Risk Analysis in a Security Context

Course Composition and Objectives

• Systems Analysis: Fully identify and describe a system of value to a decision maker.
  • Define the following terms and phrases:
    • security, security context, risk, analysis, risk analysis, risk management, risk assessment, risk communication, risk control, vulnerability, threat, consequence, countermeasure, mitigation, benefits, costs, return on investment, protector, defender, attacker, asset, value, utility, detect, defend, devalue, deter, dissuade, delay, defeat, probability, possibility, uncertainty, confidence, susceptibility, system, success, failure, components, interdependency, security, protection (and others).
  • Describe a system from multiple perspectives using one or more structured analytic techniques (e.g., hierarchical holographic modeling).
  • Identify the parts of a system (i.e., the things) and how they relate to one another (i.e., relations). Define systems “S” and the combination of things “T” and relations among things “R.”
  • Describe how systems might fail by applying suitable analytics techniques
• Risk Assessment: Make and defend coherent statements about threats, vulnerabilities, consequences and risk.
  • Define the following terms: scenario, vulnerability, threat, consequence, probability, security context.
  • Define a security context consisting of Protector, Asset, and Threat.
  • Articulate the three questions of risk assessment, namely:
    • What can happen? The answer to this question is a complete set of risk scenarios within the specified security context.
    • How likely is it to happen? The answer to this question is the probability of each scenario.
    • What are the consequences if it does happen? The answer to this question is the impact each scenario would have on the decision maker supposing it occurred.
  • Properly scope a risk assessment by establishing a security context and identify boundary conditions for analysis.
  • Identify scenarios, and assess their probability and consequences using context appropriate analytic techniques
  • Construct arguments about risk using structured argumentation.
• Risk Communication: Create a risk communication tailored to meet the specific interests of a target audience.
  • Articulate the three questions of risk communication:
    • What do decision makers know about the risks?
    • What does the analyst know about the risks? Typically, the answer to this question mirrors risk assessment results.
    • How should this gap in risk knowledge be bridged?
  • Communicate actionable recommendations to decision makers about risk and what can be done about it.
  • Explain to decision makers the analytic process used to develop risk information in a manner that maximizes decision maker trust in the process.
• Risk Control:  Evaluate the merits of alternative risk mitigation proposals in terms of their benefits, costs and other intangibles.
  • Articulate the three questions of risk control:
    • What can be done about the risks?
    • What real options are available to reduce risk?
    • What is the best option?
  • Discuss the concept of “risk acceptance”
  • Identify strategies for mitigating, transferring or eliminating risk in different security contexts, to include both human and technological solutions
  • Explain how the techniques used for risk assessment are also used to evaluate measures to control risk
• Risk Analysis: Synthesize the materials covered in the course to produce a risk study.
  • Apply at least one model of critical evaluation (e.g., see Paul & Elder*) to dissect and appraise real risk analysis products
    • Paul & Elder propose 8 Elements of Thought, a scheme to use when dissecting arguments. The student would address each of the following elements of a risk analysis product:
      • Purpose
      • Question at Issue
      • Point of View
      • Assumptions
      • Concepts
      • Data and Information
      • Inferences
      • Implications
    • Paul & Elder also propose 9 “Intellectual Standards” for appraising an argument. The student would address the following:
      • Fairness
      • Clarity
      • Precision
      • Accuracy
      • Breadth
      • Depth
      • Logic
      • Significance
      • Relevance
• Instructors Choice: Instructors may choose topics and learning objectives that meet the spirit of the course as defined here. Instructors may choose to devote more time to the learning objectives listed above or to add additional, complementary objectives. Supplementary material and objectives should not overlap with the defined content of other courses in the curriculum.
  • Some example topics include:
    • Distinguish between multiple viewpoints on systems:
      • Realism vs. Constructionism
      • Holism vs. Reductionism
    • Collect and organize data in a systematic way using different approaches (e.g., data classification systems)
    • Calibrate subjective probability judgments

Course Description

SRA 311 (Risk Analysis in a Security Context) is the gateway course to entry-level career opportunities in the risk analysis field. The entire course is focused educating and training students on how to apply a variety of analytic techniques to answer the “ten questions of risk management” illustrated in the diagram below:

Everything about this course is focused on developing analytical skills aimed at producing credible and meaningful answers to each of these questions. Within the College of IST, many of the risks considered center on those created by intelligent adversaries, including cybercriminals and terrorists, although risks may also include natural disasters, system failures, accidents, etc. The goal of this course is to assure that students successfully completing SRA 311 are capable of applying a diverse set of analytic techniques to answer questions in contexts such as information security, counter terrorism and intelligence, or any other particular field where security is at issue.