Unit Outline Quantitative Risk Analysis - PowerPoint PPT Presentation

Provided by: Alb55
Learn more at: http://www.albany.edu
1
Unit Outline: Quantitative Risk Analysis
  • Module 1 Quantitative Risk Analysis and ALE
  • Module 2 Case Study
  • Module 3 Cost Benefit Analysis and Regression
    Testing (current module)
  • Module 4 Modeling Uncertainties
  • Module 5 Summary

2
Module 3: Cost Benefit Analysis and Regression
Testing
3
Cost Benefit Analysis: Learning Objectives
  • Students should be able to:
  • Understand how to use matrices for cost benefit
    analysis.
  • Calculate risk leverage.
  • Comprehend how regression testing is used.

4
Cost Benefit Analysis: Matrix Cost Benefit Analysis
  • The exposure before controls is equal to the
    summation of the aggregate values for impact
    value x threat value (Vulnerability/Threat
    Matrix). In this case, the value is equal to
    1,617,234.13.
  • The exposure after controls is equal to the sum
    of all of the multiplied threat importance
    values.
  • For example, in the Hardware Failure column, we
    will take each of the threat importance values
    and subtract them each from 1. These values
    should be multiplied together (Threat/Control
    Matrix).
  • This will give us (1 - .10) x (1 - .10) x (1 -
    .70) x (1 - .20) = 0.1944
  • This value will be multiplied by the threat
    importance value:
  • 0.1944 x 10907.90 = 2120.48
    (cost with controls of Hardware Failure)
  • Do this for all threat columns and then sum
    all the values. This value is equal to
    33,780.67.

5
Cost Benefit Analysis: Matrix Example
  • We are using this equation to calculate cost:
  • Ci = Csi + Cri x t
  • Where Ci is the total cost of control i.
  • Csi is the static (one-time) cost of the control.
  • Cri is the additional cost per day (maintenance,
    updates, etc.) for the control.
  • t is equal to time (if calculating for a year,
    would equal 365).
  • We show how to compute the costs of the controls
    for example cases.
  • Spare Laptops: 2,500 x 200 = 500,000
  • Warranties (3 year): 100 x 4,000 (laptops and
    desktops) + 1000 x 10 (regional servers) +
    1,200 (HQ Server) = 411,200
  • Physical Controls: 50,000
  • Security Policy (creation, implementation,
    enforcement): 640 x 365 = 233,600
  • It is left to the user to accurately compute the
    cost of the controls and then compare the
    exposure with and without controls.

6
Cost Benefit Analysis: Risk Leverage
  • Costs are associated with both:
  • Potential Risk Impact
  • Reducing Risk Impact
  • Risk Leverage is the difference in risk exposure
    divided by the cost of reducing the risk.
  • Let
  • rf be the risk exposure after imposing controls
  • ri be the risk exposure prior to imposing
    controls
  • c be the cost of controls
  • Leverage l = (ri - rf)/c
  • This tells you how many times the reduction in
    risk exposure is greater than the cost of
    controls.

7
Cost Benefit Analysis: Example 4 Unauthorized
Access
  • Scenario: A company uses a common carrier to link
    to a network for certain computing applications.
    The company has identified the risks of
    unauthorized access to data and computing
    facilities through the network. These risks can
    be eliminated by replacement of remote network
    access with the requirement to access the system
    only from a machine operated on the company
    premises. The machine is not owned; a new one
    would have to be acquired.

8
Cost Benefit Analysis: Example 4 Unauthorized
Access
Cost/Benefit Analysis for Replacing Network Access

| Item | Amount |
|---|---|
| Risk: unauthorized access and use | |
| Access to unauthorized data and programs: 100,000 @ 2% likelihood per year | 2,000 |
| Unauthorized use of computing facilities: 10,000 @ 40% likelihood per year | 4,000 |
| Expected annual loss (2,000 + 4,000) | 6,000 |
| Effectiveness of network control: 100% | -6,000 |

9
Cost Benefit Analysis: Example 4 Unauthorized
Access

| Item | Amount |
|---|---|
| Network control cost | |
| Hardware (50,000 amortized over 5 years) | 10,000 |
| Software (20,000 amortized over 5 years) | 4,000 |
| Support personnel (each year) | 40,000 |
| Annual cost | 54,000 |
| Expected annual loss (6,000 - 6,000 + 54,000) | 54,000 |
| Savings (6,000 - 54,000) | -48,000 |

10
Regression Testing: Example 5 Graphical Cost
Benefit Analysis
  • Scenario: This is a case where use of regression
    testing is being considered after making an
    upgrade to fix a security flaw. We want to
    determine if regression testing is economical in
    this scenario.
  • Regression Testing means applying tests to verify
    that all remaining functions are unaffected by
    the change.
  • Let's refer to the diagram on the following slide
    to compare the risk impact of doing regression
    testing with not doing it.
  • Upper part of the diagram:
  • shows the risk of conducting regression testing
  • Lower part of the diagram:
  • shows the risks of not doing regression testing

11

Regression Testing: Example 5 Cost Savings
  • In the two cases, one of three things can happen
    if regression is done:
  • We find a critical fault.
  • We miss finding the critical fault.
  • There are no critical faults to be found.
  • For each possibility:
  • Calculate the probability of an unwanted outcome,
    P(UO).
  • Associate a loss with that unwanted outcome,
    L(UO).

12
Regression Testing: Example 5 Calculation
In our example, if we do regression testing and
miss a critical fault in the system (a
probability of 0.05), the loss could be 30
million. Multiplying the two, we find the risk
exposure for that strategy to be 1.5 million. As
the calculations in the figure prove, it is much
safer to do regression testing than to skip it.
[Figure: Combined Risk Exposure]
13
Cost Benefit Analysis: Assignment
  • Do a cost benefit analysis based on the matrix
    that you have created for your own organization.

14
Cost Benefit Analysis and Regression Testing: Summary
  • Cost Benefit Analysis is useful in determining
    whether the cost of controls is actually
    beneficial, in terms of return or savings,
    compared with the losses incurred by the risks
    they are meant to mitigate.
  • Cost Benefit Analysis
  • Leverage = (risk exposure before reduction -
    risk exposure after reduction) / cost of
    reduction
  • Regression Testing
  • Used for comparing risk impact

15
Cost Benefit Analysis: Matrix Example
  • Leverage l = (ri - rf)/c
  • ri = 251,037.60 x 365 = 91,628,724
  • rf = 15,851.19 x 365 = 5,785,684.35
  • c = 30,864,796
  • (251,037 - 15,851.19) / 30,864,796 = .008
  • (91,628,724 - 5,785,684.35) / 30,864,796 = 2.78
  • The reduction in risk exposure is almost 3x
    greater than the cost of controls.
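
The matrix calculation, the control cost equation Ci = Csi + Cri x t and the leverage formula from the slides above, combined in an added example that is not part of the original presentation. It goes one step beyond the slides by also ranking each control by the leverage it contributes on its own. Only the Hardware Failure column values come from the slides; the "theft" column, the assignment of effectiveness values to named controls, and all costs are constructed assumptions.

```python
from math import prod

# Constructed sample matrix; threat values are treated as annual exposure.
# Only the "hardware failure" column (10907.90; .10, .10, .70, .20) is from
# the slides. The "theft" column, the pairing and all costs are assumptions.
THREATS = {"hardware failure": 10907.90, "theft": 8000.00}
CONTROLS = {  # name: (Cs static cost, Cr cost per day, {threat: effectiveness})
    "spare laptops": (500.0, 0.0, {"hardware failure": 0.10}),
    "warranties": (400.0, 0.0, {"hardware failure": 0.10}),
    "physical controls": (1000.0, 2.0, {"hardware failure": 0.70, "theft": 0.50}),
    "security policy": (0.0, 4.0, {"hardware failure": 0.20, "theft": 0.25}),
}

def control_cost(name, days=365):
    """Ci = Csi + Cri x t, with t in days."""
    static, per_day, _ = CONTROLS[name]
    return static + per_day * days

def exposure(active):
    """Sum over threats of value x product of (1 - e) for the active controls."""
    total = 0.0
    for threat, value in THREATS.items():
        effs = [CONTROLS[c][2].get(threat, 0.0) for c in active]
        if any(not 0.0 <= e <= 1.0 for e in effs):
            raise ValueError("effectiveness must lie in [0, 1]")
        total += value * prod(1.0 - e for e in effs)
    return total

def leverage(ri, rf, cost):
    """l = (ri - rf) / c; below 1 the control costs more than it saves."""
    if cost <= 0:
        raise ValueError("cost of controls must be positive")
    return (ri - rf) / cost

def marginal_leverage(days=365):
    """Leverage each control adds on top of all the others, highest first."""
    everything = set(CONTROLS)
    rf = exposure(everything)
    return sorted(((leverage(exposure(everything - {c}), rf, control_cost(c, days)), c)
                   for c in CONTROLS), reverse=True)

if __name__ == "__main__":
    ri, rf = exposure([]), exposure(CONTROLS)
    cost = sum(control_cost(c) for c in CONTROLS)
    print(f"before {ri:,.2f}  after {rf:,.2f}  cost {cost:,.2f}")
    print(f"overall leverage {leverage(ri, rf, cost):.2f}")
    for lev, name in marginal_leverage():
        print(f"  {lev:5.2f}  {name}")
```

On this sample the overall leverage is above 3 while two of the four controls have a marginal leverage below 1, which the aggregate figure alone does not reveal. The unrounded Hardware Failure product is 2,120.50, where the slide shows 2120.48.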