895 results for security risk analysis


Abstract:

Builds on earlier work which reported on the experience of the Hong Kong Government in using risk analysis techniques in capital cost estimating. In 1993 the Hong Kong Government implemented a methodology for capital cost estimating using risk analysis (ERA) in its public works planning. This calculated amount replaces the pre-1993 contingency allowance, which was merely a percentage addition on top of the base estimate of a project. Adopts a team approach to identify, classify and cost the uncertainties associated with a project. The sum of the average risk allowance for the identified risk events thus becomes the contingency. A study of the effect of ERA was carried out to compare the variability and consistency of the contingency estimates between non-ERA and ERA projects. The preliminary results of a survey showed a highly significant difference in variation and consistency between these groups. This analysis indicates the successful use of the ERA method for public works projects to reduce unnecessary and exaggerated allowance for risk. However, the contingency allowance for ERA projects was also considered high. Adds data from the UK with descriptions of 41 private sector projects which fall into the non-ERA category and reflect better performance in the determining of contingency allowances.

Abstract:

This paper formed the basis of a presentation to the Law Institute, Victoria, on 11 November 2002. The motivation for this paper has come from the recent writings of Laurence Boulle, J. H. Wade, and Gregorio Billikopf-Encina. In addition to the acumen contained in the writings of the three authors above, this paper is laced with assertions and anecdotal evidence derived from the authors' experience in a variety of negotiation and mediation settings.

Abstract:

This research takes the form of a review and looks at the current advisories offered to information security professionals in the area of critical information infrastructure protection. A critical information infrastructure protection model is also presented along with a critical review of some of the recent formal guidance that has been offered. The Critical Information Infrastructure Protection - Risk Analysis Methodology (CIIP-RAM) is then offered as a solution to the lack of information and advice.

Abstract:

This paper proposes a framework for merging inconsistent beliefs in the analysis of security protocols. The merge application is a procedure of computing the inferred beliefs of message sources and resolving the conflicts among the sources. Some security properties of secure messages are used to ensure the correctness of authentication of messages. Several instances are presented, and demonstrate that our method is useful in resolving inconsistent beliefs in secure messages.

Abstract:

Understanding and managing information infrastructure (II) security risks is a priority to most organizations dealing with information technology and information warfare (IW) scenarios today (Libicki, 2000). Traditional security risk analysis (SRA) was well suited to these tasks within the paradigm of computer security, where the focus was on securing tangible items such as computing and communications equipment (NCS, 1996; Cramer, 1998). With the growth of information interchange and reliance on information infrastructure, the ability to understand where vulnerabilities lie within an organization, regardless of size, has become extremely difficult (NIPC, 1996). To place a value on the information that is owned and used by an organization is virtually an impossible task. The suitability of risk analysis to assist in managing IW and information infrastructure-related security risks is unqualified; however, studies have been undertaken to build frameworks and methodologies for modeling information warfare attacks (Molander, Riddile, & Wilson, 1996; Johnson, 1997; Hutchinson & Warren, 2001) which will assist greatly in applying risk analysis concepts and methodologies to the burgeoning information technology security paradigm, information warfare.

Abstract:

Security protocol analysis has been discussed for quite some time in the past few years. Although formal methods have been widely used to identify various vulnerabilities, mainly susceptibility to freshness attacks and impersonation, the arisen inconsistent data between principals and collusion attacks held by a group of dishonest principals have been largely ignored. Moreover, the previous methods focus on reasoning about certain security-related properties and detecting known attacks against secure messages, whereas there have been insufficient efforts to handle the above hidden but powerful attacks. In this paper, we address these critical issues and prove the efficiency and intuitiveness of rule-based dependency models in defending a protocol against the attacks. This is able to provide a numerical estimation to measure the occurrence of these attacks. It will be useful in enhancing the current protocol analysis.

Abstract:

This paper examines the emergent security risk that information warfare poses to critical infrastructure systems, particularly as governments are increasingly concerned with protecting these assets against attack or disruption. Initially it outlines critical infrastructure systems and the notion of information warfare. It then discusses the potential implications and examines the concerns and vulnerabilities such cyber attacks would pose, utilising exemplar online attack occurrences. It then examines the current Australian situation before suggesting some considerations to mitigate the potential risk that information warfare poses to critical infrastructure systems, and by association: government, industry and the wider community.

Abstract:

Secure management of Australia’s commercial Critical Infrastructure presents ongoing challenges to both the owners of this infrastructure as well as to the Australian Federal government. The security management process is currently managed through high-level information sharing via collaboration, but does this situation suit the commercial sector? One of the issues facing Australia is that the majority of critical infrastructure resides under the control of the business sector and certain aspects of the critical infrastructure, such as Supply Chain Management (SCM) systems, are distributed entities that span a number of commercial organisations. Another issue is that these SCM systems can be used for the transportation of varied items, such as retail items or food. This paper will explore the security issue related to food SCM systems and their relationship to critical infrastructure. The paper will focus upon the security and risk issues associated with SCM system protection within the realms of critical infrastructure protection. The paper will review the security standard ISO 28000 - Supply Chain Security Management Standard. The paper will propose a new conceptual security risk analysis approach that will form the basis of a future Security Risk Analysis approach. This new approach will be aimed at protecting SCM systems.

Abstract:

Many methodologies exist to assess the security risks associated with unauthorized leakage, modification and interruption of information for a given organisation. We argue that the traditional orientation of these methodologies, towards the identification and assessment of technical information assets, obscures key risks associated with the cultivation and deployment of organisational knowledge. Our argument is developed through an illustrative case study in which a well-documented methodology is applied to a complex data back-up process. This process is seen to depend, in subtle and often informal ways, on knowledge to sustain operational complexity, handle exceptions and make frequent interventions. Although typical information security methodologies identify people as critical assets, we suggest a new approach might draw on more detailed accounts of individual knowledge, collective knowledge, and their relationship to organisational processes. Drawing on the knowledge management literature, we suggest mechanisms to incorporate these knowledge-based considerations into the scope of information security risk methodologies.