Unit Outline: Quantitative Risk Analysis
• Module 1: Quantitative Risk Analysis and ALE
• Module 2: Case Study
• Module 3: Cost Benefit Analysis and Regression Testing
• Module 4: Modeling Uncertainties
• Module 5: Summary
Module 4: Modeling Uncertainties
Modeling Uncertainties: Learning Objectives
• Students should be able to:
  • Identify ways to model uncertainty in risk.
  • Understand the Monte Carlo Simulation approach.
  • Recognize how to model valuation of assets, frequency of threats, impact of threats, controls, and distribution of risk exposure.
  • Understand how to perform a sensitivity analysis for risk exposure.
Modeling Uncertainties
• Uncertainty exists regarding the value that should be assumed by one or more independent variables in the risk model.
• Contributions to the model's uncertainty:
  • Lack of knowledge about particular values
  • Knowledge that some values might always vary
• If it cannot be determined with certainty what value one or more input variables in a model will assume, this uncertainty is naturally reflected in the outcome of the dependent variable(s).
• The risk metric is:
  • not determined by the value of its independent variables (asset values and vulnerabilities, frequency and impact of threats)
  • a function of the probability distribution of each of these random variables
• A good approach to dealing with uncertainty is simulation.
Modeling Uncertainties: Monte Carlo Simulation: Approach
• The approach consists of the following steps:
  • Develop the risk model
  • Define the shape and parameters of the probability distribution of each input variable
  • Run the Monte Carlo simulation
  • Build a histogram for the dependent variables in the model (risk and updated risk)
  • Compute summary statistics for the dependent variables in the model
  • Perform a sensitivity analysis to detect sources of variability
  • Analyze potential dependency relationships among the variables in the model
Modeling Uncertainties: Monte Carlo Simulation: Value of Assets
[Figure: Truncated Normal Distribution (mean = 50)]
• Asset values here are samples and do not represent collected data.
• In real cases, the organization's actual assets need to be identified.
• A value needs to be assigned to each asset.
Modeling Uncertainties: Monte Carlo Simulation: Frequency of Threats
• The annualized frequency of threats is required to compute the annualized loss expectancy.
• This data can be collected from several sources:
  • Tracking and collecting data from internal logs
  • Reports from agencies such as CERT
Modeling Uncertainties: Monte Carlo Simulation: Impact of Threats
[Figure: Triangular distribution (mode, max = 1, min = 0)]
Modeling Uncertainties: Monte Carlo Simulation: Controls
[Figure: Triangular distribution (mode, max = 1, min = 0)]
Modeling Uncertainties: Monte Carlo Simulation: Risk Exposure Distribution
[Figures: Histogram of Exposure Risk; Cumulative Distribution]
Modeling Uncertainties: Monte Carlo Simulation: Reduced Risk Exposure
[Figures: Histogram of Reduced Exposure Risk; Cumulative Distribution]
Modeling Uncertainties: Monte Carlo Simulation: Sensitivity Analysis
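
The steps above, carried through in Python as an added example (not part of the original slides). Assumptions: the standard deviation, the triangular modes, a Poisson model for annual threat frequency, and the rule that a control reduces exposure by the factor (1 - control) are all constructed for illustration; only the distribution shapes and the asset mean of 50 come from the slides.

```python
import random
import statistics

# Constructed parameters for illustration; not case-study data.
ASSET_MEAN, ASSET_SD = 50.0, 10.0      # truncated normal, mean = 50 as on the slide
FREQ_PER_YEAR = 3.0                    # assumed Poisson mean of annual threat events
IMPACT_MODE, CONTROL_MODE = 0.3, 0.6   # assumed triangular modes on [0, 1]
INPUTS = ["asset", "frequency", "impact", "control"]

def truncated_normal(rng, mean, sd, low=0.0):
    x = rng.gauss(mean, sd)
    while x < low:                     # reject draws below the truncation point
        x = rng.gauss(mean, sd)
    return x

def poisson(rng, lam):
    count, t = 0, rng.expovariate(lam) # count arrivals that fall within one year
    while t < 1.0:
        count, t = count + 1, t + rng.expovariate(lam)
    return count

def simulate(trials=20000, seed=1):
    rng, rows = random.Random(seed), []
    for _ in range(trials):
        asset = truncated_normal(rng, ASSET_MEAN, ASSET_SD)
        freq = poisson(rng, FREQ_PER_YEAR)
        impact = rng.triangular(0.0, 1.0, IMPACT_MODE)
        control = rng.triangular(0.0, 1.0, CONTROL_MODE)
        exposure = asset * freq * impact          # risk exposure for one simulated year
        rows.append((asset, freq, impact, control, exposure, exposure * (1 - control)))
    return rows

def summary(values):
    s = sorted(values)
    return {"mean": statistics.fmean(s), "median": s[len(s) // 2], "p95": s[int(0.95 * len(s))]}

def histogram(values, bins=10):
    top, counts = max(values) or 1.0, [0] * bins
    for v in values:
        counts[min(int(v / top * bins), bins - 1)] += 1
    return counts

def pearson(xs, ys):
    mx, my = statistics.fmean(xs), statistics.fmean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return cov / (sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys)) ** 0.5

def sensitivity(rows, out_col=5):       # column 5 = reduced exposure, 4 = exposure
    out = [r[out_col] for r in rows]
    return {n: pearson([r[i] for r in rows], out) for i, n in enumerate(INPUTS)}
```

The correlation of each input with the output ranks the sources of variability: inputs with the largest absolute correlation drive most of the spread in exposure, and a negative value for the control shows that stronger controls lower the reduced exposure.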
Modeling Uncertainties: Assignment
• Using the data provided in the case study, or your own risk analysis, use Monte Carlo Simulation to provide a graphical display.
Modeling Uncertainties: Summary
• Uncertainty exists in the analysis due to unknown or inaccurate values from data collected.
• Simulation can be used to counteract uncertainty in the analysis.
• First, a risk model and the parameters and shape of the probability distribution of each input variable should be defined. Then a Monte Carlo simulation should be run, a histogram built, and summary statistics computed for the dependent variables. A sensitivity analysis should then be performed to detect sources of variability.