A General Method for Quantifying Risk Using Probabilistic Graph Models
Abstract
An important challenge in the analysis of Risk, Reliability and Safety is to provide a functional method that a risk manager considers simple, transparent, intuitive, complete and standalone, without the need to acquire external off-the-shelf (OTS) software. The sole purpose of this paper is to propose such a method. The method represents a novel approach in which the graph-theoretic models used in an analysis rest on a hierarchical network of Modules, each module a model of some subsystem. It provides a complete framework for resolving all statistical dependencies and probabilistic uncertainties. In a short series of steps, the method measures the costs, elapsed times, vulnerability scores and the overall risk, reliability and safety as a threat, or multiple simultaneous threats, progress through the hierarchy. The method is economical and efficient, consisting of at most 100 network vertices and requiring an insignificant amount of computation time. Cycles are resolved in a simple and economical manner, requiring the addition of only a single vertex to the network. When a module has too many inputs, violating the "three input rule" discussed below, the work required to resolve statistical dependencies grows exponentially. This statistical problem was solved, needing only one additional vertex per violation. Four support files needed to collect all the data and to execute the method have been included with the paper. A user manual has been appended to this research document to assist and guide a user during the application of the method. It provides step-by-step instructions for building a graph model, for specifying and recording the semantics of the model in a dedicated data structure, and for computing the value of various performance criteria.
Keywords
Risk Analysis, Reliability Analysis, Multiple Threats, Modeling Methods, Vulnerability Analysis, Safety and Reliability Analysis, Graph-Theoretic Methods
1. Introduction
Risk Analysis problems are complex and have received considerable attention in the literature [1,2,4,5]. Many graph-theoretic methods and tools have been developed to solve these problems, some generating graphs that contain hundreds, even thousands, of nodes [3,18,21]. The size and complexity of such graphs often exceed the ability to visualize, understand and interpret the solutions generated with such models. The process of entering the data needed to specify the properties of each node and edge can be an enormous task. Executing such models typically requires the acquisition, installation and use of off-the-shelf (OTS) software whose maintenance may demand technical support provided by outside vendors. It is unwise to assume that all risk managers or their analysts have sufficient knowledge to understand such products, or that they find them sufficiently intuitive. What may be worse, however, is to ignore the fact that complex problems are solved in stages, starting with a simple model and progressing towards a more comprehensive approach as more knowledge is acquired. In this paper, we present a simple, intuitive and standalone method to address such limitations. The method also provides improved solutions to several problems that have received insufficient attention in the literature:
1. It accounts for all statistical uncertainties and dependencies.
2. In deriving the probability of reaching the ultimate target, it finds a simpler and more economical solution to "the cycle problem".
3. It produces values for the following performance criteria:
   a. The costs and other consequences incurred at every vertex as transitions are attempted from the starting vertices to the top vertex.
   b. The times elapsed at every vertex during every transition.
   c. The values of significant CVSS metrics.
   d. A final estimate of Risk.
4. It is general in the sense that it is not confined to the analysis of computers and networks, but also applies to virtually any risk, reliability, or benefit analysis.
5. By employing only two linked components contained in Microsoft Office, Word and Excel, it provides a standalone capability not requiring any OTS or other external software.
6. It also avoids the exorbitant increase in statistical calculations required to process nodes whose in-degree is excessive.
We have made no attempt to model terrorists or intruders [6,7].
What happens in a terrorist's or intruder's brain is almost never known, especially a priori: why postulate a model? However, some qualitative information about them may be derived indirectly by estimating the degree of difficulty they face when attempting to materialize their objectives. This estimation results in a rather obvious CVSS score [10,11]: "How difficult are their tasks?".
Attack Graphs are frequently used in risk analyses, but such analyses focus mostly on the progress of intruders or terrorists through computers, networks and Electrical Grid penetrations. While such graphs remain important tools in risk analysis, other approaches are sometimes needed. The method presented here rests on a more general multilevel hierarchical model consisting of Modules, each module the model of a subsystem. Implemented as a mathematical graph, the model was principally designed to address risk analysis problems. It can also be used to address a multitude of other issues. Foremost, it can be applied to solve reliability problems where the graph can be interpreted as a Fault Tree [8,9]: the reliability of a system is an important, though often overlooked, factor in estimating the risks resulting from operating a system. Other applications include the stepwise progress of a disease, a fire, a mechanical failure, a military conflict, the propagation of cracks in a metal bridge, and so on.
2. Graphs
Graphs are an effective modeling tool for analyzing risks or benefits that evolve in an ordered series of discrete and probabilistic steps. In this paper, the model is a graph that is structured as a network of interconnected Modules, each module a subgraph of the overall graph. It is constructed using one major principle: Reachability. The graph and its modules have two layers, a Topological Layer and a Semantics Layer. The topological layer models the physical variables and parameters, and their connections. The semantics layer endows the physical layer with the mathematical and logical relationships required for the computation of Risk.
Every vertex v in the graph is defined by a quintuple:

$v = \langle n(v),\ p(v),\ C(v),\ T(v),\ V(v) \rangle$,
1. The vertex name n(v). The name specifies the location and type of a facility or object at risk. When the graph is a structure for reaching more abstract objectives, the names specify these objectives.
2. The probability p(v) of reaching v. It is also the probability of Vertex v.
$\mathrm{Prob}(v_i \text{ reaches } v) = \mathrm{prob}\big[T(v_i, v) = 1\big] \cdot \mathrm{prob}\left(\bigwedge_{j=1}^{m} \text{precondition } j \text{ for Target } v \text{ is evaded}\right)$ ..[1]

where $T(v_i, v)$ is the event that the transition T from $v_i$ to v is successful, and m = 3.
Transitions and preconditions are typically independent. Then, for n = 4,

$p(v) = \left[\mathrm{prob}\left(\bigvee_{i=1}^{n-1} (v_i \text{ reaches } v) \cdot p(v_i)\right)\right] \cdot \left[\mathrm{prob}\left(\bigwedge_{j=1}^{m} \text{precondition } j \text{ for Target } v \text{ is evaded}\right)\right]$ ..[2]

Let $A_i = \mathrm{prob}(v_i \text{ reaches } v) \cdot p(v_i)$, and $B_j = \mathrm{prob}(\text{precondition } j \text{ for Target } v \text{ is evaded})$; then

$p(v) = \Big[ A_1 + A_2 + A_3 - (A_1 | A_2)\,A_2 - (A_2 | A_3)\,A_3 - (A_1 | A_3)\,A_3 + \big(A_1 | (A_2, A_3)\big)\,(A_2 | A_3)\,A_3 \Big] \cdot \Big[ \big(B_1 | (B_2, B_3)\big)\,(B_2 | B_3)\,B_3 \Big]$ ..[3]
where pairwise dependencies may be ignored and, to simplify notation, the vertical bars were used to denote statistical dependence.
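The following Python is an added worked example of equation [3]; it is not code from the paper, whose method is implemented in Word and Excel. It builds the terms $A_i$ from three input vertices (the "three input rule", n = 4) and three preconditions (m = 3), then evaluates the inclusion-exclusion product of [3]. The `Vertex` tuple is a hypothetical encoding of the quintuple $\langle n(v), p(v), C(v), T(v), V(v) \rangle$, the dictionary keys of the form `(1, (2, 3))` are this example's notation for the paper's vertical-bar conditionals such as $(A_1 | (A_2, A_3))$, and every probability value is constructed for illustration. The `independent` helper shows that when all conditionals collapse to marginals, [3] reduces to the familiar $1 - \prod(1 - A_i)$ times $\prod B_j$.

```python
"""Added worked example (not from the paper) of equations [1]-[3]:
p(v) for a target vertex with three inputs v_1..v_3 (n = 4) and three
preconditions (m = 3), with statistical dependence expressed through
conditional probabilities. All numeric values are constructed samples."""
from typing import Dict, List, NamedTuple, Tuple

# Key (i, (j, ...)) stands for the conditional probability P(E_i | E_j, ...),
# e.g. (1, (2, 3)) is (A_1 | (A_2, A_3)) in the paper's vertical-bar notation.
Conditionals = Dict[Tuple[int, Tuple[int, ...]], float]


class Vertex(NamedTuple):
    """Hypothetical encoding of the quintuple v = <n(v), p(v), C(v), T(v), V(v)>.
    Only n(v) and p(v) are used here; C, T, V are carried as plain fields."""
    n: str
    p: float
    C: float = 0.0
    T: float = 0.0
    V: float = 0.0


def input_terms(inputs: List[Tuple[Vertex, float]]) -> List[float]:
    """A_i = prob(v_i reaches v) * p(v_i) for each (v_i, prob(v_i reaches v))."""
    return [reach * v.p for v, reach in inputs]


def independent(probs: List[float]) -> Conditionals:
    """Conditionals under independence: P(E_i | anything) = P(E_i)."""
    return {(1, (2,)): probs[0], (2, (3,)): probs[1],
            (1, (3,)): probs[0], (1, (2, 3)): probs[0]}


def reach_probability(A: List[float], B: List[float],
                      A_given: Conditionals, B_given: Conditionals) -> float:
    """Equation [3]: inclusion-exclusion over the OR of the three input events,
    with joint probabilities expanded by the chain rule (P(A_1 and A_2) =
    (A_1|A_2) A_2), multiplied by the chain-rule AND of the three preconditions."""
    if len(A) != 3 or len(B) != 3:
        raise ValueError("equation [3] is written for exactly three inputs and three preconditions")
    for x in list(A) + list(B) + list(A_given.values()) + list(B_given.values()):
        if not 0.0 <= x <= 1.0:
            raise ValueError(f"probability out of range: {x}")
    A1, A2, A3 = A
    B3 = B[2]
    p_or = (A1 + A2 + A3
            - A_given[(1, (2,))] * A2
            - A_given[(2, (3,))] * A3
            - A_given[(1, (3,))] * A3
            + A_given[(1, (2, 3))] * A_given[(2, (3,))] * A3)
    p_and = B_given[(1, (2, 3))] * B_given[(2, (3,))] * B3
    # Inconsistent conditionals (e.g. a joint term larger than a marginal)
    # show up as a value outside [0, 1]; reject rather than return nonsense.
    if not 0.0 <= p_or <= 1.0:
        raise ValueError(f"inconsistent conditional probabilities: P(OR) = {p_or}")
    return p_or * p_and


# Constructed sample data: three input vertices reached with probability p(v_i)
# and the probability that the transition from each of them to v succeeds.
INPUTS = [(Vertex("v1", 0.6), 0.5),   # A_1 = 0.5 * 0.6 = 0.3
          (Vertex("v2", 0.8), 0.5),   # A_2 = 0.5 * 0.8 = 0.4
          (Vertex("v3", 1.0), 0.5)]   # A_3 = 0.5 * 1.0 = 0.5
PRECONDITIONS = [0.9, 0.8, 0.7]       # B_1, B_2, B_3

# Constructed dependence: success via one input makes the others more likely.
A_DEP = {(1, (2,)): 0.6, (2, (3,)): 0.7, (1, (3,)): 0.5, (1, (2, 3)): 0.8}
B_DEP = {(1, (2, 3)): 0.95, (2, (3,)): 0.85}


def p_target_independent() -> float:
    """p(v) when all transitions and preconditions are independent."""
    A = input_terms(INPUTS)
    return reach_probability(A, PRECONDITIONS, independent(A), independent(PRECONDITIONS))


def p_target_dependent() -> float:
    """p(v) with the constructed conditional probabilities above."""
    return reach_probability(input_terms(INPUTS), PRECONDITIONS, A_DEP, B_DEP)


if __name__ == "__main__":
    print(f"p(v) assuming independence:              {p_target_independent():.5f}")
    print(f"p(v) with the constructed dependencies:  {p_target_dependent():.5f}")
```

The range checks matter in practice: the conditional terms in [3] are entered by hand in the paper's method, and a pairwise conditional that is inconsistent with its marginals produces an "OR" probability outside [0, 1], which the function reports instead of silently propagating up the hierarchy.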
3. The numerical consequences C(v) incurred in reaching v. This component is the sum of the average of all consequences accumulated at the inputs to v, and of the incremental consequences incurred in