A Method for Developing Qualitative Security Risk Assessment Algorithms

We present a method for developing qualitative security risk assessment algorithms where the input captures the dynamic state of the target of analysis. This facilitates continuous monitoring. The intended users of the method are security and risk practitioners interested in developing assessment algorithms for their own or their client’s organization. Managers and decision makers will typically be end users of the assessments provided by the algorithms. To promote stakeholder involvement, the method is designed to ensure that the algorithm and the underlying risk model are simple to understand. We have employed the method to create assessment algorithms for 10 common cyber attacks, and use one of these to demonstrate the approach.acceptedVersio

Risk-Based Decision Support Model for Offshore Installations

Background: During major maintenance projects on offshore installations, flotels are often used to accommodate the personnel. A gangway connects the flotel to the installation. If the offshore conditions are unfavorable, the responsible operatives need to decide whether to lift (disconnect) the gangway from the installation. If this is not done, there is a risk that an uncontrolled autolift (disconnection) occurs, causing harm to personnel and equipment. Objectives: We present a decision support model, developed using the DEXi tool for multi-criteria decision making, which produces advice on whether to disconnect/connect the gangway from/to the installation. Moreover, we report on our development method and experiences from the process, including the efforts invested. An evaluation of the resulting model is also offered, primarily based on feedback from a small group of offshore operatives and domain experts representing the end user target group. Methods/Approach: The decision support model was developed systematically in four steps: establish context, develop the model, tune the model, and collect feedback on the model. Results: The results indicate that the decision support model provides advice that corresponds with expert expectations, captures all aspects that are important for the assessment, is comprehensible to domain experts, and that the expected benefit justifies the effort for developing the model. Conclusions: We find the results promising, and believe that the approach can be fruitful in a wider range of risk-based decision support scenarios. Moreover, this paper can help other decision support developers decide whether a similar approach can suit them