




Risk Management of
Software and Information Systems



Project Description and Significance

Sandia assists in the design and evaluation of a wide variety of computerized systems, ranging from those whose functions are software-driven (such as nuclear power plant control systems) to those that are information providers (such as medical database systems). This work is important to federal agencies such as DOE and DoD, as well as to private enterprises such as banks and health care providers.


These systems have requirements for integrity (i.e., accuracy, correctness), availability, and confidentiality (i.e., security). The details and relative importance of these multiple "surety" requirements depend on how these systems are used. For example, systems protecting classified information have stringent confidentiality requirements, systems that control nuclear power plants consider software integrity (correct operation) a high priority to ensure safety, and banking systems need to ensure data accuracy and availability.


An important step in the design and development of software systems is a methodical assessment of risks: what is the probability that certain requirements will not be met, in what ways can this happen, and what are the consequences? An understanding of the total risk picture is necessary in order to make intelligent risk management decisions and to arrive at a balanced implementation. A balanced implementation for any given requirement (accuracy, availability, confidentiality) has a similar risk factor across the whole system. Conversely, an unbalanced implementation may have "strong doors" but "weak windows." A balanced implementation across requirements considers interactions, trade-offs, and priorities. Applying a risk-management methodology enables us to recognize the weakest paths, so that resources can be applied appropriately to achieve balance at an acceptable level of residual risk. This approach is illustrated in the following figure.



[Figure: Risk-Based Design]



Sandia's Contribution

Sandia's advanced information technology program has funded development of a unique methodology for assessing risks in the development and use of software systems. This work reflects a combination of Sandia's extensive expertise in computer security, probabilistic risk assessment, vulnerability analysis, and systems engineering.


The methodology helps the system developer to:
Matrices and directed graphs are used for information capture, exploratory analysis ("what-iffing"), and documenting final decisions. Capturing design rationale and other risk-related decisions in this way not only produces a better system today, but it also provides a basis for evaluating changes to the system in the future. The methodology has been partially realized in a PC-based toolset.
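The two ideas above, a risk picture built from probability and consequence over the system's paths, and a directed graph as the structure on which "what-iffing" is done, can be made concrete with a small worked example. The Python below is an added illustration, not part of Sandia's methodology or its PC-based toolset; the component graph, the per-edge failure probabilities, the consequence score and the independence assumption between edge failures are all constructed for this example. It enumerates every path from a data source to its consumer, scores each path by the probability that the integrity requirement is not met times the consequence, reports the weakest path, measures how balanced the implementation is, and lets the analyst rerun the assessment after a hypothetical design change.

```python
from typing import Dict, List, Tuple

# Constructed example system: nodes are components, edges are data flows.
# Each edge carries a hypothetical probability that the flow fails to preserve
# the requirement under analysis (here: integrity of data reaching "report").
EDGES: Dict[str, Dict[str, float]] = {
    "sensor":     {"fieldbus": 0.02},
    "fieldbus":   {"controller": 0.01},
    "controller": {"historian": 0.05, "hmi": 0.03},
    "historian":  {"report": 0.10},
    "hmi":        {"report": 0.02},
    "report":     {},
}
# Constructed, dimensionless consequence score if the consumer receives bad data.
CONSEQUENCE: Dict[str, float] = {"report": 8.0}

Path = List[str]
Row = Tuple[Path, float, float]  # (path, P(requirement not met), risk)


def enumerate_paths(graph: Dict[str, Dict[str, float]], start: str, goal: str) -> List[Path]:
    """Depth-first enumeration of all simple paths from start to goal."""
    paths: List[Path] = []

    def walk(node: str, seen: set, path: Path) -> None:
        if node == goal:
            paths.append(list(path))
            return
        for nxt in graph.get(node, {}):
            if nxt not in seen:
                walk(nxt, seen | {nxt}, path + [nxt])

    walk(start, {start}, [start])
    return paths


def path_failure_probability(graph: Dict[str, Dict[str, float]], path: Path) -> float:
    """P(at least one edge on the path fails), assuming independent edge failures."""
    all_ok = 1.0
    for a, b in zip(path, path[1:]):
        all_ok *= 1.0 - graph[a][b]
    return 1.0 - all_ok


def assess(graph: Dict[str, Dict[str, float]], consequence: Dict[str, float],
           start: str, goal: str) -> List[Row]:
    """Score every path (probability x consequence), highest risk first."""
    rows: List[Row] = []
    for p in enumerate_paths(graph, start, goal):
        prob = path_failure_probability(graph, p)
        rows.append((p, prob, prob * consequence[goal]))
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows


def weakest_path(rows: List[Row]) -> Row:
    """The 'weak window': the path contributing the most risk."""
    return rows[0]


def balance_ratio(rows: List[Row]) -> float:
    """Highest path risk divided by lowest; close to 1.0 means a balanced implementation."""
    risks = [r[2] for r in rows]
    return max(risks) / min(risks)


def what_if(graph: Dict[str, Dict[str, float]], a: str, b: str, new_p: float) -> Dict[str, Dict[str, float]]:
    """Exploratory analysis: copy the graph with one edge's failure probability changed."""
    g = {k: dict(v) for k, v in graph.items()}
    g[a][b] = new_p
    return g


if __name__ == "__main__":
    before = assess(EDGES, CONSEQUENCE, "sensor", "report")
    for path, prob, risk in before:
        print(f"{' -> '.join(path):55s} P={prob:.4f} risk={risk:.3f}")
    print("weakest:", " -> ".join(weakest_path(before)[0]))
    print(f"balance ratio before: {balance_ratio(before):.2f}")
    # Hypothetical mitigation: integrity checking on the historian -> report flow.
    after = assess(what_if(EDGES, "historian", "report", 0.02), CONSEQUENCE, "sensor", "report")
    print(f"balance ratio after:  {balance_ratio(after):.2f}")
```

Running it shows the historian path as the weakest, with roughly twice the risk of the HMI path; after the what-if change the two paths carry comparable risk, which is the "balance" the text describes. In a real assessment the probabilities and consequences would come from the vulnerability analysis and the system's owners, and the independence assumption would need to be checked, since shared components (a common network, a common administrator) correlate failures across paths.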



[Figure: Risk Assessment Process]



For further information, contact:

Sharon K. Chapa
Sandia National Laboratories, MS-0449
Albuquerque, NM 87185-0449
Phone: (505) 844-2251
e-mail: skfletc@sandia.gov


Submitted October 1996
Layout design by Wanda Mar.