ORA is a risk assessment tool for locating individuals or groups that are potential risks given social, knowledge and task network information. Essentially, first you use information about people to “connect the dots.” Then, ORA examines this network and finds those dots, those people, who represent a threat to the overall system. Individuals are risks, e,g,, if their removal from the network would debilitate it (the critical employee) or if they were to feed false information to others they could create havoc (the rumor monger).
Based on network theory, social psychology, operations research, and management theory a series of measures of “criticality” have been developed at CMU. Just as critical path algorithms can be used to locate those tasks that are critical from a project management perspective, the ORA algorithms can find those people, types of skills or knowledge and tasks that are critical from a performance and information security perspective. Each of the measures we have developed are calculated by ORA on the basis of network data like that in the following table.