The quantification of information security risk using fuzzy logic and Monte Carlo simulation.

Vorster, Anita

04 June 2008

The quantification of information security risks is currently highly subjective. Values for information such as impact and probability, which are estimated during risk analysis, are mostly estimated by people or experts internal or external to the organization. Because the estimation of these values is done by people, all with different backgrounds and personalities, the values are exposed to subjectivity. The chance of any two people estimating the same value for risk analysis information is rare. There will always be a degree of uncertainty and imprecision in the values estimated. It is therefore during the data-gathering phase of risk analysis that the problem of subjectivity lies. To address the problem of subjectivity, techniques that mathematically deal with and present uncertainty and imprecision are used to estimate values for probability and impact. During this research a model for the objective estimation of probability was developed. The model uses mostly input values that are entirely objective, but also a small number of subjective input values. It is in these subjective input values that fuzzy logic and Monte Carlo simulation come into play. Fuzzy logic takes a qualitative subjective value and gives it an objective value, and Monte Carlo simulation complements fuzzy logic by giving a cumulative distribution function to the uncertain, imprecise input variable. In this way subjectivity is dealt with and the result of the model is a probability value that is estimated objectively. The same model that was used for the objective estimation of probability was used to estimate impact objectively. The end result of the research is the combination of the models to use the objective impact and probability values in a formula that calculates risk. The risk factors are then calculated objectively. A prototype was developed as proof that the process of objective information security risk quantification can be implemented in practice. / Prof. L. Labuschagne

Risk assessment

Monte Carlo method

Fuzzy logic

Computer security

Information technology risk assessment

The relationship between entity related corporate governance factors and the establishment of separate risk management committee in South Africa

Sekome, Nkoko Blessy

10 June 2014

M.Com. (Computer Auditing) / This dissertation aims to explore the entity characteristics associated with the implementation of the board-level stand-alone risk management committee (RMC) in South Africa. We developed a battery of econometric models based on triangulation of corporate governance theories which linked an entity’s decision to set up a separate risk management committee (RMC) in its board structures as a dependent variable and a host of entity-specific factors as independent variables. Data collected from audited annual reports of 181 JSE-listed non-financial entities was analysed using logistics regression estimation procedures. Our results show a strong positive relationship between the likelihood that an entity would establish a separate RMC, on the one hand, and board independence, board size, entity size, and industry type, on the other. Our study fails to find support for the hypothesis that an entity’s characteristics – such as the independence of the board chairman, the use of Big Four audit firms, financial reporting risks, and levels of financial leverage – do influence an entity’s decision to form a separate RMC. Our findings emphasize the role that information asymmetry between executive and non-executive directors, agency cost and potential damage to reputation capital of directors; diversity in background, expertise, and skills of directors; economies of scale in absorbing RMC costs; and industry-specific institutions and norms play in an entity’s decision to form a separate RMC. The implication of our findings is that policy-makers should consider the size and composition of boards and also take cognizance of entity size and industry-specific idiosyncrasies in setting recommended corporate governance practices.

Auditing - Data processing

Financial risk management - South Africa

Information technology - Risk assessment

Corporate governance - South Africa

Critical success factors for the implementation of an operational risk management system for South African financial services organisations

Gibson, Michael David

02 1900

Operational risk has become an increasingly important topic within financial institutions of late, resulting in an increased spend by financial service organisations on operational risk management solutions. While this move is positive, evidence has shown that information technology implementations have tended to have low rates of success. Research highlighted that a series of defined critical success factors could reduce the risk of implementation failure. Investigations into the literature revealed that no critical success factors had been defined for the implementation of an operational risk management system. Through a literature study, a list of 29 critical success factors was identified. To confirm these factors, a questionnaire was developed. The questionnaire was distributed to an identified target audience within the South African financial services community. Reponses to the questionnaire revealed that 27 of the 29 critical success factors were deemed important and critical to the implementation of an operational risk management system. / Business Management / M. Com. (Business Management)

Operational risk management

Financial services organisations

658.155

Financial risk management

Banks and banking -- Risk management

Banks and banking -- Operational risk

Bank and banking -- Process control

A probabilistic and multi-objective conceptual design methodology for the evaluation of thermal management systems on air-breathing hypersonic vehicles

