ORA:

Organizational Risk Analyzer


Kathleen M. Carley, Director of the Center for Computational Analysis of Social and Organizational Systems, ISRI, Carnegie Mellon University, Pittsburgh, PA 15213, Office: 412-268-6016, FAX: 412-268-2338; Email: kathleen.carley@cs.cmu.edu

ORA is a risk assessment tool for locating individuals or groups that are potential risks given social, knowledge and task network information. Essentially, you first use information about people to “connect the dots.” Then ORA examines this network and finds those dots, those people, who represent a threat to the overall system. Individuals are risks, e.g., if their removal from the network would debilitate it (the critical employee) or if, by feeding false information to others, they could create havoc (the rumor monger).

Based on network theory, social psychology, operations research, and management theory, a series of measures of “criticality” has been developed at CMU. Just as critical path algorithms can be used to locate those tasks that are critical from a project management perspective, the ORA algorithms can find those people, types of skills or knowledge, and tasks that are critical from a performance and information security perspective. Each of the measures we have developed is calculated by ORA on the basis of network data like that in the following table.

|           | People                        | Knowledge                              | Tasks                                                  |
|-----------|-------------------------------|----------------------------------------|--------------------------------------------------------|
| People    | Social Network: who knows who | Knowledge Network: who knows what      | Assignment Network: who does what                      |
| Knowledge |                               | Information Network: what informs what | Needs Network: what knowledge is needed to do the task |
| Tasks     |                               |                                        | Precedence Network: which task must be done before which |


ORA can be applied both within a traditional organization and to covert networks.

Applying ORA to an organization identifies key actors who, by virtue of who they know, what they know, and what they are doing, are potential risks to the security of a company. Applying ORA to a covert network identifies key actors whose removal will damage the adaptability or performance of that network. A critical feature that is currently being built is a “sensitivity” indicator for each threat metric, which estimates, given the level of accuracy of the underlying network, how sure we can be that the person identified as key really is key.
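
The “critical employee” idea can be made concrete with three of the networks from the table (Knowledge, Assignment and Needs). The following Python code is an added example, not ORA's code and not one of the CMU measures: it runs on constructed data with hypothetical people, knowledge and task names, and ranks people by how many tasks lose their required knowledge if that person is removed.

```python
# Added illustration: removal-impact ranking over a constructed meta-matrix.
# All names and data below are hypothetical; this is not an ORA measure.

KNOWLEDGE = {   # Knowledge Network: who knows what
    "alice": {"crypto", "db_admin"},
    "bob":   {"db_admin", "networking"},
    "carol": {"networking"},
    "dave":  {"crypto"},
}
ASSIGNMENT = {  # Assignment Network: who does what
    "alice": {"rotate_keys", "patch_db"},
    "bob":   {"patch_db", "audit_firewall"},
    "carol": {"audit_firewall"},
    "dave":  {"audit_firewall"},
}
NEEDS = {       # Needs Network: what knowledge is needed to do the task
    "rotate_keys":    {"crypto"},
    "patch_db":       {"db_admin"},
    "audit_firewall": {"networking"},
}

def covered_tasks(knowledge, assignment, needs):
    """Tasks whose needed knowledge is all held by the people assigned to them."""
    covered = set()
    for task, required in needs.items():
        staff = [p for p, tasks in assignment.items() if task in tasks]
        held = set().union(*(knowledge.get(p, set()) for p in staff))
        if staff and required <= held:
            covered.add(task)
    return covered

def removal_impact(knowledge, assignment, needs):
    """Map each person to the tasks that lose coverage if that person leaves."""
    baseline = covered_tasks(knowledge, assignment, needs)
    impact = {}
    for person in sorted(set(knowledge) | set(assignment)):
        k = {p: v for p, v in knowledge.items() if p != person}
        a = {p: v for p, v in assignment.items() if p != person}
        impact[person] = baseline - covered_tasks(k, a, needs)
    return impact

def rank_critical(knowledge, assignment, needs):
    """People ordered by how many tasks their removal would uncover."""
    impact = removal_impact(knowledge, assignment, needs)
    return sorted(impact, key=lambda p: (-len(impact[p]), p))

if __name__ == "__main__":
    for person, lost in removal_impact(KNOWLEDGE, ASSIGNMENT, NEEDS).items():
        print(f"{person}: {sorted(lost) or 'no task loses coverage'}")
```

In this constructed data, dave also knows crypto but is not assigned to rotate_keys, so alice remains a single point of failure; cross-assigning dave to that task removes the dependency.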

 

A prototype system exists that is set in the corporate context. Its focus is on locating potential “hackers” and assessing overall corporate information security risks from a personnel as opposed to technology perspective. It has been used by students to determine, given hypothetical organizations, the security risks endemic in different organizational designs and to assess tradeoffs in performance versus security of the corporate intellectual property.

At the CASOS Summer Institute, CASOS Ph.D. students have the chance to display and discuss their projects and work, including work on ORA. The 2008 CASOS Summer Institute posters are:

"Unsupervised Plan Detection In Maritime GPS Data"
"Extending ORA for Spatial and Temporal Data"