Risk Analysis, Risk Assessment, Risk Management"Risk Analysis helps establish a good security posture; Risk Management keeps it that way"
- B. D. Jenkins (1998).
"If your entire Security Infrastructure is not sound your business could fail."
Why does it often require a unique situation to make the risk clear? Could we possibly consider all threats?
Risk Management Holds the Key to Security and Trust: In a Nutshell, Riskohåndtering er nøkkelen til sikkerhet og tillit
Security Risk Analysis holds the key: A security policy framework is necessary to support the security infrastructure required for the secure movement of sensitive information across and within national boundaries. To ensure the secure operation of this kind of infrastructure, it is necessary to have some well-founded practice for the identification of security risks (as well as the application of appropriate controls to manage risks). This practice can be formalised and (semi)-automated by the use of formal methods and tools which increase the reliability of the system specification (and therefore users' confidence in it). This is important since the security of a system is largely dependent upon the accuracy of its specification. To be truly beneficial, the risk analysis framework must be granular enough to produce a customisable roadmap of which problems exist, and to rank them in order of severity, which facilitates making decisions about which ones to deal with first. CORAS (A Platform for Risk Analysis of Security-critical Systems) is an EU/IST project within the 5th framework programme, the basic idea for which was proposed and initiated by the author in an attempt to meet the requirements mentioned above, among others. Its main objective is to develop a practical (the word practical emphasised) framework for a precise, unambiguous and efficient risk analysis, by exploiting the synthesis of risk analysis methods with object-oriented modelling, (semi-)formal methods and tools, in order to improve the security risk analysis and security policy implementation of security-critical systems. Since the critical infrastructures of, for example, medical services, banking and finance, gas and electricity industries, transportation, water, and telecommunications are making use of the public Internet for communication, not least for the exchange of business, administrative and research information, it must be our aim to make these critical infrastructures totally secure and unassailable.
There are already in existence standards for the management of information security, which are commonly accepted and publicly available specifications:
Risk Analysis, Assessment, Management, based on  AS/NZS 4360:1999 and  NS 5814
Risk Analysis Methodologies
- Risk Analysis : A systematic use of available information to determine how often specified events may occur and the magnitude of their consequences. Risk Analysis : A systematic approach for describing and/or calculating risk. Risk analysis involves the identification of undesired events, and the causes and consequences of these events.
- Risk Assessment : The overall process of risk analysis and risk evaluation
- Risk Management : The culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects.
- Risk Management Process : The systematic application of management policies, procedures and practices to the tasks of establishing the context, identifying, analysing, evaluating, treating, monitoring and communicating risk.
- Risk Evaluation : The process used to determine risk management priorities by comparing the level of risk against predetermined standards, target risk levels or other criteria. Risk Evaluation : A comparison of the results of a risk analysis with the acceptance criteria for risk and other decision criteria.
- FMECA (Failure Modes, Effects and Criticality Analysis)
- FMEA (Failure Mode and Effect Analysis)
- IEC 60812 (FMEA Analysis techniques for system reliability)
- SAE ARP 5580 (FMEA Practices for Non-Automobile Applications)
- SAE J1739 (Design FMEA, Process FMEA and Machinery FMEA)
- FTA (Fault Tree Analysis)
- IEC 61025 (Fault Tree Analysis)
- NUREG-0492 (Fault Tree Handbook)
- NASA (Fault Tree Handbook - Aerospace Applications)
- HAZOP (HAzard and Operability Analysis)
- CCA (Cause Consequence Analysis)
- MORT (Management Oversight Risk Tree)
- SMORT (Safety Management Organization Review Technique)
- Risk Analysis Bibliographies by Tan Hiap Keong
- Security/Survivability Systems Analysis (S/SSA)
- CEA - Cost-Effectiveness Analysis in Emergency Medicine, Computer, and more by Zui-Shen Yen , and
Primer on Cost-Effectiveness Analysis: Effective Clinical Practice
- Cost Benefit Analysis
- Introduction to Cost-Benefit Analysis
- Cost Benefit Analysis Method (CBAM)
- BCA - Benefit-Cost-Analysis for the use of Intelligent Transportation Technology
- CPR Perspective: Cost-benefit Analysis
- Cost/Benefit Analysis- Decision Making from Mind Tools
- SQUARE Project: Cost/Benefit Analysis Framework for Information Security Improvement Projects
in Small Companies
- OMNI (Organising Medical Networked Information) Cost-Benefit Analysis
- Cost-Benefit Handbook
- Australian Government - Cost-Benefit Analysis
- RCBA - Risk-Cost-Benefit Assessment
As is frequently pointed out RCBA has certain limitations when it comes to managing technological risk. And these limitations are primarily due to the participation of humans in the processes, which makes them prone to human error, and limited by our limited ability to identify a comprehensive list of all potential risk factors, to determine cause-effect relationships, to deal with problems of complexity and coupling, to handle the uncertainties of modeling a complex system, etc. These limitations can to a certain extent be dealt with adapting a holistic approach to managing risks, an approach that takes into account legal, societal, technological, organizational, environmental and human factors. For RCBA to be effective its approach should be holistic and multidisciplinary. As an example, "the role of the law in technological security is that it sets security standards, formulates security requirements, and itself constitutes a security measure by supporting other security measures, thus influencing technology and technological developments, which in turn influence human behavior within society, which in its turn influences legislation and legal practice".
