A Risk- and Fuzzy Set-Based Methodology for Advanced Concept Technology Demonstration Military Utility Assessment Design

The U.S. Department of Defense Advanced Concept Technology Demonstration (ACTD) and derivative, rapid acquisition programs offer timely solutions to critical military needs by assessing the utility of technologies mature enough to be fielded without application of traditional, defense system development processes. Military utility assessments (MUA) are ACTDs\u27 most critical features, but the lack of a standard for identifying assessment criteria tailored to specific demonstrations risks poorly informed acquisition decisions and the military operations those decisions are intended to support. The purpose of this research was to develop and deploy a methodology for identifying measures of effectiveness integral to advanced concept technology demonstration military utility assessment design. Within a context determined by attributes of complex systems, the research observed twin premises that ACTD assessment designs should accommodate: all risks possible when incorporating demonstration prototypes within superior and complex, joint military operations metasystems; and the ambiguities and other of what have been termed “fuzzy” manifestations of the cognition and language with which end-user, military operators craft and express perspectives required to identify measures of effectiveness fundamental to MUA designs. The effort pursued three research questions: (1) How might joint military operations metasystem models guide the identification of ACTD measures of effectiveness? (2) How might be developed and employed joint military metasystem models with which can be identified ACTD measures of effectiveness? (3) How useful might ACTD managers and analysts find the MUA design methodology developed and deployed with this research? The deployed methodology stimulated answers to these research questions by uniquely combining tailored versions of established risk assessment methods with a fuzzy method for resolving small group preferences. The risk assessment methods honored one research premise while enabling the identification and employment of a joint military operations metasystem model suited to MUA design needs of a simulated ACTD. The fuzzy preference method honored the second research premise as it, too, promoted metasystem model employment. The complete methodology was shown to hold favor with a large segment of a community expert in managing and assessing the utility of ACTDs emphasizing critical, joint military service needs

Eliciting Informative Priors by Modelling Expert Decision Making

This article introduces a new method for eliciting prior distributions from experts. The method models an expert decision-making process to infer a prior probability distribution for a rare event $A$. More specifically, assuming there exists a decision-making process closely related to $A$ which forms a decision $Y$, where a history of decisions have been collected. By modelling the data observed to make the historic decisions, using a Bayesian model, an analyst can infer a distribution for the parameters of the random variable $Y$. This distribution can be used to approximate the prior distribution for the parameters of the random variable for event $A$. This method is novel in the field of prior elicitation and has the potential of improving upon current methods by using real-life decision-making processes, that can carry real-life consequences, and, because it does not require an expert to have statistical knowledge. Future decision making can be improved upon using this method, as it highlights variables that are impacting the decision making process. An application for eliciting a prior distribution of recidivism, for an individual, is used to explain this method further

Review and Evaluation of the J100â 10 Risk and Resilience Management Standard for Water and Wastewater Systems

Risk analysis standards are often employed to protect critical infrastructures, which are vital to a nation’s security, economy, and safety of its citizens. We present an analysis framework for evaluating such standards and apply it to the J100â 10 risk analysis standard for water and wastewater systems. In doing so, we identify gaps between practices recommended in the standard and the state of the art. While individual processes found within infrastructure risk analysis standards have been evaluated in the past, we present a foundational review and focus specifically on water systems. By highlighting both the conceptual shortcomings and practical limitations, we aim to prioritize the shortcomings needed to be addressed. Key findings from this study include (1) risk definitions fail to address notions of uncertainty, (2) the sole use of â worst reasonable caseâ assumptions can lead to mischaracterizations of risk, (3) analysis of risk and resilience at the threatâ asset resolution ignores dependencies within the system, and (4) stakeholder values need to be assessed when balancing the tradeoffs between risk reduction and resilience enhancement.Peer Reviewedhttps://deepblue.lib.umich.edu/bitstream/2027.42/154262/1/risa13421_am.pdfhttps://deepblue.lib.umich.edu/bitstream/2027.42/154262/2/risa13421.pd

