Use of Decision Analysis in Security Risk Analysis
➤ Gửi thông báo lỗi ⚠️ Báo cáo tài liệu vi phạmNội dung chi tiết: Use of Decision Analysis in Security Risk Analysis
Use of Decision Analysis in Security Risk Analysis
Page 1Focused Risk AnalysisUse of Decision Analysis in Security Risk AnalysisVersion of Monday, November 07, 2005Farrokh Alemi, Ph.D.Jenny SinkuleThis Use of Decision Analysis in Security Risk Analysiss research was supported in parts by the National Capital Region Critical Infrastructure Project (NCR-CIP), a multi-university consortium managed by George Mason University, under grant S03-TU-03 by the U.S. Department of Homeland Security’s Urban Area Security Initiative, and grant #2003CKWX0199 by Use of Decision Analysis in Security Risk Analysis the U.S. Department of Justice’s Community Oriented Policing Services Program. The views expressed are those of the authors, and do not necessarily rUse of Decision Analysis in Security Risk Analysis
eflect those of the Dept, of Homeland Security or the Dept, of Justice.This chapter is based on Alemi F, Arya V, Sinkule JA. Sobczak p. Final Report oPage 1Focused Risk AnalysisUse of Decision Analysis in Security Risk AnalysisVersion of Monday, November 07, 2005Farrokh Alemi, Ph.D.Jenny SinkuleThis Use of Decision Analysis in Security Risk Analysis authors and at http!' eimston.doit.gmu.edwlKalthscietKt'RiskAnalysis'BestPraaiceierRisL^ssessiiKnt.dix Accessed on November 6, 2005.Page 2Focused Risk AnalysisIntroductionThese days, (here is a palpable frustration with risk analysis and vulnerability assessments as critics believe it has misdirect Use of Decision Analysis in Security Risk Analysised security and recovery efforts. Some think that these tools are misinforming us and causing an epidemic of fear.1 Organizations may misunderstand smUse of Decision Analysis in Security Risk Analysis
all probabilities of rare events and may seek remedies that cause more harm than the original threat? Many risk assessments rely on expert opinions asPage 1Focused Risk AnalysisUse of Decision Analysis in Security Risk AnalysisVersion of Monday, November 07, 2005Farrokh Alemi, Ph.D.Jenny SinkuleThis Use of Decision Analysis in Security Risk Analysiso the fallibility of human judgment. Psychological research has shown that we often exhibit selective memory bias for events which are personally relevant?'4'5 In addition, emotionally arousing events often cause individuals to recall the event with greater detail and specificity.67 Often, rare even Use of Decision Analysis in Security Risk Analysists are personally relevant to many, and are of an emotionally arousing nature. A hospital which is attacked by terrorists, killing hundreds of helplesUse of Decision Analysis in Security Risk Analysis
s patients is highly personally relevant to even those unaffected directly by the attack because such an event exposes everyone’s vulnerability. By thPage 1Focused Risk AnalysisUse of Decision Analysis in Security Risk AnalysisVersion of Monday, November 07, 2005Farrokh Alemi, Ph.D.Jenny SinkuleThis Use of Decision Analysis in Security Risk Analysisill cause such events to stick out in our minds and distort our understanding of the probability of the attack. Our memory of such events will be more salient and vivid than for other events. In sum. humans are bad at estimating the probability of events accurately.Other critics point out that the r Use of Decision Analysis in Security Risk Analysiseal problem is not miscommunication about the risk but faulty analysis leading to wrong priorities? Organizations may protect against long lists of seUse of Decision Analysis in Security Risk Analysis
curity threats that are not likely to happen and fail to safe guard prevalentPage 3Focused Risk Analysisrisks. For example, such reviews may pul an AnPage 1Focused Risk AnalysisUse of Decision Analysis in Security Risk AnalysisVersion of Monday, November 07, 2005Farrokh Alemi, Ph.D.Jenny SinkuleThis Use of Decision Analysis in Security Risk Analysiss priorities lor action and ranks potential threats.Let us Stan with a few obvious principles and assumptions. Risk analysis is no help when it recommends that all security steps are equally important and should be pursued. 10 be helpful, risk analysis must set priorities. 10 set priorities, it must Use of Decision Analysis in Security Risk Analysis have a process that could establish that risk of one event is higher than another. To understand differential risks, it must do so based on some objeUse of Decision Analysis in Security Risk Analysis
