Saturday, 22 December 2007

Monte Carlo method (in risk analysis)

The Monte Carlo method can also aid in other risk methodologies such as Time-based analysis (Curtis, et al 2001). It further allows the determination of the range of possible outcomes and delivers a normalised distribution of probabilities for likelihood.

Combining stochastic techniques with Bayesian probability and complex time series analysis techniques such as Heteroscedastic mapping is mathematically complex, but can aid in situations where accuracy is crucial.

  • A number of stochastic techniques have been developed to aid in the risk management process.
  • These are based on complex mathematical models that use stochastically generated random values to compute likelihood and other ratios for our analysis model.

Some existing tools for risk analysis

Crystal ball
Crystal ball is a simple Monte Carlo simulation/analysis product. It uses tornado analysis and Latin hypercube sampling. Crystal ball is one of the simpler stochastic risk analysis tools available.

Risk +
Risk + is designed for performing schedule risk analysis. It is a simple time-based analysis system used to identify potential faults in a fault tree style. Risk + uses Monte Carlo simulations to determine likelihood. This enables the product to demonstrate a possible cost by using the resource allocation values that it has created through a cost histogram. This probability histogram is based on stochastically determined outcomes.

Cobra
Cobra is particularly useful for organisations that use ISO 17799 as a security model. It is used to measure the ISMS of the organisation against the 10 core controls of ISO 17799. Cobra uses a cost justification model based on cost benefit analysis. Cobra integrates a risk dynamics based approach with knowledge-based questionnaires. In my opinion it offers little value when the cost is taken into account.

Octave
Octave is one of the leading risk methodologies. It is a little vague in places and too qualitative for my tastes.

Risk Management and IT Governance

  • The need for a corporate governance framework
  • The need for an internal control framework
  • The relationship between governance, the internal control framework and risk management
  • COSO & COBIT® - The background

More on these next time.

Sunday....AND VACATIONS!!!

Time to get to writing, visiting and the role of farmer.

Being Christmas, posts will have a few breaks.

Time-based Analysis (TBA)

Time-based analysis is a quantitative analysis that uses only a small amount of qualitative measures. TBA is extremely effective in measuring the adequacy of a control. This is also useful in terms of fault preparation (Delphi Group, 2005).

TBA involves analysis of the systems to identify:

  • The preventative controls (P)
  • The detective controls (D)
  • And the reactive controls on the system (R)
TBA measures all things in terms of time. As long as the time to detect and react to an incident is less than the amount of time to prevent the fault, risk is maintained at an acceptable level. Thus, the aim when implementing TBA is to maintain the following situation:

The detective controls (D) + the reactive controls on the system (R) are less than the preventative controls (P), or:
  • D + R < [P]

And a measurable loss occurs when:

  • D + R > [P].
To analyse controls under a TBA, first assume that the preventative controls fail, then ask the questions:

  1. How long does it take for detective controls to be enacted?
  2. How long following detection, does it take for a response to be initiated?
The aims of a TBA based risk strategy include reducing both D and R. This can be achieved by improving the detective controls or improving the reactive controls. The TBA model assumes that all preventative controls will eventually fail given enough time (SANS, 2005).

In determining a target, the costs of the preventative, detective and reactive controls are taken into account to create a cost benefit analysis. TBA is one of the simpler quantitative methods of risk analysis and management that is available.
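The D + R < P check and the cost-benefit step above, worked through in code. This is an added example, not code from the original post; the scenarios, their hour values and the per-hour costs of improving detection or response are constructed for illustration.

```python
"""Time-based analysis (TBA) worked through in code.

Added example, not from the original post. Each scenario assumes the
preventative control eventually fails and records, in hours:
  P  how long the preventative control delays the attacker
  D  time for the detective controls to raise the alarm
  R  time from the alarm to an effective response
The acceptance condition from the text is D + R < P.
Scenario values and costs below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    p_hours: float
    d_hours: float
    r_hours: float


def is_acceptable(s: Scenario) -> bool:
    """TBA condition: detection plus reaction must beat the preventative delay."""
    return s.d_hours + s.r_hours < s.p_hours


def exposure_hours(s: Scenario) -> float:
    """Hours during which the attacker is in and nobody has yet responded."""
    return max(0.0, s.d_hours + s.r_hours - s.p_hours)


def cheapest_fix(s: Scenario, d_cost_per_hour: float, r_cost_per_hour: float,
                 margin_hours: float = 1.0):
    """Cost-benefit step: close the gap by shortening D or R, whichever is
    cheaper per hour saved. Returns (term, hours_to_cut, cost), or None when
    the scenario already satisfies D + R < P. margin_hours keeps the result
    strictly inside the acceptable region rather than on its boundary."""
    gap = exposure_hours(s)
    if gap == 0.0:
        return None
    needed = gap + margin_hours
    if d_cost_per_hour <= r_cost_per_hour:
        return ("D", needed, needed * d_cost_per_hour)
    return ("R", needed, needed * r_cost_per_hour)


def assess(scenarios):
    """Summarise each scenario as (name, acceptable?, exposure hours)."""
    return [(s.name, is_acceptable(s), exposure_hours(s)) for s in scenarios]


# Constructed scenarios (not measurements from any real environment).
SCENARIOS = [
    Scenario("VPN brute force with lockout", p_hours=72.0, d_hours=4.0, r_hours=2.0),
    Scenario("Phished credential reused", p_hours=0.5, d_hours=24.0, r_hours=8.0),
    Scenario("Web app injection past the WAF", p_hours=8.0, d_hours=1.0, r_hours=12.0),
]

if __name__ == "__main__":
    for name, ok, gap in assess(SCENARIOS):
        print(f"{name:35s} {'OK ' if ok else 'GAP'} exposure={gap:.1f}h")
    print(cheapest_fix(SCENARIOS[1], d_cost_per_hour=200.0, r_cost_per_hour=500.0))
```

The second scenario is the instructive one: a preventative control that holds for only half an hour cannot be rescued by cheaper prevention, so the model pushes spending towards whichever of D or R is cheaper to shorten, exactly the trade-off the text describes.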

Should Australian companies be encouraged to adopt socially and environmentally responsible business practices and if so, how?

As previously stated, directors have fiduciary duties as seen under Sections 180 & 181 of the Corporations Act 2001 (Cth)*. These duties alone encourage corporations to become more attuned to the specific needs of their stakeholders and to identify new stakeholder groups within their corporate community.

There has also been an increase in the methods of evaluating the performance of most corporations which have brought about the interest of the communities in general. In other words not only the business communities but the public in general have increased their interest in corporate social responsibility (CSR) thus putting their purchasing power to work in order to influence these companies.

Another method of convincing the companies they should adopt CSR is the company’s “…desire to improve governmental relations in order to avoid longer term regulation”*.

In various studies undertaken to address CSR and its application to Australian companies it was found that the concept of CSR was readily accepted by three very different groups. They were the government, non-government organisations (NGO) both national and international, and surprisingly large corporations*.

It is not surprising to see the initiatives supported by the government, as this is a global endeavour and, as part of the global community, Australia must be seen to be doing its part; otherwise pressure will be put on the government by other countries to comply, as we have seen with the government's refusal to adopt the Kyoto Accord. Through CSR and the government's support of it in the Australian business community, the world can see and judge that our government takes that responsibility seriously.

Neither should it be surprising for the NGOs and large corporations to support CSR, as they ultimately believe this will help their bottom line in meeting the CSR of their own companies or groups. Added to that is the fact that many of the larger corporations are international in nature, either as a subsidiary or as a parent company with subsidiaries in other countries.
So the NGOs, in particular charity groups, will gain from the larger corporations, and the larger corporations gain by becoming involved in those smaller groups, thus proving to their stakeholders that they have the best interests of their companies in mind.

The environment and climate change could be another big winner with CSR not just in Australia but globally.

The second in a series of four reports released by the International Panel on Climate Change (IPCC) in Brussels recently described a very bleak view of the impact climate change will have on humans and the places they live*. A Canadian report stated that their own government had to get its head out of the sand and stop climate change beginning at the corporate level; otherwise Canada will not only be failing its own stakeholders (citizens) but also globally letting down the poorest nations*.

Cannot the same be said for us in Australia? Are we not letting down the poorer nations by our own stance on global warming? Certainly a connection is seen between that failure and the CSR of our companies. But is the best way to deal with this changing the legislation to force all companies in Australia to adopt CSR?

Friday, 21 December 2007

Risk dynamics

Risk dynamics treats risk analysis and risk mitigation as being in equilibrium (Rodrigues, 2001).
Thus, making a change to any control or other risk factor will affect another term.

Some risk dynamic terms include:

  • cost to secure
  • level of threat
  • severity of the vulnerability
  • the impact and consequences of any exposure
  • time to detect an incident
  • the time to respond to an incident
  • recovery time
  • the overall risk
Risk dynamics is a qualitative approach to risk that uses the formula:
  • Threat X Vulnerability = Risk
Risk Professionals should understand this methodology, its weaknesses and its benefits. They should understand the processes and stages involved with this methodology.

Thursday, 20 December 2007

Should the Corporations Act require certain types of companies to report on the social and environmental impact of their activities?

At this point it is important to point out that Corporate Social Responsibility (CSR) developed out of the conduct of the large multinational corporations, who had not only the financial capacity but also the brand recognition to influence their stakeholders and governments, as well as others outside their circle of responsibility*.

In looking at the smaller national companies and how CSR can affect their functioning, it becomes evident that they will not be able to keep up with the larger multinationals, but this does not mean they should be exempt from their CSR.

More and more stakeholders and potential stakeholders in companies are coming to depend upon the reports published by these companies with reference to their participation in corporate social responsibility activities. This involves the triple bottom line reporting previously mentioned, which includes information on the companies' profit objectives, their goals for environmental impact, and their social contribution.

Given the economic, social and environmental impact companies can make in this high tech world, whether they are large or small, there is, understandably, the possibility of control by legislation. This could certainly be seen as a positive thing by the global community but possibly not by the smaller national companies. They could conceivably argue that with Sections 180 and 181 of the Corporations Act*, which control the fiduciary duties of directors, no further legislation is necessary. And this may be true for those small companies; however, if the government is intent on changing the legislation then it would be to its benefit to include clauses which would require certain companies to report on their social and environmental impact.

Example companies might be mining companies, logging companies, nuclear industries, waste disposal companies and any others which have a direct impact on the environment and the social effects of their particular industries. These reports should be forthcoming no matter the size of the company, depending upon the industry within which it is involved.

CCA - cause consequence analysis

RISO labs (Riso National Laboratory: 307-312) developed CCA (Cause consequence analysis) which is essentially a fault tree based approach. It is commonly used for analysis of security and safety problems. CCA and fault trees can be easily applied to almost any technology or system (Keong, 2004).

The tree based approach involves the following steps:

  1. Identify an event
  2. Determine the underlying causes of the event
  3. For each underlying cause identify the causes or initiating events
  4. Repeat until the underlying cause becomes uncontrollable

The CCA process is repeated until the final underlying cause is beyond the organisation’s control (whether through cost or other factors). Thus the process ends when there is no value in continuing to decompose the problem further.

CCA combines both fault trees and event trees. As a result, CCA is good for incident handling analysis, both pre-and post-incident. This helps us to determine how an actual incident may occur. CCA is commonly used as a form of qualitative analysis for determining possible failures.

Fault trees

  1. Identify faults
  2. Determine underlying causes of the faults

Event trees

  1. Identify faults.
  2. Identify consequences
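The two halves of CCA in code: a fault tree that is decomposed into its underlying causes until minimal cut sets are reached, and an event tree that follows the consequences of an initiating event through the post-incident controls. This is an added example, not code from the original post or from the Riso work it cites; the "customer data breach" tree, its probabilities and the control success rates are constructed, and the basic events are assumed independent.

```python
"""Fault tree plus event tree, the two halves of cause consequence analysis.

Added example, not from the original post. The tree is constructed for a
hypothetical "customer data breach" top event; basic-event probabilities
are assumed independent, which is the usual simplifying assumption when
a fault tree is evaluated numerically.
"""
from itertools import product


class Event:
    """A basic (leaf) cause with an assumed probability over the period."""

    def __init__(self, name, prob):
        self.name, self.prob = name, prob

    def probability(self):
        return self.prob

    def cut_sets(self):
        return [frozenset([self.name])]


class Gate:
    """An intermediate event whose underlying causes combine by AND or OR."""

    def __init__(self, name, kind, children):
        if kind not in ("AND", "OR"):
            raise ValueError("gate kind must be AND or OR")
        self.name, self.kind, self.children = name, kind, children

    def probability(self):
        ps = [c.probability() for c in self.children]
        acc = 1.0
        if self.kind == "AND":          # every cause must occur
            for p in ps:
                acc *= p
            return acc
        for p in ps:                    # OR: 1 - P(no cause occurs)
            acc *= 1.0 - p
        return 1.0 - acc

    def cut_sets(self):
        """Minimal cut sets: the smallest combinations of basic events that
        cause this event. Decomposing until these are reached is the
        'repeat until the underlying cause' step of the text."""
        child_sets = [c.cut_sets() for c in self.children]
        if self.kind == "OR":           # any one child's cut set is enough
            sets = [s for cs in child_sets for s in cs]
        else:                           # AND: one cut set from each child, unioned
            sets = [frozenset().union(*combo) for combo in product(*child_sets)]
        return minimise(sets)


def minimise(sets):
    """Drop cut sets that are supersets of another (non-minimal)."""
    uniq = set(sets)
    return sorted((s for s in uniq if not any(o < s for o in uniq)),
                  key=lambda s: (len(s), sorted(s)))


def event_tree(initiating_prob, controls):
    """Event-tree half: after the initiating event, each post-incident control
    in order may contain it with probability p_success. Returns the
    probability of each end state (consequence)."""
    outcomes, remaining = {}, initiating_prob
    for control, p_success in controls:
        outcomes[f"contained by {control}"] = remaining * p_success
        remaining *= 1.0 - p_success
    outcomes["uncontained"] = remaining
    return outcomes


def build_example_tree():
    """Constructed fault tree; the probabilities are illustrative only."""
    account_takeover = Gate("account takeover", "AND", [
        Event("phishing succeeds", 0.2),
        Event("no MFA on account", 0.5),
    ])
    return Gate("customer data breach", "OR", [
        account_takeover,
        Event("unpatched server exploited", 0.05),
    ])


if __name__ == "__main__":
    top = build_example_tree()
    print(f"P({top.name}) = {top.probability():.3f}")
    print("minimal cut sets:", [sorted(s) for s in top.cut_sets()])
    print(event_tree(top.probability(), [("EDR isolation", 0.6), ("IR containment", 0.5)]))
```

The minimal cut sets are what make the fault tree useful for control selection: a single-event cut set (the unpatched server here) is a single point of failure, whereas a two-event cut set is already mitigated by whichever of its events is cheapest to prevent. The event tree then shows how much of the top-event probability each reactive control removes.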

FMECA analysis

MIL-STD-1629 Procedures for Performing a Failure Mode, Effects and Criticality Analysis should be (but seldom is) taught in any introductory risk course. Failure mode, effects and criticality analysis helps to identify:

  • Risk factors,
    - Preventative controls.
    - Corrective controls
  • FMECA couples business continuity planning or disaster recovery into the initial analysis
    - identifies potential failures
    - identifies the worst case for all failures
    - occurrence and effects of failure are reduced through additional controls

FMECA summary
This process involves a detailed analysis based on qualitative methods. It is reasonably objective, helps to identify controls and issues, and also identifies residual risk.
The FMECA Process consists of the following stages:

  1. Define the system or target
    What is the system's mission?
    How does the system interface with other systems?
    What expectations, for example performance and reliability, affect the system?
  2. Create block diagrams
    FMECA relies on the creation of block diagrams.
    Diagrams illustrate all functional entities and how information flows between them.
  3. Identify all possible individual module failures, system failures and system interface failures:
    Every block, and every line that connects the blocks, is a potential point of failure.
    Identify how each failure would affect the overall mission of the system.
  4. Analyse each possible failure in terms of a worst-case scenario.
    Determine a severity level for the failure.
    Assign this value to the possible outcome.
  5. Identify:
    Mechanisms for detecting failures.
    Compensating controls relating to the failures.
  6. Create and describe any actions necessary to prevent or eliminate the failure or the effects of the failure.
    Define additional compensating controls to prevent or detect the failure.
  7. Analyse and describe any and all effects of the additional controls.
    Define the roles and responsibilities to address the compensating controls.
  8. Document the analysis.
    Explain the problems found in the solutions.
    Document residual risks, i.e. days without compensating controls.
  9. Describe the potential impact of these residual risks.
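Steps 4, 5 and 8 above as a small FMECA worksheet. This is an added example, not code from the original post or from MIL-STD-1629 itself; it uses the failure mode criticality number Cm = beta x alpha x lambda_p x t from the quantitative method of MIL-STD-1629A as I recall it (the standard is not reproduced on the page), and the web service, its failure modes and every number in the worksheet are constructed.

```python
"""FMECA worksheet using the MIL-STD-1629A criticality number.

Added example, not from the original post. The quantitative method in
MIL-STD-1629A (Task 102) scores each failure mode with
    Cm = beta * alpha * lambda_p * t
where beta is the conditional probability that the listed effect follows the
failure, alpha the share of the item's failures that take this mode (alphas
for one item sum to 1), lambda_p the item's failure rate per hour and t the
operating hours in the period; item criticality Cr sums Cm over modes of the
same severity class. The service, modes and numbers below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

SEVERITY_ORDER = {"I": 0, "II": 1, "III": 2, "IV": 3}   # I = catastrophic ... IV = minor


@dataclass(frozen=True)
class FailureMode:
    item: str
    mode: str
    severity: str           # MIL-STD-1629A class I..IV
    beta: float             # P(effect | failure)
    alpha: float            # failure mode ratio
    lambda_p: float         # item failures per hour
    hours: float            # operating hours in the analysis period
    detection: str          # mechanism that detects the failure (step 5 of the text)
    compensating: str = ""  # compensating control; empty means residual risk

    def criticality(self) -> float:
        return self.beta * self.alpha * self.lambda_p * self.hours


def rank(modes):
    """Worst first: severity class, then criticality number within a class."""
    return sorted(modes, key=lambda m: (SEVERITY_ORDER[m.severity], -m.criticality()))


def item_criticality(modes):
    """Cr per (item, severity class): the sum of Cm for that item's modes."""
    totals = defaultdict(float)
    for m in modes:
        totals[(m.item, m.severity)] += m.criticality()
    return dict(totals)


def residual_risks(modes):
    """Step 8 of the text: modes with no compensating control, worst first."""
    return [m for m in rank(modes) if not m.compensating]


def check_alphas(modes, tol=1e-9):
    """Alpha values for each item must sum to 1; return items that do not."""
    sums = defaultdict(float)
    for m in modes:
        sums[m.item] += m.alpha
    return sorted(item for item, s in sums.items() if abs(s - 1.0) > tol)


# Constructed worksheet for a hypothetical customer-facing web service.
YEAR = 8760.0
WORKSHEET = [
    FailureMode("web front end", "TLS certificate expires, site unreachable", "III",
                beta=1.0, alpha=0.3, lambda_p=1e-4, hours=YEAR,
                detection="external availability probe", compensating="auto-renewal"),
    FailureMode("web front end", "session handling flaw allows auth bypass", "I",
                beta=0.5, alpha=0.1, lambda_p=1e-4, hours=YEAR,
                detection="anomalous session review"),
    FailureMode("web front end", "disk fills, audit logging silently stops", "II",
                beta=0.8, alpha=0.6, lambda_p=1e-4, hours=YEAR,
                detection="log-volume heartbeat", compensating="separate log volume"),
]

if __name__ == "__main__":
    for m in rank(WORKSHEET):
        print(f"{m.severity:>3} Cm={m.criticality():.4f} {m.mode}")
    print("residual:", [m.mode for m in residual_risks(WORKSHEET)])
```

Ranking by severity class before Cm is deliberate: the class I mode has the smallest criticality number in the worksheet, yet it is the one left without a compensating control, which is exactly the residual risk step 9 asks you to describe.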

Wednesday, 19 December 2007

General Risk analysis

Risk analysis is the art (SANS, 2005) and science of determining the real and potential value of an asset, while simultaneously attempting to predict the likelihood of loss based on mitigating security controls [NIST (800-30) and Bosworth, 2002].

Risk analysis: techniques and methods

Risk analysis models - There are two basic forms of risk analysis:

  • Qualitative
  • Quantitative
Quantitative analysis is based on objective data analysing the sufficiency of controls and uses some numerical method. Qualitative analysis is designed to analyse the quality of the system from a subjective point of view. Each model has benefits and downsides to be considered.


The two simple models of quantitative risk that all risk professionals must know:
  • Annualised loss
  • Likelihood of loss

In addition, understand that there are other (BETTER) quantitative methods.
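Both simple models above, annualised loss and likelihood of loss, next to one of the better methods: the Monte Carlo simulation described in the 22 December post, which turns a single ALE figure into a distribution of annual losses. This is an added example, not code from the original post or from any of the products it names; the annual rate of occurrence, the lognormal loss-per-incident parameters and the 50,000 threshold are constructed inputs, and only the Python standard library is used.

```python
"""Annualised loss and likelihood of loss: point estimate and Monte Carlo.

Added example, not from the original post. The inputs are constructed: an
assumed annual rate of occurrence (ARO) of 2 incidents per year and a
single loss expectancy (SLE) that is lognormal with median 10,000 so that
losses are right-skewed, as incident costs usually are. Only the standard
library is used.
"""
import math
import random


def ale(aro, mean_sle):
    """Classic annualised loss expectancy: ARO x SLE, a single number."""
    return aro * mean_sle


def poisson(rate, rng):
    """Number of incidents in one simulated year (Knuth's method)."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(aro, log_median_sle, sigma, years=20000, seed=7):
    """One total loss per simulated year: a Poisson count of incidents, each
    with a lognormal cost. Seeded so that runs are reproducible."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        n = poisson(aro, rng)
        losses.append(sum(rng.lognormvariate(log_median_sle, sigma) for _ in range(n)))
    return losses


def percentile(values, q):
    s = sorted(values)
    return s[min(len(s) - 1, int(q * len(s)))]


def likelihood_of_loss(losses, threshold):
    """Likelihood of loss as the text names it: fraction of simulated years
    whose total loss exceeds the threshold."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def summarise(aro=2.0, median_sle=10_000.0, sigma=0.5, years=20000, seed=7):
    mu = math.log(median_sle)
    mean_sle = math.exp(mu + sigma ** 2 / 2)     # lognormal mean
    losses = simulate_annual_losses(aro, mu, sigma, years, seed)
    return {
        "ale_point": ale(aro, mean_sle),
        "sim_mean": sum(losses) / len(losses),
        "p50": percentile(losses, 0.5),
        "p95": percentile(losses, 0.95),
        "p_loss_over_50k": likelihood_of_loss(losses, 50_000.0),
    }


if __name__ == "__main__":
    for k, v in summarise().items():
        print(f"{k:16s} {v:,.2f}")
```

The simulated mean lands on the ALE point estimate, which is the sanity check; the value added is the rest of the distribution: the median year costs noticeably less than the ALE, while the 95th percentile and the probability of exceeding a given threshold tell you what a bad year looks like, which a single expected value cannot.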

Qualitative analysis is the easiest type of analysis, but the results are easily skewed by personal opinion (Bosworth, 2002, Ch 47).

These methods are typically focused on measuring or estimating threat and vulnerability. Qualitative analysis is the simplest and cheapest method of analysing risk, but it should never be forgotten that perception is not always accurate and that the results are based on guesswork (Dodson, 2005).

Overview of Risk Methods

  • General types of risk analysis
  • CCA
  • Risk Dynamics
  • Time Based
  • Monte Carlo

Stochastically determined ARIMA(p,d,q) and Inference Models

These methods are truly quantitative.

They help predict realistic detection, response and thus exposure times, which may be differentiated by the type of attack. This type of statistical method does have a downside: it is more expensive than the other methods. The level of knowledge needed to conduct this type of analysis is not readily available, and the level of organisational knowledge needed by the analyst often rules out using an external consultant in all but the smallest of risk analysis engagements.
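A reduced form of the ARIMA(p,d,q) fit the heading refers to, applied to the kind of series this method is used on: weekly mean time to detect. This is an added example, not code from the original post; it fits ARIMA(1,d,0) by least squares (q fixed at 0, so no moving-average term, and a single AR lag), and the series it is run on is generated by the `make_series` helper, which is my construction rather than real measurements.

```python
"""A reduced ARIMA fit, ARIMA(1, d, 0), applied to a detection-time series.

Added example, not from the original post. The series is a constructed
weekly mean-time-to-detect (hours) with an autoregressive structure, not
real measurements. phi and the constant are estimated by ordinary least
squares on the d-times differenced series; the moving-average order q is
fixed at 0 so that the fit stays closed-form (a full ARIMA(p,d,q) fit needs
maximum likelihood). Only the standard library is used.
"""
import random


def difference(series, d):
    """Apply the ARIMA 'I' step: difference the series d times."""
    for _ in range(d):
        series = [b - a for a, b in zip(series, series[1:])]
    return series


def fit_ar1(series):
    """OLS for y_t = c + phi * y_{t-1} + e_t on a stationary series; returns (c, phi)."""
    x, y = series[:-1], series[1:]
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxx = sum((xi - mx) ** 2 for xi in x)
    sxy = sum((xi - mx) * (yi - my) for xi, yi in zip(x, y))
    phi = sxy / sxx
    return my - phi * mx, phi


def forecast(series, d, steps):
    """Fit ARIMA(1,d,0) and forecast `steps` values on the original scale.
    Returns ((c, phi), predictions)."""
    levels = [list(series)]
    for _ in range(d):                       # keep every differencing level
        levels.append(difference(levels[-1], 1))
    c, phi = fit_ar1(levels[-1])
    last, preds = levels[-1][-1], []
    for _ in range(steps):                   # recurse the AR(1) forward
        last = c + phi * last
        preds.append(last)
    for level in reversed(levels[:-1]):      # undo differencing, innermost first
        acc, out = level[-1], []
        for p in preds:
            acc += p
            out.append(acc)
        preds = out
    return (c, phi), preds


def make_series(n=2000, c=4.0, phi=0.7, sd=1.0, seed=3):
    """Constructed AR(1) sample standing in for weekly mean time to detect."""
    rng = random.Random(seed)
    x, out = c / (1.0 - phi), []
    for _ in range(n):
        x = c + phi * x + rng.gauss(0.0, sd)
        out.append(x)
    return out


if __name__ == "__main__":
    series = make_series()
    (c, phi), preds = forecast(series, d=0, steps=4)
    print(f"c={c:.2f} phi={phi:.3f} next weeks: {[round(p, 1) for p in preds]}")
```

Two things the fitted numbers give a risk analyst that a static estimate does not: phi close to 1 means detection times drift and last week's figure is the best predictor of next week's, and the forecast path shows how quickly the series returns to its long-run mean c / (1 - phi) after a bad week. With d = 1 the same code handles a series that is trending rather than stationary.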

Next - the other risk methods...

Tuesday, 18 December 2007

What is an Enthymeme?

An enthymeme is an informally stated syllogism.

A syllogism being a three-part deductive argument.

The enthymeme is sometimes defined as a "truncated syllogism" since either the major or minor premise found in that more formal method of reasoning is left implied.

As an Example (ironically for me as it is one that is Sophist in nature):

"We cannot trust you, for you have lied in the past".

This enthymeme exists with the major premise of the complete syllogism missing:

  1. Those who lie to "us" cannot be trusted. (This is the Major premise which is omitted)
  2. You have lied to "us" in the past. (This is the Minor premise as stated)
  3. You may not be trusted. (This 3rd point is the Conclusion as is stated)

The nature of consciousness

Churchland's postulation of the truth of “Chomskian” linguistics is as integral to Churchland’s 1994 publication as to Churchland’s 1984 one. It is apparent that Churchland has presumed the truth of Chomsky's position in Matter and Consciousness (Churchland, 1984). In this, Churchland takes as fact the precision attached to a “Chomskian” elucidation of “conscious intelligence”.

In respect of an artificial conscious through Artificial Intelligence, Churchland, (1984, p 100) argues that consciousness results in “rules [of arithmetic] you already know ... So you already possess a self conscious command of one formal system. And given that you can think at all, you also have at least some tacit command of the general logic of propositions as well, which is another formal system. What is more interesting is that any formal system can be automated”.

He further supposes that “artificial languages [ BASIC, PASCAL etc.] are much simpler in structure and content than human natural language, but the differences may be differences only of degree, ... the theoretical work of Noam Chomsky and the generative grammar approach to linguistics have done a great deal to explain the human capacity for language-use in terms that invite simulation by computer”. (Churchland, P. 1984, p 16).

This enthymeme is presupposed in its conclusion but leads to a system such as Chomsky's rules. When we discern intrinsically, then except if one has such instinctive acquaintance of the methods language and, subsequently, contemplation, and by association, consciousness is unattainable.

“… But we lack any insight into the nature of consciousness” (Chomsky, N. 1995, p 36).

  • Chomsky, N. (1995) “The Minimalist Program”. MIT Press. Cambridge, Mass.
  • Churchland, P. (1984) “Matter and Consciousness”. MIT Press, Cambridge, Mass.
  • Churchland, P. (1994) “Review of Searle (1992)” in ‘London Review of Books’, 12th May, 1994.

Identifying and classifying risk

A risk analysis is a process that consists of numerous stages.

Controls Matrix
An example risk treatment matrix is listed below (as modelled from NIST (800-42) and Microsoft (2004)).

A control matrix is a tool to allow you to quickly see what you are doing well and what you need to improve.

Implementing a risk mitigation strategy

  • A Gap analysis allows the identification of controls that have not been implemented (Dodson, 2005).
  • Threat modelling is a tool to determine the type and level of threats that your organisation faces (Myagmar, 2005).
  • Development of attack trees is helpful in finding out how your organisation is vulnerable (Moore, 2001).
Decide whether each gap from the gap analysis should be either accepted or mitigated and what type of controls are needed.

  • Plan
  • Do
  • Check
  • Act

Plan, the plan phase consists of identification of the problem, followed by analysis of the problem identified. The key components of this phase include threat and vulnerability analysis.

Do, the next phase of the PDCA process requires the development and implementation of ISMS (information security management system) components. This phase includes controls.

Check, the check phase consists of an evaluation of the previously implemented ISMS components for controls. Although audit is a control in itself, it should also be used to measure effectiveness of the overall process and its components.

Act, finally, the act phase of a PDCA based process requires that the organisation continuously improve its performance. Using constant incremental improvements, the organisation should be able to consistently improve its security systems minimising risk while remaining cost-effective.



Monday, 17 December 2007

RISK & Risk Management (A Short Introduction in Series)

It is common to jump at every issue and vulnerability released today, a situation that often leads to disenchantment with the risk and security process.

In this series of postings, we will consider and discuss how to implement risk based controls that can not only help secure systems more effectively but also save money. In these sessions, we shall start by looking at how to implement effective risk based controls, so you can regain comfort in the security of your organisation.

Some of the Key topics I shall cover include:

  • Qualitative and quantitative risk, and what differentiates the processes.
  • How to add value to a risk engagement and some common pitfalls.
  • How to look at risk non-emotionally and gain a return on investment from the risk process.
Risk management and how it relates to Good Corporate Governance
(or it’s all about business)

Risk modelling is just the start; security is a process, not a product. "Security products will not save you" (Bruce Schneier).

As it currently stands, risk analysis and risk management are disciplines that have increased in popularity recently (Vaughn et al, 2004) due to a perceived lack of qualified and experienced professionals (Dark, 2004.b).

But we are still in the dark! (Sorry, bad play on names)

Some Taxonomy
What is a process?
Processes are the methods that we use to achieve our objectives. What we need to think about is how processes are implemented within an organisation.

An objective is a goal or something that you wish to accomplish. Consider who sets objectives and how are these designed to help achieve effective risk management?

Controls are the mechanisms through which we reach our goals, but what are controls?

The question of what is an audit control and how is the effectiveness of the control evaluated is one that is frequently encountered. Controls are useless if they are not effective so how do we ensure that any control is effective and may be justified in cost terms?

There are a variety of control frameworks. Which one is not so important. Finding and matching the levels of controls to your organisation and business model is the goal.

Policies are themselves controls. Every policy in the organisation should relate to a business or organisational objective. The question to ask is who sets policy and how?

When assessing risk, it is essential to ask and also understand:
  • How does an organisation ensure that the practices are what is in effect?
  • Policies and practices should match, how is this checked?
  • When a practice doesn't match, there is an issue: how do issues get resolved?
A system is defined in NIST (800-30) as any collection of processes, and/or devices that accomplishes an objective. The risk professional needs to have a comprehensive understanding of systems design and testing.

Identifying and classifying risk.

Sunday, 16 December 2007

Another short weekend

Although the length remains constant, it feels this way. It passes in the mind and perception plays its games with us.
It seems just days ago that I cleaned the garden up and replanted it.
Now, it is Christmas time and the holidays are upon us.
And that which we planted, we find coming to fruition.
As we approach another harvest.
In a week the greens will be ready to start picking.
With Christmas coming only a week away, I have a trip to the farm for a day and then back to arrange things. One more week at work, and then a vacation.

Though I have 3 papers, 2 University courses, 2 Uni boards and 3 books to work on... And this is forgetting the annual trip to the farm to do fencing and the like!

Otherwise, there are a few simple things to relax.
Sleep, what is that?

Virtually everything that Hector Berlioz composed was inspired by a literary or theatrical idea. Live large. Live well. Live full and never settle for average!