Risk Assessment Framework for Evaluation of Cybersecurity Threats and Vulnerabilities in Medical Devices

Medical devices are vulnerable to cybersecurity exploitation and, while they can provide improvements to clinical care, they can put healthcare organizations and their patients at risk of adverse impacts. Evidence has shown that the proliferation of devices on medical networks present cybersecurity challenges for healthcare organizations due to their lack of built-in cybersecurity controls and the inability for organizations to implement security controls on them. The negative impacts of cybersecurity exploitation in healthcare can include the loss of patient confidentiality, risk to patient safety, negative financial consequences for the organization, and loss of business reputation. Assessing the risk of vulnerabilities and threats to medical devices can inform healthcare organizations toward prioritization of resources to reduce risk most effectively. In this research, we build upon a database-driven approach to risk assessment that is based on the elements of threat, vulnerability, asset, and control (TVA-C). We contribute a novel framework for the cybersecurity risk assessment of medical devices. Using a series of papers, we answer questions related to the risk assessment of networked medical devices. We first conducted a case study empirical analysis that determined the scope of security vulnerabilities in a typical computerized medical environment. We then created a cybersecurity risk framework to identify threats and vulnerabilities to medical devices and produce a quantified risk assessment. These results supported actionable decision making at managerial and operational levels of a typical healthcare organization. Finally, we applied the framework using a data set of medical devices received from a partnering healthcare organization. We compare the assessment results of our framework to a commercial risk assessment vulnerability management system used to analyze the same assets. The study also compares our framework results to the NIST Common Vulnerability Scoring System (CVSS) scores related to identified vulnerabilities reported through the Common Vulnerability and Exposure (CVE) program. As a result of these studies, we recognize several contributions to the area of healthcare cybersecurity. To begin with, we provide the first comprehensive vulnerability assessment of a robotic surgical environment, using a da Vinci surgical robot along with its supporting computing assets. This assessment supports the assertion that networked computer environments are at risk of being compromised in healthcare facilities. Next, our framework, known as MedDevRisk, provides a novel method for risk quantification. In addition, our assessment approach uniquely considers the assets that are of value to a medical organization, going beyond the medical device itself. Finally, our incorporation of risk scenarios into the framework represents a novel approach to medical device risk assessment, which was synthesized from other well-known standards. To our knowledge, our research is the first to apply a quantified assessment framework to the problem area of healthcare cybersecurity and medical networked devices. We would conclude that a reduction in the uncertainty about the riskiness of the cybersecurity status of medical devices can be achieved using this framework

Decision support for choice of security solution: the Aspect-Oriented Risk Driven Development (AORDD)framework

In security assessment and management there is no single correct solution to the identified security problems or challenges. Instead there are only choices and tradeoffs. The main reason for this is that modern information systems and security critical information systems in particular must perform at the contracted or expected security level, make effective use of available resources and meet end-users' expectations. Balancing these needs while also fulfilling development, project and financial perspectives, such as budget and TTM constraints, mean that decision makers have to evaluate alternative security solutions.\ud \ud This work describes parts of an approach that supports decision makers in choosing one or a set of security solutions among alternatives. The approach is called the Aspect-Oriented Risk Driven Development (AORDD) framework, combines Aspect-Oriented Modeling (AOM) and Risk Driven Development (RDD) techniques and consists of the seven components: (1) An iterative AORDD process. (2) Security solution aspect repository. (3) Estimation repository to store experience from estimation of security risks and security solution variables involved in security solution decisions. (4) RDD annotation rules for security risk and security solution variable estimation. (5) The AORDD security solution trade-off analysis and trade-o¤ tool BBN topology. (6) Rule set for how to transfer RDD information from the annotated UML diagrams into the trad-off tool BBN topology. (7) Trust-based information aggregation schema to aggregate disparate information in the trade-o¤ tool BBN topology. This work focuses on components 5 and 7, which are the two core components in the AORDD framework

