Risk analysis and management using ontology Formal Analysis of Risk in Enterprise System (FARES) Presentation by Drs Peter Stephenson and Paul Stephen Prueitt Draft version 1.0 April 4, 2005
High level Business Model The Advanced Group Inc (sales and marketing) The Center for Digital Forensics Studies LTD (tool development) OntologyStream Inc (ontology repository) Other partners (core technology providers, certification providers, authorized providers, outsourced management) Products FARES (Formal Analysis of Risk in Enterprise System) TRM (True Risk Management, requires FARES to start) Tools DOF (Differential Ontology Framework with composite of patented technologies, designed to be refactored (in 2007 ) into CoreSystem virtual engine) Assessment instruments and methodologies Paring and filtering tools acting on real time data flow Pricing FARES ( $75 K plus, 90 day process) TRM ( $50 K plus, 1 year process) must follow a FARES project. Sales expectations (Now completing one $100K project, one new project almost sold to begin in April.) Two new projects each month between May and December. One very large project ($500 phase 1 is possible to begin in April).
The FARES certification (Doug Weidner and Art Murray) Certification and university curriculum (George Washington University) The Center for Digital Forensics Studies LTD (tool and methodology development) OntologyStream Inc (ontology standards, formal and science considerations) Products FARES Certification, degree programs within the knowledge science and knowledge technology disciplines. Pricing FARES ( $1,995 per individual instruction, two weeks followed by three month Risk Practicum project (discounted FARES project rate (10%)) Enrolment expectations: ( As the market for FARES develops, we expect to train 200 – 500 certified practitioners. At the present time, the market need is very well defined, but no comparable tool exists other than FARES.) Benefits: Certification will allow participation in an Open but Protected Red Hat type business model, controlled by the Center for Digital Forensics Studies.
FARES Institute Certification Prerequisites: Some computer security certification and/or knowledge management certification. Certification authority, KMPro.org, KMCI, etc; will provide the necessary training required to run a FARES project. Contributes to a Public but Protected ontology repository where top down regulatory constraints produce standard configurations that exist as potential TO-BE frameworks The practicum will be supported using FARES tools and methodology, with FARES Institute project royalty between 10 – 20 K. FARES project royalty will be fixed at 20% invoiced contract including Time and Materials. Additional oversight by senior Institute personnel to be negotiated. Ontologies Repository Certification of Ontology Construction tools and methodologies On-going research is the responsibility of the FARES Institute Science Board.
On the generality of the FARES product An enterprise system can be any “complex” system. The power that is found in the application of a FARES product comes from the universality of the target of application. For Example: The Formal Analysis of Risk in Enterprise System has been applied to the analysis of data derived from the measurement of acidity levels in fish ponds. This application produces different types of ontology structure as the assessment and analysis methodology is varied. The objective of the application is, however, the same as FARES as originally applied to IT RISKS. Gains is the “other side” of Risk: Analysis of structure and activity leading to a delineation of the categories of RISK to the system. A generalization of this analysis leads to a delineation of categories of GAIN to the system. The development and use of enterprise specific organized sets of concept indicators (ie ontology such as encoded in OWL), is highly natural. Differential Ontology Framework has features related to the perceptual measurement process, the cognitive process and that action activity. Humans understand this architecture.
The Fundamental Diagram explaining DOF Scientific Origins: J. J. Gibson (late 1950s) Ecological Physics, Evolutionary Psychology, and Cognitive Engineering, and other literatures Does a human Community of Practice (CoP) have a perceptional, cognitive and/or action system? Depends: Some groups within the State Department (yes) Some groups at HIST, NSF, DARPA, etc (yes) Some groups in the Academy (yes) Other groups in these same organizations (no, not at all) Knowledge Management community (No, not really) Computer Security and Information Assurance community (No, not really) Iraqi Sunni community in Iraq in March 2005 (this might be forming)
Differential Ontology Framework Applications: Increase the degree of executive decision making capacity and the degree of cognitive capability available to a human community of practice, such as a group in the US State Department, or a group in US Treasury. Business entities use this software to develop a greater understanding of Enterprise Risks.
