
Page 1: Security Risk Metrics or How I Learned to Love Fear and Uncertainty 11/22/11 Carl S. Young cyoung@strozfriedberg.com (212) 766-6004

Security Risk Metrics or How I Learned to Love Fear and Uncertainty

11/22/11

Carl S. Young, cyoung@strozfriedberg.com

(212) 766-6004

Page 2:

Security Risk Management: Intuition Versus Analytics

Page 3:

Failed Intuition or Miscalculation?

Page 4:

The Fundamentals: Threats and Risk

Page 5:

Threats!

Page 6:

Threats?

Page 7:

Threats

• Threats cause harm or loss
• Threats make you “worse off”
• Threats are contextual…what does THAT mean?

Page 8:

Risk

• Risk is an inherent property of threats
• Risk is what makes a threat threatening
• If there is no risk then there is no threat (and vice versa)
• There is also no need for security consultants!

Page 9:

The Components of Risk

Three components of risk:
1) impact (importance)
2) likelihood (probability or potential)
3) vulnerability (exposure to loss/harm)

Page 10:

The Fundamental Expression of Risk


Risk (threat) = Likelihood x Vulnerability x Impact

Page 11:

The Vulnerability Component of Risk: Understanding the Threat

Page 12:

The Vulnerability Component of Risk

• Recall threats are contextual
• Why? Each component of risk can vary with the scenario
• Must be precise in characterizing the threat and associated risk
• Example: “Terrorism”. Timothy McVeigh (Oklahoma City bomber) versus Charles Whitman (University of Texas sniper)?
• What about risk mitigation?

Page 13:

Example: The Threat of Electrocution from Lightning

(Figure: Electrocution Scenario 1 versus Electrocution Scenario 2)

Page 14:

Lightning and the Vulnerability Component of Risk

• The vulnerability component of risk for each scenario is different

• Scenario 1: your body acts as an electrical conductor between the cloud and the earth…you’ve got a problem

• Scenario 2: the charges distribute themselves around the car’s metal surface…you’re probably ok

Page 15:

The Likelihood Component of Risk: Predicting the Future

Page 16:

Likelihood Component of Risk: Tools of the Trade

• Some security incidents do occur at random
  1) Nuclear disintegrations of radioisotopes
  2) Security equipment failures
• Certain threat scenarios are relatively stable over time
• Standard statistical distributions apply (e.g., Poisson, Normal, Binomial)
• Specify the mean and the uncertainty in the mean (i.e., standard deviation)

Page 17:

Likelihood or Potential?

• Is it ok to estimate the likelihood of future incidents based on previous incidents?

• Yes, if conditions remain relatively stable*
• OR the incidents occur at random
• Otherwise it is more precise to speak of ‘potential’ for incident occurrence

* The rate of incident occurrence >> change in influencing conditions.

Page 18:

What is Security Risk Management Really All About?

• Educated trade-offs between the components of risk for each impactful threat

• Such trade-offs form the basis for a security risk management strategy

• Risk component trade-offs are what security directors are paid to do!

Page 19:

Security Director Fantasy Job Advertisement


A US-based international corporation is seeking qualified candidates to apply for the position of Global Security Director with responsibilities and compensation as follows:

1) Make educated trade-offs regarding the components of risk for each impactful security threat

2) Design and implement culturally acceptable and cost-effective security solutions based on the aforementioned trade-offs (i.e., develop a security risk management strategy)

3) Effectively communicate security risk to all levels of the organization

4) Salary: ~ $1M per annum*

* Welcome to MY fantasy

Page 20:

It’s Not So Easy: The Security Risk Management Conundrum

• Security risk management is inherently defensive
• Does a low number of security incidents mean there is an effective security strategy in place?
• Perhaps you’ve just been lucky or the bad guys are indifferent

Page 21:

Effective Risk Management?

Page 22:

And Security Risk Management is a Zero Sum Game…Finite Resources

(Figure: competing threats drawing on the same finite resources: Property Theft, Terrorism, Physical Assaults, Information Theft/Insiders)

Page 23:

Measuring the Vulnerability Component of Risk: Coping with Fear

Page 24:

Security Risk Measurements

• How can you measure the risk associated with security threats if there is a low number of incidents?

• Measure risk indirectly by measuring a risk factor rather than instances of the threat itself

Page 25:

Identifying Risk Factors

• Risk factors are characteristics or properties of a threat that enhance a component of risk

• Threat = tropical diseases. Risk factor = travel to tropical climates

• Threat = shark attacks. Risk factor = swimming in the ocean

• Threat = leukemia. Risk factor = exposure to radioactive material

• Threat = car accident. Risk factor = teenage drivers

Page 26:

Physical Threats

• Physical quantities (e.g., vapor concentration, overpressure, signal intensity) associated with physical threats

• These quantities often scale with parameters of distance or time

• Can estimate limits on “safe” separation distances, exposure times, et al.

• Thereby establish risk metrics and mitigation strategies

Page 27:

Example: Vehicle-Borne Explosive Threat

• Overpressure and impulse determine building damage

• Expressions scale with distance and explosive payload (limited by vehicle capacity)

• Estimate “safe” distances and payloads (risk factors) to yield risk metrics and inform mitigation strategy

Page 28:

Explosive Threats: Effect of Distance and Payload on Risk Factors

(Chart: Distance (feet) versus Net Explosive Weight (lbs-TNT), with damage bands labelled Total Destruction, Failure of Concrete Walls, Minor Building Damage, and Window Glass Breakage/Some Minor Building Damage)

Page 29:

Example: Internal Contamination from External Chemical Vapor Threats

• The percentage of contaminated room air as a function of time is given by a simple first order differential equation

• The solution is the exponential function, C = C0·e^(Rt)

• Calculating the time, t, knowing the rate of air exchange across the facade, R, yields a risk metric

• Shelter-in-place as a mitigation strategy?
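
The shelter-in-place metric worked through in code, as an added example that is not part of the slides: the first-order exchange model is written here so that the clean fraction of room air decays as e^(-Rt) (the form slide 34 points to), making the contaminated percentage 100·(1 - e^(-Rt)). The air-exchange rates for the “Leaky” and “Air-Tight” envelopes and the 25% exposure threshold are constructed assumptions for illustration.

```python
import math

# Air-exchange rates (air changes per hour) for the two envelopes in the
# slide's chart. Constructed assumptions, not measured values.
ENVELOPES = {"Leaky": 1.0, "Air-Tight": 0.1}


def contaminated_pct(t_min: float, r_per_hr: float) -> float:
    """Percentage of room air that is outside (contaminated) air after t minutes.

    First-order exchange with the outside: the clean fraction decays as
    e^(-Rt), the same form as radioactive decay, so the contaminated share
    is 1 - e^(-Rt). R is the facade air-exchange rate.
    """
    t_hr = t_min / 60.0
    return 100.0 * (1.0 - math.exp(-r_per_hr * t_hr))


def time_to_pct(pct: float, r_per_hr: float) -> float:
    """Minutes until the room reaches `pct` percent contaminated air.

    Inverts 1 - e^(-Rt) = pct/100. This is the risk metric the slide
    describes: how long sheltering in place buys before a chosen limit.
    """
    if not 0 <= pct < 100:
        raise ValueError("pct must be in [0, 100)")
    t_hr = -math.log(1.0 - pct / 100.0) / r_per_hr
    return 60.0 * t_hr


def shelter_table(threshold_pct: float, minutes=(10, 30, 60, 180)):
    """Per-envelope contamination at sample times plus time-to-threshold."""
    rows = {}
    for name, r in ENVELOPES.items():
        rows[name] = {
            "pct_at": {m: round(contaminated_pct(m, r), 1) for m in minutes},
            "minutes_to_threshold": round(time_to_pct(threshold_pct, r), 1),
        }
    return rows


if __name__ == "__main__":
    # A tighter envelope buys roughly ten times longer at one tenth the rate.
    for name, row in shelter_table(25.0).items():
        print(name, row)
```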

Page 30:

Percentage of Room Contamination as a Function of Time

(Chart: Percentage of Contaminated Room Air versus Minutes, for Leaky and Air-Tight envelopes)

Page 31:

Time and Distance Risk Factors: Recurring Physical Models

• Harmonic oscillator (mass on a spring); f = -kx
• Point sources of energy; Intensity ~ 1/r²

• Exponential increase or decay; rate of change with time or distance is proportional to the amount of “stuff” present

Page 32:

The Building as a Harmonic Oscillator: Response to Explosive Forces


Time duration of explosive force (relative to the natural period of vibration) determines if overpressure or impulse dominates

Page 33:

Point Sources of Radiated Energy: Vulnerability to Radiofrequency Interception

Page 34:

Exponential Decay: Radioactivity (R) of Isotopes

R = R0·e^(-λt)

Also describes the room contamination shown previously

Page 35:

What About Non-Physical Threats like Property Theft?

• Threat = theft of property in a facility
• Risk factor = unauthorized physical access*
• Measure the number of unauthorized entries with existing systems; indirect measurement of risk
• Apply enhanced risk mitigation if required
• Measure again after deployment of enhanced mitigation

* Note! Thefts can occur courtesy of authorized individuals too. Must identify other risk factors

Page 36:

More Non-Physical Threats: Computer Virus Persistence

• Social network (e.g., e-mail) connectivity described by a power law, P(k) = k^(-γ); so-called “scale-free” distribution

• Connectivity (i.e., number of links/node), k, directly affects the probability of a virus infecting other nodes

• Network size, connectivity, and number of nodes are risk factors for computer virus persistence

Infection Dynamics on the Internet; David B. Chang and Carl S. Young, Computers and Security, 24, 280-286 (2005)

Page 37:

Living with Uncertainty: Measuring the Likelihood Component of Risk

Page 38:

Standard Deviation and Uncertainty: The Certainty of Uncertainty

For randomly occurring incidents or stable scenarios, the uncertainty is characterized by the standard deviation, σ ~ √N (N = number of incidents)

Good news! We are certain about the uncertainty for random or stable incident scenarios

Establish confidence intervals for the likelihood of future incidents

Page 39:

Uncertainty Gives Way to Anxiety


You still feel uneasy about the inherent uncertainty of security risk

How can you relieve the stress?

Page 40:

Decreasing Uncertainty: More Incidents!

• N = the number of security incidents
• σ = standard deviation = uncertainty in the distribution of randomly occurring incidents
• Let’s say σ = N/10. σ = √N = N/10 so N = 100
• You won’t be happy unless σ = N/100
• σ = √N = N/100 so N = 10,000
• Do you really want more incidents to reduce uncertainty?

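
As an added example (not from the slides), the following Python applies the σ = √N rule of slides 38 and 40 to the before/after measurement of unauthorized entries that slide 35 proposes as an indirect risk metric. The monthly counts are constructed sample data; the normal-approximation interval (z = 1.96) and the quadrature sum for the uncertainty of a difference are my assumptions for how to carry the comparison through.

```python
import math

# Constructed sample data (not real measurements): monthly counts of
# unauthorized entries flagged by the existing access-control system for
# six months before and six months after enhanced mitigation was deployed.
BEFORE = [14, 11, 16, 12, 15, 13]
AFTER = [6, 8, 5, 7, 6, 4]


def count_with_uncertainty(counts):
    """Return (N, sigma, sigma/N) for a series of incident counts.

    Only valid for randomly occurring or stable scenarios (slide 44):
    there the count behaves like a Poisson variable, so sigma = sqrt(N).
    """
    n = sum(counts)
    sigma = math.sqrt(n)
    return n, sigma, (sigma / n if n else float("inf"))


def rate_interval(counts, z=1.96):
    """Approximate 95% interval for the expected incidents per period.

    Normal approximation around N with sigma = sqrt(N); z = 1.96 is an
    assumption for a two-sided 95% interval.
    """
    n, sigma, _ = count_with_uncertainty(counts)
    periods = len(counts)
    return (n - z * sigma) / periods, (n + z * sigma) / periods


def incidents_needed(relative_uncertainty):
    """Incidents required before sigma/N drops to the target fraction f.

    sqrt(N) = f * N  =>  N = 1 / f**2: f = 0.1 needs 100, f = 0.01 needs 10,000.
    """
    return int(round(1.0 / relative_uncertainty ** 2))


def mitigation_effect(before, after):
    """Compare totals before and after mitigation over equal-length windows.

    Returns (reduction, sigma_of_difference, z_score). The two sqrt(N)
    uncertainties add in quadrature; a z-score well above 2 means the drop
    is unlikely to be luck within the random-incident model.
    """
    if len(before) != len(after):
        raise ValueError("windows must cover the same number of periods")
    n_b, s_b, _ = count_with_uncertainty(before)
    n_a, s_a, _ = count_with_uncertainty(after)
    reduction = n_b - n_a
    sigma_diff = math.sqrt(s_b ** 2 + s_a ** 2)
    return reduction, sigma_diff, reduction / sigma_diff


if __name__ == "__main__":
    n, s, f = count_with_uncertainty(BEFORE)
    print(f"before: N={n}, sigma={s:.1f}, relative={f:.2f}")
    print("expected per month (95%):", rate_interval(BEFORE))
    print("reduction, sigma, z:", mitigation_effect(BEFORE, AFTER))
    print("incidents for 1% uncertainty:", incidents_needed(0.01))
```

The relative uncertainty of the six-month baseline is about 11%, which is why the slide's arithmetic asks for 100 incidents to reach 10% and 10,000 to reach 1%.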

Page 41:

Increasing Uncertainty: Give the Bad Guys More Options

• You are the security director of a large company
• A terrorist attack against one of your company’s 10 facilities is virtually certain
• Probability of attack at a single facility is 1/10
• You recommend building 10 new facilities
• Probability is now only 1/20!
• See previous job advertisement for security director opening

Page 42:

Uncertainty Can Be Your Friend! Increasing Noise

• You are on a secret mission and concerned about electronic surveillance by the enemy

• Assume: transmitter signal (S) and ambient noise (N) are uncorrelated and radio frequency noise is random

• Signal averaging limit = S/N = √n(S/σ); σ = the standard deviation (uncertainty) of one measurement caused by noise, n = # measurements in enemy signal averaging

• Want the enemy to have large uncertainty in his/her measurement (i.e., large σ)

Page 43:

Uncertainty and the Vulnerability Component of Risk*

• Overpressure and impulse cause injuries mostly via glass breakage; recall scaling with distance and explosive payload

• Characterize uncertainty in distance and payload as normal distributions

• Model window behavior as a mass on a spring
• Determine the window “probability of protection” in terms of potential distance and payload scenarios


* Probabilistic Estimates of Vulnerability to Explosive Overpressures and Impulses; D.B. Chang, C.S. Young, The Journal of Physical Security, Volume 4(2), 2010

Page 44:

Lessons on Uncertainty

• There is always uncertainty in measuring the likelihood component of risk

• The degree of uncertainty is known for random or stable threat scenarios

• The degree of uncertainty is unknown for all other threat scenarios

• Need to recognize which is which

Page 45:

Putting it All Together: A Risk Assessment and Mitigation Framework

Page 46:

The Risk Management Process

(Diagram: a Unique Threat is characterized by Risk, which is manifested by the Likelihood of Threat Occurrence, Vulnerability to Threat Occurrence, and Impact of Threat Occurrence. Risk Models measure Risk Factor 1 … Risk Factor N and drive Mitigation 1 … Mitigation N, each with its Performance Criterion/Specifications; Mitigation utilizes Assessments, which generate those specifications. All of this is based on Standards, Metrics, Organizational Tolerance for Risk, and Operational Requirements.)

Page 47:

Example: Visual Monitoring

• Control = visual monitoring
• Method = CCTV
• Operational requirement = identification-level
• Current operational capability = recognition-level
• Camera and monitor performance specification = 60 pixels/linear foot of the horizontal scene
• Cost of upgrade to meet enhanced operational requirement = ?
• Directly relate risk to the cost of risk mitigation

Page 48:

Threats, Risk, Fear and Uncertainty Summary

• Threats are bad (but they’re only relatively bad)
• Fear of threats is also bad (but not for security consultants)
• Directors of security manage risk by making risk component trade-offs (but for a lot less than $1M a year!)
• Risk is inherently uncertain (but what isn’t?)
• Uncertainty can be reduced (but at a price)
