1

INSE 6320 -- Week 1

Risk Analysis for Information and Systems Engineering

• Go over Course Outline

• What is Risk?
• Introduction to Risk Analysis

Dr. M. AMAYRI Concordia University

 2

Instructor: Dr. M. AMAYRI

• Office: EV 7.647

• Lectures: Mondays, Wednesdays 11:45 - 2:30PM

• Office Hours: Wednesdays 09:00 - 10:00

• E-Mail: [email protected]

• TA: Maher Dissem

• Office: EV 4. 214

• E-Mail: [email protected]

• Office Hours: Thursdays 03:00pm to 04:00 pm

 3

What is INSE 6320?

• INSE 6320 is an Information and Systems Engineering course

• Engineering systems are almost always designed, constructed, and
operated under unavoidable conditions of risk and uncertainty.
• You will learn how to:
▪ Assess risk for systems engineering using probability theory and statistics
▪ Use the basic tools of risk analysis: fault trees, event trees, simulation models,
and influence diagrams
▪ Model uncertainty and measure risk through various methods
▪ Implement quantitative risk analyses, and develop strategies to identify, assess,
monitor and mitigate risk.
 4

Roadmap of the Course?

INSE 6320

Risk & Uncertainty Fault & Event Decision Theory

Trees

Probability Statistical Influence Risk

Inference Reliability Expert Opinion Diagrams Management
Distributions

Weibull Risk
Analysis Measurement

Exam 1 Exam 2
 5

Administration
• Course web page:
• MyConcordia Portal (Moodle)
• It’s highly advised to check Moodle regularly.
• Syllabus, Slides, Assignments, Projects, etc…
▪ Go to MyConcordia Portal (Moodle).

• Preliminary exam dates and project due date:

▪ Exam1
• May 29, 2024 (in class)

▪ Project due
• Presentations: June 10,12 (in class)
• Report: June 18, 2024 (by midnight)

▪ Exam 2
• June 17, 2024 (in class)
 6

Grading Policy
Important Dates:

• May 29, 2024: Exam1

• June 18, 2024: Project Report
Exam 1 25% • June 17, 2024: Exam2
Project 50% • June 10, 12, 2024: Project presentation
Exam 2 25%

Final Project
• Final reports due on April 12, 2024 before midnight.
• A final project report, completed by team of four.
• The term project will have only one component: written report.
• More details posted on: Moodle
 7

What is Risk?
• Risk as a science was born in the sixteenth century Renaissance, a time of
discovery
• The word risk is derived from the early Italian risicare, which means “to dare”
• Today, risk is defined as the possibility of loss
• Loss – The loss can be either a bad outcome or a lost opportunity
• Choice – Unless there is a choice, there is no risk management

Definition:
The likelihood that a particular threat using a specific attack, will
exploit a particular vulnerability of a system that results in an
undesirable consequence.

(Definition from National Information Systems Security (INFOSEC) Glossary,

NSTISSI No. 4009, Aug. 1997)
 8

What is Risk?
• The probability that a particular threat will exploit a particular vulnerability

• Risk can be described in terms of probability (the possibility of risk), consequence

(the loss), and time frame

• Probability is the likelihood that the consequence will occur

• Consequence is the effect of an unsatisfactory outcome

• Time Frame refers to when the risk will occur during the product lifecycle, e.g. long,
medium, short, imminent ...

• Risks are future events with a probability of occurrence and a potential for loss

• Many problems that arise in software development efforts were first known as risks by
someone on the project staff

• Caught in time, risks can be avoided, negated or have their impacts reduced
 9

Risk Applications
 10

Probability
• Probability and risk surround us. Elements of this underlie every decision we
make, be it as simple as crossing a road or as major as buying a car or house.
• How likely is a future problem to occur?
• Often difficult to define precisely

• Probability can be defined as a percentage, a phrase or a relative number:

Probability Uncertainty Rank

> 80% Almost certainly, highly likely 5

61%-80% Probable, likely, probably, we believe 4
41%-60% We doubt, improbable, better than even 3
21%-40% Unlikely, probably not 2
< 21% Highly unlikely, chances are slight 1
 11

The Risk Equation

Risk = Probability x Consequence
= Function(Threat, Vulnerability, Consequence)

• Threat : Any person, circumstance or event with the potential to cause loss
or damage (Possible Danger).

• Vulnerability: Any weakness that can be exploited by an adversary or

through accident (in physical, technical, administrative).