Security Analysis: A Critical Thinking Approach

Security Analysis: A Critical-Thinking Approach is for anyone desiring to learn techniques for generating the best answers to complex questions and best solutions to complex problems. It furnishes current and future analysts in national security, homeland security, law enforcement, and corporate security an alternative, comprehensive process for conducting both intelligence analysis and policy analysis. The target audience is upper-division undergraduate students and new graduate students, along with entry-level practitioner trainees. The book centers on a Security Analysis Critical-Thinking Framework that synthesizes critical-thinking and existing analytic techniques. Ample examples are provided to assist readers in comprehending the material. Newly created material includes techniques for analyzing beliefs and political cultures. The book also functions as an introduction to Foreign Policy and Security Studies.https://encompass.eku.edu/ekuopen/1005/thumbnail.jp

Conflicting Objectives in Decisions

This book deals with quantitative approaches in making decisions when conflicting objectives are present. This problem is central to many applications of decision analysis, policy analysis, operational research, etc. in a wide range of fields, for example, business, economics, engineering, psychology, and planning. The book surveys different approaches to the same problem area and each approach is discussed in considerable detail so that the coverage of the book is both broad and deep. The problem of conflicting objectives is of paramount importance, both in planned and market economies, and this book represents a cross-cultural mixture of approaches from many countries to the same class of problem

Robustness of Multiple Objective Decision Analysis Preference Functions

This research investigated value and utility functions in multiobjective decision analysis to examine the relationship between them in a military decision making context. The impact of these differences was examined to improve implementation efficiency. The robustness of the decision model was examined with respect to the preference functions to reduce the time burden imposed on the decision maker. Data for decision making in a military context supports the distinction between value and utility functions. Relationships between value and utility functions and risk attitudes were found to be complex. Elicitation error was significantly smaller than the difference between value and utility functions. Risk attitudes were generally neither constant across the domain of the evaluation measure nor consistent between evaluation measures. An improved measure of differences between preference functions, the weighted root means square, is introduced and a goodness of fit criterion established. An improved measure of risk attitudes employing utility functions is developed. Response Surface Methodology was applied to improve the efficiency of decision analysis utility model applications through establishing the robustness of decision models to the preference functions. An algorithm was developed and employs this information to provide a hybrid value-utility model that offers increased elicitation efficiency

Analysis of Layered Social Networks

Prevention of near-term terrorist attacks requires an understanding of current terrorist organizations to include their composition, the actors involved, and how they operate to achieve their objectives. To aid this understanding, operations research, sociological, and behavioral theory relevant to the study of social networks are applied, thereby providing theoretical foundations for new methodologies to analyze non-cooperative organizations, defined as those trying to hide their structure or are unwilling to provide information regarding their operations. Techniques applying information regarding multiple dimensions of interpersonal relationships, inferring from them the strengths of interpersonal ties, are explored. A layered network construct is offered that provides new analytic opportunities and insights generally unaccounted for in traditional social network analyses. These provide decision makers improved courses of action designed to impute influence upon an adversarial network, thereby achieving a desired influence, perception, or outcome to one or more actors within the target network. This knowledge may also be used to identify key individuals, relationships, and organizational practices. Subsequently, such analysis may lead to the identification of exploitable weaknesses to either eliminate the network as a whole, cause it to become operationally ineffective, or influence it to directly or indirectly support National Security Strategy

Methods for eliciting informative prior distributions: A critical review

Eliciting informative prior distributions for Bayesian inference can often be complex and challenging. Although popular methods rely on asking experts probability-based questions to quantify uncertainty, these methods are not without their drawbacks, and many alternative elicitation methods exist. This paper explores methods for eliciting informative priors categorized by type and briefly discusses their strengths and limitations. Most of the review literature in this field focuses on a particular type of elicitation approach. The primary aim of this work, however, is to provide a more complete yet macro view of the state of the art by highlighting new (and old) approaches in one clear easy-to-read article. Two representative applications are used throughout to explore the suitability, or lack thereof, of the existing methods, one of which highlights a challenge that has not been addressed in the literature yet. We identify some of the gaps in the present work and discuss directions for future research