Project risk analysis


Transcript of Project risk analysis

Page 1: Project risk analysis

Project risk analysis has a broad range of applications, just as the definition of a project is broad. Project risk analysis is concerned with the assessment of the risks and uncertainties that threaten a project.

What is a Project?
A temporary endeavor undertaken to create a unique product or service. In the broadest sense, a project is a specific, finite task to be accomplished, whether large or small in scale, long or short in duration.

What is Risk?
The probability that a particular threat will exploit a particular vulnerability.

Risk analysis is the review of the risks associated with a particular event or action. It is applied to projects, information technology, security issues and any action where risks may be analyzed on a quantitative and qualitative basis. Risk analysis is a component of risk management.

Risk Management Cycle

Risk Analysis

1. Calculate the (quantitative) likelihood of each identified hazard
2. Calculate the (quantitative) consequences that are expected to occur for each hazard
3. Develop a locally-tailored qualitative system of measurement
4. Translate all quantitative data into qualitative measures

Who should be Involved?

- Security experts
- Internal domain experts
- Managers responsible for implementing controls

Assets

- Identify Assets
- Critical Assets

Identify Assets

- Physical assets: buildings, computers
- Logical assets: intellectual property, reputation

Critical Assets

- People and skills
- Goodwill
- Hardware/Software
- Documentation
- Physical plant
- Money

Threats

- An expression of intention to inflict evil, injury or damage
- Attacks against key security services: confidentiality, integrity, availability

Vulnerabilities

- A flaw or weakness in a system that can be exploited to violate system integrity
  - Security procedures
  - Design
  - Implementation
- Threats trigger vulnerabilities
  - Accidental
  - Malicious

Controls/Countermeasures

- Mechanisms or procedures for mitigating vulnerabilities
  - Prevent
  - Detect
  - Recover
- Understand the cost and coverage of a control
- Controls follow vulnerability and threat analysis

Risk/Control Trade-Offs

- The only safe asset is a dead asset
  - An asset that is completely locked away is safe, but useless
  - Trade-off between safety and availability
- Do not waste effort where the loss value is low
  - Don't spend resources to protect garbage
- A control only has to be good enough, not absolute
  - Make it tough enough to discourage the enemy

Types of Risk Analysis

- Quantitative
  - Assigns real numbers to costs of safeguards and damage
  - Annual loss exposure (ALE)
  - Probability of event occurring
  - Can be unreliable/inaccurate
- Qualitative
  - Judges an organization's risk to threats
  - Based on judgment, intuition, and experience
  - Ranks the seriousness of the threats against the sensitivity of the assets
  - Subjective; lacks hard numbers to justify return on investment

Quantitative vs. Qualitative

- Quantitative analysis
  - Uses mathematical/statistical data to derive numerical descriptions of risk
  - More precise analysis
  - More difficult to perform
- Qualitative analysis
  - Uses defined terms (words) to describe and categorize risk
  - Less precise analysis
  - Easier to perform

Consequence

- Deaths/fatalities (human)
- Injuries (human)
- Damages (cost, reported in US dollars)

Direct Losses

- Fatalities
- Injuries
- Repair and replacement of damaged or destroyed public and private structures
- Relocation costs/temporary housing
- Loss of business inventory/agriculture
- Loss of income/rental costs
- Community response costs
- Cleanup costs

Indirect Losses

- Loss of income
- Input/output losses of businesses
- Reductions in business/personal spending ("ripple effects")
- Loss of institutional knowledge
- Mental illness
- Bereavement

Tangible Losses

- Cost of building repair/replacement
- Response costs
- Loss of inventory
- Loss of income

Intangible Losses

- Cultural losses
- Stress
- Mental illness
- Sentimental value
- Environmental losses
- Fatalities/injuries

Quantitative Analysis Outline

1. Identify and value assets
2. Determine vulnerabilities and impact
3. Estimate likelihood of exploitation
4. Compute Annual Loss Exposure
5. Survey applicable controls and their costs
6. Project annual savings from control

Quantitative

- Risk = Risk-impact x Risk-probability
  - Loss of car: risk-impact is the cost to replace the car, e.g. $10,000
  - Probability of car loss: 0.10
  - Risk = 10,000 x 0.10 = 1,000
- Generally measured per year: Annual Loss Exposure (ALE)
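Worked example of outline steps 4 to 6 and the Risk = impact x probability formula, added here and not part of the original slides: it computes the ALE of each asset/threat pair, then projects each candidate control's annual savings (ALE reduction minus the control's yearly cost) and drops controls that cost more than the loss they prevent. All assets, probabilities, costs and coverage fractions are constructed sample values; only the car figures follow the slide.

```python
"""Quantitative risk analysis: ALE per asset/threat pair and projected annual
savings of candidate controls. Every figure below is a constructed sample."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    asset: str
    threat: str
    impact: float       # risk-impact: cost of a single loss, in dollars
    probability: float  # risk-probability: expected occurrences per year

    def ale(self) -> float:
        """Annual Loss Exposure = risk-impact x risk-probability."""
        return round(self.impact * self.probability, 2)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float  # what the control costs per year
    coverage: float     # fraction of the ALE the control eliminates (0..1)


def ale_after_control(exposure: Exposure, control: Control) -> float:
    """Residual ALE once the control removes its covered share of the loss."""
    return round(exposure.ale() * (1 - control.coverage), 2)


def annual_savings(exposure: Exposure, control: Control) -> float:
    """Projected yearly saving: ALE reduction minus the control's yearly cost.
    Negative means the control costs more than the loss it prevents."""
    return round(exposure.ale() - ale_after_control(exposure, control)
                 - control.annual_cost, 2)


def rank_controls(exposure: Exposure, controls: list[Control]) -> list[tuple[str, float]]:
    """Controls that pay for themselves (savings > 0), best first; a control
    that costs more than the exposure it covers is dropped as wasted effort."""
    scored = [(c.name, annual_savings(exposure, c)) for c in controls]
    return sorted((s for s in scored if s[1] > 0), key=lambda s: -s[1])


# Constructed sample: the slide's car example plus a server exposure.
CAR = Exposure("company car", "theft", impact=10_000, probability=0.10)
CAR_CONTROLS = [Control("armoured garage", annual_cost=2_500, coverage=0.9),
                Control("gps tracker", annual_cost=200, coverage=0.5)]
SERVER = Exposure("file server", "ransomware", impact=250_000, probability=0.05)
SERVER_CONTROLS = [Control("offline backups", annual_cost=3_000, coverage=0.8)]

if __name__ == "__main__":
    print(CAR.ale(), rank_controls(CAR, CAR_CONTROLS))  # 1000.0 [('gps tracker', 300.0)]
    print(SERVER.ale(), rank_controls(SERVER, SERVER_CONTROLS))
```

The armoured garage is rejected because it would cost more per year than the car's whole ALE, which is the trade-off the slides describe.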

Qualitative Risk Analysis

- Generally used in information security
  - Hard to make meaningful valuations and meaningful probabilities
  - Relative ordering is faster and more important
- Many approaches to performing qualitative risk analysis
- Same basic steps as quantitative analysis
  - Still identifying assets, threats, vulnerabilities, and controls
  - Just evaluating importance differently

Problem Identification

- Step 1: Identify scope
  - Bound the problem
- Step 2: Assemble team
  - Include subject matter experts, management in charge of implementing, users
- Step 3: Identify threats
  - Pick from lists of known threats
  - Brainstorm new threats
  - Mixing threats and vulnerabilities here...

Threat Prioritization

- Prioritize threats for each asset
  - Likelihood of occurrence
- Define a fixed threat rating
  - Associate a rating with each threat
  - An approximation to the risk probability in the quantitative approach

Loss Impact

- With each threat, determine loss impact
- Define a fixed ranking
  - Used to prioritize damage to asset from threat

Changes in Human Activities

- Population growth
- Economic growth
- Technological innovation
- Social expectations
- Growing interdependence

Project risk analysis lets us understand whether a project is risky or not. Whatever the level of risk, high or low, the investor takes the decision.