
How to interpret summation notation...

Hi all,

I'm an ICT specialist geared towards networking, however for a new project I went out of my comfort zone and went to design a complete Information Security Management System. In scope of that, I found a simple risk assessment method created by Goel&Chen. This method uses 3 matrices and 3 summation formulas to get a value assigned to each risk/threat. I checked on the formula and found an explanation on how the summation works and so on. My problem is, that with the given information in their document, I fail to understand exactly which parameters to place where. This is the extract out of their document that I need help on:

"The methodology proposed in the paper uses three separate matrices, i.e. vulnerability matrix, threat matrix and control matrix to collect the data that is required for risk analysis. The vulnerability matrix (Table 1) contains the associations between the assets and vulnerabilities in the organization, the threat matrix (Table 2) similarly contains the relationships between the vulnerabilities and threats, and the control matrix (Table 3) contains the links between the threats and controls. Each cell in a table contains the value of the relationship between the row and the column element of the table (e.g. asset and vulnerability). It uses one of the three values, i.e. low, medium or high.


When the risk analysis is initially conducted, lists of assets, vulnerabilities, threats, and controls are generated and added to the respective tables. The matrices are then populated by adding data that correlates the row of the matrix with the column of the matrix. Finally, the data from the vulnerability matrix is aggregated using Equation 1 and then cascaded on to Table 2. Similarly, data in the threat matrix is aggregated using equation 2 and cascaded on to Table 3. The data from the Control matrix is then aggregated to obtain the relative importance of the different controls.

Attachment 26812
Let us assume that there are $\displaystyle m$ assets where the relative cost of asset $\displaystyle a_j$ is $\displaystyle C_j \; (j = 1,\dots, n)$. Also let $\displaystyle c_{ij}$ be the impact of vulnerability $\displaystyle v_i$ on asset $\displaystyle a_j$. Then the relative cumulative impact of vulnerability $\displaystyle v_i$ on the assets of the organizations is:

$\displaystyle V_i = \sum_{j=1}^{n} v_{ij}\, C_j$
"

The table has been filled in with fictive values.

I'm a bit confused by the subscript parameters, not sure of what to fill in. Could anyone help me with this?

Re: How to interpret summation notation...

I'm not sure I understand the details of the model. There seem to be 3 levels to it. But it sounds like each level is just a matrix of values that gets multiplied and added in pretty much the same way.

So I'm looking at the equation $\displaystyle v_i = \sum_{j=1}^{n}v_{ij}c_j$. This just means $\displaystyle v_i = v_{i1}c_1 + v_{i2}c_2 + \dots + v_{in}c_n$. The vulnerability $\displaystyle v_i$ of each asset is the sum of the vulnerability from all sources. There are n sources, and the vulnerability of asset i from source j is $\displaystyle v_{ij}c_j$, where $\displaystyle c_j$ measures the vulnerability at source j, and $\displaystyle v_{ij}$ measures how important source j is to asset i.

I've probably butchered your model, but hopefully that helps a little with the math.

- Hollywood


Re: How to interpret summation notation...

I think I may have figured it out... I got some more insight into what needs to be filled in on the first (empty) line in the raster.

The first line in the raster is the C value, standing for the cost of an asset.

So, let's assume the following (partial) raster:

Attachment 26819

The assets being the trade secrets and so on.

So, the relative vulnerability impact is

$\displaystyle V_i = \sum_{j=1}^{10} v_{ij}\, C_j$

where $\displaystyle v_i = v_1$ = web servers, and $\displaystyle C_j$ is the value granted to each asset on the first line:

$\displaystyle V_1 = (0\cdot 9)+(3\cdot 3)+(9\cdot 9)+(9\cdot 9)+(9\cdot 3)+(9\cdot 3)+(3\cdot 1)+(9\cdot 3)+(9\cdot 3)+(9\cdot 1) = 291$

Care to confirm if I'm right with this way of writing out the formula? :)
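As an added example (not from this thread and not Goel & Chen's own code), here is the three-level aggregation the quoted extract describes, written in Python and fed the web-servers row and asset costs from the post above. The row/column orientation of the matrices and the numeric scale used for low/medium/high cells are assumptions, since the page does not state them.

```python
# Assumed numeric scale for low/medium/high cells; the thread's raster uses 0/1/3/9,
# and the paper's own mapping is not given on the page.
LEVELS = {"none": 0, "low": 1, "medium": 3, "high": 9}

def numeric(row):
    """Map label cells to numbers; integer cells pass through unchanged."""
    return [LEVELS[x.lower()] if isinstance(x, str) else x for x in row]

def aggregate(matrix, weights):
    """Equation 1 applied row by row: score_i = sum_j matrix[i][j] * weights[j].

    Each row is one item of the level being scored; each column is one item of the
    previous level, weighted by that item's score (or, for assets, its cost C_j).
    """
    n = len(weights)
    scores = []
    for i, row in enumerate(matrix):
        cells = numeric(row)
        if len(cells) != n:
            raise ValueError(f"row {i} has {len(cells)} cells, expected {n}")
        scores.append(sum(v * w for v, w in zip(cells, weights)))
    return scores

def cascade(vuln_matrix, asset_costs, threat_matrix, control_matrix):
    """Vulnerability -> threat -> control aggregation as the quoted extract describes.

    Orientation is an assumption: rows are the level being scored, columns the
    previous level (vulnerability x asset, threat x vulnerability, control x threat).
    """
    vuln_scores = aggregate(vuln_matrix, asset_costs)          # V_i per vulnerability
    threat_scores = aggregate(threat_matrix, vuln_scores)      # one value per threat
    control_scores = aggregate(control_matrix, threat_scores)  # relative importance of controls
    return vuln_scores, threat_scores, control_scores

# Constructed input: the thread's "web servers" row and asset costs, plus a made-up
# second vulnerability and small threat/control tables to show the cascade.
ASSET_COSTS = [9, 3, 9, 9, 3, 3, 1, 3, 3, 1]
VULN_MATRIX = [
    [0, 3, 9, 9, 9, 9, 3, 9, 9, 9],                             # v_1: web servers
    ["high", "none", "none", "medium", 0, 0, 0, "low", 0, 0],   # v_2: made up, mixed labels
]
THREAT_MATRIX = [[9, 1], [3, 9]]   # threat x vulnerability
CONTROL_MATRIX = [[9, 0], [3, 3]]  # control x threat

if __name__ == "__main__":
    v, t, c = cascade(VULN_MATRIX, ASSET_COSTS, THREAT_MATRIX, CONTROL_MATRIX)
    print("vulnerabilities:", v, "threats:", t, "controls:", c)
```

The first vulnerability score comes out at 291, matching the hand calculation above; the threat and control scores are what the same summation produces one level down each time.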

Re: How to interpret summation notation...

Yes, that looks right.

- Hollywood