ORA is a risk assessment tool for locating individuals or groups that are potential risks given social, knowledge and task network information. Essentially, first you use information about people to “connect the dots.” Then, ORA examines this network and finds those dots, those people, who represent a threat to the overall system. Individuals are risks, e.g., if their removal from the network would debilitate it (the critical employee) or if, by feeding false information to others, they could create havoc (the rumor monger).
Based on network theory, social psychology, operations research, and management theory, a series of measures of “criticality” has been developed at CMU. Just as critical path algorithms can be used to locate those tasks that are critical from a project management perspective, the ORA algorithms can find those people, types of skills or knowledge, and tasks that are critical from a performance and information security perspective. Each of the measures we have developed is calculated by ORA on the basis of network data like that in the following table.
|           | People         | Knowledge           | Tasks              |
|-----------|----------------|---------------------|--------------------|
| People    | Social Network | Knowledge Network   | Assignment Network |
| Knowledge |                | Information Network | Needs Network      |
| Tasks     |                |                     | Precedence Network |
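The following is an added example, not ORA's own code, showing how a "critical employee" measure can be computed over a meta-network of the kind laid out in the table above (People x People social ties, People x Knowledge, People x Tasks assignment, Tasks x Knowledge needs). All names and edges are constructed sample data, and the scoring rule (tasks left without required knowledge plus social fragments created by a removal) is a simplified illustration, not one of the CMU measures.

```python
# Added example, not ORA's own code: a constructed meta-network of the kind laid out
# in the table above, scored for the "critical employee" case (what breaks on removal).
# Constructed sample data; every name and edge is hypothetical.
SOCIAL = {"ann": {"bob", "cat"}, "bob": {"ann"}, "cat": {"ann", "dan"}, "dan": {"cat"}}
KNOWLEDGE = {"ann": {"crypto", "network"}, "bob": {"network"},
             "cat": {"crypto", "db"}, "dan": {"db"}}
ASSIGNMENT = {"ann": {"vpn"}, "bob": {"vpn"}, "cat": {"backup"}, "dan": {"backup"}}
NEEDS = {"vpn": {"crypto", "network"}, "backup": {"db", "crypto"}}  # Tasks x Knowledge

def components(adj, nodes):
    """Count connected components of the social network restricted to `nodes`."""
    seen, count = set(), 0
    for start in nodes:
        if start in seen:
            continue
        count, stack = count + 1, [start]
        while stack:
            n = stack.pop()
            if n not in seen:
                seen.add(n)
                stack.extend(m for m in adj.get(n, ()) if m in nodes)
    return count

def uncovered_tasks(people):
    """Tasks whose needed knowledge nobody still assigned to them holds."""
    uncovered = set()
    for task, needed in NEEDS.items():
        held = set().union(*(KNOWLEDGE[p] for p in people if task in ASSIGNMENT[p]))
        if not needed <= held:
            uncovered.add(task)
    return uncovered

def removal_impact(person):
    """Tasks newly left without required knowledge, and social fragments created."""
    everyone = set(SOCIAL)
    remaining = everyone - {person}
    new_uncovered = uncovered_tasks(remaining) - uncovered_tasks(everyone)
    new_fragments = components(SOCIAL, remaining) - components(SOCIAL, everyone)
    return {"tasks_uncovered": new_uncovered, "fragments_added": new_fragments}

def rank_critical():
    """People sorted by combined removal impact, most critical first."""
    def score(p):
        impact = removal_impact(p)
        return len(impact["tasks_uncovered"]) + impact["fragments_added"]
    return sorted(((p, score(p)) for p in SOCIAL), key=lambda s: (-s[1], s[0]))

if __name__ == "__main__":
    for person, score in rank_critical():
        print(person, score, removal_impact(person))
```

In this sample, ann and cat each hold knowledge no co-assignee has and each bridge an otherwise isolated person, so they rank highest; bob and dan can be removed without any task or tie being lost.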
ORA can be applied both within a traditional organization and to covert networks.
Applied to an organization, ORA can determine the key actors who, by virtue of who they know, what they know, and what they are doing, are potential risks to the security of a company. Applied to a covert network, it can determine the key actors whose removal will damage the adaptability or performance of that network. A critical feature that is currently being built is a “sensitivity” indicator for each threat metric, which estimates, given the level of accuracy of the underlying network, how sure we can be that the person identified as key really is key.
A prototype system exists that is set in the corporate context. Its focus is on locating potential “hackers” and assessing overall corporate information security risks from a personnel, as opposed to a technology, perspective. It has been used by students to determine, given hypothetical organizations, the security risks endemic in different organizational designs and to assess tradeoffs between performance and the security of corporate intellectual property.