Multi-Attribute Risk Assessment

Shawn A. Butler
Computer Science Department
Carnegie Mellon University
16 October 2002

Advantages of Multi-Attribute Risk Assessments
• Provides a systematic and repeatable method for evaluating risks
• Helps organizations identify and prioritize security requirements
• Makes explicit expectations about attack consequences
• Provides insights into the effect of uncertainty

Some Terminology
• Threats - events that could lead to an information system compromise.
  (Examples: denial of service attacks, procedural violations, IP spoofing, etc.)
• Attacks - An attack (a) is an instance of a threat that results in an information system compromise and that has an outcome (Oa).
• Outcome - one or more consequences (Xj).
• Consequence - damage (xj) from a successful attack.
  (Examples: lost productivity, lost revenue, damaged public image, lost lives)

(Threat) Denial of Service

Attacks and consequence values (x1, x2, x3); each row is one outcome:

           (Outcomes)
Attack     X1: Lost Productivity    X2: Lost Revenue    X3: Damaged Public Image
a1         3 hours                  $0                  none
a2         40 hours                 $20,000             moderate
a3         10 hours                 $500                slight

Security Architecture Development Process
[Figure: process diagram. Labels: Threats, Available Countermeasures, Risk Assessment, Outcomes, Prioritized Risks, Policies, System Design, Select Countermeasures, Security Components, Develop Security Architecture, Requirements, Security Architecture.]

Multi-attribute Risk Assessment Process
[Figure: process diagram. Labels: Threat Definition, Threats, Org Threats, Expected Frequency of Attack, Outcomes, Estimate Outcome Values, Most Likely Outcomes, S.M. Best Est., Compute Threat Indexes, Additive Model, Prioritized Risks, Sensitivity Analysis, Security Manager Questions.]

The Additive Model

$TI_a = Freq_a \times \left( \sum_{j=\text{attributes}} w_j \, v_j(x_{aj}) \right)$

• Check additivity assumptions to see if the additive form is valid
• Assess the single-attribute value functions v1, v2, …, vn
• Assess the weighting factors w1, w2, …, wn
• Compute the value of each alternative and rank alternatives
• Conduct sensitivity analysis to see how sensitive the ranking is to model assumptions

Independence Assumptions
Tradeoffs between two consequence values, holding all other consequence values fixed, do not depend on where we hold the other attributes fixed.
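
Assess Single Consequence Value Function
[Figure: three example shapes of the value function vj(xaj), each plotted from 0 to 1 on the vertical axis and from 0 to xj* on the horizontal axis: Linear, Convex, Concave.]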

Weight the Consequences (wj)

Outcome Attribute       Rank    Assessed Preference    Weight (wj)
Lost Productivity       1       100                    .42
Public Reputation       2       80                     .33
Regulatory Penalties    3       40                     .17
Lost Revenue            4       20                     .08

Distribution for Input Frequency System Scanning
[Figure: probability distribution of the input frequency, horizontal axis 0 to 25. Mean = 11.99855; X <= 7.06 at 5%; X <= 16.93 at 95%.]

Compute Value and Rank Alternatives

Outcome consequences (each attribute shows the consequence and its value):

Threats                 freq/yr    Lost Revenue     Reputation    Lost Productivity    Reg. Penalt.    TI
                                   w = .08          w = .33       w = .42              w = .17
Procedural Violation    4,380      $2     .0002     1    .25      2hrs    .0083        0    0          376.69
Theft                   24         $182   .0152     2    .5       1hrs    .0042        2    .67        6.75
Virus                   912        $0     0         0    0        3hrs    .0125        0    0          80.03
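
The additive model carried through with the inputs printed on the slides above, as an added example that is not part of the original presentation: it turns the assessed preferences into weights, computes each threat index, ranks the threats, and checks which single-preference changes reorder them. The function names and the 0.5x/1.5x sweep are assumptions of this example; with the values as printed, Procedural Violation reproduces the table's 376.69, while Theft and Virus come out at 6.77 and 4.79 rather than the printed 6.75 and 80.03.

```python
# Added example: additive threat-index model using the inputs printed on the slides.
ATTRS = ("lost_revenue", "reputation", "lost_productivity", "reg_penalties")
PREFS = (20, 80, 100, 40)  # assessed preferences, in ATTRS order
THREATS = {  # name: (freq/yr, v_j(x_aj) in ATTRS order), as printed in the table
    "Procedural Violation": (4380, (.0002, .25, .0083, 0)),
    "Theft": (24, (.0152, .5, .0042, .67)),
    "Virus": (912, (0, 0, .0125, 0)),
}

def weights_from_preferences(prefs, ndigits=2):
    """Normalize assessed preferences into weights (two decimals, as on the slide)."""
    total = sum(prefs)
    return tuple(round(p / total, ndigits) for p in prefs)

def threat_index(freq, values, weights):
    """TI_a = Freq_a * sum over attributes j of w_j * v_j(x_aj)."""
    if len(values) != len(weights):
        raise ValueError("need one value per weighted attribute")
    if any(not 0 <= v <= 1 for v in values):
        raise ValueError("single-attribute values must lie in [0, 1]")
    return freq * sum(w * v for w, v in zip(weights, values))

def rank(threats, weights):
    """Return (names ordered by descending TI, {name: TI})."""
    ti = {name: threat_index(f, v, weights) for name, (f, v) in threats.items()}
    return sorted(ti, key=ti.get, reverse=True), ti

def weight_sensitivity(threats, prefs, factors=(0.5, 1.5)):
    """Hypothetical one-at-a-time sweep: scale one preference, renormalize,
    and record every case where the ranking differs from the baseline."""
    base, _ = rank(threats, weights_from_preferences(prefs, ndigits=6))
    changes = []
    for j, attr in enumerate(ATTRS):
        for factor in factors:
            trial = list(prefs)
            trial[j] *= factor
            order, _ = rank(threats, weights_from_preferences(trial, ndigits=6))
            if order != base:
                changes.append((attr, factor, order))
    return changes

if __name__ == "__main__":
    order, ti = rank(THREATS, weights_from_preferences(PREFS))
    for name in order:
        print(f"{name:22s} TI = {ti[name]:8.2f}")
    for attr, factor, new_order in weight_sensitivity(THREATS, PREFS):
        print(f"{attr} x{factor}: {' > '.join(new_order)}")
```

In this sweep only raising the Lost Productivity preference by half changes the order, moving Virus above Theft.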

Developing Requirements

Threat: System Scanning
Security Technologies:
• Host-Based IDS
• Vulnerability Assessment Scanners
• Penetration Testing Tools
• Network Based IDS
• Network Monitoring Tools
• Hardened OS

Threat: Virus
Security Technologies:
• Hardened OS
• Electronic Signature
• Host-Based IDS
• Anti-virus software
• Mobile Code Scanners

Threat Indexes as a Percentage of Total Threat Index
[Pie chart]

Threat                       Share of Total Threat Index
Other                        22%
Compromising Emanations      3%
Password Guessing            20%
Contamination                3%
Signal Interception          4%
Denial of Service Attack     5%
Internal Vandalism           5%
Compromise                   19%
System Scanning              10%
Alteration                   9%

Order    SAEM’s Top Threats         Security Manager’s
1        Procedural Violation       Personal Computer Abuse
2        Virus                      Theft
3        Personal Computer Abuse    Virus

Threats                    Expected Frequency    Public Image    Lost Productivity    Customer Relationships
Procedural Violation       360,000/yr            None            $100                 None
Virus                      26,000/yr             Mild            $4,000               Moderately Mild
Personal Computer Abuse    2,000/yr              Mild            $250                 None

Case Study Results

                                   Commercial-Case                     Hospital-Case
Outcomes                           • Damaged Public Image              • Patient Care
                                   • Damaged Customer Relationships    • Damaged Public Image
                                   • Lost Revenue                      • Physician Perceptions
Threats                            27                                  15
Initial Correlation Coefficient    .19                                 .53
Final Correlation Coefficient      .86                                 .81
Refinements                        Adjusted both inputs and            Adjusted inputs
                                   initial ranking
Top Threats                        Viruses                             • Alterations
                                                                       • Viruses
                                                                       • Compromising Emanations

Conclusions
• Multi-attribute Risk Assessments provide insight during the risk assessment process
• Multi-attribute Risk Assessments can help security managers prioritize risks, which leads to prioritized requirements
• Inexperienced security managers will be able to benefit from information collected from other organizations