About Us Our Work Employment News & Events
MITRE Remote Access for MITRE Staff and Partners Site Map
Our Work
Overview
Mission Areas
Systems Engineering
Information Technology
MITRE Research Program
MITRE Federal Employee Fellowship Program
Technology Transfer Office
Technical Papers

Follow Us:
Visit MITRE on Facebook
Visit MITRE on Twitter
Visit MITRE on Linkedin
Visit MITRE on YouTube
View MITRE's RSS Feeds
View MITRE's Mobile Apps
Home > Our Work > Technical Papers >

The Risk-to-Mission Assessment Process (RiskMAP): A Sensitivity Analysis and an Extension to Treat Confidentiality Issues

October 2009

Jim Watters, The MITRE Corporation
Shaun Morrissey, The MITRE Corporation
Deborah Bodeau, The MITRE Corporation
Sue Cohn Powers, The MITRE Corporation

ABSTRACT

As part of the I3P's Survivability and Recovery of PCS project, The MITRE Corporation conducted a sensitivity analysis of its Risk-to-Mission Assessment Process (RiskMAP) methodology, and developed an extension to RiskMAP, to address Confidentiality as a security issue along with Integrity and Availability.

The initial purpose of the sensitivity analysis was to determine the range of conditions under which RiskMAP's calculation of relative weights for Tasks, Assets and Nodes would behave as order-preserving operations. Over the course of the sensitivity analysis, the RiskMAP team reexamined the methodology's mathematical foundations and the techniques used to generate the primary RiskMAP artifacts: A dependency network and a series of Pareto-style charts that rank-order Mission Objectives, Tasks, Information Assets, and Network Nodes.

While the sensitivity analysis confirmed that the RiskMAP application of Analytic Hierarchy Process (AHP) techniques is sound, the application of Quality Function Deployment (QFD) methods requires care to avoid over-simplification and misinterpretation of the Pareto charts. A number of refinements are developed and described that allow the user to identify and portray the criticality of each Task, Asset, or Node to a single Mission Objective.

The RiskMAP team also developed a methodological extension to enable separate treatment of Confidentiality, Integrity and Availability (C-I-A) within the basic RiskMAP framework. By introducing vectors to represent criticality and risk values with respect to C-I-A, the extension retains the overall character of the current approach. However, the change does increase the complexity and the data input load for the user. The RiskMAP team explored one possible implementation that would limit the added complexity and data input load by a customized MS Excel GUI backed up by a MS Access data base.

The results of the team's work provide improvements that can be applied individually or together in any future RiskMAP application.

View/Download Document

Additional Search Keywords

N/A

 

Page last updated: November 3, 2009   |   Top of page

Homeland Security Center Center for Enterprise Modernization Command, Control, Communications and Intelligence Center Center for Advanced Aviation System Development

 
 
 

Solutions That Make a Difference.®
Copyright © 1997-2013, The MITRE Corporation. All rights reserved.
MITRE is a registered trademark of The MITRE Corporation.
Material on this site may be copied and distributed with permission only.
IDG's Computerworld Names MITRE a "Best Place to Work in IT" for Eighth Straight Year The Boston Globe Ranks MITRE Number 6 Top Place to Work Fast Company Names MITRE One of the "World's 50 Most Innovative Companies"
 

Privacy Policy | Contact Us