• Consequence: The amount of loss or damage that can be expected from a

successful attack. Also refereed to as impact, loss or cost

Laptop 5000$ is stolen,

What’s the impact?
 12

Assets
Business Asset is any thing has measurable value to the
organization
• Tangible value: actual cost of the asset and can be expressed in monetary
term.
• Intangible value: value can’t be measured (reputation, customer influence,
future loss,…)

Example:

A company sells products via website and it earns 5000$ an hour, the web server
hosting the website fails and is down for hours:

the cost to repair total?

 13

What is Risk Analysis?

• The process of identifying, assessing, and reducing risks to an
acceptable level
▪ Defines and controls threats and vulnerabilities
▪ Implements risk reduction measures

• An analytic discipline with three parts:

▪ Risk assessment: determine what the risks are
▪ Risk management: evaluating alternatives for mitigating the risk
▪ Risk communication: presenting this material in an
understandable way to decision makers and/or the public
 14
Risk Management Process
Practice of identifying assessing controlling and mitigating risks

Identify threats, vulnerabilities,

and impact
relevant to the organization
 15
Risk Management Process
Practice of identifying assessing controlling and mitigating risks

• Identify assets— value

• Identify threats, vulnerabilities to the assets
• Identify likelihood of vulnerability being exploited by threats
• Identify the impact of risk
• Identify a risk response

After

• Implementation and testing controls

• Evaluating controls
 16

Basic Risk Analysis Structure

• Evaluate
▪ Value of computing and information assets
▪ Vulnerabilities of the system
▪ Threats from inside and outside
▪ Risk priorities

Risk = Probability x Impact

• Examine
= Function(Threat,Vulnerability,Impact)
▪ Availability of security countermeasures
▪ Effectiveness of countermeasures
▪ Costs (installation, operation, etc.) of countermeasures
• Implement and Monitor
 17

Benefits of Risk Analysis

• Assurance that greatest risks have been identified and addressed

• Increased understanding of risks
• Mechanism for reaching consensus
• Support for needed controls
• Means for communicating results

Example in work space:

1. Recognise and control hazards in your
workplace.
2. Create awareness among your employees –
and use it as a training tool.
3. Set risk management standards based on
acceptable safe practices and legal
requirements.
4. Reduce incidents in the workplace.
5. Save costs by being proactive instead of
reactive.
 18

Risk Handling Strategies

Remember that risk management is not risk elimination !!

Risk management includes: Identifying risk, assessing risks, determining which risk will be handled, taking
steps to reduce risks to an acceptable level

• Avoiding:
• Eliminating the source of the risk
• Eliminating the exposure of assets to the risk
• Sharing or Transferring: shifting responsibility to another party
• Insurance
• Outsourcing the activity
• Mitigating: risk reduction, implementing controls (cost of control should not exceed
the benefits)
• Accepting
 19

Types of Risk Analysis: How to Calculate Risk?

• Quantitative
▪ Assigns real numbers to costs of safeguards and damage
▪ Annual loss exposure (ALE)
▪ Probability of event occurring
▪ Can be unreliable/inaccurate

• Qualitative
▪ Judges an organization’s risk to threats
▪ Based on judgment, intuition, and experience
▪ Ranks the seriousness of the threats for the sensitivity of the
asserts
▪ Subjective, lacks hard numbers to justify return on investment
 20

Qualitative Risk Analysis

• Generally used in Information Security
▪ Hard to make meaningful valuations and meaningful probabilities
▪ Relative ordering is faster and more important
• Many approaches to performing qualitative risk analysis
• Same basic steps as quantitative analysis
▪ Still identifying asserts, threats, vulnerabilities, and controls
▪ Just evaluating importance differently

Example:
▪ “The system is weak in this area and we know
that our adversary has the capability and
motivation to get to the data in the system so the
likelihood of this event occurring is high.”
 21

Qualitative Representation of Risk

Qualitative risk representations are often used for quick evaluations and screening.

