IEEE Technology and Society Magazine - March 2017 - 53

technological configuration to end-user vulnerability,
specifically the additional risk of Internet-enabled medical implant devices.

Classical Risk Analysis
Classical risk analysis begins with a description of the
system of interest [6]. Generally, such systems are only
defined implicitly, lacking a definition of specific configuration of the system, i.e., a precise definition of the
streams, components, and subsystems, and interconnection architecture. The analysis develops an expertgenerated list of possible hazards (either specific or
hazard-types) and of associated possible harms. The
analysis is completed by using a lookup table to assign
a risk category according to each combination of identified hazard and consequent harm. Although valuable,
the practice of carrying out a risk analysis suffers from
several drawbacks:
■ Reliance on system definition precision, without
which resulting assessments of hazards are
imprecise.
■ Given the plethora of possible hazards, the process is
inherently likely to fail to identify all relevant hazards.
■ Some hazards may be statistically predictable from
historical data, but for others, experts may either
inaccurately assess probability, or fail to identify a
case where a hazard is intentional.
■ A "probability of occurrence" assessment does not
take into account the specific state of the system at
some instant in time - if the system is close to
design capacity at the instant when a hazard occurs,
the probability of the hazard causing harm, may be
higher than if the hazard occurred at an instant
when the system load was low.
■ The use of categories to correlate harm and hazard
is normally coarse-grained, not accounting for
changes to system configuration.
Application of classical risk analysis to design decisions for implanted devices (as a general case) is difficult due to the unknown nature of environmental
threats, the long design life with consequent possibility of emergent hazards and the inability of coarsegrained risk analysis to inform detailed design
decisions. Moreover, the analysis may omit consideration of the added threat of malicious intent enabled
by connectivity functionality.

Foundational Concepts
of the Proposed "Exposure" Metric

qualitatively different from the effect of a random hazard. The intentional hazard will occur every time one
elects to cause the hazard and hence has a probability
of occurrence of 1.0. An autonomous malicious entity
will also actively seek weaknesses and attempt to
thwart mitigatory or contingency measures, regardless
of whether these have been identified by a risk assessment exercise. Thus, for intentionally guided hazards
(or for the long timeframes envisaged in this case) the
risk "probability" concept has limited usefulness. The
significance of this distinction may not be fully appreciated in practice.

Linkage of Hazard to Weakness
Events external to a technology system only threaten
the output of the technology system when the external events align with a technology system weakness.
Irrespective of probability of occurrence, if the hazard

Successful operation of medical
devices can be life saving,
but the consequences of failure
are severe.

does not align with a system weakness then the event
occurrence is unimportant, as it will not compromise
system performance [7]. Conversely, if an unidentified
weakness exists within a technological system, unrecognized hazards may exist that align with the
weakness, creating unrecognized contributions to
overall vulnerability.

The Importance of System
Technological Configuration
If the configuration of a particular technology system is
changed, weaknesses may be removed or added. For
each weakness added, additional external events
should be re-categorized as hazards - and for weaknesses removed, the associated external events cease
to be hazards.

An "Exposure" Metric Developed and Described

Intended Hazards

Refining the Need for an Exposure Metric

Terrorism or sabotage in particular must be considered as intentional type of hazard. The effect of an
intentional type of hazard upon a risk assessment is

Assessing the contribution of a technological system's
configuration to the vulnerability of its end user calls
for an approach that derives a quantitative measure

march 2017

∕

IEEE Technology and Society Magazine

Table of Contents for the Digital Edition of IEEE Technology and Society Magazine - March 2017