Risk Analysis and the Security Survey 3rd edition Chapter 3 Risk Measurement


Page 1: Risk Analysis and the Security Survey  3rd edition

Risk Analysis and the Security Survey 3rd edition

Chapter 3

Risk Measurement

Page 2

Risk Measurement

Introduction

• Risk measurement is used later to determine the cost of an unfavorable event;

• Aids in predicting how often an event may occur in a given time period;

• Two necessities:

– A quantitative means to express cost;

– A logical expression of frequency of occurrence;

• The year is the most logical time period because of budget cycles.

Page 3

Cost Valuation & Frequency of Occurrence

• It is unnecessary to make precise statements of impact and probability; an order-of-magnitude estimate is enough for ranking and budgeting;

• Impact and frequency are therefore simplified into factors of 10 (each rating step is ten times the previous one);

Page 4

Cost Valuation & Frequency of Occurrence

• If the cost valuation (impact) of the event is:

$10, let i = 1

$100, let i = 2

$1,000, let i = 3

$10,000, let i = 4

$100,000, let i = 5

$1,000,000, let i = 6

$10,000,000, let i = 7

$100,000,000, let i = 8.

Page 5

Cost Valuation & Frequency of Occurrence

• If the estimated frequency of occurrence is:

Once in 300 years, let f = 1

Once in 30 years, let f = 2

Once in 3 years, let f = 3

Once in 100 days, let f = 4

Once in 10 days, let f = 5

Once per day, let f = 6

10 times per day, let f = 7

100 times per day, let f = 8.

Page 6

Cost Valuation & Frequency of Occurrence

Annual loss expectancy (ALE) is the product of impact and frequency. When using the values of f and i derived from the conversion tables, you can approximate the value of ALE by the formula:

Page 7

Cost Valuation & Frequency of Occurrence

ALE = 10^(f + i − 3) / 3

• i = cost valuation (impact), from i = 1 for a $10 loss to i = 8 for a $100,000,000 loss;

• f = frequency of occurrence, from f = 1 for once in 300 years to f = 8 for 100 times per day.
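Where the formula comes from, as an added derivation that is not on the original slides, using only the two conversion tables above. An impact rating i stands for a loss of $10^i$ dollars, and a frequency rating f stands for $10^{f-3}/3$ events per year (f = 1 is 1/300 per year; f = 6 is 1000/3 ≈ 333 per year, which the table calls "once per day"):

$$\text{impact} = 10^{i}, \qquad \text{frequency} = \frac{10^{\,f-3}}{3}\ \text{per year}$$

$$\text{ALE} = \text{impact} \times \text{frequency} = 10^{i} \cdot \frac{10^{\,f-3}}{3} = \frac{10^{\,f+i-3}}{3}$$

Check with f = 3, i = 3: $10^{3}/3 \approx \$333$ per year, which is a $1,000 loss once every three years. The day-based ratings are where the approximation is loosest: f = 6 is treated as 333 events per year although "once per day" is 365, so the formula understates daily events by about 9%.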

Page 8

Cost Valuation & Frequency of Occurrence

• Alternate method:
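The following is an added example, not code from the slides or the book: it implements the two conversion tables and the formula ALE = 10^(f+i−3)/3 as Python functions, and computes the exact product of loss and annual frequency alongside the rating-based estimate so the rounding and the 1–8 cap of the rating scheme are visible. The function names and the scenarios in the `__main__` block are this example's own assumptions.

```python
"""Added example: ALE from order-of-magnitude ratings (not the slides' code).

Implements the impact (i) and frequency (f) conversion tables and the formula
ALE = 10^(f+i-3)/3, then compares the result with the exact product of loss
and annual frequency so the error introduced by rounding to ratings is visible.
"""
import math

RATING_MIN, RATING_MAX = 1, 8   # both tables run from rating 1 to rating 8
DAYS_PER_YEAR = 365.0


def impact_rating(loss_dollars: float) -> int:
    """Map a dollar loss to the table rating i: $10 -> 1 ... $100,000,000 -> 8.

    Ratings are powers of ten, so the nearest rating is the rounded log10;
    the break between two ratings is geometric (about $3,162 between the
    $1,000 and $10,000 ratings), not the arithmetic midpoint. Losses beyond
    the table are clamped to 8, which silently understates very large events.
    """
    if loss_dollars <= 0:
        raise ValueError("loss must be a positive dollar amount")
    i = round(math.log10(loss_dollars))
    return max(RATING_MIN, min(RATING_MAX, i))


def frequency_rating(per_year: float) -> int:
    """Map an annual frequency to the table rating f.

    f = 1 is once in 300 years (1/300 per year) and each step is a factor of
    ten, so f = 1 + round(log10(300 * per_year)). 'Once per day' (365/year)
    lands on f = 6 because log10(300 * 365) = 5.04.
    """
    if per_year <= 0:
        raise ValueError("frequency must be positive")
    f = 1 + round(math.log10(300.0 * per_year))
    return max(RATING_MIN, min(RATING_MAX, f))


def ale_from_ratings(f: int, i: int) -> float:
    """The slides' approximation: ALE = 10^(f + i - 3) / 3."""
    if not (RATING_MIN <= f <= RATING_MAX and RATING_MIN <= i <= RATING_MAX):
        raise ValueError("ratings must be between 1 and 8")
    return 10 ** (f + i - 3) / 3


def ale_exact(loss_dollars: float, per_year: float) -> float:
    """Exact annual loss expectancy: single-event loss times events per year."""
    return loss_dollars * per_year


def ale_estimate(loss_dollars: float, per_year: float) -> float:
    """Round both inputs to table ratings, then apply the formula."""
    return ale_from_ratings(frequency_rating(per_year), impact_rating(loss_dollars))


def estimate_error(loss_dollars: float, per_year: float) -> float:
    """Ratio estimate / exact; 1.0 means the rating scheme lost nothing."""
    return ale_estimate(loss_dollars, per_year) / ale_exact(loss_dollars, per_year)


if __name__ == "__main__":
    # Constructed scenarios for illustration; the figures are not from the slides.
    scenarios = [
        ("laptop theft, $1,000 once in 3 years", 1_000.0, 1 / 3),
        ("phishing cleanup, $10 once per day", 10.0, DAYS_PER_YEAR),
        ("data-centre fire, $10M once in 30 years", 10_000_000.0, 1 / 30),
        ("off-scale: $5B once in 300 years", 5e9, 1 / 300),
    ]
    for name, loss, freq in scenarios:
        print(f"{name}: i={impact_rating(loss)} f={frequency_rating(freq)} "
              f"ALE~${ale_estimate(loss, freq):,.0f} "
              f"exact ${ale_exact(loss, freq):,.0f} "
              f"ratio {estimate_error(loss, freq):.2f}")
```

The last scenario is the practical caveat: a $5 billion loss clamps to i = 8 and the estimate comes out at roughly 2% of the exact figure, so any event that falls off the end of either table must be costed directly rather than through the ratings.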

Page 9

Cost Valuation & Frequency of Occurrence

• Commonality of events:

– Access;

– Natural disasters;

– Environmental hazards;

– Facility housing;

– Work environment;

– Value.

Page 10

Principles of Probability

• Risk is the possible happening of an undesirable event;

• An event is a definable occurrence, described in two ways:

– In terms of the damage it will present;

– In terms of the probability of its occurrence.

Page 11

Principles of Probability

• A risk is described in terms of its potential occurrence and its capacity for potential loss.

• Probability is the study of the possibility of occurrence.

• Probability is based on philosophical proofs:

– Derived in 1792 by the Marquis de Laplace;

– Not based on mathematical proofs;

– Ten principles:

Page 12

Probability, Risk, and Security

• The goal of security design is to decrease the ratio of unfavorable events to total events.

• Similar events in different locations: add the ratios of favorable cases where the probabilities are different.

• Two events that have no relation to each other are considered to be independent, and the probability that both occur is the product of their separate probabilities (principle 3).

Page 13

Probability, Risk, and Security

– Examples:

• Lightning striking twice;

• Security penetration and simultaneous security system failure.

• Principle 4 expresses the relation between dependent events: the probability of the first event is multiplied by the probability of the second event given that the first has occurred.

– Example: Breaking and entering followed by theft, to produce a burglary.

Page 14

Probability, Risk, and Security

• Past events do not affect future events (principle 5).

– It cannot be assumed that a security breach will not occur again;

– Probabilities of events are not guarantees.

• Principle 6 describes the relation between an observed event and its possible causes (the probability of each cause, given the event).

– Example: Circumstantial evidence.
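An added example, not from the slides or the book, putting principles 3, 4 and 5 into code: independent events multiply, dependent events multiply the first probability by the conditional probability of the next, and because successive periods are independent of each other a breach-free past does not lower next year's probability, so the chance of at least one occurrence grows with the planning horizon. It also generalises the penetration-plus-system-failure example to several layered controls. The function names and every probability in the `__main__` block are this example's own constructed figures.

```python
"""Added example: joint probabilities under Laplace's principles 3-5
(illustration only; the functions and figures are not from the slides)."""
from math import prod


def _check(p: float) -> float:
    """A probability must lie in [0, 1]; reject anything else early."""
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"probability out of range: {p}")
    return p


def p_all_independent(probs) -> float:
    """Principle 3: for unrelated events, P(A and B and ...) = P(A) * P(B) * ..."""
    return prod(_check(p) for p in probs)


def p_chain(p_first: float, conditionals) -> float:
    """Principle 4: P(A and B) = P(A) * P(B | A), extended along a chain:
    P(A1 and ... and An) = P(A1) * P(A2 | A1) * P(A3 | A1, A2) * ..."""
    return _check(p_first) * prod(_check(p) for p in conditionals)


def p_any_independent(probs) -> float:
    """At least one of several independent events: 1 - P(none of them happens)."""
    return 1.0 - prod(1.0 - _check(p) for p in probs)


def p_at_least_once(p_per_period: float, periods: int) -> float:
    """Principle 5: periods are independent, so P(at least one in n periods)
    = 1 - (1 - p)^n. A quiet past does not reduce p for the next period."""
    if periods < 0:
        raise ValueError("periods must be non-negative")
    return 1.0 - (1.0 - _check(p_per_period)) ** periods


if __name__ == "__main__":
    # Constructed figures, for illustration only.
    p_penetration = 0.20          # a penetration attempt succeeds in a given year
    p_alarm_fails = 0.05          # the alarm system is down at a random moment
    # Principle 3: treated as unrelated, both at once is rare ...
    independent = p_all_independent([p_penetration, p_alarm_fails])
    # ... but if the intruder can disable the alarm first, the second event
    # depends on the first (principle 4) and the joint probability is far larger.
    p_alarm_fails_given_intruder = 0.50
    dependent = p_chain(p_penetration, [p_alarm_fails_given_intruder])
    print(f"penetration AND alarm failure: independent {independent:.3f}, "
          f"attacker-induced {dependent:.3f}")

    # Burglary = breaking and entering (10%), then theft given entry (80%).
    print(f"burglary: {p_chain(0.10, [0.80]):.3f}")

    # Three layered controls that each fail independently 10% of the time:
    # the attack succeeds only if all three fail.
    print(f"all three controls fail: {p_all_independent([0.1, 0.1, 0.1]):.4f}, "
          f"at least one works: {p_any_independent([0.9, 0.9, 0.9]):.4f}")

    # 10% annual chance of a breach: over a 10-year horizon it is more likely than not.
    print(f"breach within 10 years: {p_at_least_once(0.10, 10):.3f}")
```

The first scenario is the caveat a reviewer should look for in any survey: multiplying two probabilities as if independent is only valid when neither party can influence the other, and an attacker who can cause the "simultaneous system failure" turns a 1% joint probability into a 10% one.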

Page 15

Probability, Risk, and Security

• Principle 7 involves the basis of confidence limits.

• Mathematical hope relates the potential gain to the probability of obtaining the gain (principle 8).

– Allows the utility of a procedure to be expressed in monetary and probabilistic terms.

Page 16

Probability, Risk, and Security

• Principle 9 allows for the fact that any solution to a problem introduces risk (i.e., it may fail).

• Principle 10 relates the amount and potential of risk to the wealth of the protected entity. – Solution could be to do nothing.

Page 17

Estimating Frequency of Occurrence

• Loss expectancy can be projected with a satisfactory degree of confidence.

– There must be a sufficiently large database of past events, or the projection becomes an educated guess.