Quantitative Methodology for Assessing State-Level Nuclear Security Measures

Myers, Christopher 1985-

14 March 2013

The international community faces a growing threat from nuclear terrorism. The complexity of the threats of nuclear terrorism, the variety of nuclear security measures that States can devote resources towards to address the threats, and the limited resources States have to invest in these nuclear security measures make it imperative that resources are applied in the most effective way possible. In this dissertation, we develop a quantitative, risk-based methodology that States can employ to gain a better understanding of the nuclear threat they face, assist them in determining what nuclear security measures they should invest in, and facilitate communication to stake-holders to request and justify investment in these measures. The risk-based methodology has been developed employing a combination of pathways analysis, game-theory, multiple-attribute utility analysis, decision theory and risk analysis. The methodology was designed to account for the wide variety of nuclear security measures that States can invest in, the range of possible consequences from different nuclear threats, and the severity of these consequences to the State. In addition, the methodology models the adversary's strategic decision making while accounting for the capabilities, motivations, and disincentives that may influence which nuclear threat a terrorist group will attempt. The methodology is introduced into a Visual Basic for Applications code, which we demonstrate through verification and qualitative validation tests. We then develop three State nuclear infrastructures with varying levels of complexity, meant to provide a realistic representation of real-world States. We then utilize the code to evaluate the risk of nuclear terrorism against terrorist threats that have different motivations for nuclear terrorism to demonstrate how different motivations for nuclear terrorism may affect both State-level risk and the State's optimal risk-reduction strategy. These risk analyses are then used to both evaluate various nuclear security strategies and determine which nuclear security measures will have the greatest risk-reduction value. Finally, we conduct a sensitivity analysis on capabilities of terrorist groups to understand how changes in these capabilities affect the State-level risk from nuclear terrorism.

Terrorism Risk Analysis

Security Risk Analysis

Nuclear Terrorism

A risk assessment and optimisation model for minimising network security risk and cost

Viduto, Valentina

January 2012

Network security risk analysis has received great attention within the scientific community, due to the current proliferation of network attacks and threats. Although, considerable effort has been placed on improving security best practices, insufficient effort has been expanded on seeking to understand the relationship between risk-related variables and objectives related to cost-effective network security decisions. This thesis seeks to improve the body of knowledge focusing on the trade-offs between financial costs and risk while analysing the impact an identified vulnerability may have on confidentiality, integrity and availability (CIA). Both security best practices and risk assessment methodologies have been extensively investigated to give a clear picture of the main limitations in the area of risk analysis. The work begins by analysing information visualisation techniques, which are used to build attack scenarios and identify additional threats and vulnerabilities. Special attention is paid to attack graphs, which have been used as a base to design a novel visualisation technique, referred to as an Onion Skin Layered Technique (OSLT), used to improve system knowledge as well as for threat identification. By analysing a list of threats and vulnerabilities during the first risk assessment stages, the work focuses on the development of a novel Risk Assessment and Optimisation Model (RAOM), which expands the knowledge of risk analysis by formulating a multi-objective optimisation problem, where objectives such as cost and risk are to be minimised. The optimisation routine is developed so as to accommodate conflicting objectives and to provide the human decision maker with an optimum solution set. The aim is to minimise the cost of security countermeasures without increasing the risk of a vulnerability being exploited by a threat and resulting in some impact on CIA. Due to the multi-objective nature of the problem a performance comparison between multi-objective Tabu Search (MOTS) Methods, Exhaustive Search and a multi-objective Genetic Algorithm (MOGA) has been also carried out. Finally, extensive experimentation has been carried out with both artificial and real world problem data (taken from the case study) to show that the method is capable of delivering solutions for real world problem data sets.

