Showing posts with label Risk Assessment.

Wednesday, May 16, 2012

Application of Cost-Benefit Analysis and Risk Analysis

Using CBA and risk assessment, I was able to answer the question:
Is there an optimal level of security investment for small businesses to protect themselves from cyber-threats?

As it turns out, the solution lies in identifying, and then mitigating, the risk level of the business. I was able to create five questions that, when answered, would allow a small business owner to determine which solutions work best for him. Then, using those solutions, I can estimate monthly expenses that allow the benefits of protection to be equal to (or less than) the cost to maintain the solution.

The post has been published at lguelch.blogspot.com. The Excel spreadsheet used to define risk levels and compute the cost-benefit analysis can be accessed from: leslie.guelcher/files/cost_benefit_template.xlsx.

Feel free to post any questions or comments about the template or conclusions here or at lguelch.

Tuesday, April 17, 2012

Bayesian Analysis of Intelligence or Improved Advice to Decision-Makers

Introduction:

Although not a standard article, M. Elisabeth Paté-Cornell and David M. Blum’s ongoing research into the use of Bayesian analysis in intelligence problems is extremely relevant to the current subject matter. Their work builds on previous and ongoing research conducted by the National Center for Risk and Economic Analysis of Terrorism Events (CREATE).

(http://create.usc.edu/)

Summary:

According to the article, one of the main problems facing US national and homeland security is the response to very-near-future threats. While longer-term threats allow the time to build reports and plan courses of action, near-term threats do not. As a result, analysts need to be able to judge the reliability of new threat information in the context of all available intelligence in order to minimize both risk and responses to false threats. Researchers at CREATE have previously determined that Bayesian analysis is useful in such situations as a way to gauge the credibility of potential threat scenarios. Furthermore, Bayesian analysis has been used in conjunction with various other analytical approaches, including probabilistic risk analysis, game theory, and Markov models.

Although the use of Bayesian analysis to measure threats is not new, it has not yet been adopted by the intelligence community, for several reasons:

1) the idea of the prior in intelligence has not been well defined;

2) academic research tends to assume a substantial amount of pre-processing by analysts to produce intelligence reports from raw intelligence feeds;

3) many Bayesian tools evaluate only a single hypothesis, ignoring multiple strategic interests;

4) crises imply a short but moving time horizon, which current models lack;

5) the process through which new intelligence data relating to a threat updates the prior belief about the threat has been considered trivial.

This new research seeks to remove these obstacles by incorporating a moving time horizon into dynamic signaling games to better simulate crises, and also by creating a new model which will eliminate the intelligence community’s resistance to Bayesian techniques. The researchers then go through an in-depth research proposal, a case study, and the deliverables, the final results of which will be released in August 2012.

Further Readings:

Another research project on a similar topic is Bayesian Approach to Intelligence Analysis: (http://create.usc.edu/2011/03/bayesian_approach_to_intellige.html)

History of Bayesian analysis in risk assessment: http://www.usc.edu/dept/create/assets/001/50765.pdf

Probabilistic Modeling of Terrorist Threats: A Systems Analysis Approach to Setting Priorities Among Countermeasures: http://www.ingentaconnect.com/content/mors/mor/2002/00000007/00000004/art00004 (Purchase required)

Source:

http://create.usc.edu/2010/06/bayesian_analysis_of_intellige.html