Project risk analysis

4. Project risk analysis has a broad range of
applications, just as the definition of a project is
broad. Project risk analysis is concerned with the
assessment of the risks and uncertainties that
threaten a project.

5. What is Project?
A temporary endeavor undertaken to create a
unique product of service.
In the broadest sense a project is specific, finite
task to accomplished; whether large or small scale; long
or short run.
What is Risk?
The probability that a particular threat will exploit
a particular vulnerability.

6. Risk analysis is the review of the risks associated
with a particular event or action. It is applied to
projects, information technology, security issues
and any action where risks may be analyzed on a
quantitative and qualitative basis. Risk analysis
is a component of risk management.
6

7. Risk Management Cycle
Slide #7

8. Risk Analysis
1. Calculate the (quantitative) likelihood
of each identified hazard
2. Calculate the (quantitative)
consequences that are expected to
occur for each hazard
3. Develop a locally-tailored qualitative
system of measurement
4. Translate all quantitative data into
qualitative measures
8

9. Who should be Involved?
Security Experts
Internal domain experts
Managers responsible for implementing
controls
Slide #9

10. Assets
Identify Assets
Critical Assets

11. Identify Assets
Physical Assets
Buildings, computers
Logical Assets
Intellectual property, reputation
Slide #11

12. Critical Assets
People and skills
Goodwill
Hardware/Software
Documentation
Physical plant
Money
Slide #12

13. Threats
An expression of intention to inflict evil
injury or damage
Attacks against key security services
Confidentiality, integrity, availability
Slide #13

14. Vulnerabilities
Flaw or weakness in system that can be
exploited to violate system integrity.
Security Procedures
Design
Implementation
Threats trigger vulnerabilities
Accidental
Malicious
Slide #14

15. Controls/Countermeasures
Mechanisms or procedures for
mitigating vulnerabilities
Prevent
Detect
Recover
Understand cost and coverage of control
Controls follow vulnerability and threat
analysis
Slide #15

16. Risk/Control Trade Offs
Only Safe Asset is a Dead Asset
Asset that is completely locked away is safe,
but useless
Trade-off between safety and availablity
Do not waste effort on efforts with low loss
value
Don’t spend resources to protect garbage
Control only has to be good enough, not
absolute
Make it tough enough to discourage enemy Slide #16

17. Types of Risk Analysis
Quantitative
Assigns real numbers to costs of safeguards and damage
Annual loss exposure (ALE)
Probability of event occurring
Can be unreliable/inaccurate
Qualitative
Judges an organization’s risk to threats
Based on judgment, intuition, and experience
Ranks the seriousness of the threats for the sensitivity of the
asserts
Subjective, lacks hard numbers to justify return on investment
Slide #17

18. Quantitative vs. Qualitative
Quantitative Analysis
Uses mathematical/
statistical data to derive
numerical descriptions
of risk
More precise analysis
More difficult to
perform
Qualitative
Uses defined terms
(words) to describe and
categorize risk
Less precise analysis
Easier to perform
Session 18

19. Consequence
Deaths/Fatalities (Human)
Injuries (Human)
Damages (Cost, reported in US dollars)
Session 18

20. Direct Losses
Fatalities
Injuries
Repair and replacement of damaged or
destroyed public and private structures
Relocation costs/temporary housing
Loss of business inventory/agriculture
Loss of income/rental costs
Community response costs
Cleanup costs
20

21. Indirect Losses
Loss of income
Input/output losses of businesses
Reductions in business /personal spending
– “ripple effects”
Loss of institutional knowledge
Mental illness
Bereavement

22. Tangible Losses
Cost of building repair/replacement
Response costs
Loss of inventory
Loss of income
22

23. Intangible Losses
Cultural losses
Stress
Mental illness
Sentimental Value
Environmental Losses
Fatalities/Injuries
23

24. Quantitative Analysis Outline
1. Identify and value assets
2. Determine vulnerabilities and impact
3. Estimate likelihood of exploitation
4. Compute Annual Loss Exposure
5. Survey applicable controls and their
costs
6. Project annual savings from control

25. Quantitative
Risk = Risk-impact x Risk-Probability
Loss of car: risk-impact is cost to
replace car, e.g. $10,000
Probability of car loss: 0.10
Risk = 10,000 x 0.10 = 1,000
General measured per year
Annual Loss Exposure (ALE)
Slide #25

26. Qualitative Risk Analysis
Generally used in Information Security
Hard to make meaningful valuations and
meaningful probabilities
Relative ordering is faster and more important
Many approaches to performing qualitative
risk analysis
Same basic steps as quantitative analysis
Still identifying asserts, threats, vulnerabilities, and
controls
Just evaluating importance differently
Slide #26

27. Problem Identify
Step 1: Identify Scope
Bound the problem
Step 2: Assemble team
Include subject matter experts, management in
charge of implementing, users
Step 3: Identify Threats
Pick from lists of known threats
Brainstorm new threats
Mixing threats and vulnerabilities here...
Slide #27

28. Threat prioritization
Prioritize threats for each assert
Likelihood of occurrence
Define a fixed threat rating
Associate a rating with each threat
Approximation to the risk probability in
quantitative approach
Slide #28

29. Loss Impact
With each threat determine loss impact
Define a fixed ranking
Used to prioritize damage to asset from
threat
Slide #29

30. Changes in Human Activities
Population Growth
Economic Growth
Technological Innovation
Social Expectations
Growing Interdependence
30

31. In project risk analysis can understand that
project may be risk or not. what ever the
risk it may be high or low the investor
take decision.
31