Welcome to Lesson 31. In this lesson we're going to take a closer look at risk analysis. Risk analysis is an integral part of risk management. Which, as we saw, was an integral part of the four cybersecurity models we examined in part two and part three. Risk management is the process of selecting and prioritizing countermeasures based upon cost-benefit analysis. Risk analysis facilitates cost-benefit analysis by providing an estimate of risk associated with a particular countermeasure. In lesson 20 we examined the application of a risk analysis method called RAMCAP. We saw how RAMCAP estimated risk as the product of estimates for consequence, threat, and vulnerability. Using RAMCAP, we estimated the risk reduction worth of each countermeasure, then calculated the corresponding return on investment by dividing risk by estimated cost. Cost benefit analysis consisted of choosing the countermeasure that provided the highest calculated return on investment. As we noted in lesson 20, RAMCAP was developed by the American Society of Mechanical Engineers at the request of the White House, shortly after 9/11. RAMCAP was specifically formulated to help assess risk across all infrastructure assets and sectors, to help prioritize protective investments at the national level. Unfortunately, RAMCAP fell into obscurity, shortly after it was introduced in the 2006 National Infrastructure Protection Plan. One of the reasons RAMCAP fell into disuse, was that many believe there is no one size fits all when it comes to risk analysis. Indeed, there are an estimated 250 critical infrastructure risk methodologies, which begs the question, why so many? The answer lies in the fact that each methodology is the result of a different set of tradeoffs. RAMCAP itself is uniquely distinguished by its own set of tradeoffs. It begins with the question of completeness. Do you analyze the network or the nodes? In other words, do you also include interdependencies in your risk analysis? RAMCAP does not include interdependencies in its risk analysis. RAMCAP risk analysis focuses on the individual asset. Many researchers justifiably argue that risk analysis is incomplete without considering interdependencies. There are at least 30 models specializing in interdependency analysis. Interdependency models though, must be highly detailed to yield reasonable results. Since assets are part of the network detail, they must be assessed, at some level, individually. Thus it is reasonable to begin with risk analysis with an asset. But understand, the analysis is incomplete without including the network. This was the path chosen by RAMCAP. In analyzing an asset, the next tradeoff is qualitative versus quantitative risk analysis. Qualitative risk analysis simplifies risk assessments by reducing inputs to a manageable set of judgements. The risk and vulnerability analysis method employed in Denmark, provides one example of a qualitative approach. A general criticism of qualitative methods though, is that the poor resolution of input data can lead to erroneous or misleading results. By comparison, quantitative methods promote confidence in results by reducing subjectivity. RAMCAP chose a quantitative approach in order to attain higher confidence in the risk results compared to qualitative methods. The quantitative approach, however, is tempered by precision. Various methods are advocated to achieve a high level of precision in estimating risk. Including Bayesian networks, conditional linear Gaussian networks, stochastic models ,and other formal quantitative methods with proven records of performance in diverse fields of engineering, finance, health care and meteorology. What trips up these methods with critical infrastructure is the lack of data for statistical analysis of man made catastrophic incidents. RAMCAP encourages precision at every step in the risk analysis process, but accepts that in the absence of complete data, precision is an unattainable goal. RAMCAP is satisfied, therefore, that the corresponding risk results must necessarily be relative and not absolute. In a similar manner, the absence of hard data has forced the adoption of informal means for estimating risk, compared to the previous cited formal means. Thus RAMCAP estimates risk as the product of consequence, threat, and vulnerability. This approach is acceptable, so long as the risk results can be made consistent across assets and sectors. RAMCAP achieves consistency by systematically applying the same risk formulation across assets and sectors. Consistency can be further improved by applying rigorous methods for estimating terms in the RAMCAP formulation. Rigorous methods for estimating consequence, threat, and vulnerability values, encompass various means of elicitation and modeling. The Delphi method is perhaps the best known rigorous system among elicitation methods. Faultries, eventries, reliability block diagrams and other causal analysis methods are well respected on reliability and safety engineering. Such rigorous methods though, requires substantial investments, and time, and resources, making them impractical for a large scale application. Alternatively, RAMCAP employs a bounded system to elicit consequence, threat, and vulnerability values, based on a standard set of reference scenarios. These scenarios currently include 41 different natural and man-made hazards. Using these same reference scenarios also promotes interoperability by facilitating comparison of RAMCAP risk results across infrastructure assets and sectors. The ability to compare risk results, apples to apples, across assets and sectors, perfectly suited the purpose for which RAMCAP was designed. Specifically, to make strategic decisions about national investments in critical infrastructure protection. The point of this lesson, with respect to cybersecurity, is that infrastructure owners and operators may undergo a similar exercise to develop their own risk analysis methodology that's tailored to their own unique set of circumstances. Okay, let us review what we have learned here. 1, there is no absolute security, all security entails risk. 2, risk analysis provides a means for assessing the cost-benefit return on security investments. 3, all risk formulations are a product of the tradeoffs chosen in making them. 4, when it comes to critical infrastructure, the first tradeoff is the choice of analyzing the network or the asset. No risk analysis is complete without considering the network. 5, quantitative risk analysis offers more confidence in results compared to qualitative risk analysis, but at the expense of time. 6, the precision of a quantitative risk analysis is determined by the choice of absolute or relative values. 7, the accuracy of a quantitative risk analysis is determined by the choice of using formal or informal methods. 8, the consistency of results will be enhanced by taking a systematic versus, an ad hoc, approach to risk analysis. 9, the time needed to conduct a risk analysis will be reduced by taking a bounded approach versus a rigorous approach. 10, the ability to compare risk results across assets and sectors can only be achieved by using a homogeneous versus a heterogeneous set of conditions in the method formulation. And 11, in the absence of specific recommendations for risk methodologies pertaining to cybersecurity models, owners and operators may develop their own methods tailored to their own unique circumstances. Please join me for lesson 32, when we start looking at alternative solutions to the cybersecurity problem. Thank you.