Cybersecurity is often a balancing act between risk and cost. Every security solution adds a cost in terms of efficiency or effectiveness, if not of money. Identifying ways to make risk assessment consistent and accurate is the goal of the seven articles cited here. The first paper was presented at HotSoS 2014, the Symposium and Bootcamp on the Science of Security, a research event centered on the Science of Security held April 8-9, 2014 in Raleigh, North Carolina.

- Qian Liu, Juhee Bae, Benjamin Watson, Anne McLaughlin, William Enck. "Modeling and Sensing Risky User Behavior on Mobile Devices" 2014 HotSoS, Symposium and Conference on. Raleigh, NC. (To be published in Journals of the ACM, 2014) (ID#:14-1416) Temporarily available at: http://www.hot-sos.org/2014/proceedings/papers.pdf As mobile technology begins to dominate computing, understanding how its use impacts security becomes increasingly important. Fortunately, this challenge is also an opportunity: the rich set of sensors with which most mobile devices are equipped provides a rich contextual dataset, one that should enable mobile user behavior to be modeled well enough to predict when users are likely to act insecurely, and to provide cognitively grounded explanations of those behaviors. We will evaluate this hypothesis with a series of experiments designed first to confirm that mobile sensor data can reliably predict user stress, and that users experiencing such stress are more likely to act insecurely. Keywords: Security, user behavior, mobile, risk estimation

- Haisjackl, C.; Felderer, M.; Breu, R., "RisCal -- A Risk Estimation Tool for Software Engineering Purposes," Software Engineering and Advanced Applications (SEAA), 2013 39th EUROMICRO Conference on , vol., no., pp.292,299, 4-6 Sept. 2013. (ID#:14-1417) Available at: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6619524&isnumber=6619471 Decision making in software engineering requires the consideration of risk information. The reliability of risk information is strongly influenced by the underlying risk estimation process, which consists of the steps risk identification, risk analysis and risk prioritization. In this paper we present a novel risk estimation tool for software engineering purposes called RisCal. RisCal is based on a generic risk model and supports the integration of manually and automatically determined metrics into the risk estimation. This makes the tool applicable for arbitrary software engineering activities like risk-based testing or release planning. We show how RisCal supports risk identification, analysis and prioritization, provide an estimation example, and discuss its application to risk-based testing and release planning. Keywords: decision making; program testing; risk analysis; software metrics; RisCal; automatically determined metrics; decision making; generic risk model; manually determined metrics; release planning; risk analysis; risk estimation process; risk estimation tool; risk identification; risk information; risk prioritization; risk-based testing; software engineering activities; software engineering purposes; Estimation; Measurement; Planning; Risk management; Software engineering; Testing; Release Planning; Risk Estimation; Risk-based Testing; Software Risk Management; Test Management

- Ramler, R.; Felderer, M., "Experiences from an Initial Study on Risk Probability Estimation Based on Expert Opinion," Software Measurement and the 2013 Eighth International Conference on Software Process and Product Measurement (IWSM-MENSURA), 2013 Joint Conference of the 23rd International Workshop on , vol., no., pp.93,97, 23-26 Oct. 2013. (ID#:14-1418) Available at: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6693227&isnumber=6693201 Determining the factor probability in risk estimation requires detailed knowledge about the software product and the development process. Basing estimates on expert opinion may be a viable approach if no other data is available. Objective: In this paper we analyze initial results from estimating the risk probability based on expert opinion to answer the questions (1) Are expert opinions consistent? (2) Do expert opinions reflect the actual situation? (3) How can the results be improved? Approach: An industry project serves as the case for our study. In this project six members provided initial risk estimates for the components of a software system. The resulting estimates are compared to each other to reveal the agreement between experts, and they are compared to the actual risk probabilities derived in an ex-post analysis from the released version. Results: We found a moderate agreement between the ratings of the individual experts. We found a significant accuracy when compared to the risk probabilities computed from the actual defects. We identified a number of lessons learned useful for improving the simple initial estimation approach applied in the studied project. Conclusions: Risk estimates have successfully been derived from subjective expert opinions. However, additional measures should be applied to triangulate and improve expert estimates. Keywords: probability; risk analysis; software product lines; expert opinion; factor probability; product development process; risk probability estimation; software product; software system; Business; Estimation; Interviews; Software measurement; Software quality; Testing; expert opinion elicitation; risk estimation; risk probability; software risk measurement

- Krishnan, S.R.; Seelamantula, C.S.; Chakravarti, P., "Spatially Adaptive Kernel Regression Using Risk Estimation," Signal Processing Letters, IEEE , vol.21, no.4, pp.445,448, April 2014. (ID#:14-1419) Available at: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6734684&isnumber=6732989 An important question in kernel regression is one of estimating the order and bandwidth parameters from available noisy data. We propose to solve the problem within a risk estimation framework. Considering an independent and identically distributed (i.i.d.) Gaussian observations model, we use Stein's unbiased risk estimator (SURE) to estimate a weighted mean-square error (MSE) risk, and optimize it with respect to the order and bandwidth parameters. The two parameters are thus spatially adapted in such a manner that noise smoothing and fine structure preservation are simultaneously achieved. On the application side, we consider the problem of image restoration from uniform/non-uniform data, and show that the SURE approach to spatially adaptive kernel regression results in better quality estimation compared with its spatially non-adaptive counterparts. The denoising results obtained are comparable to those obtained using other state-of-the-art techniques, and in some scenarios, superior. Keywords: Gaussian processes; image denoising; image restoration; mean square error methods; regression analysis; Gaussian observations model; SURE; Stein unbiased risk estimator; fine structure preservation; image denoising; image restoration; noise smoothing; quality estimation; risk estimation; spatially adaptive kernel regression; weighted mean-square error; Bandwidth; Cost function; Estimation; Kernel; Noise measurement; Signal processing algorithms; Smoothing methods; Denoising; Stein's unbiased risk estimator (SURE); nonparametric regression; spatially adaptive kernel regression

