Formalized Risk Assessment for Safety and Security
For researchers in safety and security, this work offers a conceptual framework for unified risk assessment, but it is incremental as it adapts existing DEVS paradigm without empirical validation.
The paper proposes a unified risk assessment approach for safety and security based on discrete event systems (DEVS), distinguishing accidental and intentional failures via different aggregation of risk contributions. The method is shown to be consistent with traditional risk notions but non-computable, making it more suitable for IT security, with power grids as an example.
The manifold interactions between safety and security aspects makes it plausible to handle safety and security risks in an unified way. The paper develops a corresponding approach based on the discrete event systems (DEVS) paradigm. The simulation-based calculation of an individual system evolution path provides the contribution of this special path of dynamics to the overall risk of running the system. Accidentally and intentionally caused failures are distinguished by the way, in which the risk contributions of the various evolution paths are aggregated to the overall risk. The consistency of the proposed risk assessment method with 'traditional' notions of risk shows its plausibility. Its non-computability, on the other hand, makes the proposed risk assessment better suitable to the IT security domain than other concepts of risk developed for both safety and security. Power grids are discussed as an application example and demonstrates some of the advantages of the proposed method.