EXPERIMENTAL VALIDATION OF A RISK ASSESSMENT METHOD

Transcription

EXPERIMENTAL VALIDATION OF A RISK ASSESSMENT METHOD
EXPERIMENTAL VALIDATION OF A RISK
ASSESSMENT METHOD
EELCO VRIEZEKOLK, SANDRO ETALLE, ROEL WIERINGA
OVERVIEW
THE PAPER, AND THIS PRESENTATION
Contribution: an approach to testing reliability of a method
Step 1: Identify and mitigate cause of variation
Step 2: Validation of effectiveness of mitigations
Step 3: Conduct experiment
Step 4: Analyse the results
Motivation: we are developing a risk assessment method,
for telecommunication service availability risks.
Results:
- the approach, description and test
- specific lessons for improving our risk assessment
- expert judgements (as ours) can have low reliability
Experimental Validation of a Risk Assessment Method, REFSQ2015
24-3-2015
2
RELIABILITY OF A METHOD
WHAT IS IT, WHY IS IT RELEVANT
A method is like a recipe, like an instrument.
If you use it as instructed, it will yield desired results.
Feasibility is desirable. Effort, skillset.
Validity is desirable. Sometimes difficult to ascertain.
Reliability is desirable.
▪
▪
!  Repeatability
!  Robustness
Consistency
Reproducibility (test–test)
!  Stability (test–retest)
To test reliability: apply the method multiple times, compare the results.
Experimental Validation of a Risk Assessment Method, REFSQ2015
24-3-2015
3
RELIABILITY OF A METHOD
WHAT IS IT, WHY IS IT RELEVANT
A method is like a recipe, like an instrument.
If you use it as instructed, it will yield desired results.
Feasibility is desirable. Effort, skillset.
Validity is desirable. Sometimes difficult to ascertain.
Reliability is desirable.
▪
▪
!  Repeatability
!  Robustness
Consistency
Source: Krippendorff, K. (2004) Content analysis:
an introduction to its methodology, Sage
Publications.
Reproducibility (test–test)
!  Stability (test–retest)
To test reliability: apply the method multiple times, compare the results.
Experimental Validation of a Risk Assessment Method, REFSQ2015
24-3-2015
4
DESIGN OF EXPERIMENTS TO TEST RELIABILITY
TEST THROUGH MULTIPLE APPLICATIONS, COMPARE RESULTS
!  Unreliable method
high variation in results
!  Low variation in results
reliable method
!  High variation in results
unreliable method ?
Causes of variation:
Environ!  Internal
ment
1.  the method itself
!  Contextual
2.  the subjects applying the method
3.  the case to which the method is applied
4.  then environment in which the method us applied.
Subjects
Case
Method
Results
Control contextual causes, then argue that observed variation must be due to causes
internal to the method.
Experimental Validation of a Risk Assessment Method, REFSQ2015
24-3-2015
5
STEP 1: IDENTIFY AND MITIGATE CAUSE OF VARIATION
AND STEP 2: VALIDATION OF MITIGATIONS
a.  Subjects applying the method: understand, be capable, be motivated.
!  misapplication and misunderstanding
!  lack of experience or expert knowledge
!  sufficiently motivated
Subjects
Case
Use of students is not necessarily a threat to validity.
b.  Case to which the method is applied.
!  avoid ambiguity
!  avoid interobserver disagreement, contentious
Environment
Method
Results
c.  Environment during application.
!  time, resources
!  physical comfort
Experimental Validation of a Risk Assessment Method, REFSQ2015
24-3-2015
6
STEP 4: ANALYSE RESULTS
MEASURE INTER-RATER RELIABILITY (IRR)
IRR = 1 – Observed disagreement
/ Expected disagreement
!  Scale: nominal (categorical), ordinal, interval, ratio scales.
!  Complete vs. partially incomplete (omitted items).
Measure
Raters
Scale
Missing data
Cohen’s κ,
Scott’s π
2
nominal
no
Fleiss’ κ
≥2
nominal
no
Spearman’s ρ
2
ordinal
no
Krippendorff’s α
≥2
any
yes
Experimental Validation of a Risk Assessment Method, REFSQ2015
24-3-2015
7
OUR EXPERIMENT
VALIDATING RELIABILITY OF OUR RISK ASSESSMENT METHOD
Risks to an organization, availability of telecommunication services.
!  Hazards on technical components; existing services.
!  Based on diagrams of telecommunication services.
!  Expert judgment: lack of information (infrastructure, risk scenarios)
for each component:
for each vulnerability:
assess likelihood of incident (ordinal / abstain),
assess impact of incident (ordinal / abstain).
Six teams of three students, each team making 138 frequency and 138
impact assessments.
Experimental Validation of a Risk Assessment Method, REFSQ2015
24-3-2015
8
FSQ
OUR EXPERIMENT
VALIDATING RELIABILITY OF OUR RISK ASSESSMENT METHOD
Risks to an organization, availability of telecommunication services.
employee 1
employee 2
!  Hazards on technical
relay server components; existing services.
external
contact
desktop
laptop
!  Based on diagrams of telecommunication
services.
carton
designer
graphic
artist
work station a
work station b
ethernet cable b
!  Expert judgment: lack of information
(infrastructure,
risk
scenarios)desk cable d
desk cable a
desk cable b
desk cable c
ext. mail server
MX 1
MX 2
for each component: DMZ
Department
Department
for each vulnerability:
1
2
assess
likelihood
of
incident
ethernet
cable a
ethernet
cable c (ordinal / abstain),
assess impact of incident (ordinal / abstain).
Server LAN
Firewall ext
Firewall DMZ
Firewall int
File server
Mail server
DHCP server
Six
teams of three
students, each
team making 138 frequency and 138
internet
fiber optic
DNS server
ethernet cable d
impact assessments.
Experimental Validation of a Risk Assessment Method, REFSQ2015
24-3-2015
9
CONCLUSIONS
EXPERT JUDGEMENT, LOW RELIABILITY
Approach to testing reliability expected to be more generally applicable.
Our experiment’s results had low reliability (high variation).
!  partially explained by contextual causes (not fully mitigated)
!  found one internal cause for variation
improvements to our method.
!  our method has to rely on expert judgments
–  Knowledge on architecture & risk scenarios is incomplete.
Implications for expert-based methods:
!  Experts retain a responsibility.
!  (Risk assessment) methods must support justification.
Experimental Validation of a Risk Assessment Method, REFSQ2015
24-3-2015
10