• Damira Pon, from the Center of Information Forensics and Assurance, contributed extensively by reviewing and editing the material.
• Robert Bangert-Drowns from the School of Education reviewed the material from a pedagogical view.
• Melissa Dark & Ting Zhuang from Purdue University provided a critique of the material and facilitated creation of a distance delivery version of the course.