1 Election Operations Assessment Summary Election Assistance Commission.

Slides:



Advertisements
Similar presentations
The fast, easy to use assessment tool
Advertisements

IEEE P1622 Meeting, Oct 2011 IEEE P1622 Meeting October 24-25, 2011 Overview of IEEE P1622 Draft Standard for Electronic Distribution of Blank Ballots.
Auditing Concepts.
Systems Analysis and Design 9th Edition
TGDC Meeting, July 2011 Review of VVSG 1.1 Nelson Hastings, Ph.D. Technical Project Leader for Voting Standards, ITL
Genius online Appraisal Management System 1. Appraiser Configuration Getting Started Appraisal Management let the user to effectively conduct a users.
Overview of Key Rule Features
Project Risks and Feasibility Assessment Advanced Systems Analysis and Design.
Computer Security: Principles and Practice
Copyright © 2003 by Prentice Hall Computers: Tools for an Information Age Chapter 12 Spreadsheets and Business Graphics: Facts and Figures.
Voting System Qualification How it happens and why.
TESTING THE SECRUITY OF ELECTRONIC VOTING SYSTEM Presented By: NIPUN NANDA
12/9-10/2009 TGDC Meeting TGDC Recommendations Research as requested by the EAC John P. Wack National Institute of Standards and Technology
TGDC Meeting, December 2011 Andrew Regenscheid National Institute of Standards and Technology Update on UOCAVA Risk Assessment by.
TGDC Meeting, July 2011 Update on the UOCAVA Working Group Andrew Regenscheid Mathematician, Computer Security Division, ITL
VA Pain Coach (VPC) Mobile Applications (Apps) Phase Two (MAP2)
Visual 3. 1 Lesson 3 Risk Assessment and Risk Mitigation.
An Internet Voting System Manager Yonghua Li Kansas State University October 19, 2001 MSE Project - Phase I.
TGDC Meeting, Jan 2011 VVSG 2.0 and Beyond: Usability and Accessibility Issues, Gaps, and Performance Tests Sharon Laskowski, PhD National Institute of.
WorkPlace Pro Utilities.
Managing the development and purchase of information systems (Part 1)
Lecture 32 Risk Management (Cont’d)
Computers: Tools for an Information Age Chapter 12 Spreadsheets and Business Graphics: Facts and Figures.
An Architecture For Electronic Voting Master Thesis Presentation Clifford Allen McCullough Department of Computer Science University of Colorado at Colorado.
Using Advanced Formatting and Analysis Tools. 2 Working with Grouped Worksheets: Grouping Worksheets  Data is entered simultaneously on all worksheets.
Computers Are Your Future © 2006 Prentice-Hall, Inc.
MAPLDDesign Integrity Concepts What Do You Mean It Doesn’t Do What We Thought? Validating a Design.
5.2 Scope: This standard defines common data interchange formats for event records for voting systems. Voting systems, including election administration.
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments.
Software Architecture Evaluation Methodologies Presented By: Anthony Register.
TGDC Meeting, July 2010 Report of the UOCAVA Working Group John Wack National Institute of Standards and Technology DRAFT.
NIST Voting Program Page 1 NIST Voting Program Lynne Rosenthal National Institute of Standards and Technology
Computers in Society Electronic Voting. Team Projects What is your name? Application? Presentation? Copyright The software industry The open source business.
CSCE 201 Secure Software Development Best Practices.
TGDC Meeting, Jan 2011 Help America Vote Act (HAVA) Roadmap Nelson Hastings National Institute of Standards and Technology
Copyright © 2007 Pearson Education Canada 23-1 Chapter 23: Using Advanced Skills.
Using Total Quality Management Tools to Improve the Quality of Crash Data John Woosley Louisiana State University.
1 11/2004 – N.Campanis for MPUG Western NY Chapter Working Session Nick Campanis Presented to MPUG – Western NY Chapter Working Session November 10, 2004.
Printed Reports Analysis questions –Who will use the report? –What is the purpose of the report? –When or how often is the report needed? –Where does the.
Project Management in Marketing Deirdre Makepeace Level Verifier – Professional Diploma Assignment brief June and September 2014.
ON “SOFTWARE ENGINEERING” SUBJECT TOPIC “RISK ANALYSIS AND MANAGEMENT” MASTER OF COMPUTER APPLICATION (5th Semester) Presented by: ANOOP GANGWAR SRMSCET,
TGDC Meeting, Jan 2011 VVSG 2.0 and Beyond: Usability and Accessibility Issues, Gaps, and Performance Tests Sharon Laskowski, PhD National Institute of.
Template for CORAS Risk Analysis. The eight steps of a CORAS risk analysis.
© 2012 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S.
Dr. Gerry Firmansyah CID Business Continuity and Disaster Recovery Planning for IT (W-XIV)
PMP Study Guide Chapter 6: Risk Planning (Unit 8).
Introduction and Overview
8 Principles of Effective Documentation.
Auditing Concepts.
Exploring Excel Chapter 8 The Expert User:
Strategic Information Initiatives
CHAPTER11 Project Risk Management
Business System Development
FORMAL SYSTEM DEVELOPMENT METHODOLOGIES
PM 584 Competitive Success/snaptutorial.com
MPA TM543Competitive Success/snaptutorial.com
CIS 333 RANK Perfect Education/ cis333rank.com.
PM 584 Education for Service/snaptutorial.com
BIS 221 RANK Education for Service-- bis221rank.com.
MPA TM543 Education for Service- -snaptutorial.com
DATA COLLECTION, MANAGEMENT AND ANALYSIS
Lessons Learned from a Functional Hazard Analysis (FHA)
GE 6757 TOTAL QUALITY MANAGEMENT
Risk Assessment = Risky Business
Introduction and Overview
DMAIC Analyze, Improve, Control
Risk Analysis and HIPAA Security
LO2 - Be Able to Design IT Systems to Meet Business Needs
Feasibility Report.
MANAGEMENT of INFORMATION SECURITY, Fifth Edition
Presentation transcript:

