Given multivariate, multidimensional events generated by adaptive human agents, perhaps it would not be too far a stretch to claim that no two events are precisely the same. Given the absence of actuarial data, what can a poor security architect do?
Answer the question with a short paragraph, with a minimum of 300 words. APA formatting but do not include a title page, abstract or table of contents. Body and references only in your post.
A minimum of two references is required. One reference for the book is acceptable, but multiple references are allowed. There should be multiple citations within the body of the paper. Note that an in-text citation includes the author's name, year of publication, and the page number where the paraphrased material is located.
University of the Cumberlands
School of Computer & Information Sciences
ISOL-536 – Security Architecture & Design
Chapter 3: Security Architecture of Systems
3.1 Why Is Enterprise Architecture Important?
3.2 The Security in Architecture
3.3 Diagramming For Security Analysis
3.4 Seeing and Applying Patterns
3.5 System Architecture Diagrams and Protocol Interchange Flows (Data Flow Diagrams)
3.5.1 Security Touches All Domains
3.5.2 Component Views
3.6 What's Important?
3.6.1 What Is Architecturally Interesting?
3.7 Understanding the Architecture of a System
3.7.1 Size Really Does Matter
3.8 Applying Principles and Patterns to Specific Designs
3.8.1 Principles, But Not Solely Principles
3.1 Why Is Enterprise Architecture Important?
A survey of 7,000 years of history of humankind would conclude that the only known strategy for accommodating extreme complexity and high rates of change is architecture. If you can't describe something, you can't create it, whether it is an airplane, a hundred-story building, a computer, an automobile . . . or an enterprise. Once you get a complex product created and you want to change it, the basis for change is its descriptive representations.
Any process, manual or digital, that contributes to the overall goals of
the enterprise, of the entire system taken as a whole, is then, necessarily,
a part of the enterprise architecture. Thus, a manually executed process
will, by definition, include the people who execute that process:
People, process, and technology.
3.2 The Security in Architecture
An assessor (usually a security architect) must then be proficient in
architecture in order to understand and manipulate system architectures.
In addition, the security architect also brings substantial specialized
knowledge to the practice of security assessment. Hence, we start with
solutions or systems architectures and their representations and then
apply security to them.
3.2 The Security in Architecture Cont.
Mario Godinez et al. (2010) categorize architectures into several different layers, as follows:
Conceptual Level: This level is closest to business definitions, business processes, and enterprise standards.
Logical Level: This level of the Reference Architecture translates conceptual design into logical design.
Physical Level: This level of the Reference Architecture translates the logical design into physical structures and often products.
3.3 Diagramming For Security Analysis
Figure 3.1 A simplistic Web architecture diagram.
The diagram does show something of the system: There is some sort of interaction between a user's computer and a server. The server interacts with another set of servers in some manner. So there are obviously at least three different components involved. The brick wall is a standard representation of a firewall. Apparently, there's some kind of security control between the user and the middle server. Because the arrows are double-headed, we don't know which component calls the others. It is just as likely that the servers on the far right call the middle server as the other way around.
3.3 Diagramming For Security Analysis Cont.
Figure 3.2 Marketing architecture for a business intelligence product.
From Figure 3.2, we know that, somehow, a warehouse (whatever that is) communicates with data sources. Even though we understand, by studying Figure 3.2, that there's some sort of application platform, an operating environment that might call various modules that are being considered as "applications," we do not know what that execution entails, whether "application" in this diagram should be considered as atomic, with attack surfaces exposed, or whether this is simply a functional nomenclature to express functionality about which customers will have some interest.
3.3 Diagramming For Security Analysis Cont.
Figure 3.3 Sample external web architecture.
Figure 3.3 explains how to securely allow HTTP traffic to be processed by internal resources that were not originally designed to be exposed to the constant attack levels of the Internet. The diagram was not intended for architecture analysis. However, unlike Figure 3.1, several trust-level boundaries are clearly delineated. Internet traffic must pass a firewall before HTTP/S traffic is terminated at a web server. The web server is separated by a second firewall from the application server. Finally, there is a third firewall between the entire DMZ network and the internal networks (the cloud in the lower right-hand corner of the diagram).
3.3 Diagramming For Security Analysis Cont.
The security architect has a requirement for abstraction that is different from most of the other architects working on a system. As we shall see further along, we reduce to a unit that presents the relevant attack surfaces. The reduction is dependent on other factors in an assessment, which were enumerated earlier:
Active threat agents that attack similar systems
Infrastructure security capabilities
Expected deployment model
Distribution of executables or other deployable units
The computer programming languages that have been used
Relevant operating system(s) and runtime or execution environment(s)
3.3 Diagramming For Security Analysis Cont.
In Figure 3.4, from a defensible perimeter standpoint, and from the standpoint of a typical security architect, we have a three-tier application:
Web server
Application server
Database
For this architecture, the Web server tier includes disk storage. Static content to be served by the system resides in this forward-most layer. Next, further back in the system, where it is not directly exposed to HTTP-based attacks, there is an application server that runs dynamic code. We don't know from this diagram what protocol is used between the Web server and the application server.
Figure 3.3 Sample external web architecture. (Courtesy of the SANS Institute.)
3.3 Diagramming For Security Analysis Cont.
Figure 3.5 Two-component endpoint
application and driver.
Figure 3.5 represents a completely different type of architecture compared to a web application. In this case, there are only two components (I've purposely simplified the architecture): a user interface (UI) and a kernel driver. The entire application resides on some sort of independent computing device (often called an endpoint). Although a standard desktop computer is shown, this type of architecture shows up on laptops, mobile devices, and all sorts of different endpoint types, and it can be generalized to most operating systems. The separation of the UI from a higher-privileged system function is a classic architecture pattern that crops up again and again.
3.4 Seeing and Applying Patterns
A pattern is a common and repeating idiom of solution design and architecture; it is defined as a solution to a problem in the context of an application.
There are architectural patterns that may be abstracted from specific architectures:
Standard e-commerce Web tiers
Creating a portal to backend application services
Database as the point of integration between disparate functions
Message bus as the point of integration between disparate functions
Integration through proprietary protocol
Web services for third-party integration
Service-oriented architecture (SOA)
Federated authentication [usually Security Assertion Markup Language (SAML)]
Web authentication validation using a session token
Employing a kernel driver to capture or alter system traffic
Model-view-controller (MVC)
Separation of presentation from business logic
JavaBeans for reusable components
Automated process orchestration
And more
3.4 Seeing and Applying Patterns Cont.
In order to recognize patterns, whether architectural or security, one has to have a representation of the architecture. There are many forms of architectural representation. Certainly, an architecture can be described in a specification document through descriptive paragraphs. Even with a well-drawn set of diagrams, the components and flows will typically need to be documented in prose as well as diagrammed. It is possible, with sufficient diagrams and a written explanation, that a security assessment can be performed with little or no interaction.
3.5 System Architecture Diagrams and Protocol
Interchange Flows (Data Flow Diagrams)
Figure 3.6 Conceptual enterprise architecture.
In Figure 3.6, we get some sense that there are technological infrastructures that are key to the business flows and processes. For instance, "Integrations" implies some sort of messaging bus technology. Details like a message bus and other infrastructures might be shown in the conceptual architecture only if the technologies were standards within the organization, or if these details would in some manner enhance the understanding of what the architecture is trying to accomplish at a business level. Mostly, technologies will be represented at a very gross level; details are unimportant within the conceptual architecture. There are some important details, however, that the security architect can glean from a conceptual architecture.
3.5 System Architecture Diagrams and Protocol
Interchange Flows (Data Flow Diagrams)
Cont.
Figure 3.7 Component enterprise architecture.
Figure 3.7 represents the same enterprise architecture that was depicted in Figure 3.6. Figure 3.6 represents a conceptual view, whereas Figure 3.7 represents the component view.
3.5.1 Security Touches All Domains
Like any practitioner, the enterprise architect can only understand so many factors and so many technologies. Anyone operating at the enterprise level will usually be an expert in many domains; enterprise architects depend upon security architects because they are typically not security experts themselves. Security is a matrix function across every other domain. Some security controls are reasonably separate and distinct, and thus can be placed in their own component space, whereas other controls must be embedded within the functionality of each component. It is our task as security architects to help our sister and brother architects understand the nature of security as a matrix domain.
3.5.2 Component Views
Presentations have been split from external integrations, as the integrations are sited in a special area: the Extranet. That is typical at an enterprise, where organizations are cross-connected with special, leased lines and other point-to-point solutions, such as virtual private networks (VPN). Access is granted based upon business contracts and relationships. Allowing data exchange after contracts are confirmed is a different relationship than encouraging interested parties to become customers through a presentation of customer services and online shopping (eCommerce). Because these two modes of interaction are fundamentally different, they are often segmented into different zones: a web site zone (for the public and customers) and the Extranet (for business partners).
3.6 What's Important?
What is architecturally interesting depends upon a number of factors. Unfortunately, there is no simple answer to this problem. When assessing, if you're left with a lot of questions, or the diagram only answers one or two, it's probably too soft. On the other hand, if your eyes glaze over from all the detail, you probably need to come up one or two levels of granularity, at least to get started.
3.6.1 What Is Architecturally Interesting?
The architecture diagram needs to represent the appropriate logical components. Unfortunately, what constitutes "logical components" is dependent upon three factors:
Deployment model
Infrastructure (and execution environment)
Attack method
3.7 Understanding the Architecture of a System
The question that needs answering in order to factor the architecture properly for attack surfaces is: At what level of specificity can components be treated as atomic? In other words, how deep should the analysis decompose an architecture? What constitutes meaningless detail that confuses the picture?
3.7.1 Size Really Does Matter
Figure 3.8 Anti-virus endpoint architecture.
The AV engine runs in a separate process space; it receives commands from the UI, which also runs in a separate process. Despite what you may believe, quite often AV engines do not run at high privilege. This is purposive. But AV engines typically communicate with, or receive communications from, higher-privilege components, such as system drivers and the like. The UI will be running at the privilege level of the user (unless the security architect has made a big mistake!).
The foregoing explains why most anti-virus and malware programs employ digital signatures rendered over executable binary files. The digital signature can be validated by each process before communications commence. Each process will verify that, indeed, the process attempting to communicate is the intended process. Although not entirely foolproof, binary signature validation can provide a significant barrier to an attack on a more trusted process from a less trusted source.
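The process-to-process trust check described above can be sketched in a few lines. This is an illustrative digest comparison only, not the book's implementation: real products validate vendor-issued digital signatures over the binary rather than a bare hash, and the function names here are hypothetical.

```python
import hashlib

def sha256_of(path: str) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def peer_is_trusted(binary_path: str, expected_digest: str) -> bool:
    """Refuse IPC unless the peer binary matches the digest recorded at install time."""
    return sha256_of(binary_path) == expected_digest
```

Each process would run such a check against the other's on-disk binary before opening the communication channel; a tampered binary no longer matches and is refused.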
3.8 Applying Principles and Patterns to Specific
Designs
Figure 3.9 Mobile security application endpoint architecture.
The art of architecture involves the skill of recognizing and then applying abstract patterns while, at the same time, understanding any local details that will be ignored through the application of patterns. Any unique local circumstances are also important and will have to be attended to properly.
It is not that locally specific details should be completely ignored. Rather, in the interest of achieving an architectural view, these implementation details are overlooked until a broader view can be established. That broader view is the architecture. As the architecture proceeds to specific design, the implementation details, things like specific operating system services that are or are not available, once again come to the fore and must receive attention.
3.8.1 Principles, But Not Solely Principles
The Open Web Application Security Project (OWASP) provides a distillation of several of the most well-known sets of principles:
Apply defense in depth (complete mediation).
Use a positive security model (fail-safe defaults, minimize attack surface).
Fail securely.
Run with least privilege.
Avoid security by obscurity (open design).
Keep security simple (verifiable, economy of mechanism).
Detect intrusions (compromise recording).
Don't trust infrastructure.
Don't trust services.
Establish secure defaults.
Chapter 3: Summary
By abstracting general architectural patterns from specific architectures, we can apply known effective security solutions in order to build the security posture. There will be times, however, when we must be creative in response to architecture situations that are as yet unknown or that are exceptional. Still, a body of typical patterns and solutions helps to cut down the complexity when determining an appropriate set of requirements for a system under analysis.
END
University of the Cumberlands
School of Computer & Information Sciences
ISOL-536 – Security Architecture & Design
Chapter 4 – Information Security Risk
4.1 Rating with Incomplete Information
4.2 Gut Feeling and Mental Arithmetic
4.3 Real-World Calculation
4.4 Personal Security Posture
4.5 Just Because It Might Be Bad, Is It?
4.6 The Components of Risk
4.6.1 Threat
4.6.2 Exposure
4.6.3 Vulnerability
4.6.4 Impact
4.7 Business Impact
4.7.1 Data Sensitivity Scales
4.8 Risk Audiences
4.8.1 The Risk Owner
4.8.2 Desired Security Posture
4.9 Summary
4.1 Rating with Incomplete Information
It would be extraordinarily helpful if the standard insurance risk equation could be calculated for information security risks:
Probability * Annualized Loss = Risk
However, this equation requires data that simply are not available in sufficient quantities for a statistical analysis comparable to the actuarial data that insurance companies use to calculate risk. In order to calculate probability, one must have enough statistical data on mathematically comparable events. Unfortunately, generally speaking, few security incidents in the computer realm are particularly mathematically similar. Given multivariate, multidimensional events generated by adaptive human agents, perhaps it wouldn't be too far a stretch to claim that no two events are precisely the same.
Given the absence of actuarial data, what can a poor security architect do?
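For contrast, here is the insurance-style calculation that, as the text argues, we usually cannot perform for security incidents. All figures are invented purely to make the arithmetic concrete.

```python
# Annualized loss expectancy (ALE): the actuarial form of Probability * Annualized Loss.
single_loss_expectancy = 250_000    # assumed cost of one incident, in dollars
annual_rate_of_occurrence = 0.04    # assumed incidents per year (about 1 in 25 years)

annualized_loss = single_loss_expectancy * annual_rate_of_occurrence
print(annualized_loss)
```

The arithmetic is trivial; the hard part, as the text stresses, is that no defensible value for the rate of occurrence exists for most computer security events.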
4.2 Gut Feeling and Mental Arithmetic
Experienced security architects do these back-of-the-napkin calculations fairly rapidly. They've seen dozens, perhaps hundreds, of systems. Having rated risk for hundreds or perhaps many more attack vectors, they get very comfortable delivering risk pronouncements consistently. With experience comes a gut feeling, perhaps an intuitive grasp, of the organization's risk posture. Intimacy with the infrastructure and security capabilities allows the assessor to understand the relative risk of any particular vulnerability or attack vector. This is especially true if the vulnerability and attack vector are well understood by the assessor. But what if one hasn't seen hundreds of systems? What does one do when just starting out?
4.3 Real-World Calculation
For the purposes of architecture assessment for security, risk may be thought of as:
Credible Attack Vector * Impact = Risk Rating
Where:
Credible Attack Vector (CAV) is a value such that 0 < CAV < 1
Impact is an ordinal that lies within a predetermined range, such that 0 < Impact < predetermined limit (example: 0 < Impact < 500)
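A minimal sketch of this rating formula, enforcing the ranges stated above (the bounds and the example limit of 500 come from the text; the function name is my own):

```python
def risk_rating(cav: float, impact: float, impact_limit: float = 500) -> float:
    """Risk Rating = Credible Attack Vector (CAV) * Impact.

    Per the text, CAV must lie strictly between 0 and 1, and Impact must lie
    strictly between 0 and a predetermined limit (500 in the example).
    """
    if not 0 < cav < 1:
        raise ValueError("CAV must lie strictly between 0 and 1")
    if not 0 < impact < impact_limit:
        raise ValueError("Impact must lie strictly between 0 and the limit")
    return cav * impact
```

A fairly credible vector against a high-impact asset, e.g. risk_rating(0.7, 400), rates far above a remote vector against the same asset, e.g. risk_rating(0.1, 400).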
4.4 Personal Security Posture
Personal risk predilection will have to be factored out of any risk calculations performed for an organization's systems. The analyst is not trying to make the system under analysis safe enough for himself or herself; the analyst is trying to provide sufficient security to enable the mission of the organization. "Know thyself" is an important maxim with which to begin.
4.5 Just Because It Might Be Bad, Is It?
Given certain types of attacks, there is absolute certainty in the world of computer security: Unprotected, Internet-addressable systems will be attacked. The uncertainty lies in the frequency of successful attacks versus noise, in whether the attacks will be sophisticated or not, how sophisticated, and which threat agents may get to the unprotected system first. Further, defenders won't necessarily know the objectives of the attackers. Uncertainty lies not within the probability of the event, but rather in the details of the event, the specificity of the event.
4.5 Just Because It Might Be Bad, Is It? – Cont.
We are interested in preventing credible attack vectors from success, whatever the goals of the attackers may be. We are constraining our definition of risk to:
Human threat agents
Attacks aimed at computer systems
Attack methods meant to abuse or misuse a system
4.6 The Components of Risk
There is a collection of conditions that must each be true in order for there to be any significant computer security risk. If any one of the conditions is not true, that is, the condition doesn't exist or has been interrupted, then that single missing condition can negate the ability of an attack to succeed.
To illustrate how network defenders can act on their knowledge of their adversaries
tactics, the paper lays out the multiple steps an attacker must proceed through to plan
and execute an attack. These steps are the kill chain. While the attacker must complete
all of these steps to execute a successful attack, the defender only has to stop the attacker
from completing any one of these steps to thwart the attack.
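The defender's asymmetry described above is easy to model. The step names below follow the commonly cited kill-chain formulation, used here illustratively:

```python
# The attacker must complete every step; the defender wins by breaking any one.
KILL_CHAIN = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]

def attack_succeeds(blocked_steps):
    """An attack succeeds only if no step in the chain has been stopped."""
    return not any(step in blocked_steps for step in KILL_CHAIN)
```

With no defenses, attack_succeeds(set()) is True; blocking even a single step, e.g. attack_succeeds({"delivery"}), defeats the whole chain.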
4.6.1 Threat
The term "threat" is scattered about in the literature and in parlance among practitioners. In some methodologies, "threat" is used to mean some type of attack methodology, such as spoofing or brute-force password cracking. Under certain circumstances, it may make sense to conflate all of the components of threat into an attack methodology. This approach presumes two things:
All attack methodologies can be considered equal.
There are sufficient resources to guard against every attack methodology.
4.6.1 Threat Cont.
In order to understand how relevant any particular threat agent is to a particular attack surface, what impact or loss the organization might suffer, and what level of protection is required to dissuade that particular type of attacker, a threat must be decomposed into its component parts:
Threat agent
Threat goals
Threat capabilities
Threat work factor
Threat risk tolerance
4.6.2 Exposure
In organizations that don't employ any separation of duties between roles, administrative staff may have the run of backend servers, databases, and even applications. In situations like this, the system administrators can cause catastrophic damage.
Even in mature and well-run shops, administrative staff will have significant power to do damage. The accepted protections against misuse of this power are:
Strict separation of duties
Independent monitoring of administrative activities to identify abuse of administrative access
Restriction of outbound capabilities at the time when, and on the network where, administrative duties are being carried out
Restriction of inbound vectors of attack to administrative staff when they are carrying out their duties
4.6.2 Exposure Cont.
In the world of highly targeted phishing attacks, where a person's social relations, their interests, even their patterns of usage, can be studied in detail, a highly targeted spear-phishing attack can be delivered that is very difficult to recognize. Consequently, these highly targeted spear-phishing techniques are much more difficult to resist. Highly targeted attacks are still relatively rare compared to the shotgun approach. If you, the reader, maintain a more or less public Web persona with an email address attached to that persona, you will no doubt see your share of untargeted attacks, that is, email spam or phishing attacks, every day.
4.6.2 Exposure Cont.
Exposure is the ability of an attacker to make contact with the vulnerability. It is the availability of vulnerabilities for exploitation. The attacker must be able to make use of whatever media the vulnerability expresses itself through. As a general rule, vulnerabilities have a presentation. The system presents the vulnerability through an input to the system, some avenue through which the system takes in data. Classic inputs are:
The user interface
A command-line interface (CLI)
Any network protocol
A file read (including configuration files)
Inter-process communication
A system driver
4.6.3 Vulnerability
Treatments to protect against a vulnerability tend to apply to many variations of that vulnerability. Hence, the security architect performing assessments must know the classes of vulnerability that can occur for that kind of system. Understanding each variation of a class of vulnerability isn't necessary. Instead, what is required is an understanding of how those vulnerabilities occur and how they may be protected against.
4.6.4 Impact
Given the importance of customers trusting an organization, should the compromised server get used to attack customers, or to display inappropriate messages, such a situation might result in a more significant loss. What if that server has become a base of operations for attackers to get at more sensitive systems? In any of the foregoing scenarios, a single compromised server among thousands that are untouched may be seen as a much greater loss.
4.7 Business Impact
The technical impact from a heap overflow might be the execution of code of the attacker's choosing in the context of an application, at whatever operating system privileges that application is running. These technical details are certainly important when building defenses against these attacks. Further, the technical impact helps coders understand where the bug is in the code, and technical details help to understand how to fix the issue. But the technical impact isn't typically important to organizational risk decision makers. For them, the impact must be spelled out in terms of the organization's objectives. We might term this business impact, as opposed to technical impact.
4.7.1 Data Sensitivity Scales
A mature security architecture practice will understand the data sensitivity rating scale of the organization and how to apply it to different data types. By classifying the sensitivity of data, the assessor has information about the required security posture needed to protect the data to the level that is required. Further to the point of this section, loss or impact can be expressed in business terms by noting which data are targets and by understanding the potential effects on the system and the organization when particular data are disclosed or tampered with. Data sensitivity, then, becomes a shorthand tool for expressing the business impact of a risk.
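As a sketch of the "shorthand tool" idea: if each classification maps to an ordinal posture level, the posture a system requires follows from the most sensitive data it handles. The scale below is hypothetical; real scales come from each organization's policy.

```python
# Hypothetical four-level data sensitivity scale (higher = more sensitive).
SENSITIVITY = {"public": 1, "internal": 2, "confidential": 3, "restricted": 4}

def required_posture(data_types):
    """A system must be protected to the level of its most sensitive data."""
    return max(SENSITIVITY[t] for t in data_types)
```

A system handling both public and confidential data must therefore be protected at the confidential level, which is the shorthand the assessor can carry into business-impact discussions.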
4.8 Risk Audiences
There are different audiences, different stakeholders, who need to understand risk through unique, individualized perspectives. It's a good practice to craft risk messages that can be understood from the perspectives of each stakeholder group. As has been noted, decision makers, namely, organization leaders, typically prefer that risk be stated in business terms, what I've termed business impact. Business impact is the effect that the successful exercise of a credible attack vector will have on the organization's operations and goals.
4.8.1 The Risk Owner
Raising risk means bringing the untreated or residual risk to a decision maker for a risk decision. These decisions typically take one of three mutually exclusive forms:
Assumption of the risk: proceed without treatment, that is, the organization agrees to bear the burden of the consequences, should an impact occur.
Craft an exception to treating the risk immediately, that is, fix the risk later, on an agreed-upon schedule.
Treat the risk immediately.
4.8.2 Desired Security Posture
There is no easy prescription or recipe to determine the desired risk posture. One can turn to the organization's security policy and standards as a starting point. In organizations whose cyber-security function is relatively mature, there may exist standards that point the way to the controls that must be implemented.
Chapter 4: Summary
In this chapter, we have narrowed the scope of the term risk to precisely fit the purpose of security assessment and threat modeling. We have proposed one methodology as an example of how risk can be understood and rated fairly easily. Whatever methodology is used, it will have to be repeatable by the analysts who'll provide security assessments, build threat models, and provide requirements for a system's security posture.
END
[Professor Name]
[Professor Email]@ucumberlands.edu
Project Management Journal, June 2007, p. 39
PROJECT SCHEDULING:
IMPROVED APPROACH TO INCORPORATE
UNCERTAINTY USING BAYESIAN NETWORKS
Abstract
Project scheduling inevitably involves uncertainty. The basic inputs (i.e., time, cost, and resources for each activity) are not deterministic and are affected by various sources of uncertainty. Moreover, there is a causal relationship between these uncertainty sources and project parameters; this causality is not modeled in current state-of-the-art project planning techniques (such as simulation techniques). This paper introduces an approach, using Bayesian network modeling, that addresses both uncertainty and causality in project scheduling. Bayesian networks have been widely used in a range of decision-support applications, but the application to project management is novel. The model presented empowers the traditional critical path method (CPM) to handle uncertainty and also provides explanatory analysis to elicit, represent, and manage different sources of uncertainty in project planning.

Keywords: project scheduling; uncertainty; Bayesian networks; critical path method; CPM

© 2007 by the Project Management Institute. Vol. 38, No. 2, 39-49, ISSN 8756-9728/03
Introduction
Project scheduling is difficult because it inevitably involves uncertainty. Uncertainty in real-world projects arises from the following characteristics:
Uniqueness (no similar experience)
Variability (trade-off between performance measures like time, cost, and quality)
Ambiguity (lack of clarity, lack of data, lack of structure, and bias in estimates)
Many different techniques and tools have been developed to support better project scheduling, and these tools are used seriously by a large majority of project managers (Fox & Spence, 1998; Pollack-Johnson, 1998). Yet, quantifying uncertainty is rarely prominent in these approaches.
This paper focuses especially on the problem of handling uncertainty in project scheduling. The next section elaborates on the nature of uncertainty in project scheduling and summarizes the current state of the art. The proposed approach is to adapt one of the best-used scheduling techniques, critical path method (CPM) (Kelly, 1961), and incorporate it into an explicit uncertainty model (using Bayesian networks). The paper summarizes the basic CPM methodology and notation, presents a brief introduction to Bayesian networks, and describes how the CPM approach can be incorporated (using a simple illustrative example). Also discussed is a mechanism to implement the model in real-world projects, and suggestions on how to move forward and possible future modifications are presented.
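Since the paper builds on CPM, a deterministic forward pass (earliest finish times) is worth sketching; it is this single-point calculation that the Bayesian network model extends with uncertainty. The three-activity network below is illustrative, not from the paper.

```python
def earliest_finish(durations, predecessors):
    """CPM forward pass: earliest finish time per activity (graph must be acyclic)."""
    finish = {}
    def ef(activity):
        if activity not in finish:
            # Earliest start is the latest finish among all predecessors (0 if none).
            start = max((ef(p) for p in predecessors.get(activity, [])), default=0)
            finish[activity] = start + durations[activity]
        return finish[activity]
    for activity in durations:
        ef(activity)
    return finish

# A has no predecessors; B follows A; C follows both A and B.
durations = {"A": 3, "B": 2, "C": 4}
predecessors = {"B": ["A"], "C": ["A", "B"]}
project_duration = max(earliest_finish(durations, predecessors).values())
```

Here the project duration is 9 (A, then B, then C on the critical path); classical CPM returns only this single number, whereas the Bayesian extension treats each duration as an uncertain quantity.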
The Nature of Uncertainty in Project Scheduling
A Guide to the Project Management Body of Knowledge (PMBOK Guide), Third edition (PMI, 2004) identifies risk management as a key area of project management: "Project risk management includes the processes concerned with conducting risk management planning, identification, analysis, response, and monitoring and control on a project."
Central to risk management is the issue of handling uncertainty. Ward and Chapman (2003) argued that current project risk management processes induce a restricted focus on managing project uncertainty. They believe it is because the term "risk" has become associated with events rather than more general sources of significant uncertainty.
VAHID KHODAKARAMI, Queen Mary University of London, United Kingdom
NORMAN FENTON, Queen Mary University of London, United Kingdom
MARTIN NEIL, Queen Mary University of London, United Kingdom
[...]pendence of activity duration in a project network. Moreover, being event-oriented (assuming project risks as independent events), MCS and the tools that implement it do not identify the sources of uncertainty.
As argued by Ward and Chapman (2003), managing uncertainty in projects is not just about managing perceived threats, opportunities, and their implication. A proper uncertainty management provides for identifying various sources of uncertainty, understanding the origins of them, and then managing them to deal with desirable or undesirable implications.
Capturing uncertainty in projects needs to go beyond variability and available data. It needs to address ambiguity and incorporate structure and knowledge (Chapman & Ward, 2000). In order to measure and analyze uncertainty properly, we need to model relations between trigger (source), and risk and impacts (consequences). Because projects are usually one-off experiences, their uncertainty is epistemic (i.e., related to a lack of complete knowledge) rather than aleatoric (i.e., related to randomness). The duration of a task is uncertain because there is no similar experience before, so data is incomplete and suffers from imprecision and inaccuracy. The estimation of this sort of uncertainty is mostly subjective and based on estimator judgment. Any estimation is conditionally dependent on some assumptions and conditions, even if they are not mentioned explicitly. These assumptions and conditions are major sources of uncertainty and need to be addressed and handled explicitly.
The most well-established approach to handling uncertainty in these circumstances is the Bayesian approach (Efron, 2004; Goldstein, 2006). Where complex causal relationships are involved, the Bayesian approach is extended by using Bayesian networks. The challenge is to incorporate the CPM approach into Bayesian networks.
In different project management processes there are different aspects of uncertainty. The focus of this paper is on uncertainty in project scheduling. The most obvious area of uncertainty here is in estimating the duration of a particular activity. Difficulty in this estimation can arise from a lack of knowledge of what is involved, as well as from the uncertain consequences of potential threats or opportunities. This uncertainty arises from one or more of the following:
• Level of available and required resources
• Trade-off between resources and time
• Possible occurrence of uncertain events (i.e., risks)
• Causal factors and interdependencies, including common causal factors that affect more than one activity (such as organizational issues)
• Lack of previous experience and use of subjective rather than objective data
• Incomplete or imprecise data, or a lack of data altogether
• Uncertainty about the basis of subjective estimation (i.e., bias in estimation).
The best-known technique to support project scheduling is CPM. This technique, which is adopted by the most widely used project management software tools, is purely deterministic. It makes no attempt to handle or quantify uncertainty. However, a number of techniques, such as the program evaluation and review technique (PERT), critical chain scheduling (CCS), and Monte Carlo simulation (MCS), do try to handle uncertainty, as follows:
• PERT (Malcolm, Roseboom, Clark, & Fazar, 1959; Miller, 1962; Moder, 1988) incorporates uncertainty in a restricted sense by using a probability distribution for each task. Instead of a single deterministic value, three different estimates (pessimistic, optimistic, and most likely) are approximated. The critical path and the start and finish dates are then calculated by using the distributions' means and applying probability rules. Results in PERT are more realistic than in CPM, but PERT does not explicitly address any of the sources of uncertainty previously listed.
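As a concrete illustration of the PERT calculation just described, the standard three-point formulas can be sketched as follows. The task estimates here are hypothetical, not taken from the paper:

```python
# PERT three-point estimation (standard formulas): each task gets an
# expected duration te = (o + 4m + p) / 6 and standard deviation
# sd = (p - o) / 6; along a fixed path, means add, and (assuming the
# independence PERT relies on) so do variances.
import math

def pert_estimate(optimistic, most_likely, pessimistic):
    te = (optimistic + 4 * most_likely + pessimistic) / 6.0
    sd = (pessimistic - optimistic) / 6.0
    return te, sd

# Hypothetical (o, m, p) estimates for the tasks on a critical path.
path = [(2, 4, 9), (3, 5, 10), (1, 2, 4)]
ests = [pert_estimate(o, m, p) for o, m, p in path]
expected = sum(te for te, _ in ests)              # expected path duration
sigma = math.sqrt(sum(sd ** 2 for _, sd in ests)) # path standard deviation
print(expected, sigma)
```

Note how this quantifies spread around the path duration but, as the text says, attributes none of it to an identified source of uncertainty.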
• Critical chain (CC) scheduling is based on Goldratt's theory of constraints (Goldratt, 1997). To minimize the impact of Parkinson's Law (jobs expand to fill the allocated time), CC uses a 50% confidence estimate for each task in project scheduling. The safety time (the remaining 50%) associated with each task is shifted to the end of the critical chain (the longest chain) to form the project buffer. Although it is claimed that the CC approach is the most important breakthrough in project management history, its oversimplicity is a concern for many companies that do not understand both the strengths and weaknesses of CC and apply it regardless of their particular and unique circumstances (Pinto, 1999). The assumption that all task durations are overestimated by a certain factor is questionable. The main issue is: how does the project manager determine the safety time? (Raz, Barnes, & Dvir, 2003). CC relies on a fixed, right-skewed probability distribution for activities, which may be inappropriate (Herroelen & Leus, 2001), and a sound estimation of project and activity duration (and consequently of the buffer size) is still essential (Trietsch, 2005).
• Monte Carlo simulation (MCS) was first proposed for project scheduling in the early 1960s (Van Slyke, 1963) and implemented in the 1980s (Fishman, 1986). In the 1990s, because of improvements in computer technology, MCS rapidly became the dominant technique for handling uncertainty in project scheduling (Cook, 2001). A survey by the Project Management Institute (PMI, 1999) showed that nearly 20% of project management software packages support MCS. For example, PertMaster (PertMaster, 2006) accepts scheduling data from tools like MS-Project and Primavera and incorporates MCS to provide project risk analysis in time and cost. However, the Monte Carlo approach has attracted some criticism. Van Dorp and Duffey (1999) explained the weakness of Monte Carlo simulation in assuming statistical independence of activity durations in a project network. Moreover, being event-oriented (assuming project risks are independent events), MCS and the tools that implement it do not identify the sources of uncertainty.
CPM Methodology and Notation
CPM (Moder, 1988) is a deterministic technique that, by use of a network of dependencies between tasks and given deterministic values for task durations, calculates the longest path in the network, called the critical path. The length of the critical path is the earliest time for project completion. The critical path can be identified by determining the following parameters for each activity:
D: duration
ES: earliest start time
EF: earliest finish time
LS: latest start time
LF: latest finish time.
The earliest start and finish times of each activity are determined by working forward through the network, finding the earliest time at which an activity can start and finish given its predecessor activities. For each activity j:
ESj = Max [ESi + Di ; over predecessor activities i]
EFj = ESj + Dj
The latest start and finish times are the latest times at which an activity can start and finish without delaying the project; they are found by working backward through the network. For each activity i:
LFi = Min [LFj - Dj ; over successor activities j]
LSi = LFi - Di
The activity's total float (TF) (i.e., the amount by which the activity's duration can be increased without increasing the overall project completion time) is the difference between the latest and earliest finish times of the activity. A critical activity is one with no TF and should receive special attention (a delay in a critical activity will delay the entire project). The critical path, then, is the path (or paths) through the network whose activities have minimal TF.
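The forward pass, backward pass, and total-float calculation just described can be sketched in a few lines of Python. The network and durations below are hypothetical stand-ins (the paper's Table 1 values are not reproduced in this text):

```python
# Deterministic CPM forward/backward pass as described above.
def cpm(durations, predecessors):
    order = list(durations)  # assumes keys are given in topological order
    es, ef = {}, {}
    for a in order:                       # forward pass: ES, EF
        es[a] = max((ef[p] for p in predecessors[a]), default=0)
        ef[a] = es[a] + durations[a]
    project_end = max(ef.values())        # earliest project completion
    successors = {a: [b for b in order if a in predecessors[b]] for a in order}
    lf, ls = {}, {}
    for a in reversed(order):             # backward pass: LF, LS
        lf[a] = min((ls[s] for s in successors[a]), default=project_end)
        ls[a] = lf[a] - durations[a]
    tf = {a: lf[a] - ef[a] for a in order}            # total float
    critical = [a for a in order if tf[a] == 0]
    return project_end, tf, critical

# Hypothetical five-activity network: A precedes B and C, B precedes D,
# C and D precede E.
durations = {"A": 5, "B": 3, "C": 8, "D": 4, "E": 7}
preds = {"A": [], "B": ["A"], "C": ["A"], "D": ["B"], "E": ["C", "D"]}
end, tf, critical = cpm(durations, preds)
print(end, critical)  # prints: 20 ['A', 'C', 'E']
```

With these durations the zero-float path A-C-E is critical and the project takes 20 days; activities B and D each carry one day of float.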
The CPM approach is very simple and provides very useful and fundamental information about a project and its activity schedule. However, because of its single-point estimate assumption, it is too simplistic to be used in complex projects. The challenge is to incorporate the inevitable uncertainty.
Proposed BN Solution
Bayesian networks (BNs) are recognized as a mature formalism for handling causality and uncertainty (Heckerman, Mamdani, & Wellman, 1995). This section provides a brief overview of BNs and describes a new approach for scheduling project activities in which the CPM parameters (i.e., ES, EF, LS, and LF) are determined in a BN.
Bayesian Networks: An Overview
Bayesian networks (also known as belief networks, causal probabilistic networks, causal nets, graphical probability networks, probabilistic cause-effect models, and probabilistic influence diagrams) provide decision support for a wide range of problems involving uncertainty and probabilistic reasoning. Examples of real-world applications can be found in Heckerman et al. (1995), Fenton, Krause, and Neil (2002), and Neil, Fenton, Forey, and Harris (2001). A BN is a directed graph, together with an associated set of probability tables. The graph consists of nodes and arcs. Figure 1 shows a simple BN that models the cause of delay in a particular task in a project. The nodes represent uncertain variables, which may or may not be observable. Each node has a set of states (e.g., "on time" and "late" for the "Subcontract" node). The arcs represent causal or influential relationships between variables (e.g., "subcontract" and "staff experience" may cause a "delay in task"). There is a probability table for each node, providing the probabilities of each state of the variable. For variables without parents (called "prior" nodes), the table just contains the marginal probabilities (e.g., for the "Subcontract" node, P(on-time) = 0.95 and P(late) = 0.05). This is also called the "prior distribution", which represents the prior belief (state of knowledge) about the variable. For each variable with parents, the probability table gives conditional probabilities for each combination of the parents' states (see, for example, the probability table for "delay in task"
Figure 1: A Bayesian network contains nodes, arcs, and probability tables
in Figure 1). This is also called the "likelihood function", which represents the likelihood of a state of a variable given a particular state of its parents.
The main use of BNs is in situations that require statistical inference. In addition to statements about the probabilities of events, users have some evidence (i.e., some variable states or events that have actually been observed) and can infer the probabilities of other variables that have not yet been observed. The updated distributions are posterior probabilities: by applying Bayes' rule at each affected node, the evidence propagates through the BN, modifying the probability distributions of the other nodes. For example, the probability that the task finishes on time, with no observation, is 0.855 (see Figure 2a). However, if we know that the subcontractor failed to deliver on time, this probability updates to 0.49 (see Figure 2b).
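The kind of update just illustrated can be reproduced by brute-force enumeration over the joint distribution. The probability tables below are hypothetical stand-ins (Figure 1's actual tables are not reproduced in this text), so the resulting numbers differ from the 0.855 and 0.49 in the figure:

```python
# Brute-force inference in a two-parent BN of the shape sketched in
# Figure 1. All probability-table values are hypothetical illustrations.
from itertools import product

p_sub = {"on_time": 0.95, "late": 0.05}        # prior: Subcontract
p_staff = {"experienced": 0.7, "novice": 0.3}  # prior: Staff experience
# Hypothetical CPT: P(Task = on_time | Subcontract, Staff experience)
p_task_ok = {("on_time", "experienced"): 0.95,
             ("on_time", "novice"): 0.80,
             ("late", "experienced"): 0.50,
             ("late", "novice"): 0.20}

def p_on_time(evidence_sub=None):
    """P(Task on time), optionally conditioned on a Subcontract state."""
    num = den = 0.0
    for sub, staff in product(p_sub, p_staff):
        if evidence_sub is not None and sub != evidence_sub:
            continue  # drop worlds inconsistent with the evidence
        joint = p_sub[sub] * p_staff[staff]
        num += joint * p_task_ok[(sub, staff)]
        den += joint
    return num / den

print(p_on_time())        # prior belief, no evidence entered
print(p_on_time("late"))  # posterior after observing a late subcontract
```

As in the paper's example, observing the subcontractor's failure sharply lowers the belief that the task will finish on time; real BN tools perform this propagation efficiently over many interconnected nodes.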
The key benefits of BNs that make them highly suitable for the project planning domain are that they:
• Explicitly quantify uncertainty and model the causal relations between variables
• Enable reasoning from effect to cause as well as from cause to effect (propagation is both forward and backward)
• Make it possible to overturn previous beliefs in the light of new data
• Make predictions with incomplete data
• Combine subjective and objective data
• Enable users to arrive at decisions that are based on visible, auditable reasoning.
BNs, as a tool for decision support, have been deployed in domains ranging from medicine to politics. BNs potentially address many of the uncertainty issues previously discussed. In particular, incorporating CPM-style scheduling into a BN framework makes it possible to properly handle uncertainty in project scheduling.
There are numerous commercial tools that enable users to build BN models and run the propagation calculations. With such tools it is possible to perform fast propagation in large BNs (with hundreds of nodes). In this paper, AgenaRisk (2006) was used, since it can model continuous variables (as opposed to just discrete ones).
BN for Activity Duration
Figure 3 shows a prototype BN that the authors have built to model uncertainty sources and their effects on the duration of a particular activity. The model contains variables that capture the uncertain nature of activity duration. "Initial duration estimation" is the first estimate of the activity's duration; it is based on historical data, previous experience, or simply expert judgment. "Resources" incorporates any factor that can increase or decrease the activity duration. It is a ranked node, which for simplicity here is restricted to three levels: low, average, and high. The level of resources can be inferred from so-called "indicator" nodes. Hence, the causal link runs from the resources directly to observable indicator values such as the cost, the experience of available people, and the level of available technology. There are many alternative indicators. An important and novel aspect of this approach is to allow the model to be adapted to use whichever indicators are available.
The power of this model is better understood by showing the results of running it under various scenarios. It is possible to enter observations anywhere in the model to perform not just predictions but also many types of trade-off and explanatory analysis. So, for example, observations for the initial duration estimation and resources can be entered, and the model will show the distributions for duration. Figure 4 shows how the distribution of the duration of an activity whose initial estimate is five days changes when the level of its available resources goes from low to high. (All the subsequent figures are outputs from the AgenaRisk software.)
Another possible analysis in this model is the trade-off between duration and resources when there is a time constraint on the activity duration and it is of interest to know the level of resources required. For example, consider an activity whose initial duration is estimated as five days but which must be finished in three days. Figure 5 shows the probability distribution of the resources required to meet this duration constraint. Note how it is skewed toward "high".
Figure 2: New evidence updates the probability
Figure 5: Level of required resources when there is a constraint on duration
Mapping CPM to BN
The main components of CPM networks are activities. Activities are linked together to represent dependencies. In order to map a CPM network to a BN, it is necessary first to map a single activity. Each of the activity's parameters is represented as a variable (node) in the BN.
Figure 6 shows a schematic model of the BN fragment associated with an activity. It clearly shows the relations between the activity parameters and also the relations with predecessor and successor activities.
The next step is to define the connecting links between dependent activities. The forward pass in CPM is mapped as a link from the EF of each activity to the ES of its successor activities. The backward pass in CPM is mapped as a link from the LS of each activity to the LF of its predecessor activities.
Example
The following illustrates this mapping process. The example is deliberately very simple, to avoid extra complexity in the BN. How the approach can be used in real-size projects is discussed later in the paper.
Consider a small project with five activities: A, B, C, D, and E. The activity-on-arc (AOA) network of the project is shown in Figure 7.
The results of the CPM calculation are summarized in Table 1. Activities A, C, and E, with TF = 0, are critical, and the overall project takes 20 days (i.e., the earliest finish of activity E).
Figure 8 shows the full BN representation of the previous example. Each activity has five associated nodes. The forward-pass calculation of CPM is done through the connections between the ES and EF nodes. Activity A, the first activity of the project, has no predecessor, so its ES is set to zero. Activity A is the predecessor of activities B and C, so the EF of activity A is linked to the ES of activities B and C. The EF of activity B is linked to the ES of its successor, activity D. Finally, the EFs of activities C and D are connected to the ES of activity E. In fact, the ES of activity E is the maximum of the EFs of activities C and D. The EF of activity E is the earliest time for project completion.
The same approach is used for the backward CPM calculations, connecting the LF and LS. Activity E is the last activity of the project and has no successor, so its LF is set to its EF. Activity E is the successor of activities C and D, so the LS of activity E is linked to the LF of activities C and D. The LS of activity D is linked to the LF of its predecessor, activity B. Finally, the LSs of activities B and C are linked to the LF of activity A. The LF of activity A is the minimum of the LSs of activities B and C.
For simplicity in this example, it is assumed that activities A and E are more risky and need more detailed analysis. For all other activities the uncertainty about duration is expressed simply by a normal distribution.
Figure 3: Bayesian network for activity duration
Figure 4: Probability distribution for duration (days) changes when the level of resources changes
Figure 6: Schematic of BN for an activity
Figure 7: CPM network
Results
This section explores different scenarios of the BN model in Figure 8. The main objective is to predict the project completion time (i.e., the earliest finish of E) in such a way that it fully characterizes uncertainty.
Suppose the initial estimates of the activities' durations are the same as in Table 1, and suppose the resource level for activities A and E is medium. If the earliest start of activity A is set to zero, the distribution for project completion is shown in Figure 9a. The distribution's mean is 20 days, as was expected from the CPM analysis. However, unlike CPM, the prediction is not a single point, and its variance is 4. Figure 9b illustrates the cumulative distribution of finishing time, which shows the probability of completing the project before a given time. For example, with a probability of 90% the project will finish within 22 days.
In addition to this baseline scenario, by entering various evidence (observations) into the model, it is possible to analyze the project schedule from different aspects. For example, one scenario is to see how changing the resource level affects the project completion time.
Figure 10 compares the distributions for project completion time as the level of people's experience changes. When people's experience changes from low to high, the mean finishing time changes from 22.7 days to 19.5 days and the 90% confidence bound changes from 26.3 days to 22.9 days.
Another useful analysis is when there is a constraint on the project completion time and we want to know how many resources are needed. Figure 11 illustrates this trade-off between project time and required resources. If the project needs to be completed in 18 days (instead of the baseline 20 days), then the resources required for activity A most likely must be high; if the project completion is set to 22 days, the resource level for activity A moves significantly in the direction of low.
The next scenario investigates the impact of a risk in activity A on the project completion time, as shown in Figure 12. When there is a risk in activity A, the mean of the distribution for the project completion time changes from 19.9 days to 22.6 days and the 90% confidence bound changes from 22.5 days to 25.3 days.
One important advantage of BNs is their potential for parameter learning, which is shown in the next scenario. Imagine activity A actually finishes in seven days, even though it was originally estimated at five days. Because activity A has taken more time than was expected, the level of resources has probably not been sufficient. By entering this observation, the model gives the resource probability for activity A as illustrated in Figure 13. This can update the analyst's belief about the actual level of available resources.
Assuming both activities A and E use the same resources (e.g., people), the updated knowledge about the level of available resources from activity A (which is finished) can be entered as evidence in the resources node for activity E (which has not yet started), and consequently updates the project completion time. Figure 14 shows the distributions of completion time when the level of available resources for activity E is learned from the actual duration of activity A.
Another application of parameter learning in these models is the ability to incorporate and learn about bias in estimation. So, if there are several observations in which actual task completion times are underestimated, the model learns that this may be due to bias rather than to unforeseen risks, and this information will inform subsequent predictions. Work on this type of application (called "dynamic learning") is still in progress and is a possible way of extending the BN version of CPM.
Figure 8: Overview of BN for example (1)
Object-Oriented Bayesian Network (OOBN)
It is clear from Figure 8 that even simple CPM networks lead to fairly large BNs. In real-sized projects with several activities, constructing the network requires a huge effort, which is not effective, especially for users without much experience with BNs. However, this complexity can be handled using the so-called object-oriented Bayesian network (OOBN) approach (Koller & Pfeffer, 1997). This approach, analogous to object-oriented programming languages, supports a natural framework for abstraction and refinement, which allows complex domains to be described in terms of interrelated objects.
The basic element in an OOBN is an object: an entity with an identity, state, and behavior. An object has a set of attributes, each of which is an object. Each object is assigned to a class. Classes provide the ability to describe a general, reusable network that can be used in different instances. A class in an OOBN is a BN fragment.
The proposed model has a highly repetitive structure and fits the object-oriented framework perfectly. The internal parts of the activity subnet (see Figure 6) are encapsulated within the activity class, as shown in Figure 15.
Table 1: Activities time (days) and summary of CPM calculations
Figure 9: Distribution of project completion (days) for main scenario in example (1)
Figure 10: Change in project time distribution (days) when level of people’s experience changes
JU N E 2007 PR O J E C T MA N A G E M E N T JO U R N A L 47
Classes can be used as libraries and combined into a model as needed. By connecting interrelated objects, complex networks with several dozen nodes can be constructed easily. Figure 16 shows the OOBN model for the example previously presented.
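The class/instance idea behind the OOBN approach can be conveyed by a loose object-oriented analogy in Python. This is not AgenaRisk's API and not a probabilistic network; it is a deterministic skeleton showing how an "activity" fragment is written once and then instantiated per activity, with the EF-to-ES links wired between instances (durations hypothetical):

```python
# Object-oriented analogy to an OOBN activity class: the fragment's
# interface (duration, ES, EF) is defined once; each project activity is
# an instance, and link() wires the EF -> ES dependency between objects.
class Activity:
    def __init__(self, name, duration):
        self.name, self.duration = name, duration
        self.predecessors, self.successors = [], []

    def link(self, successor):
        # Forward-pass arc: this activity's EF feeds the successor's ES.
        self.successors.append(successor)
        successor.predecessors.append(self)

    @property
    def es(self):  # earliest start: max of predecessors' earliest finishes
        return max((p.ef for p in self.predecessors), default=0)

    @property
    def ef(self):  # earliest finish
        return self.es + self.duration

a, b, c, d, e = (Activity(n, t) for n, t in
                 [("A", 5), ("B", 3), ("C", 8), ("D", 4), ("E", 7)])
a.link(b); a.link(c); b.link(d); c.link(e); d.link(e)
print(e.ef)  # prints: 20 (earliest completion for these hypothetical durations)
```

The point of the analogy is reuse: the five-node internal structure is written once and stamped out per activity, which is exactly what makes the OOBN construction of large CPM networks tractable.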
The OOBN approach can also significantly improve the performance of inference in the model. Although a full discussion of the OOBN approach to this particular problem is beyond the scope of this paper, the key point to note is that there is an existing mechanism (and an implementation of it) that enables the proposed solution to be genuinely scaled up to real-world projects. Moreover, research is emerging to develop a new generation of BN tools and algorithms that support the OOBN concept, both in constructing large-scale models and in propagation.
Conclusions and How to Move Forward
Handling risk and uncertainty is increasingly seen as a crucial component of project management and planning. One classic problem is how to incorporate uncertainty in project scheduling. Despite the availability of different approaches and tools, the dilemma is still challenging. Most current techniques for handling risk and uncertainty in project scheduling (simulation-based techniques) are often event-oriented and try to model the impact of possible threats on project performance. They ignore the sources of uncertainty and the causal relations between project parameters. More advanced techniques are required to capture the different aspects of uncertainty in projects.
Figure 11: Probability of required resources changes when the time constraint changes
Figure 12: The impact of an occurring risk in activity A on the project completion time
Figure 13: Learned probability distribution of resources when the actual duration is seven days
This paper has proposed a new approach that makes it possible to incorporate risk, uncertainty, and causality in project scheduling. Specifically, the authors have shown how a Bayesian network model can be generated from a project's CPM network. Part of this process is automatic and part involves identifying specific risks (which may be common to many activities) and resource indicators. The approach brings the full weight and power of BN analysis to bear on the problem of project scheduling. This makes it possible to:
• Capture different sources of uncertainty and use them to inform project scheduling
• Express uncertainty about the completion time for each activity and the whole project with full probability distributions
• Model the trade-off between time and resources in project activities
• Use "what-if?" analysis
• Learn from data so that predictions become more relevant and accurate.
The application of the approach was explained by use of a simple example. In order to scale this up to real projects with many activities, the approach must be extended to use so-called object-oriented BNs. There is ongoing work to accommodate such object-oriented modeling so that building a BN version of a CPM model is just as simple as building a basic CPM model.
Other extensions to the work described here include:
• Incorporating additional uncertainty sources in the duration network
• Handling dynamic parameter learning as more information becomes available as the project progresses
• Handling common causal risks that affect more than one activity
• Handling management action when the project is behind plan.
Figure 14: Completion time (days) based on learned parameters compared with the baseline scenario
Figure 16: OOBN model for the presented example
Figure 15: Activity class encapsulates the internal parts of the network
References
AgenaRisk. (2006). Available at www.agenarisk.com
Chapman, C., & Ward, S. (2000). Estimation and evaluation of uncertainty: A minimalist first pass approach. International Journal of Project Management, 18, 369-383.
Cook, M. S. (2001). Real-world Monte Carlo analysis. Proceedings of the PMI Annual Seminars and Symposium, Nashville, TN.
Efron, B. (2004). Bayesians, frequentists, and scientists. Journal of the American Statistical Association, 100(469), 1-5.
Fenton, N. E., Krause, P., & Neil, M. (2002). Software measurement: Uncertainty and causal modeling. IEEE Software, 10(4), 116-122.
Fishman, G. S. (1986). A Monte Carlo sampling plan for estimating network reliability. Operations Research, 34(4), 581-594.
Fox, T. L., & Spence, J. W. (1998). Tools of the trade: A survey of project management tools. Project Management Journal, 29, 20-28.
Goldratt, E. M. (1997). Critical chain. Great Barrington, MA: The North River Press Publishing Corporation.
Goldstein, M. (2006). Subjective Bayesian analysis: Principles and practice. Bayesian Analysis, 1(3), 403-420.
Heckerman, D., Mamdani, A., & Wellman, M. (1995). Real-world applications of Bayesian networks. Communications of the ACM, 38(3), 25-26.
Herroelen, W., & Leus, R. (2001). On the merits and pitfalls of critical chain scheduling. Journal of Operations Management, 19, 559-577.
Kelly, J. E. (1961). Critical path planning and scheduling: Mathematical bases. Operations Research, 9, 246-320.
Koller, D., & Pfeffer, A. (1997). Object-oriented Bayesian networks. In D. Geiger & P. Shenoy (Eds.), Proceedings of the Thirteenth Annual Conference on Uncertainty in Artificial Intelligence (UAI-97) (pp. 302-313). San Francisco, CA.
Malcolm, D. G., Roseboom, J. H., Clark, C. E., & Fazar, W. (1959). Application of a technique for research and development program evaluation. Operations Research, 7(5), 646-669.
Miller, R. W. (1962). How to plan and control with PERT. Harvard Business Review, 93-104.
Moder, J. (1988). Network techniques in project management. In Project Management Handbook (2nd ed., pp. 324-373). New York: Van Nostrand Reinhold.
Neil, M., Fenton, N., Forey, S., & Harris, R. (2001). Using Bayesian belief networks to predict the reliability of military vehicles. IEE Computing and Control En