Structuring & Visualising Risk Management

Ho, Wei Seng Alan (2006). Structuring & Visualising Risk Management MPhil Thesis, School of Information Technology and Electrical Engineering, University of Queensland.

Attached Files (Some files may be inaccessible until you login with your UQ eSpace credentials)
Name Description MIMEType Size Downloads
n01front-Wei-Seng-HO.pdf n01front-Wei-Seng-HO.pdf application/pdf 1.59MB 3
n02content-Wei-Seng-HO.pdf n02content-Wei-Seng-HO.pdf application/pdf 1.59MB 3
Author Ho, Wei Seng Alan
Thesis Title Structuring & Visualising Risk Management
School, Centre or Institute School of Information Technology and Electrical Engineering
Institution University of Queensland
Publication date 2006
Thesis type MPhil Thesis
Supervisor Dr Robert Colomb
Subjects 280100 Information Systems
Abstract/Summary The dictionary defines risk as the potential harm that may arise from some present process or from some future event while vulnerability is the state of being vulnerable or exposed. Risk management helps to boost security by analysing current vulnerabilities in the organisation and assessing their likelihood in relation to the materialisation of a risk. In this project’s context, a relationship between risk and vulnerability can be defined as a particular vulnerability that is contributing to the materialisation of a risk. However, such relationships between risks and vulnerabilities are often complex and poses a challenge for human understanding. It is necessary to provide visualisation to easily see the relationships between risks and vulnerabilities and vulnerabilities that are contributing to the materialisation of a risk. In this project, the development of a causal network was proposed to visualise the relationships between risks and vulnerabilities. Through using deduction to reason about the likelihood of the risk under conditions of the presence or absence of vulnerabilities, the proposed causal network can help to structure the vulnerabilities into categories with relation to the risks that they are contributing to. Then, with visualisation included to present the categorisation, it allows the user to have a structured way in seeing a top-level view of risks that are high, medium or low in severity as well as a drill-down view of individual vulnerabilities that are contributing to a risk. In addition, a belief calculus called Subjective Logic (SL) was introduced to aid risk experts in expressing their opinion about vulnerabilities and risks in a more realistic approach, which is enabling them to differentiate between their gut feeling and past experiences. Instead of representing opinion in a one-dimensional (1D) scalar format, SL is adapted to represent conditional and joint probability calculations, as well as combining two joint probabilities in a three-dimensional (3D) format (belief, disbelief and uncertainty). This provides a richer input for risk assessment because SL is suitable for such situation where there is more or less uncertainty about whether a given proposition is true or false. The visualisation strategy is also adapted to exploit the richer risk assessment so that it provides the user a richer risk picture that enables them to make value–added risk assessment and mitigation strategies. This project believes the causal network together with SL can help organisation allocate valuable resources to derive mitigation strategies to resolve risks.

Citation counts: Google Scholar Search Google Scholar
Created: Fri, 21 Nov 2008, 14:25:27 EST