
Security and Risk Analysis






Presentation Transcript


  1. Security and Risk Analysis PSU’s new Minor & Major Potentially Rewarding Career A Lifelong Perspective

  2. Overview of Key Skills in SRA • SRA Curriculum Prepares for SRA Careers • Acquire Skillsets of Analysis Techniques to Protect Critical Infrastructures • Cyber-Infrastructure is Cross-Cutting & IST’s Major Advantages • Security is Key Outcome for Protection • Privacy is Key Outcome but Sometimes a Balancing Factor with Security • Understanding Threats is Key Skill • e.g., Crimes, Terrorism, Service/Parts Failures, Suspicion

  3. Core SRA Curriculum • Freshman: Intro Security & Risk Analysis (SRA 111); Intro People, Information & Tech (IST 110) • Sophomore: Threat of Terrorism & Crime (SRA 211); Statistics (STAT 200); CMPSC 101; Decision Theory & Analysis (SRA 231); Overview of Information Security (SRA 221) • Junior: Risk Management: Assessment & Mitigation (SRA 311); Legal, Ethical, and Regulatory Issues (IST 432) • Options: Intelligence Analysis & Modeling; Information & Cyber Security; Social Factor & Risk • Capstone: IST 440W

  4. Critical Infrastructure • Basic facilities, services, and installations needed for functioning of a community or society • “Infrastructure” • Framework of interdependent networks and systems comprising identifiable industries, institutions (including people and procedures), and distribution capabilities that • provide a reliable flow of products and services • essential to the defense, economic security, smooth functioning of government, and society • “Critical” • national infrastructures • so vital that their incapacity or destruction would have a debilitating impact on • defense or economic security

  5. What are the “Critical Infrastructures?” • telecommunications; • electrical power systems; • gas & oil storage & transportation; • banking and finance; • transportation; • water supply systems; • emergency services • e.g., medical, police, fire, rescue • continuity of government. • National Defense

  6. Threats of Terrorism: a History • Some Eras of Terrorism • French Revolution, 18th Century • from Fr. word “terrorisme” • from Latin v. terrere - to cause to tremble • 1795 Jacobins’ “Reign of Terror” • 19th Century • Anarchists in Czarist Russia • Irish Nationalism, separation from UK • 20th Century • KKK, IRA, Palestinian • 21st Century: 9.11 attacks

  7. 2001 Terrorist Incidents Map

  8. Intensity of Terrorist Acts • Measures of Intensity • Incident Counts • What role of frequency in intensity? • Results Measures • Injuries, casualties, $ losses, fear, counter-measure investment, civil liberty losses • Cluster Analyses • Geographic, sector, tools • SNA of connections w/in clusters

  9. Determining Threats • Depends on the focus: • Source - person/group inspiring fear or dread, source of danger • Communication - warning of imminent unpleasantness, declared intent or determination to inflict harm • Condition – menace, exploitable vulnerability • Chance or risk - potential for harm from unwanted event, potential violation of security • Threat > 50% - probable, threat < 50% - possible • Depends on the Target • Physical Assets • Continuing Operations • Economic & Business • Defense • Emergency Services

  10. What is Security? Depends on the focus: • State/Condition – free from danger, injury, anxiety, fear @ various levels of analysis (e.g., indiv., org., system, nation); protected • Descriptor of device or process – enables counter-measures &/or defense • Entity – dept. or function responsible • Actions – defensive, counter-measure to reduce risk, exclusion of unauthorized acts • Business/legal • Collateral • Investment (K): stocks & bonds, options (puts & calls) … • “Warm puppy”

  11. Security Threats Related to Terrorism • Targets are Largely Critical Infrastructure and Key Resources • Homeland Security Advisory System from HSPD-3 & 5 • Warnings as set of graduated “Threat Conditions”

  12. White Collar Crime under US Law • “… illegal acts which are characterized by deceit, concealment, or violation of trust and which are not dependent upon the application or threat of physical force or violence” • Pervasive approach in U.S. but not in Europe

  13. Significant White Collar Crimes • Various Frauds: Bankruptcy fraud, Medical/Healthcare Fraud, Credit Card Fraud, Consumer fraud, Tax Fraud, Securities/Financial Fraud • Insider trading • Forgery • Embezzlement • Counterfeiting • Money Laundering • Antitrust • Bribery • Environmental crime • Pension fund crime • RICO crimes • Public corruption • Extortion • Computer crime • Trade Secret Theft • Economic Espionage

  14. What is Organized Crime? • Criminal Enterprise (FBI def) – • Group of individuals with identified hierarchy, or comparable structure • Engaged in significant criminal activity • Often engage in multiple criminal activities • Generally have extensive supporting networks • Organized Crime (FBI def) – • Any group having some manner of a formalized structure • Primary objective is to obtain money through illegal activities • Maintain their position through the use of actual or threatened violence, corrupt public officials, graft, or extortion • Generally have a significant impact on the people in their locales, region, or the country as a whole

  15. Risks of Corporate, Organized & White-Collar Crime are Diffuse • Victims • General public & environmental quality (pollution) • Consumer (price fixing, unsafe products) • Employee (unsafe working conditions) • Government (tax fraud) • Competitor (price-fixing) • Risks: • Economic security, Safety, Government Integrity & Effectiveness, Market Integrity

  16. Pre-9.11: Pro-Privacy Momentum • Privacy Fundamentalists’ Successes • Shifting Public Opinion to Pre-Emptive Protections • Privacy Law Expansion • Self-Regulation Initiatives • Privacy Regulation Proliferated • Online (COPPA), Financial (G/L/B), Health (HIPAA), Encryption Strengthened

  17. Post 9.11: Pendulum Swings Back • Privacy Advocates in Retreat • Battle lines redrawn from former aggressive posture • Now defending existing privacy • Striving to mute expansion of government investigatory powers without appearing obstructionist • Government Investigation Hawks have Success • Public opinion shifting, in re, government intrusions • Law Enforcement gaining new powers: USA Patriot Act • The Major Challenge: Finding Acceptable Equilibrium • Classic Trade-off: Privacy vs. Security

  18. American Segmentation on Privacy • Privacy Fundamentalists Value privacy highly, Summarily reject claims that PII needs are legitimate, Advocate general refusal to disclose PII, Seek strong regulation of privacy rights, Held steady @ 25% of population • Privacy Pragmatists Balance privacy with societal needs, Examine privacy policies & practices, Disclose PII when economically rational, Support industry self-regulation unless ineffective, Grew from 55% in 1990 to 63% in 2000 • Privacy Unconcerned Typically unconcerned so trust in benefits from disclosing PII, Unlikely to support strong privacy rights, Declining from 20% in 1990 to 12% in 2000 Source: Alan F. Westin, Interpretive Essay in Public Records and the Responsible Use of Information, Choicepoint, 2000

  19. Conceptual Framework: Privacy (vs. or w/) Security • Privacy-Security Conundrum • Privacy-Security Complement

  20. Privacy-Security Conundrum • Irreconcilable, Zero-Sum Tradeoff • Strong privacy rights create externalities • Privacy compromises security • Intruders/terrorists enjoy excessive anonymity • Strong security requires limited privacy • Intrusion/attack deterred by ltd. privacy • Security enhanced with liberty limitations

  21. Hand/Posner/Bagby Model: Is there a trade-off between Privacy & Security? [Figure: graph with Privacy and Security axes]

  22. Hand/Posner/Bagby Model: Is there a trade-off between Privacy & Security? [Figure repeated]

  23. Hand/Posner/Bagby Model: Is there a trade-off between Privacy & Security? [Figure repeated with Security and Privacy axes swapped]

  24. Privacy-Security Complement • Privacy-security conundrum is too simplistic • Liberty enables security • EX: flight averts injury • Isolation protects prey • Self-imposed seclusion & anonymity • Privacy Diminished w/ insecure PII • History of predator misuse of public databases • Security Requirements under Privacy Law protect against ID Theft & Stalking • http://www.privacyrights.org/ar/ChronDataBreaches.htm

  25. Some SRA Analysis Methods • Social Network Analysis • Risk Management • Cost/Risk-Benefit Analyses

  26. Social Networking Theory (SNT) • Derived From Network Theory • Analysis of Network structure, behavior • Provides Useful insights into network design, optimization, enables predictions • Emerging framework applicable in natural phenomena & organism behavior (e.g., computer science, biology, criminology) • SNT maps relationships or associations among individuals, formal or informal groups: • To determine power, influence, communication/info flows • Social Structure composed of: • Nodes, objects, individuals, groups • Ties, links, paths • Alternative paradigm from Sociology’s traditional focus on each individual’s attributes

  27. Social Network Diagram

  28. Social Network Analysis (SNA) • Enables Mapping: • ID unknown or new members • Monitor flows: information, influence, $ … • Structure of sub-groups or clusters • E.g., hierarchical, virtual, leaderless, flat orgs • Enables Prosecution • Enables Prevention

  29. SNA Promise for Counter-Terrorism & Law Enforcement • Identify terrorist or organized crime groups • ID participants in such groups • Identify witnesses & evidence repositories: • To Prosecute past acts • To Prevent planned future acts • To Deter future organizing, conspiracies, “accessorizing,” attempts, recruitment

  30. SNA Method Applied to Counter-Terrorism & Law Enforcement • General method: • Determine nodes & links • EX: Victims’ & suspects’ names, addresses, phone numbers • Next classify links • Timing, Frequency, Volume, Content • EX: landline & cell calls, emails, texting, IMs, F2F encounters, family relationships, friends, co-workers, independent professional colleagues … • Always look for new nodes & links

  31. What is Risk Management? • Integration of risk, risk assessment, strategy development & implementation • Decision-making process; considerations: • Political, social, economic, engineering factors • Perform risk assessment for reasonably predictable hazards • Develop, analyze & compare options • Select optimal response for safety from that hazard • Decisions: • Accept exposure or • Reduce vulnerability - either mitigate risks or apply efficient control • Identification; acceptance or offsetting of threatening risks • Hedge risks: employ financial analysis & trading techniques

  32. General Risk Mgt Types • Risks: environment, technology, humans, organizations, politics • Some have Physical causes • Traditional risk management focuses on natural disasters, fires, accidents, death, terrorism, crime • Some have Legal causes: • E.G., lawsuits, legislation, regulation • Some have Financial causes • Financial risk management: Investment risks managed using traded financial instruments, hedging, derivative securities, options, futures, offsetting positions, portfolio techniques

  33. Why Perform Risk Management? • Objectives: • Reduce different risks related to a pre-selected domain to the level accepted by individual, organization, society • Achieve intended results • Invest in most promising projects • Reduce surprises & losses • No pain …. No Gain • Calculated risks may yield favorable results • Risk management permits optimizing efforts

  34. Basic Risk Management Process • ID Risk • Identification of risk in selected domain • Plan Risk Management Process • Map social scope: • Stakeholders’ objectives • Risks evaluation methods & constraints • Define framework Risk Mgt activities • Analyze Risks • Mitigate Risks

  35. Threat of Computer Security Breach Source: Economist.com

  36. Risk Analysis Methods • Decision trees • Probability Estimates of branches • Game theory: strategic anticipation of moves/actions, response formulation • Estimation of costs, probabilities • Prediction of events, political reactions • Simulation techniques • Cost-Benefit Analysis for investments or expenditures • Discounted Cash Flow predominant technique • (Real) Options (Black-Scholes, binomial, Monte Carlo) • Geographic Reasoning

  37. Cost-Benefit Analysis (C-B/A) • Formal discipline to appraise, or assess, the case for a (risk mgt) project or proposal • Weigh total expected costs against total expected benefits • A/K/A Cost effectiveness • Present Value & Discounted Cash Flow • Net Present Value, Benefit Cost Ratio

  38. Risk Treatment/Mitigation • Retention • Acknowledge Risks • Budget costs • Mitigate or Reduce • Change practices & procedures to minimize risks or impact on key constituencies • Eliminate or Avoid • Discontinue risky operations • Transfer • Insurance, Underwriter
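Slides 37 and 38 come together in one calculation: each treatment option (retain, mitigate, avoid, transfer) is scored with discounted cash flow, net present value and benefit-cost ratio, where the benefit is the expected annual loss the option avoids. This is an added example in Python, not part of the deck; the hazard figures, option costs, residual-loss fractions, discount rate and horizon are all constructed assumptions.

```python
"""Discounted cost-benefit comparison of risk-treatment options (added example).

Benefit of a treatment = expected annual loss it avoids; cost = up-front outlay
plus recurring spend. All figures below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Treatment:
    name: str
    upfront_cost: float        # one-time outlay at year 0
    annual_cost: float         # recurring spend (licences, staff, premiums, foregone revenue)
    residual_fraction: float   # share of the expected loss still borne after treatment


# Constructed hazard: 20% chance per year of a $500k incident -> $100k expected annual loss
EXPECTED_ANNUAL_LOSS = 0.20 * 500_000
DISCOUNT_RATE, HORIZON_YEARS = 0.10, 3

OPTIONS = [
    Treatment("Retention", 0, 0, 1.0),                   # accept exposure, budget for it
    Treatment("Mitigate (control)", 60_000, 10_000, 0.25),
    Treatment("Transfer (insurance)", 0, 40_000, 0.10),
    Treatment("Avoid (discontinue)", 0, 120_000, 0.0),   # foregone revenue is the cost
]


def present_value(amount: float, rate: float, year: int) -> float:
    """Discount one cash flow occurring `year` years from now."""
    return amount / (1.0 + rate) ** year


def pv_benefits(t: Treatment, loss: float, rate: float, years: int) -> float:
    """Present value of the expected loss avoided over the horizon."""
    avoided = loss * (1.0 - t.residual_fraction)
    return sum(present_value(avoided, rate, y) for y in range(1, years + 1))


def pv_costs(t: Treatment, rate: float, years: int) -> float:
    """Present value of up-front plus recurring costs over the horizon."""
    return t.upfront_cost + sum(present_value(t.annual_cost, rate, y) for y in range(1, years + 1))


def npv(t: Treatment, loss: float, rate: float, years: int) -> float:
    """Net present value: discounted benefits minus discounted costs."""
    return pv_benefits(t, loss, rate, years) - pv_costs(t, rate, years)


def benefit_cost_ratio(t: Treatment, loss: float, rate: float, years: int):
    """PV(benefits) / PV(costs); None for a zero-cost option such as retention."""
    cost = pv_costs(t, rate, years)
    return pv_benefits(t, loss, rate, years) / cost if cost > 0 else None


def rank_by_npv(options, loss: float, rate: float, years: int):
    """Option names, best NPV first; retention scores 0 and is the baseline."""
    return [t.name for t in sorted(options, key=lambda t: npv(t, loss, rate, years), reverse=True)]
```

With these inputs transfer ranks first and avoidance last, because the foregone revenue of discontinuing the operation exceeds the loss it removes.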