Ordaz, Irian

18 November 2008

This thesis addresses the challenges associated with thermal management systems (TMS) evaluation and selection in the conceptual design of hypersonic, air-breathing vehicles with sustained cruise. The proposed methodology identifies analysis tools and techniques which allow the proper investigation of the design space for various thermal management technologies. The design space exploration environment and alternative multi-objective decision making technique defined as Pareto-based Joint Probability Decision Making (PJPDM) is based on the approximation of 3-D Pareto frontiers and probabilistic technology effectiveness maps. These are generated through the evaluation of a Pareto Fitness function and Monte Carlo analysis. In contrast to Joint Probability Decision Making (JPDM), the proposed PJPDM technique does not require preemptive knowledge of weighting factors for competing objectives or goal constraints which can introduce bias into the final solution. Preemptive bias in a complex problem can degrade the overall capabilities of the final design. The implementation of PJPDM in this thesis eliminates the need for the numerical optimizer which is required with JPDM in order to improve upon a solution. In addition, a physics-based formulation is presented for the quantification of TMS safety effectiveness corresponding to debris impact/damage and how it can be applied towards risk mitigation. Lastly, a formulation loosely based on non-preemptive Goal Programming with equal weighted deviations is provided for the resolution of the inverse design space. This key step helps link vehicle capabilities to TMS technology subsystems in a top-down design approach. The methodology provides the designer more knowledge up front to help make proper engineering decisions and assumptions in the conceptual design phase regarding which technologies show greatest promise, and how to guide future technology research.

Pareto frontiers

3-D

Performance

Economics

Safety

Normal boundary intersection

Pareto fitness

Risk mitigation

Safety margin

Technology maps

Uncertainty

Pareto

Technology Risk assessment

Risk management

Design and technology

Technology

Critical success factors for the implementation of an operational risk management system for South African financial services organisations

Gibson, Michael David

29 February 2012

Operational risk has become an increasingly important topic within financial institutions of late, resulting in an increased spend by financial service organisations on operational risk management solutions. While this move is positive, evidence has shown that information technology implementations have tended to have low rates of success. Research highlighted that a series of defined critical success factors could reduce the risk of implementation failure. Investigations into the literature revealed that no critical success factors had been defined for the implementation of an operational risk management system. Through a literature study, a list of 29 critical success factors was identified. To confirm these factors, a questionnaire was developed. The questionnaire was distributed to an identified target audience within the South African financial services community. Reponses to the questionnaire revealed that 27 of the 29 critical success factors were deemed important and critical to the implementation of an operational risk management system. / Business Management / M. Com. (Business Management)

Operational risk management

Financial services organisations

658.155

Financial risk management

Banks and banking -- Risk management

Banks and banking -- Operational risk

Bank and banking -- Process control

Evaluation de la sûreté de systèmes dynamiques hybrides complexes : application aux systèmes hydrauliques / Safety assessment of complex hybrid dynamic systems : application to hydraulic systems

Broy, Perrine

12 March 2014

Ces travaux s'intéressent à l'estimation de la fiabilité des évacuateurs de crues vannés. Le comportement fiabilistes de ces systèmes hydrauliques dépend à la fois d'événements aléatoires discrets, mais aussi de l'évolution d'une variable déterministe continue : ce sont des systèmes dynamiques hybrides. Pour ces systèmes, l'événement redouté est réalisé lorsque le niveau de la retenue atteint un seuil de sûreté. La démarche de fiabilité dynamique proposée dans cette thèse vise à prendre en compte l’information temporelle de la modélisation à la synthèse d'indicateurs fiabilistes pour l'aide à la décision et développe deux contributions :1) L'élaboration d'une base de connaissances dédiée à la description des évacuateurs de crue en termes de fiabilité dynamique. Chaque classe de composants est décrite par un automate stochastique hybride dont les états sont les différentes phases de son fonctionnement. 2) Le suivi de la simulation de Monte Carlo et le traitement et l'analyse des "histoires" (séquence de tous les états activés et des dates d'activation) obtenues en simulation pour construire des indicateurs de fiabilité classique (probabilité d'occurrence de l'évènement redouté, identification des coupes équivalentes prépondérantes, ...). Des indicateurs de fiabilité dynamique basés sur la classification des histoires en fonction des dates de défaillance des composants concernés et sur l'estimation de l'importance dynamique sont aussi proposés / Hydraulic systems are hybrid dynamic systems whose evolution is a combination between discrete stochastic events on the one hand and continuous deterministic phenomena on the other hand. The undesired event is achieved when the dam level reaches a security threshold. In the frame of gated spillways dynamic reliability, the proposed methodology takes into account the temporal information during modeling and synthesis of reliability indicators for decision support.The first contribution of this work is the development of a knowledge base to describe a class of systems. Each component is described by a stochastic hybrid automaton whose states are the different working modes.The second contribution is Monte Carlo simulation monitoring and treatment results. A story is the sequence of all activated states and activation dates during the algorithm passage for a simulation. The analysis of results provides classical reliability indicators, such as the time evolution of the undesired event probability or the identification of predominant equivalent cuts. Our predictive approach is based on stories classification depending on components failure dates, then dynamic importance is assessed

