Security and Technology (WM0823TU) Lecture 1: Introduction

January 28, 2022
Jan van den Berg, Faculty of Technology, Policy and Management
Home page: http://www.tbm.tudelft.nl/live/pagina.jsp?id=352a81e9-563c-4098-8a54-d424dbc1e41b&lang=en
Email: [email protected]


Transcript of Security and Technology (WM0823TU) Lecture 1: Introduction

Page 1: Security and Technology (WM0823TU) Lecture 1: Introduction


April 21, 2023


Security and Technology (WM0823TU) Lecture 1: Introduction

Jan van den Berg

Faculty of Technology, Policy and Management

Home page: http://www.tbm.tudelft.nl/live/pagina.jsp?id=352a81e9-563c-4098-8a54-d424dbc1e41b&lang=en

Email: [email protected]

Page 2: Security and Technology (WM0823TU) Lecture 1: Introduction

Agenda

• From a ‘Society at Risk’ to a ‘Risk Society’
• Defining/Dealing with Risk
• Course ‘Security and Technology’: focus and setup

Page 3: Security and Technology (WM0823TU) Lecture 1: Introduction


Our Society and its Risks

• Society is based on complex (critical) infrastructures that often apply sophisticated technology:

  • (inter)national water and energy supply
  • production factories
  • (inter)national supply chain
  • public transport services
  • healthcare system
  • Internet and other ICT services
  • financial services
  • river and sea flooding defense system
  • …

• Infrastructures are often highly interdependent (why?)

Page 4: Security and Technology (WM0823TU) Lecture 1: Introduction


Infrastructures, example

[Figure labels: physical: road, water; physical: mechanical; physical: electricity; Earth; physical: hardware; virtual: software]

• Strongly interwoven
• Many SPOFs (single points of failure)

Page 5: Security and Technology (WM0823TU) Lecture 1: Introduction


Society at risk

• Due to intentional threats like terrorism, smuggling, theft, fraud, …, our society has security problems

• Due to unintentional threats or hazards like natural disasters, human errors, technical failures, …, our society has safety problems

In short, our society is at risk, i.e., our society is in a permanent state of risk as a consequence of a long modernization process

• Q: Which (un)intentional threats related to the safety or security problems you are interested in do you know?

Page 6: Security and Technology (WM0823TU) Lecture 1: Introduction


Risk Society

• In order to deal with the risks related to safety and security (S&S) problems, we can take measures:
  • preventative measures like … to prevent S&S incidents from occurring
  • detective measures like … to detect S&S incidents that occur
  • corrective measures like … to recover from S&S incidents that have occurred and been detected

• A Risk Society [Beck, 1992] is a society organized in response to risk: “it is a society that, unlike any preceding culture, lives in the future rather than the past” [http://en.wikipedia.org/wiki/Risk_society]

Page 7: Security and Technology (WM0823TU) Lecture 1: Introduction

Agenda

• From a ‘Society at Risk’ to a ‘Risk Society’…
• Defining/Dealing with Risk
• Course ‘Security and Technology’: focus and setup

Page 8: Security and Technology (WM0823TU) Lecture 1: Introduction


The word risk has an ambiguous meaning…

• Risk = danger: to run a risk (Dutch: ‘risico/gevaar lopen om …’)
• Risk = threat: global sea level rise poses a high risk for Holland
• Risk = probability: there is a high risk that (s)he will …
• Risk = possible loss: the ‘eigen risico’ (deductible) of an insurance policy
• Risk = …

• Q: what other meanings for the word risk do you know?

In each context, there is a strong need to define risk properly

Page 9: Security and Technology (WM0823TU) Lecture 1: Introduction


What’s the problem?

• We all strongly depend on many resources including other people, nature, devices, services, money, … at all kinds of scales (in your house, city, province, land, continent, world, …)

• Sometimes, the word capabilities is used instead, referring to human capabilities, economic forces (capital, labor, nature, information), ...

• Threats or hazards like … may menace these resources/capabilities (you name it!)
• Vulnerabilities (in the defense) of a resource let the threats result (with a certain probability) in incidents having a certain impact: there is a RISK!!
• Due to the risk, certain (possibly overlapping) measures are taken: preventative, detective and corrective

[Figure labels: valuable resource or capability; threats; measures]

Page 10: Security and Technology (WM0823TU) Lecture 1: Introduction


What is risk?

• The concept of risk denotes a potential negative impact to some characteristic of value that may arise from future events or, in other words,

• Risks are events or conditions that may occur, and whose occurrence, if it does take place, has a harmful or negative effect or, in engineering terms,

• Risk = Expected Loss = $\sum_i p_i \times l_i$, where
  • $l_i$ represents the loss in case of event $i$
  • $p_i$ represents the probability that event $i$ occurs, i.e., $p_i = p_{i,\text{threat}} \cdot p_{i,\text{measure fails}}$

• Note: further decomposition of probabilities is often possible

[source: Wikipedia, partly adapted]

Page 11: Security and Technology (WM0823TU) Lecture 1: Introduction

What is risk, cont.?

• In a world with infinitely many possible losses, where we define a loss distribution $f(l)$ over all possible losses $l$, the risk = expected loss is given by

$$\text{risk} = \int f(l)\, l \, dl$$

• Discuss the relationship between this formula and the previous one (only difference is continuous versus discrete sample space…, why?)
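The two risk formulas above, worked through as an added example (not part of the original slides): the discrete sum over a constructed three-event register with the probability decomposed into threat and measure-failure parts, and the integral approximated by slices, where each slice contributes one probability-times-loss term. Event names, probabilities, loss figures and the exponential loss density are assumptions chosen for illustration.

```python
# Added example: expected-loss risk in its discrete and continuous forms.
# All events, probabilities and loss figures below are constructed.
import math

# Each event i: (name, p_threat, p_measure_fails, loss l_i in euro)
REGISTER = [
    ("laptop theft",        0.30, 0.50,   2_000.0),
    ("ransomware outbreak", 0.10, 0.20, 250_000.0),
    ("data-centre flood",   0.01, 0.10, 900_000.0),
]

def event_probability(p_threat, p_measure_fails):
    """p_i = p_threat * p_measure_fails (assumes the two are independent)."""
    for p in (p_threat, p_measure_fails):
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"probability out of range: {p}")
    return p_threat * p_measure_fails

def expected_loss(register):
    """Discrete form: risk = sum over i of p_i * l_i."""
    return sum(event_probability(pt, pf) * loss for _, pt, pf, loss in register)

def with_measure(register, name, new_p_fail):
    """Copy of the register with one event's measure-failure probability changed."""
    return [(n, pt, new_p_fail if n == name else pf, loss)
            for n, pt, pf, loss in register]

def exponential_density(mean):
    """Loss density f(l) = exp(-l/mean)/mean; its expected loss equals `mean`."""
    return lambda l: math.exp(-l / mean) / mean

def expected_loss_continuous(density, upper, steps):
    """Continuous form: integral of f(l) * l dl on [0, upper], midpoint rule.
    Slice i adds p_i * l_i with p_i ~= f(l_i) * dl, which is the discrete sum."""
    dl = upper / steps
    total = 0.0
    for k in range(steps):
        l_mid = (k + 0.5) * dl
        total += density(l_mid) * dl * l_mid
    return total

if __name__ == "__main__":
    print("risk, current measures :", round(expected_loss(REGISTER), 2))
    better = with_measure(REGISTER, "ransomware outbreak", 0.05)
    print("risk, stronger measure :", round(expected_loss(better), 2))
    f = exponential_density(10_000.0)
    print("risk, continuous losses:", round(expected_loss_continuous(f, 200_000.0, 20_000), 2))
```

Lowering one measure-failure probability changes only that event's term, which is how a preventative, detective or corrective measure shows up in the expected-loss figure.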


Page 12: Security and Technology (WM0823TU) Lecture 1: Introduction


Values at risk

• Note that the interpretation of this quantified definition of loss is important in practice… (to be discussed)

• In addition, quantification of certain values might be (almost) impossible: values/valuable resources include
  • economic values, most often expressed in quantities of money, but also in terms like business continuity, creditworthiness, reputation level
  • human values, including love, education, eco-food, healthcare, safety and security, freedom, democracy
  • moral values, such as being respectful, being polite, being unpretentious, being sustainable, being helpful, having privacy, being generous, being equal, having the same rights, the right of having a house and income

Page 13: Security and Technology (WM0823TU) Lecture 1: Introduction


Measuring risk

• Risk can be measured in quantitative or qualitative terms
• In both cases, measuring is often very difficult:
  • probability of having a water flood or nuclear explosion in the Netherlands * economic impact = expected loss = risk
  • probability of losing more than 20% of your investment in the stock market during the next year yields an expected loss (risk) …
  • danger of losing your best friend is hard to define in risk terms
  • risk of an energy supply interruption of more than 2 days is …
  • risk of experiencing a privacy breach on the Internet is …
  • risk of reputation loss due to an employee’s mistake is …
  • probability of a terrorist attack in the Hague, Delft, or Rotterdam * possible impact = risk

Page 14: Security and Technology (WM0823TU) Lecture 1: Introduction


Measuring risk, cont.

• Despite the difficulties of measuring it, attempts are often made to measure risk:
  • In finance, e.g., risk in financial markets is often defined as the ‘volatility’ of the returns (expressed in the standard deviation of the returns), and ‘value at risk’ equals the maximum amount of money an investor is expected to lose, with a given (low) probability (like 1%, 2%): note the different semantics of risk here!!
  • To prevent water floods, according to the ‘Delta plan’, dikes in the Netherlands should be constructed in such a way that the probability of a sea water flood is reduced to once in 10000 years; calculating the economic damage is still another story…
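The different semantics of risk in finance, as an added example that is not part of the original slides: one constructed series of daily returns yields three different "risk" numbers, namely the volatility, the mean loss, and the value at risk. The return series, the invested amount and the use of historical simulation to estimate value at risk are assumptions made for this illustration.

```python
# Added example: three "risk" numbers computed from one constructed return series.
import statistics

# Constructed daily returns of a hypothetical portfolio (fractions of its value).
RETURNS = [
    0.012, -0.008, 0.004, -0.031, 0.009, 0.002, -0.015, 0.021, -0.004, 0.007,
    -0.052, 0.013, 0.001, -0.011, 0.018, -0.002, 0.006, -0.024, 0.010, 0.003,
]

def volatility(returns):
    """Risk as volatility: sample standard deviation of the returns."""
    return statistics.stdev(returns)

def mean_loss(returns, value):
    """Risk as expected loss: minus the mean return, times the amount invested."""
    return -statistics.fmean(returns) * value

def value_at_risk(returns, value, alpha_pct):
    """Risk as value at risk, estimated by historical simulation (assumed method):
    the loss level that is exceeded on at most alpha_pct percent of observed days."""
    if not 0 < alpha_pct < 100:
        raise ValueError("alpha_pct must be strictly between 0 and 100")
    losses = sorted(-r * value for r in returns)   # ascending; gains are negative
    worse = (alpha_pct * len(losses)) // 100       # days allowed to be worse
    return max(losses[len(losses) - worse - 1], 0.0)

if __name__ == "__main__":
    invested = 100_000.0  # constructed amount, in euro
    print(f"volatility   : {volatility(RETURNS):.4f} per day")
    print(f"mean loss    : {mean_loss(RETURNS, invested):.2f} euro per day")
    print(f"5% VaR       : {value_at_risk(RETURNS, invested, 5):.2f} euro")
    print(f"1% VaR       : {value_at_risk(RETURNS, invested, 1):.2f} euro")
```

The mean loss is small while the value at risk is more than ten times larger, because the first averages over all days and the second looks only at the tail of the loss distribution.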

Page 15: Security and Technology (WM0823TU) Lecture 1: Introduction


9/11 and other terrorist attacks

• Security risks caused by terrorists’ threats have a long history: threats usually lead to incidents by exploiting existing vulnerabilities

• Incidents like 9/11 (USA) have made the world especially aware of not-earlier-exploited vulnerabilities (interesting discussion: to what extent the security threats in this case were already existing before the actual occurrence…)

• Compare to the exploitation of (newly discovered) vulnerabilities in computer systems, as done by hackers

Page 16: Security and Technology (WM0823TU) Lecture 1: Introduction


(Inter)national S&S programs

• S&S programs are available in all kinds of domains
• Critical infrastructure security programs [see e.g. http://www.iwar.org.uk/cip/index.htm]
  • energy supply: oil, water, electricity, gas, …
  • public transport: train, underground, bus, taxi
  • (inter)national supply chain of goods
  • (inter)national food production programs (including water)
  • banking system
  • governmental services

• Homeland security: the ‘Making the Nation Safer’ program of the USA [see http://www.homelandsecurity.org/Default.aspx?AspxAutoDetectCookieSupport=1]

Page 17: Security and Technology (WM0823TU) Lecture 1: Introduction


(Inter)national S&S programs, cont.

• Basel Committee of Banking Supervision, having as its objective ‘to enhance understanding of key supervisory issues and improve the quality of banking supervision worldwide’, and more [see http://www.bis.org/bcbs/index.htm]

• Delta Plan for securing the Netherlands against sea water floods [see http://www.deltawerken.com/Deltawerken/16.html]

Page 18: Security and Technology (WM0823TU) Lecture 1: Introduction


Dealing with risk

• If risks are considered to be too high, they should be managed: risk management

• Risk/Security management roughly concerns the (often dynamic) process of
  1. acceptable risk definition: defining what is an acceptable level of risk in a given environment
  2. risk analysis: analyzing the expected impact of all possible incidents in that environment
  3. countermeasures’ design: taking measures to reduce the risk to the defined acceptable level (to be elaborated later on!)

Page 19: Security and Technology (WM0823TU) Lecture 1: Introduction


Dealing with risk, an example

Information Security approach at KLM/AF:

Page 20: Security and Technology (WM0823TU) Lecture 1: Introduction

Agenda

• From a ‘Society at Risk’ to a ‘Risk Society’…
• Defining/Dealing with Risk
• Course ‘Security and Technology’: focus and setup

Page 21: Security and Technology (WM0823TU) Lecture 1: Introduction


Goal of this course

• Understanding the nature of SSJ problems
• Getting familiarized with all kinds of Risk Management approaches for dealing with SSJ problems, in several
  • technology domains (like ICT, civil engineering) or
  • domains that strongly depend on/apply technology (finance, supply chain, public safety, forensics)

where much attention is paid to
  • modeling of risk (both data and expert driven)
  • determination of risk

Page 22: Security and Technology (WM0823TU) Lecture 1: Introduction

This course and SRM Framework


Page 23: Security and Technology (WM0823TU) Lecture 1: Introduction


Course overview (provisional)

Week # | Date | Subjects | Lecturer
35 (1) | Tuesday August 31 | introduction: the risk society and the goals of the security & technology course | JvdB
36 (2) | Monday September 6 | risk and its definitions, modeling and determination; financial risks: dealing with market risk | JvdB
36 (3) | Wednesday September 8 | financial risks cont.: dealing with credit risk, operational risk, … | JvdB
37 (4) | Monday September 13 | reliability of software, human factors, and their lessons for the management of the Maeslant storm surge barrier | JvdB
37 (5) | Wednesday September 15 | securing the supply chain: some case studies | YT/JvdB
38 (6) | Monday September 20 | information security, an introduction | JvdB
38 (7) | Wednesday September 22 | quantified return on information security investment | JvdB
39 (8) | Monday September 27 | information quality in public safety networks | NB
39 (9) | Wednesday September 29 | trust algorithms for e-commerce and other Internet applications | JvdB
40 (10) | Monday October 4 | calculation techniques for risk analysis in river- and coastal engineering | PvG
40 (11) | Wednesday October 6 | intelligent data analysis for forensic investigation | CV/MI
41 (12) | Monday October 11 | wrap-up, preparation for the final examination | JvdB

Page 24: Security and Technology (WM0823TU) Lecture 1: Introduction

Course Materials

• PPT presentations, with references to underlying material like articles, wikipedia, reports, theses;

• Parts from the book edited by J. Talbot and M. Jakeman, “SRMBOK, Security Risk Management Body of Knowledge”, published by RMIA, 2008.


Page 25: Security and Technology (WM0823TU) Lecture 1: Introduction

Assignments and Grading

• The majority of the lectures end in an individual or small-group assignment that should usually be handed in one week later.

• The course is concluded with a written examination where knowledge, understanding and skills with respect to ‘security and technology’ are tested.

• The final grading is based on the assignments handed in (33.3%) and the result obtained for the written examination (66.7%).


Page 26: Security and Technology (WM0823TU) Lecture 1: Introduction

Questions????