- Babuscia, A., Kar-Ming Cheung, "Statistical Risk Estimation for Communication System Design," Systems Journal, IEEE , vol.7, no.1, pp.125,136, March 2013. (ID#:14-1420) Available at: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6264116&isnumber=6466438 Spacecraft are complex systems that involve different subsystems and multiple relationships among them. For these reasons, the design of a spacecraft is an evolutionary process that starts from requirements and evolves over time across different design phases. During this process, a lot of changes can happen. They can affect mass and power at component, subsystem, and system levels. Each spacecraft has to respect the overall constraints in terms of mass and power: for this reason, it is important to be sure that the design does not exceed these limitations. Current practice in the system model primarily deals with this problem by allocating margins on individual components and on individual subsystems. However, a statistical characterization of the fluctuations in mass and power of the overall system (i.e., the spacecraft) is missing. This lack of an adequate statistical characterization would result in a risky spacecraft design that might not fit the mission constraints and requirements, or in a conservative design that might not fully utilize the available resources. Due to the complexity of the problem and due to the different expertise and knowledge required to develop a complete risk model for a spacecraft design, this research is focused on risk estimation for a specific spacecraft subsystem, the communication subsystem. The current research aims to be a "proof of concept" of a risk-based design optimization approach, which can then be further expanded to the design of other subsystems as well as to the whole spacecraft. The objective of this paper is to develop a mathematical approach to quantify the likelihood that the major design drivers of mass and power of a space communication system would meet the spacecraft and mission requirements and constraints through the mission design lifecycle. Using this approach the communication system designers will be able to evaluate and compare different communication architectures in a risk tradeoff perspective. The results described in the presentation include a baseline communication system design tool, and a statistical characterization of the design risks through a combination of historical mission data and expert opinion contributions. An application example of the communication system of a university spacecraft is presented. Keywords: mathematical analysis; optimization; risk analysis; space communication links; space vehicles; statistical analysis; communication subsystem; communication system design; communication system designers; design phases; evolutionary process; historical mission data; mathematical approach; risk model; risk tradeoff perspective; risk-based design optimization approach; space communication system; spacecraft design; spacecraft subsystem; statistical characterization; statistical risk estimation; system model; university spacecraft; Antennas; Communication systems; Computational modeling; Data models; Databases; Estimation; Space vehicles; Biases; communication system; density estimation; design risk; expert elicitation; heuristics; risk analysis

- Moussa Ouedraogo, Manel Khodja, Djamel Khadraoui, "Towards a Risk Based Assessment of QoS Degradation for Critical Infrastructure" Proceedings of the 2013 International Conference on Availability, Reliability and Security, September 2013. (Pages 538-545) (ID#:14-1421) Available at: http://dl.acm.org/citation.cfm?id=2545118.2545245&coll=DL&dl=GUIDE&CFID=449793911&CFTOKEN=46643839 or http://dx.doi.org/10.1109/ARES.2013.71 In this paper, we first present an attack-graph based estimation of security risk and its aggregation from lower level components to an entire service. We then present an initiative towards appreciating how the quality of service (QoS) parameters of a service may be affected as a result of fluctuations in the cyber security risk level. Because the service provided by critical infrastructure is often vital, providing an approach that enables the operator to foresee any QoS degradation as a result of a security event is paramount. We provide an illustration of the risk estimation approach along with a description of an initial prototype developed using a multi-agent platform. Keywords: Critical infrastructure, Vulnerabilities, Risk, Quality of Service

- Severien Nkurunziza, Fuqi Chen, "On extension of some identities for the bias and risk functions in elliptically contoured distributions" Journal of Multivariate Analysis, Volume 122, November, 2013 (Pages 190-201). (ID#:14-1422) Available at: http://dl.acm.org/citation.cfm?id=2532872.2532997&coll=DL&dl=GUIDE&CFID=449793911&CFTOKEN=46643839 or http://dx.doi.org/10.1016/j.jmva.2013.07.005 In this paper, we are interested in an estimation problem concerning the mean parameter of a random matrix whose distribution is elliptically contoured. We derive two general formulas for the bias and risk functions of a class of multidimensional shrinkage-type estimators. As a by-product, we generalize some recent identities established in Gaussian sample cases for which the shrinking random part is a single Kronecker-product. Here, the variance-covariance matrix of the shrinking random part is the sum of two Kronecker-products. Keywords: 62F25, 62H12, Bias function, Elliptically contoured distribution, Kronecker-product, Matrix estimation, Risk function, Stein rules

**Note:**

Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via email to SoS.Project (at) SecureDataBank.net for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.