Mission Oriented Risk and Design Analysis of Critical Information Systems

ABSTRACT
Future military operations are becoming increasingly dependent on critical information systems. This paper describes a value-based information assurance methodology for Mission Oriented Risk and Design Analysis (MORDA) of information systems. The MORDA methodology was developed from 1998 to 2005 and has been successfully applied on seven major Department of Defense risk assessment studies, including a Joint Staff J6 mandated risk assessment of the Global Command and Control System. MORDA is a quantitative risk assessment and risk management process that uses risk analysis techniques and multiple objective decision analysis models to evaluate information system designs. MORDA models include adversary models; attacks trees; user models; service provider models; and integration and analysis models. The process provides a method for determining an optimum allocation of system design and operation resources that will ensure an operable information system in a hostile and malicious operating environment. MORDA uses subject matter expert teams from various disciplines to collect data and incorporates expert knowledge on adversaries, information systems technologies, and operation of the information system in the mission environment. The availability of key experts and cross-discipline teamwork are critical elements of the process.