    Information Security Risk Assessment, Aggregation, and Mitigation

    Towards Validating Risk Indicators Based on Measurement Theory (Extended version)

    Due to the lack of quantitative information and for cost-efficiency, most risk assessment methods use partially ordered values (e.g. high, medium, low) as risk indicators. In practice it is common to validate risk indicators by asking stakeholders whether they make sense. This way of validation is subjective, thus error prone. If the metrics are wrong (not meaningful), then they may lead system owners to distribute security investments inefficiently. For instance, in an extended enterprise this may mean over-investing in service level agreements or obtaining a contract that provides a lower security level than the system requires. Therefore, when validating risk assessment methods it is important to validate the meaningfulness of the risk indicators that they use. In this paper we investigate how to validate the meaningfulness of risk indicators based on measurement theory. Furthermore, to analyze the applicability of measurement theory to risk indicators, we analyze the indicators used by a risk assessment method specially developed for assessing confidentiality risks in networks of organizations.

    Towards Validating Risk Indicators Based on Measurement Theory

    Due to the lack of quantitative information and for cost-efficiency purposes, most risk assessment methods use partially ordered values (e.g. high, medium, low) as risk indicators. In practice it is common to validate risk scales by asking stakeholders whether they make sense. This way of validation is subjective, thus error prone. If the metrics are wrong (not meaningful), then they may lead system owners to distribute security investments inefficiently. Therefore, when validating risk assessment methods it is important to validate the meaningfulness of the risk scales that they use. In this paper we investigate how to validate the meaningfulness of risk indicators based on measurement theory. Furthermore, to analyze the applicability of measurement theory to risk indicators, we analyze the indicators used by a particular risk assessment method specially developed for assessing confidentiality risks in networks of organizations.

    Architecture-based Qualitative Risk Analysis for Availability of IT Infrastructures

    An IT risk assessment must deliver the best possible quality of results in a time-effective way. Organisations are used to customising the general-purpose standard risk assessment methods in a way that satisfies their requirements. In this paper we present the QualTD Model and method, which is meant to be employed together with standard risk assessment methods for the qualitative assessment of availability risks of IT architectures, or parts of them. The QualTD Model is based on our previous quantitative model, but is geared to industrial practice since it does not require quantitative data, which is often too costly to acquire. We validate the model and method in a real-world case by performing a risk assessment on the authentication and authorisation system of a large multinational company and by evaluating the results w.r.t. the goals of the stakeholders of the system. We also perform a review of the most popular standard risk assessment methods and an analysis of which of them can actually be integrated with our QualTD Model.

    Scoping study brief - Potential for adaptation and mitigation

    This brief presents the findings of a scoping study on the potential for adaptation and mitigation in East Africa, conducted as a requirement for the Climate Resilient Agribusiness for Tomorrow (CRAFT) Project, under Work Stream 3 on Enabling Environment for Climate-Smart Agriculture (CSA). The purpose was to ascertain the potential for adaptation and mitigation under CRAFT.

    Managing the social risks of public spending cuts in Scotland

    Model-Based Mitigation of Availability Risks

    The assessment and mitigation of risks related to the availability of the IT infrastructure is becoming increasingly important in modern organizations. Unfortunately, present standards for Risk Assessment and Mitigation show limitations when evaluating and mitigating availability risks. This is due to the fact that they do not fully consider the dependencies between the constituents of an IT infrastructure, which are paramount in large enterprises. These dependencies make the technical problem of assessing availability issues very challenging. In this paper we define a method and a tool for carrying out a Risk Mitigation activity which makes it possible to assess the global impact of a set of risks and to choose the best set of countermeasures to cope with them. To this end, a tool is necessary due to the high complexity of the assessment problem. Our approach can be integrated into present Risk Management methodologies (e.g. COBIT) to provide a more precise Risk Mitigation activity. We substantiate the viability of this approach by showing that most of the input required by the tool is available as part of a standard business continuity plan, and/or by performing a common tool-assisted Risk Management.

    Consistency and stability of risk indicators: The case of road infrastructures

    Over the last decade, the World Road Association – PIARC and several European research projects, among which Ecoroads, have encouraged a promising reflection on risk analysis methods, acceptance criteria and safety practices applied to the road system. The goal of this research activity is the definition of best practice for safety analysis and management to be applied to the TERN (Trans European Road Network). Quantitative Risk Analysis (QRA) provides much information on safety management. Nevertheless, the potential fragility of the method, stochastic uncertainties (in both parameters and models), and the ethical aspects of criteria must be adequately analyzed. This paper focuses on all these aspects, assessing the reliability of QRA with respect to modeling errors and statistical errors, and assessing the statistical consistency of the Risk Indicators of QRA.

    Mapping South African farming sector vulnerability to climate change and variability: A subnational assessment

    "This paper analyzes the vulnerability of South African farmers to climate change and variability by developing a vulnerability index and comparing vulnerability indicators across the nine provinces of the country. Nineteen environmental and socio-economic indicators are identified to reflect the three components of vulnerability: exposure, sensitivity, and adaptive capacity. The results of the study show that the regions most vulnerable to climate change and variability also have a higher capacity to adapt to climate change. Furthermore, vulnerability to climate change and variability is intrinsically linked with social and economic development. The Western Cape and Gauteng provinces, which have high levels of infrastructure development, high literacy rates, and low shares of agriculture in total GDP, are relatively low on the vulnerability index. In contrast, the highly vulnerable regions of Limpopo, KwaZulu Natal and the Eastern Cape are characterized by densely populated rural areas, large numbers of small-scale farmers, high dependency on rainfed agriculture and high land degradation. These large differences in the extent of vulnerability among provinces suggest that policy makers should develop region-specific policies and address climate change at the local level." (from authors' abstract)
    Keywords: Climate change, Agriculture, Vulnerability, Adaptive capacity, Exposure, Sensitivity, Climate variability

    Decision aid problems criteria for infrastructure networks vulnerability analysis (regular paper)

    Natural disasters propagating through infrastructure networks might aggravate or mitigate the consequences for the stakes involved. The objective of this paper is to characterize this kind of situation in order to provide a solid foundation for decision aid. This characterization includes a description of the typology, the identification of actions and potential actions, the determination of preference systems, as well as a set of problems specific to each phase.