Risk Mitigation

Risk Management
Chao-Hsien Chu, Ph.D.
College of Information Sciences and Technology
The Pennsylvania State University
University Park, PA 16802
chu@ist.psu.edu
IST 515
Objectives
This module will familiarize you with the following:
• The basic terminology used in risk management.
• The role and importance of risk management practices.
• The identification of assets, threats, and vulnerabilities.
• Risk assessment methodologies.
• The risk assessment process.
• Risk management principles.
• Controls to identify, rate, and reduce the risk to specific information assets.
Readings
• Tipton, H. and Henry, K. (Eds.), Official (ISC)2 Guide to the
CISSP CBK, Auerbach, 2007. Domain 1 (Required).
• Stoneburner, G., Goguen, A. and Feringa, A., “Risk Management
Guide for Information Technology Systems,” NIST SP 800-30,
July 2002. (Required)
• Stine, K., Kissel, R., Barker, W. C., Fahlsing, J. and Gulick, J.,
“Guide for Mapping Types of Information and Information
Systems to Security Categories,” NIST SP 800-60, August 2008.
• Wikipedia, “Failure Mode and Effects Analysis,”
http://en.wikipedia.org/wiki/Failure_mode_and_effects_analysis
• Marquis, H., “Ten Steps to Do It Yourself CRAMM,” 2006.
http://www.itsmsolutions.com/newsletters/DITYvol2iss8.htm
Readings - Examples
• Tan, D., “Quantitative Risk Analysis Step-By-Step,” SANS
Institute, 2002.
• R. Marchany, “Conducting a Risk Analysis,” in Mark Luker
and Rodney Petersen (Eds), Computer and Network Security
in Higher Education, Chapter 3, EDUCAUSE. (STAR
Project).
• H. P. In, Y.-G. Kim, T. Lee, C.-J. Moon, Y. J., and I. Kim, "A
Security Risk Analysis Model for Information Systems," D.-K.
Baik (Ed.): AsiaSim 2004, LNAI 3398, Springer, pp. 505–513,
2005. (Quantitative Method)
Essential Terminologies
• Vulnerability: A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised and result in a security breach or a violation of the system's security policy.
• Threat: The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.
• Threat-Source: Either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability.
Elements of Risk Management
[Diagram from NIST SP 800-12 showing the elements: Risk Management, Risk Assessment, Safeguards, Assets (Data, Facilities, Hardware, Software), Vulnerability, Threat, Risk]
• Risk avoidance.
• Risk transfer.
• Risk mitigation.
• Risk acceptance.
Essential Terminologies
Risk:
• The possibility of loss (American Heritage Dictionary).
• The net negative impact of the exercise of a vulnerability, considering both the probability and the impact of occurrence (NIST SP 800-30).
• A function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of the adverse event on the organization.
Risk Management:
• The technique or profession of assessing, minimizing, and preventing accidental loss to a business, as through the use of insurance, safety measures (Random House Dictionary).
• Reduces risks by defining and controlling threats and vulnerabilities ((ISC)2).
• The process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level (NIST SP 800-30).
Examples of Critical Assets
• People and skills
• Goodwill
• Intellectual Property
• Hardware/Software
• Data
• Documentation
• Supplies
• Physical plant
• Money
[Diagram: Asset Value divided into Logical Asset and Physical Asset]
Common Computer Threats
• Errors and omissions.
• Fraud and theft.
• Employee sabotage.
• Loss of physical and infrastructure support.
• Malicious hackers.
• Industrial espionage.
• Malicious code.
• Threats to personal privacy.
• Insider threats.
Common Threat Sources
• Natural Threats. Floods, earthquakes, tornadoes, landslides, avalanches, electrical storms, and other such events.
• Human Threats. Malicious outsider or insider, terrorist, spy, political, human intervention.
• Environmental Threats. Long-term power failure, pollution, chemicals, liquid leakage.
• Technical Threats. Hardware/software failure, malicious code, unauthorized use.
• Physical Threats. Closed-circuit TV failure, perimeter defense failure.
• Operational Threats. Automated or manual process.
Human Threats
Threat-Source        | Motivation                                                                                          | Threat Actions
---------------------|-----------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------
Hacker, cracker      | Challenge; Ego; Rebellion                                                                           | Hacking; Social engineering; System intrusion, break-ins; Unauthorized system access
Computer criminal    | Destruction of information; Illegal information disclosure; Monetary gain; Unauthorized data alteration | Computer crime; Fraudulent act; Information bribery; Spoofing; System intrusion
Terrorist            | Blackmail; Destruction; Exploitation; Revenge                                                       | Bomb/Terrorism; Information warfare; System attack; System penetration; System tampering
Industrial espionage | Competitive advantage; Economic espionage                                                           | Economic exploitation; Information theft; Intrusion on personal privacy; Social engineering; System penetration; Unauthorized system access
Insider              | Curiosity; Ego; Intelligence; Monetary gain; Revenge; Unintentional errors and omissions            | Assault on an employee; Blackmail; Browsing of proprietary information; Computer abuse; Fraud and theft; Information bribery; Input of falsified, corrupted data; Interception; Malicious code; Sale of personal information; System bugs; System intrusion; System sabotage; Unauthorized system access
Vulnerabilities
• Flaw or weakness in system that can be exploited
to violate system integrity.
– Security Procedures
– Design
– Implementation
• Threats trigger vulnerabilities:
– Accidental
– Malicious
Vulnerability Sources
• Previous risk assessment document of the IT system assessed.
• Audit reports, system anomaly reports, security review reports, and system test and evaluation reports.
• Vulnerability lists such as the NIST I-CAT vulnerability database (http://icat.nist.gov).
• Security advisors.
• Vendor advisories.
• Commercial computer/incident/emergency response teams and post lists (e.g., SecurityFocus.com).
• Information Assurance Vulnerability Alerts and bulletins for military systems.
• System software security analyses.
Vulnerability/Threat Pairs
Vulnerability                                                                                                       | Threat-Source           | Threat Action
--------------------------------------------------------------------------------------------------------------------|-------------------------|---------------------------------------------------------------------------------
Terminated employees' system IDs are not removed from the system                                                    | Terminated employees    | Dialing into the company's network and accessing company proprietary data
Company firewall allows inbound telnet and guest ID enabled on XYZ server                                           | Unauthorized users      | Using telnet to XYZ server and browsing system files with the guest ID
The vendor has identified flaws in the security design of the system                                                | Unauthorized users      | Obtaining unauthorized access to sensitive system files based on known system vulnerabilities
Data center uses water sprinklers to suppress fire; tarpaulins to protect hardware and equipment from water damage are not in place | Fire, negligent persons | Water sprinklers being turned on in the data center
Types of Risk Analysis
• Quantitative:
– Assigns real numbers to costs of safeguards and damage
– Annual loss exposure (ALE)
– Probability of event occurring
– Can be unreliable/inaccurate
• Qualitative:
– Judges an organization's risk to threats
– Based on judgment, intuition, and experience
– Ranks the seriousness of the threats against the sensitivity of the assets
– Subjective, lacks hard numbers to justify return on investment
Process of Quantitative Analysis
• Seek initial management approval.
• Establish a risk assessment team.
• Review information currently available within the organization.
• Estimate the loss – SLE (Single Loss Expectancy):
  SLE = asset value (in $) × exposure factor (loss in a successful threat exploit, as %)
• Calculate the Annualized Rate of Occurrence (ARO) – how often a threat will be successful in exploiting a vulnerability over the period of a year (or Likelihood of Exploitation).
• Calculate the Annualized Loss Expectancy (ALE):
  ALE = ARO × SLE
Example of Quantitative Analysis
• Risk = Risk-impact × Risk-probability
– Loss of car: risk-impact is the cost to replace the car, e.g. $10,000
– Probability of car loss: 0.10
– Risk = 10,000 × 0.10 = 1,000
• Generally measured per year
– Annual Loss Exposure (ALE)
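The SLE/ARO/ALE steps above carried through for a small asset register, as an added example (not code from the lecture). The asset values, exposure factors and occurrence rates are constructed; the car row reproduces the slide's $10,000 × 0.10 case.

```python
"""Quantitative risk analysis: SLE, ARO and ALE for a constructed asset register."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One threat/vulnerability pair acting on one asset."""
    asset: str
    threat: str
    asset_value: float      # replacement or recovery value in dollars
    exposure_factor: float  # fraction of the asset value lost per successful event (0..1)
    aro: float              # annualized rate of occurrence (successful events per year)

    def sle(self) -> float:
        """Single Loss Expectancy = asset value x exposure factor."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy = ARO x SLE."""
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")
        return self.aro * self.sle()


def aro_from_interval(years_between_events: float) -> float:
    """Turn 'one event every N years' into an annualized rate.

    An event expected once in 25 years has ARO = 0.04; one expected three
    times a year has ARO = 3.0 (years_between_events = 1/3).
    """
    if years_between_events <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / years_between_events


def rank_by_ale(exposures: list[Exposure]) -> list[tuple[str, str, float]]:
    """Return (asset, threat, ALE) rows, highest annual exposure first."""
    return sorted(((e.asset, e.threat, e.ale()) for e in exposures),
                  key=lambda row: row[2], reverse=True)


# Constructed register (values are illustrative, not from any real assessment).
REGISTER = [
    Exposure("company car", "theft / total loss", 10_000, 1.0, 0.10),
    Exposure("payroll server", "ransomware outage", 250_000, 0.40, aro_from_interval(5)),
    Exposure("data center", "sprinkler water damage", 1_000_000, 0.25, aro_from_interval(25)),
    Exposure("HR database", "insider data disclosure", 500_000, 0.10, 2.0),
]

if __name__ == "__main__":
    for asset, threat, ale in rank_by_ale(REGISTER):
        print(f"{asset:15s} {threat:25s} ALE = ${ale:,.0f}")
```

The ranking is what the later ROI step consumes: a safeguard is worth considering when the ALE it removes exceeds its annual cost.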
Elements of Security Risks
Classification of Assets, Threats and Vulnerabilities
Asset               | Threat                   | Vulnerability
--------------------|--------------------------|----------------------------------------------------------
1. Information/Data | 1. Human/Non-human       | 1. Administering (documents, personnel, regulation)
2. Documents        | 2. Network/Physical      | 2. Physical circumstances or facilities
3. Hardware         | 3. Technical/Environment | 3. Technical (hardware, software, communication/network)
4. Software         | 4. Inside/Outside        |
5. Human Resource   | 5. Accidental/Deliberate |
6. Circumstances    |                          |
Example of Risk Analysis
Logic of Risk Analysis
• RISK = Loss * Probability
• Loss means the decline of asset value when an asset is exposed to some vulnerabilities.
• Probability means the probability of threat occurrence from the corresponding vulnerabilities.
• Total Risk of AM3
  = 100 x (0.8 x 0.5 + 0.9 x 0.7 + 0.6 x 0.4) / 3
  = 100 x 1.27 / 3
  = 42.3
The Effectiveness of Risk Mitigation Methods
Vulnerability Model                              | Vaccine | Smart Card | Firewall
-------------------------------------------------|---------|------------|---------
VM1 (unprotected major communication facilities) | 0.2     | 0.6        | 0.1*
VM2 (unfit network management)                   | 0.6     | 0.5        | 0.5
VM3 (unprotected storage devices)                | 0.3     | 0.2        | 0.1
(Each cell is the vulnerability rate that remains after the mitigation method is applied.)
Mitigation Effect
• Applying a risk mitigation method to some vulnerabilities can reduce the rate of not only one vulnerability but also several related vulnerabilities simultaneously.
• We can estimate the risk reduction more accurately by considering which vulnerabilities are affected when a risk mitigation method is selected.
• Risk reduction after applying firewall
  = 100 * (0.1 * 0.5 + 0.5 * 0.7 + 0.1 * 0.4) / 3
  = 100 * 0.44 / 3 = 14.7
Risk Analysis
• What kind of threats can be reduced?
• What are residual risks if the risk mitigations are
applied?
• What is the ROI of each risk mitigation?
• ROI = Benefit / Cost
• Benefit = (initial risk) - (residual risk after the risk
mitigation method is applied)
• Total Cost = Acquisition Cost + Operation Cost +
Business Opportunity Cost
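The AM3 model, the mitigation table and the ROI formula above, carried through in one place as an added example (not code from the lecture). Asset value, vulnerability rates, threat probabilities and residual rates are the slides' numbers; the per-method costs are constructed because the slides give only the cost formula. Under the slides' own ROI definition the 14.7 computed for the firewall is the residual risk, and the benefit is 42.3 minus it.

```python
"""Risk, mitigation effect and ROI for the lecture's asset AM3."""
from __future__ import annotations

ASSET_VALUE = 100.0

# Vulnerability rate and probability of the corresponding threat occurring,
# per vulnerability model of asset AM3 (values from the slides).
VULNERABILITIES = {
    "VM1": {"rate": 0.8, "threat_prob": 0.5},  # unprotected major communication facilities
    "VM2": {"rate": 0.9, "threat_prob": 0.7},  # unfit network management
    "VM3": {"rate": 0.6, "threat_prob": 0.4},  # unprotected storage devices
}

# Residual vulnerability rate after each mitigation method (slides' table).
MITIGATIONS = {
    "vaccine":    {"VM1": 0.2, "VM2": 0.6, "VM3": 0.3},
    "smart card": {"VM1": 0.6, "VM2": 0.5, "VM3": 0.2},
    "firewall":   {"VM1": 0.1, "VM2": 0.5, "VM3": 0.1},
}

# Constructed total costs (acquisition + operation + business opportunity),
# in the same units as the risk figures; the slides give no cost figures.
COSTS = {"vaccine": 4.0, "smart card": 12.0, "firewall": 9.0}


def total_risk(rates: dict[str, float] | None = None) -> float:
    """RISK = Loss x Probability, averaged over the asset's vulnerabilities.

    Loss for one vulnerability is asset value x vulnerability rate; the
    slide divides the sum over vulnerabilities by their count (3 for AM3).
    """
    if rates is None:
        rates = {vm: v["rate"] for vm, v in VULNERABILITIES.items()}
    terms = [rates[vm] * v["threat_prob"] for vm, v in VULNERABILITIES.items()]
    return ASSET_VALUE * sum(terms) / len(terms)


def residual_risk(method: str) -> float:
    """Risk of AM3 once `method` has lowered the vulnerability rates.

    One method changes several related vulnerabilities at once, which is the
    "mitigation effect" the slides describe.
    """
    return total_risk(MITIGATIONS[method])


def roi(method: str) -> float:
    """ROI = Benefit / Cost, with Benefit = initial risk - residual risk."""
    benefit = total_risk() - residual_risk(method)
    return benefit / COSTS[method]


def rank_methods() -> list[tuple[str, float, float]]:
    """(method, residual risk, ROI) rows, best ROI first."""
    rows = [(m, residual_risk(m), roi(m)) for m in MITIGATIONS]
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    print(f"initial risk of AM3: {total_risk():.1f}")
    for method, res, r in rank_methods():
        print(f"{method:10s} residual risk = {res:5.1f}  ROI = {r:.2f}")
```

With the constructed costs the cheap vaccine outranks the firewall on ROI even though the firewall leaves the lowest residual risk, which is why the slides ask for both the residual risk and the ROI of each option.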
Process of Qualitative Assessment
• Seek management approval to conduct analysis.
• Form a risk assessment team.
• Request related documents.
• Set up interviews with organizational members to identify vulnerabilities, threats and countermeasures.
• Analyze the data: matching the threat to a vulnerability, matching threats to assets, determining how likely the threat is to exploit the vulnerability, determining the impact to the organization in the event an exploit is successful, and matching current and planned countermeasures (that is, protection) to the threat–vulnerability pair.
• Calculate risk.
• Recommend countermeasures and calculate residual risk.
Likelihood Definitions
Likelihood Level | Likelihood Definition
-----------------|--------------------------------------------------------------------------------------------------------------------------------------------
High             | The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.
Medium           | The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.
Low              | The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised.
Magnitude of Impact Definitions
Magnitude of Impact | Impact Definition
--------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
High                | Exercise of the vulnerability (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization's mission, reputation, or interest; or (3) may result in human death or serious injury.
Medium              | Exercise of the vulnerability (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm, or impede an organization's mission, reputation, or interest; or (3) may result in human injury.
Low                 | Exercise of the vulnerability (1) may result in the loss of some tangible assets or resources or (2) may noticeably affect an organization's mission, reputation, or interest.
Risk-Level Matrix
Threat Likelihood | Impact: Low (10)     | Impact: Medium (50)    | Impact: High (100)
------------------|----------------------|------------------------|------------------------
High (1.0)        | Low (10 x 1.0 = 10)  | Medium (50 x 1.0 = 50) | High (100 x 1.0 = 100)
Medium (0.5)      | Low (10 x 0.5 = 5)   | Medium (50 x 0.5 = 25) | Medium (100 x 0.5 = 50)
Low (0.1)         | Low (10 x 0.1 = 1)   | Low (50 x 0.1 = 5)     | Low (100 x 0.1 = 10)
Risk Scale and Necessary Actions
Risk Level | Risk Description and Necessary Actions
-----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
High       | If an observation or finding is evaluated as a high risk, there is a strong need for corrective measures. An existing system may continue to operate, but a corrective action plan must be put in place as soon as possible.
Medium     | If an observation is rated as medium risk, corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time.
Low        | If an observation is described as low risk, the system's DAA must determine whether corrective actions are still required or decide to accept the risk.
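The risk-level matrix and risk scale above turned into a rating routine, as an added example (not code from the lecture). It uses the slides' numeric weights (likelihood 1.0/0.5/0.1, impact 100/50/10), derives the Low/Medium/High bands so that the matrix's boundary cells come out as shown (1.0 x 50 = 50 is Medium, 0.1 x 100 = 10 is Low), and rates a constructed set of findings drawn from the vulnerability/threat pairs earlier in the module.

```python
"""Risk determination: likelihood x impact -> risk level -> necessary action."""
from __future__ import annotations

LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}

# Bands implied by the slide's matrix; the upper bound of each band is
# inclusive, so a score of exactly 50 is Medium and exactly 10 is Low.
BANDS = [(10, "Low"), (50, "Medium"), (100, "High")]

ACTIONS = {
    "High": "strong need for corrective measures; corrective action plan as soon as possible",
    "Medium": "corrective actions needed; plan them within a reasonable period of time",
    "Low": "DAA decides whether corrective action is still required or accepts the risk",
}


def risk_score(likelihood: str, impact: str) -> float:
    """Multiply the likelihood weight by the impact value, as in the matrix."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: float) -> str:
    """Map a score on the 1..100 scale to the matrix's Low/Medium/High band."""
    if not 0 < score <= 100:
        raise ValueError(f"score {score} is outside the 1..100 risk scale")
    for upper, level in BANDS:
        if score <= upper:
            return level
    raise AssertionError("unreachable: BANDS covers the whole scale")


def assess(findings: list[tuple[str, str, str]]) -> list[dict[str, object]]:
    """Rate each (finding, likelihood, impact) triple, highest score first.

    Ties keep their input order, so sorting is stable for equal scores.
    """
    rated = []
    for name, likelihood, impact in findings:
        score = risk_score(likelihood, impact)
        level = risk_level(score)
        rated.append({"finding": name, "score": score,
                      "level": level, "action": ACTIONS[level]})
    return sorted(rated, key=lambda r: r["score"], reverse=True)


# Constructed findings; likelihood/impact ratings are illustrative.
FINDINGS = [
    ("terminated employees' system IDs still active", "High", "Medium"),
    ("inbound telnet allowed with guest ID enabled", "Medium", "High"),
    ("sprinklers in data center, no tarpaulins in place", "Low", "High"),
    ("vendor-reported design flaw, fix not yet applied", "Medium", "Medium"),
]

if __name__ == "__main__":
    for row in assess(FINDINGS):
        print(f"{row['score']:5.1f} {row['level']:6s} {row['finding']}: {row['action']}")
```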
Example of Risk Scales
Likelihood: 1. Rare; 2. Unlikely; 3. Moderate; 4. Likely; 5. Almost Certain
Impact: 5. Extreme; 4. Very High; 3. Medium; 2. Low; 1. Negligible
Comments
Because of the time constraint, I will not continue to cover the remaining slides. As you can see, there are more materials and examples that we can cover in a class lesson. If you are interested in the topic, please read the materials by yourself or consider taking an in-depth course like IST 564 or SRA 330. Both courses cover risk management extensively.
Assets and Their Priority
Description of Asset                       | Machine Name    | Priority+
-------------------------------------------|-----------------|----------
Authentication-authorization services      | host1.dept.edu  | C
DNS name server                            | host2.dept.edu  | C
Physical plant, environmental servers      | host3.dept.edu  | C
DNS name server (secondary)                | host4.dept.edu  | C
Network (routers, servers, modems, etc.)   | host5.dept.edu  | C
HR database server                         | host6.dept.edu  | E
Payroll server                             | host7.dept.edu  | E
Production control servers                 | host8.dept.edu  | N
Client systems (Win95/NT, Macs)            | host9.dept.edu  | N
Database group "crash-and-burn" system     | host10.dept.edu | N
+ C, critical element; E, essential; N, normal
STAR Project
Definition of Priority
• Critical: If the loss of its function would result
in the university ceasing to function as a
business entity.
• Essential: The loss of asset would cripple the
university’s capacity to function, but it could
survive for a week or so without the asset. All
effort would be made to restore the function
within a week.
• Normal: If the loss of asset resulted in some
inconvenience.
STAR Project
Asset Weight Matrix to Prioritize IT Assets
[Table: each row asset is weighted against the column assets A/A (authentication-authorization services), DNS(p), Plant, DNS(s), Network and HR, with a Total Votes row at the bottom. Row assets: Authentication-authorization services; DNS name server (primary); Physical plant, environmental servers; DNS name server (secondary); Network (routers, servers, modems, etc.); HR database server. The cell values are not recoverable from this copy of the slide.]
STAR Project
List of Controls for Critical Risks
Risk                             | Description
---------------------------------|---------------------------------------------------------------
Clear text                       | Clear text data moving among our systems and networks
Client system access control     | Control of access to distributed desktop client workstations
Construction mistakes            | Service interruptions during construction, renovations
Key person dependency            | Too few staff to cover critical responsibilities
Natural disaster                 | Flood, earthquake, fire, etc.
Passwords                        | Selection, security, number of passwords, etc.
Physical security (IS internal)  | IS private space (machine room, wire closets, offices, etc.)
Physical security (IS external)  | IS public space (laboratories, classrooms, library, etc.)
Spoofing                         | E-mail and IP address forgery or circumvention
Data disclosure                  | Inappropriate acquisition or release of university data
System administration practices  | Adequacy of knowledge, skills, and procedures
Operational policies             | Appropriate strategies, directions, and policies
STAR Project
Summary of Compliance Matrix
[Table: IS assets at Site 1 through Site 4 are rated OK, Caution, Fail or Future against each Unix security risk: Overall; System admin. practices; Data disclosure; Passwords; Key person dependency; Physical security. The per-site ratings are not recoverable from this copy of the slide.]
STAR Project
Risk Assessment Methodologies
• NIST SP 800-30 and 800-66 (HIPAA).
• OCTAVE (Operationally Critical Threat, Asset
and Vulnerability Evaluation). Carnegie Mellon
University.
• FRAP (Facilitated Risk Analysis Process). Tom
Peltier.
• CRAMM (CCTA Risk Analysis and
Management Method).
• Spanning Tree Analysis.
• Failure Modes and Effect Analysis.
Risk Assessment Methodologies
Method                                              | Source                                                      | Feature                                    | Industry
----------------------------------------------------|-------------------------------------------------------------|--------------------------------------------|-----------------------
NIST SP 800-30; 800-66                              | NIST                                                        | Qualitative                                | Healthcare; HIPAA
OCTAVE                                              | Carnegie Mellon Univ. Software Institute                    | Qualitative                                | Software
FRAP (Facilitated Risk Analysis Process)            | Tom Peltier, 2005                                           | Qualitative                                | General
CRAMM (CCTA Risk Analysis and Management Method)    | Central Computing and Telecommunications Agency, 2007       | Qualitative                                | NATO; Unisys; RAC
Spanning Tree Analysis                              | (ISC)2 Information Systems Security Engineering Professional | Quantitative                               |
FMEA (Failure Modes and Effect Analysis)            | US Military, 1940                                           | Quantitative; hardware & software systems  | Aerospace; Automotive
Risk Assessment Process - NIST
• System characterization.
• Vulnerability identification.
• Threat identification.
• Countermeasure identification.
• Likelihood determination.
• Impact determination.
• Risk determination.
• Additional countermeasures recommendations.
• Document results.
Input / Risk Assessment Activities / Output (reformatted from the NIST SP 800-30 flowchart):
1. System Characterization
   Input: Hardware/software; System interfaces; Data & information; People; System mission
   Output: System boundary; System functions; System and data criticality; System and data sensitivity
2. Threat Identification
   Input: History of attack; Data from intelligence agencies
   Output: Threat statement
3. Vulnerability Identification
   Input: Reports from prior risk assessment; Audit comments; Security requirements; Security test results
   Output: List of potential vulnerabilities
4. Control Analysis
   Input: Current controls; Planned controls
   Output: List of current and planned controls
5. Likelihood Determination
   Input: Threat-source motivation; Threat capacity; Nature of vulnerability; Current controls
   Output: Likelihood rating
6. Impact Analysis (loss of integrity, loss of availability, loss of confidentiality)
   Input: Mission impact analysis; Asset criticality assessment; Data criticality; Data sensitivity
   Output: Impact rating
7. Risk Determination
   Input: Likelihood of threat exploitation; Magnitude of impact; Adequacy of planned or current controls
   Output: Risk and associated risk levels
8. Control Recommendation
   Output: Recommended controls
9. Result Documentation
   Output: Risk assessment report
Risk Mitigation Action Points
[Decision flow, reformatted from the slide's diagram]
Threat source acts on the system design:
  Vulnerable?                          No -> No risk
  Yes: Exploitable?                    No -> No risk
  Yes: Risk exists (vulnerability to attack exists)
  Attacker's cost < gain?              No -> Accept risk
  Yes: Loss anticipated > threshold?   No -> Accept risk
  Yes (both conditions hold)           -> Unacceptable risk
How Does Risk Management Work?
Risk Management Cycle (from GAO/AIMD-99-139):
Risk Assessment
  • Define boundaries, scope, and methodology
  • Collect and synthesize data
  • Interpret results
Risk Mitigation
  • Select safeguard*
  • Implement control
  • Accept residual risk
* There are many approaches to safeguard selection
Risk Management Principles
• Risk Avoidance. The practice of coming up with alternatives so that the risk in question is not realized.
• Risk Transfer. The practice of passing on the risk in question to another entity, such as an insurance company.
• Risk Mitigation. The practice of eliminating or significantly decreasing the level of risk presented. E.g., a company can put countermeasures such as a firewall, IDS etc. in place to deter malicious users from accessing highly sensitive information.
• Risk Acceptance. The practice of simply accepting certain risk(s), typically based on a business decision that may also weigh the cost versus the benefit of dealing with the risk in another way.
Risk Mitigation Options
• Risk Assumption. To accept the potential risk and continue operating the IT system or to implement controls to lower the risk to an acceptable level.
• Risk Avoidance. To avoid the risk by eliminating the risk cause and/or consequence (e.g., forgo certain functions of the system or shut down the system when risks are identified).
• Risk Limitation. To limit the risk by implementing controls that minimize the adverse impact of a threat's exercising a vulnerability (e.g., use of supporting, preventive, detective controls).
• Risk Planning. To manage risk by developing a risk mitigation plan that prioritizes, implements, and maintains controls.
• Research and Acknowledgment. To lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct the vulnerability.
• Risk Transference. To transfer the risk by using other options to compensate for the loss, such as purchasing insurance.
Risk Management Actions
Impact \ Likelihood | Low                                          | Medium                        | High
--------------------|----------------------------------------------|-------------------------------|-------------------------------
Significant         | Considerable management required             | Must manage and monitor risks | Extensive management essential
Moderate            | Risks may be worth accepting with monitoring | Management effort worthwhile  | Management effort required
Minor               | Accept risks                                 | Accept, but monitor risks     | Manage and monitor risks
Controls
• Mechanisms or procedures for mitigating
vulnerabilities
– Prevent
– Detect
– Recover
• Understand cost and coverage of control
• Controls follow vulnerability and threat
analysis
Risk Mitigation Strategy
• When a vulnerability (or flaw, weakness) exists -> implement assurance techniques to reduce the likelihood of the vulnerability's being exercised.
• When a vulnerability can be exercised -> apply layered protections, architectural designs, and administrative controls to minimize the risk of or prevent this occurrence.
• When the attacker's cost is less than the potential gain -> apply protections to decrease an attacker's motivation by increasing the attacker's cost (e.g., use of system controls such as limiting what a system user can access and do can significantly reduce an attacker's gain).
• When loss is too great -> apply design principles, architectural designs, and technical and nontechnical protections to limit the extent of the attack, thereby reducing the potential for loss.

Input / Risk Mitigation Activities / Output (reformatted from the NIST SP 800-30 flowchart):
1. Prioritize Actions
   Input: Risk levels from the risk assessment report
   Output: Actions ranking from high to low
2. Evaluate Recommended Control Options (feasibility, effectiveness)
   Input: Risk assessment report
   Output: List of possible controls
3. Conduct Cost-Benefit Analysis
   Input: Impact of implementing; Impact of not implementing; Associated costs
   Output: Cost-benefit analysis
4. Select Controls
   Output: Selected controls
5. Assign Responsibility
   Output: List of responsible persons
6. Develop Safeguard Implementation Plan
   Input: Risks and associated risk levels; Prioritized actions; Recommended controls; Selected planned controls; Responsible persons; Start date; Target completion date; Maintenance requirements
   Output: Safeguard implementation plan
7. Implement Selected Controls
   Output: Residual risks
Categories of Security Control
Security controls, when used appropriately, can prevent, limit, or deter threat-source damage to an organization's mission. An organization should consider technical, management, and operational security controls, or a combination of such controls, to maximize the effectiveness of controls for their IT systems and organization.
• Technical Controls. These controls usually involve system architecture, engineering disciplines, and security packages with a mix of hardware, software, and firmware.
• Management Controls. These controls focus on the stipulation of information protection policy, guidelines, and standards.
• Operational Controls. These controls ensure that security procedures are properly enforced and implemented in accordance with the organization's goals and mission.
Framework of Technical Security Controls
[Reformatted from the slide's diagram of a user or process acting on a resource]
Support: Identification; Cryptographic Key Management; Security Administration; System Protections (least privilege, object reuse, process separation)
Prevent: Authentication; Authorization; Access Control Enforcement; Nonrepudiation; Protected Communications (safe from disclosure, substitution, modifications & replay); Transaction Privacy
Detect, Recover: Audit; Intrusion Detection and Containment; Proof of Wholeness; Resource State Restore
Management Security Controls
Preventive:
• Assign security responsibility.
• Develop and maintain system security plan.
• Implement personnel security controls such as separation of duties, least privilege, and user computer access registration and termination.
• Conduct security awareness and technical training.
Detection:
• Implement personnel security controls such as personnel clearance, background investigations, rotation of duties.
• Conduct periodic review of security controls.
• Perform periodic system audits.
• Conduct ongoing risk management.
• Authorize IT systems to address and accept residual risk.
Recovery:
• Provide continuity of support and develop, test, and maintain the continuity of operations plan.
• Establish an incident response capability to prepare for, recognize, report, and respond to the incident and return the system to operational status.
Operational Security Controls
Preventive:
• Control data media access and disposal (e.g., physical access control, degaussing method).
• Limit external data distribution (e.g., use of labeling).
• Control software viruses.
• Safeguard computing facility.
• Secure wiring closets that house hubs and cables.
• Provide backup capability.
• Establish off-site storage procedures and security.
• Protect laptops, personal computers (PC), workstations.
• Protect IT assets from fire damage.
• Provide emergency power source.
• Control the humidity and temperature of the computing facility.
Detection:
• Provide physical security.
• Ensure environmental security.
Potential Projects
• Developing a risk management plan.
• A qualitative risk assessment approach to xxx.
• A quantitative risk assessment approach to xxx.
• A comparative analysis of risk assessment methods.