- RISK: Risk Assessment, Risk Communication, and Risk Management: Disaster Central
Adaptive Risk Management
Risk Management: The purpose of risk management is to
change the future, not to explain the past - Dan Borge
Risk Management Maturity: Adaptive Risk Management is the Next Generation Model
Adaptive Risk Assessment Modeling System (ARAMS)
Adaptive Risk Management by Prof. Mihaela Ulieru, The University of New Brunswick, also ARM - Adaptive Risk Management Platform for Emergency Response Operations, Adaptive Risk Management for Networked Critical Infrastructure
An adaptive risk management system is a system which is capable to learn, adapt, prevent, identify and respond to new/unknown threats in critical time much like biological organisms adapt and respond to threats in their struggle for survival. It essentially incorporates the characteristics and properties of genetic, holonic, AI, complex adaptive theory, and others, whose combination has a supra-additive synergistic effect.
"Genetic algorithms are algorithms that work via the process of natural selection. They begin with a sample set of potential solutions which then evolves toward a set of more optimal solutions. Within the sample set, solutions that are poor tend to die out while better solutions mate and propagate their advantageous traits, thus introducing more solutions into the set that boast greater potential", for a brief introduction to genetic alogrithms see JGAP and Moshe Sipper
A holon is a self-similar or fractal structure that is stable, coherent and that consists of several holons as sub-structures and is itself a part of a greater whole (for more info see Adaptive Risk Holarchy, Concepts for Holonic Manufacturing, Holonic Solutions, Holonic Software Development, Holonic Multiagent Systems, etc.)
Artificial Neural Networks (ANNs) have been developed as a mathematical modelling of a human cognition system based on our knowledge about how biological neural cells (neurons) function in the brain. ANNs can be described either as mathematical and computational models for non-linear function approximation, data classification, clustering and non-parametric regression or as simulations of the behavior of collections of model biological neurons. ANNs can be used in a variety of powerful ways: to learn and reproduce rules or operations from given examples; to analyze and generalize from sample facts and make predictions from these; or to memorize characteristics and features of given data and to match or make associations from new data to the old data. ANNs can be seen as an adaptive system that is able to learn from the data that flows through the network and change its response according to it. For more information on ANN see Neural Computation: The Nature of Learning, Memory and Plasticity in an artificial neural network or Artificial neural network
"Several Artificial Intelligence (AI) techniques have found applications in the field of risk management. Neural networks and fuzzy modeling are two system paradigms that lie at extreme poles of artificial intelligence system modeling. Neural networks can be viewed as 'black boxes' in which the process is unknown but there are many examples or observations. Fuzzy models, on the other hand can be viewed as 'white boxes' in which structured human knowledge is used to model the system and no data is required.
Most of the real world problems, however, typically present a 'grey box' situation, where there are some observations and some structured human knowledge. A new technique called neuro-fuzzy modeling, which incorporates neural network learning concepts into fuzzy inference systems, forms a pivotal technique in what is today known as soft computing. A notable contribution was the development of the adaptive neuro fuzzy inference system (ANFIS) and its generalized version, CANFIS exploiting the equivalence of radial basis function networks (RBFNs) from neural network theory and various fuzzy inference system (FIS) models, to provide a performance superior to that of conventional neural networks and Fuzzy Inference systems." - Radha Arur, Polaris Software - 21 Feb 2006
Three major characteristics of complex adaptive systems can be distinguished:
- active monitoring ensuring the organization's sensitivity to detect risk,
- agility ensuring its flexibility to respond to risk, and
- adaptive learning ensuring the capability of the organization's resources to mitigate risk.
Yet, according to WOLFASI the conceptual components of a general adaptive security infrastructure are Detector, Analyser, and Responder:
- The Detector senses, collects, and distributes information about the security environment
- The Analyzer processes Detector data, along with other information (e.g. security policy, threat levels, or node trust levels) and occasionally proposes actions to bring about a new stage
- The Responder executes the actions as directed by the Analyzer. These actions could include adjusting preventive mechanisms, adjusting detector settings, adjusting internal systems parameters, etc.