c live defensible fad - relying on consensus is not enough unless one can show that the consensus is based on actual events. This paper show's how accPage 1Focused Risk AnalysisUse of Decision Analysis in Security Risk AnalysisVersion of Monday, November 07, 2005Farrokh Alemi, Ph.D.Jenny SinkuleThis Use of Decision Analysis in Security Risk Analysisd objective analysis.We have heard of three possible objections to our recommended probabilistic and focused security risk analysis. First, that terrorism and major catastrophic events arc rare and therefore itis not possible to measure their frequency.10 Second that it is not practical to do so: pr Use of Decision Analysis in Security Risk Analysisobabilistic risk assessment is too time consuming and cumbersome. Finally, third that it should not be done because objective risk analysis focuses onUse of Decision Analysis in Security Risk Analysis
historical precedents and leaves organizations vulnerable to new and emerging ducats. These ar e important critic ism of probabilistic risk analysis Page 1Focused Risk AnalysisUse of Decision Analysis in Security Risk AnalysisVersion of Monday, November 07, 2005Farrokh Alemi, Ph.D.Jenny SinkuleThis Use of Decision Analysis in Security Risk Analysisve analysis, it may be done in shorter lime, even though it relies onObjections to probabilistic risk analysis:1Probability of rare events cannot be measured2Probabilistic analysis takes too long3Il misses new threatsPage 4Focused Risk Analysisobjective data. Second, we show that by using new probab Use of Decision Analysis in Security Risk Analysisility tools it is possible to estimate the chances of very rare events occurring. While these estimates are not precise to the last digit, they are acUse of Decision Analysis in Security Risk Analysis
curate in magnitude and provide a consistent method of tracking probabilities of many rare events. Furthermore, we show by way of examples, how the mePage 1Focused Risk AnalysisUse of Decision Analysis in Security Risk AnalysisVersion of Monday, November 07, 2005Farrokh Alemi, Ph.D.Jenny SinkuleThis Use of Decision Analysis in Security Risk Analysisns.DefinitionsBefore we proceed, it is important to define various terms. Risk analysis assesses the probability of an adverse outcome, in this case security violations. We include in this broad definition terrorism, cyber attacks, and physical attacks. Risk analysis is not the same as threat analys Use of Decision Analysis in Security Risk Analysisis, where die environment is scanned for credible attacks against the organization. Figure 1 shows the relationship between environmental threats, orgUse of Decision Analysis in Security Risk Analysis
anization vulnerabilities and security violations.Page 5Focused Risk AnalysisFigure 1: Threats, vulnerability and security violationsOrganization vulnPage 1Focused Risk AnalysisUse of Decision Analysis in Security Risk AnalysisVersion of Monday, November 07, 2005Farrokh Alemi, Ph.D.Jenny SinkuleThis Use of Decision Analysis in Security Risk Analysismationtechnology steps that organizations can take to reduce their vulnerability or mitigate the consequences of security violations. To conduct a vulnerability assessment, one needs to step back from actual security violations and ask for causes of security violations. When a security violation occ Use of Decision Analysis in Security Risk Analysisurs there are often multiple causes for it. For example, a hacker or a cyber terrorist might be able to gain access to the organization network througUse of Decision Analysis in Security Risk Analysis
h a disgruntled employee. Using our definition, penetration into the network is considered a security violation and the disgruntled employee as vulnerPage 1Focused Risk AnalysisUse of Decision Analysis in Security Risk AnalysisVersion of Monday, November 07, 2005Farrokh Alemi, Ph.D.Jenny SinkuleThis Use of Decision Analysis in Security Risk Analysisilities, and security controls.Page 1Focused Risk AnalysisUse of Decision Analysis in Security Risk AnalysisVersion of Monday, November 07, 2005Farrokh Alemi, Ph.D.Jenny SinkuleThisGọi ngay
Chat zalo
Facebook