Fiabilité

Sécurité des systèmes

Disponibilité (systèmes)

Technologie -- Evaluation du risque

Modèles mathématiques

Simulation, méthodes de

Déversoirs

Systèmes complexes

Processus stochastiques

Reliability

System safety

Systems availability

Technology -- Risk assessment

Mathematical models

Simulation methods

Spilways

Complex systems

Stochastic processes

620

A risk based approach for managing information technology security risk within a dynamic environment

Mahopo, Ntombizodwa Bessy

11 1900

Information technology (IT) security, which is concerned with protecting the confidentiality, integrity and availability of information technology assets, inherently possesses a significant amount of known and unknown risks. The need to manage IT security risk is regarded as an important aspect in the daily operations within organisations. IT security risk management has gained considerable attention over the past decade due to the collapse of some large organisations in the world. Previous investigative research in the field of IT security has indicated that despite the efforts that organisations use to reduce IT security risks, the trend of IT security attacks is still increasing. One of the contributing factors to poor management of IT security risk is attributed to the fact that IT security risk management is often left to the technical security technologists who do not necessarily employ formal risk management tools and reasoning. For this reason, organisations find themselves in a position where they do not have the correct approach to identify, assess and treat IT security risks. The IT security discipline is complex in nature and requires specialised skills. Organisations generally struggle to find a combination of IT security and risk management skills in corporate markets. The scarcity of skills leaves organisations with either IT security technologists who do not apply risk management principles to manage IT security risk or risk management specialists who do not understand IT security in order to manage IT security risk. Furthermore, IT is dynamic in nature and introduces new threats and vulnerabilities as it evolves. Taking a look at the development of personal computers over the past 20 years is indicative of how change has been constant in this field, from big desktop computers to small mobile computing devices found today. The requirement to protect IT against threats associated with desktops was far less than the requirement associated with protecting mobile devices. There is pressure for organisations to ensure that they stay abreast with the current technology and associated risks. Failure to understand and manage IT security risk is often cited as a major cause of concern within most organisations’ IT environments because comprehensive approaches to identify, assess and treat IT security risk are not consistently applied. This is due to the fact that the trend of IT security attacks across the globe is on the increase, resulting in gaps when managing IT security risk. Employing a formal risk based approach in managing IT security risk ensures that risks of importance to an organisation are accounted for and receive the correct level of attention. Defining an approach of how IT security risk is managed should be seen as a fundamental task and is the basis of this research. This study aims to contribute to the field of IT security by developing an approach that assists organisations in treating IT security risk more effectively. This is achieved through the use of a combination of existing best practice IT security frameworks and standards principles, basic risk management principles, as well as existing threat modelling processes. The approach developed in this study serves to encourage formal IT security risk management practices within organisations to ensure that IT security risk is accounted for by senior leadership. Furthermore, the approach is anticipated to be more proactive and iterative in nature to ensure that external factors that influence the increasing trend of IT security threats within the IT environment are acknowledged by organisations as technology evolves. / Computing / M. Sc. (Computing)

IT

IT security

Risk

Risk management

IT security threat modelling

IT security management

OCTAVE

COBIT

ITIL

ISO 27001/2

ISF Standard of Good Practice

005.82

Computer security -- Standards

Cyberterrorism

Risques et perceptions des risques: analyse historique et critique / Risks and risks perceptions: historical and critical analysis

