Epilogue
A university education in security risk management is still an uncommon occurrence. This condition begs the question of where security professionals learn to assess security risk and thereby address security-related issues.
Arguably security is not like traditional professions where more contemplative approaches to problem solving are encouraged if not required. Security professionals are expected to respond to evolving threats on a moment’s notice. This need for immediacy drives a focus on tactics over strategy. Consequently, theory typically takes a backseat to the day-to-day struggles inherent to protecting people, property and information.
It is not surprising that security professionals typically learn about security risk through on-the-job training. The advantage of experience is a realistic appreciation of what does and doesn’t work, as well as a hands-on approach to problem solving. The potential downside is a reliance on informal, i.e., non-risk-based, methods to assess security risk. Therefore, situations at odds with experience are not necessarily addressed in the most effective and/or efficient manner.
Inconsistencies in the results of security risk assessments reflect the lack of a standardized, risk-based assessment methodology, which is in part a consequence of the absence of pedagogy. However, it is certainly true that many successful security professionals never studied theory, and it is not clear they have suffered one iota as a result. This fact doesn’t mean that theory is irrelevant. Rather, it suggests an opportunity to broaden current perspectives and enhance existing capabilities.
Although traditional scientific disciplines allow and even encourage differences in data interpretation, such interpretations are always grounded in a conceptual foundation that everyone in the field accepts as the basis for problem solving. The objective of this text has been to specify such a foundation for security risk assessment as well as to identify assessment techniques and metrics that enable practical applications of the theory.
A significant consequence of any conceptual foundation is the formulation of core theoretical principles. In this case, such principles define a canonical threat scenario as well as standard assessment criteria. The upshot is a structured framework for assessing risk, and the ability to generalize about risk-relevance in a consistent and repeatable fashion.
© Springer Nature Switzerland AG 2019
C. S. Young, Risk and the Theory of Security Risk Assessment, Advanced Sciences and Technologies for Security Applications,
https://doi.org/10.1007/978-3-030-30600-7
In particular, the principles of threat scenario equivalence and the universality of risk ensure that the process used to assess security risk is always the same irrespective of the threat scenario details. A very practical result of the theory is the ability to prioritize security controls across disparate threat scenarios.
A complete treatment of the theory includes some non-traditional topics that might seem to stretch the limits on relevance if not reality. However, these topics actually reflect the breadth of the subject matter as much as the unconstrained imagination of the author. One theme common to all topics is that the basis for security risk assessment is inherently scientific. Although it is clearly possible to conduct an assessment without being a scientist, it is not possible to be rigorous without adopting a scientific approach.
In that vein, numerous examples drawn from science and technology are woven into explanations of the theory. These are often presented to help visualize concepts, but their frequency hints at deeper connections. Furthermore, many assessment techniques were borrowed from traditional disciplines. Such appropriations support the contention that security risk management constitutes a discipline in its own right.
Much of the theory of security risk assessment concerns issues specific to the likelihood component of risk. Estimates of likelihood relate to the type of uncertainty inherent to a given threat scenario, which in turn is linked to the presence or absence of threat incidents.
Importantly, there are two types of uncertainty associated with the likelihood component of risk. Their difference is what drives estimates of probability versus potential, where the latter is used to assess likelihood in the absence of a statistically significant number of threat incidents. Overcoming the statistical handicap presented by a dearth of incidents motivates the use of stochastic processes, and thereby leverages the laws of probability.
The theory of security risk assessment has applicability to scenarios other than those relating to security. Assessing risk relies on constructs and relationships that are applicable to any scenario where “loss” is a possible outcome. Arguably, every scenario consisting of a choice between outcomes fits into this category, which supports the contention that the processes used to assess risk and make decisions are identical.
Three quite dissimilar books inspired some of the major themes that have helped characterize the theory. Their diversity is evidence of the breadth of topics that relate to security risk assessment and management. Perhaps the most significant contributions came from Consilience: The Unity of Knowledge. In that book, E. O. Wilson, a prominent Harvard biologist, discusses how knowledge is intrinsically unified. In his view disparate disciplines are connected via a few natural laws, which he terms consilience. Wilson’s work inspired a holistic and interdisciplinary perspective that is central to the theory of security risk assessment.
The second influential work was Axis and Circumference: The Cylindrical Shape of Plants and Animals, by Stephen A. Wainwright, another Harvard biologist. The author discusses how shape, and specifically the cylindrical shape, is part of a natural pattern that improves an organism’s competitive advantage. In particular, his discussion of scale in nature prompted thoughts on how to represent changes to risk factors and their effect on the magnitude of security risk.
The third book is An Introduction to Information Theory: Symbols, Signals and Noise, by John R. Pierce. Information theory uses stochastic principles to quantify information transmission. Pierce shows how it is relevant to a variety of disciplines, which inspired ideas on how information theory might be applied to threat scenario complexity, a significant contributor to the likelihood component of risk.
Finally, although security risk management has traditionally decoupled theory from practice, it is unclear how to evaluate the effect of this decoupling. What is clear is that assessing and managing security risk are often integral to an organization’s business strategy. Simultaneously, the sophistication of adversaries and the advanced technologies at their disposal have driven the requirement for more effective and cost-effective security solutions.
Therefore, a rational basis for security decisions will become increasingly necessary both to improve assessment accuracy and to justify expensive security strategies. The overarching challenge in addressing these requirements is to demonstrate the tangible benefits of pedagogy to security practitioners, since theory is merely an academic exercise without a connection to the real world. However, implementing security measures without a rigorous means of assessing risk inevitably invites error and inefficiency.
Appendices
Appendix 1: Random Walk Mean and Variance
Consider a security control knob perturbed by mechanical noise.¹ The Gaussian White Noise source causes the knob to be displaced in either the clockwise or counter-clockwise direction. The displacement of the knob after N steps is x, which is the desired statistic.
Let $s_i$ denote a positive or negative displacement, i.e., a step, of the i-th change in position. We first assume the most general case, where a probability distribution describes the i-th displacement and where displacements are not fixed distances.
First, note the following:
$$x = s_1 + s_2 + \cdots + s_N = \sum_{i=1}^{N} s_i \qquad (1)$$
The mean value of x, $\langle x \rangle$, is given by $N\langle s \rangle$, where $\langle s \rangle$ is the mean displacement-per-perturbation of the knob. The dispersion of x (the second moment in statistical parlance), or $\langle \Delta x^2 \rangle$, is given by $N\langle \Delta s^2 \rangle$, where $\langle \Delta s^2 \rangle$ is the dispersion of the distribution of displacements-per-perturbation.
The dispersion $\langle \Delta x^2 \rangle$ equals $\langle (x - \langle x \rangle)^2 \rangle$ by definition. In words, the dispersion equals the square of the width of the distribution of the net displacement about its mean value, $\langle x \rangle$. The square root of the dispersion is $\langle \Delta x^2 \rangle^{1/2}$, i.e., the root mean square (RMS) deviation from the mean. The RMS metric is a direct measurement of the width of the distribution of displacements about the mean.
¹ F. Reif, op. cit.
Suppose each perturbation displaces the security control knob a fixed distance $l$ in either a clockwise or counter-clockwise direction. The results of Chap. 8 can be used to calculate the dispersion of the distribution of perturbations as well as the total displacement after N perturbations. Such statistics could facilitate a risk-based monitoring strategy for threat scenarios affected by random processes.
Assume the probability of a clockwise perturbation of distance $l$ is $p$. The probability of a counter-clockwise perturbation of distance $l$ is $1 - p$, or $q$. The mean displacement-per-step, $\langle s \rangle$, is as follows:
$$\langle s \rangle = pl + q(-l) = 2pl - l = (2p - 1)l \qquad (2)$$
After N perturbations, the mean displacement equals
$$\langle x \rangle = (p - q)Nl \qquad (3)$$
The dispersion, i.e., the variance of the distribution of displacements, is given by the following:
$$\langle (x - \langle x \rangle)^2 \rangle = \langle \Delta x^2 \rangle = 4pqNl^2 \qquad (4)$$
Therefore, the RMS deviation from the mean of the distribution of perturbed displacements equals
$$\langle \Delta x^2 \rangle^{1/2} = 2l(pqN)^{1/2} \qquad (5)$$
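The fixed-step random walk above, as an added example that is not from the book: a Python script that evaluates equations (3) to (5) for given $p$, $N$ and $l$, checks them against a Monte Carlo simulation of the knob, and applies a hypothetical k-RMS monitoring rule of the kind the text alludes to (the function names and the rule are assumptions made here).

```python
"""Random-walk statistics for a security control knob (Appendix 1).

Added example, not taken from the book: simulates N fixed steps of length l,
clockwise with probability p, and compares sample statistics with the
closed forms <x> = (p - q)Nl and <dx^2> = 4pqNl^2 of equations (3)-(5).
"""
import random
from statistics import fmean


def closed_form(p: float, n: int, l: float) -> tuple[float, float, float]:
    """Return (<x>, <dx^2>, RMS deviation) for n perturbations of size l."""
    q = 1.0 - p
    mean = (p - q) * n * l                        # equation (3)
    dispersion = 4.0 * p * q * n * l * l          # equation (4)
    return mean, dispersion, dispersion ** 0.5    # equation (5): 2l(pqN)^(1/2)


def simulate(p: float, n: int, l: float, trials: int, seed: int = 1) -> tuple[float, float]:
    """Monte Carlo estimate of <x> and <dx^2> after n random perturbations."""
    rng = random.Random(seed)
    finals = []
    for _ in range(trials):
        x = 0.0
        for _ in range(n):
            # each perturbation moves the knob +l (clockwise) with probability p, else -l
            x += l if rng.random() < p else -l
        finals.append(x)
    mean = fmean(finals)
    dispersion = fmean((x - mean) ** 2 for x in finals)
    return mean, dispersion


def out_of_band(displacement: float, p: float, n: int, l: float, k: float = 3.0) -> bool:
    """Hypothetical monitoring rule: flag a knob whose observed net displacement
    after n perturbations lies more than k RMS deviations from the expected
    drift <x>, since such an excursion is unlikely to be produced by the noise."""
    mean, _, rms = closed_form(p, n, l)
    return abs(displacement - mean) > k * rms


if __name__ == "__main__":
    print("closed form (p=0.6, N=100, l=1):", closed_form(0.6, 100, 1.0))
    print("simulated:                      ", simulate(0.6, 100, 1.0, 4000))
    print("35 units drift with p=0.5 flagged?", out_of_band(35.0, 0.5, 100, 1.0))
```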
Appendix 2: Time and Ensemble Averages
Consider a variable that fluctuates randomly with time, R(t).² There could be N systems in an ensemble of such variables, where each member of the ensemble is subject to random fluctuations. The ensemble average, i.e., the average of all N members of the ensemble at a specific time $t_1$, is given by the following indefinite integral, which some readers might recognize as the expectation value.
$$\langle R(t_1) \rangle_e = \lim_{N \to \infty} \frac{1}{N} \sum_{i=1}^{N} R_i(t_1) = \int x_1\, p(x_1, t_1)\, dx_1 \qquad (6)$$
² https://www.nii.ac.jp/qis/first-quantum/forStudents/lecture/pdf/noise/chapter1.pdf
The mean square value of R or second-order ensemble average, i.e., the variance, is written as follows:
$$\langle R^2 \rangle_e = \frac{1}{N} \sum_{i=1}^{N} R_i^2(t) = \langle R^2 \rangle - \langle R \rangle^2 \qquad (7)$$
We can also specify a time average for the i-th member of the ensemble:
$$\langle R_i(t) \rangle_t = \lim_{T \to \infty} \frac{1}{T} \int_{-T/2}^{+T/2} R_i(t)\, dt \qquad (8)$$
The time and ensemble average are not the same thing in general. The former represents the average of the value of all N members of the ensemble at a specific time. In contrast, the time average computes the average value of one member of the ensemble over some interval in its time history.
A process is ergodic if the following is true:
$$\langle R(t_1) \rangle_e = \langle R_i(t) \rangle_t \qquad (9)$$
The second-order time average, or mean square, is given by
$$\langle R_i(t)^2 \rangle = \lim_{T \to \infty} \frac{1}{T} \int_{-T/2}^{+T/2} [R_i(t)]^2\, dt \qquad (10)$$
The autocorrelation function measures the self-similarity of a variable measured at time $t$ relative to a later time $t + \tau$:
$$\langle R_i(t)\, R_i(t + \tau) \rangle = \lim_{T \to \infty} \frac{1}{T} \int_{-T/2}^{+T/2} R_i(t)\, R_i(t + \tau)\, dt \qquad (11)$$
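The averages defined in equations (6) to (11), as an added example that is not from the book: discrete-time versions of the ensemble average, time average, mean square and autocorrelation, run over two constructed ensembles, one ergodic (independent ±1 fluctuations in every member) and one that is not (members frozen at fixed levels). All function names and sample data are assumptions made here.

```python
"""Time vs. ensemble averages, ergodicity and autocorrelation (Appendix 2).
Added example, not taken from the book: discrete-time forms of equations
(6)-(11) applied to constructed ensembles of N records R_i(t), t = 0..T-1."""
import random
from statistics import fmean

Ensemble = list[list[float]]  # ensemble[i][t] holds R_i(t)

def ensemble_average(ensemble: Ensemble, t: int) -> float:
    """Eq. (6), discrete form: average over all N members at one instant t."""
    return fmean(member[t] for member in ensemble)

def ensemble_mean_square(ensemble: Ensemble, t: int) -> float:
    """Eq. (7): second-order ensemble average at instant t."""
    return fmean(member[t] ** 2 for member in ensemble)

def time_average(series: list[float]) -> float:
    """Eq. (8), discrete form: average of one member over its whole record."""
    return fmean(series)

def time_mean_square(series: list[float]) -> float:
    """Eq. (10): second-order time average of one member."""
    return fmean(r * r for r in series)

def autocorrelation(series: list[float], lag: int) -> float:
    """Eq. (11): time average of R_i(t) R_i(t + lag) over the overlapping part."""
    if not 0 <= lag < len(series):
        raise ValueError("lag must lie within the record")
    return fmean(series[t] * series[t + lag] for t in range(len(series) - lag))

def is_ergodic(ensemble: Ensemble, tol: float) -> bool:
    """Eq. (9) check: each member's time average agrees (within tol) with the
    ensemble average taken at a single instant, here t = 0."""
    ens = ensemble_average(ensemble, 0)
    return all(abs(time_average(member) - ens) <= tol for member in ensemble)

def coin_flip_ensemble(n: int, t: int, seed: int = 7) -> Ensemble:
    """Constructed ergodic ensemble: i.i.d. +/-1 fluctuations in every member."""
    rng = random.Random(seed)
    return [[rng.choice((-1.0, 1.0)) for _ in range(t)] for _ in range(n)]

def frozen_ensemble(levels: list[float], t: int) -> Ensemble:
    """Constructed non-ergodic ensemble: each member is stuck at its own level."""
    return [[level] * t for level in levels]
```

For the frozen ensemble the ensemble average at any instant is the mean of the levels while each member's time average is its own level, so equation (9) fails; for the coin-flip ensemble both averages sit near zero and the autocorrelation drops from 1 at zero lag to roughly 0 at any other lag.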
Appendix 3: Theory of Security Risk Assessment Summary Table
The following table is a summary of some of the key elements of the theory of security risk assessment.
Components of risk
- Likelihood: Probability distribution of threat incidents; uncertainty due to distribution variance. Spontaneous threat incidents where arrival is a random variable.
- Potential: Risk factor-related incidents or a change in the magnitude of a risk factor yields inferences about the likelihood component of risk.
- Vulnerability: Loss or damage due to a threat incident.
- Impact: Vulnerability-per-threat incident or per-risk factor.

Threat scenario elements
- Threats.
- Entities affected by threats.
- Environment where threats and entities interact.
- Risk components (I, V, L) determine the threat-entity relationship.
- Fundamental expression of (unmanaged) risk: Risk (threat scenario) = I x V x L.

Threat scenario categories and features
- Static: dC/dt ≥ dR/dt and dC/dx ≥ dR/dx; information entropy is stable.
- Dynamic: dC/dt < dR/dt or dC/dx < dR/dx; information entropy is unstable.
- Behavioral: Contains behavioral risk factors.
- Complex: Contains complexity risk factors. The complexity metric is the likelihood of a specific threat scenario state: C_m = 2^(-MH).
- Random: Threat incident is a random variable.

Risk factor types
- Apex: Dominant contributor to the magnitude of threat scenario risk.
- Spatial: Distribution of risk factors within a threat scenario environment affects the magnitude of threat scenario risk.
- Temporal: Persistent or intermittent presence affects the magnitude of threat scenario risk.
- Behavioral: Behavior or features of entities affect the magnitude of threat scenario risk.
- Complexity: Number of risk factors. Uncertainty in risk management, i.e., the application of security controls to risk factors.

Systemic security risk metrics
- Persistence: R x Δt
- Transience: dR/ΔC
- Trending: ΔI/t, ΔR′/t and ΔR/t
- Concentration: R/X
- Proliferation: R x X

Notation:
R = number of risk factors
M = number of risk factors in complexity threat scenarios
C = security control
I = impact
V = vulnerability
L = likelihood
H = information entropy of a security risk management process
ΔI = change in the number of threat incidents
ΔR = change in the number of risk factors
ΔR′ = change in the magnitude of a risk factor
X = number of assets
t = continuous time
Δt = average time interval risk factors remain unaddressed
ΔC = security control duration
dR = risk factor duration