
Risk Classification

In document Signatures January 11 (pages 23-27)

-LARS

Standards need to be able to quantify risk, splitting it into its two components: probability and consequence.

IEC 61508 treats probability in great detail but has only a weak link between specific consequences and SIL levels; that link is found only in Annex C of IEC 61508 Part 5 [54], which references the ALARP principle.

ALARP relates to the cost of a lost human life.

So, given a valuation of a human life, a monetary value can be linked directly to a SIL, giving an indicator of the damage a cyber-attack would have to incur before precautionary measures to the extent of SIL 4 are required. The interesting question is then whether readily available SHA-1 collisions, general or 2nd pre-image, are of that magnitude.

2.4.1 The money value of a man

-LARS

Each year, European countries are required to report their national estimate of the “Value of Preventing a Casualty” (VPC) to the European Rail Agency (ERA), as mandated by the “Commission Directive 2009/149/EC of 27 November 2009 amending Directive 2004/49/EC of the European Parliament and of the Council as regards Common Safety Indicators and common methods to calculate accident costs” [55], specifically indicators R11 [56] and R16 [57]. The Danish Value of Preventing a Fatality was 2’839’534.88372 € in 2014 [58]. Although it carries a high degree of uncertainty [59], it is the official value for Denmark [60] (§ 79 stk. 2).

In order to understand the number and how it translates into monetary value, it is important to know the models used to derive it, as they are very different and hence not directly comparable. Some economists, for instance, still use the Human Capital (HK) approach devised by Dublin &amp; Lotka [61] in the 1930s for the quantification of risk.

Below is a brief summary on methodologies for the Money value of a man:

2.4.1.1 Human Capital (HK)

-LARS

In 1954 Reynolds wrote “The Cost of Road Accidents” [62], which states:

“The occurrence of road accidents inflicts a burden on the community which may be considered in two parts.

(i) The pain, fear, and suffering imposed by the occurrence, or the risk of occurrence, of road accidents. These are considered of great importance in a society that values human life and human welfare.

(ii) The more concrete and ascertainable burdens in the form of the net loss of output of goods and services due to death and injury and the expenditure of resources necessary to make good the effects of accidents, e.g. medical expenses, vehicle repairs and costs of administration.

54 International Electrotechnical Commission, “IEC 61508 Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems.”

55 Commission Directive 2009/149/EC.

56 “Common Safety Indicators Reported by the National Safety Authorities - R11 - National Value of Preventing a Fatality - Denmark 2006-2014.”

57 “Common Safety Indicators Reported by the National Safety Authorities - R16 - Fall Back Value of Preventing a Fatality - Denmark 2006-2014.”

58 “Common Safety Indicators, Denmark 2014, Version 1, Validated (R11).”

59 Danish Ministry of Transport and COWI, “Rapport om værdisætning af transportens eksterne omkostninger.”

60 “Jernbanelov - Retsinformation.dk.”

61 Dublin and Lotka, The Money Value of a Man.

62 Reynolds, “The Cost of Road Accidents.”

For a variety of reasons it is beyond the competence of the economist to assign objective values to the losses suffered under (i) and this paper is therefore confined to the estimation of the burdens listed under (ii).”

While the evaluation of the factors in (i) is explicitly noted as missing, the values and methods for obtaining (ii), under the term “Human Capital” (HK), were used for decades as the only way of assessing the cost to society of the risk of casualties, up into the 1960s [63]; the Danish National Safety Authority (Trafikstyrelsen) used the methodology until 1977 [64].

Under the HK approach there is no incentive to protect people who are unable to contribute financially to society, such as elderly and handicapped citizens; in fact, there is an incentive to lower the safety levels of those groups and spend the money on the labour force instead.

This decreased prioritisation of safety for the part of the population not contributing positively to the GDP can easily lead to the “dead-anyway” effect [65].

It is this absence of (i) that leads to the next development: the Value of a Statistical Life (VSL).

2.4.1.2 Value of a Statistical Life (VSL)

-LARS

In its T430 report [66] (page 30), the British Rail Safety and Standards Board (RSSB) defines VSL as:

“A willingness to pay-based VPC is essentially the aggregate, across affected members of society, of individual willingness to pay for (typically very small) risk reductions which will on average prevent one fatality. What the VPC is most emphatically not is the “price of a life” in the sense of a sum that would compensate the typical individual for the certainty of his/her own premature death – for most of us no sum, however large, would serve this purpose.”[ edited to account for other abbreviation use of the RSSB]

VSL is, in other words, the added value put on top of society’s loss of GDP (HK) to account for human life being more precious than the net product contributed to society [67]. This is akin to the appreciation, and hence monetary evaluation, of “preservation of green areas in cities” and “endangered wildlife” that have become part of the Cost-Benefit Analysis (CBA) with the advance of Multiple-Criteria Decision Analysis (MCDA) as used in the railway and road sector.

63 Hultkrantz and Svensson, “The Value of a Statistical Life in Sweden.”

64 COWI and Vejdirektoratet, “Trafikøkonomiske Enhedspriser for uheld - Alternative metoder til opgørelse af Velfærdstabet (Arbejdsnotat).”

65 Pratt and Zeckhauser, “Willingness to Pay and the Distribution of Risk and Wealth.”

66 Rail Safety & Standards Board, “T430 Assessment of the Value for Preventing a Fatality Phase 1.”

67 Shogren et al., “Resolving Differences in Willingness to Pay and Willingness to Accept.”

Figure 10 MCDA criteria used in various European countries [68] (page 24)

The figure above shows how European countries vary in which components they include in a national infrastructure Cost-Benefit Analysis. Values that cannot be measured on the free market, because they are public goods, have to be estimated via proxies in Revealed Preference or Stated Preference studies; these are the so-called “soft methods”, marked in yellow above. They are combined with economic terms such as time savings and construction and maintenance costs, the so-called “hard methods”, marked in red and blue above.

Combining the soft values of VSL with the hard numbers of HK a more comprehensive method emerges: The VPC.

2.4.1.3 Value of Preventing a Casualty

-LARS

This method springs from the combination of assigning a value to human life and to the emotional suffering of the family, while also accounting for society’s loss of GDP.

It is the method that the ERA, via European Commission Directive 2009/149/EC [69], requires the member states to use.

Hence it is a Common Safety Indicator that has widespread use throughout the railway sector in Europe.

68 EUNET / European Commission, “Socio-Economic and Spatial Impacts of Transport.”

69 Commission Directive 2009/149/EC.

2.4.1.4 ALARP

-LARS

The ALARP principle stems from a valuation of life: The risk of causing death to an employee.

It started in the British mines: workers wanted their employers to improve safety rather than consider profit alone, and to adjudicate that, the British justice system and government needed a method for weighing the cost of safety measures against the risk of a lost human life.

The result was the “As Low As Reasonably Practicable” methodology of the 1950s [70] (page 5).

It is this British ALARP principle that IEC 61508 references, with the classifications seen below:

Table 1 Risk classification from IEC 61508 [71] (Chapter 5), based on ALARP [72].

FREQUENCY      CONSEQUENCE
               CATASTROPHIC   CRITICAL   MARGINAL   NEGLIGIBLE
FREQUENT       I              I          I          II
PROBABLE       I              I          II         III
OCCASIONAL     I              II         III        III
REMOTE         II             III        III        IV
IMPROBABLE     III            III        IV         IV
INCREDIBLE     IV             IV         IV         IV

NOTE 1 The actual population with risk classes I, II, III and IV will be sector dependent and will also depend upon what the actual frequencies are for frequent, probable, etc. Therefore, this table should be seen as an example of how such a table could be populated, rather than as a specification for future use.

NOTE 2 Determination of the safety integrity level from the frequencies in this table is outlined in Annex D of IEC 61508.

Interpretation of risk classes

RISK CLASS   INTERPRETATION
CLASS I      Intolerable risk
CLASS II     Undesirable risk, and tolerable only if risk reduction is impracticable or if the costs are grossly disproportionate to the improvement gained
CLASS III    Tolerable risk if the cost of risk reduction would exceed the improvement gained
CLASS IV     Negligible risk

70 Rail Safety & Standards Board, “T430 Assessment of the Value for Preventing a Fatality Phase 1.”

71 International Electrotechnical Commission, “IEC 61508 Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems.”

72 Great Britain. Health and Safety Executive, Reducing Risks, Protecting People.

Figure 11 Basics of VPC: Stated/Revealed Preference (SP/RP) surveys give a Willingness To Pay/Accept (WTP/WTA), leading to a Value of a Statistical Life (VSL), which combined with Human Capital (HK) gives a Value of Preventing a Casualty (VPC). [Figure: flow diagram SP/RP → WTP/WTA → VSL; VSL + HK → VPC]

With the standard noting that:

“Frequent could denote an event that is likely to be continually experienced, which could be specified as a frequency greater than 10 per year. A critical consequence could be a single death and/or multiple severe injuries”

While vague, this gives enough information to classify cyber threats, and with the VPC as a conversion factor, monetary damages can be extrapolated to the desired SIL levels as well.
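As an added example (not code from the thesis), the following implements Table 1 as a lookup and attaches the Danish 2014 VPC quoted above, with the factor-3 sensitivity band, so that a threat scenario can be rated the way the paragraph describes. The scenario labels and the helper names are this example's own assumptions.

```python
# Added example (not from the thesis): Table 1's IEC 61508 risk matrix and the
# Danish VPC figure quoted above, used to rate a threat scenario. The scenario
# and the helper names are this example's own assumptions.
CONSEQUENCES = ["catastrophic", "critical", "marginal", "negligible"]

# Rows follow Table 1 exactly: frequency -> risk class per consequence column.
RISK_MATRIX = {
    "frequent":   ["I",   "I",   "I",   "II"],
    "probable":   ["I",   "I",   "II",  "III"],
    "occasional": ["I",   "II",  "III", "III"],
    "remote":     ["II",  "III", "III", "IV"],
    "improbable": ["III", "III", "IV",  "IV"],
    "incredible": ["IV",  "IV",  "IV",  "IV"],
}
INTERPRETATION = {
    "I":   "Intolerable risk",
    "II":  "Undesirable risk; tolerable only if reduction is impracticable "
           "or its cost is grossly disproportionate to the improvement gained",
    "III": "Tolerable risk if the cost of risk reduction would exceed the improvement gained",
    "IV":  "Negligible risk",
}

# Official Danish value for 2014 as quoted in the text (EUR per prevented fatality)
# and the factor-3 sensitivity band (300 % / 33 %) the text attributes to the ministry of finance.
VPC_DK_2014_EUR = 2_839_534.88372
SENSITIVITY_FACTOR = 3.0


def risk_class(frequency: str, consequence: str) -> str:
    """Look up the Table 1 risk class; unknown labels raise instead of silently defaulting."""
    try:
        return RISK_MATRIX[frequency.lower()][CONSEQUENCES.index(consequence.lower())]
    except (KeyError, ValueError) as exc:
        raise ValueError(f"unknown frequency/consequence: {frequency!r}/{consequence!r}") from exc


def monetised_damage(expected_fatalities: float, vpc_eur: float = VPC_DK_2014_EUR) -> dict:
    """Convert expected fatalities to EUR via the VPC, keeping the factor-3 uncertainty visible."""
    central = expected_fatalities * vpc_eur
    return {"low": central / SENSITIVITY_FACTOR, "central": central, "high": central * SENSITIVITY_FACTOR}


def assess(frequency: str, consequence: str, expected_fatalities: float) -> dict:
    """Combine the qualitative risk class with the monetised consequence for one scenario."""
    rc = risk_class(frequency, consequence)
    return {"class": rc, "interpretation": INTERPRETATION[rc],
            "damage_eur": monetised_damage(expected_fatalities)}


if __name__ == "__main__":
    # Constructed scenario: a forged signature on a safety update, "remote" frequency, one death.
    print(assess("remote", "critical", 1))
```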

2.4.2 Epistemic uncertainty in Danish VSL

-LARS

The uncertainty stems from a 1995 report by Kidholm, in which 55% of the respondents took family into consideration [73] (pages 129, 149), as well as from the yearly adjustment model, which was updated in 2010 and set the figure to 15’000’000,00 DKK in 2007 prices [74].

These are the reasons for the sensitivity analysis of 300% and 33% suggested by the Ministry of Finance [75], and why, although the official Danish valuation is 2’839’534,88372 € (ERA CSI R16), the number of digits is misleading: the figure stems from a value set at 15 million DKK with an uncertainty of a factor of 3.

3 Collision Probability

-ALEXANDER

The primary strength of cryptographic hash functions lies in their non-reversible nature, as well as in the infeasibility of finding two inputs that produce the same output. It is, however, not impossible, and this section is dedicated to exploring the probabilistic constraints governing hash functions and their collisions. The idealised hash methods considered in this section are treated as black-box functions, and attacks against specific hash algorithms are ignored. All mentions of output size are in terms of the total number of values the output can attain, not the number of bits.
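As an added example (not the thesis's own code) of the black-box framing just introduced, where the output size n counts attainable values rather than bits, the following computes the exact collision probability for k draws, the birthday approximation used when n is too large to iterate, and the number of draws needed to reach a given collision probability; the function names are this example's own.

```python
import math

# Added example (not from the thesis): collision probability for an idealised hash
# treated as a black box whose output size n is the number of attainable values
# (2**bits), matching the convention stated above. Function names are assumptions.


def collision_probability(n_values: int, k_draws: int) -> float:
    """Exact P(at least one collision) among k uniformly random draws from n values."""
    if k_draws > n_values:
        return 1.0  # pigeonhole: more draws than values forces a collision
    p_distinct = 1.0
    for i in range(k_draws):
        p_distinct *= (n_values - i) / n_values
    return 1.0 - p_distinct


def collision_probability_approx(n_values: int, k_draws: int) -> float:
    """Birthday approximation 1 - exp(-k(k-1)/2n), usable when n is far too large to iterate."""
    return 1.0 - math.exp(-k_draws * (k_draws - 1) / (2.0 * n_values))


def draws_for_probability(n_values: int, p: float = 0.5) -> float:
    """Draws needed to reach collision probability p: k ~ sqrt(2 n ln(1/(1-p)))."""
    if not 0.0 < p < 1.0:
        raise ValueError("p must be strictly between 0 and 1")
    return math.sqrt(2.0 * n_values * math.log(1.0 / (1.0 - p)))


if __name__ == "__main__":
    print(collision_probability(365, 23))             # classic birthday case, about 0.507
    print(draws_for_probability(2 ** 160) / 2 ** 80)  # SHA-1-sized output, in units of 2^80
```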