1 Election Operations Assessment Summary Election Assistance Commission

2 Scope of the Project Phase 1 - completed Develop generic voting system models Phase 2 - currently under review Analyze models to identify threats Use results of analysis to develop a threat assessment tool Tool will assist EAC and NIST in evaluating benefits and costs of proposed security requirements for VVSG 2.0

3 Seven types of attacks (threats) identified Attack voting equipment Perform insider attack Subvert voting process Experience technical failure Commit errors in operations Attack audit Disrupt operations

4 Voting Technologies Assessed Generic Technology Types Direct Recording Electronic (DRE) Precinct Count Optical Scan (PCOS) Central Count Optical Scan (CCOS) Vote by Mail (VBM) Vote by Phone (VBP) Internet Voting (IV) Hand Counted Paper Ballots (HCPB)

5 Explanation of Terms A threat tree is a method to outline each type of attack (i.e., threat) and the steps required to exploit a potential system vulnerability A threat matrix documents additional information to more fully describe the nature of a threat action, its implications, and possible controls to prevent or mitigate its impact

6 Describing Threats Technology threat information is described in three ways: A graphical threat tree A tabular threat tree A threat matrix

7 Graphical Threat Tree for Precinct Count Optical Scan (PCOS)

8 Tabular Threat Tree for Precinct Count Optical Scan (PCOS) T = Terminal O = Or A = And

9 Comparison of Tabular and Graphical Trees

10 Comparison of Tabular and Graphical Trees Both trees display the same information To illustrate, the colored arrows point to the corresponding information in each tree By representing trees in both tabular and graphical formats, we accommodate both textual and visual information processing styles

11 Example of PCOS Threat Matrix

12 PCOS Threat Matrix Detail This matrix detail illustrates the same PCOS Attack Voting Equipment example shown in the threat trees. The entries in the matrix describe the characteristics of each threat action identified in the threat trees.

13 Threat Instance Risk Analyzer (TIRA) Tool TIRA is an automated tool that allows the user to quantify his/her professional intuition/judgment about the likelihood of a given threat happening and its potential impact on election operations. The analyst can rerun the analysis multiple times using different assumptions to see how much the result changes. TIRA will be used by the EAC and NIST for analyzing proposed VVSG 2.0 requirements

14 How TIRA is Used Analyst creates a scenario by selecting threat instances from the trees Analyst uses TIRA worksheets to record scenario and assumptions Analyst assigns values for parameters of motivation, complexity, and impact Analyst runs TIRA simulation Result is a rank ordering of threats

15 Benefits of TIRA Organizes and structures thinking about risks Enables ‘apples to apples’ comparisons of different analysts assessments Allows analysis of hundreds of scenario variations in short period of time Permits analyst to make changes to threat matrices to create additional scenarios

16 Suggestions for Reviewing Threat Trees Begin with a technology you are familiar with. Compare what you know with what you see. Identify any missing threat actions or other elements. Remember that TIRA uses these trees as inputs for creating scenarios. If something is missing from a tree it can’t be considered in the TIRA analysis.

17 Review Questions for Threat Matrices Do you understand the terms used in the column headings? Are there other threat actions you would add? Are there other mitigations / controls you would add? Would you change any entries in the cells of the matrix? If your review time is limited, feedback on the overall matrix structure is more important than comments on the individual cells.

18 Thank you for your time

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.