Risk Analysis, Risk Assessment, Risk Management

Security Risk Analysis holds the key: A security policy framework is necessary to support the security infrastructure required for the secure movement of sensitive information across and within national boundaries. To ensure the secure operation of this kind of infrastructure, it is necessary to have some well-founded practice for the identification of security risks (as well as the application of appropriate controls to manage risks). This practice can be formalised and (semi)-automated by the use of formal methods and tools which increase the reliability of the system specification (and therefore users' confidence in it). This is important since the security of a system is largely dependent upon the accuracy of its specification. To be truly beneficial, the risk analysis framework must be granular enough to produce a customisable roadmap of which problems exist, and to rank them in order of severity, which facilitates making decisions about which ones to deal with first. CORAS (A Platform for Risk Analysis of Security-critical Systems) is an EU/IST project within the 5th framework programme, the basic idea for which was proposed and initiated by the author in an attempt to meet the requirements mentioned above, among others. Its main objective is to develop a practical (the word practical emphasised) framework for a precise, unambiguous and efficient risk analysis, by exploiting the synthesis of risk analysis methods with object-oriented modelling, (semi-)formal methods and tools, in order to improve the security risk analysis and security policy implementation of security-critical systems. Since the critical infrastructures of, for example, medical services, banking and finance, gas and electricity industries, transportation, water, and telecommunications are making use of the public Internet for communication, not least for the exchange of business, administrative and research information, it must be our aim to make these critical infrastructures totally secure and unassailable.

There are already in existence standards for the management of information security, which are commonly accepted and publicly available specifications:

• BS7799 Part 1 (1999): Code of Practice for information Security Management(BS7799)
• ISO 17799 - The Information Security Standard
• ISO 17799 The ISO 17799 Software Directory, and The ISO17799 NEWS page
• ISO 17799 Papers: BS 7799 By Biju Mukund
• International ISO 17799 User Group
• ISO TR 13335: Guidelines for Management of Information Technology Security-GMITS
• CSA Model Code for the Protection of Personal Information
• Diffuse Information Security Standards, including the above
• COBIT (Control Objectives for Information and Related Technologies) specification produced by the Information Systems Audit and Control Foundation
• COBIT Forums and Information
• CRAMM - the UK Government's Risk Analysis and Management Method
• The ISO 9000-14000 family of standards
• The National Institute of Standards and Technology (NIST)
• NASA Probabilistic Risk Assessment Procedures Guide for NASA Managers and Practitioners
• References to other standards

• Risk Analysis [1]: A systematic use of available information to determine how often specified events may occur and the magnitude of their consequences. Risk Analysis [2]: A systematic approach for describing and/or calculating risk. Risk analysis involves the identification of undesired events, and the causes and consequences of these events.
• Risk Assessment [1]: The overall process of risk analysis and risk evaluation
• Risk Management [1]: The culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects.
• Risk Management Process [1]: The systematic application of management policies, procedures and practices to the tasks of establishing the context, identifying, analysing, evaluating, treating, monitoring and communicating risk.
• Risk Evaluation [1]: The process used to determine risk management priorities by comparing the level of risk against predetermined standards, target risk levels or other criteria. Risk Evaluation [2]: A comparison of the results of a risk analysis with the acceptance criteria for risk and other decision criteria.

• FMECA (Failure Modes, Effects and Criticality Analysis)
• MIL-STD (Procedures for Performing a FMECA)
• FMECA.COM
• FMEA (Failure Mode and Effect Analysis)
• IEC 60812 (FMEA Analysis techniques for system reliability)
• SAE ARP 5580 (FMEA Practices for Non-Automobile Applications)
• SAE J1739 (Design FMEA, Process FMEA and Machinery FMEA)
• FTA (Fault Tree Analysis)
• IEC 61025 (Fault Tree Analysis)
• NUREG-0492 (Fault Tree Handbook)
• NASA (Fault Tree Handbook - Aerospace Applications)
• HAZOP (HAzard and Operability Analysis)
• IEC 61882 (HAZOP Application guide)
• CCA (Cause Consequence Analysis)
• MORT (Management Oversight Risk Tree)
• SMORT (Safety Management Organization Review Technique)
• Risk Analysis Bibliographies by Tan Hiap Keong
• Security/Survivability Systems Analysis (S/SSA)
• CEA - Cost-Effectiveness Analysis in Emergency Medicine, Computer, and more by Zui-Shen Yen , and
  Primer on Cost-Effectiveness Analysis: Effective Clinical Practice
• Cost Benefit Analysis
• Introduction to Cost-Benefit Analysis
• Cost Benefit Analysis Method (CBAM)
• BCA - Benefit-Cost-Analysis for the use of Intelligent Transportation Technology
• CPR Perspective: Cost-benefit Analysis
• Cost/Benefit Analysis- Decision Making from Mind Tools
• SQUARE Project: Cost/Benefit Analysis Framework for Information Security Improvement Projects in Small Companies
• OMNI (Organising Medical Networked Information) Cost-Benefit Analysis
• Cost-Benefit Handbook
• Australian Government - Cost-Benefit Analysis
• RCBA - Risk-Cost-Benefit Assessment
  As is frequently pointed out RCBA has certain limitations when it comes to managing technological risk. And these limitations are primarily due to the participation of humans in the processes, which makes them prone to human error, and limited by our limited ability to identify a comprehensive list of all potential risk factors, to determine cause-effect relationships, to deal with problems of complexity and coupling, to handle the uncertainties of modeling a complex system, etc. These limitations can to a certain extent be dealt with adapting a holistic approach to managing risks, an approach that takes into account legal, societal, technological, organizational, environmental and human factors. For RCBA to be effective its approach should be holistic and multidisciplinary. As an example, "the role of the law in technological security is that it sets security standards, formulates security requirements, and itself constitutes a security measure by supporting other security measures, thus influencing technology and technological developments, which in turn influence human behavior within society, which in its turn influences legislation and legal practice".