Kermisch, Céline

18 February 2008

Etude historique des conditions d’émergence du champ de recherches de la perception des risques ;analyse critique du paradigme psychométrique et de la théorie culturaliste, ainsi que des conceptions du risque qui les sous-tend. /<p>Historical study of the emergence conditions of risk perception as a research field; critical analysis of the psychometric paradigm and cultural theory, as well as of the underlying risk conceptions. / Doctorat en Philosophie / info:eu-repo/semantics/nonPublished

Sciences humaines

Philosophie de la religion

Risk perception

Risk assessment -- Philosophy

Technology -- Philosophy

Technology -- Risk assessment

Personality and culture

Psychometrics

Perception du risque

Gestion du risque -- Philosophie

Technologie -- Philosophie

Technologie -- Evaluation du risque

Personnalité et culture

Psychométrie

philosophie des techniques

hazard

expressed preferences

Risque

risque technologique

perception du risque

danger

préférences révélées

revealed preferences

philosophy of technology

théorie culturaliste

préférences exprimées

psychométrie

risk

risk perception

psychometric paradigm

cultural theory

technological risk

Beitrag zur ganzheitlichen Sicherheitsforschung wasserstoffbasierter Technologien

Römer, L., Partmann, C., Lippmann, W., Hurtado, A.

25 November 2019

Mit der fortschreitenden Entwicklung wasserstoffbasierter Energiesysteme geht die Notwendigkeit einher, die neuen Technologiekonzepte hinsichtlich deren Sicherheit zu analysieren und zu bewerten. Ziel des vorliegenden Papers ist daher zunächst die Beschreibung des aktuellen Standes zur Sicherheitsforschung für wasserstoffbasierte Energiesysteme. Die durchgeführte Literaturauswertung erfolgte mit den Schwerpunkten Analyseziele, Anwendungsbereiche und angewendete Methoden. Durch Unterschiede hinsichtlich dieser Schwerpunkte in der herangezogenen Literatur ist die Vergleichbarkeit und Verknüpfung der Ergebnisse erschwert. Zusätzlich liefern die ausgewerteten Studien gegensätzliche Schlussfolgerungen zur Bewertung der Sicherheit von wasserstoffbasierten Systemen. Eine beispielhafte Gegenüberstellung der Analyse eines Einzelsystems zu der Analyse eines Gesamtsystems verdeutlich darüber hinaus die Notwendigkeit für ganzheitliche Analysen in der Wertschöpfungskette von Wasserstoff. Ein einheitliches Fazit zur Sicherheit wasserstoffbasierter Energiesysteme ist anhand der ausgewerteten Studien aufgrund der großen Unsicherheiten und der Widersprüchlichkeiten in den Ergebnissen der Analysen aktuell nicht möglich. Hierfür sind weiterführende Arbeiten erforderlich. / The progressive development of hydrogen-based energy systems is accompanied by the need to analyse and evaluate new technology concepts in terms of their safety. Therefore, the aim of this paper is therefore to describe the current state of the safety research for hydrogen-based energy systems. The literature analysis was carried out with a focus on analysis goals, areas of application and applied methods. Differences with regard to these focuses in the cited literature make it difficult to compare and link the results. In addition, the evaluated studies provide contradictory conclusions for the evaluation of the safety of hydrogen-based systems. In an exemplary comparison of the analysis of an individual system with the analysis of an overall system, the need for holistic analyses in the hydrogen value chain is further illustrated. A consistent conclusion on the safety of hydrogen-based energy systems is currently not possible on the basis of the analysed studies due to the large uncertainties and the contradictions in the results of the analyses. Consequently, further work is required. A consistent conclusion on the safety of hydrogen-based energy systems is currently not possible on the basis of the analysed studies due to the large uncertainties and the contradictions in the results of the analyses. Consequently, further work is required.

info:eu-repo/classification/ddc/600

ddc:600

info:eu-repo/classification/ddc/620

ddc:620

info:eu-repo/classification/ddc/629

ddc:629

info:eu-repo/classification/ddc/660

ddc:660

info:eu-repo/classification/ddc/665

ddc:665

Wasserstoffenergietechnik; Risikoanalyse