A European website presents science research and multimedia on health, food and risks
This European website specialises in presenting multimedia content on public funded European research in the areas of Health, Genomics and Food Safety. In addition, information and arguments on relevant risk issues are covered. The science subjects are treated in easy to understand modules for educators, students, interested public and film producers.
EUSEM is funded through the sixth Framework Programme of the European Commission
Risk Analysis Tools/Products
- The Australian Standard 4360 Risk management portal
- List of Risk Analysis, Assessment and Management Tools
- Isograph Direct Reliability, Availability, Maintainability, Safety Analysis Software
- Risk Analysis and Management System (RAMS)
- Toolkit for RAMS from IsographDirect
- FIDUCIA - Modelling Risk in Interoperable Public Key Infrastructures
- CORA - Cost-of-Risk-Analysis System
- BayesEngineTM Technology
- Introduction to Security Risk Analysis and the COBRA Approach
- Reliability, Availability, Maintainability and Safety Solutions from Reliability Software
- Reliability, Availability and Maintainability Software Tools from ITEM
- eRisk Managemet Model from mi2g
- List of Risk Analysis Books from Palisade
- Risk Analysis, Monte Carlo Simulation, Forcasting, Optimization - from Crystal Ball
- Callio Technologies offers ISO 17799 BS7799 Security Policies Software Tools and Expertise
- Tufin SecureTrack - Firewall Policy Auditing, Tracking and Compliance
- Proteus Enterprise Integrated Compliance and Information Risk Management Software - From InfoGov
- ASSET (Automated Security Self-Evaluation Tool) from NIST
- OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) from SEI
- Risk Management Software Tools
Risk Analysis and Related Links
- Norwegian Directorate for Civil Defence and Emergency Planning (DCDEP): Risk Management
- Norwegian: NORSOK STANDARD Z-013 RISK AND EMERGENCY PREPAREDNESS ANALYSIS
- Statistical Analysis of Risk at NR
- Crisis and Risk Network (CRN)
- RiskIT: Risk IT Framework for Management of IT Related Business Risks
- Best Practice SQA, Auditing and Reviews
- Risks of Cyber Attack to Supervisory Control and Data Acquisition for Water Supply
- The Security Search Engine
- Federal Information Processing Standards Publications
- Risk Management Guide for Information Technology Systems: Recommendations of the National Institute of Standards and Technology
- Information Security on the Internet: Internet Risks
- Information Security and Computer Crime
- Crime Resources - Crime Related News, Books and Web Resources.
- eRisks.com: Risk Wisdom
- Quantitative Risk Assessment(QRA)
- PHA - Process Hazard Analysis News
- Quantitative Risk Assessment(QRA) News
- Global Association of Risk Professionals
- Risk Assessment & Policy Association
- Risk Assessment Information System Page
- SRA/Glossary of Risk Analysis Terms
- Risk Glossaries
- RiskWorld: risk-related news, events, societies, etc.
- A Guide to Security Risk Management for Information Technology Systems (MG-2)
- Reliability, Availability, Maintainability and Safety Solutions from Reliability Software
- Infrastructure Vulnerabilities and Critical Infrastructure Protection (CIP)
- Articles / White Papers on Risk Analysis - from Crystal Ball
- Nonprofit Risk Management Center - A source for tools, advice and training to control risk..
- RIMS - Risk and Insurance Management Society, Inc.
- PRMIA - News and Risk Management Links
- NZSIT - The New Zealand Security of Information Technology Publications
- PROVENTION Consortium
- Hazard Risk Management: Useful Links
- Social Risk Management
- Risk Management Forum
- Vulnerability Assessment Techniques and Applications (VATA)
- USDA: Risk Assessment
- Paula D. Gordon's Homeland Security Website with the extensive List of Selected Homeland Security References and Resources
- Norwegian Research Center for Computers and Law
- National Center for the Study of
Counter Terrorism & CyberCrime at Norwich University
- Eastern Michigan University: Center for Regional and National Security
- Defense Security Services (DSS)
- Cyber Security: A Crisis of Prioritization, Report to the President, February 2005
- Digital Evidence Research Programme from BIICL (British Institute of International and Comparative Law)
- NIFS (National Institute of Forensic Science): Serving the forensic science community
- Risk Modeling - King's College, University of London
- Adaptive Risk Management Laboratory - Prof. Mihaela Ulieru, PhD, The University of New Brunswick
- Peter G. Neumann's RISKS and Inside Risks, Computer-Related Risks, The Book
- Invest Sign - project management software
- CN&S' Network Security Risk Management, and Computer-Assisted Digital Investigation and Golbal Intrusion Detection Systems
- Project Risk Management Related Links
- The Risks Digest
Carlo Method Risk Analysis
on Risk Analysis, Assessment, Management
Open Source Risk Management Tools
I proffer my sincere apologies for linking to most of the sites above prior to asking permission,
in the event of inconvenience having been caused!