Consequence of Occurrence
Probability
of Occurrence Very Low Low Moderate High Very High

Very Low
Low
Moderate
High
Very High

Low Risk Medium Risk High Risk

 22

Quantitative Risk Analysis

• Risk analysis involves the identification and assessment of

the levels of risks calculated from the known values of
assets and the levels of threats to, and vulnerabilities of,
those assets.
• It involves the interaction of the following elements:
▪ Assets
▪ Vulnerabilities
▪ Threats
▪ Impacts
▪ Likelihoods
▪ Controls
 23

Quantitative Risk Analysis

• Quantitative risk analysis methods are based on statistical

data and compute numerical values of risk. They assign a
dollar value to risk.
• By quantifying risk, we can justify the benefits of spending
money to implement controls.
• It involves three steps
▪ Estimation of individual risks
▪ Aggregation of risks
▪ Identification of controls to mitigate risk
 24

Quantitative Risk Analysis

• Risk = Impact x Probability
▪ Loss of car: risk-impact is cost to replace car, e.g. $10,000
▪ Probability of car loss: 0.10
▪ Risk = 10,000 x 0.10 = 1,000
• Risk Management is about controlling risk. To control a risk
▪ Reduce the Probability
and/or
▪ Reduce the Impact

• Single loss Expectancy (SLE): how much loss for one event?

• Risk calculation (per year):

▪ Annual Loss Expectancy (ALE) = SLE x Annual Rate of Occurrence (ARO)
▪ ARO is Probability or frequency of the threat occurring in one year. For
example, if a fire occurs once every 25 years, then ARO=1/25
 25

Quantitative Risk Analysis

• Step 1: Estimate Potential Loss.
Single Loss Expectancy (SLE): Loss to an asset if event occurs
▪ Value of the lost asset (Asset Value $) = AV is the replacement cost and/or income
derived through the use of an asset
▪ Impact on the Asset (if event occurs) or Exposure Factor (%) = EF is the portion of
asset’s value lost through a threat (also called impact)
▪ SLE = AV ($) x EF (%)

• Step 2: Conduct Threat Likelihood Analysis.

Annualized Rate of Occurrence (ARO) characterizes, on an annualized basis, the frequency
with which a threat is expected to occur. It’s the number of times per year an incident is
likely to happen.

• Step 3: Calculate Annual Loss Expectancy.

Annualized Loss Expectancy (ALE) computes risk using the probability of an event occurring
over one year.
▪ ALE = SLE x ARO
 26

Cost Benefit Analysis (CBA)

After risks have been identified steps can be taken to

reduce or mange them.
Cost of control: includes the purchase cost + operational
cost over the lifetime of the control.
Protected benefits: potential benefits gained from
implementing the control.
Loss before control - loss after control = Cost of control
 27

Quantitative Risk Analysis

Example #1: Gym Locker

Scenario: There is a gym locker used by its members to

store clothes and other valuables. The lockers cannot
be locked, but locks can be purchased.
You need to determine:
1) Risk exposure for gym members
2) Controls to reduce risk
 28

Quantitative Risk Analysis

Example #1: Gym Locker, cont’d.

• Identify assets and determine value

▪ Clothes $50
▪ Wallet $100
▪ Glasses $100
▪ Sports equipment $30
▪ Driver’s license $20
▪ Car keys $100
▪ House keys $60
▪ USB $40
____
▪ Total Loss/week: $500
• Find vulnerability
▪ Theft
▪ Accidental loss
▪ Disclosure of information (e.g. read wallet)
▪ …
 29

Quantitative Risk Analysis

Example #1: Gym Locker, cont’d.

• Estimate likelihood of exploitation

• 10 (more than once a day)
• 9 (once a day)
• 7 (once a week)
• 6 (once every two weeks)
• 5 (once a month)
• 4 (once every four months)
• 3 (once a year)
• 2 (once every three years)
• 1 (less than once every 3 years)

• For theft: estimated likelihood is 7

• Figure annual loss:

▪ ~$500 worth of loss each week
▪ ~52 weeks in a year
▪ ~$26,000 loss per year
 30

Quantitative Risk Analysis

Example #1: Gym Locker, cont’d.

• Determine cost of added security

▪ New lock $5
▪ Replacement for lost key $10
▪ On average members lose one key twice a month (24 times per year)
• Estimate likelihood of exploitation under added security
▪ The new likelihood of theft could be estimated at a 4 (once every 4 months).
• Cost Benefit Analysis (CBA)
▪ Revised Losses (including cost of controls) =
(500 * 3) + (15*24) = 1860
▪ Net savings = 26000 – 1860 = 24140

• CBA = ALE (prior to control) – ALE (post-control) – ACS

where ACS = annual cost of the safeguard.
 31

First Lecture answers the following question:

• What risk is and its relationship to threat, vulnerability, and asset

loss?

• What the major components of risk?

• What risk management is and how important it is to the

organization?

• What some risk identification techniques are?

• What some risk management techniques are?

 32

Tips for success

• Expect to spend enough time studying the material of the course
• Start every assignment early
• Don’t fall behind
• Ask if you don’t know
• Do your own work