Development steps, for FARES (applied to State of Michigan Information Assurance Audit) Development of an ontology with an editor like Protégé Concepts related to Threats, Vulnerabilities, Impacts and Inter-domain communications are specified but the set of concepts about Risks is not. Domain expert, Peter Stephenson, used the methods of “Descriptive Enumeration” (DE) and community polling to develop the set of concepts properties and relationships. Peter’s role here is to represent what he knows about these realities without being concerned about computable inference or ontology representation standards. He used Protégé as a typewriter to write out concepts, specify relationship and properties. It is a very creative process. Requires a trained analyst.
The modular architecture in DOF within FARES Three levels – upper, middle and scoped ontology individuals - are used. The top level has a higher level abstraction for each of the core concepts that are in each of five middle level ontologies. Initially these middle level ontologies were developed manually for Threats, Vulnerabilities, Impacts, and Inter-domain communication channels. The current FARES project has automated the development of a set of Risk concepts, through the measurement of event log data. Goal: An “formative” ontology over Risks is to be developed as a consequence of a measurement process over some data set. It is important to see that, in theory, any one of the five “upper level ontologies” can be deleted and built using a data source, the other four, and the process we are proto- typing. Of course, one discovers what one discovers, and human tacit knowledge is involved in any of these HIP processes since human in the loop is core to DOF use. The process makes the developed ontology very specific to the organization that FARES is being delivered to. How does one judge the results?: A “arm-chair” evaluation is used whereby knowledgeable individuals look at how and why various steps are done, and make a subjective evaluation about the results. We also have a mapping between Risk evaluation ontology and a numerical value with quantitative metrics. This mapping provided an informed measure of Risk that can be converted to a financial and legal statement.
Top and middle ontology Scoped ontology Human expert
The Fundamental Diagram First level: Data Instance Example: Custom’s manifest data e i w I / s i. The event is measured (by humans or algorithms) in a report having both relational database type “structured” data and weakly structured free form human language text. Example: Cyber Security or Information Assurance data e i co-occurrence patterns The event is measured (by algorithms) and expressed as a record in a log file. In both cases, a FARES or modified FARES product establishes the ontology resources for a more long term “True Risk Analysis” (TRA) process. DOF grounds the Fundamental Diagram with correspondence to several levels of event observation
The Fundamental Diagram Second level: Concept Instance Instance aggregation into a “collapse” of many instances into a category. Example: the concept of “two-ness” allows one to talk about any instances of two things. These aggregation of instance into category produces a bypass to many scalability problems (the scalability issue never comes up in practice). The aggregation process is called “semantic extraction” of instances into Subject Matter Indicators (SMIs) that reference “concepts’. These concepts provide context for any specific data instance. There are several classes of patents on semantic extraction, all of these are useful within DOF, and none is perfect with respect to always being right.
Matching Subject Matter Indicators to concepts SMIs are found using algorithms. The algorithms are complex and require expert use, however the results of good work produces a computational filter that is used to profile the SMI and to thus allow parsing programs to identify SMIs in new sources of data. SMIs always produce a conjecture that a concept is present. Once the conjecture is examined by a human, the concept’s “neighborhood” in the explicit ontology can be reproduced as the basis for a small scoped ontology individual. Concepts are expressed through a process of human descriptive enumeration and iterative refinement. In the State of Michigan FARES project, Threats, Vulnerabilities, Impacts and Inter-domain communications are separate middle DOF ontology each having about 40 concepts. These ontologies also have relationships, attributes and properties and some subsumption (subconcept) relationships. However, they are designed to be subsetting rather than to use as the basis for “inference”. Because we do not use the Ontology Inference Layer in OWL, we convert the OWL formatted information into Ontology referential bases (Orbs) encoded information. Using one of several semantic extraction tools we create SMI representation of the concepts that are encoded in the DOF ontology. Thus a common representational standard exists between the SMIs and the set of explicitly defined concepts. This gives computability.
Large scale FARES deployment model (500K plus)