Year
1986
Abstract
At the Los Alamos National Laboratory we are developing the framework for generating knowledge based systems that perform automated risk analyses on an organization's assets. An organization's assets can be subdivided into tangible and intan gible assets. Tangible assets include facilities, materiel, personnel, and time, while intangible assets include such factors as reputation, em ployee morale, and technical knowledge. The potential loss exposure of an asset is dependent upon the threats (both static and dynamic), the vulnerabilities in the mechanisms protecting the assets from the threats, and the consequences of the threats successfully exploiting the protective systems vulnerabilities. The methodology is based upon decision analysis, fuzzy set theory, natural language processing, and event- tree structures. The Los Alamos Vulnerability and Risk Assessment (LAVA) methodology has been applied to computer security. LAVA is modeled using an interactive questionnaire in natural language and is fully automated on a personal computer. The program generates both summary reports for use by both management personnel and detailed reports for use by operations staff. LAVA has been in use by the Nuclear Regulatory Commission and the National Bureau of Standards for nearly two years and is presently under evaluation by other governmental agencies.