0:00

Welcome to Lesson 31. In this lesson, we're going to take a closer look at risk analysis. Risk analysis is an integral part of risk management which, as we saw, was an integral part of the four cybersecurity models we examined in Part 2 and Part 3. Risk management is the process of selecting and prioritizing countermeasures based upon cost-benefit analysis.

0:39

We saw how RAMCAP estimated risk as the product of estimates for consequence, threat, and vulnerability. Using RAMCAP, we estimated the risk reduction worth of each countermeasure, then calculated the corresponding return on investment by dividing risk by estimated cost. Cost-benefit analysis consisted of choosing the countermeasure that provided the highest calculated return on investment.

1:06

As we noted in Lesson 20, RAMCAP was developed by the American Society of Mechanical Engineers at the request of the White House shortly after 9/11. RAMCAP was specifically formulated to help assess risk across all infrastructure assets and sectors to help prioritize protective investments at the national level. Unfortunately, RAMCAP fell into obscurity shortly after it was introduced in the 2006 National Infrastructure Protection Plan. One of the reasons RAMCAP fell into disuse was that many believe there is no one size fits all when it comes to risk analysis. Indeed, there are an estimated 250 critical infrastructure risk methodologies, which begs the question: Why so many? The answer lies in the fact that each methodology is the result of a different set of tradeoffs. RAMCAP itself is uniquely distinguished by its own set of tradeoffs.

It begins with the question of completeness. Do you analyze the network or the nodes? In other words, do you also include interdependencies in your risk analysis? RAMCAP does not include interdependencies in its risk analysis. RAMCAP risk analysis focuses on the individual asset. Many researchers justifiably argue that risk analysis is incomplete without considering interdependencies. There are at least 30 models specializing in interdependency analysis. Interdependency models, though, must be highly detailed to yield reasonable results. Since assets are part of the network detail, they must be assessed at some level individually. Thus, it is reasonable to begin risk analysis with an asset, but understand, the analysis is incomplete without including the network.

2:54

In analyzing an asset, the next tradeoff is qualitative versus quantitative risk analysis. Qualitative risk analysis simplifies risk assessments by reducing inputs to a manageable set of judgements. The risk and vulnerability analysis method employed in Denmark provides one example of a qualitative approach. A general criticism of qualitative methods, though, is that the poor resolution of input data can lead to erroneous or misleading results. By comparison, quantitative methods promote confidence in results by reducing subjectivity.

3:31

RAMCAP chose a quantitative approach in order to attain higher confidence in the risk results compared to qualitative methods. The quantitative approach, however, is tempered by precision. Various methods are advocated to achieve a high level of precision in estimating risk, including Bayesian networks, conditional linear Gaussian networks, stochastic models, and other formal quantitative methods, with proven records of performance in diverse fields of engineering, finance, health care, and meteorology. What trips up these methods with critical infrastructure is the lack of data for statistical analysis of man-made catastrophic incidents. RAMCAP encourages precision at every step in the risk analysis process, but accepts that in the absence of complete data, precision is an unattainable goal.

4:30

In a similar manner, the absence of hard data has forced the adoption of informal means for estimating risk, compared to the previously cited formal means. Thus, RAMCAP estimates risk as the product of consequence, threat, and vulnerability. This approach is acceptable so long as the risk results can be made consistent across assets and sectors. RAMCAP achieves consistency by systematically applying the same risk formulation across assets and sectors. Consistency can be further improved by applying rigorous methods for estimating terms in the RAMCAP formulation.

5:10

Rigorous methods for estimating consequence, threat, and vulnerability values encompass various means of elicitation and modeling. The Delphi method is perhaps the best known rigorous system among elicitation methods. Fault trees, event trees, reliability block diagrams, and other causal analysis methods are well respected in reliability and safety engineering. Such rigorous methods, though, require substantial investments in time and resources, making them impractical for a large-scale application. Alternatively, RAMCAP employs a bounded system to elicit consequence, threat, and vulnerability values, based on a standard set of reference scenarios. These scenarios currently include 41 different natural and man-made hazards. Using these same reference scenarios also promotes interoperability by facilitating comparison of RAMCAP risk results across infrastructure assets and sectors. The ability to compare risk results, apples to apples, across assets and sectors perfectly suited the purpose for which RAMCAP was designed. Specifically, to make strategic decisions about national investments in critical infrastructure protection.

6:29

The point of this lesson, with respect to cybersecurity, is that infrastructure owners and operators may undergo a similar exercise to develop their own risk analysis methodology that's tailored to their own unique set of circumstances. Okay, let us review what we have learned here.

1, There is no absolute security; all security entails risk.

2, Risk analysis provides a means for assessing the cost-benefit return on security investments.

3, All risk formulations are a product of the tradeoffs chosen in making them.

4, When it comes to critical infrastructure, the first tradeoff is the choice of analyzing the network or the asset; no risk analysis is complete without considering the network.

5, Quantitative risk analysis offers more confidence in results compared to qualitative risk analysis, but at the expense of time.

6, The precision of a quantitative risk analysis is determined by the choice of absolute or relative values.

7, The accuracy of a quantitative risk analysis is determined by the choice of using formal or informal methods.

8, The consistency of results will be enhanced by taking a systematic versus an ad hoc approach to risk analysis.

9, The time needed to conduct a risk analysis will be reduced by taking a bounded approach versus a rigorous approach.

10, The ability to compare risk results across assets and sectors can only be achieved by using a homogenous versus heterogeneous set of conditions in the method formulation.

8:20

And 11, In the absence of specific recommendations for risk methodologies pertaining to cybersecurity models, owners and operators may develop their own methods tailored to their own unique circumstances.