
Introduction to Safety Science (WM0801TU)

Professor Pieter van Gelder
Safety and Security Science Section, TPM

Lecture Jan. 11th 2024
Lectures in TPM Room A, every Thursday, 15.45h – 17.30h

Delft University of Technology
Challenge the future




Outline for today (LO1 and LO6)

• Bayesian inference / networks
• Security risk analysis
• Sample examination questions

At the end of this course, you should be able to:

• LO1. Explain the principles of safety, security and risk management
• LO2. Discuss the role of human factors in systems safety
• LO3. Explain the principles of systems decomposition and causal analysis of undesired events using fault/event trees and Bayesian networks
• LO4. Analyse data with quantitative methods for safety assessment and risk estimation
• LO5. Apply quantitative methods on systems for risk-informed decision making
• LO6. Perform security risk analysis using game theoretical and Bayesian analysis techniques


Part I: Causal Inference & Security Analysis

Antivirus is effective!
• People who have installed antivirus have fewer security
incidents than those who haven’t.

• What can we conclude?


Experimental studies
• What to do in order to find out whether the installation of anti-virus software leads to fewer security incidents?
• How can we exclude ‘security-awareness’ as self-selection bias?



What is an experiment?

Population -> Sample -> Random split into Group 1 and Group 2
Intervention: Group 1 gets Action 1 (install anti virus), Group 2 gets Action 2 (install placebo)
Evaluation: Observation of each group, then Comparison


What is not an experiment?

Population -> Sample -> Split along existing groups into Group 1 and Group 2
Intervention: own choice of Action 1 or Action 2
Evaluation: Observation of each group, then Comparison


Examples

                Experiment                          No experiment                 No experiment
Selection       Clients calling after 22.00h        Every 5th client              All clients
Split           Dice:                               Age:                          Choice of client:
                even -> anti virus                  old -> anti virus             ? -> anti virus
                odd -> placebo                      young -> placebo              ? -> placebo
Intervention    Group 1: anti virus                 Group 1: anti virus           Group 1: anti virus
                Group 2: placebo                    Group 2: placebo              Group 2: placebo


Investigating the dependence of some measured quantity on a number of independent variables (factors), each taking 2 levels

Run X1 X2 X3 X4 X5 X6 X7 X8 X9 X10 X11
1   +  +  +  +  +  +  +  +  +  +   +
2   −  +  −  +  +  +  −  −  −  +   −
3   −  −  +  −  +  +  +  −  −  −   +
4   +  −  −  +  −  +  +  +  −  −   −
5   −  +  −  −  +  −  +  +  +  −   −
6   −  −  +  −  −  +  −  +  +  +   −
7   −  −  −  +  −  −  +  −  +  +   +
8   +  −  −  −  +  −  −  +  −  +   +
9   +  +  −  −  −  +  −  −  +  −   +
10  +  +  +  −  −  −  +  −  −  +   −
11  −  +  +  +  −  −  −  +  −  −   +
12  +  −  +  +  +  −  −  −  +  −   −


PB design
• The factors are orthogonal
• Each combination of two factors occurs as often as
other combinations
• The design is efficient
• For k factors only k + 1 cells are needed


Causality
• Slow internet connection may be caused by a Malware Attack
(amongst others)
• Popups may be caused by a Denial of Service Attack or a
Malware Attack (amongst others)

• A fault tree could represent this as:
  • Slow internet connection = OR{Malware, others} (maybe even a combination of factors)
  • Popups = OR{DoS, Malware, others}

A directed acyclic graph showing causes and effects, consisting of nodes and arcs:

Malware attack -> Internet connection
Malware attack -> Popups
Denial of service attack -> Popups
Let’s assume prior probabilities for the causes and conditional probabilities for the effects

• P(DoS) = 0.01
• P(Malware attack) = 0.05
• P(Slow internet connection | Malware attack) = 0.9
• P(Slow internet connection | No malware attack) = 0.1
• P(Popups | Malware and DoS) = 0.9
• P(Popups | no Malware and no DoS) = 0.1
• P(Popups | Malware and no DoS) = 0.8
• P(Popups | no Malware and DoS) = 0.2

Probabilistic inference (total probability, Bayes)

Malware attack: True 5%, False 95%
Denial of service attack: True 1%, False 99%
Internet connection: Slow 14%, Normal 86%
Popups: True 14%, False 86%

Can make inference about impact.

Two important equations

Theorem of total probability (different from above)

• P(IC = slow) = P(IC = slow | MA = true) * P(MA = true) + P(IC = slow | MA = false) * P(MA = false)
• P(IC = slow) = 0.9 * 0.05 + 0.1 * 0.95 = 0.14

Predictive reasoning (Bayes)

Evidence: Malware attack = True 100%, False 0%
Denial of service attack: True 1%, False 99%
Internet connection: Slow 90%, Normal 10%
Popups: True 80%, False 20%

Predictive reasoning (Bayes)

Evidence: Malware attack = True 100%, False 0%
Evidence: Denial of service attack = True 100%, False 0%
Internet connection: Slow 90%, Normal 10%
Popups: True 90%, False 10%

Predictions: if X is 100%, what would happen to Y?

Diagnostic reasoning (Bayes)

Evidence: Internet connection = Slow 100%, Normal 0%
Malware attack: True 32%, False 68%
Denial of service attack: True 1%, False 99%
Popups: True 33%, False 67%

If Y is 100%, what could X have been?

Bayes theorem

• P(MA = true | IC = slow) = P(IC = slow | MA = true) * P(MA = true) / P(IC = slow)
• P(MA = true | IC = slow) = 0.9 * 0.05 / 0.14 = 0.32

Inter-causal reasoning

Evidence: Internet connection = Slow 100%, Normal 0%
Evidence: Denial of service attack = True 100%, False 0%
Malware attack: True 32%, False 68%
Popups: True 43%, False 58%
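Added worked example (not from the slides): exact inference by enumeration over the four-node network above, reproducing the total-probability, predictive, diagnostic and inter-causal figures of the preceding slides and going one step further with the "explaining away" effect (observing the DoS attack lowers the posterior of a malware attack given popups). The prior and conditional probabilities are the ones listed earlier; the variable and function names are this example's own.

```python
from itertools import product

# Priors and conditional probability tables taken from the slides.
P_MA = 0.05                        # P(Malware attack = true)
P_DOS = 0.01                       # P(Denial of service attack = true)
P_SLOW = {True: 0.9, False: 0.1}   # P(Internet connection = slow | MA)
P_POPUPS = {                       # P(Popups = true | MA, DoS)
    (True, True): 0.9, (True, False): 0.8,
    (False, True): 0.2, (False, False): 0.1,
}
VARS = ('ma', 'dos', 'slow', 'popups')

def joint(ma, dos, slow, popups):
    """Joint probability of one full state, factorised along the DAG:
    P(MA) P(DoS) P(IC | MA) P(Popups | MA, DoS)."""
    p = (P_MA if ma else 1 - P_MA) * (P_DOS if dos else 1 - P_DOS)
    p *= P_SLOW[ma] if slow else 1 - P_SLOW[ma]
    p *= P_POPUPS[(ma, dos)] if popups else 1 - P_POPUPS[(ma, dos)]
    return p

def prob(query, evidence=None):
    """P(query | evidence) by enumerating all 16 states: mass consistent with
    query and evidence divided by mass consistent with the evidence alone
    (total probability and Bayes in one step). Dicts such as {'ma': True}."""
    evidence = evidence or {}
    num = den = 0.0
    for values in product((False, True), repeat=len(VARS)):
        state = dict(zip(VARS, values))
        if any(state[k] != v for k, v in evidence.items()):
            continue                      # inconsistent with the evidence
        w = joint(**state)
        den += w
        if all(state[k] == v for k, v in query.items()):
            num += w
    return num / den

def reasoning_modes():
    """The reasoning modes from the slides, plus 'explaining away'."""
    return {
        # probabilistic inference: marginals without evidence
        'P(slow)': prob({'slow': True}),
        'P(popups)': prob({'popups': True}),
        # predictive: from cause to effect
        'P(popups | MA)': prob({'popups': True}, {'ma': True}),
        'P(popups | MA, DoS)': prob({'popups': True}, {'ma': True, 'dos': True}),
        # diagnostic: from observed effect back to the cause
        'P(MA | slow)': prob({'ma': True}, {'slow': True}),
        'P(popups | slow)': prob({'popups': True}, {'slow': True}),
        # inter-causal: evidence on one cause and one effect
        'P(popups | slow, DoS)': prob({'popups': True}, {'slow': True, 'dos': True}),
        # explaining away: a known DoS makes malware a less likely cause of popups
        'P(MA | popups)': prob({'ma': True}, {'popups': True}),
        'P(MA | popups, DoS)': prob({'ma': True}, {'popups': True, 'dos': True}),
    }

if __name__ == '__main__':
    for name, value in reasoning_modes().items():
        print(f'{name:24s} {value:.3f}')
```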


Observations
• A Bayesian network is a probabilistic graphical model that
represents a set of random variables and their conditional
dependencies via a directed acyclic graph. It is very suitable to
represent the probabilistic relationships between causes
(attacks) and consequences (symptoms), indicated by the arcs in
the graph.
• The Bayesian network can be used for probabilistic inference,
predictive reasoning, diagnostic reasoning and intercausal
reasoning.


Observations
• Bayesian networks are updated, and new (failure) probabilities can be recalculated, when new data is observed, which can be called a learning process.
• Software is available at: https://download.bayesfusion.com/files.html?category=Academia
• Background information available at: Bayesian network models in cyber security: a systematic review, S. Chockalingam, W. Pieters, A. Teixeira, P. van Gelder, 2017 Nordic Conference on Secure IT Systems, 105-122.


BN Medical example


Medical example
• https://demo.bayesfusion.com/bayesbox.html
• Select: diagnosis of liver disorders

• The rectangular orange colored nodes represent diseases, the blue nodes represent patient history, including risk factors, and green nodes represent observations and test results.


Questions and comments?

• For your exam you should be able to construct a simple BN and to conduct predictive and diagnostic reasoning for given prior and conditional probabilities.



Safety analysis vs Security analysis

Safety analysis                                  Security analysis
- Accidental events                              - Intentional events
- Random failure / natural hazards / human error - Attacks by adversaries
- Probability of failure                         - Likelihood of attack
  - Historical data                                - Threats (types of adversary and attack)
  - Experimental data                              - Attractiveness
  - Expert judgment                                - Vulnerability


Security Risk Analysis

Step 1. Consequence assessment
  1.1. Critical units
  1.2. Severity of consequences


Consequence Severity Table

Rank          Description
Minor         • On-site minor injury; no fatalities
              • Up to $100,000 property damage
              • A few days of business interruption
Moderate      • On-site serious injuries; no fatalities
              • $100,000 – $1,000,000 property damage
              • A few weeks of business interruption
Major         • On-site several fatalities; off-site injuries
              • $1,000,000 – $10,000,000 property damage
              • A few months of business interruption
Catastrophic  • On-site multiple fatalities; off-site several fatalities
              • More than $10,000,000 property damage
              • A few years of business interruption

Security Risk Analysis (continued)

Step 2. Threat assessment
  2.1. Type of adversary
  2.2. Type of attack

Threat assessment

Type of adversary                 Type of attack
- External                        • Release of hazardous materials
  - Terrorists                    • Theft of hazardous materials
  - Criminals                     • Major damage to target’s infrastructures
  - Thieves                       • Theft of confidential information
- Internal                        • Damage to equipment
  - Employees
  - Visitors
  - Contractors
- Hybrid

Security Risk Analysis (continued)

Step 3. Attractiveness analysis: evaluate attractiveness of the target

Attractiveness analysis
• Potential for causing maximum casualties
• Potential for causing maximum economic damage
• Proximity of the target to densely populated area
• Proximity of critical units to the object’s boundary
• High reputation of the target
• Recognizability of critical units

Security Risk Analysis (continued)

Step 4. Vulnerability analysis: evaluate vulnerability of the target

Vulnerability analysis

• Ease of access to/escape from the target
• Security barriers (fence, surveillance, guards)
• Control systems can easily be tampered with
• Etc.

Security Risk Analysis (overview)

Step 1. Consequence assessment: 1.1. Critical units; 1.2. Severity of consequences
Step 2. Threat assessment: 2.1. Type of adversary; 2.2. Type of attack
Step 3. Attractiveness assessment: evaluate attractiveness of the target
Step 4. Vulnerability assessment: evaluate vulnerability of the target
(Steps 2 to 4 together give the attack likelihood.)
Step 5. Security risk analysis: Security Risk = F(Attack likelihood, consequence) (like safety, a multiplication)

Risk Matrix

Likelihood \ Severity   Catastrophic   Major    Moderate   Minor
High                    High           High     High       Medium
Medium                  High           High     Medium     Low
Low                     High           Medium   Low        Low
Very low                Medium         Low      Low        Low

Part II: Final Examination Briefing

Examination preparation

• Written exam via ANS on Campus on Jan. 22nd 18.30 – 21.30h
• Do not forget to register for the exam (MyTUDelft): https://www.tudelft.nl/en/student/education/courses-and-examinations/examinations/registration-for-examinations
• Exam is based on lecture slides.
• Exam is closed book (any formula that is needed will be provided).
• Extra individual exam opportunity? Discuss the matter with an academic counsellor before sending a request in writing to the Board of Examiners: https://www.tudelft.nl/en/student/faculties/3me-student-portal/organisation/boards-of-examiners/procedures/extra-individual-exam-opportunity


Examination preparation

• Calculator, Excel 365 and Word 365 are provided on the system. There is no other software needed.
• The exam will be closed-book but a formula sheet (a PDF file) is provided for any formula that is necessary in the exam. This PDF file will be available on the S: (Shared) network drive. We will not publish this formula sheet now as it might imply that these are the only things you need to study for the exam.


Examination preparation
• Have you not registered?


Examples of examination questions


An examination question about fault tree analysis

Circuit diagram with components: Power source, Fuse, Switch, Bulb 1, Bulb 2.


Fault tree:

Room Dark (top event)
  Power off (OR)
    Fuse
    Switch
    Power
  Both bulbs burned out (AND)
    B1
    B2


The fault tree can be represented as:

TE = OR{Fuse, Switch, Power source, AND{B1, B2}}

Given component probabilities of failure of 10% for each component, the probability of the occurrence of the top event becomes, under the assumption of independent component failures:

1 - (1 - 0.1) * (1 - 0.1) * (1 - 0.1) * (1 - 0.1 * 0.1) = 0.278


An examination question about event tree analysis

Start of fire -> Extinction by sprinkler -> Extinction by personnel -> Extinction by fire brigade
  Sprinkler: Yes                                        -> Minimal
  Sprinkler: No, Personnel: Yes                         -> Moderate loss
  Sprinkler: No, Personnel: No, Fire brigade: Yes       -> Large loss
  Sprinkler: No, Personnel: No, Fire brigade: No        -> Catastrophic


Event tree with probabilities

Start of fire: p = 10^-4
  Sprinkler extinguishes (p = 0.6)                                              -> Minimal,       0.6 * 10^-4
  Sprinkler fails (p = 0.4), personnel extinguishes (p = 0.8)                   -> Moderate loss, 0.32 * 10^-4
  Sprinkler fails (p = 0.4), personnel fails (p = 0.2), fire brigade succeeds (p = 0.9) -> Large loss,  0.72 * 10^-5
  Sprinkler fails (p = 0.4), personnel fails (p = 0.2), fire brigade fails (p = 0.1)    -> Catastrophic, 0.8 * 10^-6


An examination question about security analysis: infrared cameras for detection of terrorists at airports


An experiment with 20 persons

A correct prediction of 75% and 92% (average 85%)


This seems like a reasonable test, but when applied at Schiphol, it delivers:

- Even if the test is 99.9% reliable, 40,000 innocent people per year are still flagged as suspicious
- The false alarm rate will weaken the attention of the Marechaussee.


Fill in the 5 basic events in the fault tree below to reach the top event (basic events: events that can’t be decomposed further).


Probability of the Top Event?

• Estimate the probability of reaching the attacker’s goal, given the above probabilities of successfully attacking the 5 components within this system, by using the probability calculation rules for AND and OR gates.


Fault tree of SSB NW

Probability propagation to SF

Fault tree of a Defibrillator


Defibrillator: failure of electricity supply

Top event: No power to the electronics block (Geen stroom naar electr. blok), gate POWER SUPPLY (STROOMVOORZIENING)
  - Battery charger fails (Batterijlader faalt), event CHARGER (LADER)
  - Charge button fails (Laadknop faalt), event CHARGE BUTTON (LAADKNOP)
  - Batteries fail (Batterijen falen), gate BATTERIES (BATTERIJEN)
      - Battery fails (Batterij faalt), event BATTERY (BATTERIJ)
      - Reserve battery fails (Reserve batterij faalt), event RESERVE BATTERY (RES. BATTERIJ)


Calculate the probability of the failure of electricity supply

Given component probabilities of failure:
• Battery charger(s) (Batterijlader): Pl = 0.1
• Battery (Batterij): Pb = 0.05
• Reserve battery (Res. Batterij): Pr = 0.1
• Charge button (Laadknop): Pk = 5 * 10^-3


Example – PB Design

A company is producing a new chemical product that might explode due to three potential factors: temperature, humidity and the density of catalyst. Using a Plackett-Burman design, identify the 4 experiments that need to be conducted in order to investigate which of the three potential factors contributes most to the explosion risk.

Take the upper-left 3x4 matrix (3 columns, 4 rows) from the PB design with 11 factors: n factors = n columns, n + 1 rows.

Levels: Temperature: Low / High; Humidity: Dry / Humid; Catalyst density: <30% / >30%

1. High, humid, >30%
2. High, dry, <30%
3. Low, humid, <30%
4. Low, dry, >30%
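Added example (not part of the slides): generating the 12-run Plackett-Burman table shown earlier from its second row by cyclic shifting, checking the orthogonality and balance properties stated under "PB design", and extracting the upper-left 3-factor block used in the exam answer. Only the generator row and the factor levels come from the slides; the function names are this example's own.

```python
from itertools import combinations

# The 12-run Plackett-Burman design for 11 two-level factors from the slide:
# run 1 is all '+', runs 2..12 are cyclic shifts of run 2 (the generator),
# so the whole table follows from one row.
GENERATOR = '-+-+++---+-'   # run 2 of the slide's table, columns X1..X11

# Factor levels of the exam question ('-' = first level, '+' = second level).
LEVELS = {
    'Temperature': ('Low', 'High'),
    'Humidity': ('Dry', 'Humid'),
    'Catalyst density': ('<30%', '>30%'),
}

def pb12():
    """Return the 12 x 11 design as lists of +1 / -1."""
    gen = [1 if c == '+' else -1 for c in GENERATOR]
    n = len(gen)
    rows = [[1] * n]
    for shift in range(n):                      # shift right by 0 .. n-1
        rows.append(gen[n - shift:] + gen[:n - shift])
    return rows

def is_orthogonal(design):
    """PB properties from the slide: every column is balanced (as many '+'
    as '-') and every pair of columns shows each of the four sign
    combinations equally often, i.e. their inner product is zero."""
    ncols = len(design[0])
    balanced = all(sum(row[j] for row in design) == 0 for j in range(ncols))
    pairwise = all(sum(row[a] * row[b] for row in design) == 0
                   for a, b in combinations(range(ncols), 2))
    return balanced and pairwise

def pb_subset(factors):
    """Upper-left block for k factors (k columns, k + 1 runs), both as signs
    and translated into factor levels, as the exam answer does for k = 3."""
    k = len(factors)
    block = [row[:k] for row in pb12()[:k + 1]]
    runs = [tuple(LEVELS[f][1 if sign > 0 else 0] for f, sign in zip(factors, row))
            for row in block]
    return block, runs

if __name__ == '__main__':
    print('full 12-run design orthogonal:', is_orthogonal(pb12()))
    block, runs = pb_subset(['Temperature', 'Humidity', 'Catalyst density'])
    print('3-factor block orthogonal:', is_orthogonal(block))
    for i, run in enumerate(runs, 1):
        print(i, ', '.join(run))
```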



Example – Bayesian Probability

According to the reports by the Dutch police, not wearing a seatbelt contributes to 85% of road fatalities, while the overall seatbelt use rate in the Netherlands is 80%. What is the probability of a road fatality while driving on highway A12 and not wearing a seatbelt, given that we know from past data that the probability of a road fatality on this highway is 1%?

P(A|B) = P(B|A) P(A) / P(B)
P(fatality | no seatbelt) = P(no seatbelt | fatality) P(fatality) / P(no seatbelt)
= 0.85 * 0.01 / 0.20 = 0.042



Example – Block Diagram

Given that the reliability for each system component is 90%, what is the most accurate probability of failure in this system? (Block diagram with components A, B, C and D.)

System failure = (A ⋂ B) U (B ⋂ C) U D
               = [(A ⋂ B) U (B ⋂ C)] U D
               = [(0.1*0.1) + (0.1*0.1) - 0.01*0.01] + 0.1 – [0.1*0.0199] = 0.1179


Example – Pay-off Matrix

Given the following pay-off matrix with scenarios S1 and S2 and safety measures D1 and D2:

                                     S1: hot weather,          S2: cold weather,
                                     flammable conditions      no flammable conditions
D1: separate storage barrels         670                       840
D2: place barriers between barrels   990                       700

Assuming 0.35 as the coefficient of optimism and using the Hurwicz criterion, which decision should be made for the safety measures?

D1: ω (maximum pay-off) + (1 - ω) (minimum pay-off) = 0.35*840 + 0.65*670 = 729.5
D2: same way: value = 0.35*990 + 0.65*700 = 801.5

Choose D2: place barriers between barrels


Example – System failure

What is the most accurate description of this fault tree and what is the equivalent block diagram? (Fault tree diagram with a top event, intermediate gates E1 and E2, and basic events A, B and C.)

TE = B or (A and C)


Example – Fault tree

What are the minimum cut sets of this fault tree? And what is the probability of the top event, given that the probability of each basic event is 20%? Use MC to calculate the probability of the top event.

Minimum cut sets:

{A} {B} {C} {ADE} {ADEC}
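Added worked example (not from the lecture slides) that evaluates fault trees from this deck in Python: the AND/OR gate rules for the bulb-circuit question (TE = OR{Fuse, Switch, Power source, AND{B1, B2}}) and for the defibrillator tree, plus exact enumeration and a Monte Carlo estimate for the cut-set question above, where A and C sit in more than one cut set and the plain gate rule overestimates the top-event probability. The defibrillator's gate types (OR at the top, AND for battery and reserve battery) are an assumption; the tree encoding and the event names are constructed for this example.

```python
import random
from itertools import product

# Encoding (constructed for this example): a basic event is a string, a gate
# is a tuple ('AND', child, ...) or ('OR', child, ...).
# Bulb circuit of the exam question: TE = OR{Fuse, Switch, Power, AND{B1, B2}}.
BULB_TREE = ('OR', 'Fuse', 'Switch', 'Power', ('AND', 'B1', 'B2'))
BULB_P = {e: 0.1 for e in ('Fuse', 'Switch', 'Power', 'B1', 'B2')}
# Defibrillator tree: gate types are an assumption (OR at the top, AND for
# battery and reserve battery); the probabilities are the slide's values.
DEFIB_TREE = ('OR', 'Lader', 'Laadknop', ('AND', 'Batterij', 'ResBatterij'))
DEFIB_P = {'Lader': 0.1, 'Laadknop': 5e-3, 'Batterij': 0.05, 'ResBatterij': 0.1}
# Top event written as the union of the cut sets listed on the slide; the
# basic events A and C feed more than one gate.
CUTSET_TREE = ('OR', 'A', 'B', 'C', ('AND', 'A', 'D', 'E'), ('AND', 'A', 'D', 'E', 'C'))
CUTSET_P = {e: 0.2 for e in 'ABCDE'}

def gate_rule(node, p):
    """Exam rule: P(AND) = product of inputs, P(OR) = 1 - product of (1 - input).
    Exact only for independent basic events that each appear once in the tree."""
    if isinstance(node, str):
        return p[node]
    gate, *kids = node
    q = [gate_rule(k, p) for k in kids]
    prod = 1.0
    for x in (q if gate == 'AND' else [1 - y for y in q]):
        prod *= x
    return prod if gate == 'AND' else 1 - prod

def basic_events(node):
    return {node} if isinstance(node, str) else set().union(*map(basic_events, node[1:]))

def occurs(node, failed):
    """Does the top event occur for the given set of failed basic events?"""
    if isinstance(node, str):
        return node in failed
    gate, *kids = node
    return (all if gate == 'AND' else any)(occurs(k, failed) for k in kids)

def enumerate_probability(node, p):
    """Exact P(TE): sum the weight of every one of the 2^n failure states in
    which the top event occurs; correct even with repeated basic events."""
    events = sorted(basic_events(node))
    total = 0.0
    for states in product((False, True), repeat=len(events)):
        failed = {e for e, s in zip(events, states) if s}
        if occurs(node, failed):
            w = 1.0
            for e, s in zip(events, states):
                w *= p[e] if s else 1 - p[e]
            total += w
    return total

def monte_carlo(node, p, n=50_000, seed=1):
    """MC estimate: draw each basic event independently, count top events."""
    rng = random.Random(seed)
    events = sorted(basic_events(node))
    hits = sum(occurs(node, {e for e in events if rng.random() < p[e]}) for _ in range(n))
    return hits / n
```

For the cut-set tree the gate rule gives about 0.493 while enumeration and MC give 0.488, because A and C are counted more than once; for the bulb and defibrillator trees, where no event repeats, both methods agree.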



Example – MCMC Simulation


Thank you and success with your exam!