• RISK: Risk Assessment, Risk Communication, and Risk Management: Disaster Central

Risk Management: The purpose of risk management is to change the future, not to explain the past - Dan Borge

Risk Management Maturity: Adaptive Risk Management is the Next Generation Model

Adaptive Risk Assessment Modeling System (ARAMS)

Adaptive Risk Management by Prof. Mihaela Ulieru, The University of New Brunswick, also ARM - Adaptive Risk Management Platform for Emergency Response Operations, Adaptive Risk Management for Networked Critical Infrastructure


An adaptive risk management system is a system which is capable to learn, adapt, prevent, identify and respond to new/unknown threats in critical time much like biological organisms adapt and respond to threats in their struggle for survival. It essentially incorporates the characteristics and properties of genetic, holonic, AI, complex adaptive theory, and others, whose combination has a supra-additive synergistic effect.

"Genetic algorithms are algorithms that work via the process of natural selection. They begin with a sample set of potential solutions which then evolves toward a set of more optimal solutions. Within the sample set, solutions that are poor tend to die out while better solutions mate and propagate their advantageous traits, thus introducing more solutions into the set that boast greater potential", for a brief introduction to genetic alogrithms see JGAP and Moshe Sipper

A holon is a self-similar or fractal structure that is stable, coherent and that consists of several holons as sub-structures and is itself a part of a greater whole (for more info see Adaptive Risk Holarchy, Concepts for Holonic Manufacturing, Holonic Solutions, Holonic Software Development, Holonic Multiagent Systems, etc.)

Artificial Neural Networks (ANNs) have been developed as a mathematical modelling of a human cognition system based on our knowledge about how biological neural cells (neurons) function in the brain. ANNs can be described either as mathematical and computational models for non-linear function approximation, data classification, clustering and non-parametric regression or as simulations of the behavior of collections of model biological neurons. ANNs can be used in a variety of powerful ways: to learn and reproduce rules or operations from given examples; to analyze and generalize from sample facts and make predictions from these; or to memorize characteristics and features of given data and to match or make associations from new data to the old data. ANNs can be seen as an adaptive system that is able to learn from the data that flows through the network and change its response according to it. For more information on ANN see Neural Computation: The Nature of Learning, Memory and Plasticity in an artificial neural network or Artificial neural network

"Several Artificial Intelligence (AI) techniques have found applications in the field of risk management. Neural networks and fuzzy modeling are two system paradigms that lie at extreme poles of artificial intelligence system modeling. Neural networks can be viewed as 'black boxes' in which the process is unknown but there are many examples or observations. Fuzzy models, on the other hand can be viewed as 'white boxes' in which structured human knowledge is used to model the system and no data is required. Most of the real world problems, however, typically present a 'grey box' situation, where there are some observations and some structured human knowledge. A new technique called neuro-fuzzy modeling, which incorporates neural network learning concepts into fuzzy inference systems, forms a pivotal technique in what is today known as soft computing. A notable contribution was the development of the adaptive neuro fuzzy inference system (ANFIS) and its generalized version, CANFIS exploiting the equivalence of radial basis function networks (RBFNs) from neural network theory and various fuzzy inference system (FIS) models, to provide a performance superior to that of conventional neural networks and Fuzzy Inference systems." - Radha Arur, Polaris Software - 21 Feb 2006

Three major characteristics of complex adaptive systems can be distinguished:
1. active monitoring ensuring the organization's sensitivity to detect risk,
2. agility ensuring its flexibility to respond to risk, and
3. adaptive learning ensuring the capability of the organization's resources to mitigate risk.

Yet, according to WOLFASI the conceptual components of a general adaptive security infrastructure are Detector, Analyser, and Responder:
1. The Detector senses, collects, and distributes information about the security environment
2. The Analyzer processes Detector data, along with other information (e.g. security policy, threat levels, or node trust levels) and occasionally proposes actions to bring about a new stage
3. The Responder executes the actions as directed by the Analyzer. These actions could include adjusting preventive mechanisms, adjusting detector settings, adjusting internal systems parameters, etc.

A European website presents science research and multimedia on health, food and risks

Risk Analysis Tools/Products

• The Australian Standard 4360 Risk management portal
• List of Risk Analysis, Assessment and Management Tools
• Isograph Direct Reliability, Availability, Maintainability, Safety Analysis Software
• @RiskAccelerator
• Risk Analysis and Management System (RAMS)
• Toolkit for RAMS from IsographDirect
• FIDUCIA - Modelling Risk in Interoperable Public Key Infrastructures
• CORA - Cost-of-Risk-Analysis System
• BayesEngineTM Technology
• Introduction to Security Risk Analysis and the COBRA Approach
• Reliability, Availability, Maintainability and Safety Solutions from Reliability Software
• Reliability, Availability and Maintainability Software Tools from ITEM
• eRisk Managemet Model from mi2g
• List of Risk Analysis Books from Palisade
• Risk Analysis, Monte Carlo Simulation, Forcasting, Optimization - from Crystal Ball
• Callio Technologies offers ISO 17799 BS7799 Security Policies Software Tools and Expertise
• Tufin SecureTrack - Firewall Policy Auditing, Tracking and Compliance
• Proteus Enterprise Integrated Compliance and Information Risk Management Software - From InfoGov
• ASSET (Automated Security Self-Evaluation Tool) from NIST
• OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) from SEI
• Risk Management Software Tools