Presentation is loading. Please wait.

Presentation is loading. Please wait.

Risk Assessment Farrokh Alemi, Ph.D. Monday, July 14, 2003.

Published byDulcie Carr Modified over 9 years ago

Similar presentations

Presentation on theme: "Risk Assessment Farrokh Alemi, Ph.D. Monday, July 14, 2003."— Presentation transcript:

1 Risk Assessment Farrokh Alemi, Ph.D. Monday, July 14, 2003

2 Objectives To assess the probability of release of PHI Almost never occurs When it occurs, steps are taken to avoid it happening in same fashion in future

3 Risk Analysis A set of scenarios Probability of occurrence of hazard Probability of containment Probability of consequence

4 Historical Precedence Aerospace industry and Apollo flights Accidents lead to revision of probabilities Nuclear industry Three mile island led to revisions

5 Law of Total Probability p (B) =  i p(B|A i ) p(A i ) B A2 A1 A3 A4

6 Fault Tree Analysis The top event is release of PHI The intermediate events are ways in which PHI can be released The basic events are observable events Fault trees rely on Boolean logic to analyze probability of an event “And” is shown as “Or is shown as

7 Components of Risk Analysis EPHI boundary definition Threat identification Vulnerability identification Security control analysis Risk likelihood determination Impact analysis Risk determination Security control recommendations Based on Steve Weil’s recommendations

8 Top Event: PHI Definition Inventory of PHI Internal and external interfaces of information systems Identification of the primary users of the information systems and PHI

9 Intermediate Events: Threats Unauthorized Disclosure EnvironmentNatural Hurricane Unintentional Human HAZMAT Power Failure Intentional IT attackPhysical Flood Error entry Omission

10 Basic Events: Causes of Intermediate Events IT Attack Successful IT Attacked Controls fail Network failure Desktop Spy ware Authentication Access

11 Boolean Algebra If X and Y must happen before the event happens, the probability of the event is p(X)p(Y) If X or Y can lead to the event, then the probability of the event is p(X) + p(Y)

12 Equivalent Descriptions P(Unauthorized disclosure) = p(Natural) + p(Human) + p(Environment) P(Natural) = p(Flood) + p(Hurricane) P(Human) = p(Intentional) + p(Unintentional) P(Intentional) = p(Physical) + p(IT attack) Etc. Unauthorized Disclosure EnvironmentNatural Hurricane Unintentional Human HAZMAT Power Failure Intentiona l IT attackPhysical Flood Error entry Omission

13 IT Attack Success ful IT Attacke d Controls fail Network failure Desktop Spy ware Authentication Access Equivalent Descriptions P(IT attack successful) = p(IT attack). p(Controls failure) P(IT attack) = p(Network) + p(Desktop) P(Control failure) = p(authentication) + p(Access)

14 Assessment of Basic Event Probabilities Subjective Frequency One observation of rare event after s days of success P(day of success)=Number of days of success / (1 + Number of days of success) Provides a procedure for converting days between two failures to probability of failure Last flood was 2 months ago, what is probability of no floods in any day? =1 - 59/60 On average time between virus infection of desk top is 2 weeks, what is probability of infection per day? = 1/14

15 Estimate Probability of Unauthorized Disclosure Unauthorized Disclosure EnvironmentNatural Hurricane Unintentional Human HAZMAT Power Failure Intentional IT attackPhysical Flood Error entry Omission

16 Recommendations After Risk Assessment Mitigate Eliminate Insure Hedge

Download ppt "Risk Assessment Farrokh Alemi, Ph.D. Monday, July 14, 2003."

Similar presentations

Security+ All-In-One Edition Chapter 17 – Risk Management

Security+ All-In-One Edition Chapter 17 – Risk Management
Integra Consult A/S Safety Assessment. Integra Consult A/S SAFETY ASSESSMENT Objective Objective –Demonstrate that an acceptable level of safety will.

Integra Consult A/S Safety Assessment. Integra Consult A/S SAFETY ASSESSMENT Objective Objective –Demonstrate that an acceptable level of safety will.
Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,

Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,
Frequencies Estimation Ricki M Mulia, ST. MSc. Unsafe Act Unsafe Condition HAZARD EXPOSURE Penyakit Akibat kerja RISK Kecelakaan kerja Higiene Industri.

Frequencies Estimation Ricki M Mulia, ST. MSc. Unsafe Act Unsafe Condition HAZARD EXPOSURE Penyakit Akibat kerja RISK Kecelakaan kerja Higiene Industri.
Risk Assessment What is RISK?  requires vulnerability  likelihood of successful attack  amount of potential damage Two approaches:  threat modeling.

Risk Assessment What is RISK?  requires vulnerability  likelihood of successful attack  amount of potential damage Two approaches:  threat modeling.
Introduction to Probabilities Farrokh Alemi, Ph.D. Saturday, February 21, 2004.

Introduction to Probabilities Farrokh Alemi, Ph.D. Saturday, February 21, 2004.
CST 481/598 Many thanks to Jeni Li.  Potential negative impact to an asset  Probability of a loss  A function of three variables  The probability.

CST 481/598 Many thanks to Jeni Li.  Potential negative impact to an asset  Probability of a loss  A function of three variables  The probability.
Probabilistic Risk Analysis Farrokh Alemi, Ph.D. April 12, 2004.

Probabilistic Risk Analysis Farrokh Alemi, Ph.D. April 12, 2004.
SWE Introduction to Software Engineering

SWE Introduction to Software Engineering
Title slide PIPELINE QRA SEMINAR. PIPELINE RISK ASSESSMENT INTRODUCTION TO RISK IDENTIFICATION 2.

Title slide PIPELINE QRA SEMINAR. PIPELINE RISK ASSESSMENT INTRODUCTION TO RISK IDENTIFICATION 2.
Title slide PIPELINE QRA SEMINAR. PIPELINE RISK ASSESSMENT INTRODUCTION TO GENERAL RISK MANAGEMENT 2.

Title slide PIPELINE QRA SEMINAR. PIPELINE RISK ASSESSMENT INTRODUCTION TO GENERAL RISK MANAGEMENT 2.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Quantitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Quantitative.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Annex I: Methods & Tools prepared by some members of the ICH Q9 EWG for example only; not an official policy/guidance July 2006, slide 1 ICH Q9 QUALITY.

Annex I: Methods & Tools prepared by some members of the ICH Q9 EWG for example only; not an official policy/guidance July 2006, slide 1 ICH Q9 QUALITY.
CIS 376 Bruce R. Maxim UM-Dearborn

CIS 376 Bruce R. Maxim UM-Dearborn
What is Fault Tree Analysis?

What is Fault Tree Analysis?
Basics of Fault Tree and Event Tree Analysis Supplement to Fire Hazard Assessment for Nuclear Engineering Professionals Icove and Ruggles (2011) Funded.

Basics of Fault Tree and Event Tree Analysis Supplement to Fire Hazard Assessment for Nuclear Engineering Professionals Icove and Ruggles (2011) Funded.
Application Threat Modeling Workshop

Application Threat Modeling Workshop
Discrete Probability Distributions

Discrete Probability Distributions
Software Project Management

Software Project Management

Similar presentations

Ads by Google