005.8

How companies manage IT security : A comparative study of Pakistan and Sweden

Qureshi, Mustafa Ali, Khalid, Farhan

January 2013

IT security provides comprehensive picture both internally and externally by act of ensuring that data is not lost when critical issues arise. In spite of the world has now been replaced with an imperative approach. The companies are using widely desktop computers, laptops, ipads, smart phones and workstation. The sum of all this has been influence to the IT based information and communication system in companies.   The purpose is to do research by taking a critical look at how different kind of business and non-business companies manage their IT security in Pakistan and Sweden with specific emphasis on the administrative controls. As the IT security has a list of steps but the authors focused on three major functions: IT security policy, IT security plan and IT security risk analysis.   As soon as the topic was selected the emphasis was laid on collecting and reading material related to the IT security. It became clear that the most relevant and interesting task was not merely to investigate how different companies in Pakistan and Sweden manage their IT security but infact try to understand what kind of steps and measures lies behind to achieve them. The method was adopted qualitative because it fulfil the requirements which authors want to achieve in the form of deeper understanding how different companies manage IT security in two different countries.   This study concluded that Pakistani companies in terms of IT security policy should focus on data ware houses by implementing policies for securing of exploiting the data and in case of Swedish company IT managers should implement policies for securing of personal data. Evaluation techniques are missing from the companies of Pakistan and Sweden in IT security plan. Enhancing the performing of IT risk analysis to countermeasure the threat. Pakistani companies should focus on business model of information asset. In case of Swedish company higher level and more detailed analysis can apply to core areas of the IT system. These proposed points for improvements could also help in more understanding of IT security in Pakistan and Sweden.

Information systems

IT security

IT security Policy

IT security Planning

Perform IT security risk analysis

IT security Bulletin

Information Systems

A Political-security risk analysis of Uganda

Fouche, Philippus Jacobus

20 August 2003

The aim of this study is to analyse political-security risk in Uganda. It emanates from the research question: Does Uganda pose a political-security risk to prospective foreign investment or involvement? The need to move beyond a political risk analysis without entering into a country risk analysis, poses the research problem to develop a political-security risk analysis framework and to apply it to Uganda. This problem generates three subsidiary questions: How appropriate (or inappropriate) are existing risk analysis frameworks? Do existing frameworks contain generic elements that can provide a basis for a synthesised framework? To what extent is a country specific framework applicable to other countries? Therefore, three sub-problems are addressed, namely to determine the appropriateness of selected frameworks; to identify generic elements to construct a synthesised framework; and to assess the applicability of this framework for the analysis of political-security risk in other African countries. Following a definition of the concepts risk, country risk, political risk and political-security risk (analysis), selected frameworks for risk analysis were analysed. The generic elements of these frameworks, namely The Economist (EIU), Business Environment Risk Intelligence (BERI), International Country Risk Guide (ICRG) and Political Risk Services (PRS) frameworks, were reduced to three categories and synthesised into a single framework which was applied to Uganda. The categories of risk indicators pertained to security, political and socio-economic risks respectively. These indicators and the allocated risk scores were used to construct a political-security risk index in respect of which the summed scores provided an index figure of risk that was interpreted in accordance with an interpretation scale. In respect of Uganda, its more recent political history was described and the political, security and socio-economic circumstances prevailing in the country analysed. These conditions were assessed and measured against the indicated risk factors and according to the risk index. The summed political-security risk index score for Uganda was 55.5 out of a maximum of 100. In accordance with the interpretation scale, this constitutes an intermediate risk. Based on this Uganda is not, at present, the most suitable destination for foreign investment or involvement. This does not disallow investment or involvement but if indeed the case, it should be done with circumspection. The situation is volatile to the extent that it can rapidly change for the better or the worse, depending on trends concerning the risk categories, or more specifically a turn of events in respect of a particular key risk indicator. Since the synthesised risk analysis framework is able to accommodate key variables pertaining to politics and security in African states, and since it has provided an indication of risk in respect of Uganda, it is suggested for application to other African states. The need for modification, based on the particularities of other countries, is not excluded. It is also proposed that similar exercises be conducted at intervals of six months. This will indicate whether the variables used were, in fact, valid and reliable, and whether additional variables should be included. The repetition of the analysis also indicates risk trends and allows for the monitoring of risks, which will be conducive to risk management. / Dissertation (MSS (Political Sciences))--University of Pretoria, 2003. / Political Sciences / unrestricted

Foreign direct investment

Country risk analysis

Country riks

Risk analysis

Risk

Political-security risk analysis

Synthesised risk analysis framework

Political risk

Political-security risk

Political risk analysis

UCTD